Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments

US 20030182431A1
Filed: 01/13/2003
Published: 09/25/2003
Est. Priority Date: 06/11/1999
Status: Active Grant

First Claim

Patent Images

1. A method of maintaining network communications with a mobile or other intermittently connected computing device executing at least one networked application that participates in at least one network application session, comprising:

(a) detecting the occurrence of an event affecting network communications with the computing device, and (b) in response to said detection, terminating, instantiating, and/or reinstantiating an IP Security session for use by said computing device while maintaining said network application session(s).

View all claims

18 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for enabling secure connectivity using standards-based Virtual Private Network (VPN) IPSEC algorithms in a mobile and intermittently connected computing environment enhance the current standards based algorithms by allowing migratory devices to automatically (re)establish security sessions as the mobile end system roams across homogeneous or heterogeneous networks while maintaining network application session. The transitions between and among networks occur seamlessly—shielding networked applications from interruptions in connectivity. The applications and/or users need not be aware of these transitions, although intervention is possible. The method does not require modification to existing network infrastructure and/or modification to networked applications.

496 Citations

60 Claims

1. A method of maintaining network communications with a mobile or other intermittently connected computing device executing at least one networked application that participates in at least one network application session, comprising:
- (a) detecting the occurrence of an event affecting network communications with the computing device, and (b) in response to said detection, terminating, instantiating, and/or reinstantiating an IP Security session for use by said computing device while maintaining said network application session(s).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein said detecting comprises detecting a change in network point of attachment.
  - 3. The method of claim 1 wherein said detecting comprises detecting that an interruption of network connectivity has caused a previous IP Security session to be terminated.
  - 4. The method of claim 1 wherein said detecting comprises detecting that the mobile device'"'"'s network identity has changed.
  - 5. The method of claim 1 wherein said detecting comprises detecting that the mobile device has roamed to a different network or subnetwork.
  - 6. The method of claim 1 wherein said step (b) comprises negotiating a new IP Security session to replace a previous, lost IP Security session in a manner that is transparent to the networked application.
  - 7. The method of claim 1 wherein said step (b) includes using IPSec to create a secure tunnel through the network.
  - 8. The method of claim 1 further including applying policy rules to selectively allow, deny or delay the flow of network communications over said IP Security session.
  - 9. The method of claim 1 further including centrally managing and distributing policy regarding the establishment of said IP Security session from a central authority.
  - 10. The method of claim 1 further including securely proxying said mobile device communications.
  - 11. The method of claim 1 further including terminating a previous IP Security session based on said detecting.

12. A method of modifying an operating environment having at least one software component, said operating environment using transport engine protocols and running at least one application, the method comprising:
- (a) transparently and selectively injecting computer instructions into said operating environment; and
  
  (b) redirecting the execution path of said at least one software component to achieve additional functionality while maintaining binary compatibility with said operating environment component(s), said transport engine protocols and said applications.
- View Dependent Claims (13)
- - 13. The method of claim 12 wherein said redirecting is performed based on process name.

14. A method of providing data communications in a mobile computing environment, said environment including at least one device using at least one network interface for network applications and operating system components, comprising:
- (a) selectively and transparently virtualizing said at least one network interface, thereby shielding said network applications and operating system components from at least some characteristics of said mobile computing environment, and (b) allowing other said components to remain cognizant of at least interruptions in connectivity and changes in network point of attachment.

15. A method for providing data communications in an environment including at least one device using at least one network interface for network applications and operating system components, comprising:
- (a) selectively virtualizing said at least one network interface, thereby shielding said network applications and operating system components from at least some adverse events that may otherwise disturb communications; and
  
  (b) using said virtualized network interface to conduct data communications.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 wherein said adverse events include changes in network point of attachment.
  - 17. The method of claim 15 wherein said adverse events include periods of network disconnectedness.

18. A method for using plural IP Security sessions over a plurality of network interfaces associated with at least one network point of attachment, comprising:
- (a) distributing network application communications to simultaneously flow over said plural IP Security sessions, and (b) multiplexing/demultiplexing said distributed communication flows into corresponding higher layer communications sessions.
- View Dependent Claims (19, 20, 48)
- - 19. The method of claim 18 further including applying policy rules to selectively allow, deny, or delay the flow of network communications over at least one of said plural IP Security sessions.
  - 20. The method of claim 18 further including centrally managing and distributing policy regarding the establishment of said plural IP Security sessions from a central authority.
  - 48. The system of claim 18 further including applying policy rules to selectively allow, deny, or delay the flow of network communications over at least one of said plural IP Security sessions.

21. A method comprising:
- (a) facilitating the creation of plural IP Security sessions; and
  
  (b) selectively allowing, denying and/or delaying the flow of network communications over at least one of said plural IP Security sessions based at least in part on applying policy rules.
- View Dependent Claims (22)
- - 22. The method of claim 21 further including centrally managing and distributing said policy rules from a central authority.

23. A method of administering secure network connections comprising:
- (a) establishing IP Security sessions within a computing network; and
  
  (b) centrally managing and distributing policy regarding the establishment of said IP Security sessions from a central authority.

24. A method of proxying mobile communications comprising:
- (a) establishing communications with a mobile device;
  
  (b) establishing communications with an ultimate peer of said mobile device; and
  
  (b) instantiating at least one of a possible plurality of IP Security sessions with said ultimate peer on behalf of said mobile device.
- View Dependent Claims (25)
- - 25. The method of claim 24 wherein said mobile device includes a client and (a) comprises establishing client-server communications.

26. A method of proxying mobile communications comprising:
- (a) establishing at least one IP Security session between said mobile device and a communication peer thereof; and
  
  (b) maintaining said IP Security session with said communication peer during periods when said mobile device is unreachable.

27. A method of managing IP Security sessions between a mobility server and an ultimate communications peer, comprising:
- (a) establishing at least one IP Security session between said mobility server and said ultimate communications peer; and
  
  (b) automatically terminating said IP Security session in response to occurrence of a predetermined event.
- View Dependent Claims (28)
- - 28. The method of claim 27 wherein the predetermined event is selected from the group comprising link activity, application session inactivity, and termination of a communications end point.

29. A method of providing secure communications between a mobility client having a network identity, a mobility server and an ultimate communications peer, comprising:
- (a) establishing at least one IP Security session between the mobility server and the ultimate peer; and
  
  (b) securely maintaining said IP Security session even when the network identity of said mobility client changes.

30. In a system for maintaining network communications with a mobile or other intermittently connected computing device executing at least one networked application that participates in at least one network application session, said system comprising:
- a detector that detects the occurrence of an event affecting network communications with the computing device, and a security module that, in response to said detection, instantiates or reinstantiates an IP Security session for use by said computing device while maintaining said network application session(s).
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 31. The system of claim 30 wherein said detector detects a change in network point of attachment.
  - 32. The system of claim 30 wherein said detector detects that an interruption of network connectivity has caused a previous IP Security session to be terminated.
  - 33. The system of claim 30 wherein said detector detects that the mobile device'"'"'s network identity has changed.
  - 34. The system of claim 30 wherein said detector detects that the mobile device has roamed to a different network or subnetwork.
  - 35. The system of claim 30 wherein said security module negotiates a new IP Security session to replace a previous, lost IP Security session in a manner that is transparent to the networked application.
  - 36. The system of claim 30 wherein said security module uses IPSec to create a secure session through the network communication.
  - 37. The system of claim 30 further including a policy manager that applies policy rules to selectively allow, deny or delay the flow of network communications over said IP Security session.
  - 38. The system of claim 30 further including a central policy management authority that centrally manages and distributes policy regarding the establishment of said IP Security session.
  - 39. The system of claim 30 further including a mobility server that securely proxies said mobile device communications.
  - 40. The system of claim 30 wherein the security module terminates a previous IP Security session based on said detection.

41. An operating environment having at least one software component, said operating environment using transport engine protocols and running at least one application, the environment further comprising computer instructions transparently and selectively injected therein, wherein the injected computer instructions include a redirector that redirects the execution path of said at least one software component to achieve additional functionality while maintaining binary compatibility with said operating environment component(s), said transport engine protocols and said applications.
- View Dependent Claims (42)
- - 42. The environment of claim 41 wherein said redirector redirects said execution path based on process name.

43. A mobile computing environment including at least one device using at least one network interface for network applications and operating system components, said environment comprising:
- (a) instructions that selectively and transparently virtualize said at least one network interface, thereby shielding said network applications and operating system components from at least some characteristics of said mobile computing environment, and (b) further instructions that allow other said components to remain cognizant of at least interruptions in connectivity and changes in network point of attachment.

44. An environment including at least one device using at least one network interface for network applications and operating system components, said environment comprising:
- instructions that selectively virtualize said at least one network interface, thereby shielding said network applications and operating system components from at least some adverse events that may otherwise disturb communications; and
  
  additional structure that uses said virtualized network interface to conduct data communications.
- View Dependent Claims (45, 46)
- - 45. The environment of claim 44 wherein said adverse events include network point of attachment.
  - 46. The environment of claim 44 wherein said adverse events include periods of network disconnectedness.

47. A system for using plural IP Security sessions over a plurality of network interfaces associated with at least one network point of attachment, comprising:
- a data distributor that distributes network application communications to simultaneously flow over said plural IP Security sessions, and (b) a multiplexer/demultiplexer that multiplexes and demultiplexes said distributed communication flows into corresponding higher layer communications sessions.
- View Dependent Claims (49)
- - 49. The system of claim 47 further including a central authority that centrally manages and distributes policy regarding the establishment of said plural IP Security sessions.

50. A system comprising:
- (a) a security framework that facilitates the creation of plural IP Security sessions; and
  
  (b) a policy agent that selectively allows, denies and/or delays the flow of network communications over at least one of said plural IP Security sessions based at least in part on policy rules.
- View Dependent Claims (51)
- - 51. The system of claim 50 further including a central authority that centrally manages and distributes said policy rules.

52. A system for administering secure network connections comprising:
- a security framework that establishes IP Security sessions within a computing network; and
  
  a central authority that centrally manages and distributes policy regarding the establishment of said IP Security sessions.

53. A mobility proxy comprising:
- a communications structure that establishes communications with a mobile device and with an ultimate peer of said mobile device; and
  
  a security component that instantiates at least one of a possible plurality of IP Security sessions with said ultimate peer on behalf of said mobile device.
- View Dependent Claims (54)
- - 54. The system of claim 53 wherein said mobile device includes a client and mobility proxy comprises a server.

55. A system for proxying mobile communications comprising:
- communications means for establishing at least one IP Security session with said mobile device and a communication peer thereof; and
  
  a means for maintaining said IP Security session with said communication peer during periods when said mobile device is unreachable.

56. A system for managing IP Security sessions between a mobility server and an ultimate communications peer, comprising:
- means for establishing at least one IP Security session between said mobility server and said ultimate communications peer; and
  
  means for automatically terminating said IP Security session in response to occurrence of a predetermined event.
- View Dependent Claims (57)
- - 57. The system of claim 56 wherein the predetermined event is selected from the group comprising link activity, application session inactivity, and termination of a communications end point.

58. A system for providing secure communications between a mobility client having a network identity, a mobility server and an ultimate communications peer, comprising:
- means for establishing at least one IP Security session between the mobility server and the ultimate peer and the mobility client and the mobility server; and
  
  means for securely maintaining said IP Security session even when the network identity of said mobility client changes.

59. A storage medium storing:
- a first set of instructions that inserts a policy agent hooking runtime linkable module into an operating system having a policy agent and an IPSec infrastructure, said hooking module informing the policy agent of network state changes; and
  
  a second set of instructions that inserts a network interface virtualizing driver into said operating system, said virtualizing driver virtualizing a client module network and initiating mobility server connections while selectively allowing the IPSec infrastructure to continue to be informed about network state changes.

60. A method of preparing a mobile device for secure communications, said mobile device having an operating environment including a policy agent and an IPSec infrastructure, said method comprising:
- downloading over a computer network onto the mobile device and executing with the mobile device, a first set of instructions that insert a policy agent hooking run-time linkable module into the operating environment, said hooking module informing the policy agent of network state changes; and
  
  downloading over the computer network and executing with the mobile device a second set of instructions that inserts a network interface virtualizing driver into said operating environment, said virtualizing driver virtualizing a client module network and initiating mobility server connections while selectively allowing the IPSec infrastructure to continue to be informed about network state changes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netmotion Wireless Holdings, Inc. (NetMotion Software, Inc.)
Original Assignee
Netmotion Wireless Incorporated
Inventors
Sturniolo, Emil, Stavens, Aaron, Savarese, Joseph T.

Granted Patent

US 7,882,247 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/227
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04L 69/161   Implementation details of T...

H04W 12/03   Protecting confidentiality,...

H04W 76/20   Manipulation of established...

H04W 80/04   Network layer protocols, e....

Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments

First Claim

18 Assignments

0 Petitions

Accused Products

Abstract

496 Citations

60 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments

First Claim

18 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

496 Citations

60 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links