Reuse of security associations for improving hand-over performance

US 6,418,130 B1
Filed: 01/21/1999
Issued: 07/09/2002
Est. Priority Date: 01/08/1999
Status: Expired due to Term

First Claim

Patent Images

1. In a radio telecommunication system, a method for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit, said method comprising the steps of:

disconnecting the mobile unit from the first stationary unit;

connecting the mobile unit to the second stationary unit; and

reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to support the connection between the mobile unit and the first stationary unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a radio telecommunication system, the performance of a mobile unit can be significantly improved during a hand-over procedure by reusing existing security associations that correspond to the mobile unit. By reusing existing security associations, a mobile unit can begin secure communications immediately following the hand-over. Otherwise, and in accordance with conventional practice, the mobile unit will have to undertake the time consuming task of renegotiating the required security associations, before it can begin transmitting and receiving secure communications.

Citations

35 Claims

1. In a radio telecommunication system, a method for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit, said method comprising the steps of:
- disconnecting the mobile unit from the first stationary unit;
  
  connecting the mobile unit to the second stationary unit; and
  
  reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to support the connection between the mobile unit and the first stationary unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising the step of:
3. The method of claim 2, wherein the security association attributes are transferred from the first stationary unit directly to the second stationary unit.
4. The method of claim 2, wherein said step of transferring the number of security association attributes, associated with the security association, from the first stationary unit to the second stationary unit comprises the steps of:
- transferring the number of security association attributes from the first stationary unit to a data storage entity; and
  
  transferring the number of security association attributes from the data storage entity to the second stationary unit.
5. The method of claim 4, wherein the data storage entity is a database accessible to the second stationary unit.
6. The method of claim 2 further comprising the step of:
- encrypting the number of security association attributes, prior to the step of transferring the number of security association attributes from the first stationary unit to the second stationary unit, using an encryption key that is shared by the first and the second stationary units.
7. The method of claim 1, wherein the existing security association is an ISAKMP security association.
8. The method of claim 1, wherein the existing security association is an IP_SECsecurity association.
9. The method of claim 1, wherein the first stationary unit and the second stationary unit are both associated with a common administrative domain, such that the first stationary unit and the second stationary unit are subject to a common security policy.
10. The method of claim 9, wherein the first stationary unit and the second stationary unit share a common IP address.

11. In a radio telecommunication system, a method for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit, said method comprising the steps of:
- disconnecting the mobile unit from the first stationary unit;
  
  connecting the mobile unit to the second mobile unit; and
  
  reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to ensure secure communications for a connection between the mobile unit and a third stationary unit, and wherein the third stationary unit and the second stationary unit are associated with a first administrative domain that employs a common security policy.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 further comprising the step of:
13. The method of claim 11, wherein said step of transferring the set of security association attributes associated with the existing security association from the third stationary unit to the second stationary unit comprises the steps of:
- transferring the security association attributes from the third stationary unit to a storage location; and
  
  transferring the security association attributes from the storage location to the second stationary unit.
14. The method of claim 13, wherein the storage location is in a database associated with the first administrative domain to which the third stationary unit and the second stationary unit belong.
15. The method of claim 11, wherein the first stationary unit is associated with a second administrative domain.

16. In a radio telecommunication network, a method for reusing security associations to facilitate hand-over of a mobile unit between stationary units that are associated with a common administrative domain, wherein all of the stationary units associated with the common administrative domain are subject to the same security policy, said method comprising the steps of:
- negotiating a first security association for a connection between the mobile unit and a first stationary unit associated with the common administrative domain;
  
  disconnecting the mobile unit from the first stationary unit;
  
  connecting the mobile unit to a second stationary unit associated with the common administrative domain;
  
  transferring a first set of security association attributes, corresponding to the first security association, from the first stationary unit to the second stationary unit; and
  
  employing the first security association to ensure secure communications for the connection between the mobile unit and the second stationary unit.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, wherein said step of negotiating a first security association comprises the step of:
18. The method of claim 17 further comprising the steps of:
- negotiating a second security association, in accordance with an IKE phase 2 negotiation procedure, for the connection between the mobile unit and the first stationary unit;
  
  transferring a second set of security association attributes, corresponding to the second security association, from the first stationary unit to the second stationary unit; and
  
  employing the second security association, in conjunction with the first security association, to further ensure secure communications for the connection between the mobile unit and the second stationary unit.
19. The method of claim 18, wherein the second security association is an IP_SECauthentication header protocol security association.
20. The method of claim 18, wherein the second security association is an IP_SECencapsulating security payload protocol security association.

21. In a radio telecommunication system, an apparatus for accomplishing hand-over of a mobile unit from a first stationary unit to a second stationary unit, said apparatus comprising:
- means for disconnecting the mobile unit from the first stationary unit;
  
  means for connecting the mobile unit to the second stationary unit; and
  
  means for reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to support the connection between the mobile unit and the first stationary unit.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The apparatus of claim 21 further comprising:
23. The apparatus of claim 22, wherein the security association attributes are transferred from the first stationary unit directly to the second stationary unit.
24. The apparatus of claim 22, wherein said means for transferring the number of security association attributes associated with the security association from the first stationary unit to the second stationary unit comprises:
- means for transferring the number of security association attributes from the first stationary unit to a data storage entity; and
  
  means for transferring the number of security association attributes from the data storage entity to the second stationary unit.
25. The apparatus of claim 24, wherein the data storage entity is a database accessible to the second stationary unit.
26. The apparatus of claim 22 further comprising:
- means for encrypting the number of security association attributes, prior to transferring the number of security association attributes from the first stationary unit to the second stationary unit, wherein said means for encrypting the number of security association attributes employs an encryption key that is shared by the first and the second stationary units.
27. The apparatus of claim 21, wherein the existing security association is an ISAKMP security association.
28. The apparatus of claim 21, wherein the existing security association is an IP_SECsecurity association.
29. The apparatus of claim 21, wherein the first stationary unit and the second stationary unit are both associated with a common administrative domain, such that the first stationary unit and the second stationary unit are subject to a common security policy.
30. The apparatus of claim 29, wherein the first stationary unit and the second stationary unit share a common IP address.

31. In a radio telecommunication system, an apparatus for accomplishing handover of a mobile unit from a first stationary unit to a second stationary unit, said apparatus comprising:
- means for disconnecting the mobile unit from the first stationary unit;
  
  means for connecting the mobile unit to the second mobile unit; and
  
  means for reusing an existing security association to support the connection between the mobile unit and the second stationary unit, wherein the existing security association was previously used to ensure secure communications for a connection between the mobile unit and a third stationary unit, and wherein the third stationary unit and the second stationary unit are associated with a first administrative domain that employs a common security policy.
- View Dependent Claims (32, 33, 34, 35)
- - 32. The apparatus of claim 31 further comprising:
33. The apparatus of claim 31, wherein said means for transferring the set of security association attributes associated with the existing security association from the third stationary unit to the second stationary unit comprises:
- means for transferring the security association attributes from the third stationary unit to a storage location; and
  
  means for transferring the security association attributes from the storage location to the second stationary unit.
34. The apparatus of claim 33, wherein the storage location is in a database associated with the first administrative domain to which the third stationary unit and the second stationary unit belong.
35. The apparatus of claim 31, wherein the first stationary unit is associated with a second administrative domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Cheng, Yi, Rinman, Martin Jakob, Jerrestam, Karl Dan Gustav, Björup, Lars
Primary Examiner(s)
Kizou, Hassan
Assistant Examiner(s)
SPAFFORD, TIMOTHY J

Application Number

US09/234,512
Time in Patent Office

1,265 Days
Field of Search

370/328, 370/338, 370/331, 455/410, 455/411, 380/247
US Class Current

370/331
CPC Class Codes

H04L 63/06   for supporting key manageme...

H04L 63/164   at the network layer

H04W 12/033   of the user plane, e.g. use...

H04W 12/041   Key generation or derivation

H04W 12/0433   Key management protocols

H04W 12/062   Pre-authentication

H04W 12/069   using certificates or pre-s...

H04W 36/0038   of security context informa...

H04W 80/04   Network layer protocols, e....

Reuse of security associations for improving hand-over performance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Reuse of security associations for improving hand-over performance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links