System and method for integrating mobile networking with security-based VPNs

US 7,616,597 B2
Filed: 12/19/2002
Issued: 11/10/2009
Est. Priority Date: 12/19/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for providing a secure network path between network nodes, the method comprising:

providing a home agent module on a network device on a foreign network side of an external firewall and providing a foreign agent module within a network zone created by the external firewall and an internal firewall, the home agent module and the foreign agent module creating a mobile IP proxy;

establishing a secure data tunnel between the home agent module and the foreign agent module of the mobile IP (MIP) proxy;

receiving a first registration request from a mobile node, said registration request including a permanent network address for the mobile node;

sending a second registration request to a home agent specifying the permanent network address and a proxy care-of address;

creating a network data tunnel between the mobile node and the mobile IP proxy;

creating a first security association between the mobile node and a VPN gateway using the permanent network address for the mobile node;

creating a second security association between the home agent and the VPN gateway;

utilizing, by the home agent, a mobile IP proxy IP address as the care-of address for the VPN gateway;

processing, by the mobile IP proxy, network data received from the mobile node as a surrogate home agent;

receiving by the home agent a packet of data from a corresponding node;

routing the packet of data to the mobile IP proxy;

processing, by the mobile IP proxy, the packet of data received from the home agent as a surrogate mobile node, the processing including routing the packet of data by the mobile IP proxy to the VPN gateway;

encapsulating the packet of data in a security layer by the VPN gateway;

receiving the encapsulated data by the mobile IP proxy from the VPN gateway; and

routing the encapsulated data from the mobile IP proxy to the mobile node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods provide a secure network path through an inner and outer firewall pair between a mobile node on a foreign network and a corresponding node on a home network. One aspect of the systems and methods includes providing a mobile IP proxy between the mobile node and a VPN gateway inside the firewalls. The mobile IP proxy acts as a surrogate home agent to the mobile node, and acts as a surrogate mobile node to a home agent residing on the home network.

39 Citations

View as Search Results

18 Claims

1. A method for providing a secure network path between network nodes, the method comprising:
- providing a home agent module on a network device on a foreign network side of an external firewall and providing a foreign agent module within a network zone created by the external firewall and an internal firewall, the home agent module and the foreign agent module creating a mobile IP proxy;
  
  establishing a secure data tunnel between the home agent module and the foreign agent module of the mobile IP (MIP) proxy;
  
  receiving a first registration request from a mobile node, said registration request including a permanent network address for the mobile node;
  
  sending a second registration request to a home agent specifying the permanent network address and a proxy care-of address;
  
  creating a network data tunnel between the mobile node and the mobile IP proxy;
  
  creating a first security association between the mobile node and a VPN gateway using the permanent network address for the mobile node;
  
  creating a second security association between the home agent and the VPN gateway;
  
  utilizing, by the home agent, a mobile IP proxy IP address as the care-of address for the VPN gateway;
  
  processing, by the mobile IP proxy, network data received from the mobile node as a surrogate home agent;
  
  receiving by the home agent a packet of data from a corresponding node;
  
  routing the packet of data to the mobile IP proxy;
  
  processing, by the mobile IP proxy, the packet of data received from the home agent as a surrogate mobile node, the processing including routing the packet of data by the mobile IP proxy to the VPN gateway;
  
  encapsulating the packet of data in a security layer by the VPN gateway;
  
  receiving the encapsulated data by the mobile IP proxy from the VPN gateway; and
  
  routing the encapsulated data from the mobile IP proxy to the mobile node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising sending a home agent reply code received from the home agent to the mobile node.
  - 3. The method of claim 1, wherein processing network data received from the home agent includes sending the network data to a Virtual Private Network (VPN) gateway for encapsulating in a security layer.
  - 4. The method of claim 3, wherein encapsulating in a security layer comprises encapsulating in an IP Security (IPSec) layer and using the permanent network address for the mobile node as a source or destination address.
  - 5. The method of claim 3, further comprising:
    - receiving network data destined for the mobile node from the VPN gateway; and
      
      sending the network data to the mobile node.
  - 6. The method of claim 1, wherein the security association is an IPSec security association.
  - 7. The method of claim 1, and further comprising:
    - receiving a registration request from a MIP proxy specifying a permanent network address associated with a mobile node and a care-of address associated with the MIP proxy;
      
      establishing a security association between the home agent and a VPN gateway; and
      
      establishing a binding specifying the care-of address associated with the MIP proxy as a care-of address for the VPN gateway.
  - 8. The method of claim 7, wherein the security association is an IPSec security association.
  - 9. The method of claim 7, further comprising tunneling the data in a mobile IP layer.

10. A tangible computer-readable medium encoded with a computer program including instructions to cause one or more processors to perform a method for providing a secure network path between nodes in a network, the method comprising:
- providing a home agent module on a network device on a foreign network side of an external firewall and providing a foreign agent module within a network zone created by the external firewall and an internal firewall, the home agent module and the foreign agent module creating a mobile IP proxy;
  
  establishing a secure data tunnel between the home agent module and the foreign agent module of the mobile IP proxy;
  
  receiving a first registration request from a mobile node, said registration request including a permanent network address for the mobile node;
  
  sending a second registration request to a home agent specifying the permanent network address and a proxy care-of address;
  
  creating a network data tunnel between a mobile node and the mobile IP proxy;
  
  creating a first security association between the mobile node and a VPN gateway using the permanent network address associated for the mobile node;
  
  creating a second security association between the home agent and the VPN gateway;
  
  utilizing by the home agent a mobile IP proxy IP address as the care-of address for the VPN gateway;
  
  processing, by the mobile IP proxy, network data received from the mobile node as a surrogate home agent;
  
  receiving by the home agent a packet of data from a corresponding node;
  
  routing the packet of data to the MIP proxy;
  
  processing, by the mobile IP proxy, packet of data received from the home agent as a surrogate mobile node, the processing including routing the packet of data by the mobile IP proxy to the VPN gateway;
  
  encapsulating the packet of data in a security layer by the VPN gateway;
  
  receiving the encapsulated data by the MIP proxy from the VPN gateway; and
  
  routing the encapsulated data from the MIP proxy to the mobile node.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The tangible computer-readable medium of claim 10, further comprising sending a home agent reply code received from the home agent to the mobile node.
  - 12. The tangible computer-readable medium of claim 10, wherein processing network data received from the home agent includes sending the network data to a Virtual Private Network (VPN) gateway for encapsulating in a security layer.
  - 13. The tangible computer-readable medium of claim 12, wherein encapsulating in a security layer comprises encapsulating in an IP Security (IPSec) layer and using the permanent network address for the mobile node as a source or destination address.
  - 14. The tangible computer-readable medium of claim 12, further comprising:
    - receiving network data destined for the mobile node from the VPN gateway; and
      
      sending the network data to the mobile node.
  - 15. The tangible computer-readable medium of claim 10, wherein the security association is an IPSec security association.
  - 16. The tangible computer-readable medium of claim 10, wherein the method further comprises:
    - receiving a registration request from a MIP proxy specifying a permanent network address associated with the mobile node and a care-of address associated with the MIP proxy;
      
      establishing a security association between the home agent and a VPN gateway; and
      
      establishing a binding specifying the care-of address associated with the MIP proxy as a care-of address for the VPN gateway.
  - 17. The tangible computer-readable medium of claim 16, wherein the security association is an IPSec security association.
  - 18. The tangible computer-readable medium of claim 16, further comprising tunneling the data in a mobile IP layer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Liu, Changwen, Andrews, Michael B., Iyer, Prakash
Primary Examiner(s)
Patel; Jayanti K
Assistant Examiner(s)
ZHU, BO HUI ALVIN

Application Number

US10/325,657
Publication Number

US 20040120295A1
Time in Patent Office

2,518 Days
Field of Search

370/328, 370/400, 370/401, 370/474, 370/475
US Class Current

370/328
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/164   at the network layer

H04W 12/033   of the user plane, e.g. use...

H04W 60/00   Affiliation to network, e.g...

H04W 80/04   Network layer protocols, e....

H04W 88/182   Network node acting on beha...

System and method for integrating mobile networking with security-based VPNs

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

39 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for integrating mobile networking with security-based VPNs

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links