
Mobile virtual private networks

  • US 8,544,080 B2
  • Filed: 06/12/2008
  • Issued: 09/24/2013
  • Est. Priority Date: 06/12/2008
  • Status: Active Grant
First Claim

1. An apparatus for an Internet Protocol Multimedia Subsystem (IMS) device, wherein the IMS device includes a key derivation module, a tunneling protocol module, a tunnel management module, a security policies module, and an IM Subscriber Identity Module (ISIM) application or a Universal Subscriber Identity Module (USIM) application;

  • the key derivation module obtains cryptographic keys for encryption and/or authentication of data packets by deriving the keys from the ISIM/USIM application;
  • the tunneling protocol module supports at least one tunneling protocol that enables at least two private networks to exchange data packets over a public network in such a way that the private networks appear to be one single network to hosts connected to them;
  • the tunneling protocol module supports at least one cryptographic suite that it can apply to incoming and outgoing data packets to encrypt/decrypt and/or authenticate the packets using keys provided by another module;
  • the tunnel management module supports dynamic establishment and release of secure tunnels to remote devices; and
  • the security policies module determines the at least one cryptographic suite to be used with each tunneling protocol supported by the tunneling protocol module;

the apparatus comprising:

  • a non-volatile memory configured to store a first routing table that maps host addresses and IMS addresses of security devices allowing access to those hosts, such that when an application running in the IMS device requests communication to a host address, the apparatus initiates a Session Initiation Protocol (SIP) session establishment by sending a SIP INVITE request to the IMS address to which the host address is mapped;
  • wherein the INVITE request includes a Session Description Protocol (SDP) body that contains, for each tunneling protocol supported by the tunneling protocol module, data about the local tunnel endpoint, an identifier corresponding to the tunneling protocol, and identifiers corresponding to the cryptographic suite(s) supported by the cryptographic module that may be applied together with the tunneling protocol, as determined by a query from the apparatus to the security policies module; and
  • the memory is configured to store a second routing table that maps addresses of security devices to host addresses to which the security devices allow access, such that when receiving a SIP INVITE request from a peer device including an SDP body that contains one or more identifiers of tunneling protocols, the IMS device checks that the local tunnel endpoint included in the SDP body corresponds to a security device included in the second routing table, and if so, the IMS device removes from the SDP body data relative to those tunneling protocols not supported by its tunneling protocol module and includes the remaining identifiers in the SDP body of an affirmative response to the INVITE request.
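The offer/answer logic of claim 1 (first routing table lookup, SDP offer listing tunneling protocols and their policy-approved suites, second routing table check and pruning of unsupported protocols on the answering side), as an added Python example that is not the patent's own code. The dict encoding of the SDP body, the protocol and suite names, and all addresses are constructed assumptions.

```python
"""Sketch of the SIP/SDP tunnel negotiation described in claim 1.
Constructed example: the SDP-as-dict encoding, protocol/suite names and
addresses are assumptions, not the patent's encoding."""

# Security policies module (offerer): tunneling protocol -> allowed cryptographic suites
OFFERER_POLICY = {"ipsec-esp": ["aes128-sha256", "aes256-sha256"],
                  "l2tp": ["aes128-sha256"]}
# Tunneling protocol module (answerer): protocols it actually implements
ANSWERER_PROTOCOLS = {"ipsec-esp"}

# First routing table (offerer): host address -> IMS address of the security device
# that allows access to that host
FIRST_TABLE = {"10.1.0.5": "sip:gw1@home.example"}
# Second routing table (answerer): security device address -> hosts it allows access to
SECOND_TABLE = {"203.0.113.7": {"10.1.0.5", "10.1.0.6"}}


def build_invite(host, local_endpoint, table=FIRST_TABLE, policy=OFFERER_POLICY):
    """Offerer side: map the requested host to an IMS address and build the SDP body
    the INVITE carries. Returns (ims_address, sdp) or None if no device is known."""
    ims_addr = table.get(host)
    if ims_addr is None:
        return None  # no security device guards this host; nothing to negotiate
    sdp = {"endpoint": local_endpoint,
           "tunnels": {proto: list(suites) for proto, suites in policy.items()}}
    return ims_addr, sdp


def answer_invite(sdp, table=SECOND_TABLE, supported=ANSWERER_PROTOCOLS):
    """Answerer side: accept only offers whose local tunnel endpoint is a security
    device listed in the second routing table, then drop every tunneling protocol
    the local tunneling protocol module does not support. Returns the SDP body of
    the affirmative response, or None when the INVITE must not be accepted."""
    if sdp.get("endpoint") not in table:
        return None  # unknown endpoint: the peer is not an authorized security device
    remaining = {proto: list(suites) for proto, suites in sdp["tunnels"].items()
                 if proto in supported}
    if not remaining:
        return None  # no tunneling protocol in common, so no affirmative response
    return {"tunnels": remaining}


def negotiate(host, local_endpoint):
    """Run both sides locally and return the agreed tunnels (or None)."""
    offer = build_invite(host, local_endpoint)
    return None if offer is None else answer_invite(offer[1])
```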
