System and method to support networking functions for mobile hosts that access multiple networks
First Claim
1. A method of routing packets between a first network access device and a second network access device, the method being performed at a secure mobility gateway having an internet interface and an intranet interface, comprising:
receiving an encapsulated internet protocol-in-user datagram protocol packet having an internet protocol packet sent from the first network access device to the second network access device through the internet interface, the internet protocol packet being encrypted;
locating a mobile status record for the first network access device;
verifying the encapsulated internet protocol-in-user datagram protocol packet based on a parameter contained in the internet protocol-in-user datagram protocol packet and, if the parameter is valid, then updating the mobile status record by replacing a current care-of internet protocol address in the mobile status record with an outer source internet protocol address of the encapsulated internet protocol-in-user datagram protocol packet, replacing a current interface in the mobile status record with the internet interface if the current interface is the intranet interface for the first network access device, and replacing a packet sequence number for the first network access device in the mobile status record with the packet sequence number of the encapsulated internet protocol-in-user datagram protocol packet for the first network access device, if the packet sequence number of the encapsulated internet protocol-in-user datagram protocol packet is greater than a current packet sequence number stored in the mobile status record;
decapsulating the encapsulated internet protocol-in-user datagram protocol packet;
decrypting the internet protocol packet; and
sending the internet protocol packet that is unencrypted to the second network access device through the intranet interface, as if the first network access device is deployed on a subnet of an intranet that is represented by the intranet interface, wherein the mobile status record is located using a security association index number in the encapsulated internet protocol-in-user datagram protocol packet.
Abstract
An IP-based corporate network architecture and method for providing seamless secure mobile networking across office WLAN, home WLAN, public WLAN, and 2.5G/3G cellular networks for corporate wireless data users. The system includes Internet roaming clients (IRCs), a secure mobility gateway (SMG), optional secure IP access (SIA) gateways, and a virtual single account (VSA) server. The IRC is a special client tool installed on a mobile computer (laptop or PDA) equipped with a WLAN adaptor and a cellular modem. It is responsible for establishing and maintaining a mobile IPsec tunnel between the mobile computer and a corporate intranet. The SMG is a mobile IPsec gateway installed between the corporate intranet and the Internet. It works in conjunction with the IRC to maintain the mobile IPsec tunnel when the mobile computer is connected to the Internet via a home WLAN, a public WLAN, or a cellular network. The SIA gateway is a special IPsec gateway installed between the wired corporate intranet and an office WLAN. It works with the IRC to ensure data security and efficient use of corporate IP addresses when the mobile computer is connected to the office WLAN. The VSA server manages authentication credentials for every corporate user based on a virtual single account concept. The Internet Roaming system can provide secure, always-on office network connectivity for corporate users no matter where they are located, using the best available wireless networks.
45 Citations
13 Claims
1. See First Claim above. Dependent claims: 2, 3, 4, 5.
6. A method of routing packets between a first network access device connected to an intranet through a private access network, and a second network access device, comprising:
receiving an encapsulated internet protocol-in-user datagram protocol packet having an internet protocol packet sent from the first network access device to the second network access device at a secure internet protocol access gateway disposed between the private access network and the intranet, the internet protocol packet being encrypted using a session key negotiated between the first network access device and the secure internet protocol access gateway, and the encapsulated internet protocol-in-user datagram protocol packet having a message integrity code generated using another session key specified by a security association in a mobile status record in a secure mobility gateway;
decrypting the internet packet at the secure internet protocol access gateway, wherein the message integrity code of the encapsulated internet protocol-in-user datagram protocol packet remains unchanged;
sending the encapsulated internet protocol-in-user datagram protocol packet to the secure mobility gateway having an internet interface facing an internet, and an intranet interface facing the intranet, the encapsulated internet protocol-in-user datagram protocol packet being sent to the intranet interface;
locating a mobile status record using a security association index number in the encapsulated internet protocol-in-user datagram protocol packet;
verifying the message integrity code of the encapsulated internet protocol-in-user datagram protocol packet based on the security association; and
if it is valid, then updating the mobile status record by replacing a current care-of internet protocol address in the mobile status record with an outer source internet protocol address of the encapsulated internet protocol-in-user datagram protocol packet, replacing a current interface in the mobile status record with the internet interface if the current interface is the intranet interface for the first network access device, and replacing a packet sequence number for the first network access device in the mobile status record with a packet sequence number of the encapsulated internet protocol-in-user datagram protocol packet for the first network access device, if the packet sequence number of the encapsulated internet protocol-in-user datagram protocol packet is greater than a current packet sequence number stored in the mobile status record;
decapsulating the encapsulated internet protocol-in-user datagram protocol packet at the secure mobility gateway; and
sending the internet protocol packet that is unencrypted to the second network access device through the intranet interface, as if the first network access device is deployed on a subnet of the intranet that is represented by the intranet interface.
7. A method of routing packets between a first network access device connected to an intranet through a private access network, and a second network access device, comprising:
receiving an unencrypted internet protocol-in-user datagram protocol packet having an internet protocol packet sent from the first network access device to the second network access device at an access point on a first access network, the internet protocol packet being encrypted;
decrypting the internet protocol packet at the access point;
sending the unencrypted internet protocol-in-user datagram protocol packet to a secure mobility gateway having an internet interface facing an internet, and an intranet interface facing the intranet, the unencrypted internet protocol-in-user datagram protocol packet being sent to the intranet interface;
locating a mobile status record using a security association index number in the unencrypted internet protocol-in-user datagram protocol packet;
verifying a message integrity code of the unencrypted internet protocol-in-user datagram protocol packet based on the security association index number; and
if it is valid, then updating the mobile status record by replacing a current care-of internet protocol address in the mobile status record with an outer source internet address of the unencrypted internet protocol-in-user datagram protocol packet, replacing a current interface in the mobile status record with the internet interface if the current interface is the intranet interface for the first network access device, and replacing a packet sequence number for the first network access device in the mobile status record with a packet sequence number of the unencrypted internet protocol-in-user datagram protocol packet for the first network access device, if the packet sequence number of the unencrypted internet protocol-in-user datagram protocol packet is greater than a current packet sequence number stored in the mobile status record;
decapsulating the unencrypted internet protocol-in-user datagram protocol packet at the secure mobility gateway; and
sending the internet protocol packet that is unencrypted to the second network access device through the intranet interface, as if the first network access device is deployed on a subnet of the intranet that is represented by the intranet interface.
Dependent claim: 8.
9. A method of routing packets between a first network access device connected to an internet through a first access network, and a second network access device, the method being performed at a secure mobility gateway having an internet interface and an intranet interface, comprising:
receiving an encapsulated internet protocol-in-user datagram protocol packet having an internet protocol packet sent from the first network access device to the second network access device through the internet interface, the internet protocol packet being encrypted;
locating a mobile status record for the first network access device;
verifying the internet protocol packet based on a parameter contained in the encapsulated internet protocol-in-user datagram protocol packet and, if the parameter is valid, then updating the mobile status record if a current interface is the intranet interface for the first network access device;
decapsulating the encapsulated internet protocol-in-user datagram protocol packet;
decrypting the internet protocol packet; and
sending the internet protocol packet that is unencrypted to the second network access device through the intranet interface, as if the first network access device is deployed on a subnet of the intranet that is represented by the intranet interface, wherein the mobile status record is located using a security association index number in the encapsulated internet protocol-in-user datagram protocol packet.
Dependent claims: 10, 11, 12, 13.
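Claims 1, 6, 7 and 9 all describe the same packet path at the secure mobility gateway: locate the mobile status record by the security association index carried in the packet, verify the message integrity code, and only then rebind the device (care-of address, interface, sequence number) before decapsulating, decrypting and forwarding onto the intranet. The Python model below is an added example, not code from the patent or from any product that implements it. Everything about the wire format is a constructed assumption: a 4-byte SA index and 4-byte sequence number, the encrypted inner packet, and a 32-byte HMAC-SHA256 integrity code over the rest; the HMAC-in-counter-mode stand-in for the IPsec cipher, the `MobileStatusRecord` and `SecureMobilityGateway` names, and the sample keys and addresses are likewise assumptions. It follows claim 1 (packet arriving on the internet interface) and, going one step beyond what the claims state, drops a packet whose sequence number is not greater than the stored one instead of merely leaving the record unchanged.

```python
"""Model of the secure mobility gateway (SMG) packet path from claims 1, 6, 7 and 9.
Added example, not code from the patent; the wire format, field sizes and
cipher below are constructed stand-ins for the IPsec/UDP format the claims
leave unspecified."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

INTERNET = "internet"
INTRANET = "intranet"
HDR = struct.Struct(">II")   # SA index (4 bytes) || packet sequence number (4 bytes)
MIC_LEN = 32                 # HMAC-SHA256 message integrity code (constructed choice)


@dataclass
class MobileStatusRecord:
    """Per-device state the SMG keeps; the claims' 'mobile status record'."""
    sa_index: int         # security association index carried in every packet
    device_id: str        # the first network access device (e.g. a roaming laptop)
    care_of_ip: str       # current care-of address = last verified outer source IP
    interface: str        # interface the device is currently reached through
    seq: int              # highest packet sequence number accepted so far
    integrity_key: bytes  # key for the message integrity code (from the SA)
    session_key: bytes    # key for the encrypted inner IP packet


def keystream(key: bytes, sa_index: int, seq: int, length: int) -> bytes:
    """Constructed stand-in for the IPsec cipher: HMAC-SHA256 run in counter
    mode, nonced by (SA index, sequence number) so no keystream repeats."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IIQ", sa_index, seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(rec: MobileStatusRecord, seq: int, inner_ip_packet: bytes) -> bytes:
    """What the IRC on the mobile host puts in the UDP payload:
    SA index || seq || encrypted inner IP packet || MIC over everything before it."""
    header = HDR.pack(rec.sa_index, seq)
    ciphertext = xor_bytes(inner_ip_packet,
                           keystream(rec.session_key, rec.sa_index, seq, len(inner_ip_packet)))
    mic = hmac.new(rec.integrity_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + mic


class SecureMobilityGateway:
    def __init__(self, records):
        self.records = {r.sa_index: r for r in records}

    def process(self, outer_src_ip: str, rx_interface: str, udp_payload: bytes):
        """Claim 1 steps: locate the record by SA index, verify the MIC, update the
        record, decapsulate, decrypt, forward on the intranet interface.
        Returns ("forward", inner_packet, INTRANET) or ("drop", reason)."""
        if len(udp_payload) < HDR.size + MIC_LEN:
            return ("drop", "truncated packet")
        sa_index, seq = HDR.unpack_from(udp_payload)
        body, mic = udp_payload[:-MIC_LEN], udp_payload[-MIC_LEN:]
        rec = self.records.get(sa_index)            # locate the mobile status record
        if rec is None:
            return ("drop", "no mobile status record for SA index %#x" % sa_index)
        expected = hmac.new(rec.integrity_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mic, expected):  # constant-time comparison
            return ("drop", "message integrity code invalid")   # record left untouched
        if seq <= rec.seq:
            # The claim replaces the stored number only when the packet's is
            # greater; dropping the packet otherwise is the anti-replay treatment
            # added in this example, not something the claim itself states.
            return ("drop", "sequence number %d not greater than current %d" % (seq, rec.seq))
        # Valid packet: bind the device to the address it is now reached at.
        rec.care_of_ip = outer_src_ip
        if rx_interface == INTERNET and rec.interface == INTRANET:
            rec.interface = INTERNET               # device has roamed out of the office WLAN
        rec.seq = seq
        ciphertext = body[HDR.size:]               # decapsulate
        inner = xor_bytes(ciphertext, keystream(rec.session_key, sa_index, seq, len(ciphertext)))
        return ("forward", inner, INTRANET)        # sent as if on the intranet subnet


if __name__ == "__main__":
    # Constructed sample: a laptop last seen on the office WLAN roams to a home WLAN.
    rec = MobileStatusRecord(0x1001, "laptop-17", "10.0.5.20", INTRANET, 41, b"k" * 32, b"s" * 32)
    smg = SecureMobilityGateway([rec])
    inner = b"IPv4 10.0.5.20 -> 10.0.9.9 payload"
    pkt = encapsulate(rec, 42, inner)
    print(smg.process("198.51.100.7", INTERNET, pkt))
    print(rec.care_of_ip, rec.interface, rec.seq)
    print(smg.process("198.51.100.7", INTERNET, pkt))  # replayed copy is dropped
```

The order of operations is the security point of the claims: the care-of address and interface are rewritten only after the integrity code verifies against the key held in the record, so a packet that merely carries a known SA index cannot redirect the device's tunnel, and a replayed copy of a genuine packet cannot move the binding back to an old address because its sequence number is no longer greater than the stored one.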
Specification