System and method for providing selective bearer security in a network environment
First Claim
1. A method, comprising:
- receiving a message related to a bearer or an Internet Protocol (IP) flow, wherein the message includes selectors indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow, and wherein the selectors can facilitate adjusting IPsec security policy databases in network elements using, at least in part, control plane signaling messages between the network elements and a packet data network gateway, wherein the IPsec security policy databases are adjusted at the flow level and not the encapsulating security payload bearer level, wherein policy control and charging extensions adjust the IPsec security policy databases on both a sending side and a receiving side such that the sending side and the receiving side are synchronized;
- mapping a communication flow to the bearer or the IP flow, wherein an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow, and wherein the selectors are provided at a bearer level or at an IP flow level such that network traffic associated with the communication flow is designated for the IPsec feature, wherein signaling for user plane and control plane network elements are extended to indicate whether the bearer or the IP flow is designated for the IPsec feature; and
- applying the IPsec feature to the bearer or the IP flow.
Abstract
An example method includes receiving a message related to a bearer or an Internet Protocol (IP) flow, the message includes an extension indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow. The method further includes mapping a communication flow to the bearer or the IP flow, and applying the IPsec feature to the bearer or the IP flow. In other embodiments, the method can include communicating the extension to a next destination, and updating a security policy to indicate that the bearer or the IP flow is designated for the IPsec feature. In yet other embodiments, an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow. The extension is provided at an IP flow level or at a bearer level such that network traffic is designated for the IPsec feature.
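The abstract describes flow-level IPsec selectors carried in a control-plane message and applied to the security policy databases of both the sending and the receiving network element. The following is an added illustration, not code from the patent or any vendor: a constructed model in which a selector names one IP flow on a bearer, one message updates the SPD of a serving gateway and a packet data network gateway, and a classifier decides per packet whether IPsec applies. All names, addresses and ports are assumed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Selector:
    """Flow-level selector: address ranges, protocol, destination port (0 = any)."""
    src: str
    dst: str
    proto: int
    dport: int = 0

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and pkt["proto"] == self.proto
                and self.dport in (0, pkt["dport"]))


@dataclass
class SecurityPolicyDatabase:
    """One network element's SPD, keyed by (bearer id, selector)."""
    entries: dict = field(default_factory=dict)

    def apply_message(self, msg: dict) -> None:
        """Adjust at flow level: only the selectors named in the message change."""
        action = "protect" if msg["ipsec"] else "bypass"
        for sel in msg["selectors"]:
            self.entries[(msg["bearer_id"], sel)] = action

    def classify(self, bearer_id: int, pkt: dict) -> str:
        """'protect' if the packet hits a flow designated for IPsec, else 'bypass'."""
        for (bid, sel), action in self.entries.items():
            if bid == bearer_id and sel.matches(pkt):
                return action
        return "bypass"


def distribute(msg: dict, *elements: SecurityPolicyDatabase) -> bool:
    """Apply one control-plane message to every element; True if all SPDs now agree."""
    for spd in elements:
        spd.apply_message(msg)
    return all(spd.entries == elements[0].entries for spd in elements)


def demo() -> dict:
    # Constructed message: on bearer 5 only the SIP signalling flow is designated for IPsec.
    msg = {"bearer_id": 5, "ipsec": True,
           "selectors": [Selector("10.0.0.0/24", "198.51.100.10/32", 17, 5060)]}
    sgw, pgw = SecurityPolicyDatabase(), SecurityPolicyDatabase()  # sending / receiving side
    sip = {"src": "10.0.0.7", "dst": "198.51.100.10", "proto": 17, "dport": 5060}
    web = {"src": "10.0.0.7", "dst": "198.51.100.10", "proto": 6, "dport": 443}
    return {"in_sync": distribute(msg, sgw, pgw), "sip": sgw.classify(5, sip),
            "web": pgw.classify(5, web), "other_bearer": sgw.classify(6, sip)}
```

The web flow on the same bearer and the same flow on a different bearer both stay in bypass, which is the flow-level (rather than whole-bearer) behaviour the abstract describes.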
19 Claims
1. (Independent claim, set out in full above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 18, 19.
7. Logic encoded in one or more non-transitory tangible media that includes code for execution and when executed by a processor operable to perform operations comprising:
- receiving a message related to a bearer or an Internet Protocol (IP) flow, wherein the message includes selectors indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow, and wherein the selectors can facilitate adjusting IPsec security policy databases in network elements using, at least in part, control plane signaling messages between the network elements and a packet data network gateway, wherein the IPsec security policy databases are adjusted at the flow level and not the encapsulating security payload bearer level, wherein policy control and charging extensions adjust the IPsec security policy databases on both a sending side and a receiving side such that the sending side and the receiving side are synchronized;
- mapping a communication flow to the bearer or the IP flow, wherein an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow, and wherein the selectors are provided at a bearer level or at an IP flow level such that network traffic associated with the communication flow is designated for the IPsec feature, wherein signaling for user plane and control plane network elements are extended to indicate whether the bearer or the IP flow is designated for the IPsec feature; and
- applying the IPsec feature to the bearer or the IP flow.
Dependent claims: 8, 9, 10, 11.
12. An apparatus, comprising:
- a memory element configured to store data;
- a processor operable to execute instructions associated with the data; and
- a bearer security module configured to interface with the processor in order to: receive a message related to a bearer or an Internet Protocol (IP) flow, wherein the message includes selectors indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow, wherein the selectors can facilitate adjusting IPsec security policy databases in network elements using, at least in part, control plane signaling messages between the network elements and a packet data network gateway, wherein the IPsec security policy databases are adjusted at the flow level and not the encapsulating security payload bearer level, wherein policy control and charging extensions adjust the IPsec security policy databases on both the sending and receiving side such that the sending side and the receiving side are synchronized; map a communication flow to the bearer or the IP flow, wherein an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow, and wherein the selectors are provided at a bearer level or at an IP flow level such that network traffic associated with the communication flow is designated for the IPsec feature, wherein signaling for user plane and control plane network elements are extended to indicate whether the bearer or the IP flow is designated for the IPsec feature; and apply the IPsec feature to the bearer or the IP flow.
Dependent claims: 13, 14, 15, 16, 17.