EP2266286A2 - Method for switching a mobile terminal from a first access router to a second access router - Google Patents
- Publication number
- EP2266286A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- router
- terminal
- identifier
- context
- access router
- Prior art date
- Legal status
- Withdrawn
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/0005—Control or signalling for completing the hand-off
- H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection
- H04W36/0033—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
- H04W36/0038—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/08—Access point devices
Definitions
- the present invention relates to the management of security when switching a mobile terminal from a first access router, to which the terminal is initially connected securely, to a second access router.
- IPsec IP Security Protocol
- a phase of establishment of this tunnel includes a negotiation of security parameters necessary for the security of communications, such as for example keys that will be used to encrypt communications between the two entities, cryptographic algorithms, etc.
- a protocol has been defined to negotiate security settings when using the IPSec protocol. This is the IKE protocol (for "Internet Key Exchange”) in version 2, noted IKEv2.
- a security association is a data structure that groups together all the parameters associated with a given secure connection between two peers, such as the terminal and the access router: the security parameters negotiated in IKEv2 exchanges and the source and destination IP addresses of the peers involved in the communication.
- SA Security Association
- a database of security associations is used (the term commonly used is the term “Security Association Database”, or "SAD").
- SAD Security Association Database
- the communication context comprises the IPsec and IKEv2 parameters related to the terminal and the access router: the security associations relating to the communications between the terminal and the access router, their identifiers in the security association base, as well as a security policy that defines what should be applied in terms of security to packets received or transmitted.
- the context therefore includes all the negotiated security parameters, the IP addresses of the terminal and the access router and the security association identifiers, or SPIs.
- a first IPsec tunnel is established, and this IPsec tunnel is associated with a communication context comprising at least one security association identified by an index.
- when this mobile terminal moves from a first area covered by this first access router to a second area covered by a second access router, a second IPsec tunnel must be established between the mobile terminal and the second router. Establishing this second IPsec tunnel requires restarting the IPsec message exchanges from the beginning, including the negotiation of security settings. Such an operation is time consuming. In the case of real-time services, such as a voice over IP service or a streaming video service, it may then be difficult to ensure continuity of service while the terminal moves. To overcome this drawback, it is known to use a context transfer mechanism to transfer the IPsec and IKEv2 context relating to the mobile terminal from the first router to the second router.
- a context transfer mechanism to transfer the IPSec and IKEv2 context relative to the mobile terminal, from the first router to the second router.
- the IPSec and IKEv2 context is then transferred from the first router to the second router during the mobility of the terminal.
- certain parameters of the received context must be updated by the second router:
- security association identifiers between the terminal and the access router, if they are already used to identify other active security associations at the second access router.
- MOBIKE for "IKEv2 mobility and multihoming protocol”
- IKEv2 mobility and multihoming protocol is adapted to update and modify IP addresses of the access router and the terminal in security associations during a context transfer.
- it is not possible to update security association identifiers in the case where an identifier transferred in a context during the mobility of a terminal from a first router to a second router is identical to an identifier in use on the second router.
- the IPSec tunnel can not benefit from context transfer; it must therefore be completely rebuilt, which, in the case of real-time services, does not ensure continuity of service.
- the invention responds to this need by proposing a method of switching a mobile terminal from a first access router to a second access router, the terminal having previously established a secure connection with the first access router.
- the first access router has an associated communication context between the terminal and the first router, said context comprising at least one identifier relating to a set of security parameters of the connection, in which method said context is transferred to the second router during the switching of the terminal, characterized in that it comprises, in the case where the at least one identifier in the transferred context is already used by said second router, a step of the second router sending the terminal a new identifier for said set of security parameters.
- the method according to the invention makes it possible to minimize the time required for the switching of a terminal from an access router to a second access router. Indeed, it allows, during a context transfer and in the event of a collision between at least one context security association identifier transferred with one of the identifiers already used by the second router to manage active security associations, negotiate a new identifier between the terminal and the second router. This negotiation makes it possible to update the security parameters of the context and thus to establish the secure connection from the updated context information. Thus, it is not necessary to renegotiate from the beginning the security settings between the terminal and the second router. It is thus possible to guarantee continuity of service for real-time services running on the mobile terminal.
- the method comprises, in the case where the new identifier received from the second router is already used by the terminal, a step of sending to the second router of another new identifier for said set of security settings.
- a terminal that receives a proposal from the second access router of a new identifier is adapted to send to the second router a counterproposal in the case where the new identifier received from the second router collides with an identifier already used by the terminal.
- the invention also relates to a signal carrying a notification message intended to be transmitted between a terminal and a second router during a switching of said terminal from a first router to said second router, the terminal having previously established a secure connection with the first access router with which is associated a communication context between the terminal and the first router, said context comprising at least one identifier relating to a set of security parameters of the connection, said message comprising:
- the message is in accordance with the IKEv2 NOTIFY protocol.
- the notification message used by a router to propose a new identifier to a terminal, or by a terminal to send to a router a counter-proposal containing another new identifier is in accordance with an existing message of a standardized protocol. No new message needs to be defined.
- the invention also relates to an access router, adapted to manage a switching of a mobile terminal from a first access router to said access router, a secure connection being established between the terminal and the first access router.
- an access router adapted to manage a switching of a mobile terminal from a first access router to said access router, a secure connection being established between the terminal and the first access router.
- said context comprising at least one identifier relating to a set of security parameters of the connection
- said router comprising means for receiving said context during the switching of the terminal, and being characterized in that it further comprises:
- detection means arranged to detect that the at least one identifier in the transferred context is already used by said access router
- the means for sending arranged to send to the terminal a new identifier for said set of security parameters in the case where the detection means detect that the at least one identifier in the transferred context is already used by said access router.
- the invention also relates to a mobile terminal adapted to switch from a first access router to a second access router, said terminal being arranged to establish in advance a secure connection with the first access router, to which is associated a context of communication between the terminal and the first router, said context comprising at least one identifier relating to a set of security parameters of the connection, characterized in that it comprises: means for receiving and processing a new identifier transmitted by the second router, arranged to substitute said new identifier for the identifier relative to the set of security parameters in the communication context when the terminal is switched to the second router.
- the terminal further comprises:
- detection means arranged to detect whether the new identifier received from the second router is already used by the terminal, and
- generating and sending means arranged to generate and send to the second router another new identifier for said set of security parameters, controlled by said detection means.
- the invention also relates to a computer program for an access router, comprising:
- code instructions for, in case of transfer to the router of a communication context associated with a secure connection between a terminal and another router and comprising at least one identifier relating to a set of security parameters of the connection, detect if the at least one identifier of the transferred context is already used by said access router, and
- the invention also relates to a data carrier on which the computer program for an access router according to the invention is stored.
- the invention also relates to a computer program for a terminal, comprising code instructions for, in case of transfer from a first router to a second router of a communication context associated with a secure connection between the terminal and the first router, the secure connection being associated with a communication context comprising at least one identifier relating to a set of security parameters of the connection, replacing said identifier with a new identifier received from the second router, when the program is executed by a processor.
- the invention also relates to a data carrier on which the computer program for a terminal according to the invention is stored.
- FIG. 1 illustrates the principle of the transfer of a communication context that is implemented by the invention
- FIG. 2 illustrates the message exchanges during a transfer of context from a first router to a second router according to the prior state of the art
- FIG. 3 shows the steps of the method of the invention according to a particular embodiment
- FIG. 4a, respectively 4b is a schematic representation of a structure of a notification message according to the prior art, respectively of a notification message according to a particular embodiment of the invention
- FIG. 5 is a functional block representation of an access router according to one embodiment of the invention
- FIG. 6 is a functional block representation of a terminal according to one embodiment of the invention.
- FIG. 1 illustrates a principle implemented by the method of the invention.
- a mobile terminal T attached to a pRA access router accesses the Internet in a secure manner.
- the terminal T has established a secure connection with the access router pRA, represented in the figure by a tunnel pT between the terminal T and the access router pRA.
- the secure connection is established according to the "IPsec" protocol (for "IP security protocol"), for example according to a mode called “tunnel mode”.
- IPsec for "IP security protocol”
- the pT tunnel called “IPsec tunnel” makes it possible to secure the communications between the mobile terminal T and the access router pRA.
- Protocol exchanges are necessary to establish the IPsec tunnel, they include first exchanges to negotiate security parameters that are used to secure the communications between the mobile terminal T and the access router pRA.
- the first exchanges that make it possible to negotiate the security parameters are compliant, for example with the "IKE" protocol (for "Internet Key Exchange") in version 2, denoted "IKEv2".
- the parameters negotiated during IKEv2 exchanges are, for example, cryptographic algorithms, encryption keys, a mode, for example tunnel mode, to be used for securing peer-to-peer communications, such as the terminal T and the access router pRA. It is also during the IKEv2 exchanges that data structures called "security associations" (the term commonly used is the term “Security Association”) are defined.
- a security association is a data structure that groups together all the parameters associated with a given secure connection between two peers: the security parameters negotiated in IKEv2 exchanges, and the source and destination peer IP addresses respectively.
- during the IKEv2 exchanges two types of security association are created:
  - security associations used by the IPsec protocol, once the secure tunnel has been established, to secure peer-to-peer communications; these security associations are later referred to as "IPsec security associations",
  - security associations used by the IKEv2 protocol to protect the negotiation of IPsec security associations; these security associations are later referred to as "IKE security associations".
- the security associations are stored in unrepresented databases, at the terminal T and the access router pRA.
- the databases are called security association databases (the term commonly used is the term “Security Association Database”, also referred to as “SAD”).
- SAD Security Association Database
- each security association is uniquely identified by an identifier called security parameter index (the term commonly used is the term “Security Parameter Index”, or "SPI”).
- SPI Security Parameter Index
- a security association is directional: for a given peer, a security association is applied to a packet reception by that peer, and another security association is applied to a packet transmission by that peer.
- a communication context associated with the secure tunnel pT.
- the communication context includes IPsec and IKEv2 parameters related to the terminal T and the access router pRA, and more specifically: the security associations relating to the communications between the terminal and the access router,
- a security policy that defines what should be applied in terms of security to packets received or transmitted.
- the mobile terminal T which, during a movement, detects a second access router nRA.
- the mobile terminal T decides, according to its own criteria to access the network via the second access router nRA.
- the terminal T must firstly detach from the router pRA through which it accessed the network so far, and secondly attach to the second router nRA. The terminal T is said to switch from the router pRA to the second router nRA.
- to access the network via the second router nRA in a secure manner, the terminal T must establish a secure connection with the second access router nRA. This connection is represented by a tunnel nT.
- a context is transferred including parameters IKEv2 and IPSec linked to the terminal T and to the first pRA access router.
- the transferred context includes the security associations relating to the communications between the terminal T and the first access router pRA, the identifiers of these security associations, as well as a security policy that defines what must be applied in terms of security to packets received or transmitted.
- the context transfer from the first router pRA to the second router nRA is shown schematically by a dotted arrow from the router pRA to the second router nRA.
- this context transfer between access routers makes it possible to establish a secure connection between the terminal T and the second router nRA while avoiding a complete negotiation between the terminal T and the second router nRA, in particular the negotiation of the security parameters using the IKEv2 protocol.
- the context that is transferred from the router pRA to the second router nRA is then activated on the second router nRA. This activation corresponds to the setting up of the context on the second router nRA.
- the second nRA router then processes the context. In particular, the context is updated by the second router nRA:
- a new IP address of the terminal T is specified, insofar as the latter, while moving, has acquired a new IP address
- an IP address of the access router to which the terminal T is attached is updated with the address of the second access router nRA,
- security association identifiers used to uniquely identify security associations between the terminal and the access router, if these identifiers are already used to identify other active security associations at the second nRA router.
- the method for updating the security association identifiers is described in connection with FIG.
- An existing protocol, "MOBIKE"("IKEv2 mobility and multihoming protocol") is used to update the IP addresses of the router and the terminal.
- the context transfer makes it possible to transfer from the router pRA to the second router nRA relevant information that is immediately reusable by the second router nRA. As a result of the context transfer, time is saved during switching from the terminal T of the router pRA to the second router nRA.
- the mobile terminal T attaches to the access router pRA, it negotiates security parameters between the terminal T and the router pRA to establish a secure connection with the access router pRA .
- the negotiation takes place by means of message exchanges, not detailed, in accordance with the IKEv2 protocol.
- a communication context is available at the mobile terminal T and the first access router pRA.
- the context includes the IPsec and IKEv2 security associations associated with the secure connections between the terminal T and the router pRA, the security association identifiers, and a security policy that defines how to handle, in terms of security, packets received or transmitted.
- the communication context between the terminal T and the access router pRA comprises the security parameters necessary for securing communications between the terminal T and the access router pRA, the IP addresses of the terminal T and the access router pRA, and the identifiers, or SPI, of the security associations in the base of the security associations SAD.
- the secure connection is established between the terminal T and the router pRA by means of an IPsec tunnel t20.
- in a context transfer step 21, during which the mobile terminal T moves to the second access router nRA, the communication context established in step 20 is transferred from the access router pRA to the second access router nRA.
- the transfer is carried out by means of message exchanges, not detailed, in accordance with the "CXTP" protocol (of the English "Context Transfer Protocol") between the router pRA, the second router nRA and the terminal T.
- the messages exchanged to transfer the communication context of the router pRA to the router nRA being known to those skilled in the art and not part of the invention, they will not be further described in the present description.
- the security associations are updated in the T terminal security association databases and the second nRA access router.
- the terminal T attaches to the second access router nRA. It is assumed here that the second access router nRA detects a collision between at least one of the security association identifiers received in the context and one of the security association identifiers that it already uses itself.
- a step 22 of attachment of the terminal T to the second access router nRA comparable to the initial step 20, security parameters are renegotiated between the terminal T and the second access router nRA.
- a secure connection is established between the terminal T and the second access router nRA. It is represented by a new tunnel t22. It will be noted that, in the prior art, the establishment of the new tunnel t22 necessitates restarting the IKEv2 protocol exchanges from the beginning.
- the second access router nRA activates the context received and processes it.
- the second nRA router updates the communication context associated with the communication between the terminal T and the router nRA. For this purpose, messages conforming to the MOBIKE protocol are exchanged between the second router nRA and the terminal T in order to update the IP addresses of the terminal T and the second router nRA in the security associations. The secure connection between the terminal T and the second router nRA is then established.
- in an initial step 30, comparable to step 20 of Figure 2, the mobile terminal T attaches to the access router pRA.
- security parameters are negotiated to establish the secure connection between the terminal T and the access router pRA.
- the communication context associated with the secure connection between the two peers is defined at the mobile terminal T and the access router pRA.
- the secure connection is established between the terminal T and the router pRA by means of an IPsec tunnel t30.
- the terminal T attaches to the second access router nRA.
- the second access router nRA detects a collision between at least one of the security association identifiers received in the communication context, and one of the security association identifiers that it already uses. The collision may concern one or more identifiers.
- the identifiers that it already uses correspond, for example, to secure connections it has established with other terminals, not represented.
- the second nRA router activates the received context and begins processing it.
- the old IPsec tunnel t30 which secured the communications between the terminal T and the access router pRA has been transferred between the terminal T and the second access router nRA.
- This tunnel is represented by an old transferred tunnel t31.
- the context associated with the old tunnel transferred t31 has not yet been updated.
- the second access router nRA updates the communication context associated with the secure connection between the terminal T and the second access router nRA. For this purpose, messages conforming to the MOBIKE protocol are exchanged between the second router nRA and the terminal T in order to update the IP addresses of the terminal T and the second access router nRA in the security associations associated with the secure connection and, according to the invention, to negotiate new security association identifiers between the terminal and the access router nRA, replacing the identifier or identifiers for which a collision has been detected.
- the purpose of negotiating new identifiers is to find security association identifiers for the secure communication between the terminal and the access router nRA which are not already used by the second access router nRA and, where appropriate, by the terminal T.
- an "INFORMATIONAL" message m32-1 carrying at least one notification datum is sent.
- the message m32-1 carries an update notification of peer IP addresses, denoted "N(UPDATE_SA_ADDRESSES)", and as many notifications according to the invention, denoted "N(UPDATE_SPI)" and each comprising a new security association identifier, as there are identifiers detected as already used during the attachment sub-step 310.
- N UPDATE_SA_ADDRESSES
- N UPDATE_SPI
- the terminal T, which receives a proposal for at least one security association identifier in the message m32-1, detects a collision between the identifier received from the second access router nRA and a security association identifier that it already uses to manage a secure connection with another peer, not shown. The terminal then sends, in a message m32-2 according to the invention, a proposal for another new identifier.
- the proposal relates to one or more identifiers depending on whether there is a collision with one or more identifiers managed by the terminal T.
- the latter sends a proposal for at least one security association identifier in an m32-3 message.
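The collision handling described in sub-step 310 and messages m32-1, m32-2 and m32-3 above (the router detects identifiers already in its SAD, proposes replacements, the terminal counter-proposes where a proposal collides on its own side, and the router re-checks), as an added Python simulation that is not part of the patent. The Node, Context and SA classes, the identifier generators, the sample SPIs and the rule that D=1 marks a router-side security association are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    """One directional security association (assumed shape): identified by its
    SPI; 'in' means packets received by the router, 'out' packets it sends."""
    spi: int
    direction: str
    params: str            # stand-in for the negotiated algorithms and keys


@dataclass
class Context:
    """Communication context transferred from pRA to nRA (constructed)."""
    terminal_ip: str
    router_ip: str
    sas: list


class Node:
    """A peer (terminal or access router) with its Security Association Database."""

    def __init__(self, name, spi_source):
        self.name = name
        self.sad = {}                          # SPI -> SA
        self._spi_source = iter(spi_source)    # hypothetical identifier generator

    def uses(self, spi):
        return spi in self.sad

    def fresh_spi(self, avoid=()):
        # pick an identifier that is neither 0, nor in our SAD, nor already proposed
        for spi in self._spi_source:
            if spi and not self.uses(spi) and spi not in avoid:
                return spi
        raise RuntimeError(f"{self.name}: no free SPI available")


def _check(node, proposals):
    """Replace every proposed SPI that collides with node's own SAD.
    Returns (revised proposals, whether anything changed)."""
    revised, changed = [], False
    for old, new, d in proposals:
        taken = [p[1] for p in proposals] + [r[1] for r in revised]
        if node.uses(new):
            new, changed = node.fresh_spi(avoid=taken), True
        revised.append((old, new, d))
    return revised, changed


def negotiate_spis(router, terminal, ctx, max_rounds=8):
    """Router detects SPI collisions in the transferred context (sub-step 310),
    proposes replacements (m32-1); the terminal counter-proposes on its own
    collisions (m32-2); the router re-checks (m32-3) until both sides agree.
    Returns [(old_spi, agreed_spi, D)], D=1 meaning a router-side SA (assumption)."""
    colliding = [sa for sa in ctx.sas if router.uses(sa.spi)]
    proposals = []
    for sa in colliding:
        d = 1 if sa.direction == "in" else 0
        proposals.append((sa.spi, router.fresh_spi(avoid=[p[1] for p in proposals]), d))
    if not proposals:
        return []
    for _ in range(max_rounds):
        counter, changed = _check(terminal, proposals)
        if not changed:
            return proposals
        proposals, changed = _check(router, counter)
        if not changed:
            return counter
    raise RuntimeError("no agreement on identifiers within max_rounds")


def install_context(router, ctx, agreed):
    """nRA activates the transferred context, storing SAs under the agreed SPIs."""
    remap = {old: new for old, new, _ in agreed}
    for sa in ctx.sas:
        spi = remap.get(sa.spi, sa.spi)
        router.sad[spi] = SA(spi, sa.direction, sa.params)


def apply_replacements(terminal, agreed):
    """The terminal substitutes the new identifiers in its own context."""
    for old, new, _ in agreed:
        sa = terminal.sad.pop(old)
        terminal.sad[new] = SA(new, sa.direction, sa.params)


def demo():
    # Constructed scenario (values are not from the patent): T's context with pRA
    ctx = Context("10.0.0.7", "10.0.0.1",
                  [SA(0x1000, "in", "esp-aes-gcm/k1"), SA(0x2000, "out", "esp-aes-gcm/k2")])
    terminal = Node("T", [0x7777])
    for sa in ctx.sas:
        terminal.sad[sa.spi] = sa
    terminal.sad[0x3000] = SA(0x3000, "out", "other-peer")      # T's SA with another peer
    nra = Node("nRA", [0x3000, 0x4000])     # its first candidate collides on T's side
    nra.sad[0x1000] = SA(0x1000, "in", "other-terminal")        # collision with the context
    agreed = negotiate_spis(nra, terminal, ctx)
    install_context(nra, ctx, agreed)
    apply_replacements(terminal, agreed)
    return agreed, nra, terminal


if __name__ == "__main__":
    agreed, nra, terminal = demo()
    print("agreed replacements:", [(hex(o), hex(n), d) for o, n, d in agreed])
    print("nRA SAD:", sorted(map(hex, nra.sad)))
    print("T SAD:", sorted(map(hex, terminal.sad)))
```

The bounded `max_rounds` loop is the check a practitioner would want: without it, two peers with overlapping identifier spaces could exchange proposals indefinitely, and the fallback when the bound is hit is to rebuild the tunnel, which is the prior-art behaviour the patent tries to avoid.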
- a message according to the invention used to propose new identifiers of security associations in the event of a collision detected by the second router nRA during a transfer of context from the access router pRA will now be described in connection with Figures 4a and 4b.
- Figure 4a is a representation of an IKEv2-compliant message of INFORMATIONAL type containing NOTIFY type data. Such a message is usually used during MOBIKE-compliant exchanges to convey an error or a notification. It can for example be transmitted to notify a recipient peer of a new IP address of the sending peer. In the latter case, the transmitted notification uses the type "UPDATE_SA_ADDRESSES".
- the "Protocol ID" field specifies the type of the security association: IKE or IPsec.
- the "SPI size" field specifies the length of the SPI identifier or zero.
- the "Notify Message Type” field specifies the type of the notification message. For example, "UPDATE_SA_ADDRESSES”.
- the "Security Parameter Index" field contains the SPI identifier.
- the "Notification Data” field specifies the informational data, or the error transmitted in addition to the "Notify Message Type”.
- a new type of notification is defined, adapted to enable a peer to propose a new security association identifier when this peer detects a collision between an identifier that it is already using and a security association identifier that it receives.
- the detection of a collision between identifiers can take place during a transfer of context from an access router to a second access router. In another case, the detection can take place after receiving a message containing a proposal for a new identifier according to the invention.
- the message according to the invention is comparable to a notification message as described in relation with FIG. 4a.
- a new type "UPDATE_SPI” makes it possible to characterize the type of the notification.
- a message of type "UPDATE_SPI” is adapted to propose a new security association identifier instead of an identifier already used.
- the "Security Parameter Index” field includes the SPI identifier to be replaced.
- the "New Security Parameter Index” field includes the new identifier, generated to avoid collision with the identifier of the "Security Parameter Index” field.
- a "D” direction flag makes it possible to specify whether the identifier to be modified is on the terminal side, or on the access router side.
- the flag is coded on one bit and is "0" if it is on the terminal side, and "1" if it is on the access router side.
- the IKEv2 message includes several "UPDATE_SPI" type notifications.
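An added encoder and length-checked decoder for the notification of Figures 4a and 4b, written for this page and not taken from the patent. The Notify payload header layout, the Notify payload type 41, the UPDATE_SA_ADDRESSES value 16400 and the Protocol ID values 1/2/3 follow RFC 7296 and RFC 4555; the UPDATE_SPI type number (40960, a private-use value, since the patent assigns none), the 8-byte SPI for IKE and the placement of the D flag as the first byte of the Notification Data ahead of the New Security Parameter Index are assumptions for this example.

```python
import struct

PAYLOAD_NOTIFY = 41                          # Next Payload value for a Notify payload
PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3     # Protocol ID values (RFC 7296)
SPI_SIZE = {PROTO_IKE: 8, PROTO_AH: 4, PROTO_ESP: 4}   # assumption for IKE
NOTIFY_UPDATE_SA_ADDRESSES = 16400           # MOBIKE (RFC 4555)
NOTIFY_UPDATE_SPI = 40960                    # placeholder, private-use range; not assigned

# Next Payload, Critical/Reserved, Payload Length, Protocol ID, SPI Size, Notify Message Type
NOTIFY_HDR = struct.Struct("!BBHBBH")


def build_update_spi(proto, old_spi, new_spi, router_side, next_payload=0):
    """Encode one UPDATE_SPI notification: SPI field = identifier to replace,
    Notification Data = D flag (1 byte, assumed) + New Security Parameter Index."""
    size = SPI_SIZE[proto]
    limit = 1 << (8 * size)
    if not (0 < old_spi < limit and 0 < new_spi < limit):
        raise ValueError("SPI out of range for this protocol")
    if old_spi == new_spi:
        raise ValueError("new SPI must differ from the one it replaces")
    data = bytes([1 if router_side else 0]) + new_spi.to_bytes(size, "big")
    length = NOTIFY_HDR.size + size + len(data)
    return (NOTIFY_HDR.pack(next_payload, 0, length, proto, size, NOTIFY_UPDATE_SPI)
            + old_spi.to_bytes(size, "big") + data)


def build_update_sa_addresses(next_payload=0):
    """Encode a MOBIKE UPDATE_SA_ADDRESSES notification: Protocol ID 0, no SPI, no data."""
    return NOTIFY_HDR.pack(next_payload, 0, NOTIFY_HDR.size, 0, 0, NOTIFY_UPDATE_SA_ADDRESSES)


def chain(notifies):
    """Concatenate notifications for one INFORMATIONAL message, fixing up
    each Next Payload field (41 = another Notify follows, 0 = last payload)."""
    out = b""
    for i, n in enumerate(notifies):
        nxt = PAYLOAD_NOTIFY if i < len(notifies) - 1 else 0
        out += bytes([nxt]) + n[1:]
    return out


def parse_notify(buf):
    """Decode one notification, validating every length before slicing.
    Returns (fields, remaining bytes); raises ValueError on malformed input."""
    if len(buf) < NOTIFY_HDR.size:
        raise ValueError("truncated notify header")
    nxt, _crit, length, proto, size, ntype = NOTIFY_HDR.unpack_from(buf)
    if length < NOTIFY_HDR.size + size or length > len(buf):
        raise ValueError("payload length inconsistent with buffer")
    if size and (proto not in SPI_SIZE or size != SPI_SIZE[proto]):
        raise ValueError("SPI size does not match protocol")
    body = buf[NOTIFY_HDR.size:length]
    fields = {"next": nxt, "protocol": proto, "type": ntype,
              "spi": int.from_bytes(body[:size], "big") if size else None,
              "data": body[size:]}
    if ntype == NOTIFY_UPDATE_SPI:
        data = fields["data"]
        if size == 0 or len(data) != 1 + size or data[0] > 1:
            raise ValueError("malformed UPDATE_SPI notification data")
        new_spi = int.from_bytes(data[1:], "big")
        if new_spi == 0 or new_spi == fields["spi"]:
            raise ValueError("invalid replacement SPI")
        fields["new_spi"], fields["router_side"] = new_spi, bool(data[0])
    return fields, buf[length:]


def parse_message(buf):
    """Decode every notification in a chained buffer."""
    out = []
    while buf:
        fields, buf = parse_notify(buf)
        out.append(fields)
    return out


def is_well_formed(buf):
    try:
        parse_message(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    msg = chain([build_update_sa_addresses(),
                 build_update_spi(PROTO_ESP, 0x1000, 0x7777, router_side=True)])
    for f in parse_message(msg):
        print(f)
```

The decoder checks the Payload Length against the buffer and the SPI Size against the Protocol ID before it reads the SPI or the Notification Data, and it rejects a New Security Parameter Index of zero or one equal to the index it replaces; a receiver that skipped those checks would apply a collision proposal that re-creates the very collision the message is meant to remove.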
- An access router 50 provides a basic function of a router: the routing of packets.
- it allows a terminal to access one or more networks.
- it is adapted to establish a secure connection with the terminal that attaches to it to access the network.
- secure connections are established using the IPsec protocol.
- the router 50 according to the invention is adapted to receive and transmit to other routers communication contexts, associated with secure connections established with peers such as terminals. It is also adapted to negotiate with these peers new security association identifiers associated with secure connections when it detects collisions between at least one identifier present in a context that it receives, and one of the identifiers that it uses.
- the access router 50 comprises several modules: network interfaces 51, a memory 52, a reception and context transfer module 53, a detection module 54, a module 55 for sending and receiving a proposal for at least one new security association identifier, a generation module 56 and databases 57.
- the modules 51, 52, 53, 54, 55, 56 and 57 are connected to a microprocessor 58 :
- the network interfaces 51 allow on one hand a terminal or another access router to communicate with the access router 50 according to different technologies, for example according to a WiFi mode, WiMax, and they also allow the access router 50 to access one or more networks, for example the Internet and thus provide network access to the terminal or router that has attached to it; databases 57 are dynamically created when establishing secure connections between the router and peers.
- These bases include the SAD database of security associations and a security policy database (the term commonly used is the term "Security Policy Database", or "SPD") which defines what should be applied, in terms of security, to packets received or transmitted.
- the memory 52 makes it possible to perform calculations, to manage the databases 57, to load the software instructions corresponding to the steps of the switching management method described above, and to have them executed by the microprocessor 58; the microprocessor 58, or "CPU" (Central Processing Unit), is a processing unit;
- a module 53 for receiving and transferring contexts, arranged to receive from another access router a context associated with a secure communication previously established between that other access router and the terminal, and to transfer a context associated with a secure communication to another router;
- a detection module 54 arranged to detect collisions between at least one of the security association identifiers received during the transfer of a context associated with a terminal from another router, and one of the security association identifiers that it already uses, for example in the context of secure communications already established with another terminal; a module 55 for sending and receiving at least one proposal for a new identifier;
- a generation module 56 arranged to generate at least one new identifier in the case where the detection module detects a collision between, on the one hand, at least one identifier that it receives in a context transferred to it by another router, or at least one identifier that it receives from a terminal in an identifier proposal, and, on the other hand, at least one identifier that it already uses. It is also arranged to generate a proposal relating to this at least one new identifier.
- the sending and receiving modules 55 and the generating module 56 cooperate to send a new security association identifier when a collision has been detected by the detection module 54.
- the modules 53, 54, 55 and 56 are arranged to implement those of the steps of the switching method described above which are implemented by the access router. These are preferably software modules comprising software instructions for executing the steps of the switching method described above, implemented by a processor of an access router.
- the invention therefore also relates to: a computer program comprising instructions for implementing the switching method as described above when this program is executed by a processor;
- the software modules can be stored in, or transmitted by, a data carrier. This may be a hardware storage medium, for example a CD-ROM, a magnetic diskette or a hard disk, or a transmission medium such as a signal or a telecommunications network.
- a mobile terminal 60 according to the invention has conventional functions of access to a network, for example the Internet, by attachment to an access router.
- the mobile terminal 60 is arranged to establish a secure connection with an access router to which it attaches.
- the mobile terminal 60 comprises several modules: network interfaces 61, a memory 62, a module 63 for receiving and processing a new security association identifier, a module 64 for generating and sending a new security association identifier, a detection module 65 and databases 66.
- the modules 61, 62, 63, 64, 65 and 66 are connected to a microprocessor 67:
- the network interfaces 61 are adapted to access a network by attachment to access routers and to detect the presence of access routers in a geographical area.
- the attachment to an access router can be done according to different technologies, for example WiFi;
- the databases 66 are created dynamically during the establishment of secure connections between the terminal and routers. These databases include the security association database (SAD) and a security policy database (SPD) which defines what must be applied, in terms of security, to packets received or transmitted.
- the memory 62 makes it possible to perform calculations, to manage the databases 66, to load software instructions corresponding to the steps of the method of processing a new identifier by the mobile terminal described above, and to have them executed by the microprocessor 67;
- the microprocessor 67, or "CPU", is a processing unit;
- the module 63 for receiving and processing a new identifier is arranged, when the terminal switches from a first router to a second router and a collision is detected between security association identifiers relating to a set of security parameters, to receive a new identifier transmitted by the second router and to substitute it, in the security association database, for an identifier used by the terminal for a security association;
- the module 64 for generating and sending a new identifier is arranged to generate and send, if necessary, a new identifier to the access router in the case where the identifier received from the access router is already used by the terminal to identify an active security association;
- the detection module 65 is arranged to detect, upon receipt of a security association identifier sent by an access router, whether that identifier is already used by the terminal to identify an active security association;
- the modules 63, 64 and 65 are arranged to implement those of the previously described steps of the switching method that are implemented by the mobile terminal. These are preferably software modules comprising software instructions for executing the steps of the switching method of a mobile terminal by the terminal.
- the invention therefore also relates to: a computer program comprising instructions for implementing the method of switching a terminal as described above when this program is executed by a processor;
- the software modules can be stored in or transmitted by a data carrier.
- This may be a hardware storage medium, for example a CD-ROM, a magnetic diskette or a hard disk, or a transmission medium such as a signal, or a telecommunications network.
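The collision-resolution behaviour described above for the access router (modules 53 to 56) and the mobile terminal (modules 63 to 65), as an added simulation that is not part of the patent or of any implementation of it. The page does not give a wire layout or type value for the UPDATE_SPI notification, does not say which direction of SPI a node checks, and does not say how a terminal learns that its counter-proposal was accepted; the code marks each of those as an assumption (a private-use IKEv2 Notify type, a flag byte followed by the new SPI, "any SPI in the node's SAD counts as in use", and an echo of an adopted counter-proposal). Node names, SPI values and the sequential SPI picker that forces the two collisions are constructed for the demonstration.

```python
"""Added example, not the patent's code: SPI collision handling when an IPsec context
moves from access router AR1 to AR2 at handover, following the roles the description
gives modules 53-56 (router) and 63-65 (terminal). ASSUMED marks what the page omits."""
import struct
from dataclasses import dataclass, field

PROTO_ESP = 3        # IKEv2 Notify Protocol ID for ESP (RFC 7296)
UPDATE_SPI = 40960   # ASSUMED: first private-use Notify type; the page gives no number
FLAG_TERMINAL, FLAG_ROUTER = 0, 1   # the one-bit flag: whose inbound SPI is being replaced
MAX_ROUNDS = 8

def encode_update_spi(old_spi, new_spi, side):
    # Notify body: Protocol ID, SPI Size, Type, SPI replaced, then (ASSUMED) flag byte + new SPI
    return struct.pack("!BBHIBI", PROTO_ESP, 4, UPDATE_SPI, old_spi, side & 1, new_spi)

def decode_update_spi(body):
    proto, size, ntype, old_spi, side, new_spi = struct.unpack("!BBHIBI", body)
    if (proto, size, ntype) != (PROTO_ESP, 4, UPDATE_SPI):
        raise ValueError("not an UPDATE_SPI notification")
    return old_spi, new_spi, side & 1

@dataclass
class SA:
    peer: str
    spi_in: int    # SPI this node receives on (it chose it)
    spi_out: int   # SPI the peer receives on

@dataclass
class Node:
    name: str
    sad: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # original SPI -> proposal not yet agreed
    next_spi: int = 0x100   # sequential only so the demo is reproducible; real code draws at random
    def uses(self, spi):    # detection modules 54 / 65 (ASSUMED: either direction counts as in use)
        return spi in self.pending.values() or any(spi in (s.spi_in, s.spi_out) for s in self.sad)
    def fresh_spi(self):    # generation modules 56 / 64; SPIs 0-255 are reserved (RFC 4303)
        while self.next_spi < 256 or self.uses(self.next_spi):
            self.next_spi += 1
        self.next_spi += 1
        return self.next_spi - 1
    def find(self, **key):
        (attr, val), = key.items()
        return next(s for s in self.sad if getattr(s, attr) == val)

def router_receive_context(ar1, ar2, terminal):
    # Module 53: AR1 hands over its SAs with the terminal and AR2 installs them. Modules 54/56:
    # every inbound SPI AR2 already uses is renumbered; all UPDATE_SPIs go in one IKEv2 message.
    ctx = [s for s in ar1.sad if s.peer == terminal.name]
    ar1.sad = [s for s in ar1.sad if s not in ctx]
    notifies = []
    for old in ctx:
        terminal.find(spi_out=old.spi_in).peer = ar2.name   # the terminal is now attached to AR2
        sa = SA(old.peer, old.spi_in, old.spi_out)
        if ar2.uses(sa.spi_in):
            sa.spi_in = ar2.pending[old.spi_in] = ar2.fresh_spi()
            notifies.append(encode_update_spi(old.spi_in, sa.spi_in, FLAG_ROUTER))
        ar2.sad.append(sa)
    return notifies

def terminal_handle(terminal, notifies):
    # Modules 65/63/64: apply a proposal the terminal does not use (or the echo of its own
    # counter-proposal, ASSUMED); otherwise counter-propose a fresh identifier for that SA.
    counters = []
    for body in notifies:
        old, new, _ = decode_update_spi(body)
        sa = terminal.find(spi_out=old)
        if new == terminal.pending.pop(old, None) or not terminal.uses(new):
            sa.spi_out = new                           # substitute in the terminal's SAD
        else:
            terminal.pending[old] = terminal.fresh_spi()
            counters.append(encode_update_spi(old, terminal.pending[old], FLAG_ROUTER))
    return counters

def router_handle(ar2, counters):
    # Modules 54/55/56 on a counter-proposal: re-propose if AR2 uses that SPI too, otherwise
    # adopt and echo it; proposals the terminal did not contest are final.
    out, contested = [], set()
    for body in counters:
        old, new, _ = decode_update_spi(body)
        contested.add(old)
        sa = ar2.find(spi_in=ar2.pending[old])
        sa.spi_in = ar2.pending[old] = ar2.fresh_spi() if ar2.uses(new) else new
        out.append(encode_update_spi(old, sa.spi_in, FLAG_ROUTER))
    ar2.pending = {o: v for o, v in ar2.pending.items() if o in contested}
    return out

def handover(terminal, ar1, ar2):
    # Drive the exchange to convergence; returns the number of router-to-terminal messages.
    msg = router_receive_context(ar1, ar2, terminal)
    for rounds in range(MAX_ROUNDS + 1):
        if not msg:
            return rounds
        msg = router_handle(ar2, terminal_handle(terminal, msg))
    raise RuntimeError("SPI negotiation did not converge")

def demo():
    # Constructed: AR2 serves T2 (0x2000) and T3 (0x2001); the terminal also has an SA with a
    # gateway GW on 0x3000. AR2 proposes 0x3000 (clashes at T), T counters 0x2001 (clashes at
    # AR2), AR2 settles on 0x3001; the second transferred SA (0x2002) needs no exchange at all.
    t = Node("T", [SA("AR1", 0x1001, 0x2000), SA("GW", 0x1002, 0x3000), SA("AR1", 0x1005, 0x2002)],
             next_spi=0x2001)
    ar1 = Node("AR1", [SA("T", 0x2000, 0x1001), SA("T", 0x2002, 0x1005)])
    ar2 = Node("AR2", [SA("T2", 0x2000, 0x1003), SA("T3", 0x2001, 0x1004)], next_spi=0x3000)
    return handover(t, ar1, ar2), t, ar1, ar2
```

Running `demo()` takes two router-to-terminal messages: the first proposal collides at the terminal, the terminal's counter-proposal collides at the router, and the router's second proposal is accepted, after which both security association databases agree and neither side has a pending proposal. Two points a practitioner should not carry over from the simulation: SPIs must be drawn unpredictably rather than sequentially, and the bounded round counter is what turns a pathological peer that keeps colliding into a failed handover instead of an endless exchange.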
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0852092 | 2008-03-31 | ||
PCT/FR2009/050539 WO2009125153A2 (en) | 2008-03-31 | 2009-03-30 | Method for switching a mobile terminal from a first access router to a second access router |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2266286A2 true EP2266286A2 (en) | 2010-12-29 |
Family
ID=39941877
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP09730543A Withdrawn EP2266286A2 (en) | 2008-03-31 | 2009-03-30 | Method for switching a mobile terminal from a first access router to a second access router |
Country Status (3)
Country | Link |
---|---|
US (1) | US20110067089A1 (en) |
EP (1) | EP2266286A2 (en) |
WO (1) | WO2009125153A2 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110302416A1 (en) * | 2010-03-15 | 2011-12-08 | Bigband Networks Inc. | Method and system for secured communication in a non-ctms environment |
CN102065428B (en) * | 2010-12-28 | 2013-06-12 | 广州杰赛科技股份有限公司 | User terminal switching method of safe wireless metropolitan area network |
CN103731407B (en) * | 2012-10-12 | 2017-08-11 | 华为技术有限公司 | The method and system of IKE message negotiations |
US10116754B2 (en) * | 2014-01-30 | 2018-10-30 | Comcast Cable Communications, Llc | Dynamic configuration of interface identifiers |
US10848524B2 (en) * | 2018-02-23 | 2020-11-24 | Cisco Technology, Inc. | On-demand security association management |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6823461B2 (en) * | 2002-06-27 | 2004-11-23 | Nokia Corporation | Method and system for securely transferring context updates towards a mobile node in a wireless network |
US8186026B2 (en) * | 2004-03-03 | 2012-05-29 | Rockstar Bidco, LP | Technique for maintaining secure network connections |
US20050273853A1 (en) * | 2004-05-24 | 2005-12-08 | Toshiba America Research, Inc. | Quarantine networking |
US8230212B2 (en) * | 2006-08-29 | 2012-07-24 | Alcatel Lucent | Method of indexing security keys for mobile internet protocol authentication |
2009
- 2009-03-30 WO PCT/FR2009/050539 patent/WO2009125153A2/en active Application Filing
- 2009-03-30 US US12/935,062 patent/US20110067089A1/en not_active Abandoned
- 2009-03-30 EP EP09730543A patent/EP2266286A2/en not_active Withdrawn
Non-Patent Citations (1)
Title |
---|
See references of WO2009125153A2 * |
Also Published As
Publication number | Publication date |
---|---|
US20110067089A1 (en) | 2011-03-17 |
WO2009125153A2 (en) | 2009-10-15 |
WO2009125153A3 (en) | 2009-12-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10389831B2 (en) | Method, apparatus and system for provisioning a push notification session | |
KR101291501B1 (en) | Technique for maintaining secure network connections | |
JP6505710B2 (en) | TLS protocol extension | |
EP2266286A2 (en) | Method for switching a mobile terminal from a first access router to a second access router | |
EP2156600B1 (en) | Method of distributing an authentication key, corresponding terminal, mobility server and computer programs | |
JP2011176395A (en) | IPsec COMMUNICATION METHOD AND IPsec COMMUNICATION SYSTEM | |
US11943209B2 (en) | Rekeying a security association SA | |
CN110365570B (en) | IPSec (Internet protocol Security) traffic forwarding method and device and electronic equipment | |
JP2008301072A (en) | Encryption communication line restoration method, encryption communications device, and encryption communication system | |
CN115150179B (en) | Soft and hard life aging control method and related device, chip, medium and program | |
US20210273799A1 (en) | Rekeying A Security Association SA | |
WO2021205124A1 (en) | Method implemented by an intermediate entity for managing communication between two communication devices | |
CN116016633A (en) | Communication establishment method and system | |
EP3348090B1 (en) | Method and device for establishing and maintaining internet access through the use of a wireless communication protocol in a local computer network from a mobile client station | |
EP4222994A1 (en) | Methods for configuring a user apparatus, negotiating with a network entity, and managing a connection, and associated devices | |
CN117896151A (en) | Message sending and receiving method and device | |
WO2008087355A2 (en) | Wireless network roaming method | |
EP2469959B1 (en) | Method and apparatus for managing a service session between a multi-mode terminal and an ANDSF server | |
CN116566736A (en) | Communication proxy method, device, equipment and storage medium | |
CN116405346A (en) | VPN channel establishment method, device, equipment and medium | |
FR3122796A1 (en) | Method of defense against a disconnection attempt between two entities, associated system | |
JP2012177942A (en) | Encryption communication line restoration method, encryption communications device, and encryption communication system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
17P | Request for examination filed |
Effective date: 20101026 |
AK | Designated contracting states |
Kind code of ref document: A2 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK TR |
AX | Request for extension of the european patent |
Extension state: AL BA RS |
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: COMBES, JEAN-MICHEL Inventor name: BOURNELLE, JULIEN Inventor name: ALLARD, FABIEN |
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: COMBES, JEAN-MICHEL Inventor name: BOURNELLE, JULIEN Inventor name: ALLARD, FABIEN |
DAX | Request for extension of the european patent (deleted) |
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: COMBES, JEAN-MICHEL Inventor name: BOURNELLE, JULIEN Inventor name: ALLARD, FABIEN |
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN |
18D | Application deemed to be withdrawn |
Effective date: 20120110 |