Telecommunications system and method for communicating internet packets between an external packet data communications network and a packet radio network

US 7,860,037 B2
Filed: 05/17/2004
Issued: 12/28/2010
Est. Priority Date: 06/16/2003
Status: Active Grant

First Claim

Patent Images

1. A telecommunications system for communicating internet packets between a mobile communications user equipment forming a correspondent node and a mobile node via an external packet data communications network, the system comprising:

a packet radio network operable to provide a plurality of packet data bearers for communicating the internet packets with nodes attached to the packet radio network, each of the bearers being defined with respect to a source address of the internet packets, the packet radio network including a gateway support node operable to provide an interface between the external network and the packet radio network, whereinthe gateway support node is operableto detect whether an internet packet is for providing a binding update to the correspondent node of a first source address of the mobile node to a care-of-address of the mobile node, and if the internet packet is a binding update,to confirm the care of address as a legitimate destination address of the mobile node, andto allow egress of internet packets sent from the correspondent node having the care-of-address of the mobile node as the destination address from the gateway support node to the external network if the care of address is legitimate and block any internet packets sent from the correspondent node using a destination address which is not legitimate;

wherein the gateway support node includes a security function operable to control the egress of the internet packets from the packet radio network by comparing the destination address of the internet packet sent from the correspondent node with a list of legitimate destination addresses stored in a data store, the security function allowing egress of the internet packet from the packet radio network if the destination address of the internet packet appears in the list, and otherwise dropping the internet packet, the care-of-address of the mobile node being added to the list upon detecting the binding update.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A telecommunications system for communicating internet packets between a correspondent node and a mobile node. The system comprises a packet radio network providing packet data bearers for communicating internet packets with nodes. Each of the bearers is defined with respect to a source address of the internet packets, the packet radio network including a gateway support node (GGSN) to provide an interface between the external network and the packet radio network. The GGSN detects whether an internet packet is for providing a binding update to the correspondent node of a first source address of the mobile node to a care-of-address of the mobile node. If the internet packet is a binding update, the GGSN allows egress of internet packets sent from the correspondent node. By allowing egress of packets from the correspondent node having this care-of-address as the destination address, a measure of security is provided.

30 Citations

View as Search Results

44 Claims

1. A telecommunications system for communicating internet packets between a mobile communications user equipment forming a correspondent node and a mobile node via an external packet data communications network, the system comprising:
- a packet radio network operable to provide a plurality of packet data bearers for communicating the internet packets with nodes attached to the packet radio network, each of the bearers being defined with respect to a source address of the internet packets, the packet radio network including a gateway support node operable to provide an interface between the external network and the packet radio network, whereinthe gateway support node is operableto detect whether an internet packet is for providing a binding update to the correspondent node of a first source address of the mobile node to a care-of-address of the mobile node, and if the internet packet is a binding update,to confirm the care of address as a legitimate destination address of the mobile node, andto allow egress of internet packets sent from the correspondent node having the care-of-address of the mobile node as the destination address from the gateway support node to the external network if the care of address is legitimate and block any internet packets sent from the correspondent node using a destination address which is not legitimate;
  
  wherein the gateway support node includes a security function operable to control the egress of the internet packets from the packet radio network by comparing the destination address of the internet packet sent from the correspondent node with a list of legitimate destination addresses stored in a data store, the security function allowing egress of the internet packet from the packet radio network if the destination address of the internet packet appears in the list, and otherwise dropping the internet packet, the care-of-address of the mobile node being added to the list upon detecting the binding update.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The telecommunications system as claimed in claim 1, wherein the gateway support node is operable to associate the care-of-address with the first source address to the effect that the egress of the internet data packets is allowed in accordance with the egress of internet packets which is allowed for the first source address.
  - 3. The telecommunications system as claimed in claim 2, wherein the first source address is a home address of the mobile node.
  - 4. The telecommunications systems as claimed in claim 3, wherein the internet packet sent from the correspondent node includes the home address of mobile node in an extension field of the header and the care-of-address of the mobile node in the destination address field, and the gate way support node is operable to allow the internet packet to egress from the packet radio network to the external network if both the care-of-address of the mobile node and the home address of the mobile node are legitimate addresses.
  - 5. The telecommunications systems as claimed in claim 2, wherein the internet packet sent from the correspondent node includes the home address of mobile node in an extension field of the header and the care-of-address of the mobile node in the destination address field, and the gate way support node is operable to allow the internet packet to egress from the packet radio network to the external network if both the care-of-address of the mobile node and the home address of the mobile node are legitimate addresses.
  - 6. The telecommunications systems as claimed in claim 1, wherein the internet packet sent from the correspondent node includes the home address of mobile node in an extension field of the header and the care-of-address of the mobile node in the destination address field, and the gate way support node is operable to allow the internet packet to egress from the packet radio network to the external network if both the care-of-address of the mobile node and the home address of the mobile node are legitimate addresses.
  - 7. The telecommunications system as claimed in claim 6, wherein the extension header field is hop-by-hop field as defined in accordance with an Extension Header Type 2 of Ipv6.
  - 8. The telecommunications system as claimed in claim 1, wherein the care-of-address is associated with the first source address if the care-of-address is confirmed as a legitimate address.
  - 9. The telecommunications system as claimed in claim 8, wherein the gateway support node is operable to confirm that the care-of-address is a legitimate address by monitoring internet packets sent from the correspondent node to the mobile node, andupon detecting a binding update acknowledgment from the mobile node that the care-of-address has been accepted,confirming that the care-of-address of the mobile node is a legitimate address, and thereafter allowing the internet packets to egress from the gateway support node.
  - 10. The telecommunications system as claimed in claim 1, wherein the gateway support node is operable to confirm that the care-of-address is a legitimate address by monitoring internet packets sent from the correspondent node to the mobile node, andupon detecting a binding update acknowledgment from the mobile node that the care-of-address has been accepted,confirming that the care-of-address of the mobile node is a legitimate address, and thereafter allowing the internet packets to egress from the gateway support node.
  - 11. The telecommunications system as claimed in claim 1, wherein the gateway support node is operable to confirm that the care-of-address is a legitimate address by performing a reverse routability confirmation with the mobile node.
  - 12. The telecommunications system as claimed in claim 1, wherein the gateway support node includes a traffic controller operableto compare the first source address in the internet protocol header received from the mobile node via the external network with a plurality source addresses for which the plurality of bearers have been established,to communicate the internet packet to the correspondent node via the appropriate bearer corresponding to the first source address, if a bearer has been established for the first source address,to determine whether an internet packet received from the mobile node is the binding update, and if the internet packet is the binding update, the associating the care-of-address with the first source address includes associating the care-of-address of the mobile node with the packet data bearer defined with respect to the first source address.
  - 13. The telecommunications system as claimed in claim 12, wherein the traffic controller is operable to associate the care-of-address of the mobile node with the first source address by communicating the care-of-address to the security function, the security function being operable to update the list of legitimate destination addresses to include the care-of address of the mobile node.
  - 14. The telecommunications system as claimed in claim 1, wherein the packet radio network is a General Packet Radio System network and the gateway support node is a GPRS Gateway Support Node.
  - 15. The telecommunications system as claimed in claim 14, wherein the traffic controller is a Traffic Flow Template controller operable in accordance with a GPRS standard.
  - 16. The telecommunications system as claimed in claim 15, wherein the security function is effected by a Service Based Local Policy controller operable in accordance with the GPRS standard.
  - 17. The telecommunications system as claimed in claim 14, wherein the security function is effected by a Service Based Local Policy controller operable in accordance with the GPRS standard.

18. A gateway support node for communicating internet packets between an external packet data communications network and a packet radio network, the packet radio network providing a plurality of packet data bearers for communicating the internet packets, each of the bearers being defined with respect to a source address of the internet packets, wherein the gateway support node is operableto detect whether an internet packet is for providing a binding update to the correspondent node of a first source address of the mobile node to a care-of-address of the mobile node, and if the internet packet is a binding update,to confirm the care of address as a legitimate destination address of the mobile node, andto allow egress of internet packets sent from the correspondent node having the care-of-address of the mobile node as the destination address from the gateway support node to the external network if the care of address is legitimate and block any internet packets sent from the correspondent node using a destination address which is not legitimate;
- wherein the gateway support node includes a security function operable to control the egress of the internet packets from the packet radio network by comparing the destination address of an internet packet sent from the correspondent node with a list of legitimate destination addresses stored in a data store, the security function allowing the egress of the internet packet from the packet radio network if the destination address of the internet packet appears in the list, and otherwise dropping the internet packet, wherein the care-of-address of the mobile node is added to the list, upon detecting the binding update.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 19. The gateway support node as claimed in claim 18, wherein the gateway support node is operable to associate the care-of-address with the first source address to the effect that the egress of the internet data packets is allowed in accordance with the egress of internet packets which is allowed for the first source address.
  - 20. The gateway support node as claimed in claim 19, wherein the first source address is a home address of the mobile node.
  - 21. The gateway support node as claimed in claim 20 wherein the internet packet sent from the correspondent node includes the home address of the mobile node in the extension field of the header and the care-of-address of the mobile node in the destination address field, and the gate way support node is operable to allow the internet packet to egress from the packet radio network to the external network if both the care-of-address of the mobile node and the home address of the mobile node are legitimate addresses.
  - 22. The gateway support node as claimed in claim 19 wherein the internet packet sent from the correspondent node includes the home address of the mobile node in the extension field of the header and the care-of-address of the mobile node in the destination address field, and the gate way support node is operable to allow the internet packet to egress from the packet radio network to the external network if both the care-of-address of the mobile node and the home address of the mobile node are legitimate addresses.
  - 23. The gateway support node as claimed in claim 18, wherein the internet packet sent from the correspondent node includes the home address of the mobile node in the extension field of the header and the care-of-address of the mobile node in the destination address field, and the gate way support node is operable to allow the internet packet to egress from the packet radio network to the external network if both the care-of-address of the mobile node and the home address of the mobile node are legitimate addresses.
  - 24. The gateway support node as claimed in claim 18, wherein the care-of-address is associated with the first source address if the care-of-address is confirmed as a legitimate address, and otherwise not associating the care-of-address with the source address.
  - 25. The gateway support node as claimed in claim 24, wherein the gateway support node is operable to confirm that the care-of-address is a legitimate address by monitoring the internet packet data sent from the mobile node to the correspondent node, andupon detecting a binding update acknowledgment from the mobile node that the care-of-address has been accepted,confirming that the care-of-address of the mobile node is a legitimate address, andthereafter allowing the internet packets to egress from the gateway support node.
  - 26. The gateway support node as claimed in claim 18, wherein the gateway support node is operable to confirm that the care-of-address is a legitimate address by monitoring the internet packet data sent from the mobile node to the correspondent node, andupon detecting a binding update acknowledgment from the mobile node that the care-of-address has been accepted,confirming that the care-of-address of the mobile node is a legitimate address, andthereafter allowing the internet packets to egress from the gateway support node.
  - 27. The gateway support node as claimed in claim 18, wherein the gateway support node is operable to confirm that the care-of-address is a legitimate address by performing a reverse routability confirmation with the mobile node.
  - 28. The gateway support node as claimed in claim 18, including a traffic controller operableto compare the first source address in the internet protocol header received from the mobile node via the external network with a plurality source addresses for which the plurality of bearers have been established,to communicate the internet packet to the correspondent node via the appropriate bearer corresponding to the first source address, if a bearer has been established for the first source address,to determine whether an internet packet received from the mobile node is the binding update, and if the internet packet is the binding updateto associate the care-of-address of the mobile node with the packet data bearer defined with respect to the first source address.
  - 29. The gateway support node as claimed in claim 28, wherein the traffic controller is operable to associate the care-of-address of the mobile node with the first source address by communicating the care-of-address to the security function, the security function being operable to update the list of legitimate destination addresses to include the care-of-address of the mobile node.

30. A method of communicating internet packets between an external packet data communications network and a packet radio network, the packet radio network providing a plurality of packet data bearers for communicating internet packets, each of the bearers being defined with respect to a source address of the internet packets, the method comprising:
- detecting whether an internet packet is for providing a binding update to a correspondent node of a first source address of a mobile node to a care-of-address of the mobile node, and if the internet packet is a binding update,confirming the care of address as a legitimate destination address of the mobile node, andallowing egress of internet packets sent from the correspondent node having the care-of-address of the mobile node as the destination address from the packet radio network to the external network if the care of address is legitimate and blocking any internet packets sent from the correspondent node using an unauthorized address which is not legitimate by;
  
  comparing the destination address of an internet packet sent from the correspondent node with a list of legitimate destination addresses stored in a data store,allowing the egress of the internet packet from the packet radio network if the destination address of the internet packet appears in the list, andotherwise dropping the internet packet, wherein the care-of-address of the mobile node is added to the list upon detecting the binding update.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 31. The method as claimed in claim 30, comprisingassociating the care-of-address with the first source address to the effect that the egress of the internet data packets is allowed in accordance with the egress of internet packets allowed for the first source address.
  - 32. The method as claimed in claim 31, wherein the first source address is the home address of the mobile node.
  - 33. The method as claimed in claim 32 wherein the internet packet sent from the correspondent node includes the home address of the mobile node in the extension field of the header and the care-of-address of the mobile node in the destination address field, the allowing the internet packet to egress to the external network includesallowing the internet packet to egress from the packet radio network to the external network if both the care-of-address of the mobile node and the home address of the mobile node are legitimate addresses.
  - 34. The method as claimed in claim 32, comprisingconfirming that the care-of-address of the mobile node is a legitimate address for the mobile node before allowing the egress of internet packets in accordance with the destination address.
  - 35. The method as claimed in claim 31, wherein the confirming comprises associating the care-of-address with the first source address if the care-of-address is confirmed as a legitimate address.
  - 36. The method as claimed in claim 35, wherein the confirming comprisesconfirming that the care-of-address is a legitimate address by monitoring internet packets sent from the mobile node to the correspondent node, andupon detecting a binding update acknowledgment from the mobile node that the care-or-address has been accepted,confirming that the care-or-address of the mobile node is a legitimate address, andthereafter allowing the internet packets to egress from the gateway support node.
  - 37. The method as claimed in claim 31, wherein the confirming comprisesconfirming that the care-of-address is a legitimate address by monitoring internet packets sent from the mobile node to the correspondent node, andupon detecting a binding update acknowledgment from the mobile node that the care-or-address has been accepted,confirming that the care-or-address of the mobile node is a legitimate address, andthereafter allowing the internet packets to egress from the gateway support node.
  - 38. The method as claimed in claim 37, wherein the confirming that the care-of-address is a legitimate address comprisesperforming a reverse routability confirmation with the mobile node.
  - 39. The method as claimed in claim 31 wherein the internet packet sent from the correspondent node includes the home address of the mobile node in the extension field of the header and the care-of-address of the mobile node in the destination address field, theallowing the internet packet to egress to the external network includes allowing the internet packet to egress from the packet radio network to the external network if both the care-of-address of the mobile node and the home address of the mobile node are legitimate addresses.
  - 40. The method as claimed in claim 30, wherein the internet packet sent from the correspondent node includes the home address of the mobile node in the extension field of the header and the care-of-address of the mobile node in the destination address field, the allowing the internet packet to egress to the external network includesallowing the internet packet to egress from the packet radio network to the external network if both the care-of-address of the mobile node and the home address of the mobile node are legitimate addresses.
  - 41. The method for communicating internet packet data as claimed in claim 30, wherein the packet radio network is a General Packet Radio System network and the gateway support node is a GPRS Gateway Support Node.

42. A computer program providing computer executable instructions, the computer program loaded on to a data processor configuring the data processor to operate as a gateway support nodefor communicating internet packets between an external packet data communications network and a packet radio network, the packet radio network providing a plurality of packet data bearers for communicating the internet packets, each of the bearers being defined with respect to a source address of the internet packets, wherein the gateway support node is operableto detect whether an internet packet is for providing a binding update to the correspondent node of a first source address of the mobile node to a care-of-address of the mobile node, and if the internet packet is a binding update,to confirm the care of address as a legitimate destination address of the mobile node, andto allow egress of internet packets sent from the correspondent node having the care-of-address of the mobile node as the destination address from the gateway support node to the external network if the care of address is legitimate and block any internet packets sent from the correspondent node using a destination address which is not legitimate;
- wherein the gateway support node includes a security function operable to control the egress of the internet packets from the packet radio network by comparing the destination address of the internet packet sent from the correspondent node with a list of legitimate destination addresses stored in a data store, the security function allowing egress of the internet packet from the packet radio network if the destination address of the internet packet appears in the list, and otherwise dropping the internet packet, the care-of-address of the mobile node being added to the list upon detecting the binding update.

43. A computer program having computer executable instructions, the computer program loaded on to a data processor causing the data processor to perform a method comprising:
- communicating internet packets between an external packet data communications network and a packet radio network, the packet radio network providing a plurality of packet data bearers for communicating internet packets, each of the bearers being defined with respect to a source address of the internet packets, the method comprisingdetecting whether an internet packet is for providing a binding update to the correspondent node of a first source address of the mobile node to a care-of-address of the mobile node, and if the internet packet is a binding update,confirming the care of address as a legitimate destination address of the mobile node, andallowing egress of internet packets sent from the correspondent node having the care-of-address of the mobile node as the destination address from the packet radio network to the external network if the care of address is legitimate and blocking any internet packets sent from the correspondent node using a destination address which is not legitimate by;
  
  comparing the destination address of an internet packet sent from the correspondent node with a list of legitimate destination addresses stored in a data store,allowing the egress of the internet packet from the packet radio network if the destination address of the internet packet appears in the list, andotherwise dropping the internet packet, wherein the care-of-address of the mobile node is added to the list upon detecting the binding update.

44. A telecommunications system for communicating internet packets between a mobile communications user equipment forming a correspondent node and a mobile node via an external packet data communications network, the system comprising:
- a packet radio network operable to provide a plurality of packet data bearers for communicating the internet packets with nodes attached to the packet radio network, each of the bearers being defined with respect to a source address of the internet packets, the packet radio network including a gateway support node operable to provide an interface between the external network and the packet radio network, whereinthe gateway support node is operableto detect whether an internet packet is for providing a binding update to the correspondent node of a first source address of the mobile node to a care-of-address of the mobile node, and if the internet packet is a binding update,to confirm a hop-by-hop field contains a legitimate care-of-address and the source address contains a legitimate address of the mobile node, andto allow egress of internet packets sent from the correspondent node having the care-of-address of the mobile node as the destination address from the gateway support node to the external network if the hop-by-hop field contains the legitimate care-of-address and the source address contains the legitimate address and block any internet packets sent from the correspondent node using a destination address which is not legitimate;
  
  wherein the gateway support node includes a security function operable to control the egress of the internet packets from the packet radio network by comparing the destination address of the internet packet sent from the correspondent node with a list of legitimate destination addresses stored in a data store, the security function allowing egress of the internet packet from the packet radio network if the destination address of the internet packet appears in the list, and otherwise dropping the internet packet, the care-of-address of the mobile node being added to the list upon detecting the binding update.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
3G Licensing S.A. (Fineur International S.A.)
Original Assignee
Orange S.A.
Inventors
Chen, Xiaobao
Primary Examiner(s)
Pérez-Gutiérrez; Rafael
Assistant Examiner(s)
Arevalo; Joseph

Application Number

US10/560,915
Publication Number

US 20080117841A1
Time in Patent Office

2,416 Days
Field of Search

370/338, 370/349, 370/395.52, 370/367, 370/902, 370/466, 370/329, 370/401, 370/400, 370/497, 370/328, 709/236, 709/249, 455/435.1, 455/414.1, 455/466, 455/439, 455/440
US Class Current

370/310
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/14   for detecting or protecting...

H04L 69/161   Implementation details of T...

H04W 12/126   Anti-theft arrangements, e....

H04W 40/02   Communication route or path...

H04W 8/26   Network addressing or numbe...

H04W 80/04   Network layer protocols, e....

H04W 88/10   adapted for operation in mu...

H04W 88/16   Gateway arrangements

Y10S 370/902   Packet switching

Telecommunications system and method for communicating internet packets between an external packet data communications network and a packet radio network

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Telecommunications system and method for communicating internet packets between an external packet data communications network and a packet radio network

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links