Methods and apparatus for securing proxy Mobile IP

US 7,505,432 B2
Filed: 04/28/2003
Issued: 03/17/2009
Est. Priority Date: 04/28/2003
Status: Expired due to Fees

First Claim

Patent Images

1. In a network device supporting Mobile IP, a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:

receiving a packet from the node, the packet including a source MAC address and a source IP address, wherein the packet is not a registration request;

ascertaining whether the source MAC address is in a table identifying one or more source MAC addresses; and

composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in the table, wherein the node does not support Mobile IP, wherein composing a registration request comprises appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An invention is disclosed that enables proxy Mobile IP registration to be performed in a secure manner. Various security mechanisms may be used independently, or in combination with one another, to authenticate the identity of a node during the registration process. First, an Access Point receiving a packet from a node verifies that the source MAC address identified in the packet is in the Access Point'"'"'s client association table. In addition, as a second mechanism, the Access Point (or Foreign Agent) ensures that a one-to-one mapping exists for the source MAC address and source IP address identified in the packet. As a third mechanism, a binding is not modified in the mobility binding table maintained by the Home Agent unless there is a one-to-one mapping in the mobility binding table between the source MAC address and the source IP address.

147 Citations

32 Claims

1. In a network device supporting Mobile IP, a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- receiving a packet from the node, the packet including a source MAC address and a source IP address, wherein the packet is not a registration request;
  
  ascertaining whether the source MAC address is in a table identifying one or more source MAC addresses; and
  
  composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in the table, wherein the node does not support Mobile IP, wherein composing a registration request comprises appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in a table comprises:
    - when it is ascertained that the source MAC address is in the table, composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node, wherein the table is a client association table.
  - 3. The method as recited in claim 2, wherein the table is a client association table.
  - 4. The method as recited in claim 1, further comprising:
    - ascertaining whether a mapping between the source MAC address and the source IP address exists in a mapping table.
  - 5. The method as recited in claim 4, wherein the table is the mapping table, wherein composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in the table further comprises:
    - when it is ascertained that the mapping between the source MAC address and the source IP address exists in the mapping table, composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.
  - 6. The method as recited in claim 4, wherein composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in a table further compriseswhen it is ascertained that the mapping between the source MAC address and the source IP address exists in the mapping table and when it is ascertained that the source MAC address is in the table, composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node, wherein the table is a client association table.
  - 7. The method as recited in claim 4, further comprising:
    - ascertaining whether the mapping table includes an entry for the source IP address; and
      
      updating the mapping table with a mapping between the source MAC address and the source IP address when it is ascertained that the mapping table does not include an entry for the source IP address.
  - 8. The method as recited in claim 1, wherein the table is a client association table.
  - 9. The method as recited in claim 1, wherein composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in a table comprises:
    - when it is ascertained that the source MAC address is not in the table, not composing a registration request on behalf of the node, wherein the table is a client association table.

10. A network device supporting Mobile IP, comprising:
- a processor; and
  
  a memory, at least one of the processor or the memory being adapted for;
  
  receiving a packet from the node, the packet including a source MAC address and a source IP address, wherein the packet is not a registration request;
  
  ascertaining whether the source MAC address is in a table identifying one or more source MAC addresses; and
  
  composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in the table, wherein the node does not support Mobile IP, wherein composing a registration request comprises appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The network device as recited in claim 10, wherein composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in a table comprises:
    - when it is ascertained that the source MAC address is in the table, composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node, wherein the table is a client association table.
  - 12. The network device as recited in claim 10, at least one of the processor or the memory being further adapted for:
    - ascertaining whether a mapping between the source MAC address and the source IP address exists in a mapping table.
  - 13. The network device as recited in claim 12, wherein the table is the mapping table, wherein composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in the table further comprises:
    - when it is ascertained that the mapping between the source MAC address and the source IP address exists in the mapping table, composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.
  - 14. The network device as recited in claim 12, wherein composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in a table further comprises:
    - when it is ascertained that the mapping between the source MAC address and the source IP address exists in the mapping table and when it is ascertained that the source MAC address is in the table, composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node, wherein the table is a client association table.
  - 15. The network device as recited in claim 12, at least one of the processor or the memory being further adapted for:
    - ascertaining whether the mapping table includes an entry for the source IP address; and
      
      updating the mapping table with a mapping between the source MAC address and the source IP address when it is ascertained that the mapping table does not include an entry for the source IP address.
  - 16. The network device as recited in claim 10, wherein the table is a client association table.
  - 17. The network device as recited in claim 10, wherein the network device is an Access Point.
  - 18. The network device as recited in claim 10, wherein composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in a table comprises:
    - when it is ascertained that the source MAC address is not in the table, not composing a registration request on behalf of the node, wherein the table is a client association table.

19. In a network device supporting Mobile IP, a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- receiving a packet from the node, the packet including a source MAC address and a source IP address, wherein the packet is not a registration request;
  
  ascertaining whether the source MAC address is in a client association table identifying one or more source MAC addresses; and
  
  composing and sending a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in the client association table, wherein the node does not support Mobile IP, wherein composing a registration request includes appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.
- View Dependent Claims (20, 21)
- - 20. The method as recited in claim 19, wherein composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in the client association table comprises:
    - composing a registration request if it is ascertained that the source MAC address is in the client association table.
  - 21. The method as recited in claim 19, wherein composing a registration request including a home address field including the source IP address on behalf of the node according to whether the source MAC address is in the client association table comprises:
    - not composing a registration request if it is ascertained that the source MAC address is not in the client association table.

22. In a network device supporting Mobile IP, a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- receiving a packet from the node, the packet including a source MAC address and a source IP address, wherein the packet is not a registration request;
  
  ascertaining whether a one-to-one mapping between the source MAC address and the source IP address exists in a mapping table; and
  
  composing and sending a registration request having a home address field including the source IP address on behalf of the node according to whether a one-to-one mapping between the source MAC address and the source IP address exists in the mapping table, wherein the node does not support Mobile IP, wherein composing a registration request includes appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.
- View Dependent Claims (23, 24)
- - 23. The method as recited in claim 22, wherein composing a registration request having a home address field including the source IP address on behalf of the node according to whether a one-to-one mapping between the source MAC address and the source IP address exists in the mapping table comprises:
    - determining whether an entry for the node exists in the mapping table; and
      
      if an entry for the node exists in the mapping table and it is ascertained that a one-to-one mapping between the source MAC address and the source IP address exists in the mapping table, composing a registration request including a home address field including the source IP address and sending the registration request, thereby performing proxy registration on behalf of the node.
  - 24. The method as recited in claim 22, wherein composing a registration request having a home address field including the source IP address on behalf of the node according to whether a one-to-one mapping between the source MAC address and the source IP address exists in the mapping table comprises:
    - determining whether an entry for the node exists in the mapping table; and
      
      if an entry for the node exists in the mapping table and it is ascertained that a one-to-one mapping between the source MAC address and the source IP address does not exist in the mapping table, not composing a registration request including a home address field including the source IP address.

25. In a network device supporting Mobile IP, a method of authenticating a node prior to performing proxy registration on behalf of the node, comprising:
- receiving a packet from the node, the packet including a source MAC address and a source IP address, wherein the packet is not a registration request;
  
  ascertaining whether the source MAC address is in a client association table identifying one or more source MAC addresses;
  
  determining whether an entry that exists for the node in a mapping table indicates a one-to-one mapping between the source MAC address and the source IP address; and
  
  composing and sending a registration request having a home address field including the source IP address on behalf of the node if it is determined that an entry that exists for the node in the mapping table indicates a one-to-one mapping between the source MAC address and the source IP address and it is ascertained that the source MAC address is in the client association table, wherein the node does not support Mobile IP, wherein composing a registration request includes appending a MAC address extension to the registration request, the MAC address extension including the source MAC address.
- View Dependent Claims (26)
- - 26. The method as recited in claim 25, wherein a registration request is not composed and sent if it is determined that an entry that exists for the node in the mapping table does not indicate a one-to-one mapping between the source MAC address and the source IP address or it is ascertained that the source MAC address is not in the client association table.

27. In a Home Agent, a method, comprising:
- receiving a registration request, the registration request including a source MAC address and a source IP address of a node;
  
  determining whether an entry that exists for the node in a mapping table indicates a one-to-one mapping between the source MAC address and the source IP address;
  
  registering the node with the Home Agent if it is determined that an entry that exists for the node in the mapping table indicates a one-to-one mapping between the source MAC address and the source IP address; and
  
  composing and sending a registration reply including the source IP address and the source MAC address, wherein the registration reply includes an extension that includes the source MAC address.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The method as recited in claim 27, wherein the node does not support Mobile IP.
  - 29. The method as recited in claim 27, wherein the registration request includes an extension that includes the source MAC address.
  - 30. The method as recited in claim 27, wherein registering the node with the Home Agent comprises updating a mobility binding table with an entry for the node.
  - 31. The method as recited in claim 27, wherein the registration request is ignored if an entry that exists for the node in the mapping table does not indicate a one-to-one mapping between the source MAC address and the source IP address.

32. A Home Agent, comprising:
- a processor; and
  
  a memory, at least one of the processor or the memory being adapted for;
  
  receiving a registration request, the registration request including a source MAC address and a source IP address of a node;
  
  determining whether an entry that exists for the node in a mapping table indicates a one-to-one mapping between the source MAC address and the source IP address;
  
  registering the node with the Home Agent if it is determined that an entry that exists for the node in the mapping table indicates a one-to-one mapping between the source MAC address and the source IP address; and
  
  composing and sending a registration reply including the source IP address and the source MAC address, wherein the registration reply includes an extension that includes the source MAC address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Leung, Kent K., Dommety, Gopal
Primary Examiner(s)
Chan; Wing F
Assistant Examiner(s)
Choi; Eunsook

Application Number

US10/426,106
Publication Number

US 20040213260A1
Time in Patent Office

2,150 Days
Field of Search

370/389
US Class Current

370/331
CPC Class Codes

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 61/5084   Providing for device mobili...

H04L 63/0281   Proxies

H04L 63/1466   Active attacks involving in...

H04L 69/329   in the application layer [O...

H04W 12/062   Pre-authentication

H04W 12/122   Counter-measures against at...

H04W 12/126   Anti-theft arrangements, e....

H04W 60/00   Affiliation to network, e.g...

H04W 8/26   Network addressing or numbe...

H04W 80/04   Network layer protocols, e....

H04W 88/08   Access point devices

H04W 88/182   Network node acting on beha...

Methods and apparatus for securing proxy Mobile IP

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

147 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus for securing proxy Mobile IP

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links