System and method for providing selective bearer security in a network environment

US 9,215,588 B2
Filed: 04/30/2010
Issued: 12/15/2015
Est. Priority Date: 04/30/2010
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving a message related to a bearer or an Internet Protocol (IP) flow, wherein the message includes selectors indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow, and wherein the selectors can facilitate adjusting IPsec security policy databases in network elements using, at least in part, control plane signaling messages between the network elements and a packet data network gateway, wherein the IPsec security policy databases are adjusted at the flow level and not the encapsulating security payload bearer level, wherein policy control and charging extensions adjust the IPsec security policy databases on both a sending side and a receiving side such that the sending side and the receiving side are synchronized;

mapping a communication flow to the bearer or the IP flow, wherein an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow, and wherein the selectors are provided at a bearer level or at an IP flow level such that network traffic associated with the communication flow is designated for the IPsec feature, wherein signaling for user plane and control plane network elements are extended to indicate whether the bearer or the IP flow is designated for the IPsec feature; and

applying the IPsec feature to the bearer or the IP flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An example method includes receiving a message related to a bearer or an Internet Protocol (IP) flow, the message includes an extension indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow. The method further includes mapping a communication flow to the bearer or the IP flow, and applying the IPsec feature to the bearer or the IP flow. In other embodiments, the method can include communicating the extension to a next destination, and updating a security policy to indicate that the bearer or the IP flow is designated for the IPsec feature. In yet other embodiments, an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow. The extension is provided at an IP flow level or at a bearer level such that network traffic is designated for the IPsec feature.

109 Citations

19 Claims

1. A method, comprising:
- receiving a message related to a bearer or an Internet Protocol (IP) flow, wherein the message includes selectors indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow, and wherein the selectors can facilitate adjusting IPsec security policy databases in network elements using, at least in part, control plane signaling messages between the network elements and a packet data network gateway, wherein the IPsec security policy databases are adjusted at the flow level and not the encapsulating security payload bearer level, wherein policy control and charging extensions adjust the IPsec security policy databases on both a sending side and a receiving side such that the sending side and the receiving side are synchronized;
  
  mapping a communication flow to the bearer or the IP flow, wherein an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow, and wherein the selectors are provided at a bearer level or at an IP flow level such that network traffic associated with the communication flow is designated for the IPsec feature, wherein signaling for user plane and control plane network elements are extended to indicate whether the bearer or the IP flow is designated for the IPsec feature; and
  
  applying the IPsec feature to the bearer or the IP flow.
- View Dependent Claims (2, 3, 4, 5, 6, 18, 19)
- - 2. The method of claim 1, further comprising:
    - communicating the selectors to a next destination; and
      
      updating a security policy to indicate that the bearer or the IP flow is designated for the IPsec feature.
  - 3. The method of claim 1, wherein the selectors are provided at a user level such that network traffic associated with a particular user is designated for the IPsec feature.
  - 4. The method of claim 1, wherein the selectors are provided at an access point name (APN) level such that network traffic associated with a particular APN is designated for the IPsec feature.
  - 5. The method of claim 1, wherein the selectors are communicated in conjunction with communicating a quality of service (QoS) characteristic, or a charging characteristic for the communication flow.
  - 6. The method of claim 1, wherein the selectors are associated with a voice over IP (VoIP) call that is designated for the IPsec feature.
  - 18. The method of claim 1, wherein a security parameter index identifying a security association is added to the message if security is to be applied.
  - 19. The method of claim 1, wherein the bearer or the IP flow originated from an electronic device and a second bearer or a second IP flow from the electronic device does not have the IPsec feature applied.

7. Logic encoded in one or more non-transitory tangible media that includes code for execution and when executed by a processor operable to perform operations comprising:
- receiving a message related to a bearer or an Internet Protocol (IP) flow, wherein the message includes selectors indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow, and wherein the selectors can facilitate adjusting IPsec security policy databases in network elements using, at least in part, control plane signaling messages between the network elements and a packet data network gateway, wherein the IPsec security policy databases are adjusted at the flow level and not the encapsulating security payload bearer level, wherein policy control and charging extensions adjust the IPsec security policy databases on both a sending side and a receiving side such that the sending side and the receiving side are synchronized;
  
  mapping a communication flow to the bearer or the IP flow, wherein an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow, and wherein the selectors are provided at a bearer level or at an IP flow level such that network traffic associated with the communication flow is designated for the IPsec feature, wherein signaling for user plane and control plane network elements are extended to indicate whether the bearer or the IP flow is designated for the IPsec feature; and
  
  applying the IPsec feature to the bearer or the IP flow.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The logic of claim 7, the operations further comprising:
    - communicating the selectors to a next destination; and
      
      updating a security policy to indicate that the bearer or the IP flow is designated for the IPsec feature.
  - 9. The logic of claim 7, wherein the inter-process communication is used to maintain the session for the subscriber when the subscriber is attached to different networks.
  - 10. The logic of claim 7, wherein the selectors are provided at a user level such that network traffic associated with a particular user is designated for the IPsec feature.
  - 11. The logic of claim 7, wherein the selectors are communicated in conjunction with communicating a quality of service (QoS) characteristic for the communication flow.

12. An apparatus, comprising:
- a memory element configured to store data;
  
  a processor operable to execute instructions associated with the data; and
  
  a bearer security module configured to interface with the processor in order to;
  
  receive a message related to a bearer or an Internet Protocol (IP) flow, wherein the message includes selectors indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow, wherein the selectors can facilitate adjusting IPsec security policy databases in network elements using, at least in part, control plane signaling messages between the network elements and a packet data network gateway, wherein the IPsec security policy databases are adjusted at the flow level and not the encapsulating security payload bearer level, wherein policy control and charging extensions adjust the IPsec security policy databases on both the sending and receiving side such that the sending side and the receiving side are synchronized;
  
  map a communication flow to the bearer or the IP flow, wherein an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow, and wherein the selectors are provided at a bearer level or at an IP flow level such that network traffic associated with the communication flow is designated for the IPsec feature, wherein signaling for user plane and control plane network elements are extended to indicate whether the bearer or the IP flow is designated for the IPsec feature; and
  
  apply the IPsec feature to the bearer or the IP flow.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The apparatus of claim 12, further comprising:
    - a security policy database configured to store the bearer information associated with particular security settings, wherein a security policy stored in the security policy database can be updated to indicate that the bearer or the IP flow is designated for the IPsec feature.
  - 14. The apparatus of claim 12, wherein the selectors are provided at a user level such that network traffic associated with a particular user is designated for the IPsec feature.
  - 15. The apparatus of claim 12, wherein the selectors are provided at an access point name (APN) level such that network traffic associated with a particular APN is designated for the IPsec feature.
  - 16. The apparatus of claim 12, wherein the selectors are communicated in conjunction with communicating a quality of service (QoS) characteristic, a charging characteristic, or a deep packet inspection (DPI) characteristic for the communication flow.
  - 17. The apparatus of claim 12, wherein the selectors are associated with a voice over IP (VoIP) call that is designated for the IPsec feature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Andreasen, Flemming S.
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US12/771,574
Publication Number

US 20110271320A1
Time in Patent Office

2,055 Days
Field of Search

726/1, 726/5, 726/6, 370/310, 370/437, 370/465
US Class Current

1/1
CPC Class Codes

H04L 63/0869   for achieving mutual authen...

H04L 63/164   at the network layer

H04W 12/062   Pre-authentication

System and method for providing selective bearer security in a network environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing selective bearer security in a network environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links