Location-independent packet routing and secure access in a short-range wireless networking environment
Abstract
The present invention provides methods, systems, and computer program instructions for providing location-independent packet routing and secure access in a wireless networking environment (such as that encountered within a building), enabling client devices to travel seamlessly within the environment. Each client device uses a constant address. An address translation process that is transparent to the client and server is automatically performed as the device roams through the environment, enabling efficient client migration from one supporting access point to another. The secure access techniques provide user-centric authentication and allow policy-driven packet filtering, while taking advantage of encryption capabilities that are built in to the hardware at each endpoint.
50 Claims
1. A method of enabling location-independent packet routing in a short-range wireless networking environment, comprising the steps of:
providing one or more portable client devices, each of the client devices identified by a constant client address and equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
providing one or more application servers, each of the application servers equipped for communicating with the client devices over the short-range wireless networking environment;
transmitting a packet from a selected one of the client devices to a selected one of the application servers;
receiving the transmitted packet at a Foreign Address Masquerader (FAM);
accessing, by the FAM, a FAM translation record;
applying, by the FAM, a network address translation to replace a client address and port in the transmitted packet with a masquerading address and port retrieved by the accessing step, thereby creating a modified packet; and
forwarding, by the FAM, the modified packet to the selected application server.
Dependent claims 2, 3, 4, 5, 6, 7, 8:
determining, by the FAM, that the selected client device does not have a valid session key for encryption;
obtaining, by the FAM, user credentials for a user of the selected client device;
authenticating, by the FAM, the user credentials by contacting an authentication server;
establishing the valid session key when the authenticating step completes successfully; and
using the established session key, by the selected client device and the FAM, to encrypt packets that are transmitted over a link between the selected client device and the FAM.
5. The method according to claim 4, wherein the step of using the established session key to encrypt packets further comprises the step of using a hardware encryption component of the selected client device and of the FAM to perform the packet encryption.
6. The method according to claim 5, further comprising the step of storing a client media access control (MAC) address, the established session key, and an identification of the user by a routing coordinator.
7. The method according to claim 6, further comprising the steps of:
querying the routing coordinator, by a filtering module, to obtain the user identification associated with a particular MAC address; and
using the user identification, by the filtering module, to filter inbound and outbound packets.
8. The method according to claim 6, further comprising the steps of:
querying the routing coordinator, when a particular client device roams to a different FAM, to obtain the established session key associated with a particular MAC address of the particular client device; and
providing the obtained session key to the different FAM.
9. A method of enabling location-independent packet routing in a short-range wireless networking environment, comprising the steps of:
providing one or more portable client devices, each of the client devices identified by a constant client address and equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
providing one or more application servers, each of the application servers equipped for communicating with the client devices over the short-range wireless networking environment;
transmitting a packet from a selected one of the application servers to a selected one of the client devices;
receiving the transmitted packet at a Home Address Masquerader (HAM);
accessing, by the HAM, a HAM translation record;
applying, by the HAM, a network address translation to replace a masquerading address and port in the transmitted packet with a Foreign Address Masquerader (FAM) address and port retrieved by the step of accessing the HAM translation record, thereby creating a first modified packet;
forwarding, by the HAM, the first modified packet to the FAM;
receiving the forwarded packet at the FAM;
accessing, by the FAM, a FAM translation record;
applying, by the FAM, a network address translation to replace the FAM address and port in the forwarded packet with a client address and port retrieved by the step of accessing the FAM translation record, thereby creating a second modified packet; and
forwarding, by the FAM, the second modified packet to the selected client device.
Dependent claims 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 49, 50:
the client address comprises the constant client address;
the FAM translation record comprises the constant client address and client port, a server address and port, and the FAM address and port; and
the HAM translation record comprises the client address and port, the masquerading address and port, and the FAM address and port.
24. A method of enabling location-independent packet routing in a short-range wireless networking environment, comprising the steps of:
providing one or more portable client devices, each of the client devices identified by a constant client address and equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
providing one or more application servers, each of the application servers equipped for communicating with the client devices over the short-range wireless networking environment;
transmitting a first packet from a selected one of the client devices to a selected one of the application servers, further comprising the steps of:
transmitting the first packet from the selected client device using the constant client address and a client port as a packet source and an address and port of the selected application server as a packet destination;
receiving the transmitted first packet at a Foreign Address Masquerader (FAM);
accessing, by the FAM, a FAM translation record;
applying, by the FAM, a network address translation to replace the constant client address and client port in the transmitted first packet with a masquerading address and port retrieved by the accessing step, thereby creating a first modified packet; and
forwarding, by the FAM, the first modified packet to the selected application server; and
transmitting a second packet from the selected application server to the selected client device, further comprising the steps of:
transmitting the second packet from the selected application server using the address and port of the selected application server as the packet source and the masquerading address and port as the packet destination;
receiving the transmitted second packet at a Home Address Masquerader (HAM);
accessing, by the HAM, a HAM translation record;
applying, by the HAM, the network address translation to replace the masquerading address and port in the transmitted second packet with a FAM address and port retrieved by the step of accessing the HAM translation record, thereby creating a second modified packet;
forwarding, by the HAM, the second modified packet to either the FAM or a different dynamically-determined FAM which becomes the FAM;
receiving the forwarded second modified packet at the FAM;
again accessing, by the FAM, the FAM translation record;
again applying, by the FAM, the network address translation to replace the FAM address and port in the forwarded second modified packet with the constant client address and the client port retrieved by the step of again accessing the FAM translation record, thereby creating a third modified packet; and
forwarding, by the FAM, the third modified packet to the selected client device.
Dependent claims 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39:
the FAM translation record comprises the constant client address and client port, the server address and port, the masquerading address and port, and the FAM address and port; and
the HAM translation record comprises the client address and port, the masquerading address and port, and the FAM address and port.
26. The method according to claim 24, further comprising the step of providing a routing coordinator, wherein the routing coordinator maintains a plurality of connection table records, each of the connection table records comprising a client address and port, a server address and port, a masquerading address and port, a HAM address and port, and zero or more FAM records.
27. The method according to claim 26, further comprising the step of inserting the FAM records into a selected connection table record when a FAM sends a notification to the routing coordinator about an ability of the FAM to communicate with a selected client device identified by the client address and port in the selected connection table record.
28. The method according to claim 27, further comprising the step of sending the notification when the FAM receives an outbound packet from the selected client device, and no matching FAM translation record exists for the selected client device.
29. The method according to claim 26, further comprising the step of creating each of the connection table records when a HAM sends a notification to the routing coordinator about a new connection.
30. The method according to claim 29, further comprising the step of sending the notification when the HAM receives an outbound packet from a particular client device, and (1) no matching HAM translation record exists for the particular client device and (2) no FAM translation record can otherwise be created for the particular client device.
31. The method according to claim 26, further comprising the step of creating the connection table records when a FAM sends a notification to the routing coordinator about an ability of the FAM to communicate with a particular client device that is participating in a particular connection, and wherein no previous connection table record exists for the particular connection.
32. The method according to claim 26, further comprising the step of receiving, by a particular HAM, the zero or more FAM records from the routing coordinator.
33. The method according to claim 32, further comprising the step of transmitting the zero or more FAM records from the routing coordinator to the particular HAM when the FAM records are created by the routing coordinator.
34. The method according to claim 32, further comprising the step of requesting, by a particular HAM, the FAM records when the particular HAM receives a packet from a particular server that is addressed to a particular masquerading address and port.
35. The method according to claim 26, further comprising the step of deleting, by the routing coordinator, the FAM records from one or more connection table records when the routing coordinator receives a notification from a corresponding FAM.
36. The method according to claim 35, wherein the notification identifies a corresponding client device, and further comprising the step of transmitting the notification from the corresponding FAM when the corresponding FAM can no longer communicate with the corresponding client device.
37. The method according to claim 36, wherein the notification is initiated upon receipt, by the corresponding FAM, of an explicit link termination message from the corresponding client device.
38. The method according to claim 36, wherein the notification is initiated, by the corresponding FAM, upon an implicit link termination due to inactivity with the corresponding client device.
39. The method according to claim 35, further comprising the step of notifying a corresponding HAM identified in the connection table records that the corresponding FAM records are being deleted.
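Claims 24 through 39 describe a two-stage address translation (client to FAM to server, server to HAM to FAM to client) coordinated through a connection table held by a routing coordinator. The following Python model is added here as an illustration; it is not the patent's implementation, every address, port and class name in it is constructed, and the assignment of masquerading addresses is simplified relative to claims 29 and 30. It walks a packet out through one FAM, brings the server's reply back through the HAM, and then lets the client roam to a second FAM so that the next reply follows it.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: tuple  # (address, port)
    dst: tuple  # (address, port)


class RoutingCoordinator:
    """Connection table of claim 26: per (client, server), the masquerading address and the current FAM record."""
    def __init__(self):
        self.table = {}
        self._ports = count(40000)  # constructed masquerading-port allocator
    def fam_can_reach(self, client, server, fam_addr):
        # Claims 27/31: a FAM reports it can reach the client on this connection; an unknown
        # connection gets a fresh masquerading address (simplification of claims 29/30).
        rec = self.table.get((client, server))
        if rec is None:
            rec = self.table[(client, server)] = {"masq": ("198.51.100.7", next(self._ports)), "fams": []}
        rec["fams"] = [fam_addr]  # after a roam the newest FAM replaces the old one
        return rec["masq"]
    def fam_records_for(self, masq):
        # Claim 34: the HAM asks which FAM currently backs a masquerading address.
        for rec in self.table.values():
            if rec["masq"] == masq:
                return rec["fams"]
        raise LookupError(f"no connection for {masq}")


class FAM:  # Foreign Address Masquerader: constant client address <-> masquerading address
    def __init__(self, ip, rc):
        self.ip, self.rc, self.records = ip, rc, {}  # records: FAM translation records (claim 25)
        self._ports = count(50000)  # constructed FAM-port allocator
    def outbound(self, pkt):
        rec = self.records.get((pkt.src, pkt.dst))
        if rec is None:  # claim 28: first packet of this connection seen here, so notify the coordinator
            fam_addr = (self.ip, next(self._ports))
            masq = self.rc.fam_can_reach(pkt.src, pkt.dst, fam_addr)
            rec = {"client": pkt.src, "server": pkt.dst, "masq": masq, "fam": fam_addr}
            self.records[(pkt.src, pkt.dst)] = rec
        return Packet(rec["masq"], rec["server"])  # claim 1: client -> masq, on to the server
    def inbound(self, pkt):
        for rec in self.records.values():
            if rec["fam"] == pkt.dst and rec["server"] == pkt.src:
                return Packet(rec["server"], rec["client"])  # claim 9: FAM addr -> client addr
        raise LookupError("no FAM translation record")


class HAM:  # Home Address Masquerader: masquerading address -> current FAM address/port
    def __init__(self, rc):
        self.rc = rc
    def inbound(self, pkt):
        fam_addr = self.rc.fam_records_for(pkt.dst)[0]
        return Packet(pkt.src, fam_addr)  # claim 24: forwarded to the dynamically-determined FAM


def roam_demo():  # client connects via fam1, roams to fam2; the server's reply follows it
    rc = RoutingCoordinator()
    ham, fam1, fam2 = HAM(rc), FAM("10.0.1.1", rc), FAM("10.0.2.1", rc)
    client, server = ("10.0.0.5", 1234), ("192.0.2.10", 80)  # constructed sample addresses
    out1 = fam1.outbound(Packet(client, server))
    reply = Packet(server, out1.src)  # the server only ever sees the masquerading address
    back1 = fam1.inbound(ham.inbound(reply))
    out2 = fam2.outbound(Packet(client, server))  # roamed: same constant address, same masq
    back2 = fam2.inbound(ham.inbound(reply))      # the HAM now routes via fam2
    return out1, out2, back1, back2
```

Note that the server never learns the client's constant address or which FAM currently serves it; a reply for a masquerading address with no connection record is dropped with a lookup error rather than forwarded.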
40. A method of enabling location-independent packet routing in a short-range wireless networking environment, comprising the steps of:
establishing, by a client device, a first connection to a first application server;
assigning the first connection to a first Home Address Masquerader (HAM);
establishing, by the client device, a second connection to a second application server; and
assigning the second connection to a second HAM, wherein the first HAM and the second HAM are distinct.
41. A system for enabling location-independent packet routing in a short-range wireless networking environment, comprising:
one or more portable client devices, each of the client devices identified by a constant client address and equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
one or more application servers, each of the application servers equipped for communicating with the client devices over the short-range wireless networking environment;
means for transmitting a packet from a selected one of the client devices to a selected one of the application servers using a masquerading address and port for the selected client device instead of the constant client address by forwarding the packet through a Foreign Address Masquerader (FAM); and
means for transmitting a response packet from the selected application server to the selected client device using the masquerading address and port by forwarding the response packet through a Home Address Masquerader (HAM) and either the FAM or a dynamically-determined different FAM which then becomes the FAM.
Dependent claims 42, 43, 44:
means for receiving the transmitted packet at the FAM;
means for accessing, by the FAM, a FAM translation record;
means for applying, by the FAM, a network address translation to replace the constant client address and a client port in the transmitted packet with the masquerading address and port retrieved by the accessing step, thereby creating a modified packet; and
means for forwarding, by the FAM, the modified packet to the selected application server.
43. The system according to claim 41, wherein the means for transmitting a response packet further comprises:
transmitting the response packet from the selected application server to the selected client device;
receiving the transmitted response packet at the HAM;
accessing, by the HAM, a HAM translation record;
applying, by the HAM, a network address translation to replace the masquerading address and port in the transmitted response packet with the FAM address and port retrieved by the step of accessing the HAM translation record, thereby creating a first modified response packet;
forwarding, by the HAM, the first modified response packet to the FAM;
receiving the forwarded packet at the FAM;
accessing, by the FAM, a FAM translation record;
applying, by the FAM, a network address translation to replace the FAM address and port in the forwarded packet with the constant client address and a client port retrieved by the step of accessing the FAM translation record, thereby creating a second modified response packet; and
forwarding, by the FAM, the second modified response packet to the selected client device.
44. The system according to claim 41, further comprising:
means for determining, by the FAM, that the selected client device does not have a valid session key for encryption;
means for obtaining, by the FAM, user credentials for a user of the selected client device;
means for authenticating, by the FAM, the user credentials by contacting an authentication server;
means for establishing the valid session key when the authenticating step completes successfully;
means for supplying the established session key to a hardware component of the selected client device and to a hardware component of the FAM; and
means for using the supplied session key, by the hardware components, to encrypt packets that are transmitted over a link between the selected client device and the FAM.
45. Computer program instructions embodied on one or more computer readable media, the computer program instructions adapted for enabling location-independent packet routing in a short-range wireless networking environment and comprising:
computer program instructions for accessing one or more portable client devices, each of the client devices identified by a constant client address and equipped with a short-range wireless communications capability for communicating in the short-range wireless networking environment;
computer program instructions for accessing one or more application servers, each of the application servers equipped for communicating with the client devices over the short-range wireless networking environment;
computer program instructions for transmitting a packet from a selected one of the client devices to a selected one of the application servers using a masquerading address and port for the selected client device instead of the constant client address by forwarding the packet through a Foreign Address Masquerader (FAM); and
computer program instructions for transmitting a response packet from the selected application server to the selected client device using the masquerading address and port by forwarding the response packet through a Home Address Masquerader (HAM) and either the FAM or a different dynamically-determined FAM which then becomes the FAM.
Dependent claims 46, 47, 48:
computer program instructions for receiving the transmitted packet at the FAM;
computer program instructions for accessing, by the FAM, a FAM translation record;
computer program instructions for applying, by the FAM, a network address translation to replace the constant client address and a client port in the transmitted packet with the masquerading address and port retrieved by the accessing step, thereby creating a modified packet; and
computer program instructions for forwarding, by the FAM, the modified packet to the selected application server.
47. The computer program instructions according to claim 45, wherein the computer program instructions for transmitting a response packet further comprise:
computer program instructions for transmitting the response packet from the selected application server to the selected client device;
computer program instructions for receiving the transmitted response packet at the HAM;
computer program instructions for accessing, by the HAM, a HAM translation record;
computer program instructions for applying, by the HAM, a network address translation to replace the masquerading address and port in the transmitted response packet with the FAM address and port retrieved by the step of accessing the HAM translation record, thereby creating a first modified response packet;
computer program instructions for forwarding, by the HAM, the first modified response packet to the FAM;
computer program instructions for receiving the forwarded packet at the FAM;
computer program instructions for accessing, by the FAM, a FAM translation record;
computer program instructions for applying, by the FAM, a network address translation to replace the FAM address and port in the forwarded packet with the constant client address and a client port retrieved by the step of accessing the FAM translation record, thereby creating a second modified response packet; and
computer program instructions for forwarding, by the FAM, the second modified response packet to the selected client device.
48. The computer program instructions according to claim 45, further comprising:
computer program instructions for determining, by the FAM, that the selected client device does not have a valid session key for encryption;
computer program instructions for obtaining, by the FAM, user credentials for a user of the selected client device;
computer program instructions for authenticating, by the FAM, the user credentials by contacting an authentication server;
computer program instructions for establishing the valid session key when the authenticating step completes successfully;
computer program instructions for supplying the established session key to a hardware component of the selected client device and to a hardware component of the FAM; and
computer program instructions for using the supplied session key, by the hardware components, to encrypt packets that are transmitted over a link between the selected client device and the FAM.
Specification