Secure communication with mobile hosts
First Claim
1. A method for secure data communication with a mobile machine comprising the steps of:
establishing a pool of secure addresses;
receiving a data packet from the mobile machine, the data including a particular network address for the mobile machine;
creating a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
determining if the received data packet is a secure data packet;
when the received data packet is a secure packet, identifying an association between the received data packet's network address and a secure address in the data structure; and
translating the data packet's network address to the associated secure address before forwarding the data packet on to higher network protocol layers, wherein when the received data packet from the particular network address is not secure, passing it on without address translation to higher network protocol layers and terminating address translation for the particular network address after a preselected time interval.
2 Assignments
0 Petitions
Abstract
A method for secure data communication with a mobile machine in which a data packet is received from the mobile machine having a particular network address. A pool of secure addresses is established and a data structure is created to hold address translation associations. Each association is between a particular network address and a particular one of the secure addresses. If the received data packet is a secure data packet, an association between the received data packet's network address and a secure address in the data structure is identified and the data packet's network address is translated to the associated secure address before forwarding the data packet on to higher network protocol layers. When the received data packet is not secure it is passed on without address translation to the higher network protocol layers. For outgoing packets addressed to a secure address, the secure address is translated to a real network address (e.g., an IPv4 or IPv6 address) and the packet payload is encrypted. Outgoing packets that are addressed directly to real network addresses pass through in a conventional manner.
142 Citations
24 Claims
1. A method for secure data communication with a mobile machine comprising the steps of:
establishing a pool of secure addresses;
receiving a data packet from the mobile machine, the data including a particular network address for the mobile machine;
creating a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
determining if the received data packet is a secure data packet;
when the received data packet is a secure packet, identifying an association between the received data packet's network address and a secure address in the data structure; and
translating the data packet's network address to the associated secure address before forwarding the data packet on to higher network protocol layers, wherein when the received data packet from the particular network address is not secure, passing it on without address translation to higher network protocol layers and terminating address translation for the particular network address after a preselected time interval.
Dependent claims: 2, 3

2. The method of claim 1 further comprising:
receiving a subsequent data packet from the mobile machine, the subsequent data packet including the particular network address;
determining if the subsequent data packet is a secure packet; and
when the subsequent data packet is a secure packet, resetting a timer that measures time during the preselected time interval.

3. The method of claim 1 wherein the step of identifying an association between the received data packet's network address and a secure address in the data structure further comprises:
examining the data structure to determine if an association for the particular network address is already stored in the data structure.

4. A method for secure data communication with a mobile machine comprising the steps of:
establishing a pool of secure addresses;
receiving a data packet from the mobile machine, the data including a particular network address for the mobile machine;
creating a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
determining if the received data packet is a secure data packet;
when the received data packet is a secure packet, identifying an association between the received data packet's network address and a secure address in the data structure, determining a public key for the received data packet, determining whether the public key is already associated with one of the secure addresses and, if so, using the already assigned secure address to create an association in the data structure, and when the public key is not associated with one of the secure addresses assigning one of the secure addresses from the pool of secure addresses to create an association in the data structure; and
translating the data packet's network address to the associated secure address before forwarding the data packet on to higher network protocol layers.
Dependent claims: 5, 6, 7, 8

9. A method for secure data communication with a mobile machine comprising the steps of:
establishing a pool of secure addresses;
receiving a data packet from the mobile machine, the data including a particular network address for the mobile machine;
creating a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
determining if the received data packet is a secure data packet;
when the received data packet is a secure packet, identifying an association between the received data packet's network address and a secure address in the data structure;
translating the data packet's network address to the associated secure address before forwarding the data packet on to higher network protocol layers; and
discarding all received data packets that contain a particular network address that is one of the pool of secure addresses.

10. A system for secure data communications with a mobile machine comprising:
a gateway machine having a secure port for coupling to a secure network and an insecure port for coupling to an insecure network;
a data structure within the gateway machine holding address translation associations wherein each association is between a particular network address and a particular secure address;
an address translation device within the gateway machine coupled to the data structure and operative to translate between a secure address and its associated network address and between a network address and its associated secure address;
an analysis device in the gateway machine for analyzing data packets received from the insecure network to determine whether the received data packet is secure and operative to enable the address translation device when the received data packet is secure; and
means for measuring elapsed time since a packet is received in the clear, wherein the analysis device is coupled to the address translation device to invalidate a selected address translation association in the data structure at a preselected time after a packet is received in the clear from the network address associated with the address translation association.
Dependent claims: 11

12. A system for secure data communications with a mobile machine comprising:
a gateway machine having a secure port for coupling to a secure network and an insecure port for coupling to an insecure network;
a data structure within the gateway machine holding address translation associations wherein each association is between a particular network address and a particular secure address;
an address translation device within the gateway machine coupled to the data structure and operative to translate between a secure address and its associated network address and between a network address and its associated secure address; and
an analysis device in the gateway machine for analyzing data packets received from the insecure network to determine whether the received data packet is secure and operative to enable the address translation device when the received data packet is secure, wherein each address translation association in the data structure corresponds to a network address from which no data packet has been sent in the clear since receiving a secure data packet.

13. A system for secure data communications with a mobile machine comprising:
a gateway machine having a secure port for coupling to a secure network and an insecure port for coupling to an insecure network;
a data structure within the gateway machine holding address translation associations wherein each association is between a particular network address and a particular secure address;
an address translation device within the gateway machine coupled to the data structure and operative to translate between a secure address and its associated network address and between a network address and its associated secure address; and
an analysis device in the gateway machine for analyzing data packets received from the insecure network to determine whether the received data packet is secure and operative to enable the address translation device when the received data packet is secure, wherein address translation associations in the data structure are dynamically updated in response to receiving a data packet from a network address that has an entry in the data structure but includes new key information.

14. A computer implemented system for secure data communication with a mobile machine operable on a computer system having a processor and data storage devices coupled to the processor, the system comprising:
computer implemented code devices executing on the processor and configured to cause the computer to define a pool of secure addresses;
computer implemented code devices executing on the processor and configured to cause the computer to receive a data packet from the mobile machine, the data including a particular network address for the mobile machine;
computer implemented code devices executing on the processor and configured to cause the computer to create a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
computer implemented code devices executing on the processor and configured to cause the computer to determine if the received data packet is a secure data packet;
computer implemented code devices executing on the processor and configured to cause the computer to identify an association between the received data packet's network address and a secure address in the data structure when the received data packet is a secure packet;
computer implemented code devices executing on the processor and configured to cause the computer to translate the data packet's network address to the associated secure address before forwarding the data packet on to higher network protocol layers;
computer implemented code devices executing on the processor and configured to cause the computer to respond to receiving a data packet from the particular network address that is not secure by starting a timer measuring time elapsed since the insecure data packet was received; and
computer implemented code devices executing on the processor and configured to cause the computer to terminate address translation for the particular network address after a preselected time interval as measured by the timer.
Dependent claims: 15, 16, 17, 18, 19

15. The system of claim 14 further comprising:
computer implemented code devices executing on the processor and configured to cause the computer to pass the data packet on without address translation to higher network protocol layers when the received data packet from the particular network address is not secure.

16. The system of claim 15 further comprising:
computer implemented code devices executing on the processor and configured to cause the computer to receive a subsequent data packet from the mobile machine, the subsequent data packet including the particular network address;
computer implemented code devices executing on the processor and configured to cause the computer to determine if the subsequent data packet is a secure packet; and
computer implemented code devices executing on the processor and configured to cause the computer to reset a timer when the subsequent data packet is a secure packet.

17. The system of claim 14 wherein the computer implemented code devices that identify whether an association between the received data packet's network address and a secure address in the data structure further comprise:
computer implemented code devices executing on the processor and configured to cause the computer to examine the data structure to determine if an association for the particular network address is already stored in the data structure.

18. The system of claim 14 wherein the computer implemented code devices that identify an association between the received data packet's network address and a secure address in the data structure further comprise:
computer implemented code devices executing on the processor and configured to cause the computer to determine a public key for the received data packet; and
computer implemented code devices executing on the processor and configured to cause the computer to determine whether the public key is already associated with one of the secure addresses and, if so, use the already assigned secure address to create an association in the data structure.

19. The system of claim 14 wherein the computer implemented code devices that identify an association between the received data packet's network address and a secure address in the data structure further comprise:
computer implemented code devices executing on the processor and configured to cause the computer to verify that the public key is not revoked and not invalidated.

20. A computer implemented system for secure data communication with a mobile machine operable on a computer system having a processor and data storage devices coupled to the processor, the system comprising:
computer implemented code devices executing on the processor and configured to cause the computer to define a pool of secure addresses;
computer implemented code devices executing on the processor and configured to cause the computer to receive a data packet from the mobile machine, the data including a particular network address for the mobile machine;
computer implemented code devices executing on the processor and configured to cause the computer to create a data structure holding address translation associations wherein each association is between a particular network address and a particular one of the secure addresses;
computer implemented code devices executing on the processor and configured to cause the computer to determine if the received data packet is a secure data packet;
computer implemented code devices executing on the processor and configured to cause the computer to identify an association between the received data packet's network address and a secure address in the data structure when the received data packet is a secure packet;
computer implemented code devices executing on the processor and configured to cause the computer to translate the data packet's network address to the associated secure address before forwarding the data packet on to higher network protocol layers; and
computer implemented code devices executing on the processor and configured to cause the computer to assign one of the secure addresses from the pool of secure addresses to create an association in the data structure when the public key is not associated with one of the secure addresses.
Dependent claims: 21, 22, 23, 24

21. The system of claim 20 further comprising:
computer implemented code devices executing on the processor and configured to cause the computer to pass the data packet on without address translation to higher network protocol layers when the received data packet from the particular network address is not secure.

22. The system of claim 20 wherein the computer implemented code devices that identify whether an association between the received data packet's network address and a secure address in the data structure further comprise:
computer implemented code devices executing on the processor and configured to cause the computer to examine the data structure to determine if an association for the particular network address is already stored in the data structure.

23. The system of claim 20 wherein the computer implemented code devices that identify an association between the received data packet's network address and a secure address in the data structure further comprise:
computer implemented code devices executing on the processor and configured to cause the computer to determine a public key for the received data packet; and
computer implemented code devices executing on the processor and configured to cause the computer to determine whether the public key is already associated with one of the secure addresses and, if so, use the already assigned secure address to create an association in the data structure.

24. The system of claim 20 wherein the computer implemented code devices that identify an association between the received data packet's network address and a secure address in the data structure further comprise:
computer implemented code devices executing on the processor and configured to cause the computer to verify that the public key is not revoked and not invalidated.
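The gateway behaviour the claims describe (secure-address pool, public-key keyed association table, clear-packet timer that terminates translation, spoofed-pool-address discard, and reverse translation for outgoing traffic) as an added simulation; this is illustrative code written for this page, not the patent's implementation, and the address values, the 30 s interval and the rule that a terminated mapping does not return its secure address to the pool are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example values: two reserved "secure" addresses and a 30 s
# grace interval standing in for the claims' "preselected time interval".
SECURE_POOL = ["10.255.0.1", "10.255.0.2"]
CLEAR_TTL = 30.0

@dataclass
class Packet:
    src: str                      # real network address the packet came from
    secure: bool                  # True if the packet arrived authenticated/encrypted
    pubkey: Optional[str] = None  # public key carried by a secure packet

@dataclass
class Gateway:
    pool: List[str]
    ttl: float
    table: Dict[str, str] = field(default_factory=dict)        # real addr -> secure addr
    key_map: Dict[str, str] = field(default_factory=dict)      # pubkey -> secure addr
    clear_since: Dict[str, float] = field(default_factory=dict)  # real addr -> first clear packet

    def __post_init__(self) -> None:
        self.reserved = frozenset(self.pool)   # full pool, kept for the claim 9 discard check

    def _expire(self, now: float) -> None:
        # Terminate translation for any address that has been in the clear for >= ttl.
        for src, t0 in list(self.clear_since.items()):
            if now - t0 >= self.ttl:
                self.table.pop(src, None)      # assumption: secure addr stays bound to its key
                del self.clear_since[src]

    def inbound(self, pkt: Packet, now: float) -> Optional[str]:
        """Address handed to higher layers, or None if the packet is discarded."""
        self._expire(now)
        if pkt.src in self.reserved:
            return None                        # source claims a pool address: drop (claim 9)
        if not pkt.secure:
            self.clear_since.setdefault(pkt.src, now)   # start the timer once (claim 14)
            return pkt.src                     # pass through untranslated (claims 1, 15)
        self.clear_since.pop(pkt.src, None)    # a secure packet resets the timer (claim 2)
        sec = self.key_map.get(pkt.pubkey)     # same key from any address reuses its mapping (claim 4)
        if sec is None:
            if not self.pool:
                return None                    # pool exhausted: nothing to assign (assumption)
            sec = self.pool.pop(0)
            self.key_map[pkt.pubkey] = sec
        self.table[pkt.src] = sec              # new key on a known address overwrites (claim 13)
        return sec

    def outbound(self, dst: str) -> Tuple[str, bool]:
        """Translate a secure destination back to its real address; flag payload for encryption."""
        for real, sec in self.table.items():
            if sec == dst:
                return real, True
        return dst, False                      # direct real-address traffic passes unchanged
```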