US20050063352A1 - Method to provide dynamic Internet Protocol security policy service - Google Patents
Method to provide dynamic Internet Protocol security policy service Download PDFInfo
- Publication number
- US20050063352A1 US20050063352A1 US10/965,595 US96559504A US2005063352A1 US 20050063352 A1 US20050063352 A1 US 20050063352A1 US 96559504 A US96559504 A US 96559504A US 2005063352 A1 US2005063352 A1 US 2005063352A1
- Authority
- US
- United States
- Prior art keywords
- filter
- policy
- foreign agent
- internet protocol
- mobile node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W80/00—Wireless network protocols or protocol adaptations to wireless operation
- H04W80/04—Network layer protocols, e.g. mobile IP [Internet Protocol]
Definitions
- the present invention relates generally to network communications. More specifically, it relates to a method for providing dynamic Internet Protocol policy service.
- a mobile node may use the Mobile Internet Protocol (“Mobile IP”) to roam away from its home network, and the mobile node may establish a connection with a foreign network.
- the mobile node may securely communicate with its home network using a protocol such as Internet Protocol security (“IPsec”).
- IPsec may be used communicate between a Foreign Agent (“FA”) and a Home Agent (“HA”).
- FA Foreign Agent
- HA Home Agent
- the FA can receive packets from the mobile node.
- the FA can then use IPsec, for example, to encrypt the packets from the mobile node and forward them through the virtual tunnel to the HA.
- the HA may then receive the packets and decrypt them to retrieve the original message.
- a similar process may be used to send packets from the HA to the FA, which can ultimately be routed to the mobile node.
- a policy may be defined for a mobile node corresponding to a particular FA-HA pair.
- the policy generally specifies parameters for IPsec communication between the FA and the HA when the mobile node roams to the FA's network.
- the policy may be defined and stored by the HA, and a corresponding policy may be defined and stored by the FA.
- the FA and HA can use their respective policies to apply the appropriate IPsec parameters in processing that packet.
- a policy can be configured for each possible FA-HA pair that the mobile node can use.
- the policies-created for the FA-HA pairs should be stored by the HA and also by the corresponding FA. Adding additional FAs that can be accessed by the mobile node increases the number of FA-HA pairs that need to be created. Additionally, when the policies are created, the IP address, or other identifier, of the FA and HA needs to be known. This method for defining FA-HA pairs is not easily scalable, and can require a large amount of time to create and store all the possible FA-HA pairs.
- the FA and the HA both store a filter corresponding to each possible FA-HA pair.
- the filters can be stored in a filter list, and they can be used to determine if a packet should receive IPsec processing. For example, when the FA or HA receives a packet, the FA or HA can search its filter list to determine if there is a filter corresponding to that packet. If there is a filter, then the FA or HA can apply IPsec processing to the packet, for example by using a policy defined for that FA-HA pair and mobile node.
- a FA or HA may each store a large number of filters corresponding to many FA-HA pairs, and therefore its filter list may also be large.
- the FA or HA searches through its filter list to determine whether to apply policy service to the packet. Searching through a large filter list can be a time-consuming and computationally intensive process, and it may slow the speed with which the FA or HA can process the packet.
- a method for providing dynamic Internet Protocol security policy service is provided.
- One aspect of the invention includes a method for dynamically liking a policy to be applied to an Internet Protocol Security session between a foreign agent and a home agent.
- the policy can be applied to packets sent between the foreign agent and the home agent.
- the foreign agent may dynamically link to a policy when it establishes an Internet Protocol security session with the home agent, and the home agent may dynamically link a policy when it establishes an Internet Protocol security session with the foreign agent.
- Another aspect of the invention includes a method for dynamically creating a filter to be applied to an Internet Protocol security session between the foreign agent and the home agent.
- the foreign agent may dynamically create a filter than can be used to identify packets that receive Internet Protocol security processing.
- the home agent can also create a filter that identifies packets that receive Internet Protocol security processing. The filter may be removed from a list of active filters when the IPsec session between the foreign agent and the home agent ends.
- FIG. 1 is a block diagram illustrating an IP packet header
- FIG. 2 is a block diagram illustrating an exemplary Mobile Internet Protocol system
- FIG. 3 is a block diagram illustrating exemplary Mobile Internet Protocol communications in the Mobile Internet Protocol system of FIG. 2 ;
- FIG. 4 is a block diagram illustrating an Internet Protocol security Authentication Header
- FIG. 5 is a block diagram illustrating an Encapsulating Security Payload packet format
- FIG. 6 is a block diagram illustrating various end-to-end security configurations between two endpoints across an Internet Protocol network
- FIG. 7 is a flowchart of a process for dynamically lining a policy and creating a filter.
- LAN local area network
- wireless device may connect to a cellular wireless network. The wireless device may then communicate with other devices connected to the wireless network.
- One or more networks may also be linked together, and a device connected to one network can communicate with a device connected to another network.
- a LAN may provide connectivity to the Internet through an Internet Service Provider (“ISP”).
- ISP Internet Service Provider
- a cellular wireless network may provide connectivity to the public switched telephone network (“PSTN”) or to a packet data serving node (“PDSN”), such as the Internet.
- PSTN public switched telephone network
- PDSN packet data serving node
- a device on one network can exchange data with a device on another connected network.
- a wireless device on a cellular network could connect to a device on the PSTN or to a device on the Internet.
- a network generally supports one or more communication protocols.
- a communication protocol generally provides a format for exchanging data between the devices on the network, and more than one protocol may be used during a communication session.
- a communicate protocol may provide a format for exchanging data between devices connected to different networks.
- TCP Transmission Control Protocol
- IP Internet Protocol
- TCP is a connection-oriented protocol used-to send data over a network, such as the Internet.
- TCP is commonly used in conjunction with IP, and they provide a format for breaking a data message into packets, transmitting the packets over one or more networks to a receiver, and reassembling the packets at the receiver to form the original data message.
- IP can be used to send data between devices on the same network and between devices on different networks.
- a device For IP communications, a device is generally assigned a 32-bit IP address.
- the IP address is generally globally unique across the connected networks, and this allows the destination device to be uniquely identified by its IP address.
- Data is transmitted in an IP packet.
- the IP packet includes a header portion and a data portion.
- FIG. 1 is a block diagram illustrating an IP packet header 50 .
- the IP packet header includes a number of different fields.
- the version field 52 indicates an IP version, such as IPv 4 or IPv 6 .
- the Internet Header Length (“IHL”) field 54 indicates the length of the header.
- the Type-of-Service (“ToS”) field 56 indicates a requested type of service.
- the total length field 58 indicates the length of everything in the IP packet, including the IP header 50 .
- the identification-field 60 may be used for packet fragmentation.
- the fragment offset field 62 is also used for packet fragmentation.
- the Time-To-Live (“TTL”) field 64 may be a hop count, which is used to limit the lifetime of the IP packet.
- the protocol field 66 indicates a protocol used with the IP packet.
- TCP Transmission Control Protocol
- UDP User Datagram Protocol
- ESP Encapsulating Security Payload
- AH Authentication Header
- the header checksum field 68 can be used to verify the contents of the IP packet header 50 .
- the source address field 70 may include a source IP address for a sending endpoint
- the destination address field 72 may include an IP address for a receiving endpoint.
- the options field 74 can be used for security, source routing, error reporting, debugging, time stamping or other information. IP data may be carried in the IP packet data portion, which is below the options-field 74 .
- the IP packet is sent over the network, and, using the destination device's IP address included in the header, appropriately routed to the destination device.
- An IP packet may travel through different devices and across different networks before reaching the destination device.
- the IP address is used to accurately route the packet across the networks and to the correct destination device.
- IP provides a method for uniquely identifying devices across multiple networks, it does not provide a mechanism to assure that packets sent from a source device will be successfully received at the destination device. Packets may be lost during transmission across the networks due to different factors, such as data corruption, buffer overflow, equipment failure or other errors.
- TCP can-be used in conjunction with IP to ensure reliable end-to-end transmission of the packets. Among other functions, TCP handles lost or corrupted packets, and it reassembles packets that arrive at their destination out of order, TCP/IP is one method of establishing a connection between the handset and media server, and many other Internet or network protocols also exist.
- Mobile IP Another protocol that may be used to send data is Mobile IP, which is an extension of IP. While IP can be used to connect devices on separate networks, an IP address is usually associated with just one particular network. A wireless-device may be assigned an IP address, which is associated with the wireless device's home network. During a communication session, however, the wireless device might roam to another network.
- Mobile IP is an extension of the IP protocol that allows a “mobile” node to transparently move between different IP sub-networks (“subnets”) and to still receive data addressed to the IP address associated with the mobile node's home network. While the mobile node dynamically changes its network connectivity, this is transparent to protocol layers above IP (e.g., TCP or UDP).
- IP protocol layers above IP
- Mobile IP is described in detail in the Internet Engineering Task Force Request for Comment 2002, C. Perkins, October 1996, which is incorporated herein by reference in its entirety, and in “Mobile IP : The Internet Unplugged,” by J. D. Solomon, Prentice-Hall 1998, ISBN-0-13-856246-6, which is incorporated herein by reference in its entirety.
- FIG. 2 is a block diagram illustrating an exemplary Mobile IP system 124 .
- the Mobile IP system 126 includes two non-mobile network devices 102 , 104 and a mobile network device (“mobile node”) 106 connected to a home network 100 .
- the home network 100 may include more or fewer non-mobile network devices. It may also include more than one mobile-network device.
- the mobile node 106 may preferably be any wireless device, such as a cellular phone, a personal digital assistant (PDA), a wirelessly equipped computer, or another device; however, it is also possible that the mobile node is a non-wireless device.
- the non-mobile network devices 102 , 104 may be, for example, computers including network interface cards (“NICs”) or other devices. The NICs interface with the home network 100 and provide connectivity to the home network 100 .
- NICs network interface cards
- the home network 100 is a LAN, and the network devices 102 , 104 , 106 connected to the home network 100 communicate using the IEEE 803.2 Ethernet protocol.
- each network device 102 , 104 , 106 on the home network 100 is assigned a subnet network address, which is an Ethernet address of the type supported by the IEEE 803.2 protocol.
- the subnet network address provides a mechanism to identify each network device 102 , 104 , 106 , and it is used to exchange data between the network devices 102 , 104 , 106 on the home network 100 .
- the home network 100 is not limited to a LAN using the IEEE 803.2 protocol. Many different network types exist, and many different protocols and addressing schemes may be used to exchange data between devices on a network. These different network types and protocols may also be used.
- the home network 100 connects to an external network 110 , such as the Internet or an intranet, via a home agent, (“HA”) 108 .
- the home agent 108 is a “gateway router” for the home network 100 .
- a gateway connects networks using different networking protocols or operating at different transmission capacities.
- a router tanslates differences between network protocols and routes data packets to an appropriate network node or network device.
- the subnet network address such as an Ethernet address, assigned to each network device 102 , 104 , 106 on the home network 100 , is generally not a globally routable address. Therefore, it may not support communication between a device on the home network 100 and a device connected to the external network 110 .
- one or more devices on the home network 100 may also be assigned a global address. The global address may be used to identify the device when it is communicating with devices on external networks.
- one or more devices connected to the home network 100 may each be assigned an IP address, which can be a globally routable address used to exchange data with devices connected to the external network 110 .
- the network devices 102 , 104 , 106 on the home network 100 are assigned a globally routable address in addition to their subnet network address
- the network devices 102 , 104 , 106 on the home network 100 exchange data using an addressing scheme that supports communication with devices connected to the external network 110 .
- the subnet network address may be globally routable, and it may be the same as the global address.
- the home network devices 102 , 104 , 106 may communicate with each other using IP or another similar protocol Since IP can be a globally routable address, it would not be necessary to assign the network 102 , 104 , 106 a global address in addition to their subnet address.
- the mobile node 106 is depicted as a dashed box 106 connected to the home network 100 , because the mobile node 106 may “roam” away from its home network 100 and connect to a foreign network 120 .
- the mobile node 106 roams away from its home network 100 , it periodically transmits Mobile IP “agent solicitation” messages to foreign agents, such as the foreign agent (“FA”) 112 .
- the foreign agent 120 is foreign with respect to the mobile node's home network 100 .
- FIG. 2 also depicts a foreign network 120 .
- the foreign network 120 includes two non-mobile nodes 114 , 116 . It is possible, however, that the foreign network may include a greater or fewer number of non-mobile nodes.
- the foreign network 100 may also include one or more mobile nodes for which the foreign network 120 serves as the home network, but no such mobile nodes are depicted in FIG. 2 .
- a foreign agent 112 resides on a foreign network 120 .
- the foreign agent 120 similar to the home agent 108 , is a gateway router for the foreign network 120 .
- the foreign network network devices 114 , 116 are assigned subnet network addresses on the foreign network 120 .
- the subnet network address may be used for communication between devices connect to the foreign network 120 .
- the subnet network addresses are not globally routable and that the network devices 114 , 116 on the foreign network 120 are also assigned globally routable addresses.
- the subnet network addresses e.g., IP addresses
- the subnet network addresses are globally routable and can be used to communicate with devices connected to the external network 110 .
- the roaming mobile node 106 listens for mobile IP “agent advertisement” messages from foreign agents (i.e., foreign gateway routers such as the foreign agent 112 ).
- the agent advertisement message indicates that the roaming mobile node 106 is now on a foreign network 120 .
- the roaming mobile node 106 receives an agent advertisement message from a foreign agent, such as foreign agent 112 , the mobile node 106 registers with the foreign agent (e.g.;, foreign agent 112 ) and also with its home agent (e.g., home agent 108 ). The registration indicates that the mobile node 106 has roamed away from its home network 100 to a foreign network 120 .
- the mobile node 106 uses its home global address on the home network 100 to register with the foreign agent 112 and the home agent 108 . After registration of the mobile node 106 , the foreign agent 112 may accept data packets for the mobile node 106 at the specific home global address for the mobile mode 106 in addition to data packets for network devices 114 , 116 on the foreign network 120 . The foreign agent 112 may also assign a temporary subnet network address on the foreign network 120 to the mobile node 106 .
- FIG. 3 is a block diagram illustrating exemplary Mobile IP communications in an exemplary Mobile IP system 128 .
- the home agent 108 may create a “virtual tunnel” 126 to the foreign agent 112 via the external network 110 .
- the virtual tunnel 126 is not an additional physical connection created between the foreign agent 112 and the home agent 108 , but rather the virtual tunnel 126 represents a conceptual data path for transmitting data between the home agent 108 and the foreign agent 120 .
- the virtual tunnel 126 can be created by encapsulating a data packet inside another data packet and by adding additional tunnel packet headers.
- IP-in-IP tunneling is used.
- IP-in-IP tunneling is described in more detail in the Internet Engineering Task Force Request for Comment 1853, W. Simpson, October 1995, which is incorporated herein by reference in its entirety. Tunneling and data encapsulation are also discussed in Internet Engineering Task Force Request for Comment 2003, C. Perkins, October 1996, which is incorporated herein by reference in its entirety, and in Internet Engineering Task Force Request for Comment 2004, C. Perkins, October 1996, which is incorporated by reference herein in its entirety.
- Other types of virtual tunnels such as UDP tunneling or double IP-in-IP tunneling, can also be created, and these may also be used.
- a network device 130 connected to:the external network 110 may want to send data to the mobile node 106 . While the network device 130 is shown generally connecting to the external network 110 , it may actually be a computer or another type of device connected to a network, such as a LAN. The network may then provide the network device 130 with connectivity to the external network 110 .
- the network device 130 sends a data message addressed to the mobile node 106 . This may be done, for example, by sending the mobile node 106 a packet addressed to its globally routable IP address. The packet travels through the external network 110 and is routed to the home agent 108 . The home agent 108 accepts packets addressed to IP addresses for devices in its subnet, which is the home network 100 . If the mobile node 106 were connected to the home network 100 , the home agent 108 would forward the packet to the mobile-node 106 . However, the mobile node 106 is not connected to the home network 100 . The mobile node 106 is connected to the foreign network 120 , and the packet must be forwarded from the home agent 108 to the foreign network 120 .
- the mobile node 106 previously registered its new subnet location with the home agent 108 and with the foreign agent 112 .
- the home agent 108 encapsulates the packet addressed to the mobile node 106 into a tunnel packet, which is sent to the foreign agent 112 through the virtual tunnel 126 .
- the foreign agent 112 receives the tunnel packet, it removes the tunnel packet header and routes the packet to the mobile node 106 .
- the mobile node 106 periodically transmits “keep-alive” messages using ICMP messages.
- the messages may include standard ICMP messages and other ICMP messages that are unique to Mobile IP.
- the mobile node 106 can roam to foreign networks other than the foreign network 120 depicted in FIG. 3 , and the mobile node 106 can register with other foreign agents using mobile IP. This allows the mobile node 106 to travel to more than one foreign network.
- IP provides an addressing scheme for sending packets between a source device and a destination device, it does not ensure that the source device and the destination device will be the only devices that access and read the data portion of the IP packet.
- Other devices may intercept the IP packet and read its data portion.
- additional security protocols may be employed during IP communications to provide security for the IP packets.
- IPsec Internet Protocol Security
- SA Security Association
- IPsec generally defines two security services, and each security service has an associated header that is added to an IP packet using that service.
- the two security services are an Authentication Header (“AH”) and an Encapsulating Security Payload (“ESP”) header. While IPsec defines these two security services, it is possible that a fewer or greater number of security services can also be used with IPsec.
- AH Authentication Header
- ESP Encapsulating Security Payload
- the AH provides authentication and integrity protection for IP packets.
- the Authentication Header is described in more detail in “IP Authentication Header,” Internet Engineering Task Force Request for Comment 2402, Kent et al., November 1998, which is incorporated herein by reference in its entirety.
- FIG. 4 is a block diagram illustrating an Internet Protocol security Authentication Header 200 .
- the next header field 202 is an 8-bit field that identifies the type of the next payload after the AH.
- the payload- length field 204 specifies the value of an AH in 32-bit words (i.e., 4-bytes).
- the reserved field 206 is a 16-bit field reserved for future use.
- the Security Parameters Index (“SPI”) field 208 is an arbitrary 32-bit value that, in-combination with a destination IP address and a security protocol (e.g. AH or ESP), uniquely identifies a SA for the data packet
- the sequence number field 210 is an unsigned 32-bit field including a monotonically increasing counter value as a sequence number.
- An authentication data field 212 is a variable length field that includes an Integrity Check Value (“ICV”) for a packet.
- IOV Integrity Check Value
- the ESP provides confidentiality as well as authentication and integrity protection.
- the Encapsulating Security Payload is described in more detail in “IP Encapsulating Security Payload (ESP),” Internet Engineering Task Force Request for Comment 2406, Kent et al., November 1998, which is incorporated herein by reference in its entirety.
- FIG. 5 is a block diagram illustrating an ESP packet format 250 .
- a SPI-field 252 is an arbitrary 32-bit value that, in combination with a destination IP address and a security protocol (e.g. AH or ESP), uniquely identifies a SA for the packet.
- a sequence number-field 254 is a 32-bit field that includes a monotonically increasing counter value as a sequence number.
- a payload data-field 256 is a variable length field including data described by the next header field 262 .
- a padding-field 258 is used with the payload data-field 266 for encryption.
- a pad length-field 260 indicates a number of pad bytes immediately preceding it.
- a next header-field 262 is an 8-bit field that includes a type of data included in the payload data-field 256 .
- An authentication data-field 264 is a variable length field including an Integrity Check Value (“ICV”) computed over the whole ESP header 250 minus the authentication data-field 264 .
- ICV Integrity Check Value
- the IPsec protocol headers are identified in the protocol field 66 of the IP packet header 50 .
- An IPsec protocol header specifies a protocol type (i.e., AH or ESP) and includes a numerical value called the Security Parameter Index (“SPI”).
- SPI is a unique identifier associated with a SA by a receiving endpoint. The identifying information is used by a receiving endpoint to help it correctly associate an IP packet with a SA. The association of an IP packet with a SA allows proper IPsec processing.
- the IPsec services can be applied in one of two modes, a “transport mode” or a “tunnel mode.”
- the transport mode generally only the IP packet's data is encrypted.
- the IP packet is routed to the destination devices using a destination address (e.g., the IP destination address 72 ).
- the destination IP address and the source IP address may both be “visible” (i.e., not encrypted) to other devices on the network.
- another device may be able to monitor the number of packets sent between a source device and a destination device.
- the destination device performs the IPsec processing. For example, the destination device may decrypt the data carried in the IP packet according to an agreed encryption method.
- the entire IP packet is encrypted, and it is sent along a virtual tunnel to the destination device.
- a virtual tunnel can be formed using a router or other network device that acts as an IPsec proxy for the source device and the destination device.
- the source device sends an IP packet to a source device endpoint.
- the source device endpoint encrypts the IP packet, and it places the encrypted packet into a new IP packet
- the new IP packet is then sent through the network to a destination device endpoint
- the destination device endpoint decrypts the original IP packet, and it forwards that packet to the destination device.
- an attacker can only determine the endpoints of the tunnel. The attacker cannot determine the actual source and destination addresses of the tunneled packet, and, therefore, the attacker cannot accurately determine how many packets are being sent between two devices.
- FIG. 6 is a block diagram illustrating various end-to-end security configurations 300 between two endpoints across an IP network 318 (e.g., the Internet or an intranet) using AH, ESP and combinations thereof, in the transport and tunnel modes.
- a first end point 302 has a secure connection 304 to a second endpoint 306 .
- a first exemplary data packet 308 includes a first IP address (“IP1”) in a first IP header, an AH header and upper level protocol data.
- a second exemplary data packet 310 includes a first IP address, an ESP header and upper level protocol data.
- a third exemplary data packet 312 includes a first IP address, an AH header, an ESP header, and upper level protocol data.
- the exemplary data packets 308 , 310 and 312 are used in the transport mode.
- One type of data packet layout is typically selected ( 308 , 310 or 312 ) for the transport mode depending on the type of security desired.
- a fourth exemplary data packet 314 includes a tunnel IP header with a tunnel IP address (“TIP”), an AH header, an original IP header with a first IP address (“IP1”) and upper level protocol data.
- a fifth exemplary data packet 316 includes a tunnel IP header with a tunnel IP address, an AH header, an original IP header with a first IP address and upper level protocol data.
- TIP tunnel IP address
- IP1 IP address
- IP1 IP address
- a fifth exemplary data packet 316 includes a tunnel IP header with a tunnel IP address, an AH header, an original IP header with a first IP address and upper level protocol data.
- One type of exemplary data packet 314 or 316 is ordinarily selected for the tunnel mode depending on the security desired.
- IPsec protocols establish and use a Security Association (“SA”) to identify a secure virtual connection between two endpoints.
- SA is a unidirectional connection between two endpoints that represents a single IPsec protocol-mode combination.
- Two termination endpoints i.e., network devices for the transport mode, or intermediate devices for the tunnel mode
- SA defines a secure virtual connection that is protected by IPsec services.
- One of the endpoints sends IP packets, and the other endpoint receives them. Since a SA is unidirectional, a minimum of two SAs are required for secure, bi-directional communication. It is also possible to configure multiple layers of IPsec protocols between two endpoints by combining multiple SAs.
- IPsec In addition to defining a security service (i.e., AH, ESP) and a mode (i.e., tunnel or transport), IPsec allows the use of many different methods for performing encryption, authentication and other functions. These various parameters can also be defined in a SA.
- the SA may indicate which encryption method and which keys will be used in an IPsec communication session. Before successful communication can occur between two devices in an IPsec communication session, the particular SA for that session should be determined.
- IPsec SA The process of establishing an IPsec SA involves negotiation and authentication. During negotiation, the two endpoints agree to which security protocol and mode to use. They also agree on other algorithms to use, such as, specific encryption techniques, associated parameter values and a SPI assignment for each SA that was established. The authentication ensures that each endpoint can trust the identity of the other endpoint during negotiation, and also after the SA is established.
- ISAKMP Internet Security Association and Key Exchange Protocol
- Oakley Oakley Protocol
- IKE Internet Key Exchange
- a SA negotiation is carried out as a sequence of signaling exchanges between two endpoints.
- a first endpoint proposes a security protocol and encryption algorithm, and a second endpoint accepts or counter-proposes.
- relevant security parameter information is exchanged and the endpoints are ready to send or receive on a single unidirectional SA.
- Part of the signaling includes exchange of authentication information, using a Certificate Authority (“CA”).
- CA Certificate Authority
- IP addresses are one “security name space” used for binding public keys to the owners.
- one endpoint supplies another endpoint with its certificate along with a signature that is encrypted with its private key.
- the certificate and signature are verified with a public key.
- a recipient (one at each endpoint) uses a sender's public key from its certificate to validate the signature and the sender's right to use its IP address. Since only the sender has access to the private key, the recipient, once it has verified the signature, is certain of the initiator's “identity.” The identity may be determined by the IP address of the initiator, as IP addresses form the security name space used to bind public keys to their owners. However, other security name spaces could also be used using other than an IP address for an initiator's identity. Certificates are issued with a “Time-to-Live” value, after which they expire and become invalid. The result of negotiation and authentication is a secure connection for one unidirectional SA. A second SA for bidirectional communications may be registered in a similar manner.
- IPsec can be applied to various different communication sessions, and it can be used in communication sessions between various different devices.
- the devices participating in the IPsec session should generally agree on the parameters to be used during the IPsec session.
- the parameters can be specified, for example, in a policy to be applied to that IPsec session. Then, the devices can apply the parameters to communications during the IPsec session.
- a tunnel endpoint such as a FA or an HA, may receive packets from a variety of different sources, and these packets may have to be processed differently.
- a tunnel endpoint may receive some packets that are part of an IPsec communication session, and it may receive other packets that are not part of an IPsec communication session.
- the tunnel endpoint may simply route the packet according to its IP destination address; however, for packets that are part of an IPsec communication session, the tunnel endpoint may perform various IPsec processing functions.
- a tunnel endpoint may receive an IP packet from a source device. The tunnel endpoint may then encrypt the packet and place it in the data portion of a new IP packet that is sent to the other tunnel endpoint. The other tunnel endpoint may then receive the IP packet, decrypt the data portion of the new packet in order to retrieve the original packet and forward the original packet to the destination device.
- a tunnel endpoint may additionally support more than one IPsec communication session.
- Each IPsec session may use different security protocols, different encryption keys or other different parameters. Therefore, a tunnel endpoint may have to apply different processing functions to packets in different IPsec communications sessions. For example, one IPsec session may use ESP, while another IPsec session may use a combination of ESP and AH. The two sessions may use different encryption algorithms; they may use different keys; or, they may have other different parameters. In order to properly service an IPsec packet, the tunnel endpoint should apply the correct processing functions for the IPsec packet.
- each tunnel endpoint ordinarily stores a policy and a filter for that IPsec session.
- the policy generally includes information on how to process an IPsec packet for that IPsec session.
- the policy may include information such as the types of services to use (e.g., AH, ESP or both), the types of encryption to use, the lifetime of keys, the domain of interpretation (“DOI”) rules to negotiate the type of service or other information.
- the policy file may also define other attributes of the IPsec session.
- a filter can be used to identify a subset of packets from a larger set of packets, such as by identifying packets that need IPsec processing.
- the filter can generally specify packets that need IPsec service by maintaining a list of FA-HA pairs that correspond to IPsec sessions.
- the filter may also identify a policy to use for an IPsec packet corresponding to a FA-HA session, or it may specify other information
- the tunnel endpoint determines how to process the packet.
- the tunnel endpoint may maintain a filter list.
- the filter list can cover possible IPsec sessions corresponding to FA-HA pairs. The pairs may be specified in a variety of different manners, but preferably they are based on the 1 P addresses of the devices.
- After a tunnel endpoint receives a packet it can check the source and destination addresses of the packet against the FA-HA pairs in its filter list. If the filter list includes a filter for the IP packet, then the tunnel endpoint may process the packet However, if the filter list doesn't include a filter for the packet, then the tunnel endpoint may simply pass the IP packet through without applying a policy and without performing IPsec processing functions.
- a mobile node roams to a foreign network.
- the mobile node sends packets to the foreign network's foreign agent.
- the FA reads the source IP address, the IP protocol type, the source and destination ports, and the destination IP address of the packet. Then, based on the IP addresses, the FA searches its list of filters to determine if the IP packet needs IPsec processing and which policy to apply. Based on the filter list, the FA determines that the packet needs IPsec processing. Then, the FA processes the packet, for example according to a policy indicated by the filter. Next, the FA sends the packet through the tunnel to the mobile node's HA.
- the HA receives the packet from the FA, and the HA searches its filter list to determine if the incoming packet needs IPsec processing. Based on the filter list the HA can determine that the packet needs IPsec processing and a policy to apply to the packet. Then, the HA can process the packet according to the policy indicated by the filter.
- the mobile node may roam to more than one different foreign network, and each foreign network may have its own FA.
- multiple FA-HA pairs should be identified.
- a policy and filter for the FA-HA pair should be stored by the FA, and a corresponding policy and filter for the FA-HA pair should also be stored by the HA.
- Statically defining the FA-HA pairs and storing their filters and policies can create an inordinately large amount of information that is stored by the FAs and the HA. This can also lead to a delay in processing packets, as-the FA or HA must search through the large number filters to determine whether to apply IPsec processing to a received packet.
- a policy template may be created for a mobile node.
- the policy template may be configured in the mobile node's home network, and it may be stored by the HA.
- the policy template may be stored in an Authentication, Authorization and Accounting (“AAA”) Server, which can be accessed by the HA, or the policy template may be stored in another location.
- AAA Authentication, Authorization and Accounting
- the policy template may also be stored in the foreign network.
- the foreign agent may also store the policy template.
- the policy template may store parameters to be used in IPsec communication between the FA and the HA.
- the FA engages in an authentication procedure with the AAA.
- the AAA may then indicate to the FA that IPsec should be used for communication with the mobile node.
- a policy template can be dynamically linked to the FA, and the policy template can be used to specify parameters for communications between the mobile node and the HA.
- the FA may create a dynamic linkage to the policy template by creating a policy instance.
- a policy instance can be an instance of the policy template as applied to the specific association between a PDSN and HA.
- the policy template may specify various parameters between the FA/PDSN and HA
- the FA and HA may additionally negotiate other parameters that are specific to that session involving the mobile node.
- the FA and HA may additionally negotiate the dynamic pre-shared key used in IKE authentication for an IPSec policy.
- other parameters may also be negotiated. These additional parameters may then become part of the policy instance.
- a policy instance can be derived from the policy template as well as negotiated parameters.
- a policy template can be created for a specific FA-HA pair corresponding to a specific mobile node. However, it is also possible that the policy template can correspond to a particular FA-HA pair. Additionally, a policy template may be used for more than one mobile node, or it may be used for more than one FA-HA pair.
- FIG. 7 is a flowchart illustrating one exemplary process for dynamically linking the policy to a FA and dynamically creating a filter.
- a mobile node requests access to a foreign network.
- the foreign agent on the foreign network contacts an authentication server on the mobile node's home network. If the mobile node is authorized to connect to the home network and needs security service, the authentication server then conveys to the foreign agent- that IPsec service is needed for the mobile node, shown at Step 354 .
- the foreign agent dynamically links to a policy template and it can negotiate additional parameters with the HA.
- the foreign agent creates a filter for the FA-HA pair.
- FIG. 7 is a flowchart illustrating one exemplary process for dynamically linking the policy to a FA and dynamically creating a filter.
- the home agent also creates a filter for the FA-HA pair, and it can use the policy already defined in the home network for the mobile node. ° Finally, at Step 358 , the foreign agent processes packets using the dynamically linked policy and the dynamically created filter.
- a mobile node 106 roams to a foreign network 120 and wants to communicate with its home network 100 .
- the mobile node 106 first initiates a connection with the foreign network 120 , for example by communicating with the foreign network's foreign agent 112 .
- This may be done using a variety of different methods.
- the mobile node 106 may dial into a cellular network and attempt to establish a Mobile IP session by sending the FA 112 (e.g., a PDSN) a Mobile IP registration request.
- the Mobile IP registration request may request that the FA 112 establish a tunnel with the HA 108 .
- the FA 112 may then connect with an AAA server (not shown).
- the AAA server generally belongs to the home network 100 of the mobile node 106 , and it can be used to determine if the mobile node 106 has permission to connect to the home network 100 . If the mobile node 106 has permission to connect to the home network 100 , the HA 108 may return a registration response message including the home IP address of the mobile node. The mobile node 106 can then use that IP address wherever it roams.
- the AAA Server may also determine if the mobile node 106 needs security (e.g., IPsec) when it communicates with the home network 100 .
- security e.g., IPsec
- the security policy for the mobile node's communication with the HA 108 is ordinarily defined in the AAA Server, and the mobile node 106 generally uses the security policy defined in the AAA Server.
- the AAA Server usually only specifies whether the mobile node 106 needs security, it generally doesn't specify specific parameters to be used. For example, the AAA Server may indicate that the mobile node 106 should use IPsec, but it generally would not indicate specific parameters for the IPsec session.
- the AAA Server determines that the mobile node 106 needs to use IPsec, it informs the FA 112 .
- the FA 112 then initiates a connection with the HA 108 , and the HA can dynamically link a security policy template to the FA 112 .
- the FA 112 and the HA 108 can negotiate other IPsec parameters for that session in accordance with the specific parameters specified in the security policy.
- the FA 112 and HA 108 may an appropriate negotiation procedure, such as IKE, to negotiate the other parameters for communication between the FA 112 and the HA 108 .
- the FA 112 may also dynamically create a filter for the FA-HA pair, which can then be stored in a list of filters maintained by the FA 112 . Incoming packets to the FA 112 are then checked against the filters maintained by the FA 112 . If a filter exists for the packet, then the FA 112 may apply the appropriate processing; however, if a filter does not exist, then the FA 112 may simply pass the packet through the node.
- the HA 108 may also dynamically create a filter for the FA-HA pair, and it may use this filter to accurately process packets received from the FA 112 and corresponding to the mobile node 106 .
- the FA-HA pair may create one tunnel for packets sent from the FA 112 to the HA 108 , and it may create another tunnel for packets sent from the HA 108 to the FA 112 .
- One or more policy templates may be linked to the FA 112 for each tunnel created. For example, one policy template may specify a set of parameters for the IPsec session, while a second policy template may specify additional parameters. Additionally, one or more filters may also be created for each tunnel. It is also possible that a tunnel is only created in one direction.
- the tunnel between the FA 112 and the HA 108 may be terminated.
- the filter for the FA-HA pair corresponding to the mobile node 106 may then be removed from the FA's filter list. Removing the filter from the FA's filter list may improve the performance of the FA 112 and speed the processing of packets. For example, incoming packets to the FA 112 should be checked against the PA's filter list to determine if the packet needs special processing (e.g, IPsec processing). If the FA 112 maintains a large list of filters, then checking an incoming packet against each filter in the list can be a time-consuming process.
- the FA's filter list may include only filters for active connections. This can decrease the number of filters stored in the list and increase the efficiency of processing packets.
- a similar procedure may be used for by HA 108 to remove the filter from its list of filters.
- the HA 108 may remove the filter for the FA-HA pair. For instance, the HA 108 may remove the filter when the mobile node registers a new “care-of-address” in a Mobile IP session or otherwise indicates it is no longer using the foreign network's FA 112 . By removing filters that are no longer active, the HA 108 can increase its efficiency in processing incoming packets.
- more than one policy or filter may be defined for a FA-HA pair.
- an IPsec session may have policies for Phase_ 1 and for Phase_ 2 .
- the filters for these phases may be created when the mobile node connects to the FA, which then relays the Mobile IP Registration Request to the HA and gets a response in return.
- the filter for Phase_ 1 may include parameters to specify ISAKMP packets between the FA and the HA. For example, it may specify the IP address for the FA, the IP address for the HA, the IP protocol and the Source and Destination Ports.
- the filter for Phase_ 2 may include parameters to specify tunnel packets between the FA and the HA.
- it may include the IP address for the HA, the IP address for the FA and a protocol type (e.g., IP-in-IP, generic routing encapsulation. (“GRE”), or another type).
- a protocol type e.g., IP-in-IP, generic routing encapsulation. (“GRE”), or another type.
- it may include the IP address for the HA, the IP address for the FA, a protocol type (e.g., UDP, TCP, etc. . . ), and source and destination ports.
- the policy-base services may be used in a variety of different systems. For instance, they may be used in a Network Address Translation (NAT)/Port Address Translation (PAT) system. Additionally, they may be applied in a firewall environment, quality of service (“QoS”) environment, or in another system.
- QoS quality of service
- the policy template may include default priority and policing information.
- the AAA may pass a Diffserv marking and policing information to the PDSN.
- the PDSN may then create an instance of a policy from the policy template, or it may choose to use the policy template from the mobile user.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Mobile Radio Communication Systems (AREA)
- Computer And Data Communications (AREA)
Abstract
A mobile node may roam away from its home network to a foreign network. The mobile node may communicate using the Mobile Internet Protocol, and it may use Internet Protocol security to communicate with its home network. A foreign agent on the foreign network and a home agent on the home network may dynamically link a policy to be used for a Internet Protocol security session between the foreign agent and the home agent. The foreign agent and the home agent may dynamically create a filter to be used for the Internet Protocol Security session.
Description
- The present invention relates generally to network communications. More specifically, it relates to a method for providing dynamic Internet Protocol policy service.
- A mobile node may use the Mobile Internet Protocol (“Mobile IP”) to roam away from its home network, and the mobile node may establish a connection with a foreign network. The mobile node may securely communicate with its home network using a protocol such as Internet Protocol security (“IPsec”). IPsec may be used communicate between a Foreign Agent (“FA”) and a Home Agent (“HA”). The FA can receive packets from the mobile node. The FA can then use IPsec, for example, to encrypt the packets from the mobile node and forward them through the virtual tunnel to the HA. The HA may then receive the packets and decrypt them to retrieve the original message. A similar process may be used to send packets from the HA to the FA, which can ultimately be routed to the mobile node.
- In IPsec, a policy may be defined for a mobile node corresponding to a particular FA-HA pair. The policy generally specifies parameters for IPsec communication between the FA and the HA when the mobile node roams to the FA's network. The policy may be defined and stored by the HA, and a corresponding policy may be defined and stored by the FA. When a packet travels through the virtual tunnel, the FA and HA can use their respective policies to apply the appropriate IPsec parameters in processing that packet.
- In order to allow the mobile node to roam to different foreign networks and to continue to communicate with its HA using IPsec, a policy can be configured for each possible FA-HA pair that the mobile node can use. The policies-created for the FA-HA pairs should be stored by the HA and also by the corresponding FA. Adding additional FAs that can be accessed by the mobile node increases the number of FA-HA pairs that need to be created. Additionally, when the policies are created, the IP address, or other identifier, of the FA and HA needs to be known. This method for defining FA-HA pairs is not easily scalable, and can require a large amount of time to create and store all the possible FA-HA pairs.
- In addition to storing a policy for each FA-HA pair, the FA and the HA both store a filter corresponding to each possible FA-HA pair. The filters can be stored in a filter list, and they can be used to determine if a packet should receive IPsec processing. For example, when the FA or HA receives a packet, the FA or HA can search its filter list to determine if there is a filter corresponding to that packet. If there is a filter, then the FA or HA can apply IPsec processing to the packet, for example by using a policy defined for that FA-HA pair and mobile node.
- A FA or HA may each store a large number of filters corresponding to many FA-HA pairs, and therefore its filter list may also be large. When a packet arrives at a FA or HA, the FA or HA searches through its filter list to determine whether to apply policy service to the packet. Searching through a large filter list can be a time-consuming and computationally intensive process, and it may slow the speed with which the FA or HA can process the packet.
- Therefore, there exists a need for a new and improved way to provide policy service in an IPsec environment.
- In accordance with preferred embodiments of the present invention, some of the problems associated with Internet Protocol security communications are overcome. A method for providing dynamic Internet Protocol security policy service is provided.
- One aspect of the invention includes a method for dynamically liking a policy to be applied to an Internet Protocol Security session between a foreign agent and a home agent. The policy can be applied to packets sent between the foreign agent and the home agent The foreign agent may dynamically link to a policy when it establishes an Internet Protocol security session with the home agent, and the home agent may dynamically link a policy when it establishes an Internet Protocol security session with the foreign agent.
- Another aspect of the invention includes a method for dynamically creating a filter to be applied to an Internet Protocol security session between the foreign agent and the home agent. The foreign agent may dynamically create a filter than can be used to identify packets that receive Internet Protocol security processing. The home agent can also create a filter that identifies packets that receive Internet Protocol security processing. The filter may be removed from a list of active filters when the IPsec session between the foreign agent and the home agent ends.
- These as well as other aspects and advantages of the present invention will become apparent from reading the following detailed description, with appropriate reference to the accompanying drawings;
- An exemplary embodiment of the present invention is described herein with reference to the drawings, in which:
-
FIG. 1 is a block diagram illustrating an IP packet header, -
FIG. 2 is a block diagram illustrating an exemplary Mobile Internet Protocol system; -
FIG. 3 is a block diagram illustrating exemplary Mobile Internet Protocol communications in the Mobile Internet Protocol system ofFIG. 2 ; -
FIG. 4 is a block diagram illustrating an Internet Protocol security Authentication Header, -
FIG. 5 is a block diagram illustrating an Encapsulating Security Payload packet format; : -
FIG. 6 is a block diagram illustrating various end-to-end security configurations between two endpoints across an Internet Protocol network; and -
FIG. 7 is a flowchart of a process for dynamically lining a policy and creating a filter. - Mobile Internet Protocol
- Many different devices can connect to a network and exchange data, and various types of networks may be used to connect devices. For example, one or more computers may connect to, a local area network (“LAN”). Then, the computers connected to the LAN can exchange data across the network. In another example, a wireless device may connect to a cellular wireless network. The wireless device may then communicate with other devices connected to the wireless network.
- One or more networks may also be linked together, and a device connected to one network can communicate with a device connected to another network. For example, a LAN may provide connectivity to the Internet through an Internet Service Provider (“ISP”). Likewise, a cellular wireless network may provide connectivity to the public switched telephone network (“PSTN”) or to a packet data serving node (“PDSN”), such as the Internet. Once the networks are connected to the Internet or to another network, a device on one network can exchange data with a device on another connected network. For example, a wireless device on a cellular network could connect to a device on the PSTN or to a device on the Internet.
- A network generally supports one or more communication protocols. A communication protocol generally provides a format for exchanging data between the devices on the network, and more than one protocol may be used during a communication session. In addition to providing a format for exchanging data between devices on the same network, a communicate protocol may provide a format for exchanging data between devices connected to different networks.
- For example, the Transmission Control Protocol (“TCP”) and the Internet Protocol (“IP”) may be used to send data between devices on the same or on different networks. TCP is a connection-oriented protocol used-to send data over a network, such as the Internet. TCP is commonly used in conjunction with IP, and they provide a format for breaking a data message into packets, transmitting the packets over one or more networks to a receiver, and reassembling the packets at the receiver to form the original data message.
- IP can be used to send data between devices on the same network and between devices on different networks. For IP communications, a device is generally assigned a 32-bit IP address. The IP address is generally globally unique across the connected networks, and this allows the destination device to be uniquely identified by its IP address. Data is transmitted in an IP packet. The IP packet includes a header portion and a data portion.
-
FIG. 1 is a block diagram illustrating anIP packet header 50. The IP packet header includes a number of different fields. Theversion field 52 indicates an IP version, such as IPv4 or IPv6. The Internet Header Length (“IHL”)field 54 indicates the length of the header. The Type-of-Service (“ToS”)field 56 indicates a requested type of service. Thetotal length field 58 indicates the length of everything in the IP packet, including theIP header 50. The identification-field 60 may be used for packet fragmentation. The fragment offsetfield 62 is also used for packet fragmentation. The Time-To-Live (“TTL”)field 64 may be a hop count, which is used to limit the lifetime of the IP packet. Theprotocol field 66 indicates a protocol used with the IP packet. For example, TCP, User Datagram Protocol (“UDP”), Encapsulating Security Payload (“ESP”), and Authentication Header (“AH”) are common protocols that may be used in conjunction with IP. Other protocols may be used as well. Theheader checksum field 68 can be used to verify the contents of theIP packet header 50. Thesource address field 70 may include a source IP address for a sending endpoint, and thedestination address field 72 may include an IP address for a receiving endpoint. The options field 74 can be used for security, source routing, error reporting, debugging, time stamping or other information. IP data may be carried in the IP packet data portion, which is below the options-field 74. - The IP packet is sent over the network, and, using the destination device's IP address included in the header, appropriately routed to the destination device. An IP packet may travel through different devices and across different networks before reaching the destination device. The IP address is used to accurately route the packet across the networks and to the correct destination device.
- Although IP provides a method for uniquely identifying devices across multiple networks, it does not provide a mechanism to assure that packets sent from a source device will be successfully received at the destination device. Packets may be lost during transmission across the networks due to different factors, such as data corruption, buffer overflow, equipment failure or other errors. TCP can-be used in conjunction with IP to ensure reliable end-to-end transmission of the packets. Among other functions, TCP handles lost or corrupted packets, and it reassembles packets that arrive at their destination out of order, TCP/IP is one method of establishing a connection between the handset and media server, and many other Internet or network protocols also exist.
- Another protocol that may be used to send data is Mobile IP, which is an extension of IP. While IP can be used to connect devices on separate networks, an IP address is usually associated with just one particular network. A wireless-device may be assigned an IP address, which is associated with the wireless device's home network. During a communication session, however, the wireless device might roam to another network.
- Mobile IP is an extension of the IP protocol that allows a “mobile” node to transparently move between different IP sub-networks (“subnets”) and to still receive data addressed to the IP address associated with the mobile node's home network. While the mobile node dynamically changes its network connectivity, this is transparent to protocol layers above IP (e.g., TCP or UDP). Mobile IP is described in detail in the Internet Engineering Task Force Request for Comment 2002, C. Perkins, October 1996, which is incorporated herein by reference in its entirety, and in “Mobile IP : The Internet Unplugged,” by J. D. Solomon, Prentice-Hall 1998, ISBN-0-13-856246-6, which is incorporated herein by reference in its entirety.
-
FIG. 2 is a block diagram illustrating an exemplaryMobile IP system 124. TheMobile IP system 126 includes twonon-mobile network devices home network 100. Thehome network 100, however, may include more or fewer non-mobile network devices. It may also include more than one mobile-network device. Themobile node 106 may preferably be any wireless device, such as a cellular phone, a personal digital assistant (PDA), a wirelessly equipped computer, or another device; however, it is also possible that the mobile node is a non-wireless device. Thenon-mobile network devices home network 100 and provide connectivity to thehome network 100. - In one embodiment, the
home network 100 is a LAN, and thenetwork devices home network 100 communicate using the IEEE 803.2 Ethernet protocol. In this protocol eachnetwork device home network 100 is assigned a subnet network address, which is an Ethernet address of the type supported by the IEEE 803.2 protocol. The subnet network address provides a mechanism to identify eachnetwork device network devices home network 100. Thehome network 100 is not limited to a LAN using the IEEE 803.2 protocol. Many different network types exist, and many different protocols and addressing schemes may be used to exchange data between devices on a network. These different network types and protocols may also be used. - The
home network 100 connects to anexternal network 110, such as the Internet or an intranet, via a home agent, (“HA”) 108. Thehome agent 108 is a “gateway router” for thehome network 100. As is known in the art, a gateway connects networks using different networking protocols or operating at different transmission capacities. As is also known in the art, a router tanslates differences between network protocols and routes data packets to an appropriate network node or network device. By connecting to thehome network 100,network devices home network 100 can exchange da with devices connected to theexternal network 110. - The subnet network address, such as an Ethernet address, assigned to each
network device home network 100, is generally not a globally routable address. Therefore, it may not support communication between a device on thehome network 100 and a device connected to theexternal network 110. In order to communicate with devices connected to theexternal network 110, one or more devices on thehome network 100 may also be assigned a global address. The global address may be used to identify the device when it is communicating with devices on external networks. For example, one or more devices connected to thehome network 100 may each be assigned an IP address, which can be a globally routable address used to exchange data with devices connected to theexternal network 110. - While it is possible that the
network devices home network 100 are assigned a globally routable address in addition to their subnet network address, it is also possible that thenetwork devices home network 100 exchange data using an addressing scheme that supports communication with devices connected to theexternal network 110. In this case, the subnet network address may be globally routable, and it may be the same as the global address. For example, thehome network devices network - The
mobile node 106 is depicted as a dashedbox 106 connected to thehome network 100, because themobile node 106 may “roam” away from itshome network 100 and connect to aforeign network 120. When themobile node 106 roams away from itshome network 100, it periodically transmits Mobile IP “agent solicitation” messages to foreign agents, such as the foreign agent (“FA”) 112. Theforeign agent 120 is foreign with respect to the mobile node'shome network 100. -
FIG. 2 also depicts aforeign network 120. Theforeign network 120 includes twonon-mobile nodes foreign network 100 may also include one or more mobile nodes for which theforeign network 120 serves as the home network, but no such mobile nodes are depicted inFIG. 2 . Aforeign agent 112 resides on aforeign network 120. Theforeign agent 120, similar to thehome agent 108, is a gateway router for theforeign network 120. - The foreign
network network devices foreign network 120. The subnet network address may be used for communication between devices connect to theforeign network 120. As was previously explained, it is possible that the subnet network addresses are not globally routable and that thenetwork devices foreign network 120 are also assigned globally routable addresses. For example, one or more of thedevices external network 110. - As the
mobile node 106 travels away from itshome network 100, it may connect to aforeign network 120. The roamingmobile node 106 listens for mobile IP “agent advertisement” messages from foreign agents (i.e., foreign gateway routers such as the foreign agent 112). The agent advertisement message indicates that the roamingmobile node 106 is now on aforeign network 120. When the roamingmobile node 106 receives an agent advertisement message from a foreign agent, such asforeign agent 112, themobile node 106 registers with the foreign agent (e.g.;, foreign agent 112) and also with its home agent (e.g., home agent 108). The registration indicates that themobile node 106 has roamed away from itshome network 100 to aforeign network 120. - The
mobile node 106 uses its home global address on thehome network 100 to register with theforeign agent 112 and thehome agent 108. After registration of themobile node 106, theforeign agent 112 may accept data packets for themobile node 106 at the specific home global address for themobile mode 106 in addition to data packets fornetwork devices foreign network 120. Theforeign agent 112 may also assign a temporary subnet network address on theforeign network 120 to themobile node 106. -
FIG. 3 is a block diagram illustrating exemplary Mobile IP communications in an exemplaryMobile IP system 128. Once themobile node 106 roams to theforeign network 112 and registers its current location (e.g., on theforeign network 112 and on the home network 100), thehome agent 108 may create a “virtual tunnel” 126 to theforeign agent 112 via theexternal network 110. Thevirtual tunnel 126 is not an additional physical connection created between theforeign agent 112 and thehome agent 108, but rather thevirtual tunnel 126 represents a conceptual data path for transmitting data between thehome agent 108 and theforeign agent 120. Thevirtual tunnel 126 can be created by encapsulating a data packet inside another data packet and by adding additional tunnel packet headers. - In one preferred embodiment of the present invention, IP-in-IP tunneling is used. IP-in-IP tunneling is described in more detail in the Internet Engineering Task Force Request for Comment 1853, W. Simpson, October 1995, which is incorporated herein by reference in its entirety. Tunneling and data encapsulation are also discussed in Internet Engineering Task Force Request for Comment 2003, C. Perkins, October 1996, which is incorporated herein by reference in its entirety, and in Internet Engineering Task Force Request for Comment 2004, C. Perkins, October 1996, which is incorporated by reference herein in its entirety. Other types of virtual tunnels, such as UDP tunneling or double IP-in-IP tunneling, can also be created, and these may also be used.
- A
network device 130 connected to:theexternal network 110 may want to send data to themobile node 106. While thenetwork device 130 is shown generally connecting to theexternal network 110, it may actually be a computer or another type of device connected to a network, such as a LAN. The network may then provide thenetwork device 130 with connectivity to theexternal network 110. - The
network device 130 sends a data message addressed to themobile node 106. This may be done, for example, by sending the mobile node 106 a packet addressed to its globally routable IP address. The packet travels through theexternal network 110 and is routed to thehome agent 108. Thehome agent 108 accepts packets addressed to IP addresses for devices in its subnet, which is thehome network 100. If themobile node 106 were connected to thehome network 100, thehome agent 108 would forward the packet to the mobile-node 106. However, themobile node 106 is not connected to thehome network 100. Themobile node 106 is connected to theforeign network 120, and the packet must be forwarded from thehome agent 108 to theforeign network 120. - The
mobile node 106 previously registered its new subnet location with thehome agent 108 and with theforeign agent 112. Thehome agent 108 encapsulates the packet addressed to themobile node 106 into a tunnel packet, which is sent to theforeign agent 112 through thevirtual tunnel 126. When theforeign agent 112 receives the tunnel packet, it removes the tunnel packet header and routes the packet to themobile node 106. - The
mobile node 106 periodically transmits “keep-alive” messages using ICMP messages. The messages may include standard ICMP messages and other ICMP messages that are unique to Mobile IP. Themobile node 106 can roam to foreign networks other than theforeign network 120 depicted inFIG. 3 , and themobile node 106 can register with other foreign agents using mobile IP. This allows themobile node 106 to travel to more than one foreign network. - Internet Protocol Security
- Although IP provides an addressing scheme for sending packets between a source device and a destination device, it does not ensure that the source device and the destination device will be the only devices that access and read the data portion of the IP packet. Other devices may intercept the IP packet and read its data portion. In order to counter other devices from intercepting IP packets and reading their data portion, additional security protocols may be employed during IP communications to provide security for the IP packets.
- Internet Protocol Security (“IPsec”) is one method that may be used to provide security for IP packets. IPsec is described in further detail in “Security Architecture for the Internet Protocol,” Internet Engineering Task Force Request for Comment 2401, Kent et al., November 1998, which is incorporated herein by reference in its entirety, and, it is described in further detail in “Security Properties of the IPsec Protocol Suite,” Internet Engineering Task Force IP Security Working Group Draft, A. Krywaniuk, July 2001, <draft-krywaniuk-ipsec-properties-00.txt, which is incorporated herein by reference in its entirety. IPsec generally improves message authentication, message integrity and message confidentiality for IP packets moving between a source endpoint and a destination endpoint. Starting from a state in which no connection exists between two endpoints, a Security Association (“SA”) can be established based upon IP such that each endpoint trusts the security of the connection and an identity of each endpoint is authenticated to the other endpoint
- IPsec generally defines two security services, and each security service has an associated header that is added to an IP packet using that service. The two security services are an Authentication Header (“AH”) and an Encapsulating Security Payload (“ESP”) header. While IPsec defines these two security services, it is possible that a fewer or greater number of security services can also be used with IPsec.
- The AH provides authentication and integrity protection for IP packets. The Authentication Header is described in more detail in “IP Authentication Header,” Internet Engineering Task Force Request for Comment 2402, Kent et al., November 1998, which is incorporated herein by reference in its entirety.
-
FIG. 4 is a block diagram illustrating an Internet Protocolsecurity Authentication Header 200. Thenext header field 202 is an 8-bit field that identifies the type of the next payload after the AH. The payload-length field 204 specifies the value of an AH in 32-bit words (i.e., 4-bytes). Thereserved field 206 is a 16-bit field reserved for future use. The Security Parameters Index (“SPI”)field 208 is an arbitrary 32-bit value that, in-combination with a destination IP address and a security protocol (e.g. AH or ESP), uniquely identifies a SA for the data packet Thesequence number field 210 is an unsigned 32-bit field including a monotonically increasing counter value as a sequence number. Anauthentication data field 212 is a variable length field that includes an Integrity Check Value (“ICV”) for a packet. - The ESP provides confidentiality as well as authentication and integrity protection. The Encapsulating Security Payload is described in more detail in “IP Encapsulating Security Payload (ESP),” Internet Engineering Task Force Request for Comment 2406, Kent et al., November 1998, which is incorporated herein by reference in its entirety.
-
FIG. 5 is a block diagram illustrating anESP packet format 250. A SPI-field 252 is an arbitrary 32-bit value that, in combination with a destination IP address and a security protocol (e.g. AH or ESP), uniquely identifies a SA for the packet. A sequence number-field 254 is a 32-bit field that includes a monotonically increasing counter value as a sequence number. A payload data-field 256 is a variable length field including data described by thenext header field 262. A padding-field 258 is used with the payload data-field 266 for encryption. A pad length-field 260 indicates a number of pad bytes immediately preceding it. A next header-field 262 is an 8-bit field that includes a type of data included in the payload data-field 256. An authentication data-field 264 is a variable length field including an Integrity Check Value (“ICV”) computed over thewhole ESP header 250 minus the authentication data-field 264. - The IPsec protocol headers are identified in the
protocol field 66 of theIP packet header 50. An IPsec protocol header specifies a protocol type (i.e., AH or ESP) and includes a numerical value called the Security Parameter Index (“SPI”). The SPI is a unique identifier associated with a SA by a receiving endpoint. The identifying information is used by a receiving endpoint to help it correctly associate an IP packet with a SA. The association of an IP packet with a SA allows proper IPsec processing. - The IPsec services can be applied in one of two modes, a “transport mode” or a “tunnel mode.” In the transport mode generally only the IP packet's data is encrypted. The IP packet is routed to the destination devices using a destination address (e.g., the IP destination address 72). In the transport mode the destination IP address and the source IP address may both be “visible” (i.e., not encrypted) to other devices on the network. As a consequence, another device may be able to monitor the number of packets sent between a source device and a destination device. However, since the data is encrypted, the device ordinarily will not be able to determine the contents of the data in the IP packets. Once the transport mode packet reaches its final destination, the destination device performs the IPsec processing. For example, the destination device may decrypt the data carried in the IP packet according to an agreed encryption method.
- In the tunnel mode generally the entire IP packet is encrypted, and it is sent along a virtual tunnel to the destination device. A virtual tunnel can be formed using a router or other network device that acts as an IPsec proxy for the source device and the destination device. The source device sends an IP packet to a source device endpoint. The source device endpoint encrypts the IP packet, and it places the encrypted packet into a new IP packet The new IP packet is then sent through the network to a destination device endpoint The destination device endpoint decrypts the original IP packet, and it forwards that packet to the destination device. Using this mode, an attacker can only determine the endpoints of the tunnel. The attacker cannot determine the actual source and destination addresses of the tunneled packet, and, therefore, the attacker cannot accurately determine how many packets are being sent between two devices.
-
FIG. 6 is a block diagram illustrating various end-to-end security configurations 300 between two endpoints across an IP network 318 (e.g., the Internet or an intranet) using AH, ESP and combinations thereof, in the transport and tunnel modes. Afirst end point 302 has asecure connection 304 to asecond endpoint 306. A firstexemplary data packet 308 includes a first IP address (“IP1”) in a first IP header, an AH header and upper level protocol data. A secondexemplary data packet 310 includes a first IP address, an ESP header and upper level protocol data. A thirdexemplary data packet 312 includes a first IP address, an AH header, an ESP header, and upper level protocol data. Theexemplary data packets - In the tunnel mode, a fourth
exemplary data packet 314 includes a tunnel IP header with a tunnel IP address (“TIP”), an AH header, an original IP header with a first IP address (“IP1”) and upper level protocol data. A fifthexemplary data packet 316 includes a tunnel IP header with a tunnel IP address, an AH header, an original IP header with a first IP address and upper level protocol data. One type ofexemplary data packet - IPsec protocols establish and use a Security Association (“SA”) to identify a secure virtual connection between two endpoints. A SA is a unidirectional connection between two endpoints that represents a single IPsec protocol-mode combination. Two termination endpoints (i.e., network devices for the transport mode, or intermediate devices for the tunnel mode) of a single SA define a secure virtual connection that is protected by IPsec services. One of the endpoints sends IP packets, and the other endpoint receives them. Since a SA is unidirectional, a minimum of two SAs are required for secure, bi-directional communication. It is also possible to configure multiple layers of IPsec protocols between two endpoints by combining multiple SAs.
- In addition to defining a security service (i.e., AH, ESP) and a mode (i.e., tunnel or transport), IPsec allows the use of many different methods for performing encryption, authentication and other functions. These various parameters can also be defined in a SA. For example, the SA may indicate which encryption method and which keys will be used in an IPsec communication session. Before successful communication can occur between two devices in an IPsec communication session, the particular SA for that session should be determined.
- The process of establishing an IPsec SA involves negotiation and authentication. During negotiation, the two endpoints agree to which security protocol and mode to use. They also agree on other algorithms to use, such as, specific encryption techniques, associated parameter values and a SPI assignment for each SA that was established. The authentication ensures that each endpoint can trust the identity of the other endpoint during negotiation, and also after the SA is established.
- A number of standards have been proposed for protocols that establish SAs including an Internet Security Association and Key Exchange Protocol (“ISAKMP”), an Oakley Protocol (“Oakley”), and an Internet Key Exchange (“IKE”) protocol, which incorporates ISAKMP and Oakley. ISAKMP is described in further detail in “Internet Security Association and Key Management Protocol (“ISAKMP”),” Internet Engineering Task Force Request for Comment 2408, Maughan et al., November 1998, which is incorporated herein by reference in its entirety. Oakley is described in further detail in “The OAKLEY Key Determination Protocol,” Internet Engineering Task Force Request for Comment 2412, H. K. Orman, November 1998, which is incorporated herein by reference in its entirety. IKE is described in further detail in “The Internet Key Exchange (IKE),” Internet Engineering Task Force Request for Comment 2409, Harkins et al., November 1998, which is incorporated herein by reference in its entirety.
- Using IKE, for instance, a SA negotiation is carried out as a sequence of signaling exchanges between two endpoints. A first endpoint proposes a security protocol and encryption algorithm, and a second endpoint accepts or counter-proposes. Once the signaling is complete and both endpoints have agreed to the negotiated details, relevant security parameter information is exchanged and the endpoints are ready to send or receive on a single unidirectional SA. Part of the signaling includes exchange of authentication information, using a Certificate Authority (“CA”).
- Authentication is based on a trusted third-party called a Certificate Authority. Each endpoint that participates in IPsec generates a public/private encryption key pair, and has its public key “notarized” by the CA. The CA binds an endpoint's IP address to its public key, generates a certificate and returns it to an owner of the key. Thus, IP addresses are one “security name space” used for binding public keys to the owners.
- During SA negotiation, one endpoint supplies another endpoint with its certificate along with a signature that is encrypted with its private key. The certificate and signature are verified with a public key. A recipient (one at each endpoint) uses a sender's public key from its certificate to validate the signature and the sender's right to use its IP address. Since only the sender has access to the private key, the recipient, once it has verified the signature, is certain of the initiator's “identity.” The identity may be determined by the IP address of the initiator, as IP addresses form the security name space used to bind public keys to their owners. However, other security name spaces could also be used using other than an IP address for an initiator's identity. Certificates are issued with a “Time-to-Live” value, after which they expire and become invalid. The result of negotiation and authentication is a secure connection for one unidirectional SA. A second SA for bidirectional communications may be registered in a similar manner.
- Policy Service
- IPsec can be applied to various different communication sessions, and it can be used in communication sessions between various different devices. In order to properly establish an IPsec session, the devices participating in the IPsec session should generally agree on the parameters to be used during the IPsec session. The parameters can be specified, for example, in a policy to be applied to that IPsec session. Then, the devices can apply the parameters to communications during the IPsec session.
- For example, a tunnel endpoint, such as a FA or an HA, may receive packets from a variety of different sources, and these packets may have to be processed differently. For example, a tunnel endpoint may receive some packets that are part of an IPsec communication session, and it may receive other packets that are not part of an IPsec communication session. For the packets that are not part of an IPsec communication session, the tunnel endpoint may simply route the packet according to its IP destination address; however, for packets that are part of an IPsec communication session, the tunnel endpoint may perform various IPsec processing functions.
- In one example of an IPsec processing function, a tunnel endpoint may receive an IP packet from a source device. The tunnel endpoint may then encrypt the packet and place it in the data portion of a new IP packet that is sent to the other tunnel endpoint. The other tunnel endpoint may then receive the IP packet, decrypt the data portion of the new packet in order to retrieve the original packet and forward the original packet to the destination device.
- A tunnel endpoint may additionally support more than one IPsec communication session. Each IPsec session may use different security protocols, different encryption keys or other different parameters. Therefore, a tunnel endpoint may have to apply different processing functions to packets in different IPsec communications sessions. For example, one IPsec session may use ESP, while another IPsec session may use a combination of ESP and AH. The two sessions may use different encryption algorithms; they may use different keys; or, they may have other different parameters. In order to properly service an IPsec packet, the tunnel endpoint should apply the correct processing functions for the IPsec packet.
- For an IPsec communications session, each tunnel endpoint ordinarily stores a policy and a filter for that IPsec session. The policy generally includes information on how to process an IPsec packet for that IPsec session. For example, the policy may include information such as the types of services to use (e.g., AH, ESP or both), the types of encryption to use, the lifetime of keys, the domain of interpretation (“DOI”) rules to negotiate the type of service or other information. The policy file may also define other attributes of the IPsec session. A filter can be used to identify a subset of packets from a larger set of packets, such as by identifying packets that need IPsec processing. For example, the filter can generally specify packets that need IPsec service by maintaining a list of FA-HA pairs that correspond to IPsec sessions. The filter may also identify a policy to use for an IPsec packet corresponding to a FA-HA session, or it may specify other information
- When a tunnel endpoint receives a packet, the tunnel endpoint determines how to process the packet. The tunnel endpoint may maintain a filter list. The filter list can cover possible IPsec sessions corresponding to FA-HA pairs. The pairs may be specified in a variety of different manners, but preferably they are based on the 1P addresses of the devices. After a tunnel endpoint receives a packet, it can check the source and destination addresses of the packet against the FA-HA pairs in its filter list. If the filter list includes a filter for the IP packet, then the tunnel endpoint may process the packet However, if the filter list doesn't include a filter for the packet, then the tunnel endpoint may simply pass the IP packet through without applying a policy and without performing IPsec processing functions.
- In one exemplary operation, a mobile node roams to a foreign network. The mobile node sends packets to the foreign network's foreign agent. The FA reads the source IP address, the IP protocol type, the source and destination ports, and the destination IP address of the packet. Then, based on the IP addresses, the FA searches its list of filters to determine if the IP packet needs IPsec processing and which policy to apply. Based on the filter list, the FA determines that the packet needs IPsec processing. Then, the FA processes the packet, for example according to a policy indicated by the filter. Next, the FA sends the packet through the tunnel to the mobile node's HA. The HA receives the packet from the FA, and the HA searches its filter list to determine if the incoming packet needs IPsec processing. Based on the filter list the HA can determine that the packet needs IPsec processing and a policy to apply to the packet. Then, the HA can process the packet according to the policy indicated by the filter.
- The mobile node may roam to more than one different foreign network, and each foreign network may have its own FA. In order to support IPsec communications, multiple FA-HA pairs should be identified. A policy and filter for the FA-HA pair should be stored by the FA, and a corresponding policy and filter for the FA-HA pair should also be stored by the HA. Statically defining the FA-HA pairs and storing their filters and policies can create an inordinately large amount of information that is stored by the FAs and the HA. This can also lead to a delay in processing packets, as-the FA or HA must search through the large number filters to determine whether to apply IPsec processing to a received packet.
- In order to provide greater scalability and increased processing efficiency, one or more policies for a FA-HA pair can be dynamically linked and one or more filters dynamically created. For example, a policy template may be created for a mobile node. The policy template may be configured in the mobile node's home network, and it may be stored by the HA. Alternatively, the policy template may be stored in an Authentication, Authorization and Accounting (“AAA”) Server, which can be accessed by the HA, or the policy template may be stored in another location. In addition to being stored on the home network, the policy template may also be stored in the foreign network. For example, the foreign agent may also store the policy template.
- The policy template may store parameters to be used in IPsec communication between the FA and the HA. When the mobile node accesses the foreign network, the FA engages in an authentication procedure with the AAA. The AAA may then indicate to the FA that IPsec should be used for communication with the mobile node. Then, a policy template can be dynamically linked to the FA, and the policy template can be used to specify parameters for communications between the mobile node and the HA. For example, the FA may create a dynamic linkage to the policy template by creating a policy instance. A policy instance can be an instance of the policy template as applied to the specific association between a PDSN and HA. While the policy template may specify various parameters between the FA/PDSN and HA, the FA and HA may additionally negotiate other parameters that are specific to that session involving the mobile node. For example, the FA and HA may additionally negotiate the dynamic pre-shared key used in IKE authentication for an IPSec policy. Of course, other parameters may also be negotiated. These additional parameters may then become part of the policy instance. Thus, a policy instance can be derived from the policy template as well as negotiated parameters.
- A policy template can be created for a specific FA-HA pair corresponding to a specific mobile node. However, it is also possible that the policy template can correspond to a particular FA-HA pair. Additionally, a policy template may be used for more than one mobile node, or it may be used for more than one FA-HA pair.
-
FIG. 7 is a flowchart illustrating one exemplary process for dynamically linking the policy to a FA and dynamically creating a filter. AtStep 350, a mobile node requests access to a foreign network. AtStep 352, the foreign agent on the foreign network contacts an authentication server on the mobile node's home network. If the mobile node is authorized to connect to the home network and needs security service, the authentication server then conveys to the foreign agent- that IPsec service is needed for the mobile node, shown atStep 354. The foreign agent dynamically links to a policy template and it can negotiate additional parameters with the HA. Then, atStep 356, the foreign agent creates a filter for the FA-HA pair. Likewise, although not shown inFIG. 7 , the home agent also creates a filter for the FA-HA pair, and it can use the policy already defined in the home network for the mobile node. ° Finally, atStep 358, the foreign agent processes packets using the dynamically linked policy and the dynamically created filter. - With continued reference to
FIG. 3 , amobile node 106 roams to aforeign network 120 and wants to communicate with itshome network 100. Themobile node 106 first initiates a connection with theforeign network 120, for example by communicating with the foreign network'sforeign agent 112. This may be done using a variety of different methods. For example, themobile node 106 may dial into a cellular network and attempt to establish a Mobile IP session by sending the FA 112 (e.g., a PDSN) a Mobile IP registration request. The Mobile IP registration request may request that theFA 112 establish a tunnel with theHA 108. TheFA 112 may then connect with an AAA server (not shown). The AAA server generally belongs to thehome network 100 of themobile node 106, and it can be used to determine if themobile node 106 has permission to connect to thehome network 100. If themobile node 106 has permission to connect to thehome network 100, theHA 108 may return a registration response message including the home IP address of the mobile node. Themobile node 106 can then use that IP address wherever it roams. - In addition to determining if the
mobile node 106 has permission to connect to thehome network 100, the AAA Server may also determine if themobile node 106 needs security (e.g., IPsec) when it communicates with thehome network 100. The security policy for the mobile node's communication with theHA 108 is ordinarily defined in the AAA Server, and themobile node 106 generally uses the security policy defined in the AAA Server. The AAA Server usually only specifies whether themobile node 106 needs security, it generally doesn't specify specific parameters to be used. For example, the AAA Server may indicate that themobile node 106 should use IPsec, but it generally would not indicate specific parameters for the IPsec session. If the AAA Server determines that themobile node 106 needs to use IPsec, it informs theFA 112. TheFA 112 then initiates a connection with theHA 108, and the HA can dynamically link a security policy template to theFA 112. Then, theFA 112 and theHA 108 can negotiate other IPsec parameters for that session in accordance with the specific parameters specified in the security policy. For example, theFA 112 andHA 108 may an appropriate negotiation procedure, such as IKE, to negotiate the other parameters for communication between theFA 112 and theHA 108. - The
FA 112 may also dynamically create a filter for the FA-HA pair, which can then be stored in a list of filters maintained by theFA 112. Incoming packets to theFA 112 are then checked against the filters maintained by theFA 112. If a filter exists for the packet, then theFA 112 may apply the appropriate processing; however, if a filter does not exist, then theFA 112 may simply pass the packet through the node. TheHA 108 may also dynamically create a filter for the FA-HA pair, and it may use this filter to accurately process packets received from theFA 112 and corresponding to themobile node 106. - Since an IPsec security association is unidirectional, it is possible that two or more security associations are created. For example, the FA-HA pair may create one tunnel for packets sent from the
FA 112 to theHA 108, and it may create another tunnel for packets sent from theHA 108 to theFA 112. One or more policy templates may be linked to theFA 112 for each tunnel created. For example, one policy template may specify a set of parameters for the IPsec session, while a second policy template may specify additional parameters. Additionally, one or more filters may also be created for each tunnel. It is also possible that a tunnel is only created in one direction. - Once the
mobile node 106 roams away from theforeign network 120, the tunnel between theFA 112 and theHA 108 may be terminated. The filter for the FA-HA pair corresponding to themobile node 106 may then be removed from the FA's filter list. Removing the filter from the FA's filter list may improve the performance of theFA 112 and speed the processing of packets. For example, incoming packets to theFA 112 should be checked against the PA's filter list to determine if the packet needs special processing (e.g, IPsec processing). If theFA 112 maintains a large list of filters, then checking an incoming packet against each filter in the list can be a time-consuming process. By dynamically creating a filter for a FA-HA pair and removing that filter when the connection ceases to be active, the FA's filter list may include only filters for active connections. This can decrease the number of filters stored in the list and increase the efficiency of processing packets. - A similar procedure may be used for by
HA 108 to remove the filter from its list of filters. When themobile node 106 roams away from theFA 112, theHA 108 may remove the filter for the FA-HA pair. For instance, theHA 108 may remove the filter when the mobile node registers a new “care-of-address” in a Mobile IP session or otherwise indicates it is no longer using the foreign network'sFA 112. By removing filters that are no longer active, theHA 108 can increase its efficiency in processing incoming packets. - In another embodiment, more than one policy or filter may be defined for a FA-HA pair. In one example, an IPsec session may have policies for Phase_1 and for Phase_2. The filters for these phases may be created when the mobile node connects to the FA, which then relays the Mobile IP Registration Request to the HA and gets a response in return. The filter for Phase_1 may include parameters to specify ISAKMP packets between the FA and the HA. For example, it may specify the IP address for the FA, the IP address for the HA, the IP protocol and the Source and Destination Ports. The filter for Phase_2 may include parameters to specify tunnel packets between the FA and the HA. For example, it may include the IP address for the HA, the IP address for the FA and a protocol type (e.g., IP-in-IP, generic routing encapsulation. (“GRE”), or another type). In another example, it may include the IP address for the HA, the IP address for the FA, a protocol type (e.g., UDP, TCP, etc. . . ), and source and destination ports.
- While the preceding examples illustrate dynamically linking policies and dynamically creating filters in an IPsec environment, the policy-base services may be used in a variety of different systems. For instance, they may be used in a Network Address Translation (NAT)/Port Address Translation (PAT) system. Additionally, they may be applied in a firewall environment, quality of service (“QoS”) environment, or in another system. In QoS, for example, the policy template may include default priority and policing information. The AAA may pass a Diffserv marking and policing information to the PDSN. The PDSN may then create an instance of a policy from the policy template, or it may choose to use the policy template from the mobile user.
- It should be understood that the programs, processes, methods and apparatus described herein are not related or limited to any particular type of computer or network apparatus (hardware or software),.unless indicated otherwise. Various types of general purpose or specialized computer apparatus may be used with or perform operations in accordance with the teachings described herein. While various elements of the preferred embodiments have been described as being implemented in software, in other embodiments in hardware or firmware implementations may alternatively be used, and vice-versa.
- In view of the wide variety of embodiments to which the principles of the present invention can be applied, it should be understood that the illustrated embodiments are exemplary only, and should not be taken as limiting the scope of the present invention. For example, the steps of the flow diagrams may be taken in sequences other than those described, and more, fewer or other elements may be used in the block diagrams.
- The claims should not be read as limited to the described order or elements unless stated to that effect In addition, use of the term “means” in any claim is intended to invoke 35 U.S.C. §112, paragraph 6, and any claim without the word “means” is not so intended. Therefore, all embodiments that come within the scope and spirit of the following claims and equivalents thereto are claimed as the invention.
Claims (44)
1-31. (canceled).
32. A foreign agent for dynamically providing Internet Protocol security policy service, the foreign agent comprising:
a connection component for receiving a connection request sent from a mobile node to the foreign agent, wherein the mobile node uses Mobile Internet Protocol;
a policy creation component for creating at least one policy for the mobile node, wherein the at least one policy includes processing information for Internet Protocol security packets sent between the foreign agent and a home agent for the mobile node;
a filter creating component for creating at least one filter, wherein the at least one filter identifies data packets traveling between the home agent and the foreign agent to receive Internet Protocol security processing, and wherein the at least one filter identifies the at least one policy to apply to the data packets receiving Internet Protocol security processing; and
a filter storing component for storing the at least one filter in a list of filters maintained by the foreign agent, wherein the list of filters identifies data packets in a plurality of Internet Protocol security sessions between the foreign agent and respective home agents of other mobile nodes that are registered with the foreign agent.
33. The foreign agent of claim 32 , further comprising a termination component for terminating a connection with the mobile node, and removing the at least one filter from the list of filters.
34. The foreign agent of claim 32 , further comprising a security parameter negotiation component for negotiating Internet Protocol security parameters with the home agent.
35. The foreign agent of claim 34 , wherein the security parameters are negotiated using Internet Key Exchange or Internet Security Association and Key Management Protocol.
36. The foreign agent of claim 34 , wherein the at least one policy specifies at least one rule used to negotiate a type of Internet Protocol security service.
37. The foreign agent of claim 32 , wherein the at least one policy specifies a type of encryption or a lifetime of a key.
38. The foreign agent of claim 32 , wherein the at least one policy is obtained based on an identity of the mobile node.
39. The foreign agent of claim 32 , wherein the at least one filter includes a first filter and a second filter, wherein the first filter includes parameters to specify end points for Internet Security Association and Key Management Protocol packets, and wherein the second filter includes parameters to specify packets that need Internet Protocol security service.
40. The foreign agent of claim 32 , wherein the at least one policy includes information for a firewall application.
41. The foreign agent of claim 32 , wherein the at least one policy comprises a plurality of policies.
42. The foreign agent of claim 32 , wherein the at least one filter comprises a plurality of filters.
43. A method to dynamically provide policy service to a mobile node, the method comprising:
receiving an authentication request sent from a foreign agent on a foreign network to a AAA server on a home network, wherein the authentication request indicates a mobile node roaming from the home network to the foreign network, and wherein the mobile node uses Mobile Internet Protocol;
determining whether the mobile node needs Internet Protocol security for packets sent between the foreign agent on the foreign network and a home agent on the home network;
informing the foreign agent that the mobile node needs Internet Protocol security for data packets sent between the home agent and the foreign agent; and
linking at least one security policy template for the mobile node to the home agent, wherein the security policy template specifies parameters to be used in Internet Protocol security communications between the foreign agent and the home agent;
creating a filter, wherein the filter identifies packets traveling between the home agent and the foreign agent to receive Internet Protocol security processing, and wherein the filter identifies the policy template to apply to the packets receiving Internet Protocol security processing; and
storing the at least one filter in a list of active filters maintained by the home agent, wherein the list of active filters identifies data packets in a plurality of active Internet Protocol security sessions between the home agent and respective foreign agents of other mobile nodes.
44. The method of claim 43 , further comprising a computer readable medium having stored therein instructions for causing a processor to execute all the steps of the method.
45. The method of claim 43 , further comprising negotiating Internet Protocol security parameters with the foreign agent.
46. The method of claim 45 , wherein the Internet Protocol security parameters are negotiated using Internet Key Exchange, Internet Security Association Key Management Protocol or the OAKLEY protocol.
47. The method of claim 43 , further comprising:
determining the mobile node has roamed off the foreign network; and
removing the filter from the list of active filters maintained by the home agent.
48. The method of claim 43 , further comprising:
starting a registration timer for the at least one filter; and
upon expiration of the timer, removing the at least one filter from the list of active filters.
49. The method of claim 48 , wherein the registration timer for the at least one filter corresponds to a registration timer for the mobile node.
50. A foreign agent for providing policy service in an Internet Protocol security application, the foreign agent comprising:
a request component for receiving a request from a mobile node to establish a secure connection to a home network, wherein the mobile node uses Mobile Internet Protocol;
an authentication component for authenticating the mobile node with the home network;
a security component for receiving an indication to use Internet Protocol security for packets sent between a home agent on the home network and the foreign agent;
a policy linking component for linking to the foreign agent a policy instance for the mobile node, wherein the policy instance identifies processing information for Internet Protocol security packets sent between the foreign agent and the home agent;
a filter creating component for creating a filter for the mobile node, wherein the filter can be used to identify packets traveling between the foreign agent and the home agent that use Internet Protocol security; and
a filter storing component for storing the at least one filter in a list of active filters maintained by the foreign agent, wherein the list of active filters identifies data packets in a plurality of active Internet Protocol security sessions between the foreign agent and respective home agents of other mobile nodes that are registered with the foreign agent.
51. The foreign agent of claim 50 , further comprising a packet processing component for receiving a packet, searching the filter list to determine whether to apply Internet Protocol security processing to the packet; and processing the packet based at least in part on information included in the policy instance.
52. The foreign agent of claim 50 , further comprising a termination component for determining the mobile node has roamed away from the foreign network, destroying the policy instance, and removing the filter from the list of active filters.
53. The foreign agent of claim 50 , further comprising a parameter negotiation component for negotiating Internet Protocol security parameters.
54. The foreign agent of claim 50 , wherein the policy instance identifies a type of Internet Protocol security encryption to use in sending packets between the home agent and the foreign agent.
55. The foreign agent of claim 50 , wherein the policy instance specifies a lifetime of an encryption key used in sending packets between the home agent and the foreign agent.
56. The foreign agent of claim 50 , wherein the policy instance specifies domain of interpretation rules used to negotiate a type of service used to send packets between the home agent and the foreign agent.
57. The foreign agent of claim 50 , further comprising a policy component for retrieving a policy template that identifies processing information for Internet Protocol security packets sent between the foreign agent and the home agent and that may be used for multiple mobile nodes, and for creating the policy instance from the policy template.
58. A method to dynamically provide Internet Protocol security policy service, comprising the steps of:
receiving a connection request for a mobile node at a foreign agent;
obtaining a policy template for the mobile node, wherein the policy template includes processing information for Internet Protocol security packets processed by the foreign agent on behalf of the mobile node;
creating a filter, wherein the filter identifies data packets to receive Internet Protocol security processing, and wherein the filter identifies the policy template to apply to the data packets receiving Internet Protocol security processing; and
storing the filter in a list of filters, wherein filters in the list of filters identify data packets in a plurality of active Internet Protocol security sessions associated with mobile nodes that are registered with the foreign agent.
59. A computer readable medium having stored therein instructions for causing a processor to execute all the steps of the method of claim 58 .
60. The method of claim 58 , wherein obtaining a policy template for the mobile node comprises:
obtaining a first policy template for the mobile node; and
obtaining a second policy template for the mobile node, wherein the second policy template includes additional Internet Protocol security processing information that is not included in the first policy template.
61. The method of claim 58 , wherein creating a filter comprises:
creating a first filter; and
creating a second filter, wherein the second filter uses different criteria to identify data packets than the first filter.
62. The method of claim 61 , wherein storing the filter in a list of filters comprises:
storing the first filter in the list of filters; and
storing the second filter in the list of filters.
63. The method of claim 58 , wherein the policy template is associated with a home agent, wherein the policy template is not limited to any particular mobile node, and wherein obtaining the policy template comprises determining that the policy template is associated with the home agent of the mobile node.
64. The method of claim 58 , wherein the policy template is associated with a plurality of home agents, wherein the policy template is used for sessions between the foreign agent and any one of the plurality of home agents, and wherein obtaining the policy template comprises determining that one of the plurality of home agents is a home agent for the mobile node.
65. A method for a foreign agent to dynamically provide Internet Protocol security policy service, the method comprising:
receiving at the foreign agent a request to establish a session for a mobile node, wherein the foreign agent stores a policy template that specifies Internet Protocol security parameters to be used in communications between the foreign agent and a home agent for the mobile node;
creating a policy instance from the policy template to be used for communications between the foreign agent and the home agent during the session;
creating a filter, wherein the filter identifies data packets to receive Internet Protocol security processing, and wherein the filter identifies the policy instance to apply to the data packets receiving Internet Protocol security processing; and
storing the filter in a list of filters, wherein filters in the list of filters identify data packets in a plurality of Internet Protocol security sessions associated with mobile nodes that are registered with the foreign agent.
66. The method of claim 65 , wherein creating the policy instance comprises negotiating additional Internet Protocol security parameters that are not defined in the policy template.
67. The method of claim 65 , wherein creating a policy instance from the policy template comprises:
creating a first policy instance from the policy template; and
creating a second policy instance from the policy template, wherein the second policy instance specifies additional Internet Protocol security parameters that are not specified in the first policy instance.
68. The method of claim 67 , further comprising:
creating a first filter corresponding to the first policy instance;
creating a second filter corresponding to the second policy instance; and
adding the first and second filters to the active filter list.
69. The method of claim 67 , further comprising:
determining that the mobile node has roamed away from the foreign agent;
destroying the first policy instance;
destroying the second policy instance; and
removing the first and second filters from the active filter list.
70. The method of claim 65 , further comprising:
determining that the mobile node has roamed away from the foreign agent;
destroying the policy instance; and
removing the filter from the list of active filters.
71. The method of claim 65 , further comprising:
starting a registration timer for the filter; and
removing the filter from the list of active filters upon expiration of the registration timer.
72. The method of claim 71 , wherein a duration of the registration timer for the first filter corresponds to a duration of a registration timer for the mobile node.
73. The method of claim 71 , further comprising upon resetting a registration timer for the mobile node, also resetting the registration timer for the first filter.
74. The method of claim 65 , further comprising:
receiving at the foreign agent a request to establish a session for a second mobile node;
creating a second policy instance from the policy template to be used for communications between the foreign agent and the home agent during the session for the second mobile node;
creating a second filter, wherein the filter identifies data packets to receive Internet Protocol security processing, and wherein the filter identifies the second policy instance to apply to the data packets receiving Internet Protocol security processing; and
storing the second filter in a list of active filters.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/965,595 US20050063352A1 (en) | 2002-03-20 | 2004-10-14 | Method to provide dynamic Internet Protocol security policy service |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/101,641 US6839338B1 (en) | 2002-03-20 | 2002-03-20 | Method to provide dynamic internet protocol security policy service |
US10/965,595 US20050063352A1 (en) | 2002-03-20 | 2004-10-14 | Method to provide dynamic Internet Protocol security policy service |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/101,641 Continuation US6839338B1 (en) | 2002-03-20 | 2002-03-20 | Method to provide dynamic internet protocol security policy service |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050063352A1 true US20050063352A1 (en) | 2005-03-24 |
Family
ID=29248157
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/101,641 Expired - Lifetime US6839338B1 (en) | 2002-03-20 | 2002-03-20 | Method to provide dynamic internet protocol security policy service |
US10/965,595 Abandoned US20050063352A1 (en) | 2002-03-20 | 2004-10-14 | Method to provide dynamic Internet Protocol security policy service |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/101,641 Expired - Lifetime US6839338B1 (en) | 2002-03-20 | 2002-03-20 | Method to provide dynamic internet protocol security policy service |
Country Status (6)
Country | Link |
---|---|
US (2) | US6839338B1 (en) |
CN (1) | CN1643947A (en) |
AU (1) | AU2003253587A1 (en) |
BR (1) | BR0308531A (en) |
CA (1) | CA2479770A1 (en) |
WO (1) | WO2003090041A2 (en) |
Cited By (43)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040170188A1 (en) * | 2001-09-07 | 2004-09-02 | Toni Paila | Implementing multicasting |
US20060078119A1 (en) * | 2004-10-11 | 2006-04-13 | Jee Jung H | Bootstrapping method and system in mobile network using diameter-based protocol |
WO2006138408A2 (en) * | 2005-06-14 | 2006-12-28 | Qualcomm Incorporated | Method and apparatus for dynamic home address assignment by home agent in multiple network interworking |
US20070036110A1 (en) * | 2005-08-10 | 2007-02-15 | Alcatel | Access control of mobile equipment to an IP communication network with dynamic modification of the access policies |
US20070177578A1 (en) * | 2005-01-11 | 2007-08-02 | Anspach Steven S | Standard telephone equipment (STE) based deployable secure cellular communication system |
US20070220251A1 (en) * | 2006-03-06 | 2007-09-20 | Rosenberg Jonathan D | Establishing facets of a policy for a communication session |
US20080056251A1 (en) * | 2006-09-05 | 2008-03-06 | Ruobin Zheng | Foreign agent, home agent, mobile node, system of mobile ethernet and method for data transmission |
US20080104692A1 (en) * | 2006-09-29 | 2008-05-01 | Mcalister Donald | Virtual security interface |
US20080148350A1 (en) * | 2006-12-14 | 2008-06-19 | Jeffrey Hawkins | System and method for implementing security features and policies between paired computing devices |
US20080198805A1 (en) * | 2005-06-30 | 2008-08-21 | Kilian Weniger | Optimized Reverse Tunnelling for Packet Switched Mobile Communication Systems |
WO2008099402A2 (en) * | 2007-02-16 | 2008-08-21 | Forescout Technologies | A method and system for dynamic security using authentication server |
EP2007111A1 (en) * | 2007-06-22 | 2008-12-24 | France Telecom | Method for filtering packets coming from a communication network |
US20090077375A1 (en) * | 2003-09-15 | 2009-03-19 | Steve Anspach | Encapsulation of secure encrypted data in a deployable, secure communication system allowing benign, secure commercial transport |
US20090073971A1 (en) * | 2007-09-19 | 2009-03-19 | Pouya Taaghol | Per-packet quality of service support for encrypted ipsec tunnels |
US7512088B1 (en) * | 2002-07-12 | 2009-03-31 | Cisco Technology, Inc. | Routing data packets to a mobile node |
US20090190477A1 (en) * | 2008-01-25 | 2009-07-30 | Osborne Eric W | Selectively forwarding traffic through tunnels in a computer network |
US20100042733A1 (en) * | 2003-04-02 | 2010-02-18 | Palm, Inc. | Task switch between two computing devices |
US20100046517A1 (en) * | 2008-08-19 | 2010-02-25 | Oki Electric Industry Co., Ltd. | Address translator using address translation information in header area on network layer level and a method therefor |
US20100067696A1 (en) * | 2003-09-15 | 2010-03-18 | Anspach Steve S | Standard telephone equipment (STE) based deployable secure communication system |
US20100118774A1 (en) * | 2008-09-12 | 2010-05-13 | Nokia Siemens Networks Oy | Method for changing radio channels, composed network and access router |
US20100202615A1 (en) * | 2003-09-15 | 2010-08-12 | Steve Anspach | Encryption of voice and data in a single data stream in a deployable,secure communication system |
US20100299529A1 (en) * | 2009-03-25 | 2010-11-25 | Pacid Technologies, Llc | Method and system for securing communication |
US20100306816A1 (en) * | 2009-05-30 | 2010-12-02 | Cisco Technology, Inc. | Authentication via monitoring |
US20100316286A1 (en) * | 2009-06-16 | 2010-12-16 | University-Industry Cooperation Group Of Kyung Hee University | Media data customization |
US20110314281A1 (en) * | 2009-03-25 | 2011-12-22 | Pacid Technologies, Llc | Method and system for securing communication |
US8090941B2 (en) | 2003-08-20 | 2012-01-03 | Telecommunication Systems, Inc. | Deployable secure communication system |
US20130130655A1 (en) * | 2007-03-28 | 2013-05-23 | Apple Inc. | Dynamic Foreign Agent-Home Agent Security Association Allocation for IP Mobility Systems |
WO2013109417A2 (en) * | 2012-01-18 | 2013-07-25 | Zte Corporation | Notarized ike-client identity and info via ike configuration payload support |
US8539241B2 (en) | 2009-03-25 | 2013-09-17 | Pacid Technologies, Llc | Method and system for securing communication |
US8620136B1 (en) | 2011-04-30 | 2013-12-31 | Cisco Technology, Inc. | System and method for media intelligent recording in a network environment |
US8667169B2 (en) | 2010-12-17 | 2014-03-04 | Cisco Technology, Inc. | System and method for providing argument maps based on activity in a network environment |
US8726032B2 (en) | 2009-03-25 | 2014-05-13 | Pacid Technologies, Llc | System and method for protecting secrets file |
US8831403B2 (en) | 2012-02-01 | 2014-09-09 | Cisco Technology, Inc. | System and method for creating customized on-demand video reports in a network environment |
US8886797B2 (en) | 2011-07-14 | 2014-11-11 | Cisco Technology, Inc. | System and method for deriving user expertise based on data propagating in a network environment |
US8909624B2 (en) | 2011-05-31 | 2014-12-09 | Cisco Technology, Inc. | System and method for evaluating results of a search query in a network environment |
US8935274B1 (en) | 2010-05-12 | 2015-01-13 | Cisco Technology, Inc | System and method for deriving user expertise based on data propagating in a network environment |
US8959350B2 (en) | 2009-03-25 | 2015-02-17 | Pacid Technologies, Llc | Token for securing communication |
US8990083B1 (en) | 2009-09-30 | 2015-03-24 | Cisco Technology, Inc. | System and method for generating personal vocabulary from network data |
US9201965B1 (en) | 2009-09-30 | 2015-12-01 | Cisco Technology, Inc. | System and method for providing speech recognition using personal vocabulary in a network environment |
US9465795B2 (en) | 2010-12-17 | 2016-10-11 | Cisco Technology, Inc. | System and method for providing feeds based on activity in a network environment |
US11201749B2 (en) | 2019-09-11 | 2021-12-14 | International Business Machines Corporation | Establishing a security association and authentication to secure communication between an initiator and a responder |
US11206144B2 (en) * | 2019-09-11 | 2021-12-21 | International Business Machines Corporation | Establishing a security association and authentication to secure communication between an initiator and a responder |
US20230028147A1 (en) * | 2021-07-20 | 2023-01-26 | Nokia Solutions And Networks Oy | Source route compression |
Families Citing this family (89)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7213144B2 (en) * | 2001-08-08 | 2007-05-01 | Nokia Corporation | Efficient security association establishment negotiation technique |
FI116025B (en) * | 2001-09-28 | 2005-08-31 | Netseal Mobility Technologies | A method and network to ensure the secure transmission of messages |
US7409549B1 (en) | 2001-12-11 | 2008-08-05 | Cisco Technology, Inc. | Methods and apparatus for dynamic home agent assignment in mobile IP |
US7079520B2 (en) * | 2001-12-28 | 2006-07-18 | Cisco Technology, Inc. | Methods and apparatus for implementing NAT traversal in mobile IP |
US7284057B2 (en) * | 2002-02-27 | 2007-10-16 | Cisco Technology, Inc. | Methods and apparatus for Mobile IP Home Agent clustering |
US7380124B1 (en) * | 2002-03-28 | 2008-05-27 | Nortel Networks Limited | Security transmission protocol for a mobility IP network |
KR100425325B1 (en) * | 2002-04-13 | 2004-03-30 | 삼성전자주식회사 | Method for managing IP using NAT in mobile network and apparatus thereof |
US7587498B2 (en) * | 2002-05-06 | 2009-09-08 | Cisco Technology, Inc. | Methods and apparatus for mobile IP dynamic home agent allocation |
US7599370B1 (en) * | 2002-05-07 | 2009-10-06 | Cisco Technology, Inc. | Methods and apparatus for optimizing NAT traversal in Mobile IP |
JP3952860B2 (en) * | 2002-05-30 | 2007-08-01 | 株式会社日立製作所 | Protocol converter |
AU2003244895A1 (en) * | 2002-06-20 | 2004-01-06 | Nokia Corporation | QoS SIGNALING FOR MOBILE IP |
US20040006641A1 (en) * | 2002-07-02 | 2004-01-08 | Nischal Abrol | Use of multi-format encapsulated internet protocol messages in a wireless telephony network |
US7266702B2 (en) * | 2002-10-21 | 2007-09-04 | Solid Information Technology Oy | Method and system for managing security material and services in a distributed database system |
KR100522393B1 (en) * | 2002-11-13 | 2005-10-18 | 한국전자통신연구원 | Method of packet transmitting and receiving for supporting internet handover service in wired/wireless converged network internet service |
US7441043B1 (en) | 2002-12-31 | 2008-10-21 | At&T Corp. | System and method to support networking functions for mobile hosts that access multiple networks |
US7506065B2 (en) * | 2003-11-26 | 2009-03-17 | Hewlett-Packard Development Company, L.P. | Remote mirroring using IP encapsulation |
JP3955025B2 (en) * | 2004-01-15 | 2007-08-08 | 松下電器産業株式会社 | Mobile radio terminal device, virtual private network relay device, and connection authentication server |
US8161547B1 (en) | 2004-03-22 | 2012-04-17 | Cisco Technology, Inc. | Monitoring traffic to provide enhanced network security |
US20050220091A1 (en) * | 2004-03-31 | 2005-10-06 | Lavigne Bruce E | Secure remote mirroring |
US8031672B2 (en) * | 2004-12-28 | 2011-10-04 | Samsung Electronics Co., Ltd | System and method for providing secure mobility and internet protocol security related services to a mobile node roaming in a foreign network |
US8316152B2 (en) * | 2005-02-15 | 2012-11-20 | Qualcomm Incorporated | Methods and apparatus for machine-to-machine communications |
US7529925B2 (en) * | 2005-03-15 | 2009-05-05 | Trapeze Networks, Inc. | System and method for distributing keys in a wireless network |
US7551574B1 (en) * | 2005-03-31 | 2009-06-23 | Trapeze Networks, Inc. | Method and apparatus for controlling wireless network access privileges based on wireless client location |
US8072948B2 (en) * | 2005-07-14 | 2011-12-06 | Interdigital Technology Corporation | Wireless communication system and method of implementing an evolved system attachment procedure |
TWI424724B (en) * | 2005-07-14 | 2014-01-21 | Interdigital Tech Corp | Wireless communication system and method of implementing an evolved system attachment procedure |
CN100446506C (en) * | 2005-09-19 | 2008-12-24 | 华为技术有限公司 | Safety scheme solving method and system for mobile IP network |
US8638762B2 (en) | 2005-10-13 | 2014-01-28 | Trapeze Networks, Inc. | System and method for network integrity |
WO2007044986A2 (en) | 2005-10-13 | 2007-04-19 | Trapeze Networks, Inc. | System and method for remote monitoring in a wireless network |
US7551619B2 (en) * | 2005-10-13 | 2009-06-23 | Trapeze Networks, Inc. | Identity-based networking |
US7573859B2 (en) * | 2005-10-13 | 2009-08-11 | Trapeze Networks, Inc. | System and method for remote monitoring in a wireless network |
US7724703B2 (en) * | 2005-10-13 | 2010-05-25 | Belden, Inc. | System and method for wireless network monitoring |
US20070106778A1 (en) * | 2005-10-27 | 2007-05-10 | Zeldin Paul E | Information and status and statistics messaging method and system for inter-process communication |
US8250587B2 (en) * | 2005-10-27 | 2012-08-21 | Trapeze Networks, Inc. | Non-persistent and persistent information setting method and system for inter-process communication |
US20070106998A1 (en) * | 2005-10-27 | 2007-05-10 | Zeldin Paul E | Mobility system and method for messaging and inter-process communication |
US20070127496A1 (en) * | 2005-12-05 | 2007-06-07 | Paula Tjandra | Method, system and apparatus for creating a reverse tunnel |
US20070127420A1 (en) * | 2005-12-05 | 2007-06-07 | Paula Tjandra | Method, system and apparatus for creating a reverse tunnel |
US8369357B2 (en) * | 2006-02-28 | 2013-02-05 | Cisco Technology, Inc. | System and method for providing simultaneous handling of layer-2 and layer-3 mobility in an internet protocol network environment |
US7715562B2 (en) * | 2006-03-06 | 2010-05-11 | Cisco Technology, Inc. | System and method for access authentication in a mobile wireless network |
US8015594B2 (en) * | 2006-03-17 | 2011-09-06 | Cisco Technology, Inc. | Techniques for validating public keys using AAA services |
US20070260720A1 (en) * | 2006-05-03 | 2007-11-08 | Morain Gary E | Mobility domain |
US7558266B2 (en) | 2006-05-03 | 2009-07-07 | Trapeze Networks, Inc. | System and method for restricting network access using forwarding databases |
US20070268516A1 (en) * | 2006-05-19 | 2007-11-22 | Jamsheed Bugwadia | Automated policy-based network device configuration and network deployment |
US20070268506A1 (en) * | 2006-05-19 | 2007-11-22 | Paul Zeldin | Autonomous auto-configuring wireless network device |
US20070268515A1 (en) * | 2006-05-19 | 2007-11-22 | Yun Freund | System and method for automatic configuration of remote network switch and connected access point devices |
US20070268514A1 (en) * | 2006-05-19 | 2007-11-22 | Paul Zeldin | Method and business model for automated configuration and deployment of a wireless network in a facility without network administrator intervention |
US8966018B2 (en) * | 2006-05-19 | 2015-02-24 | Trapeze Networks, Inc. | Automated network device configuration and network deployment |
US7577453B2 (en) * | 2006-06-01 | 2009-08-18 | Trapeze Networks, Inc. | Wireless load balancing across bands |
US9191799B2 (en) | 2006-06-09 | 2015-11-17 | Juniper Networks, Inc. | Sharing data between wireless switches system and method |
US7912982B2 (en) * | 2006-06-09 | 2011-03-22 | Trapeze Networks, Inc. | Wireless routing selection system and method |
US9258702B2 (en) * | 2006-06-09 | 2016-02-09 | Trapeze Networks, Inc. | AP-local dynamic switching |
US8818322B2 (en) | 2006-06-09 | 2014-08-26 | Trapeze Networks, Inc. | Untethered access point mesh system and method |
US7844298B2 (en) * | 2006-06-12 | 2010-11-30 | Belden Inc. | Tuned directional antennas |
US7724704B2 (en) * | 2006-07-17 | 2010-05-25 | Beiden Inc. | Wireless VLAN system and method |
US7782824B2 (en) * | 2006-07-20 | 2010-08-24 | Cisco Technology, Inc. | Method and system for handling a mobile endpoint in a wireless network |
CN100471160C (en) * | 2006-07-31 | 2009-03-18 | 华为技术有限公司 | Method and system for realizing consulting tactical information between different network |
US8340110B2 (en) * | 2006-09-15 | 2012-12-25 | Trapeze Networks, Inc. | Quality of service provisioning for wireless networks |
DE102006046023B3 (en) * | 2006-09-28 | 2008-04-17 | Siemens Ag | Method for optimizing NSIS signaling in MOBIKE-based mobile applications |
US8072952B2 (en) * | 2006-10-16 | 2011-12-06 | Juniper Networks, Inc. | Load balancing |
US20080107077A1 (en) * | 2006-11-03 | 2008-05-08 | James Murphy | Subnet mobility supporting wireless handoff |
US7974235B2 (en) * | 2006-11-13 | 2011-07-05 | Telecommunication Systems, Inc. | Secure location session manager |
WO2008064719A1 (en) | 2006-11-30 | 2008-06-05 | Telefonaktiebolaget Lm Ericsson (Publ) | Packet handling in a mobile ip architecture |
US20080151844A1 (en) * | 2006-12-20 | 2008-06-26 | Manish Tiwari | Wireless access point authentication system and method |
US7873061B2 (en) * | 2006-12-28 | 2011-01-18 | Trapeze Networks, Inc. | System and method for aggregation and queuing in a wireless network |
WO2008083339A2 (en) * | 2006-12-28 | 2008-07-10 | Trapeze Networks, Inc. | Application-aware wireless network system and method |
US20080226075A1 (en) * | 2007-03-14 | 2008-09-18 | Trapeze Networks, Inc. | Restricted services for wireless stations |
US20080276303A1 (en) * | 2007-05-03 | 2008-11-06 | Trapeze Networks, Inc. | Network Type Advertising |
US8902904B2 (en) * | 2007-09-07 | 2014-12-02 | Trapeze Networks, Inc. | Network assignment based on priority |
US8509128B2 (en) * | 2007-09-18 | 2013-08-13 | Trapeze Networks, Inc. | High level instruction convergence function |
US8238942B2 (en) * | 2007-11-21 | 2012-08-07 | Trapeze Networks, Inc. | Wireless station location detection |
CN101453527B (en) * | 2007-11-30 | 2011-11-30 | 华为技术有限公司 | Method, network system and network appliance for dynamic policy conversion |
US9043862B2 (en) * | 2008-02-06 | 2015-05-26 | Qualcomm Incorporated | Policy control for encapsulated data flows |
US8150357B2 (en) | 2008-03-28 | 2012-04-03 | Trapeze Networks, Inc. | Smoothing filter for irregular update intervals |
EP2111019A1 (en) * | 2008-04-17 | 2009-10-21 | Alcatel Lucent | Roaming method |
US8474023B2 (en) | 2008-05-30 | 2013-06-25 | Juniper Networks, Inc. | Proactive credential caching |
US8978105B2 (en) * | 2008-07-25 | 2015-03-10 | Trapeze Networks, Inc. | Affirming network relationships and resource access via related networks |
US8238298B2 (en) * | 2008-08-29 | 2012-08-07 | Trapeze Networks, Inc. | Picking an optimal channel for an access point in a wireless network |
US8010085B2 (en) * | 2008-11-19 | 2011-08-30 | Zscaler, Inc. | Traffic redirection in cloud based security services |
CN101656961B (en) * | 2009-09-01 | 2012-07-18 | 中兴通讯股份有限公司 | Method and system for accessing mobile IP service of CDMA2000 system |
CN102055733B (en) * | 2009-10-30 | 2013-08-07 | 华为技术有限公司 | Method, device and system for negotiating business bearing tunnels |
CN102347831B (en) * | 2010-07-26 | 2014-12-03 | 华为技术有限公司 | Time message processing method, device and system |
US8542836B2 (en) | 2010-12-01 | 2013-09-24 | Juniper Networks, Inc. | System, apparatus and methods for highly scalable continuous roaming within a wireless network |
JP5329581B2 (en) * | 2011-02-04 | 2013-10-30 | 株式会社東芝 | Wireless communication terminal and wireless communication method |
CN102685792B (en) * | 2011-03-10 | 2015-09-23 | 电信科学技术研究院 | Method, system and equipment that a kind of wireless link is monitored |
CN103188254A (en) * | 2011-12-31 | 2013-07-03 | 北京市国路安信息技术有限公司 | Network security protection method capable of giving consideration to both smoothness and safety of internal and external network information |
US9609023B2 (en) * | 2015-02-10 | 2017-03-28 | International Business Machines Corporation | System and method for software defined deployment of security appliances using policy templates |
US10439774B2 (en) * | 2016-10-07 | 2019-10-08 | Vitanet Japan, Inc. | Data processing using defined data definitions |
US10972261B1 (en) * | 2019-10-18 | 2021-04-06 | Via Science, Inc. | Secure data processing |
CN118523917A (en) * | 2024-07-22 | 2024-08-20 | 北京航空航天大学 | Secure transmission method, device and system for heterogeneous interconnection of space and ground network |
CN118540159A (en) * | 2024-07-24 | 2024-08-23 | 之江实验室 | IPSEC-based multi-session design system and operation method |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020147820A1 (en) * | 2001-04-06 | 2002-10-10 | Docomo Communications Laboratories Usa, Inc. | Method for implementing IP security in mobile IP networks |
US6915437B2 (en) * | 2000-12-20 | 2005-07-05 | Microsoft Corporation | System and method for improved network security |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP3492865B2 (en) * | 1996-10-16 | 2004-02-03 | 株式会社東芝 | Mobile computer device and packet encryption authentication method |
JPH10178421A (en) * | 1996-10-18 | 1998-06-30 | Toshiba Corp | Packet processor, mobile computer, packet transferring method and packet processing method |
JP3651721B2 (en) * | 1996-11-01 | 2005-05-25 | 株式会社東芝 | Mobile computer device, packet processing device, and communication control method |
US6055236A (en) | 1998-03-05 | 2000-04-25 | 3Com Corporation | Method and system for locating network services with distributed network address translation |
US6253321B1 (en) | 1998-06-19 | 2001-06-26 | Ssh Communications Security Ltd. | Method and arrangement for implementing IPSEC policy management using filter code |
US6195705B1 (en) * | 1998-06-30 | 2001-02-27 | Cisco Technology, Inc. | Mobile IP mobility agent standby protocol |
US6542992B1 (en) * | 1999-01-26 | 2003-04-01 | 3Com Corporation | Control and coordination of encryption and compression between network entities |
US6643776B1 (en) * | 1999-01-29 | 2003-11-04 | International Business Machines Corporation | System and method for dynamic macro placement of IP connection filters |
US6330562B1 (en) | 1999-01-29 | 2001-12-11 | International Business Machines Corporation | System and method for managing security objects |
US6507908B1 (en) * | 1999-03-04 | 2003-01-14 | Sun Microsystems, Inc. | Secure communication with mobile hosts |
US6466964B1 (en) * | 1999-06-15 | 2002-10-15 | Cisco Technology, Inc. | Methods and apparatus for providing mobility of a node that does not support mobility |
US6539483B1 (en) * | 2000-01-12 | 2003-03-25 | International Business Machines Corporation | System and method for generation VPN network policies |
US6668282B1 (en) * | 2000-08-02 | 2003-12-23 | International Business Machines Corporation | System and method to monitor and determine if an active IPSec tunnel has become disabled |
US6879690B2 (en) * | 2001-02-21 | 2005-04-12 | Nokia Corporation | Method and system for delegation of security procedures to a visited domain |
-
2002
- 2002-03-20 US US10/101,641 patent/US6839338B1/en not_active Expired - Lifetime
-
2003
- 2003-03-19 CA CA002479770A patent/CA2479770A1/en not_active Abandoned
- 2003-03-19 AU AU2003253587A patent/AU2003253587A1/en not_active Abandoned
- 2003-03-19 WO PCT/US2003/008800 patent/WO2003090041A2/en not_active Application Discontinuation
- 2003-03-19 BR BRPI0308531-7A patent/BR0308531A/en not_active IP Right Cessation
- 2003-03-19 CN CN03805843.XA patent/CN1643947A/en active Pending
-
2004
- 2004-10-14 US US10/965,595 patent/US20050063352A1/en not_active Abandoned
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6915437B2 (en) * | 2000-12-20 | 2005-07-05 | Microsoft Corporation | System and method for improved network security |
US20020147820A1 (en) * | 2001-04-06 | 2002-10-10 | Docomo Communications Laboratories Usa, Inc. | Method for implementing IP security in mobile IP networks |
Cited By (85)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8218545B2 (en) * | 2001-09-07 | 2012-07-10 | Nokia Siemens Networks Oy | Implementing multicasting |
US20040170188A1 (en) * | 2001-09-07 | 2004-09-02 | Toni Paila | Implementing multicasting |
US7512088B1 (en) * | 2002-07-12 | 2009-03-31 | Cisco Technology, Inc. | Routing data packets to a mobile node |
US8175644B1 (en) | 2003-04-02 | 2012-05-08 | Hewlett-Packard Development Company, L.P. | Task switching between two computing devices |
US8175643B1 (en) | 2003-04-02 | 2012-05-08 | Hewlett-Packard Development Company, L.P. | Switching states between two computing devices |
US7844297B2 (en) | 2003-04-02 | 2010-11-30 | Palm, Inc. | Task switch between two computing devices |
US8103308B2 (en) | 2003-04-02 | 2012-01-24 | Hewlett-Packard Development Company, L.P. | Task switching between two computing devices |
US20100042733A1 (en) * | 2003-04-02 | 2010-02-18 | Palm, Inc. | Task switch between two computing devices |
US8090941B2 (en) | 2003-08-20 | 2012-01-03 | Telecommunication Systems, Inc. | Deployable secure communication system |
US20100202615A1 (en) * | 2003-09-15 | 2010-08-12 | Steve Anspach | Encryption of voice and data in a single data stream in a deployable,secure communication system |
US8958416B2 (en) | 2003-09-15 | 2015-02-17 | Telecommunication Systems, Inc. | Standard telephone equipment (STE) based deployable secure communication system |
US8209750B2 (en) | 2003-09-15 | 2012-06-26 | Telecommunication Systems, Inc. | Encryption of voice and data in a single data stream in a deployable, secure communication system |
US8295273B2 (en) | 2003-09-15 | 2012-10-23 | Telecommunication Systems, Inc. | Standard telephone equipment (STE) based deployable secure communication system |
US20090077375A1 (en) * | 2003-09-15 | 2009-03-19 | Steve Anspach | Encapsulation of secure encrypted data in a deployable, secure communication system allowing benign, secure commercial transport |
US20100067696A1 (en) * | 2003-09-15 | 2010-03-18 | Anspach Steve S | Standard telephone equipment (STE) based deployable secure communication system |
US8850179B2 (en) | 2003-09-15 | 2014-09-30 | Telecommunication Systems, Inc. | Encapsulation of secure encrypted data in a deployable, secure communication system allowing benign, secure commercial transport |
US20060078119A1 (en) * | 2004-10-11 | 2006-04-13 | Jee Jung H | Bootstrapping method and system in mobile network using diameter-based protocol |
US20070177578A1 (en) * | 2005-01-11 | 2007-08-02 | Anspach Steven S | Standard telephone equipment (STE) based deployable secure cellular communication system |
US8185935B2 (en) * | 2005-06-14 | 2012-05-22 | Qualcomm Incorporated | Method and apparatus for dynamic home address assignment by home agent in multiple network interworking |
KR100988186B1 (en) * | 2005-06-14 | 2010-10-18 | 퀄컴 인코포레이티드 | Method and apparatus for dynamic home address assignment by home agent in multiple network interworking |
WO2006138408A3 (en) * | 2005-06-14 | 2009-04-23 | Qualcomm Inc | Method and apparatus for dynamic home address assignment by home agent in multiple network interworking |
WO2006138408A2 (en) * | 2005-06-14 | 2006-12-28 | Qualcomm Incorporated | Method and apparatus for dynamic home address assignment by home agent in multiple network interworking |
US20070094709A1 (en) * | 2005-06-14 | 2007-04-26 | Hsu Raymond T | Method and apparatus for dynamic home address assignment by home agent in multiple network interworking |
US20080198805A1 (en) * | 2005-06-30 | 2008-08-21 | Kilian Weniger | Optimized Reverse Tunnelling for Packet Switched Mobile Communication Systems |
US8031674B2 (en) * | 2005-06-30 | 2011-10-04 | Panasonic Corporation | Optimized reverse tunnelling for packet switched mobile communication systems |
US20070036110A1 (en) * | 2005-08-10 | 2007-02-15 | Alcatel | Access control of mobile equipment to an IP communication network with dynamic modification of the access policies |
US8438613B2 (en) * | 2006-03-06 | 2013-05-07 | Cisco Technology, Inc. | Establishing facets of a policy for a communication session |
US8719895B1 (en) | 2006-03-06 | 2014-05-06 | Cisco Technology, Inc. | Determining a policy output for a communication session |
US20070220251A1 (en) * | 2006-03-06 | 2007-09-20 | Rosenberg Jonathan D | Establishing facets of a policy for a communication session |
US8068461B2 (en) * | 2006-09-05 | 2011-11-29 | Huawei Technologies Co., Ltd. | Foreign agent, home agent, mobile node, system of mobile ethernet and method for data transmission |
US20080056251A1 (en) * | 2006-09-05 | 2008-03-06 | Ruobin Zheng | Foreign agent, home agent, mobile node, system of mobile ethernet and method for data transmission |
US20080104692A1 (en) * | 2006-09-29 | 2008-05-01 | Mcalister Donald | Virtual security interface |
US8104082B2 (en) * | 2006-09-29 | 2012-01-24 | Certes Networks, Inc. | Virtual security interface |
US20080148350A1 (en) * | 2006-12-14 | 2008-06-19 | Jeffrey Hawkins | System and method for implementing security features and policies between paired computing devices |
WO2008099402A2 (en) * | 2007-02-16 | 2008-08-21 | Forescout Technologies | A method and system for dynamic security using authentication server |
WO2008099402A3 (en) * | 2007-02-16 | 2010-02-25 | Forescout Technologies | A method and system for dynamic security using authentication server |
US8615658B2 (en) * | 2007-03-28 | 2013-12-24 | Apple Inc. | Dynamic foreign agent—home agent security association allocation for IP mobility systems |
US20130130655A1 (en) * | 2007-03-28 | 2013-05-23 | Apple Inc. | Dynamic Foreign Agent-Home Agent Security Association Allocation for IP Mobility Systems |
EP2007111A1 (en) * | 2007-06-22 | 2008-12-24 | France Telecom | Method for filtering packets coming from a communication network |
US20090073971A1 (en) * | 2007-09-19 | 2009-03-19 | Pouya Taaghol | Per-packet quality of service support for encrypted ipsec tunnels |
US7843918B2 (en) * | 2008-01-25 | 2010-11-30 | Cisco Technology, Inc. | Selectively forwarding traffic through tunnels in a computer network |
US20090190477A1 (en) * | 2008-01-25 | 2009-07-30 | Osborne Eric W | Selectively forwarding traffic through tunnels in a computer network |
US20100046517A1 (en) * | 2008-08-19 | 2010-02-25 | Oki Electric Industry Co., Ltd. | Address translator using address translation information in header area on network layer level and a method therefor |
US8422503B2 (en) * | 2008-08-19 | 2013-04-16 | Oki Electric Industry Co., Ltd. | Address translator using address translation information in header area on network layer level and a method therefor |
US20100118774A1 (en) * | 2008-09-12 | 2010-05-13 | Nokia Siemens Networks Oy | Method for changing radio channels, composed network and access router |
US9654451B2 (en) | 2009-03-25 | 2017-05-16 | Pacid Technologies, Llc | Method and system for securing communication |
US20110314281A1 (en) * | 2009-03-25 | 2011-12-22 | Pacid Technologies, Llc | Method and system for securing communication |
US8539241B2 (en) | 2009-03-25 | 2013-09-17 | Pacid Technologies, Llc | Method and system for securing communication |
US11070530B2 (en) | 2009-03-25 | 2021-07-20 | Pacid Technologies, Llc | System and method for authenticating users |
US10484344B2 (en) | 2009-03-25 | 2019-11-19 | Pacid Technologies, Llc | System and method for authenticating users |
US10171433B2 (en) | 2009-03-25 | 2019-01-01 | Pacid Technologies, Llc | System and method for authenticating users |
US10044689B2 (en) | 2009-03-25 | 2018-08-07 | Pacid Technologies, Llc | System and method for authenticating users |
US8726032B2 (en) | 2009-03-25 | 2014-05-13 | Pacid Technologies, Llc | System and method for protecting secrets file |
US8782408B2 (en) * | 2009-03-25 | 2014-07-15 | Pacid Technologies, Llc | Method and system for securing communication |
US9882883B2 (en) | 2009-03-25 | 2018-01-30 | Pacid Technologies, Llc | Method and system for securing communication |
US9876771B2 (en) | 2009-03-25 | 2018-01-23 | Pacid Technologies, Llc | System and method for authenticating users |
US20100299529A1 (en) * | 2009-03-25 | 2010-11-25 | Pacid Technologies, Llc | Method and system for securing communication |
US9577993B2 (en) | 2009-03-25 | 2017-02-21 | Pacid Technologies, Llc | System and method for authenticating users |
US9411972B2 (en) | 2009-03-25 | 2016-08-09 | Pacid Technologies, Llc | System and method for creating and protecting secrets for a plurality of groups |
US8934625B2 (en) | 2009-03-25 | 2015-01-13 | Pacid Technologies, Llc | Method and system for securing communication |
US9407610B2 (en) | 2009-03-25 | 2016-08-02 | Pacid Technologies, Llc | Method and system for securing communication |
US9172533B2 (en) | 2009-03-25 | 2015-10-27 | Pacid Technologies, Llc | Method and system for securing communication |
US9009484B2 (en) | 2009-03-25 | 2015-04-14 | Pacid Technologies, Llc | Method and system for securing communication |
US9165153B2 (en) | 2009-03-25 | 2015-10-20 | Pacid Technologies, Llc | System and method for protecting secrets file |
US10320765B2 (en) | 2009-03-25 | 2019-06-11 | Pacid Technologies, Llc | Method and system for securing communication |
US8959350B2 (en) | 2009-03-25 | 2015-02-17 | Pacid Technologies, Llc | Token for securing communication |
US8806572B2 (en) * | 2009-05-30 | 2014-08-12 | Cisco Technology, Inc. | Authentication via monitoring |
US20100306816A1 (en) * | 2009-05-30 | 2010-12-02 | Cisco Technology, Inc. | Authentication via monitoring |
US20100316286A1 (en) * | 2009-06-16 | 2010-12-16 | University-Industry Cooperation Group Of Kyung Hee University | Media data customization |
US9008464B2 (en) * | 2009-06-16 | 2015-04-14 | University-Industry Cooperation Group Of Kyung Hee University | Media data customization |
US9201965B1 (en) | 2009-09-30 | 2015-12-01 | Cisco Technology, Inc. | System and method for providing speech recognition using personal vocabulary in a network environment |
US8990083B1 (en) | 2009-09-30 | 2015-03-24 | Cisco Technology, Inc. | System and method for generating personal vocabulary from network data |
US8935274B1 (en) | 2010-05-12 | 2015-01-13 | Cisco Technology, Inc | System and method for deriving user expertise based on data propagating in a network environment |
US9465795B2 (en) | 2010-12-17 | 2016-10-11 | Cisco Technology, Inc. | System and method for providing feeds based on activity in a network environment |
US8667169B2 (en) | 2010-12-17 | 2014-03-04 | Cisco Technology, Inc. | System and method for providing argument maps based on activity in a network environment |
US8620136B1 (en) | 2011-04-30 | 2013-12-31 | Cisco Technology, Inc. | System and method for media intelligent recording in a network environment |
US8909624B2 (en) | 2011-05-31 | 2014-12-09 | Cisco Technology, Inc. | System and method for evaluating results of a search query in a network environment |
US9870405B2 (en) | 2011-05-31 | 2018-01-16 | Cisco Technology, Inc. | System and method for evaluating results of a search query in a network environment |
US8886797B2 (en) | 2011-07-14 | 2014-11-11 | Cisco Technology, Inc. | System and method for deriving user expertise based on data propagating in a network environment |
WO2013109417A2 (en) * | 2012-01-18 | 2013-07-25 | Zte Corporation | Notarized ike-client identity and info via ike configuration payload support |
WO2013109417A3 (en) * | 2012-01-18 | 2013-09-12 | Zte Corporation | Notarized ike-client identity and info via ike configuration payload support |
US8831403B2 (en) | 2012-02-01 | 2014-09-09 | Cisco Technology, Inc. | System and method for creating customized on-demand video reports in a network environment |
US11201749B2 (en) | 2019-09-11 | 2021-12-14 | International Business Machines Corporation | Establishing a security association and authentication to secure communication between an initiator and a responder |
US11206144B2 (en) * | 2019-09-11 | 2021-12-21 | International Business Machines Corporation | Establishing a security association and authentication to secure communication between an initiator and a responder |
US20230028147A1 (en) * | 2021-07-20 | 2023-01-26 | Nokia Solutions And Networks Oy | Source route compression |
Also Published As
Publication number | Publication date |
---|---|
BR0308531A (en) | 2007-01-09 |
CN1643947A (en) | 2005-07-20 |
WO2003090041A3 (en) | 2004-08-19 |
US6839338B1 (en) | 2005-01-04 |
WO2003090041A2 (en) | 2003-10-30 |
CA2479770A1 (en) | 2003-10-30 |
AU2003253587A1 (en) | 2003-11-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6839338B1 (en) | Method to provide dynamic internet protocol security policy service | |
US8437345B2 (en) | Terminal and communication system | |
KR100679882B1 (en) | Communication between a private network and a roaming mobile terminal | |
US7937581B2 (en) | Method and network for ensuring secure forwarding of messages | |
US7028335B1 (en) | Method and system for controlling attacks on distributed network address translation enabled networks | |
US20200007507A1 (en) | Internet Protocol Security Tunnel Maintenance Method, Apparatus, and System | |
KR101165825B1 (en) | Method and apparatus for providing low-latency secure communication between mobile nodes | |
US20040037260A1 (en) | Virtual private network system | |
EP1466458B1 (en) | Method and system for ensuring secure forwarding of messages | |
US8218484B2 (en) | Methods and apparatus for sending data packets to and from mobile nodes in a data network | |
WO2003015360A2 (en) | System and method for secure network roaming | |
JP2010518718A (en) | Network control overhead reduction of data packet by route optimization processing | |
EP1159815B1 (en) | Method and system for distributed network address translation with network security features | |
JP2009528735A (en) | Route optimization to support location privacy | |
Mink et al. | Towards secure mobility support for IP networks | |
JP2003115834A (en) | Security association cutting/continuing method and communication system | |
FI113597B (en) | Method of sending messages over multiple communication connections | |
Hollick | The Evolution of Mobile IP Towards Security | |
KR20090065023A (en) | Method for handling an ipsec tunnel mode | |
Wang et al. | IPSec-based key management in mobile IP networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE |