Network-based mobile workgroup system

DC CAFC

US 6,954,790 B2
Filed: 12/05/2000
Issued: 10/11/2005
Est. Priority Date: 12/05/2000
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A network-based mobile workgroup system comprising:

a plurality of mobile client nodes, each mobile client node providing an interface for user interaction by a mobile user;

a plurality of mobile service router nodes, each mobile service router node providing a mobile Virtual Private Network (VPN) to the mobile client nodes spanning multiple router hops and sites;

a network address identifier (NAI) with which a user of a mobile client is uniquely identified to the mobile VPN system; and

a set of firewall filters and route policies with which the workgroup is protected, wherein the mobile VPN provides each mobile client secure data access to the VPN and provides secure data access to each mobile client from within the mobile VPN, wherein a point of attachment of any mobile client node to the mobile VPN may change without affecting that mobile client node'"'"'s participation in the mobile VPN.

View all claims

6 Assignments

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A network-based mobile workgroup system has considerably wider appeal and application than normal virtual private networks in that it provides seamless mobility across a number of access technologies at the same time as it offers a granular security separation down to workgroup level. The mobile workgroup system is an access management system for mobile users with VPN and firewall functionality inbuilt. The mobile user can access the mobile workgroup system over a set of access technologies and select server resources and correspondent nodes to access pending their workgroup membership approvals. All workgroup policy rules are defined in a mobile service manager and pushed down to one or more mobile service routers for policy enforcement. The mobile service router closest to the mobile client, and being part of the mobile virtual private network, performs regular authentication checks of the mobile client during service execution. At the same time it performs traffic filtering based on the mobile user'"'"'s workgroup memberships. Together, these two components constitute an unprecedented security lock, effectively isolating a distributed workgroup into a mobile virtual private network.

525 Citations

101 Claims

1. A network-based mobile workgroup system comprising:
- a plurality of mobile client nodes, each mobile client node providing an interface for user interaction by a mobile user;
  
  a plurality of mobile service router nodes, each mobile service router node providing a mobile Virtual Private Network (VPN) to the mobile client nodes spanning multiple router hops and sites;
  
  a network address identifier (NAI) with which a user of a mobile client is uniquely identified to the mobile VPN system; and
  
  a set of firewall filters and route policies with which the workgroup is protected, wherein the mobile VPN provides each mobile client secure data access to the VPN and provides secure data access to each mobile client from within the mobile VPN, wherein a point of attachment of any mobile client node to the mobile VPN may change without affecting that mobile client node'"'"'s participation in the mobile VPN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101)
- - 2. The mobile workgroup system of claim 1, wherein the network address identifier is used to authenticate the mobile user at start and during the continuation of a network login session and wherein the firewall filters and route policies are applied to the forwarding of packets based on the mobile user'"'"'s workgroup memberships.
  - 3. The mobile workgroup system of claim 2, wherein an IP address allocated to the mobile client is tied to the network address identifier of the mobile user.
  - 4. The mobile workgroup system of claim 3, wherein the allocated IP address for each mobile client is kept stable during the duration of a network login session and used in the mobile service router as a identifier of workgroup filters to apply to a packet.
  - 5. The mobile workgroup system of claim 4, wherein a specific IP address is an IPv6 address where one portion of the address indicates mobile VPN system and another mobile client identity.
  - 6. The mobile workgroup of claim 4, wherein a specific IP address is an IPv4 address where the IP address range from which the address is selected indicates mobile VPN system.
  - 7. The mobile workgroup system of claim 4, wherein the participating nodes can communicate using intra-domain, inter-domain or remote access routing.
  - 8. The mobile workgroup system of claim 7, wherein a node first attempts to establish intra-domain routing with the mobile workgroup data network;
    - wherein inter-domain routing is attempted in case intra-domain routing is not available;
      
      wherein remote access is seen as last resort.
  - 9. The mobile workgroup system of claim 8, wherein intra-domain routing between participating nodes in a mobile VPN home network is based on flat (non-hierarchical), mobile adhoc network (MANET) routing techniques.
  - 10. The mobile workgroup system of claim 9, wherein one specific metric for route calculation is quality of service.
  - 11. The mobile workgroup system of claim 9, wherein one specific mobile adhoc routing technique includes the Topology Broadcast based on Reverse-Path Forwarding (TBRPF) protocol.
  - 12. The mobile workgroup system of claim 9, wherein one specific mobile adhoc routing technique includes the Core-Extraction Distributed Ad Hoc Routing (CEDAR) protocol.
  - 13. The mobile workgroup system of claim 9, wherein one specific mobile adhoc routing protocol technique includes the Adhoc On-demand Distance Vector (AODV) protocol.
  - 14. The mobile workgroup system of claim 9, wherein one specific mobile adhoc routing technique includes multicasting and groupcast (xcast) protocols for the purpose of sending messages to all or selected members of a workgroup.
  - 15. The mobile workgroup system of claim 14, wherein the multicast address resolution protocol is used to discover a node for subsequent unicasting of packets to same node.
  - 16. The mobile workgroup system of claim 14, wherein one specific routing algorithm to obtain lowest cost to reach a set of destinations is based on a branch and cut algorithm for solving Steiner tree problems.
  - 17. The mobile workgroup system of claim 9, further comprising routing between:
    - mobile client—
      
      mobile client;
      
      mobile client—
      
      mobile service router;
      
      mobile service router—
      
      mobile service router.
  - 18. The mobile workgroup system of claim 17, wherein multiple paths are available for routing to and from a multi-homed node.
  - 19. The mobile workgroup system of claim 18, wherein the selection of next-hop node for a route in the workgroup network is decided on;
    - a per destination basis;
      
      Quality of service preferences;
      
      Security preferences;
      
      Protocol/application type.
  - 20. The mobile workgroup system of claim 19, wherein any node (mobile client and mobile service router) may change primary point of attachment to the workgroup home network without changing IP address.
  - 21. The mobile workgroup system of claim 20, wherein changing point of attachment is treated as a routing update;
    - wherein a link-state routing update may be due to forced handoff initiated by the underlying link or IP tunneling layer technology; and
      
      wherein a change of point of attachment may be due to a volunteer handoff initiated by the intra-domain routing process when discovering a stable, new optimal route to all workgroup nodes across alternative links or IP tunnels;
      
      wherein either handoff style causes temporary replication of sent data packets from and towards the moving node over both old and new route in the mobile virtual private network.
  - 22. The mobile workgroup system of claim 21, wherein forced handoff at the link layer initiates partitioning at the routing layer in case no route is discovered during a configured interval to a subset of the workgroup nodes;
    - andwherein the discovery of a new link initiates merging of partitions at the routing layer in case nodes from both partitioning are part of the same workgroup.
  - 23. The mobile workgroup system of claim 8, wherein inter-domain routing is performed through encapsulation of intra-domain packets in a tunneling protocol between foreign and home mobile service router following a handshake via any number of AAA proxies.
  - 24. The mobile workgroup system of claim 23, further comprising:
    - authentication, authorization and accounting between foreign mobile service router and home mobile service router based on the DIAMETER protocol;
      
      authentication, authorization and accounting between foreign mobile service router and home mobile service router based on the RADIUS protocol;
      
      authentication and mobility management between the mobile client, the foreign mobile service router and the home mobile service router based on the Mobile IP protocol. payload encryption, authentication and compression between mobile client and the foreign and home mobile service router respectively using the IPSec protocol.
  - 25. The mobile workgroup system of claim 24, wherein the mobile user information data storage is separated from the home mobile service router.
  - 26. The mobile workgroup system of claim 25, wherein multiple home mobile service routers may act as AAA servers for the same user through the use of a common data storage.
  - 27. The mobile workgroup system of claim 26, wherein the selection of home mobile service router acting as DIAMETER server is based on routing information, further comprising:
    - Route preference of each mobile service router for IPv4 networks;
      
      Shared anycast address for all mobile service routers in IPv6 networks.
  - 28. The mobile workgroup system of claim 26, wherein the geographic vicinity of the mobile client with regards to available home mobile service routers is determined by the use of a spatial location protocol.
  - 29. The mobile workgroup system of claim 26, wherein the home mobile service router is kept the same at change of point of attachment in foreign domain.
  - 30. The mobile workgroup system of claim 29, wherein the selection of mobile service router is re-computed when roaming into a new foreign domain.
  - 31. The mobile workgroup system of claim 8, wherein remote access from non-workgroup aware Internet environment is allowed for both mobile client and mobile service router.
  - 32. The mobile workgroup system of claim 31, further comprising:
    - mobility service router discovery and security negotiation using the Security Policy Protocol (SPP);
      
      authentication and mobility management using the Mobile IP (MIP) protocol applied with the co-located care of address option;
      
      payload authentication, encryption and compression using the IPSec protocol.
  - 33. The mobile workgroup system of claim 32, wherein the policy server function is placed in the mobile client and the mobile service router.
  - 34. The mobile workgroup system of claim 33, wherein the security gateway is placed in the mobile service router.
  - 35. The mobile workgroup system of claim 34, wherein the node attempting mobile service router discovery sets the destination to a well-known name for the workgroup and can retrieve a set of IP addresses of available mobile service routers from the domain name system.
  - 36. The mobile workgroup system of claim 35, wherein discovery of and negotiation with intermediate security gateways is performed during the security policy protocol exchange towards the discovered mobile service router.
  - 37. The mobile workgroup system of claim 36, wherein the intra-domain routing protocol is applied on top of the remote access technique.
  - 38. The mobile workgroup system of claim 1, wherein the mobility workgroup service is provided independently of mobility services offered by a radio access technology specific network.
  - 39. The mobile workgroup system of claim 38, wherein the radio access technology specific network includes Wireless LAN and HiperLAN2.
  - 40. The mobile workgroup system of claim 38, wherein the cellular access technology specific network includes IMT-2000 based systems like UMTS and cdma2000.
  - 41. The mobile workgroup system of claim 38, wherein the data network is operated by an Internet Service Provider (ISP) utilizing a centralized mobile service manager.
  - 42. The mobile workgroup system of claim 41, wherein extranet workgroups are created through the aggregation of workgroups from different organizations in the same mobile service manager.
  - 43. The mobile workgroup system of claim 38, further comprising:
    - service access control to intranet and internet services;
      
      secure access connectivity option to neighbor node;
      
      service provisioning based on physical location;
      
      quality of service differentiation based on workgroup membership;
      
      interactive real-time communication services between workgroup members.
  - 44. The service access control service of claim 43, wherein a firewall profile is downloaded from the mobile service manager to all nodes allocated to the workgroup.
  - 45. The mobile workgroup system of claim 44, wherein Internet access is provided via any of the nodes allocated to the workgroup using Internet routing protocols.
  - 46. The mobile workgroup system of claim 45, wherein the Internet routing protocols include Open Shortest Path First (OSPF).
  - 47. The mobile workgroup system of claim 45, wherein the Internet routing protocols include Border Gateway Protocol (BGP).
  - 48. The mobile workgroup system of claim 45, wherein the route metrics from the Internet routing protocol is propagated into the workgroup intra-domain routing protocol.
  - 49. The mobile workgroup system of claim 44, wherein threshold-based scanner protection is applied in all nodes allocated to the workgroup to protect against attacks towards the workgroup data network from the Internet.
  - 50. The mobile workgroup system of claim 43, wherein every packet is authenticated and/or encrypted using the IPSec protocol.
  - 51. The mobile workgroup system of claim 43, wherein wildcards are added in the service profile when downloaded from the mobile service manager to the workgroup nodes.
  - 52. The mobile workgroup system of claim 51, wherein the mobile service router acts as a directory agent using the Service Location Protocol to discover services from local service agents.
  - 53. The mobile workgroup system of claim 51, wherein the mobile service routers allocated to a workgroup provides consistent domain names for services in the profile.
  - 54. The mobile workgroup system of claim 51, wherein the mobile service routers update their domain name service resource records with the results of the local service discovery process and the mobile clients caches correspondent resource records for later use.
  - 55. The mobile workgroup system of claim 43, wherein all workgroup members share the same quality of service profile.
  - 56. The mobile workgroup system of claim 55, wherein all nodes allocated to a workgroup applies the same quality of service profile.
  - 57. The mobile workgroup system of claim 56, wherein the quality of service differs based on application type.
  - 58. The mobile workgroup system of claim 55, wherein a distributed weighted fair queuing schema is applied among neighbor nodes.
  - 59. The mobile workgroup system of claim 58, wherein cause of packet loss due to random error on radio link is made known to the Transport Control Protocol (TCP) implementation running on the mobile client.
  - 60. The mobile workgroup system of claim 59, wherein the mobile client TCP implementation ignores packet loss due to random error when determining window size.
  - 61. The mobile workgroup system of claim 55, wherein quality of service statistics are collected from the workgroup nodes to the mobile service manager in order to follow-up service level agreements.
  - 62. The mobile workgroup system of claim 43, wherein mobile service routers maintain stable domain name resource records for all members of a workgroup and mobile clients caches such resource records for later use.
  - 63. The mobile workgroup system of claim 62, such as multimedia services wherein voice over IP is one service.
  - 64. The mobile workgroup system of claim 63, wherein the technology specific protocols include the Session Initiation Protocol (SIP).
  - 65. The mobile workgroup system of claim 64, wherein the nodes belonging to a workgroup applies a SIP filter downloaded from the mobile service manager applying encryption only to control communication.
  - 66. The mobile workgroup system of claim 63, wherein the technology specific protocols include the xcast protocol suite for small group multicasting.
  - 67. The mobile workgroup system of claim 38, wherein the security solution is based on a separation of each site of the mobile virtual private network into two parts, further comprising:
    - an access network acting as a shared media for workgroup members and non-members to access the site;
      
      a service network acting as a safe repository for workgroup server resources at the site.
  - 68. The mobile workgroup system of claim 67, wherein one or several mobile service routers perform user authentication, policy routing and packet filtering of traffic between the access and service network in a site based on a mobile user'"'"'s workgroup memberships.
  - 69. The mobile workgroup system of claim 68, wherein mobile service routers placed at the border of the mobile virtual private network also provide firewall protected interfaces to the Internet and a de-militarized zone (DMZ).
  - 70. The mobile workgroup system of claim 68, wherein the mobile IP home network for the mobile client is defined as a service network protected by one or more mobile service routers.
  - 71. The mobile workgroup system of claim 68, wherein the mobile home network for the mobile client is defined as a virtual home network hosted by one or several mobile service routers.
  - 72. The mobile workgroup system of claim 69, wherein a three tier security architecture is defined, further comprising:
    - a mobile virtual private network tier encompassing service and access networks at each mobile VPN site as well as the tunnels connecting the sites;
      
      a workgroup network tier protecting the workgroup peer-to-peer and client-server traffic in the mobile VPN from attacks;
      
      a service network tier protecting workgroup servers at a single mobile VPN site against attacks as well as separating specific workgroup applications from each other using virtual local area networks.
  - 73. The mobile workgroup system of claim 72, wherein the entry barrier to the mobile VPN Tier is a one-way network address translation (NAT) gateway for Internet traffic and an IPSec-based tunnel limited by at least protocol type and source IP addresses.
  - 74. The mobile workgroup system of claim 72, wherein a mobile client is required to go through a user authentication and a per packet workgroup filtering in order to enter the workgroup network.
  - 75. The mobile workgroup system of claim 74, wherein the workgroup filtering includes functions like static packet filtering.
  - 76. The mobile workgroup system of claim 74, wherein the workgroup filtering includes functions like dynamic packet filtering.
  - 77. The mobile workgroup system of claim 74, wherein the workgroup filtering includes functions like application level proxy filtering.
  - 78. The mobile workgroup system of claim 72, wherein a packet filter controls the entrance to the service network using site-local application restrictions and optional end-to-end secure socket layer (SSL) or similar cryptographic associations.
  - 79. The mobile workgroup system of claim 67, wherein the closest mobile service router can push security policy information, extracted from an external source, to a mobile client.
  - 80. The mobile workgroup system of claim 67, wherein the closest mobile service router extracts security policy information that is dynamically obtained during the registration of a mobile client, and thereafter enforce the security policy received.
  - 81. The mobile workgroup system of claim 38, wherein the closest mobile service router acts as DHCP server for the subsequent workgroup home network configuration of the node.
  - 82. The mobile workgroup system of claim 81, wherein the node is configured based on client id=network address identifier and user class=workgroup.
  - 83. The mobile workgroup system of claim 82, wherein the node can be configured with:
    - IP address(es) Subnet mask(s) Broadcast address(es) Host name Domain name Domain Name Server Time offset Servers (e.g. SMTP, POP, WWW, DNSINIS, LPR, syslog, WINS, NTP) Mobile Service Router(s) Router discovery options Service Location Protocol Directory Agent Static routes MTU Default TTL Source routing options IP Forwarding enable/disable PMTU options ARP cache timeout X Windows options NIS options NetBIOS options Vendor-specific options.
  - 84. The mobile workgroup system of claim 83, wherein a set of mobile service routers allocated to a workgroup share DHCP schema tree, address pool and fail-over support.
  - 85. The mobile workgroup system of claim 38, wherein the reachability of the mobile client is ensured via the Dynamic DNS protocol.
  - 86. The mobile workgroup system of claim 38, further comprising a self-service management window for mobile users and workgroup administrators to control workgroup profiles and exchange information.
  - 87. The mobile workgroup system of claim 86, wherein the mobile service router redirects a request for the browser default web page to said self-service management portal.
  - 88. The mobile workgroup system of claim 87, wherein the workgroup administrator can define workgroup based on available service policies and mobile service routers.
  - 89. The mobile workgroup system of claim 88, wherein the mobile user can request and the workgroup administrator can accept workgroup membership.
  - 90. The mobile workgroup system of claim 89, wherein the workgroup administrator can import mobile user data of members from external user directory.
  - 91. The mobile workgroup system of claim 90, wherein the workgroup administrator can provide further information in the form of links to downloadable scripts and software packages applicable to the workgroup.
  - 92. The mobile workgroup system of claim 91, wherein the mobile user can personalize his own profile.
  - 93. The mobile workgroup system of claim 38, wherein the mobile service manager imprints a physically secured security key for each mobile user and network administrator to use within the workgroup through the physical insertion into the mobile service manager management port.
  - 94. The mobile workgroup system of claim 93, wherein the mobile service manager can reprint the physically secured security key.
  - 95. The mobile workgroup system of claim 94, wherein the mobile service manager may imprint policies into the physically secured security key for delegating partial control for self-service management to mobile clients.
  - 96. The mobile workgroup system of claim 95, wherein the physically secured security key includes shared secrets for authentication and encryption of control and payload traffic towards other nodes in the mobile workgroup system.
  - 97. The mobile workgroup system of claim 95, wherein the physically secured security key includes certificates, private and public keys for authentication and encryption of control and payload traffic towards other nodes in or outside the mobile workgroup system.
  - 98. The mobile workgroup system of claim 95, wherein the mobile user and network administrator also is given a PIN code for accessing the security key.
  - 99. The mobile workgroup system of claim 98, wherein the mobile user plugs the security key into the management port of the node'"'"'s hardware and opens it up for use by entering the PIN code on the control panel.
  - 100. The mobile workgroup system of claim 99, wherein manual typing of security keys into mobile client control panel is available as fallback alternative.
  - 101. The mobile workgroup system of claim 100, wherein a secure intra-domain link, inter-domain mobile IP tunnel or remote access tunnel can be established between the node and another node belonging to the same workgroup based solely on the information stored in the security keys.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Longhorn HD LLC (Alpha Alpha Intellectual Partners LLC)
Original Assignee
Interactive People Unplugged AB
Inventors
Forslöw, Jan
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
Alam, Uzma

Application Number

US09/729,199
Publication Number

US 20020069278A1
Time in Patent Office

1,771 Days
Field of Search

709/203, 709/224, 709/227, 709/204, 709/205, 709/229, 370/328, 370/397, 370/352, 370/401, 370/329, 455/555, 455/554.1, 455/461, 455/554, 455/414
US Class Current

709/227
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/0272   Virtual private networks

H04W 80/04   Network layer protocols, e....

Network-based mobile workgroup system

First Claim

6 Assignments

Litigations

1 Petition

Accused Products

Abstract

525 Citations

101 Claims

Specification

Solutions

Use Cases

Quick Links

Network-based mobile workgroup system

First Claim

6 Assignments

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

525 Citations

101 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links