Secure communication with mobile hosts

US 6,507,908 B1
Filed: 03/04/1999
Issued: 01/14/2003
Est. Priority Date: 03/04/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method for secure data communication with a mobile machine comprising the steps of:

establishing a pool of secure addresses;

receiving a data packet from the mobile machine, the data including a particular network address for the mobile machine;

creating a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;

determining if the received data packet is a secure data packet;

when the received data packet is a secure packet, identifying an association between the received data packet'"'"'s network address and a secure address in the data structure; and

translating the data packet'"'"'s network address to the associated secure address before forwarding the data packet on to higher network protocol layers, wherein when the received data packet from the particular network address is not secure, passing it on without address translation to higher network protocol layers and terminating address translation for the particular network address after a preselected time interval.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for secure data communication with a mobile machine in which a data packet is received from the mobile machine having a particular network address. A pool of secure addresses is established and a data structure is created to hold address translation associations. Each association is between a particular network address and a particular one of the secure addresses. If the received data packet is a secure data packet an association between the received data packet'"'"'s network address and a secure address in the data structure is identified and the data packet'"'"'s network address is translated to the associated secure address before forwarding the data packet on to higher network protocol layers. When the received data packet is not secure it is passed it on without address translation to the higher network protocol layers. For outgoing packets addressed to a secure address, the secure address is translated to a real network address (e.g., IPv4 or IPv6 addresses) and the packet payload is encrypted. Outgoing packets that are addressed directly to real network addresses pass through in a conventional manner.

142 Citations

24 Claims

1. A method for secure data communication with a mobile machine comprising the steps of:
- establishing a pool of secure addresses;
  
  receiving a data packet from the mobile machine, the data including a particular network address for the mobile machine;
  
  creating a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
  
  determining if the received data packet is a secure data packet;
  
  when the received data packet is a secure packet, identifying an association between the received data packet'"'"'s network address and a secure address in the data structure; and
  
  translating the data packet'"'"'s network address to the associated secure address before forwarding the data packet on to higher network protocol layers, wherein when the received data packet from the particular network address is not secure, passing it on without address translation to higher network protocol layers and terminating address translation for the particular network address after a preselected time interval.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1 further comprising:
3. The method of claim 1 wherein the step of identifying an association between the received data packet'"'"'s network address and a secure address in the data structure further comprises:
- examining the data structure to determine if an association for the particular network address is already stored in the data structure.

4. A method for secure data communication with a mobile machine comprising the steps of:
- establishing a pool of secure addresses;
  
  receiving a data packet from the mobile machine, the data including a particular network address for the mobile machine;
  
  creating a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
  
  determining if the received data packet is a secure data packet;
  
  when the received data packet is a secure packet, identifying an association between the received data packet'"'"'s network address and a secure address in the data structure, determining a public key for the received data packet, determining whether the public key is already associated with one of the secure addresses and, if so, using the already assigned secure address to create an association in the data structure, and when the public key is not associated with one of the secure addresses assigning one of the secure addresses from the pool of secure addresses to create an association in the data structure; and
  
  translating the data packet'"'"'s network address to the associated secure address before forwarding the data packet on to higher network protocol layers.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The method of claim 4 wherein the step of determining a public key comprises requesting the at least one key from a local database.
  - 6. The method of claim 4 wherein the step of determining a public key comprises requesting the public key using certificate discover protocol (CDP).
  - 7. The method of claim 4 further comprising a step of verifying that the public key is not revoked and not invalidated.
  - 8. The method of claim 4 wherein when the public key is an X.509 key certificate.

9. A method for secure data communication with a mobile machine comprising the steps of:
- establishing a pool of secure addresses;
  
  receiving a data packet from the mobile machine, the data including a particular network address for the mobile machine;
  
  creating a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
  
  determining if the received data packet is a secure data packet;
  
  when the received data packet is a secure packet, identifying an association between the received data packet'"'"'s network address and a secure address in the data structure;
  
  translating the data packet'"'"'s network address to the associated secure address before forwarding the data packet on to higher network protocol layers; and
  
  discarding all received data packets that contain a particular network address that is one of the pool of secure addresses.

10. A system for secure data communications with a mobile machine comprising:
- a gateway machine having a secure port for coupling to a secure network and an insecure port for coupling to an insecure network;
  
  a data structure within the gateway machine holding address translation associations wherein each association is between a particular network address and a particular secure addresses;
  
  an address translation device within the gateway machine coupled to the data structure and operative to translate between a secure address and its associated network address and between a network address and its associated secure address;
  
  an analysis device in the gateway machine for analyzing data packets received from the insecure network to determine whether the received data packet is secure and operative to enable the address translation device when the receive data packet is secure; and
  
  means for measuring elapsed time since a packet is received in the clear, wherein the analysis device is coupled to the address translation device to invalidate a selected address translation association in the data structure at a preselected time after a packet is received in the clear from the network address associated with the address translation association.
- View Dependent Claims (11)
- - 11. The system of claim 10 wherein a timer that measures time during the preselected time interval is reset upon receiving a secure packet.

12. A system for secure data communications with a mobile machine comprising:
- a gateway machine having a secure port for coupling to a secure network and an insecure port for coupling to an insecure network;
  
  a data structure within the gateway machine holding address translation associations wherein each association is between a particular network address and a particular secure addresses;
  
  an address translation device within the gateway machine coupled to the data structure and operative to translate between a secure address and its associated network address and between a network address and its associated secure address; and
  
  an analysis device in the gateway machine for analyzing data packets received from the insecure network to determine whether the received data packet is secure and operative to enable the address translation device when the receive data packet is secure, wherein each address translation association in the data structure corresponds to a network address from which no data packet has been sent in the clear since receiving a secure data packet.

13. A system for secure data communications with a mobile machine comprising:
- a gateway machine having a secure port for coupling to a secure network and an insecure port for coupling to an insecure network;
  
  a data structure within the gateway machine holding address translation associations wherein each association is between a particular network address and a particular secure addresses;
  
  an address translation device within the gateway machine coupled to the data structure and operative to translate between a secure address and its associated network address and between a network address and its associated secure address; and
  
  an analysis device in the gateway machine for analyzing data packets received from the insecure network to determine whether the received data packet is secure and operative to enable the address translation device when the receive data packet is secure, wherein address translation associations in the data structure are dynamically updated in response to receiving a data packet from a network address that has an entry in the data structure but includes new key information.

14. A computer implemented system for secure data communication with a mobile machine operable on a computer system having a processor and data storage devices coupled to the processor, the system comprising:
- computer implemented code devices executing on the processor and configured to cause the computer to define a pool of secure addresses;
  
  computer implemented code devices executing on the processor and configured to cause the computer to receive a data packet from the mobile machine, the data including a particular network address for the mobile machine;
  
  computer implemented code devices executing on the processor and configured to cause the computer to create a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
  
  computer implemented code devices executing on the processor and configured to cause the computer to determine if the received data packet is a secure data packet;
  
  computer implemented code devices executing on the processor and configured to cause the computer to identify an association between the received data packet'"'"'s network address and a secure address in the data structure when the received data packet is a secure packet;
  
  computer implemented code devices executing on the processor and configured to cause the computer to translate the data packet'"'"'s network address to the associated secure address before forwarding the data packet on to higher network protocol layers;
  
  computer implemented code devices executing on the processor and configured to cause the computer to respond to receiving a data packet from the particular network address that is not secure by starting a timer measuring time elapsed since the insecure data packet was received; and
  
  computer implemented code devices executing on the processor and configured to cause the computer to terminate address translation for the particular network address after a preselected time interval as measured by the timer.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14 further comprising:
16. The system of claim 15 further comprising:
- computer implemented code devices executing on the processor and configured to cause the computer to receive a subsequent data packet from the mobile machine, the subsequent data packet including the particular network address;
  
  computer implemented code devices executing on the processor and configured to cause the computer to determine if the subsequent data packet a secure packet; and
  
  computer implemented code devices executing on the processor and configured to cause the computer to reset a timer when the subsequent data packet is a secure packet.
17. The system of claim 14 wherein the computer implemented code devices that identify whether an association between the received data packet'"'"'s network address and a secure address in the data structure further comprise:
- computer implemented code devices executing on the processor and configured to cause the computer to examine the data structure to determine if an association for the particular network address is already stored in the data structure.
18. The system of claim 14 wherein the computer implemented code devices that identify an association between the received data packet'"'"'s network address and a secure address in the data structure further comprise:
- computer implemented code devices executing on the processor and configured to cause the computer to determine a public key for the received data packet; and
  
  computer implemented code devices executing on the processor and configured to cause the computer to determine whether the public key is already associated with one of the secure addresses and, if so, use the already assigned secure address to create an association in the data structure.
19. The system of claim 14 wherein the computer implemented code devices that identify an association between the received data packet'"'"'s network address and a secure address in the data structure further comprise:
- computer implemented code devices executing on the processor and configured to cause the computer to verify that the public key is not revoked and not invalidated.

20. A computer implemented system for secure data communication with a mobile machine operable on a computer system having a processor and data storage devices coupled to the processor, the system comprising:
- computer implemented code devices executing on the processor and configured to cause the computer to define a pool of secure addresses;
  
  computer implemented code devices executing on the processor and configured to cause the computer to receive a data packet from the mobile machine, the data including a particular network address for the mobile machine;
  
  computer implemented code devices executing on the processor and configured to cause the computer to create a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
  
  computer implemented code devices executing on the processor and configured to cause the computer to determine if the received data packet is a secure data packet;
  
  computer implemented code devices executing on the processor and configured to cause the computer to identify an association between the received data packet'"'"'s network address and a secure address in the data structure when the received data packet is a secure packet;
  
  computer implemented code devices executing on the processor and configured to cause the computer to translate the data packet'"'"'s network address to the associated secure address before forwarding the data packet on to higher network protocol layers; and
  
  computer implemented code devices executing on the processor and configured to cause the computer to assign one of the secure addresses from the pool of secure addresses to create an association in the data structure when the public key is not associated with one of the secure addresses.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The system of claim 20 further comprising:
22. The system of claim 20 wherein the computer implemented code devices that identify whether an association between the received data packet'"'"'s network address and a secure address in the data structure further comprise:
- computer implemented code devices executing on the processor and configured to cause the computer to examine the data structure to determine if an association for the particular network address is already stored in the data structure.
23. The system of claim 20 wherein the computer implemented code devices that identify an association between the received data packet'"'"'s network address and a secure address in the data structure further comprise:
- computer implemented code devices executing on the processor and configured to cause the computer to determine a public key for the received data packet; and
  
  computer implemented code devices executing on the processor and configured to cause the computer to determine whether the public key is already associated with one of the secure addresses and, if so, use the already assigned secure address to create an association in the data structure.
24. The system of claim 20 wherein the computer implemented code devices that identify an association between the received data packet'"'"'s network address and a secure address in the data structure further comprise:
- computer implemented code devices executing on the processor and configured to cause the computer to verify that the public key is not revoked and not invalidated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Caronni, Germano
Primary Examiner(s)
Darrow, Justin T.

Application Number

US09/262,191
Time in Patent Office

1,412 Days
Field of Search

713/151, 713/153, 713/156, 713/158, 713/162, 713/168, 713/170, 713/175, 713/176, 713/178, 713/202, 713/160, 380/33, 380/248, 380/270, 709/218, 709/219, 709/225, 709/229, 709/230, 709/238, 370/351, 370/352, 370/389, 455/412, 455/428, 455/432, 455/433, 455/445
US Class Current

713/153
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/2539   Hiding addresses; Keeping a...

H04L 61/2557   Translation policies or rules

H04L 61/35   involving non-standard use ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0823   using certificates cryptogr...

H04L 63/123   received data contents, e.g...

H04W 8/26   Network addressing or numbe...

H04W 80/04   Network layer protocols, e....

Secure communication with mobile hosts

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

142 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Secure communication with mobile hosts

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links