Method to provide dynamic internet protocol security policy service

US 6,839,338 B1
Filed: 03/20/2002
Issued: 01/04/2005
Est. Priority Date: 03/20/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method to dynamically provide Internet Protocol security policy service, comprising the steps of:

receiving a connection request sent from a mobile node to a foreign agent, wherein the mobile node uses Mobile Internet Protocol;

obtaining at least one policy template for the mobile node, wherein the at least one policy template includes processing information for Internet Protocol security packets sent between the foreign agent and a home agent for the mobile node;

negotiating Internet Protocol security parameters with the home agent;

creating at least one filter, wherein the at least one filter identifies data packets traveling between the home agent and the foreign agent to receive Internet Protocol security processing, and wherein the at least one filter identifies the at least one policy template to apply to the data packets receiving Internet Protocol security processing; and

storing the at least one filter in a list of active filters maintained by the foreign agent, wherein the list of active filters identifies data packets in a plurality of active Internet Protocol security sessions between the foreign agent and respective home agents of other mobile nodes that are registered with the foreign agent.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mobile node may roam away from its home network to a foreign network. The mobile node may communicate using the Mobile Internet Protocol, and it may use Internet Protocol security to communicate with its home network. A foreign agent on the foreign network and a home agent on the home network may dynamically link a policy to be used for a Internet Protocol security session between the foreign agent and the home agent. The foreign agent and the home agent may dynamically create a filter to be used for the Internet Protocol Security session.

191 Citations

29 Claims

1. A method to dynamically provide Internet Protocol security policy service, comprising the steps of:
- receiving a connection request sent from a mobile node to a foreign agent, wherein the mobile node uses Mobile Internet Protocol;
  
  obtaining at least one policy template for the mobile node, wherein the at least one policy template includes processing information for Internet Protocol security packets sent between the foreign agent and a home agent for the mobile node;
  
  negotiating Internet Protocol security parameters with the home agent;
  
  creating at least one filter, wherein the at least one filter identifies data packets traveling between the home agent and the foreign agent to receive Internet Protocol security processing, and wherein the at least one filter identifies the at least one policy template to apply to the data packets receiving Internet Protocol security processing; and
  
  storing the at least one filter in a list of active filters maintained by the foreign agent, wherein the list of active filters identifies data packets in a plurality of active Internet Protocol security sessions between the foreign agent and respective home agents of other mobile nodes that are registered with the foreign agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising a computer readable medium having stored therein instruction for causing a processor to execute all the steps of the method.
  - 3. The method of claim 1, further comprising the steps of:
    - terminating a connection with the mobile node; and
      
      removing the at least one filter from the list of active filters.
  - 4. The method of claim 1, wherein the security parameters are negotiated using Internet Key Exchange.
  - 5. The method of claim 1, wherein the security parameters are negotiated using Internet Security Association and Key Management Protocol.
  - 6. The method of claim 1, wherein the at least one policy template specifies a type of encryption.
  - 7. The method of claim 1, wherein the at least one policy template specifies a lifetime of a key.
  - 8. The method of claim 1, wherein the at least one policy template specifies at least one rule used to negotiate the type of Internet Protocol security service.
  - 9. The method of claim 1, wherein the at least one filter includes a first filter and a second filter;
    - andwherein the first filter includes parameters to specify end points for Internet Security Association and Key Management Protocol packets, and wherein the second filter includes parameters to specify packets that need Internet Protocol security service.
  - 10. The method of claim 1, wherein the at least one policy template includes information for a Network Address Translation/Port Address Translation application.
  - 11. The method of claim 1, wherein the at least one policy includes information for a firewall application.
  - 12. The method of claim 1, wherein the at least one policy comprises a plurality of policies.
  - 13. The method of claim 1, wherein the at least one filter comprises a plurality of filters.

14. A method to dynamically provide policy service to a mobile node, comprising the steps of:
- receiving an authentication request sent from a foreign agent on a foreign network to a home agent on a home network, wherein the authentication request indicates a mobile node roaming from the home network to the foreign network, and wherein the mobile node uses Mobile Internet Protocol;
  
  determining whether the mobile node needs Internet Protocol security for packets sent between the foreign agent and the home agent;
  
  informing the foreign agent that the mobile node needs Internet Protocol security for data packets sent between the home agent and the foreign agent; and
  
  linking at least one security policy template for the mobile node to the home agent, wherein the security policy template specifies parameters to be used in Internet Protocol security communications between the foreign agent and the home agent;
  
  creating a filter wherein the filter identifies packets traveling between the home agent and the foreign agent to receive Internet Protocol security processing, and wherein the filter identifies the policy template to apply to the packets receiving Internet Protocol security processing; and
  
  storing the at least one filter in a list of active filters maintained by the home agent, wherein the list of active filters identifies data packets in a plurality of active Internet Protocol security sessions between the home agent and respective foreign agents of other mobile nodes.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The method of claim 14 further comprising a computer readable medium having stored therein instruction for causing a processor to execute all the steps of the method.
  - 16. The method of claim 14, further comprising the step of:
    - negotiating Internet Protocol security parameters with the foreign agent.
  - 17. The method of claim 16, wherein the Internet Protocol security parameters are negotiated using Internet Key Exchange.
  - 18. The method of claim 16, wherein the Internet Protocol security parameters are negotiated using Internet Security Association Key Management Protocol.
  - 19. The method of claim 16, wherein the Internet Protocol security parameters are negotiated using the OAKLEY protocol.
  - 20. The method of claim 14, further comprising the step of:
    - determining the mobile node has roamed off the foreign network; and
      
      removing the filter from the home agent filter list.
  - 21. The method of claim 14, wherein determining whether the mobile node needs Internet Protocol security further comprises accessing an authentication, authorization and accounting server.

22. A method for providing policy service in an Internet Protocol security application, comprising the steps of:
- receiving a request from a mobile node roaming to a foreign network to establish a secure connection to a home network, wherein the mobile node uses Mobile Internet Protocol;
  
  authenticating the mobile node with the home network;
  
  receiving an indication to use Internet Protocol security for packets sent between a home agent on the home network and a foreign agent on the foreign network;
  
  linking a policy for the mobile node to the foreign agent, wherein the policy identifies processing information for Internet Protocol security packets sent between the foreign agent and the home agent;
  
  negotiating Internet Protocol security parameters with a home agent to create a virtual tunnel between the foreign agent and the home agent;
  
  creating a filter for the mobile node, wherein the filter can be used to identify packets traveling between the foreign agent and the home agent that use Internet Protocol security; and
  
  storing the at least one filter in a list of active filters maintained by the foreign agent, wherein the list of active filters identifies data packets in a plurality of active Internet Protocol security sessions between the foreign agent and respective home agents of other mobile nodes that are registered with the foreign agent.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The method of claim 22 further comprising a computer readable medium having stored therein instruction for causing a processor to execute all the steps of the method.
  - 24. The method of claim 22, further comprising the steps of:
    - receiving a packet;
      
      searching the filter list to determine whether to apply Internet Protocol security processing to the packet; and
      
      processing the packet based at least in part on information included in the policy.
  - 25. The method of claim 22, further comprising the step of:
    - determining the mobile node has roamed away from the foreign network; and
      
      removing the filter from the filter list.
  - 26. The method of claim 22, wherein the policy identifies a type of Internet Protocol security encryption to use in sending packets through the virtual tunnel.
  - 27. The method of claim 22, wherein the policy specifies a lifetime of a key used in sending packets through the virtual tunnel.
  - 28. The method of claim 22, wherein the policy specifies domain of interpretation rules used to negotiate a type of service used to send packets through the virtual tunnel.
  - 29. The method of claim 22, wherein the mobile node is a wireless computer, a personal digital assistant or a mobile phone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
UTStarcom Incorporated (UTStarcom Holdings Corp.)
Inventors
Amara, Satish, Verma, Madhvi
Primary Examiner(s)
Ton, Dang
Assistant Examiner(s)
Phan, Tri H.

Application Number

US10/101,641
Time in Patent Office

1,021 Days
Field of Search

370/338, 370/400, 370/401, 455/410, 455/432.1, 455/432.3, 455/433, 455/435.1, 455/436, 455437-438, 455/439, 455/442, 713/152, 713164-171, 713/200, 709/227, 709/228, 709/229, 709/225
US Class Current

370/338
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0823   using certificates cryptogr...

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 69/22   Parsing or analysis of headers

H04W 80/04   Network layer protocols, e....

Method to provide dynamic internet protocol security policy service

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

191 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Method to provide dynamic internet protocol security policy service

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

191 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others