Location privacy through IP address space scrambling
Abstract
In a network, a router uses some secret information combined with a cryptographic process in determination of a subnet's routing prefix. Several methods are disclosed, including using an IP suffix for prefix generation and for decryption, maintaining a pool of pseudo prefixes at the router, using public key encryption and symmetric key encryption.
64 Claims
1. A network address assignment method for assigning an address to a host for network communications, the method comprising:
- computing a pseudo prefix incorporating an encryption of a subnet address associated with a subnet associated with the host; and
- communicating the pseudo prefix to the host for use as part of said address assigned to the host, the address being for use by the host as the host's address in network communications, the address being for use as a destination address in communications sent to the host, wherein the pseudo prefix in the destination address is for being decrypted to obtain the subnet address to route such communications to the host.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 49

9. A network address assignment method for assigning an address to a host for network communications, the method comprising:
- computing a pseudo prefix incorporating an encryption of a subnet address associated with a subnet associated with the host; and
- communicating the pseudo prefix to the host for use as part of said address assigned to the host, the address being for use by the host as the host's address in network communications;
wherein:
- the host and the subnet are part of a privacy domain comprising a plurality of subnets and one or more routers;
- the pseudo prefix includes an unencrypted portion of the subnet address;
- the one or more routers inside the privacy domain are provided with cryptographic information for decrypting the pseudo prefix to obtain the subnet address when routing data to the host, but the privacy domain does not provide the cryptographic information to one or more routers outside the privacy domain, the one or more routers outside the privacy domain being operable to route data to at least one router in the privacy domain using the unencrypted portion of the pseudo prefix.
Dependent claims: 10, 57

11. A network address assignment method for assigning an address to a host for network communications, the method comprising:
- receiving an address request from the host associated with a router in a network;
- computing a pseudo prefix including logically combining an actual routing prefix and a message authentication code computed over nonce data and a suffix of the address of the host to produce a result; and
- communicating the pseudo prefix to the host for use as part of said address assigned to the host, the address being for use by the host as the host's address in network communications.
Dependent claims: 12, 13, 14, 15, 16, 50

17. A network address assignment method for assigning an address to a host associated with a router in a network, wherein the host and the router are part of a privacy domain, the method comprising:
- receiving an address request from the host;
- computing a pseudo prefix, including encrypting an actual routing prefix of the router using an encryption key; and
- communicating the pseudo prefix to the host, the host using the pseudo prefix to configure the host's address, said address being for use as a destination address both in packets destined to the host and originating inside the privacy domain and in packets destined to the host and originating outside the privacy domain;
wherein each router inside the privacy domain is provided with cryptographic information for decrypting the pseudo prefix to obtain the actual routing prefix when routing data to the host, but the privacy domain does not provide the cryptographic information to one or more routers outside the privacy domain, the one or more routers outside the privacy domain being operable to forward data to at least one router in the privacy domain without decrypting the pseudo prefix.
Dependent claims: 18, 51

19. A network address assignment method for assigning a network address to a host for network communications, the method comprising:
- receiving an address request from the host associated with a router in a network;
- computing a network address, the network address including 1) a common routing prefix shared between all routers in the network, 2) a pseudo prefix portion, 3) data including a number generated by the router, referred to as nonce; and
- communicating the network address to the host for use by the host as the host's network address in network communications.
Dependent claims: 20, 21, 22, 23, 52, 59

24. A method for routing a data packet in a network, the method comprising:
- receiving the data packet over the network, the data packet comprising a destination address comprising a pseudo prefix comprising an encryption of a subnet address associated with the data packet's destination;
- decrypting the destination address to decrypt said encryption of the subnet address to obtain the subnet address; and
- forwarding said data packet over a network in accordance with the subnet address to deliver said data packet comprising said destination address comprising said encryption of said subnet address to the data packet's destination.
Dependent claims: 25, 26, 27, 28, 29, 30, 31, 32, 33, 53

34. A method for routing a data packet in a network, the method comprising:
- receiving the data packet over the network, the data packet comprising a destination address comprising an encryption of a subnet address associated with the data packet's destination;
- decrypting the destination address to obtain the subnet address; and
- forwarding said data packet over a network in accordance with the subnet address to deliver said data packet comprising said destination address comprising said encryption of said subnet address to the data packet's destination;
wherein decrypting the destination address to obtain a subnet address comprises:
- computing a message authentication code, and
- logically combining the message authentication code with at least a portion of a pseudo prefix of the destination address to produce a result;
wherein the message authentication code is keyed with some secret information shared between routers of the network and computed over nonce data contained in the destination address and a suffix of the destination address.
Dependent claims: 60

35. A method for routing a data packet in a network, the method comprising:
- receiving the data packet over the network, the data packet comprising a destination address comprising an encryption of a subnet address associated with the data packet's destination;
- decrypting the destination address to obtain the subnet address; and
- forwarding said data packet over a network in accordance with the subnet address to deliver said data packet comprising said destination address comprising said encryption of said subnet address to the data packet's destination;
wherein decrypting the destination address to obtain a subnet address comprises:
- generating a decryption key using a portion of the destination address, and
- decrypting a pseudo prefix of the destination address to produce the routing prefix.
Dependent claims: 36, 62

37. A method for routing a data packet in a network, the method comprising:
- receiving the data packet over the network, the data packet comprising a destination address comprising a pseudo prefix comprising an encryption of a subnet address associated with the data packet's destination;
- decrypting the destination address to obtain the subnet address; and
- forwarding said data packet over a network in accordance with the subnet address to deliver said data packet comprising said destination address comprising said encryption of said subnet address to the data packet's destination;
wherein decrypting the destination address to obtain a subnet address comprises:
- generating a key using a hash of shared secret information and nonce data of the destination address, and
- decrypting the destination address using the key to produce the subnet address.
Dependent claims: 63

38. A method for routing a data packet in a network, the method comprising:
- receiving the data packet over the network, the data packet comprising a destination address comprising an encryption of a subnet address associated with the data packet's destination;
- decrypting the destination address to obtain the subnet address; and
- forwarding said data packet over a network in accordance with the subnet address to deliver said data packet comprising said destination address comprising said encryption of said subnet address to the data packet's destination;
wherein decrypting the destination address to obtain a subnet address comprises:
- using a key, computing a message authentication code over nonce data contained in the destination address; and
- logically combining the message authentication code with a pseudo prefix contained in the destination address.
Dependent claims: 64

39. A method for configuring a new internet protocol (IP) address, the method comprising:
- at a network host, requesting an address prefix;
- receiving a pseudo prefix computed using an encryption of a routing prefix of a router associated with the host; and
- the host combining the pseudo prefix with a suffix of the host to form the new IP address, and using the new IP address as the host's address in network communications.
Dependent claims: 40, 54, 61

41. A method for operating a router in a communication network, the method comprising:
- receiving a packet;
- reading a destination address from the packet, the destination address comprising a pseudo prefix;
- determining a network routing prefix from the destination address, wherein determining the network routing prefix comprises using secret information and a cryptographic process;
- caching the network routing prefix determined above for later use; and
- forwarding the packet in accordance with the network routing prefix to deliver the packet comprising said destination address to which the determining operation with the cryptographic process was applied to the packet's destination specified by the destination address.
Dependent claims: 42, 43, 44, 55

45. A method for network communication in a network comprising a privacy domain comprising a plurality of networked devices comprising one or more routers, the network domain comprising a plurality of subnets, wherein each of said devices is associated with at least one of said subnets, and each of said subnets is associated with at least one subnet address corresponding to a prefix of an address of a networked device, the method comprising the one or more routers of the privacy domain advertising prefixes associated with the subnet addresses, but at least one of the networked devices in the privacy domain having an address whose prefix is a pseudo prefix which does not coincide with any of the advertised prefixes and yet said at least one of the network devices is for receiving communications with said address as the destination address.

48. A method for delivering a data packet over a network to a host in a privacy domain, the data packet having a destination address comprising a pseudo prefix comprising an encrypted portion of a subnet address of a subnet associated with the host and an unencrypted portion of the subnet address, the method comprising:
- routing the packet by one or more routers outside the privacy domain to a router in the privacy domain using the unencrypted portion of the pseudo prefix without decrypting the encrypted portion; and
- routing the packet by one or more routers inside the privacy domain by decrypting the encrypted portion, the encrypted portion remaining in the destination address in the packet as the packet is transmitted by the one or more routers inside the privacy domain.
Dependent claims: 58

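The construction recited in claims 11 and 34 (a pseudo prefix formed by logically combining the actual routing prefix with a message authentication code over the nonce and the address suffix, then undone the same way by routers holding the shared secret), as an added Python example that is not taken from the patent. The field widths, XOR as the logical combination, HMAC-SHA256 as the MAC, and all function names are assumptions.

```python
import hashlib
import hmac
import ipaddress

# Assumed 128-bit layout (field widths are illustrative, not taken from the patent):
# | common prefix 32 | pseudo prefix portion 16 | nonce 16 | host suffix 64 |
COMMON_BITS, SUBNET_BITS, NONCE_BITS, SUFFIX_BITS = 32, 16, 16, 64


def _mask(key: bytes, nonce: int, suffix: int) -> int:
    """MAC over nonce || suffix, truncated to the width of the subnet field."""
    msg = nonce.to_bytes(NONCE_BITS // 8, "big") + suffix.to_bytes(SUFFIX_BITS // 8, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()  # HMAC-SHA256 is an assumption
    return int.from_bytes(tag[: SUBNET_BITS // 8], "big")


def assign_address(key, common, subnet, nonce, suffix):
    """Assigning router: pseudo prefix portion = actual subnet XOR MAC."""
    pseudo = subnet ^ _mask(key, nonce, suffix)
    value = common
    for field, width in ((pseudo, SUBNET_BITS), (nonce, NONCE_BITS), (suffix, SUFFIX_BITS)):
        value = (value << width) | field
    return ipaddress.IPv6Address(value)


def split_fields(addr):
    """Return (common, pseudo, nonce, suffix) as integers."""
    v = int(addr)
    suffix = v & ((1 << SUFFIX_BITS) - 1)
    nonce = (v >> SUFFIX_BITS) & ((1 << NONCE_BITS) - 1)
    pseudo = (v >> (SUFFIX_BITS + NONCE_BITS)) & ((1 << SUBNET_BITS) - 1)
    return v >> (128 - COMMON_BITS), pseudo, nonce, suffix


def recover_subnet(key, addr):
    """Router inside the privacy domain: recompute the MAC and XOR it back out."""
    _, pseudo, nonce, suffix = split_fields(addr)
    return pseudo ^ _mask(key, nonce, suffix)


if __name__ == "__main__":
    key = b"constructed-domain-secret"   # constructed sample key
    common, subnet = 0x20010DB8, 0x00A1  # constructed documentation-range values
    # Two hosts on the same subnet receive unrelated-looking pseudo prefixes.
    for nonce, suffix in ((0x0001, 0x0211_22FF_FE33_4455), (0x0002, 0x02AA_BBFF_FECC_DDEE)):
        addr = assign_address(key, common, subnet, nonce, suffix)
        print(addr, "-> subnet", hex(recover_subnet(key, addr)))
```

Because the mask depends only on the key, the nonce and the suffix, the assigning router has to choose a fresh nonce whenever the same suffix is given a prefix on a different subnet. Reusing the pair would let an observer XOR the two pseudo prefixes and learn the XOR of the two subnet addresses.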
Specification