IP mobility security control

US 9,408,078 B2
Filed: 12/18/2009
Issued: 08/02/2016
Est. Priority Date: 12/18/2009
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

causing establishment of an internet protocol (IP) mobility binding with an indication of a security mode for a mobile node connected to an IP sub-network and identified in the IP sub-network by a care of address,detecting a trigger to adapt the security mode for the mobile node connected to the IP sub-network, wherein there is no update to the IP mobility binding and the care of address, and wherein the mobile node continues to be connected to the IP sub-network and continues to be identified in the IP sub-network by the same care of address,adapting, in response to the trigger, the security mode for the mobile node connected to the IP sub-network and identified by the care of address; and

causing a binding update message to be transmitted to indicate an applied security mode or a need to change the security mode, wherein the binding update message is associated with a flag that is indicative of whether user plane traffic will be encrypted or unencrypted.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, apparatus, and computer program product are provided for adapting security level between a mobile node and a mobility anchor. In the context of a method, an IP mobility binding with an indication of a security mode is established for a mobile node connected to an IP sub-network and identified in the IP sub-network by a care of address. A trigger to adapt the security mode for the mobile node connected to the IP sub-network is detected. The security mode for the mobile mode connected to the IP sub-network and identified by the care of address is adapted in response to the trigger.

23 Citations

View as Search Results

23 Claims

1. A method comprising:
- causing establishment of an internet protocol (IP) mobility binding with an indication of a security mode for a mobile node connected to an IP sub-network and identified in the IP sub-network by a care of address,detecting a trigger to adapt the security mode for the mobile node connected to the IP sub-network, wherein there is no update to the IP mobility binding and the care of address, and wherein the mobile node continues to be connected to the IP sub-network and continues to be identified in the IP sub-network by the same care of address,adapting, in response to the trigger, the security mode for the mobile node connected to the IP sub-network and identified by the care of address; and
  
  causing a binding update message to be transmitted to indicate an applied security mode or a need to change the security mode, wherein the binding update message is associated with a flag that is indicative of whether user plane traffic will be encrypted or unencrypted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein detecting a trigger comprises detecting movement of the mobile node to a new access network or node inside the IP sub-network by applying a data link layer mobility protocol.
  - 3. The method of claim 1, wherein detecting a trigger comprises detecting movement of the mobile node to a geographical location associated with security requirements requiring adaptation of the security mode.
  - 4. The method of claim 1, wherein detecting a trigger comprises detecting a need to establish a new IP flow with a different security mode or to modify the security mode of an existing IP flow for the mobile node.
  - 5. The method of claim 1, wherein an indication of the required security level is received from a policy server, and the security mode is adapted in accordance with the indication of the security level.
  - 6. The method of claim 1, wherein adapting the security mode comprises re-negotiating or establishing an Internet protocol security architecture security association or a transport layer security connection to enable encryption of user plane traffic associated with the mobile node.
  - 7. The method of claim 1, wherein causing establishment of an IP mobility binding, detecting a trigger and adapting the security mode are carried out by the mobile node to modify the security mode between the mobile node and a mobility anchor or a correspondent node without changing the care of address.
  - 8. The method of claim 7, wherein detecting a trigger comprises detecting a Mobile IP binding signalling message received from a home agent and with an indication to trigger an update to the Mobile IP binding, wherein the Mobile IP binding signaling message comprises an indication of a user plane encryption.
  - 9. The method of claim 1, wherein causing establishment of an IP mobility binding, detecting a trigger and adapting the security mode are carried out by a mobile IP home agent to modify the security mode between the home agent and the mobile node without changing the care of address.
  - 10. The method of claim 1, wherein causing establishment of an internet protocol (IP) mobility binding further comprises a Mobile IP binding signalling message from the mobile node comprising at least one of information on location of the mobile node, information of new access point or network of the mobile node within the IP sub-network, and an indication of a security mode to be applied for the mobile node.
  - 11. The method of claim 1, wherein causing establishment of an IP mobility binding, detecting a trigger and adapting the security mode are carried out by a correspondent node in response to a binding update message from the mobile node.

12. An apparatus comprising:
- at least one processor, and at least one memory comprising computer program code, wherein the at least one memory and the computer program code are configured, with the at least one processor of the apparatus, to cause the apparatus at least to;
  
  cause establishment of an internet protocol (IP) mobility binding with an indication of a security mode for a mobile node connected to an IP sub-network and identified in the IP sub-network by a care of address,detect a trigger to adapt the security mode for the mobile node connected to the IP sub-network, wherein there is no update to the IP mobility binding and the care of address, and wherein the mobile node continues to be connected to the IP sub-network and continues to be identified in the IP sub-network by the same care of address,adapt, in response to the trigger, the security mode for the mobile node connected to the IP sub-network and identified by the care of address; and
  
  cause a binding update message to be transmitted to indicate an applied security mode or a need to change the security mode, wherein the binding update message is associated with a flag that is indicative of whether user plane traffic will be encrypted or unencrypted.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The apparatus of claim 12, wherein the apparatus is configured to adapt the security mode in response to detecting movement of the mobile node to a new access network or node inside the IP sub-network by applying a data link layer mobility protocol.
  - 14. The apparatus of claim 12, wherein the apparatus is configured to adapt the security mode in response to detecting movement of the mobile node to a geographical location associated with security requirements requiring adaptation of the security mode.
  - 15. The apparatus of claim 12, wherein the apparatus is configured to adapt the security mode in response to detecting a need to establish a new IP flow or to modify an existing IP flow for the mobile node.
  - 16. The apparatus of claim 12, wherein the apparatus is configured to adapt the security mode in accordance with an indication of the required security level from a policy server.
  - 17. The apparatus of claim 12, wherein the apparatus is configured to adapt the security mode by re-negotiating or establishing an Internet protocol security architecture security association or a transport layer security connection to enable encryption of user plane traffic associated with the mobile node.
  - 18. The apparatus of claim 12, wherein the apparatus is a mobile communications terminal device embodying the mobile node configured to register the care of address to a Mobile IP home agent or a correspondent node and configured to modify the security mode between the mobile node and a mobility anchor or a correspondent node without changing the care of address without changing the care of address.
  - 19. The apparatus of claim 18, wherein the apparatus is configured to adapt the security mode in response to a Mobile IP binding signalling message with an indication to trigger an update to the Mobile IP binding from the home agent, or to send a binding update message in response to the Mobile IP signalling message, wherein the Mobile IP binding signaling message comprises an indication of a user plane encryption.
  - 20. The apparatus of claim 12, wherein the apparatus embodies a Mobile IP home agent.
  - 21. The apparatus of claim 12, wherein causing establishment of an internet protocol (IP) mobility binding further comprises a Mobile IP binding signalling message from the mobile node comprising at least one of information on location of the mobile node, information of new access point or network of the mobile node within the IP sub-network, and an indication of security mode to be applied between the home agent and the mobile node.
  - 22. The apparatus of claim 12, wherein the apparatus embodies a correspondent node configured to adapt the security mode in response to a binding update message from the mobile node.

23. A non-transitory computer-readable storage medium storing a computer program comprising one or more sequences of one or more instructions which, when executed by one or more processors of the apparatus, cause the apparatus to at least:
- cause establishment of an internet protocol (IP) mobility binding with an indication of a security mode for a mobile node connected to an IP sub-network and identified in the IP sub-network by a care of address,detect a trigger to adapt the security mode for the mobile node connected to the IP sub-network, wherein there is no update to the IP mobility binding and the care of address, and wherein the mobile node continues to be connected to the IP sub-network and continues to be identified in the IP sub-network by the same care of address,adapt, in response to the trigger, the security mode for the mobile node connected to the IP sub-network and identified by the care of address; and
  
  cause a binding update message to be transmitted to indicate an applied security mode or a need to change the security mode, wherein the binding update message is associated with a flag that is indicative of whether user plane traffic will be encrypted or unencrypted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Technologies Oy (Nokia Corporation)
Original Assignee
Nokia Technologies Oy (Nokia Corporation)
Inventors
Basavaraj, Patil, Savolainen, Teemu Ilmari, Gabor, Bajko
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US12/642,230
Publication Number

US 20110154432A1
Time in Patent Office

2,419 Days
Field of Search

380/270, 726/1
US Class Current

1/1
CPC Class Codes

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0428   wherein the data content is...

H04L 63/105   Multiple levels of security

H04L 63/166   at the transport layer

H04L 69/24   Negotiation of communicatio...

H04W 12/02   Protecting privacy or anony...

H04W 12/033   of the user plane, e.g. use...

H04W 12/08   Access security

H04W 60/04   using triggered events

H04W 80/04   Network layer protocols, e....

IP mobility security control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

IP mobility security control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others