US20050152305A1 - Apparatus, method, and medium for self-organizing multi-hop wireless access networks - Google Patents
Apparatus, method, and medium for self-organizing multi-hop wireless access networks Download PDFInfo
- Publication number
- US20050152305A1 US20050152305A1 US10/929,772 US92977204A US2005152305A1 US 20050152305 A1 US20050152305 A1 US 20050152305A1 US 92977204 A US92977204 A US 92977204A US 2005152305 A1 US2005152305 A1 US 2005152305A1
- Authority
- US
- United States
- Prior art keywords
- wireless
- network
- node
- network node
- devices
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/54—Organization of routing tables
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/065—Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/162—Implementing security features at a particular protocol layer at the data link layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/062—Pre-authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W40/00—Communication routing or communication path finding
- H04W40/02—Communication route or path selection, e.g. power-based or shortest path routing
- H04W40/20—Communication route or path selection, e.g. power-based or shortest path routing based on geographic position or location
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W40/00—Communication routing or communication path finding
- H04W40/24—Connectivity information management, e.g. connectivity discovery or connectivity update
- H04W40/248—Connectivity information update
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W40/00—Communication routing or communication path finding
- H04W40/24—Connectivity information management, e.g. connectivity discovery or connectivity update
- H04W40/26—Connectivity information management, e.g. connectivity discovery or connectivity update for hybrid routing by combining proactive and reactive routing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/18—Self-organising networks, e.g. ad-hoc networks or sensor networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/02—Terminal devices
- H04W88/04—Terminal devices adapted for relaying to or from another terminal or user
Definitions
- the present invention is related to using multi-hop wireless networks to provide network access services, and, to a particular security scheme for a multi-hop wireless access network.
- the IEEE 802.11 standard (“Part 11: Wireless LAN Medium Access Control (MAC) and physical layer specifications”, IEEE, 1999, and including all variations) is known in the art.
- MAC Medium Access Control
- WLAN architecture mobile clients connect wirelessly to Access Points (APs) to acquire connectivity to a backbone network to which the APs are attached.
- APs Access Points
- the backbone network is typically wired and is then connected to the rest of the organizational network.
- the WLAN architecture is ideal for network administrators who wish to wirelessly extend the boundary of their existing wired campus or corporate networks and to provide campus-wide mobility support. Under this architecture, mobile clients are no longer constrained by network cables and wall jacks as long as they maintain direct wireless contacts with some AP. Due to a number of dynamic configuration protocols such as the DHCP, mobile clients can easily join the WLAN with little or no user configuration effort. A user can move freely within the coverage area of the APs. When the user moves across the boundaries of the service areas of APs, WLAN and bridge protocols can update the link layer connectivity for the user so that on going communication sessions are not interrupted by the handoff and actual communication carrier (radio frequency) switch.
- radio frequency radio frequency
- WLAN Wireless Local Area Network
- APs need to be interconnected via a backbone network, typically a wired LAN. Therefore network cables must be installed to connect the APs to the existing network infrastructure. Electrical wires must also be in place to supply operating power to the APs.
- WLAN planners need to predict wireless usage and conduct site surveys to determine the radio propagation characteristics. Operating channels also need to be allocated to each AP to keep the interference between neighboring communication cells to a minimum. After the deployment, it becomes another costly task to change the placement of the APs since the cables and wires need to be changed as well. If the usage pattern changes, oftentimes the WLAN is not able to be dynamically reconfigured to adapt to the changes.
- WEP Wired Equivalency Privacy
- WEP uses a shared secret key of 40 bits (or 104 bits in a later version).
- a 24 bit Initial Vector (IV) is concatenated with the shared key to create a 64 bit (or 128 bit in the later standard) seed.
- the seed is then fed to a RC4 Pseudo Random Number Generator (PRNG) to generate a random bit sequence, which is used as the frame encryption key stream.
- PRNG RC4 Pseudo Random Number Generator
- the IV is enclosed as clear text in each data frame so that the receiver may concatenate the received IV with the shared secret key to produce the RC4 PRNG seed and compute the decryption key stream.
- the limited IV size there are only 2 ⁇ circumflex over ( ) ⁇ 24, about 16 million, distinct key streams. Given the size of an average data frame and the transmission rate supported by IEEE 802.11, a busy AP may exhaust the distinct key stream space very quickly and be forced to reuse the encryption key stream. Since the IVs are enclosed as clear text in each data frame, it is relatively easy for an attacker to recognize a reused key stream. The attacker may collect pieces of cipher text that are encrypted with the same key stream and perform statistical analysis to attack and recover the plaintext.
- IEEE 802.11 APs provide two methods to protect against unauthorized accesses: Medium Access Control (MAC) address filtering and WEP-based shared-key authentication.
- MAC Medium Access Control
- WEP-based shared-key authentication simply drops all data frames whose destination or source addresses are not listed in a pre-defined “allowed list”.
- MAC addresses can easily be sniffed and forged by any attacker, the MAC address filter offers little protection against unauthorized network accesses.
- the shared-key authentication process involves both parties (named initiator and responder) encrypting the same challenge using WEP with the same shared-key but different IVs. Since the shared-key authentication algorithm authorizes network access to those who have the shared-key, it would be effective only if unauthorized parties cannot recover the shared-key. However, with WEP being breakable, the shared-key authentication becomes only an illusion.
- IEEE's 802.11i (802.11i, IEEE 802.11 Task Group I, work in progress) standard, which is developed to replace the current WEP based security mechanism of the 802.11 WLAN.
- the IEEE's 802.1x (Port Based Network Access Control) standard (“Port-Based Network Access Control”, IEEE, 2001), which is used as a component of 802.11i, specifies an architectural framework that is designed to provide user authentication, network access control, and dynamic key management.
- a system can use various specific authentication schemes and algorithms. The actual algorithm that is used to determine whether a user is authentic is left open and multiple algorithms are possible.
- One known popular algorithm is the Remote Authentication Dial In User Service (RADIUS) (IETF RFC 2965, June 2000).
- EAPOL Extensible Authentication Protocol over LAN
- EAP Extensible Authentication Protocol
- PPP Extensible Authentication Protocol
- IETF RFC 2284 March, 1998)
- EAP is built around the challenge-response communication paradigm that is common in network security solutions. Although originally designed as an authentication method for PPP connection, it can also be used for a wide range of LAN types such as Ethernet, token ring, or WLANs.
- the IEEE 802.1x protocol is briefly explained.
- the IEEE 802.1x is a port-based, access control framework for wired or wireless networks that decides whether a client is authorized to use the network access service and then implements the decision.
- a supplicant is a client who wishes to use the network access service.
- An authenticator is a device which separates the supplicant from the rest of the network, i.e. an AP, and prevents unauthorized access.
- the authentication server is a backend server which makes the decision of granting or denying the supplicant's request. After the decision, the authenticator either blocks the supplicant's data traffic or lets it pass through.
- IEEE 802.1x messages are transmitted using two versions of the EAP over two types of connections: 1) the link layer (LAN or WLAN) connections between the authenticators and supplicants and 2) the transport layer connections between the authenticators and the authentication server.
- IEEE 802.1x defines the Extensible Authentication Protocol over LAN (EAPOL).
- EAPOL Extensible Authentication Protocol over LAN
- the IEEE 802.1x does not define its own protocol, installations have been using a protocol based on the specifications defined by the “EAP over RADIUS” standard (C. Rigney, W. Willats, and P. Calhoun, “RADIUS Extensions”, IETF RFC2869, 2000).
- the Remote Access Dial-In User Services itself is defined in (C. Rigney, W. Willens, A. Rubens, and W. Simpson, “Remote Authentication Dial In User Service (RADIUS)”, IETF RFC2865, 2000).
- a typical IEEE 802.1x authentication session starts when the client (supplicant) sends an EAPOL-Start message to an access point (authenticator) indicating its interest in using network access service. Upon receiving this message, the authenticator sends back an EAP-Request/Identity message. The supplicant must respond with an EAP-Response/Identity message. After receiving the supplicant's identity, the authenticator then needs to contact the authentication server by forwarding the supplicant's identity response to it. From this point on, the authentication message exchanges are between the supplicant and the authentication server. The details of the message exchanges depend on the actual authentication (referred to as Upper Layer Authentication or ULA) algorithm being used.
- ULA Upper Layer Authentication
- the IEEE 802.1x supports a number of such ULA mechanisms such as the Transport Layer Security (TLS) (T. Dierks, and C. Allen, “The TLS Protocol Version 1.0”, IETF RFC2246, 1999) and the Kerberos V5 (J. Kohl, and C. Neuman, “The Kerberos Network Authentication Service (V5)”, IETF RFC1510, 1993).
- TLS Transport Layer Security
- V5 Kerberos Network Authentication Service
- the authentication server makes a decision of either granting or denying the supplicant's access request. The decision is sent to the supplicant in an EAP-Success or EAP-Failure message.
- EAP-Success EAP-Failure message
- WPA′ method of using keys is now explained. Instead of using a single shared key for everything, WPA uses four 128-bit keys for protecting each pairwise communication: one pair of keys for protecting data encryption and data integrity and one pair of keys for protecting the communication between the two devices during their initial handshake. Collectively these four keys together are known as the Pairwise Transient Keys (PTK). Similarly each one-to-many group communication session is also protected by a Group Transient Key (GTK). The transient keys are changed for every data packet sent.
- PTK Pairwise Transient Keys
- GTK Group Transient Key
- WPA only requires the configuration of one single key, the master key, for each pair of communicating devices or each group communication source. All other keys are derived from the master keys. Such a key organization is called a key hierarchy.
- the pairwise master keys are a by-product of the authentication process as they are the session keys established by the RADIUS server at the end of the authentication procedure.
- Group master keys are separately selected by the group communication sources.
- the PTKs are never exchanged between a pair of communicating nodes. Instead, they are computed independently by these two nodes.
- a four-way handshake is designed as part of TKIP to exchange the PTK computing parameters between a pair of nodes.
- the key generating parameters include such values that with extremely high confidence, the resulting transient key will be different for every time and every pair of nodes.
- both sides will have the same key generating parameters so they can generate the same PTK. Also proven during the handshake is that both sides know the same master key and therefore mutual authentication is achieved.
- GTKs are computed only by group communication sources and delivered to receivers via the already secured pairwise communications between the sources and receivers. GTKs may need to be re-computed and re-distributed from time to time due to group changes.
- the data encryption keys of the PTKs and GTKs are then used by TKIP to generate a per-packet key, which is sent to an RC4 algorithm along with an IV to generate the key stream.
- TKIP performs per-packet key mixing and only the result is used by RC4.
- the data encryption key of TKIP is much better protected.
- the TKIP IVs are 48 bits long. With such a huge IV space, IV collision is not expected to occur and known weak keys can also be avoided.
- the IVs are also used by TKIP as data frame sequence numbers to prevent replay attacks.
- FIG. 1 shows the components involved in IEEE 802.1x authentication operations.
- a client also known as a supplicant
- the AP 104 opens an unauthorized port for the client 102 , which only allows EAP messages to or from the supplicant (client) 102 to pass through.
- the supplicant 102 exchanges EAP messages with the authenticator 104 and the authentication server 106 , which is a backend server executing the authentication algorithms.
- the authentication server 106 returns an “accept” or “reject” instruction back to the authenticator 104 .
- the AP 104 opens the regular network access port for the client 102 to allow normal traffic for this client 102 to go through.
- WPA Wi-Fi Protected Access
- TKIP Temporal Key Integrity Protocol
- the WPA specification does not handle ad hoc links. Only its superset standard, IEEE 802.11i, contains any specifications for providing security to ad hoc links, and in this each ad hoc link is managed individually.
- IEEE 802.1x type of authentication is not used, as ad hoc links are thought to be typically created in an infrastructureless network where there would rarely be a RADIUS server available.
- Two devices interested in communicating via an ad hoc link must have a “pre-shared” key. This key, typically configured manually, is used as the master key in the subsequent WPA transient key generation.
- the device with lower MAC address will act as the supplicant and initiate the 4-way WPA key material exchange handshake. After the handshake is completed, each end sends its own group key to the other end.
- IEEE 802.1d employs a spanning tree protocol, which is its method of forming a packet forwarding topology while preventing forwarding loops within a network of bridging devices.
- each bridge includes multiple ports. These ports are attached to a number of LAN segments.
- one bridge acts as the “root” of the spanning tree. It is the bridge with the highest priority bridge identifier (the priority identifier of a bridge is either derived from the unique ID of the bridge, which is typically the lowest MAC address among those of the bridge's ports, or configured by the network administrator).
- each bridge uses each of its ports to report the following to its neighboring bridges: its own identity, the identity of the transmitting port, the identity of the bridge that the transmitting bridge believes to be the root, and the cost of the path from the transmitting port to the root bridge.
- Each bridge starts by assuming itself to be the root. If a bridge receives information that is “better” than what it currently has, it will re-compute its information based on the newly received information and then send out updated control messages to its neighboring bridges. What is considered “better information” includes information such as a bridge being a better root (with higher priority bridge identifier), a shorter path towards the root, lower cost routes, etc.
- the present invention provides methods and apparatus for constructing secure, portable, wireless, and multi-hop networks to provide wireless data access service.
- a multi-hop wireless access network can provide a rapidly deployable, mobile communications infrastructure that is suitable for many applications such as home or office networks, emergency response networks and sensor network scenarios.
- Such a network based on popular wireless local area network (WLAN) protocols can be economically built, allowing client devices such as cell phones, PDAs or sensors equipped with standard WLAN network interface components to communicate beyond their own communication ranges.
- WLAN wireless local area network
- SNOWNET Secure Nomadic Wireless Network
- SNOWNET Secure Nomadic Wireless Network
- the secure, portable, wireless, and multi-hop network is referred to as the Secure Nomadic Wireless Network (SNOWNET), which implements a collection of access networks interconnected via a wireless ad hoc backbone network.
- the SNOWNET is a hierarchical network with a dynamic wireless ad hoc backbone network interconnecting a number of local access service areas.
- the wireless ad hoc backbone network is formed by a number of SNOWNET nodes.
- Each SNOWNET node includes a router that has both an access service and a wireless backbone interface.
- the backbone network is automatically formed and configured as an ad hoc network among the routers using MANET-style routing schemes for data forwarding.
- the installation process can be reduced to the placing of SNOWNET nodes in the field of operation, powering them up, and optionally orienting the external antenna attached to these nodes to connect to other SNOWNET nodes.
- Any configuration parameters such as the identity of neighboring devices, address assignments and message routes, will be determined autonomously by the collaborative operations of a set of such SNOWNET nodes.
- the communications between SNOWNET nodes as well as between SNOWNET nodes and mobile clients will be secure. Only authorized devices (both SNOWNET nodes and mobile clients) are allowed to access and be served by the SNOWNET.
- the present invention includes a self-organized security method to provide data protection through encryption of the data, and authentication for client users such as attached sensor devices and for SNOWNET nodes that may dynamically join and exit from the backbone network.
- the present invention includes a method of applying the WPA protocol beyond a single-link case to a store-and-forward wireless network.
- the extended WPA protocol is included in a SNOWNET system as a modification to the security aspect of SNOWNET as disclosed in U.S. patent application Ser. No. 10/463,857, and U.S. Provisional Application No. 60/428,700, the contents of all of which are incorporated herein by reference.
- the present invention includes a computer network, a method, and a computer-readable medium including a backbone network including backbone network nodes authenticated to each other and in communication with each other.
- the configuration of the backbone network and the organization of data forwarding within the backbone network are self-organized.
- Each node may be connected to a wireless access network to which clients may attach.
- Data can be forwarded between clients and nodes within the overall network consisting of the backbone network and all access networks attached to backbone nodes, as well as any external networks to which backbone nodes may connect.
- the above computer network also includes a master authenticator node and proxy authenticator nodes among the backbone network nodes.
- an unauthenticated new node requests authentication to the backbone network and the unauthenticated new node is in communication with at least one of the backbone network nodes, the at least one of the backbone network nodes becoming the proxy authenticator node for the unauthenticated new node and communicates with the master authenticator node to authenticate the unauthenticated new node to the backbone network.
- FIG. 1 is a diagram of a wireless local area network (LAN) with IEEE 802.1x.
- FIG. 2 of system architecture of the present invention.
- FIG. 3 shows a diagram of the hardware architecture of a SNOWNET node 302 of the present invention.
- FIG. 4 is a diagram of the software components of a node of the present invention.
- FIGS. 5A and 5B are diagrams of SNOWNET implementation of IEEE 802.1x.
- FIG. 5C is a diagram of messages exchanged during authentication of a new node in the present invention.
- FIG. 6 is a diagram of an example of a SNOWNET spanning tree of the present invention.
- FIG. 7 is a diagram of a SNOWNET Bridging Table contents.
- FIG. 8 is a diagram of IEEE 802.11 Data Frame Address Field Contents.
- FIG. 9 is a diagram of a SNOWNET Routing Table contents.
- FIG. 10 is a diagram of Routing Update Message Contents.
- the authentication method of the present invention is applicable to wireless networks in general, and, more particularly, to the Secure Nomadic Wireless Network (SNOWNET) disclosed in U.S. Provisional Patent Application No. 60/507,934, U.S. patent application Ser. No. 10/463,857, and U.S. Provisional Application No. 60/428,700, the contents of all of which are incorporated herein by reference.
- SNOWNET Secure Nomadic Wireless Network
- the authentication method of the present invention is disclosed with reference to SNOWNET, the authentication method of the present invention is not limited to such implementation.
- SNOWNET The Secure Nomadic Wireless Network
- SNOWNET combines a wireless multi-hop backbone network with infrastructure-mode IEEE 802.11 network access services.
- SNOWNET router nodes may have multiple WLAN radios and are used as both standard WLAN Access Points (APs) and backbone routers.
- APs WLAN Access Points
- SNOWNET One advantage of using SNOWNET is that in order to extend WLAN coverage to a new area that does not have an existing infrastructure network, new SNOWNET nodes need only to be deployed in the new coverage area and will automatically form a wireless multi-hop data forwarding network connecting the new area to the rest of the SNOWNET. At the same time these new SNOWNET nodes provide AP access service to their coverage areas. Clients or sensor devices that are equipped with standard IEEE 802.11 client network interface cards, attach to a nearby SNOWNET router providing access service.
- SNOWNET forwards the client or sensor data within the network or to gateway routers.
- SNOWNETs are applicable to SoHo WLANs, sensor and surveillance networks, emergency responder communications, embedded WLAN networks, and hotspots extensions where cabling is not feasible.
- the present invention provides a high level of security in SNOWNET for clients, devices such as sensors, and for the multi-hop backbone network.
- the present invention supports standard WLAN network interface devices as clients without requiring modifications to clients and self-organizes the backbone network for ease of deployment and portability.
- the present invention includes extensions to the typical link-based security mechanisms that are required to operate in a multi-hop environment.
- SNOWNET The architecture of the SNOWNET, the functions and design of SNOWNET nodes, and the protocols executed by SNOWNET nodes, of the present invention are now disclosed, with reference to FIGS. 2-10 .
- FIG. 2 illustrates the architecture of a SNOWNET system network 300 of the present invention.
- Each SNOWNET node 302 is equipped with at least one wireless network interface, which is used for communications between peer SNOWNET nodes 302 .
- Links 304 are formed between SNOWNET nodes 302 dynamically if wireless communication can be established between them.
- the network including only the SNOWNET nodes 302 and the links 304 between them are referred to as the SNOWNET backbone network 306 .
- the interface dedicated by each SNOWNET node 302 for backbone communication is referred to as the backbone interface.
- Optional external antennas may also be used to extend the communication range of the backbone interfaces.
- a SNOWNET node 302 is typically equipped with additional interfaces to provide local network access services to mobile clients 310 .
- all three example SNOWNET nodes 302 have at least two wireless interfaces, one for backbone communications, and the other for providing local access services.
- the local service interface can be of any LAN technology such as an IEEE 802.3 network interface, an IEEE 802.11 interface running in AP mode, Bluetooth, etc.
- the interface dedicated by a SNOWNET node 302 for client communication service is referred to as the service interface.
- a SNOWNET node 302 When a SNOWNET node 302 is equipped with wireless service interface(s), it provides wireless client coverage 308 for clients 310 within its service interface's wireless communication coverage. This is referred to as the SNOWNET node 302 providing Local Access Service for the clients 310 in its coverage area. If a SNOWNET node 302 is equipped with a wired LAN interface such as an IEEE 802.3 (Ethernet) interface, it is also possible for such a SNOWNET node 302 to provide wired local access service to clients with a matching wired communication interface via a wired Local Area Network (LAN) connected to the Ethernet interface of the SNOWNET node 302 . This traffic would then be forwarded on the wireless backbone network, thus SNOWNET is capable of wirelessly connecting multiple wired networks.
- LAN Local Area Network
- the preferred method is to configure the communication technology used by the backbone interfaces of the SNOWNET 300 to run under peer-to-peer (also called Independent Basic Service Set, or IBSS) mode.
- peer-to-peer also called Independent Basic Service Set, or IBSS
- the interfaces should run in 802.11 Ad Hoc mode.
- Optional external antennas may be used to extend the communication range of the backbone interfaces.
- backbone network 306 configurations For instance if the backbone network 306 forms a “star” topology, the backbone interface of the center node may be configured as an access point (AP) and backbone interfaces of the other nodes as clients.
- AP access point
- Links 304 of the backbone network 306 it is not necessary for all links 304 of the backbone network 306 to use the same link technology. Nodes with backbone interfaces of the same technology may form sub-backbones. Sub-backbones are connected together to form the overall backbone network 306 by nodes 302 with multiple backbone interfaces of different technologies that are simultaneously residing on multiple sub-backbones.
- SNOWNET nodes may also have an additional network interface(s) 312 connected to the rest of an organizational network (e.g. the corporate headquarter network), the global Internet or some other external network.
- SNOWNET gateways act as gateways for the SNOWNET 300 to reach the Internet or other external networks.
- These links may be of various link technologies, e.g. an Ethernet cable connected to a LAN for a fixed-group network, a wireless LAN interface to an AP, a Point-to-Point Protocol (PPP) connection, or a 3G wide-area wireless communication interface, etc.
- PPP Point-to-Point Protocol
- Some network interfaces of the SNOWNET node 302 may even be virtual interfaces.
- a physical interface may be multiplexed or time-shared to create multiple virtual interfaces that can be used for different purposes.
- the SNOWNET node 302 of the present invention may allow algorithms to be built so that the same IEEE 802.11 interface may run in ad hoc mode in some time slots to act as the backbone interface and in AP mode in other time slots to act as the local access service interface.
- a SNOWNET node may dynamically change one of its AP interfaces to a backbone interface or vice versa.
- SNOWNET nodes 302 provide access services to sensors and other regular clients 310 with matching standard network interfaces. Hence, normal clients 310 may connect to SNOWNET 300 in the same fashion as they connect to any other standard wired or wireless LAN.
- SNOWNET nodes 302 form a wireless backbone network 306 among themselves. Thus the deployment topology of the wireless network 306 is not constrained by the fixed connections to a wired network infrastructure, permitting changes in SNOWNET node 302 locations.
- SNOWNET nodes 302 relay communication between these two levels. Therefore a typical intra-SNOWNET communication path between two clients receiving local service from different SNOWNET nodes 302 may include the link between the source mobile client 310 and the SNOWNET node 302 serving the source client 310 , a number of SNOWNET backbone links, and finally the link between the destination client 310 and its access service SNOWNET node 302 . If the destination is on another external network, then the communication path would include the SNOWNET gateway node that is forwarding traffic for that network.
- Backbone links 304 between SNOWNET nodes 302 are dynamically established subject to the communication parameters and range constraints of the physical environment. Through topology information exchange, the SNOWNET data forwarding protocol is able to dynamically adjust and self-organize the data forwarding routes based on the current topology of the wireless backbone 306 and the current attachment distribution of clients 310 . Thus, SNOWNET nodes 302 are portable and the configuration of the network 300 can adapt to changing usage patterns by adding, deleting or moving of SNOWNET nodes 302 .
- an extension to the data forwarding protocol of storing-and-forwarding of IP traffic includes the link layer identities (e.g., MAC addresses) of the SNOWNET nodes 302 in the topology information exchange and route computation. This enables the extended forwarding protocol to compute routes for data link layer frames even if the destination is several hops (or nodes 302 ) away.
- link layer identities e.g., MAC addresses
- an encapsulation mechanism called SNOWNET envelopes, forwards data link layer frames across an arbitrary network layer topology 300 .
- FIG. 3 shows a diagram of the hardware architecture of a SNOWNET node 302 of the present invention.
- Each SNOWNET node 302 can be implemented as an embedded system comprising a processor 402 , system memory (RAM) 403 , data storage memory (Flash) 404 for software and security related data such as certificates and keys, one or more network interfaces 406 , and a system bus 408 connecting these components.
- Each node 302 has a manageable and portable form factor as well as protective casing.
- each node 302 may be equipped with external antennas 410 to extend the communication ranges of its wireless network interfaces 406 .
- These network interfaces 406 provide local wired or wireless access, wireless backbone access, or wired or wireless gateway access.
- a SNOWNET node 302 configuration depends on its specific intended use in the network.
- the typical SNOWNET node 302 in a remote location would have two wireless interfaces 406 : one for backbone communication and one for local access service.
- a SNOWNET gateway node 302 may have these two wireless network interfaces plus a third network interface 406 , such as a wired Ethernet interface to connect to the external network.
- a SNOWNET node 302 uses DC power that can be supplied by batteries as the main power source 412 .
- DC power can be provided from AC converters from the electric outlet, battery charging devices, solar energy devices, automobile battery outlets, or other power generating devices.
- SNOWNET nodes 302 implement power management procedures to preserve battery power when possible.
- the file system 404 on a SNOWNET node 302 is an encrypted file system. All information stored in data storage 404 is encrypted.
- the operator provides a decryption key supplier (i.e. a Smartcard, a USB key, etc).
- the boot up sequence of the node 302 locates and loads the decryption key from the supplier. Only then can the file system 404 be accessed.
- Critical operational system files are decrypted and loaded into system memory 403 to be executed.
- a node 302 is disconnected from the authentication and communication key management server of the SNOWNET (the SNOWNET master authenticator as detailed later), i.e. not receiving key management messages from the server, for a certain period of time, an automatic power shut down is performed. Other tampering with the SNOWNET node 302 is prevented by physical security methods on the node 302 .
- the above-mentioned feature of the present invention reduces the risk to the whole SNOWNET 300 if one SNOWNET node 302 is compromised by an unauthorized user. Without a valid connection to the decryption key supplier, the SNOWNET node 302 is inoperable after it has been powered down unless a valid decryption key supplier is applied. Even in the case that the attacker maintains a power supply to the SNOWNET node 302 , the node 302 will be isolated from the other SNOWNET node population 300 using this timeout mechanism.
- One embodiment of the present invention is implemented as a Soekris Engineering Net4521 Board with a 133 MHz AMD Elan SC520 system-on-chip CPU with interfaces including 2 PCMCIA, 1 CF, 1 Serial, 1 Mini-PCI, and 2 Ethernet; dual wireless interfaces including two 802.11 cards for backbone and access points, and a gateway configuration including a PCMCIA card for wireless uplink and a card for 802.11 backbone; OpenBSD or FreeBSD Operating Systems; and open software including Free Radius, HOSTAPD, Xsupplicant, and Xauthenticator.
- FIG. 4 is a diagram showing the SNOWNET node 302 software architecture components 500 .
- the SNOWNET node 302 software components 500 are stored in the data storage memory 404 of each SNOWNET node 302 .
- the software components 500 include operating system kernel space drivers 502 for various network interfaces, including drivers for Ethernet 504 , IEEE 802.11 Network Interface Card (NIC) in Host AP mode 506 , and 802.11 NIC in Ad Hoc mode 508 . All other SNOWNET components reside in user space 510 , or in kernel space 502 to improve performance.
- a Network Address Translation (NAT) module 532 resides in kernel space to provide the translation between external Internet addresses and the internal SNOWNET address space if necessary.
- NAT Network Address Translation
- SNOWNET software modules There are two major SNOWNET software modules, a SNOWNET network layer 512 and a SNOWNET API 514 .
- SNOWNET network layer 512 the functions of SNOWNET node authentication 516 and SNOWNET Routing/Bridging 518 are implemented.
- SNOWNET nodes providing client device access service a standard DHCP module is included to dynamically assign addresses to clients.
- the SNOWNET Application Programmers Interface (API) 514 offers an application development interface so that other applications 520 and services 522 can access lower-level, SNOWNET specific features such as Routing Table information (shown in FIG. 9 ). Examples of applications that could be implemented in a SNOWNET network 300 include Wireless Voice, streaming data and many other network functions.
- the API is defined and implemented for the Network Layer 512 and the Client Authentication Module 526 and includes program calls in the C language.
- the SNOWNET network layer 512 is implemented as a network service to the other middleware components of a SNOWNET node 302 .
- These optional SNOWNET middleware components may include Quality of Service module 524 , the Security of Service module 524 , trust management algorithms 530 .and client authentication module 526 .
- the Quality of Service module 524 controls the share of the communication bandwidth given to each client.
- the Security of service 524 provides levels of additional security depending on the needs of the client.
- the trust management algorithms deal with rules for initial bootstrapping of the system and for allowing unknown clients and routers to become part of the system.
- the client authentication module 526 implements the 802.1x policy for admitting and identifying clients and is discussed further below.
- Each SNOWNET node 302 also includes a module supporting secure roaming for clients 528 .
- This is the module 528 that transfers the “trust and credentials” of a client from one SNOWNET node 302 to another when the client 310 moves from one SNOWNET node's local service area to another node's local service area.
- the client 310 does not need to go through the entire authentication phase again in the new local service area.
- the time gap between the client 310 being served by two SNOWNET nodes is relatively smaller and the handoff is relatively smoother.
- a SNOWNET node 302 may optionally host an authentication server 534 such as a RADIUS server 303 that will provide all of the necessary checking of credentials, generation of keys and storage of credential information.
- an authentication server 534 such as a RADIUS server 303 that will provide all of the necessary checking of credentials, generation of keys and storage of credential information.
- SNOWNET Security features of the SNOWNET of the present invention, including the SNOWNET implementation of client authentication and access communication encryption 526 , SNOWNET node authentication and communication encryption extended 516 , for SNOWNET, and authentication and security during handoff, are now discussed.
- the SNOWNET implementation of of client authentication and access communication (communication between clients and their service SNOWNET nodes) encryption is now discussed, with reference to FIG. 5A .
- Two variations of the method are disclosed. They are an extended IEEE 802.1x client authentication and encryption method and a standard WPA client authentication and encryption method.
- a supplicant (or client) 310 accesses the SNOWNET 300 through the access point interface of a SNOWNET node 302 .
- the SNOWNET node 302 serves as an authenticator, and is in communication with an Authentication Server 303 .
- SNOWNET 300 uses an existing organizational RADIUS server as the backend authentication server 303 .
- RADIUS server C. Rigney, A. Rubens, W. Simpson, and S. Willens, “Remote Authentication Dial In USER SERVICES (RADIUS)”, RFC 2138, April, 1997)
- SNOWNET 300 uses an existing organizational RADIUS server as the backend authentication server 303 .
- one SNOWNET node 302 can be configured as an authentication server 303 by running the RADIUS server software. Before SNOWNET deployment, this node 303 downloads all necessary certificates into its system memory 404 so it can carry out the authentication duties. Such certificates include those for SNOWNET nodes 302 as well as for all authorized clients.
- Additional hardware resources such as system memory and a higher-performance CPU may be installed on an authorization server node 303 to improve performance.
- the RADIUS server node 303 must be activated before any other SNOWNET nodes 302 are turned on and remain active until all other SNOWNET nodes 302 are turned off.
- SNOWNET nodes 302 that provide local network access services act as authenticators in the IEEE 802.1x architecture using its Client Authentication Module 526 .
- Regular mobile clients 310 are supplicants.
- SNOWNET is compatible with many existing off-the-shelf client side implementations of supplicant functionality, e.g. Windows XP, Xsupplicant, etc.
- the Client Authentication Module 526 in SNOWNET nodes 302 run the Open1X Authenticator software, an open source implementation of the IEEE 802.1x authenticator (Open1x, on the world wide web at open1x.org) 526 .
- SNOWNET Client Authentication Module 526 enhances the standard IEEE 802.1x security by offering additional features such as mutual authentication between the mobile clients and the network and dynamic key rotation.
- Mutual authentication between mobile clients 310 and the SNOWNET network 300 is supported through the successful completion of the authentication process, as this can only be accomplished if both the client 310 and SNOWNET nodes 302 are properly identified using a public key infrastructure.
- Dynamic keys in which the security encryption keys are changed periodically and redistributed through the SNOWNET network 300 is one of the features supported by SNOWNET 300 .
- the details of the Client and Network Mutual Authentication procedure in SNOWNET 300 are as follows.
- the client 310 sends an EAP start message and the SNOWNET node 302 returns an EAP message requesting the user's identity.
- the client 310 returns his certificate encrypted using a public key encryption mechanism with the authentication server's 303 public key.
- the authenticator 302 then forwards this encrypted certificate to the authentication server 303 .
- the authentication server 303 verifies the client certificate and if the certificate is valid, the authentication server 303 generates a session key for the client and sends the session key to both the client 310 and authenticator 303 .
- the AP 302 encrypts the local shared WEP key and sends the encrypted shared key to the client 310 .
- the authentication server 303 also encrypts the certificate for the whole SNOWNET 300 using the client's 310 public key and sends the encrypted certificate to the client 310 so the client 310 can authenticate the network 300 as well. If the client 310 accepts the network certificate, the client 310 decrypts the local shared WEP key, configures the shared key into its IEEE 802.11 device, and begins to access the network 300 .
- SNOWNET 300 dynamically and periodically updates the shared keys used for communications between clients 310 and APs 302 .
- SNOWNET 300 does not need to update the shared keys when a client 310 disconnects from the network 300 because the shared key used at that moment will soon be replaced by periodical key refreshing.
- SNOWNET assumes that a WPA-capable RADIUS server is either running within the SNOWNET or is reachable from the SNOWNET through a gateway service.
- Each SNOWNET node that provides AP service supports the functions of an IEEE 802.1x authenticator.
- a client When a client is requesting network access service, it begins with an EAPOL-Start message; then, the standard WPA authentication procedure continues.
- the IEEE 802.1x authentication execution completes, both the client 310 and the SNOWNET AP node 302 providing local access service will receive a session key from the RADIUS server.
- the session key is used as the master key for WPA transient key generation.
- the current group transient key is also generated and sent to the client by the SNOWNET AP node 302 .
- the AP node needs to update the group transient key.
- the new group key is then sent to each attached client of the AP node 302 using EAP-Key messages.
- SNOWNET also supports older style security for clients that do not support WPA.
- the session key is used as the shared WEP key directly.
- the SNOWNET AP node 302 will automatically regenerate and install new session keys periodically.
- the Client Authentication Module 526 is integrated into the AP function of the SNOWNET nodes as part of the HostAP module 506
- Backbone Authentication and Security of the present invention for SNOWNET is now explained.
- the Backbone Authentication and Security of the present invention is included in the Authentication Module 516 of the present invention.
- the backbone network 306 is wireless and dynamic, permitting new SNOWNET nodes 302 to join and others to leave the backbone network 306 during normal operation. Before these new nodes 302 can provide network access and authentication services to regular mobile clients 310 , the nodes 302 first need to be admitted to the backbone network 306 . In other words, SNOWNET nodes 302 themselves must also be authenticated within the SNOWNET 300 .
- the new SNOWNET node 302 Only after being admitted to the backbone network 306 may the new SNOWNET node 302 begin to offer network access services to its local clients 310 .
- FIG. 5B illustrates the typical components involved in SNOWNET authentication operations.
- SNOWNET backbone security extends standard IEEE 802.11 security mechanisms, which are designed for single hop wireless networks, to multi-hop networks.
- SNOWNET data security is based on WPA security, with modifications accommodating the special characteristics of SNOWNET.
- FIG. 5B shows a SNOWNET authentication architecture 1000 in which SNOWNET nodes 302 are coupled to each other by a wireless 802.11 backbone connection, SNOWNET nodes 302 are coupled to clients 310 by wireless 802.11 infrastructure-mode access connection points, and SNOWNET nodes 302 , RADIUS server 303 , and router 1002 are coupled to Ethernet 1001 by wired connections.
- the WPA's security model is extended to cover the entire backbone network 306 .
- the IEEE 802.1x authentication is extended by the present invention to support multi-hop wireless network.
- all SNOWNET nodes communicate using a common key, following the WPA group security. After SNOWNET nodes are authenticated, they are provided with the group transient key. This key is also updated periodically.
- a RADIUS server 303 is assumed to be reachable from the SNOWNET. This server 303 may or may not be the same RADIUS server 303 handling client device 310 authentications.
- This server 303 may or may not be the same RADIUS server 303 handling client device 310 authentications.
- one node 305 is designated as the authenticator for the entire backbone network 306 . This node 305 is named the “Master Authenticator (MA)” 305 .
- MA Master Authenticator
- the identity of the MA 305 is included in SNOWNET topology exchange messages and sent to all authenticated backbone nodes 302 already on the backbone.
- the identity of the RADIUS server 303 is known to the MA 305 .
- the MA 305 is deployed before any other SNOWNET nodes 302 and is assumed to be able to reach the backbone RADIUS server 303 .
- New backbone nodes 302 are added to the SNOWNET backbone 306 in an iterative manner as they are authenticated by the MA 305 and RADIUS server 303 .
- EAPOL messages are link layer data frames and cannot be transmitted between nodes 302 separated by other store-and-forward nodes operating at the network layer, as in SNOWNET.
- the SNOWNET backbone 306 is capable of forwarding network layer data packets.
- EAPOL frames are encapsulated in special IP or higher layer packets.
- a special SNOWNET packet format is defined for encapsulating EAPOL packets, called Envelopes.
- SNOWNET Envelopes are transmitted across the backbone network just like other user data messages encoded with the encryption mechanism of the SNOWNET backbone 306 .
- the SNOWNET Envelope packets are network-or-above layer packets.
- a TCP packet is used as the method, although IP or UDP packet may also be used depending on each individual system's requirement and implementation details.
- IP or UDP packet may also be used depending on each individual system's requirement and implementation details.
- additional mechanisms may be needed to increase delivery reliability.
- the sender is able to find out if the receiver has received the packet via a link layer acknowledgement.
- a similar acknowledgement function is provided by the SNOWNET Envelope packets.
- the embodiment of the SNOWNET 1000 shown in FIG. 5B includes an Ethernet 1001 network coupled to the MA 305 , RADIUS server 303 coupled to the Ethernet 1001 , a router 1002 , a firewall 1003 coupled to the Internet 316 , hubs 1004 , workstations 1006 , and servers 1008 .
- FIG. 5C shows the backbone authentication messaging sequence 1100 of the present invention.
- the messages being exchanged during the authentication stage are illustrated in FIG. 5C .
- the new SNOWNET node 302 - 1 acts as a supplicant and sends out an EAPOL-Start message.
- Any SNOWNET backbone node 302 that is within range may receive the EAPOL-Start message.
- the backbone node 302 hence becomes a proxy authenticator whom we name EAP Proxy (EP) 302 - 2 for the new node 302 - 1 and encapsulates the message within a SNOWNET Envelope message addressed to the MA 305 .
- Multiple SNOWNET nodes 302 may actually receive and forward the EAPOL-Start message as an EP 302 - 2 .
- the Envelope message After being forwarded by the SNOWNET backbone 306 , the Envelope message reaches the MA 305 and the outer Envelope specific fields are peeled off and the EAPOL-Start message is revealed and passed to the authenticator function of the MA 305 .
- the authenticator 305 selects one of the EP's 302 - 2 as the preferred EP 302 - 2 and then replies with a standard IEEE 802.1x EAP-Request/ID message. Again, this EAP message is encapsulated in another SNOWNET Envelope message and the Envelope is addressed to the preferred EP 302 - 2 . From this point on, the standard IEEE 802.1x style authentication is carried out among the supplicant 302 - 1 , the MA 305 , and the backend RADIUS server 303 .
- the EP 302 - 2 For EAP messages from the supplicant 302 - 1 to MA 305 (or RADIUS server 303 ), the EP 302 - 2 receives the link layer frames from the supplicant 302 - 1 , encapsulates them in SNOWNET Envelopes and sends them towards the MA 305 .
- the MA 305 encapsulates those using SNOWNET Envelops addressed to the EP 302 - 2 .
- the EP 302 - 2 then unencapsulates the EAP frames from the Envelopes and forwards the resulting EAP frames to the supplicant 302 - 1 over the ad hoc link between them.
- the new supplicant 302 - 1 will not know a priori the identity of an EP 302 - 2 . This is different from authentication between a client 310 and an AP, where the identity of the AP is known to the client 310 .
- the EAPOL-Start message is sent in plaintext using a link layer broadcast address. Any SNOWNET backbone node 302 who receives and reacts to the message becomes an EP 302 - 2 and there may be multiple EPs 302 - 2 that forward the EAP-Start message to the MA 305 .
- the MA 305 selects a preferred EP 302 - 2 according to various criteria, such as link quality, least loaded node or first arrival, and only uses this EP 302 - 2 to correspond with in subsequent steps. EAP messages in subsequent steps from the MA 305 to the supplicant 302 - 1 are explicitly addressed to the preferred EP 302 - 2 and similarly on the return path. The remaining EPs 302 - 2 will drop out of the communications unless a new EAPOL-Start is received.
- various criteria such as link quality, least loaded node or first arrival
- a session key is established between the new SNOWNET backbone node 302 - 1 and the MA 305 and the WPA pairwise transient key is generated from that.
- the MA 305 forwards the current group key to the new node 302 - 1 .
- the group key is used to protect the communications among all backbone nodes 302 .
- the MA 305 It is also the MA 305 's responsibility to generate and update the group key.
- the MA 305 renews the group key.
- the MA 305 will generate this new key on a periodic basis. The choice of a good lifetime of each group key is dependent on the dynamics of the network 300 .
- a new group key is delivered from the MA 305 to all SNOWNET backbone nodes 302 individually via EAP-Key messages protected with the pairwise EAP-Key encryption keys and integrity keys derived from the authentication procedure.
- Newly generated and distributed group keys are not effective immediately but are scheduled to be used at a future time.
- the gap between the current time and the new key effective time is long enough to assure that the new group key is received by all backbone nodes 302 with high likelihood and to allow for any backbone node 302 to specifically request the new key if it is believed to have missed the delivery of the new key (e.g. because of lost packets).
- the new group key is not used immediately, it is installed into the IEEE 802.11 hardware as a secondary key. After the new group key goes into effect, the old group key is also kept in the hardware as a secondary key for a short period of time.
- the MA 305 is included in SNOWNET backbone security as the pairwise security binding is only between the MA 305 and other SNOWNET backbone nodes 302 .
- the total number of WPA transient keys the MA 305 needs to maintain for a backbone network 306 of N nodes 302 is N, with N-1 TKIP pairwise transient keys and 1 group key.
- the number of keys being managed by the network 306 grows as O(N).
- SNOWNET backbone communications are encrypted with the group transient keys.
- This transient group key is used as the temporal key in the TKIP phase 1 key mixing. If TKIP is not supported in a particular implementation of SNOWNET node 302 hardware and firmware, the group key may also be directly used as a WEP key (a hash function is needed to format the transient group key into a key format compatible to WEP). However, in this case most of the problems associated with WEP would remain unsolved.
- An advantage of using the SNOWNET security mechanism in this case is that the MA 305 is able to generate and deliver new group keys to all backbone nodes 302 across a multi-hop network so that each group key only has a short lifetime and during which attackers are unlikely to gather enough packets to break the key.
- the first event to occur is a link layer handoff. That is, upon some predefined triggering event, the communication link between the mobile client and its current AP is broken and a new communication link between the mobile client and a new AP is established. Then the system performs the network layer handoff. That is, the mobile client establishes its new topological attachment (to its new AP) and propagates the information to the whole network so that data traffic from/to the mobile client can be properly directed.
- the issues related to authentication and security during link layer handoff are addressed.
- network layer handoff is discussed.
- link layer handoff is done in a “break-before-make” fashion.
- the mobile client may send out a disassociation message to its current AP to notify the current AP of the departure so that the AP can remove any states stored for the mobile client. Then the mobile client performs a scan over all channels to determine available APs and their characteristics and the selects its new target AP.
- the 802.11 standard specifies an authentication procedure for the mobile client by the new AP.
- the shared-key authentication scheme of 802.11 is not effective.
- many deployed 802.11 systems are open systems in which any mobile client is authenticated by default.
- the mobile client After authentication, the mobile client tries to connect to the new AP by sending to the new AP an Association Request. Upon the receipt of an Association Request, the AP sends back an Association Response. If the request is accepted, this response contains a “successful” value. After receiving an Association Response with “successful”, the mobile client acknowledges the message. Then the new connection is established and the mobile client can send and receive via the new AP.
- SNOWNET 300 when a mobile client 310 roams from one SNOWNET node's 302 access service area to that of another, the mobile client 310 executes the functions of scan, authentication, and association.
- SNOWNET 300 employs an optimized scan scheme to reduce the time needed to complete a scan.
- the reason for a mobile client 310 to perform a scan over all channels is that the client 310 does not know which SNOWNET nodes 302 are available in the area of the mobile client 310 .
- Putting the network interface of the mobile client 310 into promiscuous mode does not solve the problem because the SNOWNET nodes 302 may operate on different channels than the client's 310 current channel and thus still can not be heard.
- the clients 310 may perform scan operations even during normal operation to constantly monitor the availability of nearby SNOWNET nodes 302 and their characteristics. This monitoring scan is only done under the condition of not interrupting ongoing communication and is not performed when battery lifetime becomes a concern.
- the mobile client 310 may focus only on those SNOWNET nodes 302 that are on the “recently heard” list and have good signal quality. Thus, the need for a full channel scan is avoided and the time the mobile client 310 takes to select its new service node 302 is reduced. In cases when the “recently heard “list is created very recently, the mobile client 310 may immediately select its new service node directly from the list without additional scanning.
- the association procedure in SNOWNET 300 is similar to what the current 802.11 standard specifies and thus is not discussed here.
- the focus of this section is on authentication and security with respect to roaming.
- the present invention includes an authentication and security handoff mechanism that smoothly and securely relocates the mobile client 310 to its new access service area with minimal delay.
- the mechanism is based on a public key system. It is assumed that all SNOWNET nodes 302 have a pair of keys, one public and one private. Each SNOWNET node 302 is aware of the public keys of other neighboring SNOWNET nodes 302 . Each mobile client 310 also knows the public keys of the nearby SNOWNET nodes 302 . This feature is fulfilled by either pre-installation or an external public key exchanging protocol.
- a mobile client 310 needs to request that its current SNOWNET service node 302 provide a ticket.
- This ticket includes information such as the mobile client's identity and its current access service SNOWNET node's identity.
- the ticket includes other fields such as the time when the ticket is issued, its expiration time, a session key transmission key, check sum, etc.
- the ticket may also include some random bit padding before and after the real fields.
- This ticket is encrypted by the SNOWNET node 302 using its private key. This encrypted ticket is then sent to the requesting mobile client 310 . Because the delivery of this ticket is over an established secure communication session between the mobile client 310 and its current SNOWNET service node 302 , such a delivery is secure.
- the SNOWNET node 302 may encrypt the already encrypted ticket (with the SNOWNET node's private key) again with the mobile client's public key.
- the mobile client 310 decrypts the ticket using the mobile client's private key and stores the ticket (still encrypted with the service node's public key). This way, even if such a ticket is captured by a third party; the third party can not decrypt the ticket.
- the mobile client 310 After the mobile client 310 selects its new SNOWNET service node 302 , the mobile client 310 sends to the new SNOWNET node 302 a re-authenticate request message.
- This message includes its own identity, the identity of its previous service node, and the stored ticket. The message is encrypted using the new service node's public key.
- the new service node 302 Upon receiving such a re-authentication message, the new service node 302 first decrypts the message using its own private key. Then the new service node 302 decrypts the ticket (still encrypted with the previous service node's private key) included inside of the message using the public key of the previous service node. If the ticket is valid, the service node 302 generates a temporary communication session key for the mobile client 310 . The service node 302 sends back to the client 310 a re-authentication response message with a “successful” flag. The message is encrypted with the session key transmission key included in the ticket and sent to the mobile client 310 over the open channel. After receiving the temporary communication session key, the mobile client 310 may send and receive message traffic via the new service node 302 .
- the temporary communication session key is only valid for a short period of time. After the temporary communication session key is expired, use of the temporary communication session key is not permitted for communication between the mobile client 310 and its new service node 302 . Thus, during the valid window of this temporary communication session key, the mobile client 310 must complete the normal mobile client authentication procedure as described earlier in this section. That is, the mobile client's credential needs to be transmitted to the RADIUS server 303 of the SNOWNET 300 for the client 302 to be authenticated. After being authenticated by the RADIUS server 303 , the RADIUS server 303 will start to issue and manage session keys for the communication between the mobile client 310 and service node 302 in the normal fashion.
- SNOWNET nodes may have multiple communication interfaces, each having a globally unique identifier known as the hardware address or MAC address of the interface. Because MAC addresses are assigned to communication interface hardware by the manufacturers and they are globally unique, they are also commonly used as unique identifiers of their hosting devices. They are also used in SNOWNET. For SNOWNET nodes with more than one communication interface, and thus multiple MAC addresses, the lowest MAC address is used as the unique node identifier of the SNOWNET node.
- IP addresses are only used for direct LAN communication between network interfaces reside on the same LAN.
- IP Internet Protocol
- SNOWNET IP address management of the present invention is described. As discussed in greater detail later, SNOWNET may operate in two different data forwarding modes: bridging mode and routing mode. The IP address management is done differently in these two modes.
- SNOWNET When SNOWNET operates in bridging mode, its IP address management is very simple.
- a special SNOWNET node is configured as a DHCP server and manages IP address assignment for the whole network, or a DHCP server is reachable from the SNOWNET.
- the DHCP server has a pool of addresses for it to lease to clients and SNOWNET node devices. IP addresses of expired leases are returned to the address pool for future assignments.
- a SNOWNET node or a client device After a new device, either a SNOWNET node or a client device, is authenticated, it will issue a DHCP request asking for an IP address assignment and other related IP communication parameters such as the addresses of the default routers for the SNOWNET and Domain Name Servers (DNS).
- DNS Domain Name Servers
- This request is broadcast to all devices in the SNOWNET, including the DHCP server. All other nodes will ignore the request except the DHCP server node, which will reply to the request with an IP address allocated from its IP address pool. Other requested parameters are also included in the reply message.
- the reply is sent back to the new device and the new device may use the assigned IP address and other parameters to configure itself.
- each SNOWNET node providing local access services will have its own sub-networks and manage the addressing within these sub-networks.
- each such access service providing SNOWNET node has a DHCP server running for assigning IP addresses to clients connected to its service interfaces.
- a separate sub-network address space is allocated for the backbone interfaces of the SNOWNET nodes.
- the administrator of a routing mode SNOWNET needs to configure the address space of this separate backbone sub-network.
- What need to be configured for each new SNOWNET node are the IP address from the backbone IP address space for its backbone interface, and one IP address block for each of its access service interfaces so the DHCP server can be appropriately configured.
- the first method is a distributed method. After a new SNOWNET node is accepted into the network, it will send an Address Request to the SNOWNET node acting as its EAP Proxy (EP) asking for addresses for its backbone interfaces and address spaces for its local service interfaces. By consulting its routing table for known addresses and address spaces of the SNOWNET, the EP node assigns unused addresses and address spaces to the new node and sends these assignments back to the requesting node.
- EAP Proxy EAP Proxy
- the above address assignment may still conflict with other nodes within the SNOWNET. This is either because of the imperfect knowledge of the EP node about address usage in the whole network or because there are other new nodes at a distant portion of the same SNOWNET requesting addresses from a different EP node at the same time. If such a conflict does occur and is detected later, it is resolved based on the identifier of the nodes involved.
- the SNOWNET node with lower node identifier is able to keep its addresses and the other party needs to relinquish its addresses and go through the address request and selection procedure again.
- a second method of SNOWNET IP address management of the present invention is also described here.
- This is a centralized approach where one SNOWNET node is configured as an IP address management server, which manages an IP address pool for the whole SNOWNET in the same fashion as a standard DHCP server.
- IP address management server which manages an IP address pool for the whole SNOWNET in the same fashion as a standard DHCP server.
- a new SNOWNET node requests IP addresses for its backbone interface and service interfaces, it sends its request to its EP node.
- the EP forwards the request to the IP address management server.
- the server replies with address assignment.
- the address assignments are received by the EP node and forwarded to the new SNOWNET node.
- the reason for the address request and response messages to go through the EP node is that at the time of IP address requesting, the new SNOWNET node has not participated in SNOWNET forwarding algorithm execution, thus it does not have a route to the IP address management server.
- IP addresses Due to the shortage of IP addresses, a common practice is for an administrator to use “private addresses” for computers within the network under his management and apply Network Address Translation (NAT) at gateway nodes.
- NAT Network Address Translation
- the SNOWNET addressing schemes introduced above works with both private addresses and public addresses so the administrator of the SNOWNET may select either method, depending on how many IP addresses are available to allocate for the SNOWNET. If private addresses are used for the SNOWNET, the gateway SNOWNET nodes can be configured to provide NAT functionality.
- SNOWNET 300 data forwarding, including bridging and routing, is now disclosed.
- SNOWNET 300 provides two separate levels of security by using independent shared WPA key management procedures for the backbone communications and the communications between a SNOWNET node 302 and its mobile clients 310 .
- Data packets originating from a source client 310 are encrypted using the local encryption key managed by the SNOWNET node 302 serving this client 310 .
- the packet is received on the AP interface and decrypted by the SNOWNET node 302 .
- the packet is then encrypted again by the SNOWNET node 302 with the encryption key managed by the master authenticator.
- SNOWNET nodes 302 may operate in one of two data forwarding modes: bridging mode and routing mode. Each mode is disclosed herein below.
- SNOWNET nodes 302 When SNOWNET nodes 302 operate in bridging mode, as shown in FIG. 6 , the SNOWNET nodes 302 execute the IEEE 802.1d MAC Bridge protocol, discussed herein above. SNOWNET nodes 302 may be referred to as “SNOWNET bridges” 309 when the SNOWNET nodes 302 are operating in bridging mode.
- SNOWNET bridges 309 execute a spanning tree protocol to configure their forwarding topology within the backbone network 306 .
- the spanning tree protocol for SNOWNET bridges 309 incorporate the IEEE 802.1d protocol, modified such that SNOWNET Bridge ports are a mix of physical and virtual entities.
- the local service access network interfaces of SNOWNET bridges are considered as physical ports by SNOWNET bridges 309 .
- backbone “ports” are virtual and there is one port assigned for each backbone network link. That is, each virtual port is identified by the pair-wise combination of local backbone interface identity and the backbone interface identity on a neighboring bridge.
- the communication between a bridge and all its neighboring bridges may share the same physical interface, as occurs in a broadcast link.
- All ports, virtual or physical, are identified before SNOWNET nodes 302 start the spanning tree protocol.
- the status of active ports is monitored constantly by a combination of passive traffic listening and active probing. If the status changes, the reconfiguration operation of the spanning tree protocol is executed.
- SNOWNET bridges 309 After SNOWNET bridges 309 form a spanning tree, the SNOWNET bridges 309 enter the learning and forwarding phase. In learning, each bridge 309 remembers through which port each endpoint MAC address can be reached.
- FIG. 6 shows an example of a SNOWNET network 300 with a spanning tree created atop of the SNOWNET backbone network 306 .
- the spanning tree includes SNOWNET nodes 302 configured as SNOWNET bridges 309 .
- the SNOWNET backbone network 306 comprises SNOWNET bridges 309 (B 1 , B 2 , and B 3 ), which provide local access services (AP 1 , AP 2 , and AP 3 , respectively) for clients 310 (C 1 through C 5 ).
- FIG. 7 is a table of SNOWNET Bridging Table 400 Contents.
- Each SNOWNET bridge 309 of FIG. 6 includes a SNOWNET Bridging Table 400 stored in data storage memory 404 as shown in FIG. 7 .
- the table 400 of FIG. 7 illustrates what is stored in each bridge's table after the topology learning phase is complete.
- the “port” column in standard MAC bridges is replaced by two columns in SNOWNET bridges 309 : local interface and neighboring interface. These two addresses together identify a SNOWNET “bridge port”, either logical or physical.
- FIG. 8 shows the IEEE 802.11 Data Frame Address Field contents and possible values of the “To DS” and “From DS” fields 700 .
- the IEEE 802.11 standard refers to the backbone network connecting the APs 104 as a “Distribution System (DS)”.
- DS Distribution System
- AP access point
- C 1 in FIG. 6 the “To DS” bit is set to FALSE while the “From DS” bit is set to TRUE.
- a SNOWNET When a SNOWNET is operating in bridge mode, it uses the frame format specified by the 4 th row of 700 , or the WDS format, for forwarding data over the backbone. Such a data frame is identified if both the “To DS” and “From DS” fields of the data frame are set to 1.
- a SNOWNET bridge 309 will always forward data frames for clients C attached to its local access service.
- SNOWNET bridge B 2 will forward data frames for clients C 2 and C 3 . If both the source (for example, C 2 ) and destination (for example, C 3 ) of a data frame are using its local network access service AP 2 , the data frame is forwarded directly over the local access interface AP 2 .
- their address fields are set as specified by the 802.11 protocol standard. Its “To DS” field is set to 1 while the “From DS” field is set to 0.
- the first address is the BSSID of the access point to which the mobile client C attaches, which in SNOWNET 300 is provided by the local service access interface of the SNOWNET bridge.
- the second field contains the mobile client's own address while the third address is the address for the destination client C.
- the fourth address is left unused.
- the SNOWNET network 300 of the present invention uses this format for client C to SNOWNET bridge 309 communications.
- the SNOWNET bridge B 2 After the first SNOWNET bridge 309 (for example B 2 ) receives a data frame from one of its clients (C 3 ) that is destined for a device (such as client C 1 ) not attached to the bridge B 2 , the SNOWNET bridge B 2 reformats the frame to be forwarded through the backbone network 306 . It uses the WDS format by setting both “to DS” and “from DS” fields to 1, with the destination and source fields set to the MAC addresses of the destination and source clients. The transmitter address is set to its own backbone interface address and the receiver address is set to the backbone interface address of the next hop SNOWNET node towards the destination. Which SNOWNET node is the next node towards a particular destination can be found out from the Bridging table 400 .
- a SNOWNET bridge Upon receiving a data frame forwarded by a SNOWNET bridge (for example, B 2 ), a SNOWNET bridge (for example B 3 ) decides if it will further forward the frame by using a mechanism similar to the filter mechanism of IEEE 802.1d.
- a SNOWNET bridge B 3 will only forward a data frame when the previous forwarder (the SNOWNET bridge from which the bridge received the data frame, as identified by the transmitter address field in the WDS data frame 700 , such as B 2 ) is listed as an active neighbor bridge and the destination and the source of the data frame are on different sides of the bridge as indicated by the bridging table 400 (i.e., the destination and the source are listed as reachable via different ports).
- the bridge updates the transmitter address in the data frame to the address of its own transmitting (backbone) interface and the receiver address to the next SNOWNET bridge's backbone interface address.
- each SNOWNET node participating in the forwarding modifies the transmitter and receiver addresses accordingly and keeps the source and destination address unchanged.
- the source and destination addresses are also used in updating the Bridging tables 400 on SNOWNET nodes in the same way the standard IEEE 802.1d learning procedure updates bridge tables.
- the data frame is converted again to the “from DS” type of data frame in the appropriate format and sent to the destination client C 5 .
- An advantage of running SNOWNET 300 in bridge mode is to simplify network layer roaming and Internetwork Protocol (IP) address management. Since an entire SNOWNET 300 typically shares the same IP address space, there is no need for each SNOWNET bridge 309 to manage client IP addresses. One dedicated DHCP server within the SNOWNET 300 can serve the whole network 300 . When a client C moves from one AP coverage area to another, there is no need to change its IP address. Other advantages of this situation include the simplified support of multicast and other link layer management protocols.
- IP Internetwork Protocol
- the Bridging Table 400 (shown in FIG. 7 ) corresponds to a per-host routing table, such a method may not scale well when the size of the SNOWNET network 300 grows.
- a spanning tree forwarding topology limits the shape and efficiency of data forwarding paths. In some cases the shortest forwarding path between two communicating clients cannot be used because their links are not part of the spanning tree. This is frequently the case in broadcast environments.
- bridges 309 update their address databases 400 and spanning tree by periodically exchanging “heartbeat” messages.
- the backbone 306 topology changes or a client C changes its attached AP it may take a relatively long period of time for the network to converge to a new state that reflects the new topology and attachments. Data packets may be lost during this transient period. In the worst case, the updates may not be able to catch up with the changes in the topology and the network becomes unstable.
- the SNOWNET bridge mode is relatively simple, but it is best suited for small and moderately dynamic SNOWNETs 300 .
- SNOWNET 300 in routing mode, however, overcomes the above-mentioned problems of Bridging mode.
- SNOWNET routing includes link state routing for the multi-hop backbone network 306 in which a node 302 periodically detects it neighbors and updates its known topology with new neighbor information. The node 302 then sends out its updated topology to its neighbors 302 . After receiving a new topology from a neighbor, the node 302 updates its known topology with the new information. Every time the topology is updated, the routing algorithm computes new routes and makes corresponding changes to the routing table if necessary.
- each SNOWNET node 302 is identified by its IP address and IP subnet mask. Each subnet attached to a SNOWNET node 302 's access service interface is represented in the topology as a subnet node.
- the SNOWNET node 302 connected to the subnet includes the subnet node 302 in the routing information exchange.
- the Internet 316 is represented as “0” subnet.
- a SNOWNET node 302 also includes the identities of any foreign clients, which are clients with IP address outside of the SNOWNET node 302 's service IP address space as a result of the clients roaming off the service areas of their original SNOWNET service nodes, under its service in the routing information exchange.
- the overall topology includes SNOWNET nodes 302 , subnet nodes, foreign client nodes, and the Internet node 316 .
- a Dijkstra shortest path (fewest hops) algorithm for route computation is used, and a longest match rule for route selection is used.
- SNOWNET nodes 302 When SNOWNET nodes 302 operate in the routing mode, the SNOWNET nodes 302 form a flat routing space over the backbone network 306 (as opposed to hierarchical or clustered approaches). These SNOWNET nodes 302 are referred to as SNOWNET routers when operating in routing mode.
- the backbone network 306 is viewed as a variation of a Mobile Ad hoc Network (MANET) (IETF Mobile Ad-hoc Networks (manet) Working Group and research results on MANET routing algorithms can be borrowed for SNOWNET routing (C. Perkins, E. Belding-Royer, and S. Das, “Ad hoc On-Demand Distance Vector (AODV) Routing”, IETF Internet Draft, Work in Progress, June 2002; D. Johnson, D. Maltz, Y. Hu, and J. Jetcheva, “The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks (DSR)”, IETF Internet Draft, Work in Progress, February 2002; etc.).
- MANET
- SNOWNET 300 represents an important special case within the class of MANETs.
- SNOWNET 300 there are two distinct types of entities in the network that can be mobile: clients 310 and SNOWNET nodes 302 .
- current MANET research treats the whole MANET as a flat routing space in which there is no structure in the MANET topology and each client is a node that participates equally in data forwarding. This typically imposes special requirements to enable MANET functionality on all nodes in the network.
- the special requirements on mobile clients 310 are limited so that users may employ standard typical mobile computers such as Laptops, PDAs and other commercially available devices with standard client communication devices such as widely available 802.11b PCMCIA cards.
- directly applying an existing MANET approach by configuring both clients and SNOWNET nodes 302 as MANET nodes is not a viable solution.
- SNOWNET routers 302 With SNOWNET routers 302 , a hybrid approach is used. In this approach, only the SNOWNET routers 302 are configured as MANET nodes and participate in MANET-like routing algorithms. All router backbone interfaces share the same IP address space and execute the routing protocols and exchange routing information among themselves. Eventually they together build routes for reaching any backbone nodes.
- each SNOWNET router 302 is also allocated mask-able address space segments from which addresses are dynamically assigned to this router's local clients.
- DHCP server software is installed on each router to allocate IP addresses for local mobile clients.
- backbone nodes also advertise for their local service subnets. In other words, the backbone nodes proxy for their local service subnets by including this information in their reachable network list.
- This special requirement requires modifications to a “normal” MANET routing protocol specification by requiring an additional field in the SNOWNET routing protocol messages to include these proxy subnets. This field may include multiple entries and hence is referred to as the “proxy list”.
- each SNOWNET router 302 is responsible for providing a proxy service for a number of “foreign mobile clients”, which are mobile clients 310 currently attached to the router but with addresses outside of the router's address spaces.
- the advertisement of these foreign client addresses is included in the SNOWNET routing protocol message in the same way as the local service subnets, as entries in the proxy list.
- Each SNOWNET router 302 maintains a Routing Table 500 , shown in FIG. 9 .
- the Routing Table 500 specifies the local interface and the neighboring interface to the respective portable network node device that is the next hop-destination in a routing path.
- each routing table 500 there are two types of route entries: subnet routes and host routes.
- the former are aggregated route entries where each entry describes routes for all the hosts within the corresponding address space, expressed in traditional format as a combination of network address and network mask.
- the latter are for the routes towards specific mobile nodes 302 , either the backbone interface of SNOWNET nodes or foreign mobile clients.
- the entries for B 1 , B 2 , and B 3 are host routes for SNOWNET node backbone interfaces
- the entries for C 5 are a host route for a foreign client
- the entries for AP 1 , AP 2 , and AP 3 subnets are subnet routes.
- a longest match rule (W. Doeringer, G. Karjoth, and M. Nassehi, “Routing on longest-matching prefixes, IEEE/ACM Transactions on Networking (TON), Vol. 4, Issue 1, February, 1996) can be applied during route lookups.
- a client C may wander off the service coverage area of one SNOWNET router and move to the coverage area of another SNOWNET router.
- SNOWNET 300 supports client roaming so that there is no data interruption during the change of client attachment.
- IP addresses serve both as identifiers and location indicators. However, when an IP address is assigned to a mobile client 310 , these two properties contradict each other when the mobile client changes its attachment. In one embodiment, the IP address should the same so that the integrity of the client identity is maintained. In another embodiment, the client should acquire a new address to reflect its current network access attachment for efficient routing.
- the SNOWNET router 302 solves this problem by allowing two types of routes to co-exist. For those clients 310 who stay with their original SNOWNET routers, the subnet routes for their subnets represent their routes. There is no specific route for each individual client of this type. For those clients who have left their original subnet and become “foreign clients” for other routers, each routing table explicitly lists their routes. Because of the support for “foreign mobile client”, there is no need for the client to acquire a new IP address in the address space of its current attachment environment while it is still within the SNOWNET 300 .
- the mobile client 310 When a mobile client 310 moves to a new subnet, the mobile client 310 informs its previous router 302 about its new attachment by forwarding to its previous router 302 a Routing Update Message 600 (an example of which is shown in FIG. 10 ).
- FIG. 10 shows a Routing Update Message 600 , also referred to as a notification, in which a mobile client 310 notifies its previous service SNOWNET node 302 about the address of its current service SNOWNET node.
- the message 600 includes the identities of the three parties involved in the activities, as well as security related information such as a certificate encrypted using the client's private key and the previous service SNOWNET node's public key.
- This notification 600 shortens the time period or gap between the time the client breaks off from its previous router and the time its new route is inserted into every routing table in the backbone network. During this time period, data packets destined for this mobile client 310 is delivered towards the client's previous service router 302 and the previous service router 302 is not able to further forward data packets to the mobile client. With the notification, the previous router is able to forward data packets to the new router before all routing tables 500 on involved SNOWNET routers are updated. Such a notification 600 will not totally eliminate the gap, but significantly reduces the duration of the gap to the period from the time the client breaks off from its previous router to the time that the client's Routing Update Message 600 arrives at its previous service router.
- Each router 302 may optionally cache data packets for a client 310 if the data packets cannot be delivered to the clients. Once the notification 600 about the client's new router 302 arrives, cached data packets are forwarded to the new router 302 . Also, upon receiving such a notification 600 , if the client 310 is a foreign client on its previous router 302 , the client 310 is removed from the previous router's “foreign client” list.
- a foreign client in SNOWNET 300 is served differently by the network from how a mobile client 310 is served by a foreign agent as specified in the well known Mobile IP (C. Perkins, “IP Mobility Support”, IETF RFC 2002, October, 1996).
- Mobile IP when a mobile client is attached to a network other than its home network, the mobile client acquires a local IP address, termed “foreign address”, from its current network.
- the network to which the mobile client currently attaches is known as the “foreign network”.
- the mobile client always maintains its address on its home network. This address is known as the mobile client's home address or permanent address. When other hosts on the Internet want to communicate with the mobile client, they will address their communications using the mobile client's home address.
- the mobile client When the mobile client is on a foreign network, it receives incoming traffic with the help of an entity on its home network, its home agent. Incoming traffic is sent to the mobile client's home network by the Internet. Then the home agent captures the packets for the mobile client and forwards them to the mobile client's current location using its new local address. For this scheme to work, the mobile client is required to report its local address on a foreign network to its home agent. By using two addresses (home address and foreign address) simultaneously, the Mobile IP solves the conflict between the attachment and identity purposes of addressing.
- SNOWNET 300 of the present invention there is no need for a mobile client 310 to receive a new IP address.
- the mobile client enters SNOWNET 300 for the first time, the mobile client receives an IP address from the SNOWNET node 302 it is associated with.
- the network 300 is capable of forwarding data for specific hosts, it is not necessary for a mobile client to obtain new foreign address when it moves to the coverage area of a SNOWNET node 302 that is different from its initial node.
- the network 300 propagates routes for the mobile client reflecting its current attachment.
- SNOWNET 300 has such a capability because it operates on a scale that is much smaller than the Mobile IP's environment. Thus SNOWNET 300 can install per-host routes in the network for these mobile clients.
- SNOWNET 300 can easily support Mobile IP as well.
- a Mobile IP-capable mobile client may simply report its SNOWNET address to its home agent as its foreign address. This results in more efficient operation of Mobile IP in a SNOWNET 300 environment.
- SNOWNET comprises a mobile network solution which provides secure and portable wireless networking service to mobile users with devices equipped with wireless network interfaces.
- the Secure Nomadic Wireless Network, or SNOWNET follows a hierarchical approach. Special SNOWNET nodes are deployed in the area where networking service is needed and form a backbone network. At the same time, SNOWNET nodes provide local access service to regular mobile clients.
- the SNOWNET of the present invention is portable and can be rapidly deployed in an environment where there is no existing networking infrastructure.
- SNOWNET is secure.
- SNOWNET extensions to the WPA algorithm all traffic transmitted within SNOWNET is highly protected.
- SNOWNET also provides an enhanced scheme for transferring authentication and security during handoff to support smooth, rapid mobile client roaming.
- SNOWNET offers two operation modes for automatically forwarding messages and that provide seamless roaming between different local service cells.
- SNOWNET can be used in several different scenarios. Here are some examples. SNOWNET can be setup as a secure fast-deployable standalone networking infrastructure to provide instant networking services to a field where there is no trusted networking environment. Typical usages may include battle field situations, disaster relief operations, scientific exploration tasks, and robotics applications. SNOWNET can be installed as a cost-efficient multi-hop wireless LAN to provide wireless networking coverage for any organization or in any home. With a flexible, multi-hop, self-organized, and self configured wireless backbone, SNOWNET saves customers costs for cabling, installation and maintenance. SNOWNET may also be used as a stub network to connect isolated LANs to an organizational network. For instance, a school may use SNOWNET to “glue” a LAN installed in a remote building to its existing campus network.
- a new routing algorithm that is a hybrid approach based on traditional MANET routing algorithms.
- the system also includes permanent or removable storage, such as magnetic and optical discs, RAM, ROM, etc. on which the process and data structures of the present invention can be stored and distributed.
- the processes can also be distributed via, for example, downloading over a network such as the Internet.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Small-Scale Networks (AREA)
Abstract
A wireless computer network includes a backbone network including backbone network nodes authenticated to each other and in communication with each other. The wireless computer network also includes a master authenticator node and a proxy authenticator node among the backbone network nodes. When an unauthenticated new node requests authentication to the backbone network and the unauthenticated new node is in communication with at least one of the backbone network nodes, the at least one of the backbone network nodes becoming the proxy authenticator node for the unauthenticated new node and communicates with the master authenticator node to authenticate the unauthenticated new node to the backbone network.
Description
- This application is related, and claims the benefit of priority, to U.S. Provisional Patent Application Ser. No. 60/507,934, filed Oct. 3, 2003, in the U.S. Patent and Trademark Office, the contents of which are incorporated herein by reference.
- This application is related to, and claims the benefit of priority to, U.S. Provisional Patent Application Ser. No. 60/428,700, filed Nov. 25, 2002, in the U.S. Patent and Trademark Office, the contents of which are incorporated herein by reference.
- This application is a Continuation-In-Part of U.S. patent application Ser. No. 10/463,857, filed Jun. 18, 2003 in the U.S. Patent and Trademark Office, the contents of which are incorporated herein by reference and priority to which is claimed.
- 1. Field of the Invention
- The present invention is related to using multi-hop wireless networks to provide network access services, and, to a particular security scheme for a multi-hop wireless access network.
- 2. Description of the Related Art
- The IEEE 802.11 standard (“Part 11: Wireless LAN Medium Access Control (MAC) and physical layer specifications”, IEEE, 1999, and including all variations) is known in the art. In the current 802.11 WLAN architecture, mobile clients connect wirelessly to Access Points (APs) to acquire connectivity to a backbone network to which the APs are attached. The backbone network is typically wired and is then connected to the rest of the organizational network.
- The WLAN architecture is ideal for network administrators who wish to wirelessly extend the boundary of their existing wired campus or corporate networks and to provide campus-wide mobility support. Under this architecture, mobile clients are no longer constrained by network cables and wall jacks as long as they maintain direct wireless contacts with some AP. Due to a number of dynamic configuration protocols such as the DHCP, mobile clients can easily join the WLAN with little or no user configuration effort. A user can move freely within the coverage area of the APs. When the user moves across the boundaries of the service areas of APs, WLAN and bridge protocols can update the link layer connectivity for the user so that on going communication sessions are not interrupted by the handoff and actual communication carrier (radio frequency) switch.
- While mobile clients can enjoy the convenience of wireless network connectivity, on the other hand, it is not a trivial task to deploy a WLAN. APs need to be interconnected via a backbone network, typically a wired LAN. Therefore network cables must be installed to connect the APs to the existing network infrastructure. Electrical wires must also be in place to supply operating power to the APs. In addition, in order to determine the locations for the APs, WLAN planners need to predict wireless usage and conduct site surveys to determine the radio propagation characteristics. Operating channels also need to be allocated to each AP to keep the interference between neighboring communication cells to a minimum. After the deployment, it becomes another costly task to change the placement of the APs since the cables and wires need to be changed as well. If the usage pattern changes, oftentimes the WLAN is not able to be dynamically reconfigured to adapt to the changes.
- Another problem with the existing IEEE 802.11 WLAN lies in its current security mechanism. In a WLAN, all transmitted bits are delivered over the air, which is an open communication medium to which anyone has access if he/she is within the radio signal range and has a radio device capable of receiving WLAN radio signals. Thus, encryption must be applied to sensitive data so that only the intended recipients can reconstruct and comprehend the data.
- The IEEE 802.11 standard relies on the Wired Equivalency Privacy (WEP) protocol for its data protection. WEP uses a shared secret key of 40 bits (or 104 bits in a later version). A 24 bit Initial Vector (IV) is concatenated with the shared key to create a 64 bit (or 128 bit in the later standard) seed. The seed is then fed to a RC4 Pseudo Random Number Generator (PRNG) to generate a random bit sequence, which is used as the frame encryption key stream. The IV may be changed for every data frame encrypted so that the seed for the RC4 PRNG is different for every data frame. Thus, a different key stream is generated for encrypting each data frame. The IV is enclosed as clear text in each data frame so that the receiver may concatenate the received IV with the shared secret key to produce the RC4 PRNG seed and compute the decryption key stream. However, due to the limited IV size, there are only 2{circumflex over ( )}24, about 16 million, distinct key streams. Given the size of an average data frame and the transmission rate supported by IEEE 802.11, a busy AP may exhaust the distinct key stream space very quickly and be forced to reuse the encryption key stream. Since the IVs are enclosed as clear text in each data frame, it is relatively easy for an attacker to recognize a reused key stream. The attacker may collect pieces of cipher text that are encrypted with the same key stream and perform statistical analysis to attack and recover the plaintext. An attacker may also build up a dictionary of all possible key streams. In addition to vulnerabilities to these types of attacks, the security research community has also identified other weaknesses of the WEP protocol (N. Borisov, I. Goldberg, and D. Wagner, “Intercepting Mobile Communications: The Insecurity of 802.11”, MOBICOM 2001, 2001).
- The authentication scheme of IEEE 802.11 also has known problems that are related to the weaknesses in its encryption scheme. IEEE 802.11 APs provide two methods to protect against unauthorized accesses: Medium Access Control (MAC) address filtering and WEP-based shared-key authentication. A MAC address filter simply drops all data frames whose destination or source addresses are not listed in a pre-defined “allowed list”. However, because MAC addresses can easily be sniffed and forged by any attacker, the MAC address filter offers little protection against unauthorized network accesses. The shared-key authentication process involves both parties (named initiator and responder) encrypting the same challenge using WEP with the same shared-key but different IVs. Since the shared-key authentication algorithm authorizes network access to those who have the shared-key, it would be effective only if unauthorized parties cannot recover the shared-key. However, with WEP being breakable, the shared-key authentication becomes only an illusion.
- Also known in the art is the IEEE's 802.11i (802.11i, IEEE 802.11 Task Group I, work in progress) standard, which is developed to replace the current WEP based security mechanism of the 802.11 WLAN. The IEEE's 802.1x (Port Based Network Access Control) standard (“Port-Based Network Access Control”, IEEE, 2001), which is used as a component of 802.11i, specifies an architectural framework that is designed to provide user authentication, network access control, and dynamic key management. Within the IEEE 802.1x framework, a system can use various specific authentication schemes and algorithms. The actual algorithm that is used to determine whether a user is authentic is left open and multiple algorithms are possible. One known popular algorithm is the Remote Authentication Dial In User Service (RADIUS) (IETF RFC 2965, June 2000).
- In addition, the Extensible Authentication Protocol over LAN (EAPOL) and other variations of the Extensible Authentication Protocol (EAP), L. Blunk and J. Vollbrecht, “PPP Extensible Authentication Protocol (EAP)”, IETF RFC 2284, March, 1998) are known in the art due to their roles in the IEEE 802.1x and 802.11i protocols. EAP is built around the challenge-response communication paradigm that is common in network security solutions. Although originally designed as an authentication method for PPP connection, it can also be used for a wide range of LAN types such as Ethernet, token ring, or WLANs.
- The IEEE 802.1x protocol is briefly explained. The IEEE 802.1x is a port-based, access control framework for wired or wireless networks that decides whether a client is authorized to use the network access service and then implements the decision. There are three types of entities in the IEEE 802.1x framework: supplicants, authenticators, and an authentication server. A supplicant is a client who wishes to use the network access service. An authenticator is a device which separates the supplicant from the rest of the network, i.e. an AP, and prevents unauthorized access. The authentication server is a backend server which makes the decision of granting or denying the supplicant's request. After the decision, the authenticator either blocks the supplicant's data traffic or lets it pass through.
- IEEE 802.1x messages are transmitted using two versions of the EAP over two types of connections: 1) the link layer (LAN or WLAN) connections between the authenticators and supplicants and 2) the transport layer connections between the authenticators and the authentication server. For the first type of connection, IEEE 802.1x defines the Extensible Authentication Protocol over LAN (EAPOL). For the second type of connections, although the IEEE 802.1x does not define its own protocol, installations have been using a protocol based on the specifications defined by the “EAP over RADIUS” standard (C. Rigney, W. Willats, and P. Calhoun, “RADIUS Extensions”, IETF RFC2869, 2000). The Remote Access Dial-In User Services itself is defined in (C. Rigney, W. Willens, A. Rubens, and W. Simpson, “Remote Authentication Dial In User Service (RADIUS)”, IETF RFC2865, 2000).
- A typical IEEE 802.1x authentication session starts when the client (supplicant) sends an EAPOL-Start message to an access point (authenticator) indicating its interest in using network access service. Upon receiving this message, the authenticator sends back an EAP-Request/Identity message. The supplicant must respond with an EAP-Response/Identity message. After receiving the supplicant's identity, the authenticator then needs to contact the authentication server by forwarding the supplicant's identity response to it. From this point on, the authentication message exchanges are between the supplicant and the authentication server. The details of the message exchanges depend on the actual authentication (referred to as Upper Layer Authentication or ULA) algorithm being used. The IEEE 802.1x supports a number of such ULA mechanisms such as the Transport Layer Security (TLS) (T. Dierks, and C. Allen, “The TLS Protocol Version 1.0”, IETF RFC2246, 1999) and the Kerberos V5 (J. Kohl, and C. Neuman, “The Kerberos Network Authentication Service (V5)”, IETF RFC1510, 1993). Although all ULA messages pass through the authenticator, the authenticator needs not understand any of them. At the end of the authentication sequence, the authentication server makes a decision of either granting or denying the supplicant's access request. The decision is sent to the supplicant in an EAP-Success or EAP-Failure message. When the authenticator is forwarding this final Success/Failure message to the supplicant, it too understands the message and hence executes the decision to either allow or block the supplicant's data traffic.
- WPA′ method of using keys is now explained. Instead of using a single shared key for everything, WPA uses four 128-bit keys for protecting each pairwise communication: one pair of keys for protecting data encryption and data integrity and one pair of keys for protecting the communication between the two devices during their initial handshake. Collectively these four keys together are known as the Pairwise Transient Keys (PTK). Similarly each one-to-many group communication session is also protected by a Group Transient Key (GTK). The transient keys are changed for every data packet sent.
- Despite the fact that so many keys are used, WPA only requires the configuration of one single key, the master key, for each pair of communicating devices or each group communication source. All other keys are derived from the master keys. Such a key organization is called a key hierarchy. In WPA, the pairwise master keys are a by-product of the authentication process as they are the session keys established by the RADIUS server at the end of the authentication procedure. Group master keys are separately selected by the group communication sources.
- The PTKs are never exchanged between a pair of communicating nodes. Instead, they are computed independently by these two nodes. A four-way handshake is designed as part of TKIP to exchange the PTK computing parameters between a pair of nodes. The key generating parameters include such values that with extremely high confidence, the resulting transient key will be different for every time and every pair of nodes. At the end of this four-way handshake, both sides will have the same key generating parameters so they can generate the same PTK. Also proven during the handshake is that both sides know the same master key and therefore mutual authentication is achieved. After the PTKs are computed, GTKs are computed only by group communication sources and delivered to receivers via the already secured pairwise communications between the sources and receivers. GTKs may need to be re-computed and re-distributed from time to time due to group changes.
- The data encryption keys of the PTKs and GTKs are then used by TKIP to generate a per-packet key, which is sent to an RC4 algorithm along with an IV to generate the key stream. Unlike in WEP where the shared key is used directly by RC4, TKIP performs per-packet key mixing and only the result is used by RC4. Hence the data encryption key of TKIP is much better protected. In addition the TKIP IVs are 48 bits long. With such a huge IV space, IV collision is not expected to occur and known weak keys can also be avoided. The IVs are also used by TKIP as data frame sequence numbers to prevent replay attacks.
- The following is a description of 802.1x-based authentication and dynamic encryption.
FIG. 1 shows the components involved in IEEE 802.1x authentication operations. In aWLAN 100 with IEEE 802.1x, a client (also known as a supplicant) 102 requests access service to an AP (or an authenticator) 104. TheAP 104 opens an unauthorized port for the client 102, which only allows EAP messages to or from the supplicant (client) 102 to pass through. Through this unauthorized port, the supplicant 102 exchanges EAP messages with theauthenticator 104 and theauthentication server 106, which is a backend server executing the authentication algorithms. At the end of the authentication algorithm, theauthentication server 106 returns an “accept” or “reject” instruction back to theauthenticator 104. Upon receiving an “accept” message, theAP 104 opens the regular network access port for the client 102 to allow normal traffic for this client 102 to go through. - Also known in the art is the Wi-Fi Protected Access (WPA). WPA is a subset of the IEEE 802.11i standard, which only contains the authentication process and an encryption algorithm known as the Temporal Key Integrity Protocol (TKIP). Since WPA can be supported by most current WLAN hardware chipsets, it is considered the transition standard towards full IEEE 802.11i compliance, which requires new chipset and hardware design.
- The WPA specification does not handle ad hoc links. Only its superset standard, IEEE 802.11i, contains any specifications for providing security to ad hoc links, and in this each ad hoc link is managed individually. The IEEE 802.1x type of authentication is not used, as ad hoc links are thought to be typically created in an infrastructureless network where there would rarely be a RADIUS server available. Two devices interested in communicating via an ad hoc link must have a “pre-shared” key. This key, typically configured manually, is used as the master key in the subsequent WPA transient key generation. The device with lower MAC address will act as the supplicant and initiate the 4-way WPA key material exchange handshake. After the handshake is completed, each end sends its own group key to the other end.
- IEEE 802.1d MAC Bridge protocol (“Part 3: Media Access Control (MAC) Bridges”, IEEE, 1998 (IEEE 802.1d); “Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid Reconfiguration”, IEEE, 2001 (IEEE 802.1w)) is known in the art.
- IEEE 802.1d employs a spanning tree protocol, which is its method of forming a packet forwarding topology while preventing forwarding loops within a network of bridging devices. In an arbitrarily connected network, each bridge includes multiple ports. These ports are attached to a number of LAN segments. Among all bridges in a network, one bridge acts as the “root” of the spanning tree. It is the bridge with the highest priority bridge identifier (the priority identifier of a bridge is either derived from the unique ID of the bridge, which is typically the lowest MAC address among those of the bridge's ports, or configured by the network administrator).
- In this protocol, each bridge uses each of its ports to report the following to its neighboring bridges: its own identity, the identity of the transmitting port, the identity of the bridge that the transmitting bridge believes to be the root, and the cost of the path from the transmitting port to the root bridge. Each bridge starts by assuming itself to be the root. If a bridge receives information that is “better” than what it currently has, it will re-compute its information based on the newly received information and then send out updated control messages to its neighboring bridges. What is considered “better information” includes information such as a bridge being a better root (with higher priority bridge identifier), a shorter path towards the root, lower cost routes, etc. Eventually through information propagation, all bridges learn the active spanning tree topology and configure their ports to forward data frames accordingly. On each bridge, the port that is the closest to the root is known as the “root port”. On each LAN segment, the bridge that can provide the shortest path towards the root is known as the “designated bridge” for the LAN segment.
- Further known in the art are additional standard network protocols and schemes such as DHCP, NAT, ARP, reverse ARP and Proxy ARP.
- The present invention provides methods and apparatus for constructing secure, portable, wireless, and multi-hop networks to provide wireless data access service.
- A multi-hop wireless access network can provide a rapidly deployable, mobile communications infrastructure that is suitable for many applications such as home or office networks, emergency response networks and sensor network scenarios. Such a network based on popular wireless local area network (WLAN) protocols can be economically built, allowing client devices such as cell phones, PDAs or sensors equipped with standard WLAN network interface components to communicate beyond their own communication ranges. However, automated configuration and self-organized data forwarding mechanisms and improved security for these extended multi-hop WLANs are required.
- The present invention is explained with reference to the Secure Nomadic Wireless Network (SNOWNET), a secure, portable wireless multi-hop network, but is not limited to use with the SNOWNET and is applicable to wireless networks in general.
- Briefly, the secure, portable, wireless, and multi-hop network is referred to as the Secure Nomadic Wireless Network (SNOWNET), which implements a collection of access networks interconnected via a wireless ad hoc backbone network. The SNOWNET is a hierarchical network with a dynamic wireless ad hoc backbone network interconnecting a number of local access service areas. The wireless ad hoc backbone network is formed by a number of SNOWNET nodes. Each SNOWNET node includes a router that has both an access service and a wireless backbone interface. The backbone network is automatically formed and configured as an ad hoc network among the routers using MANET-style routing schemes for data forwarding.
- It is an aspect of the present invention to configure the backbone network of the SNOWNET and organize data forwarding within the SNOWNET so that a SNOWNET can be quickly deployed in any area, regardless of the existing communication and power infrastructure, to provide secure network connectivity to authenticated mobile clients. Specifically, the installation process can be reduced to the placing of SNOWNET nodes in the field of operation, powering them up, and optionally orienting the external antenna attached to these nodes to connect to other SNOWNET nodes. Any configuration parameters, such as the identity of neighboring devices, address assignments and message routes, will be determined autonomously by the collaborative operations of a set of such SNOWNET nodes. The communications between SNOWNET nodes as well as between SNOWNET nodes and mobile clients will be secure. Only authorized devices (both SNOWNET nodes and mobile clients) are allowed to access and be served by the SNOWNET.
- It is an aspect of the present invention to extend the WPA protocol for security on an IEEE 802.11 WLAN to operate on an ad hoc wireless multi-hop network.
- More particularly, it is an another aspect of the present invention to provide a method of authenticating a new node to a secure multi-hop ad hoc wireless network using an existing wireless network node as a proxy to authenticate the new node to a master authenticator and authentication server.
- The present invention includes a self-organized security method to provide data protection through encryption of the data, and authentication for client users such as attached sensor devices and for SNOWNET nodes that may dynamically join and exit from the backbone network.
- The present invention includes a method of applying the WPA protocol beyond a single-link case to a store-and-forward wireless network. The extended WPA protocol is included in a SNOWNET system as a modification to the security aspect of SNOWNET as disclosed in U.S. patent application Ser. No. 10/463,857, and U.S. Provisional Application No. 60/428,700, the contents of all of which are incorporated herein by reference.
- That is, the present invention includes a computer network, a method, and a computer-readable medium including a backbone network including backbone network nodes authenticated to each other and in communication with each other. The configuration of the backbone network and the organization of data forwarding within the backbone network are self-organized. Each node may be connected to a wireless access network to which clients may attach. Data can be forwarded between clients and nodes within the overall network consisting of the backbone network and all access networks attached to backbone nodes, as well as any external networks to which backbone nodes may connect.
- The above computer network also includes a master authenticator node and proxy authenticator nodes among the backbone network nodes. When an unauthenticated new node requests authentication to the backbone network and the unauthenticated new node is in communication with at least one of the backbone network nodes, the at least one of the backbone network nodes becoming the proxy authenticator node for the unauthenticated new node and communicates with the master authenticator node to authenticate the unauthenticated new node to the backbone network.
- These together with other aspects and advantages which will be subsequently apparent, reside in the details of construction and operation as more fully hereinafter described and claimed, reference being had to the accompanying drawings forming a part hereof, wherein like numerals refer to like parts throughout.
-
FIG. 1 is a diagram of a wireless local area network (LAN) with IEEE 802.1x. -
FIG. 2 of system architecture of the present invention. -
FIG. 3 shows a diagram of the hardware architecture of aSNOWNET node 302 of the present invention. -
FIG. 4 is a diagram of the software components of a node of the present invention. -
FIGS. 5A and 5B are diagrams of SNOWNET implementation of IEEE 802.1x. -
FIG. 5C is a diagram of messages exchanged during authentication of a new node in the present invention. -
FIG. 6 is a diagram of an example of a SNOWNET spanning tree of the present invention. -
FIG. 7 is a diagram of a SNOWNET Bridging Table contents. -
FIG. 8 is a diagram of IEEE 802.11 Data Frame Address Field Contents. -
FIG. 9 is a diagram of a SNOWNET Routing Table contents. -
FIG. 10 is a diagram of Routing Update Message Contents. - The authentication method of the present invention is applicable to wireless networks in general, and, more particularly, to the Secure Nomadic Wireless Network (SNOWNET) disclosed in U.S. Provisional Patent Application No. 60/507,934, U.S. patent application Ser. No. 10/463,857, and U.S. Provisional Application No. 60/428,700, the contents of all of which are incorporated herein by reference.
- Although the authentication method of the present invention is disclosed with reference to SNOWNET, the authentication method of the present invention is not limited to such implementation.
- A brief overview of SNOWNET is now presented, with disclosure of the application of the present invention to SNOWNET following.
- The Secure Nomadic Wireless Network (SNOWNET) is a wireless access network technology that is portable, rapidly deployable, and secure. SNOWNET combines a wireless multi-hop backbone network with infrastructure-mode IEEE 802.11 network access services. SNOWNET router nodes may have multiple WLAN radios and are used as both standard WLAN Access Points (APs) and backbone routers.
- One advantage of using SNOWNET is that in order to extend WLAN coverage to a new area that does not have an existing infrastructure network, new SNOWNET nodes need only to be deployed in the new coverage area and will automatically form a wireless multi-hop data forwarding network connecting the new area to the rest of the SNOWNET. At the same time these new SNOWNET nodes provide AP access service to their coverage areas. Clients or sensor devices that are equipped with standard IEEE 802.11 client network interface cards, attach to a nearby SNOWNET router providing access service.
- SNOWNET forwards the client or sensor data within the network or to gateway routers. SNOWNETs are applicable to SoHo WLANs, sensor and surveillance networks, emergency responder communications, embedded WLAN networks, and hotspots extensions where cabling is not feasible.
- The present invention provides a high level of security in SNOWNET for clients, devices such as sensors, and for the multi-hop backbone network. The present invention supports standard WLAN network interface devices as clients without requiring modifications to clients and self-organizes the backbone network for ease of deployment and portability. The present invention includes extensions to the typical link-based security mechanisms that are required to operate in a multi-hop environment.
- The architecture of the SNOWNET, the functions and design of SNOWNET nodes, and the protocols executed by SNOWNET nodes, of the present invention are now disclosed, with reference to
FIGS. 2-10 . -
FIG. 2 illustrates the architecture of aSNOWNET system network 300 of the present invention. EachSNOWNET node 302 is equipped with at least one wireless network interface, which is used for communications betweenpeer SNOWNET nodes 302.Links 304 are formed betweenSNOWNET nodes 302 dynamically if wireless communication can be established between them. The network including only theSNOWNET nodes 302 and thelinks 304 between them are referred to as theSNOWNET backbone network 306. The interface dedicated by eachSNOWNET node 302 for backbone communication is referred to as the backbone interface. Optional external antennas may also be used to extend the communication range of the backbone interfaces. - In addition to backbone interface(s), as shown in
FIG. 2 , aSNOWNET node 302 is typically equipped with additional interfaces to provide local network access services tomobile clients 310. InFIG. 2 , all threeexample SNOWNET nodes 302 have at least two wireless interfaces, one for backbone communications, and the other for providing local access services. The local service interface can be of any LAN technology such as an IEEE 802.3 network interface, an IEEE 802.11 interface running in AP mode, Bluetooth, etc. The interface dedicated by aSNOWNET node 302 for client communication service is referred to as the service interface. - When a
SNOWNET node 302 is equipped with wireless service interface(s), it provideswireless client coverage 308 forclients 310 within its service interface's wireless communication coverage. This is referred to as theSNOWNET node 302 providing Local Access Service for theclients 310 in its coverage area. If aSNOWNET node 302 is equipped with a wired LAN interface such as an IEEE 802.3 (Ethernet) interface, it is also possible for such aSNOWNET node 302 to provide wired local access service to clients with a matching wired communication interface via a wired Local Area Network (LAN) connected to the Ethernet interface of theSNOWNET node 302. This traffic would then be forwarded on the wireless backbone network, thus SNOWNET is capable of wirelessly connecting multiple wired networks. - There are many ways to organize the
SNOWNET backbone network 306. The preferred method is to configure the communication technology used by the backbone interfaces of theSNOWNET 300 to run under peer-to-peer (also called Independent Basic Service Set, or IBSS) mode. In the case of using IEEE 802.11 network interfaces as the backbone interfaces, the interfaces should run in 802.11 Ad Hoc mode. Optional external antennas may be used to extend the communication range of the backbone interfaces. There are also special cases providingdifferent backbone network 306 configurations. For instance if thebackbone network 306 forms a “star” topology, the backbone interface of the center node may be configured as an access point (AP) and backbone interfaces of the other nodes as clients. - It is not necessary for all
links 304 of thebackbone network 306 to use the same link technology. Nodes with backbone interfaces of the same technology may form sub-backbones. Sub-backbones are connected together to form theoverall backbone network 306 bynodes 302 with multiple backbone interfaces of different technologies that are simultaneously residing on multiple sub-backbones. - Some SNOWNET nodes may also have an additional network interface(s) 312 connected to the rest of an organizational network (e.g. the corporate headquarter network), the global Internet or some other external network. These nodes, called SNOWNET gateways act as gateways for the
SNOWNET 300 to reach the Internet or other external networks. These links may be of various link technologies, e.g. an Ethernet cable connected to a LAN for a fixed-group network, a wireless LAN interface to an AP, a Point-to-Point Protocol (PPP) connection, or a 3G wide-area wireless communication interface, etc. - Some network interfaces of the
SNOWNET node 302 may even be virtual interfaces. For instance, a physical interface may be multiplexed or time-shared to create multiple virtual interfaces that can be used for different purposes. For example, theSNOWNET node 302 of the present invention may allow algorithms to be built so that the same IEEE 802.11 interface may run in ad hoc mode in some time slots to act as the backbone interface and in AP mode in other time slots to act as the local access service interface. Moreover, a SNOWNET node may dynamically change one of its AP interfaces to a backbone interface or vice versa. - Communications in a
SNOWNET 300 are organized into two levels: backbone communication and local access communication. In the bottom level of the two-layerhierarchical network 300,SNOWNET nodes 302 provide access services to sensors and otherregular clients 310 with matching standard network interfaces. Hence,normal clients 310 may connect to SNOWNET 300 in the same fashion as they connect to any other standard wired or wireless LAN. In the top level,SNOWNET nodes 302 form awireless backbone network 306 among themselves. Thus the deployment topology of thewireless network 306 is not constrained by the fixed connections to a wired network infrastructure, permitting changes inSNOWNET node 302 locations. -
SNOWNET nodes 302 relay communication between these two levels. Therefore a typical intra-SNOWNET communication path between two clients receiving local service fromdifferent SNOWNET nodes 302 may include the link between the sourcemobile client 310 and theSNOWNET node 302 serving thesource client 310, a number of SNOWNET backbone links, and finally the link between thedestination client 310 and its accessservice SNOWNET node 302. If the destination is on another external network, then the communication path would include the SNOWNET gateway node that is forwarding traffic for that network. -
Backbone links 304 betweenSNOWNET nodes 302 are dynamically established subject to the communication parameters and range constraints of the physical environment. Through topology information exchange, the SNOWNET data forwarding protocol is able to dynamically adjust and self-organize the data forwarding routes based on the current topology of thewireless backbone 306 and the current attachment distribution ofclients 310. Thus,SNOWNET nodes 302 are portable and the configuration of thenetwork 300 can adapt to changing usage patterns by adding, deleting or moving ofSNOWNET nodes 302. - In an embodiment of the security mechanism of the present invention, an extension to the data forwarding protocol of storing-and-forwarding of IP traffic includes the link layer identities (e.g., MAC addresses) of the
SNOWNET nodes 302 in the topology information exchange and route computation. This enables the extended forwarding protocol to compute routes for data link layer frames even if the destination is several hops (or nodes 302) away. - In an embodiment of the invention, an encapsulation mechanism, called SNOWNET envelopes, forwards data link layer frames across an arbitrary
network layer topology 300. -
SNOWNET Node 302 hardware is now disclosed.FIG. 3 shows a diagram of the hardware architecture of aSNOWNET node 302 of the present invention. - Each
SNOWNET node 302 can be implemented as an embedded system comprising aprocessor 402, system memory (RAM) 403, data storage memory (Flash) 404 for software and security related data such as certificates and keys, one ormore network interfaces 406, and asystem bus 408 connecting these components. Eachnode 302 has a manageable and portable form factor as well as protective casing. Optionally, eachnode 302 may be equipped withexternal antennas 410 to extend the communication ranges of its wireless network interfaces 406. These network interfaces 406 provide local wired or wireless access, wireless backbone access, or wired or wireless gateway access. - A
SNOWNET node 302 configuration depends on its specific intended use in the network. Thetypical SNOWNET node 302 in a remote location would have two wireless interfaces 406: one for backbone communication and one for local access service. ASNOWNET gateway node 302 may have these two wireless network interfaces plus athird network interface 406, such as a wired Ethernet interface to connect to the external network. - Since a
SNOWNET node 302 is portable, aSNOWNET node 302 uses DC power that can be supplied by batteries as themain power source 412. DC power can be provided from AC converters from the electric outlet, battery charging devices, solar energy devices, automobile battery outlets, or other power generating devices. - In certain operational scenarios when a battery is the only possible energy source, it is important for the
collaborative network 300 formed by thesenodes 302 to be both power-efficient and power-aware.SNOWNET nodes 302 implement power management procedures to preserve battery power when possible. - The
file system 404 on aSNOWNET node 302 is an encrypted file system. All information stored indata storage 404 is encrypted. When thenode 302 is booted up, the operator provides a decryption key supplier (i.e. a Smartcard, a USB key, etc). The boot up sequence of thenode 302 locates and loads the decryption key from the supplier. Only then can thefile system 404 be accessed. Critical operational system files are decrypted and loaded intosystem memory 403 to be executed. When anode 302 is disconnected from the authentication and communication key management server of the SNOWNET (the SNOWNET master authenticator as detailed later), i.e. not receiving key management messages from the server, for a certain period of time, an automatic power shut down is performed. Other tampering with theSNOWNET node 302 is prevented by physical security methods on thenode 302. - The above-mentioned feature of the present invention reduces the risk to the
whole SNOWNET 300 if oneSNOWNET node 302 is compromised by an unauthorized user. Without a valid connection to the decryption key supplier, theSNOWNET node 302 is inoperable after it has been powered down unless a valid decryption key supplier is applied. Even in the case that the attacker maintains a power supply to theSNOWNET node 302, thenode 302 will be isolated from the otherSNOWNET node population 300 using this timeout mechanism. - One embodiment of the present invention is implemented as a Soekris Engineering Net4521 Board with a 133 MHz AMD Elan SC520 system-on-chip CPU with interfaces including 2 PCMCIA, 1 CF, 1 Serial, 1 Mini-PCI, and 2 Ethernet; dual wireless interfaces including two 802.11 cards for backbone and access points, and a gateway configuration including a PCMCIA card for wireless uplink and a card for 802.11 backbone; OpenBSD or FreeBSD Operating Systems; and open software including Free Radius, HOSTAPD, Xsupplicant, and Xauthenticator.
-
FIG. 4 is a diagram showing theSNOWNET node 302software architecture components 500. TheSNOWNET node 302software components 500 are stored in thedata storage memory 404 of eachSNOWNET node 302. - The
software components 500 include operating systemkernel space drivers 502 for various network interfaces, including drivers forEthernet 504, IEEE 802.11 Network Interface Card (NIC) inHost AP mode 506, and 802.11 NIC inAd Hoc mode 508. All other SNOWNET components reside inuser space 510, or inkernel space 502 to improve performance. In particular, a Network Address Translation (NAT)module 532 resides in kernel space to provide the translation between external Internet addresses and the internal SNOWNET address space if necessary. - There are two major SNOWNET software modules, a
SNOWNET network layer 512 and aSNOWNET API 514. Within theSNOWNET network layer 512, the functions ofSNOWNET node authentication 516 and SNOWNET Routing/Bridging 518 are implemented. For SNOWNET nodes providing client device access service, a standard DHCP module is included to dynamically assign addresses to clients. The SNOWNET Application Programmers Interface (API) 514 offers an application development interface so thatother applications 520 andservices 522 can access lower-level, SNOWNET specific features such as Routing Table information (shown inFIG. 9 ). Examples of applications that could be implemented in aSNOWNET network 300 include Wireless Voice, streaming data and many other network functions. In an embodiment, the API is defined and implemented for theNetwork Layer 512 and theClient Authentication Module 526 and includes program calls in the C language. - The
SNOWNET network layer 512 is implemented as a network service to the other middleware components of aSNOWNET node 302. These optional SNOWNET middleware components may include Quality ofService module 524, the Security ofService module 524, trust management algorithms 530.andclient authentication module 526. The Quality ofService module 524 controls the share of the communication bandwidth given to each client. The Security ofservice 524 provides levels of additional security depending on the needs of the client. The trust management algorithms deal with rules for initial bootstrapping of the system and for allowing unknown clients and routers to become part of the system. Theclient authentication module 526 implements the 802.1x policy for admitting and identifying clients and is discussed further below. - Each
SNOWNET node 302 also includes a module supporting secure roaming forclients 528. This is themodule 528 that transfers the “trust and credentials” of a client from oneSNOWNET node 302 to another when theclient 310 moves from one SNOWNET node's local service area to another node's local service area. With the help of thismodule 528, theclient 310 does not need to go through the entire authentication phase again in the new local service area. Thus the time gap between theclient 310 being served by two SNOWNET nodes is relatively smaller and the handoff is relatively smoother. - A
SNOWNET node 302 may optionally host anauthentication server 534 such as aRADIUS server 303 that will provide all of the necessary checking of credentials, generation of keys and storage of credential information. - Security features of the SNOWNET of the present invention, including the SNOWNET implementation of client authentication and
access communication encryption 526, SNOWNET node authentication and communication encryption extended 516, for SNOWNET, and authentication and security during handoff, are now discussed. - The SNOWNET implementation of of client authentication and access communication (communication between clients and their service SNOWNET nodes) encryption is now discussed, with reference to
FIG. 5A . Two variations of the method are disclosed. They are an extended IEEE 802.1x client authentication and encryption method and a standard WPA client authentication and encryption method. - As shown in
FIG. 5A , a supplicant (or client) 310 accesses theSNOWNET 300 through the access point interface of aSNOWNET node 302. TheSNOWNET node 302 serves as an authenticator, and is in communication with anAuthentication Server 303. - If the network environment of the
SNOWNET 300 permits connectivity to a RADIUS server (C. Rigney, A. Rubens, W. Simpson, and S. Willens, “Remote Authentication Dial In USER SERVICES (RADIUS)”, RFC 2138, April, 1997),SNOWNET 300 uses an existing organizational RADIUS server as thebackend authentication server 303. Otherwise, oneSNOWNET node 302 can be configured as anauthentication server 303 by running the RADIUS server software. Before SNOWNET deployment, thisnode 303 downloads all necessary certificates into itssystem memory 404 so it can carry out the authentication duties. Such certificates include those forSNOWNET nodes 302 as well as for all authorized clients. Additional hardware resources such as system memory and a higher-performance CPU may be installed on anauthorization server node 303 to improve performance. During deployment, theRADIUS server node 303 must be activated before anyother SNOWNET nodes 302 are turned on and remain active until all otherSNOWNET nodes 302 are turned off. - In the first
method SNOWNET nodes 302 that provide local network access services act as authenticators in the IEEE 802.1x architecture using itsClient Authentication Module 526. Regularmobile clients 310 are supplicants. SNOWNET is compatible with many existing off-the-shelf client side implementations of supplicant functionality, e.g. Windows XP, Xsupplicant, etc. To execute the authenticator functions, theClient Authentication Module 526 inSNOWNET nodes 302 run the Open1X Authenticator software, an open source implementation of the IEEE 802.1x authenticator (Open1x, on the world wide web at open1x.org) 526. SNOWNETClient Authentication Module 526 enhances the standard IEEE 802.1x security by offering additional features such as mutual authentication between the mobile clients and the network and dynamic key rotation. Mutual authentication betweenmobile clients 310 and theSNOWNET network 300 is supported through the successful completion of the authentication process, as this can only be accomplished if both theclient 310 andSNOWNET nodes 302 are properly identified using a public key infrastructure. Dynamic keys in which the security encryption keys are changed periodically and redistributed through theSNOWNET network 300 is one of the features supported bySNOWNET 300. - The details of the Client and Network Mutual Authentication procedure in
SNOWNET 300 are as follows. During the EAP handshake between themobile client 310 and authenticatingSNOWNET node 302, theclient 310 sends an EAP start message and theSNOWNET node 302 returns an EAP message requesting the user's identity. Theclient 310 returns his certificate encrypted using a public key encryption mechanism with the authentication server's 303 public key. Theauthenticator 302 then forwards this encrypted certificate to theauthentication server 303. Theauthentication server 303 verifies the client certificate and if the certificate is valid, theauthentication server 303 generates a session key for the client and sends the session key to both theclient 310 andauthenticator 303. Using this session key, theAP 302 encrypts the local shared WEP key and sends the encrypted shared key to theclient 310. To support mutual authentication, theauthentication server 303 also encrypts the certificate for thewhole SNOWNET 300 using the client's 310 public key and sends the encrypted certificate to theclient 310 so theclient 310 can authenticate thenetwork 300 as well. If theclient 310 accepts the network certificate, theclient 310 decrypts the local shared WEP key, configures the shared key into its IEEE 802.11 device, and begins to access thenetwork 300. - Using the
same RADIUS server 303,SNOWNET 300 dynamically and periodically updates the shared keys used for communications betweenclients 310 andAPs 302.SNOWNET 300 does not need to update the shared keys when aclient 310 disconnects from thenetwork 300 because the shared key used at that moment will soon be replaced by periodical key refreshing. - In the second method, the standard WPA style client authentication and encryption scheme is supported. SNOWNET assumes that a WPA-capable RADIUS server is either running within the SNOWNET or is reachable from the SNOWNET through a gateway service. Each SNOWNET node that provides AP service supports the functions of an IEEE 802.1x authenticator. When a client is requesting network access service, it begins with an EAPOL-Start message; then, the standard WPA authentication procedure continues. After the IEEE 802.1x authentication execution completes, both the
client 310 and theSNOWNET AP node 302 providing local access service will receive a session key from the RADIUS server. The session key is used as the master key for WPA transient key generation. The current group transient key is also generated and sent to the client by theSNOWNET AP node 302. When a client disassociates from aSNOWNET AP node 302, the AP node needs to update the group transient key. The new group key is then sent to each attached client of theAP node 302 using EAP-Key messages. In addition to WPA security, SNOWNET also supports older style security for clients that do not support WPA. In this case the session key is used as the shared WEP key directly. TheSNOWNET AP node 302 will automatically regenerate and install new session keys periodically. - In a different embodiment of the client authentication and access communication encryption function of the present invention, the
Client Authentication Module 526 is integrated into the AP function of the SNOWNET nodes as part of theHostAP module 506 - Backbone Authentication and Security of the present invention for SNOWNET is now explained. The Backbone Authentication and Security of the present invention is included in the
Authentication Module 516 of the present invention. - In the previous section the focus has been on how authorization and encryption key management are done between mobile clients (supplicants) 310 and
authenticators 302. In this section the topic is authorization and key management among theSNOWNET nodes 302 themselves. - When IEEE 802.1x is adopted for typical 802.11 WLANs, there is an implicit assumption of an existing wired infrastructure (including access points and network cables interconnecting the access points) in which the topology of the network between the access points (APs) is static and the APs are trusted entities. Hence, there is a clear separation between the roles of supplicants (mobile clients) and authenticators (APs) and there is no need to raise the issue of the authenticity of the APs because they are already installed and connected via relatively secure wired connections and therefore assumed to be secure and authentic.
- In
SNOWNET 300, thebackbone network 306 is wireless and dynamic, permittingnew SNOWNET nodes 302 to join and others to leave thebackbone network 306 during normal operation. Before thesenew nodes 302 can provide network access and authentication services to regularmobile clients 310, thenodes 302 first need to be admitted to thebackbone network 306. In other words,SNOWNET nodes 302 themselves must also be authenticated within theSNOWNET 300. - Only after being admitted to the
backbone network 306 may thenew SNOWNET node 302 begin to offer network access services to itslocal clients 310. -
FIG. 5B illustrates the typical components involved in SNOWNET authentication operations. SNOWNET backbone security extends standard IEEE 802.11 security mechanisms, which are designed for single hop wireless networks, to multi-hop networks. SNOWNET data security is based on WPA security, with modifications accommodating the special characteristics of SNOWNET. - More particularly,
FIG. 5B shows aSNOWNET authentication architecture 1000 in whichSNOWNET nodes 302 are coupled to each other by a wireless 802.11 backbone connection,SNOWNET nodes 302 are coupled toclients 310 by wireless 802.11 infrastructure-mode access connection points, andSNOWNET nodes 302,RADIUS server 303, androuter 1002 are coupled toEthernet 1001 by wired connections. - Security in the backbone network of SNOWNET is now discussed. In an embodiment of the present invention, the WPA's security model is extended to cover the
entire backbone network 306. For authenticating SNOWNET nodes, the IEEE 802.1x authentication is extended by the present invention to support multi-hop wireless network. For securing communication among SNOWNET nodes, since the current WPA pairwise security does not support peer-to-peer communications, all SNOWNET nodes communicate using a common key, following the WPA group security. After SNOWNET nodes are authenticated, they are provided with the group transient key. This key is also updated periodically. - A
RADIUS server 303 is assumed to be reachable from the SNOWNET. Thisserver 303 may or may not be thesame RADIUS server 303handling client device 310 authentications. Within theSNOWNET backbone 306, onenode 305 is designated as the authenticator for theentire backbone network 306. Thisnode 305 is named the “Master Authenticator (MA)” 305. The identity of theMA 305 is included in SNOWNET topology exchange messages and sent to all authenticatedbackbone nodes 302 already on the backbone. The identity of theRADIUS server 303 is known to theMA 305. During SNOWNET deployment, theMA 305 is deployed before anyother SNOWNET nodes 302 and is assumed to be able to reach thebackbone RADIUS server 303.New backbone nodes 302 are added to theSNOWNET backbone 306 in an iterative manner as they are authenticated by theMA 305 andRADIUS server 303. - A problem is that EAPOL messages are link layer data frames and cannot be transmitted between
nodes 302 separated by other store-and-forward nodes operating at the network layer, as in SNOWNET. - The
SNOWNET backbone 306 is capable of forwarding network layer data packets. In an embodiment of the present invention, EAPOL frames are encapsulated in special IP or higher layer packets. A special SNOWNET packet format is defined for encapsulating EAPOL packets, called Envelopes. SNOWNET Envelopes are transmitted across the backbone network just like other user data messages encoded with the encryption mechanism of theSNOWNET backbone 306. - The SNOWNET Envelope packets are network-or-above layer packets. In an embodiment of the invention, a TCP packet is used as the method, although IP or UDP packet may also be used depending on each individual system's requirement and implementation details. However, in the case when an IP packet or UDP packet is used as SNOWNET Envelopes, additional mechanisms may be needed to increase delivery reliability. When an EAPOL packet is delivered over a single WLAN link, the sender is able to find out if the receiver has received the packet via a link layer acknowledgement. A similar acknowledgement function is provided by the SNOWNET Envelope packets.
- The embodiment of the
SNOWNET 1000 shown inFIG. 5B includes anEthernet 1001 network coupled to theMA 305,RADIUS server 303 coupled to theEthernet 1001, arouter 1002, afirewall 1003 coupled to theInternet 316,hubs 1004, workstations 1006, and servers 1008. - Backbone Message Exchange
-
FIG. 5C shows the backboneauthentication messaging sequence 1100 of the present invention. - The messages being exchanged during the authentication stage are illustrated in
FIG. 5C . When a new SNOWNET node 302-1 tries to join thebackbone network 306, the new SNOWNET node 302-1 acts as a supplicant and sends out an EAPOL-Start message. AnySNOWNET backbone node 302 that is within range may receive the EAPOL-Start message. Thebackbone node 302 hence becomes a proxy authenticator whom we name EAP Proxy (EP) 302-2 for the new node 302-1 and encapsulates the message within a SNOWNET Envelope message addressed to theMA 305.Multiple SNOWNET nodes 302 may actually receive and forward the EAPOL-Start message as an EP 302-2. - After being forwarded by the
SNOWNET backbone 306, the Envelope message reaches theMA 305 and the outer Envelope specific fields are peeled off and the EAPOL-Start message is revealed and passed to the authenticator function of theMA 305. Theauthenticator 305 selects one of the EP's 302-2 as the preferred EP 302-2 and then replies with a standard IEEE 802.1x EAP-Request/ID message. Again, this EAP message is encapsulated in another SNOWNET Envelope message and the Envelope is addressed to the preferred EP 302-2. From this point on, the standard IEEE 802.1x style authentication is carried out among the supplicant 302-1, theMA 305, and thebackend RADIUS server 303. - For EAP messages from the supplicant 302-1 to MA 305 (or RADIUS server 303), the EP 302-2 receives the link layer frames from the supplicant 302-1, encapsulates them in SNOWNET Envelopes and sends them towards the
MA 305. For EAP messages of the opposite direction, theMA 305 encapsulates those using SNOWNET Envelops addressed to the EP 302-2. The EP 302-2 then unencapsulates the EAP frames from the Envelopes and forwards the resulting EAP frames to the supplicant 302-1 over the ad hoc link between them. - Due to the ad hoc and dynamic nature of the
network 300, the new supplicant 302-1 will not know a priori the identity of an EP 302-2. This is different from authentication between aclient 310 and an AP, where the identity of the AP is known to theclient 310. Thus the EAPOL-Start message is sent in plaintext using a link layer broadcast address. AnySNOWNET backbone node 302 who receives and reacts to the message becomes an EP 302-2 and there may be multiple EPs 302-2 that forward the EAP-Start message to theMA 305. - The
MA 305 selects a preferred EP 302-2 according to various criteria, such as link quality, least loaded node or first arrival, and only uses this EP 302-2 to correspond with in subsequent steps. EAP messages in subsequent steps from theMA 305 to the supplicant 302-1 are explicitly addressed to the preferred EP 302-2 and similarly on the return path. The remaining EPs 302-2 will drop out of the communications unless a new EAPOL-Start is received. - Backbone Key Handling
- As a result of the IEEE 802.1x authentication procedure, a session key is established between the new SNOWNET backbone node 302-1 and the
MA 305 and the WPA pairwise transient key is generated from that. After the WPA pairwise transient key is established, theMA 305 forwards the current group key to the new node 302-1. The group key is used to protect the communications among allbackbone nodes 302. - It is also the
MA 305's responsibility to generate and update the group key. When a currentSNOWNET backbone node 302 leaves thebackbone network 306, theMA 305 renews the group key. In addition, since not allnode 302 departures are immediately known to theMA 305, theMA 305 will generate this new key on a periodic basis. The choice of a good lifetime of each group key is dependent on the dynamics of thenetwork 300. A new group key is delivered from theMA 305 to allSNOWNET backbone nodes 302 individually via EAP-Key messages protected with the pairwise EAP-Key encryption keys and integrity keys derived from the authentication procedure. - Newly generated and distributed group keys are not effective immediately but are scheduled to be used at a future time. The gap between the current time and the new key effective time is long enough to assure that the new group key is received by all
backbone nodes 302 with high likelihood and to allow for anybackbone node 302 to specifically request the new key if it is believed to have missed the delivery of the new key (e.g. because of lost packets). Although the new group key is not used immediately, it is installed into the IEEE 802.11 hardware as a secondary key. After the new group key goes into effect, the old group key is also kept in the hardware as a secondary key for a short period of time. There is a time window during which both new and old group keys are accepted for decryption to accomplish the key synchronization among all backbone nodes. Since typical IEE 802.11 WLAN interface hardware supports at least four encryption keys at any time, depending on the settings of various timer values, more than one group key may be transmitted to the new node. Among these keys, one is used as the current effective communication key and the rest will be used as future communication keys. - The
MA 305 is included in SNOWNET backbone security as the pairwise security binding is only between theMA 305 and otherSNOWNET backbone nodes 302. The total number of WPA transient keys theMA 305 needs to maintain for abackbone network 306 ofN nodes 302 is N, with N-1 TKIP pairwise transient keys and 1 group key. The number of keys being managed by thenetwork 306 grows as O(N). - SNOWNET backbone communications are encrypted with the group transient keys. This transient group key is used as the temporal key in the
TKIP phase 1 key mixing. If TKIP is not supported in a particular implementation ofSNOWNET node 302 hardware and firmware, the group key may also be directly used as a WEP key (a hash function is needed to format the transient group key into a key format compatible to WEP). However, in this case most of the problems associated with WEP would remain unsolved. - An advantage of using the SNOWNET security mechanism in this case is that the
MA 305 is able to generate and deliver new group keys to allbackbone nodes 302 across a multi-hop network so that each group key only has a short lifetime and during which attackers are unlikely to gather enough packets to break the key. - An explanation of SNOWNET in which the present invention is included now continues.
- Authentication and Security During Client Handoff is now explained.
- When a
mobile client 310 moves from the service area of oneSNOWNET node 302 to that of anotherSNOWNET node 302, several tasks are performed to ensure themobile client 310 receives uninterrupted data traffic. - Generally when roaming in an 802.11 WLAN, the first event to occur is a link layer handoff. That is, upon some predefined triggering event, the communication link between the mobile client and its current AP is broken and a new communication link between the mobile client and a new AP is established. Then the system performs the network layer handoff. That is, the mobile client establishes its new topological attachment (to its new AP) and propagates the information to the whole network so that data traffic from/to the mobile client can be properly directed. In this section, the issues related to authentication and security during link layer handoff are addressed. In the following section, network layer handoff is discussed.
- The details of the link layer handoff operations vary depending on the link layer technology. In the case of current IEEE 802.11 WLAN technology, link layer handoff is done in a “break-before-make” fashion. When a mobile client discovers that the quality of the signal from its current AP drops below a predefined threshold, the mobile client will try to find a new AP with better signal quality. Optionally the mobile client may send out a disassociation message to its current AP to notify the current AP of the departure so that the AP can remove any states stored for the mobile client. Then the mobile client performs a scan over all channels to determine available APs and their characteristics and the selects its new target AP.
- After the new AP is selected, the 802.11 standard specifies an authentication procedure for the mobile client by the new AP. However, as discussed herein above, the shared-key authentication scheme of 802.11 is not effective. On the other hand, many deployed 802.11 systems are open systems in which any mobile client is authenticated by default.
- After authentication, the mobile client tries to connect to the new AP by sending to the new AP an Association Request. Upon the receipt of an Association Request, the AP sends back an Association Response. If the request is accepted, this response contains a “successful” value. After receiving an Association Response with “successful”, the mobile client acknowledges the message. Then the new connection is established and the mobile client can send and receive via the new AP.
- Similarly, in
SNOWNET 300 when amobile client 310 roams from one SNOWNET node's 302 access service area to that of another, themobile client 310 executes the functions of scan, authentication, and association. -
SNOWNET 300 employs an optimized scan scheme to reduce the time needed to complete a scan. The reason for amobile client 310 to perform a scan over all channels is that theclient 310 does not know whichSNOWNET nodes 302 are available in the area of themobile client 310. Putting the network interface of themobile client 310 into promiscuous mode does not solve the problem because theSNOWNET nodes 302 may operate on different channels than the client's 310 current channel and thus still can not be heard. InSNOWNET 300, theclients 310 may perform scan operations even during normal operation to constantly monitor the availability ofnearby SNOWNET nodes 302 and their characteristics. This monitoring scan is only done under the condition of not interrupting ongoing communication and is not performed when battery lifetime becomes a concern. With such a list of recently heardnearby SNOWNET nodes 302, when a handoff is needed, themobile client 310 may focus only on thoseSNOWNET nodes 302 that are on the “recently heard” list and have good signal quality. Thus, the need for a full channel scan is avoided and the time themobile client 310 takes to select itsnew service node 302 is reduced. In cases when the “recently heard “list is created very recently, themobile client 310 may immediately select its new service node directly from the list without additional scanning. - The association procedure in
SNOWNET 300 is similar to what the current 802.11 standard specifies and thus is not discussed here. The focus of this section is on authentication and security with respect to roaming. - Authentication is a lengthy process which requires both communication and processing resources. Thus, it is desirable that authentication will not be performed during handoff. The present invention includes an authentication and security handoff mechanism that smoothly and securely relocates the
mobile client 310 to its new access service area with minimal delay. The mechanism is based on a public key system. It is assumed that allSNOWNET nodes 302 have a pair of keys, one public and one private. EachSNOWNET node 302 is aware of the public keys of other neighboringSNOWNET nodes 302. Eachmobile client 310 also knows the public keys of thenearby SNOWNET nodes 302. This feature is fulfilled by either pre-installation or an external public key exchanging protocol. - When such an authentication and security handoff service is needed, a
mobile client 310 needs to request that its currentSNOWNET service node 302 provide a ticket. This ticket includes information such as the mobile client's identity and its current access service SNOWNET node's identity. The ticket includes other fields such as the time when the ticket is issued, its expiration time, a session key transmission key, check sum, etc. The ticket may also include some random bit padding before and after the real fields. This ticket is encrypted by theSNOWNET node 302 using its private key. This encrypted ticket is then sent to the requestingmobile client 310. Because the delivery of this ticket is over an established secure communication session between themobile client 310 and its currentSNOWNET service node 302, such a delivery is secure. - Optionally, if the
mobile client 310 supports public key cryptography and has the computing resources to decrypt a message encrypted using asymmetric cryptography, theSNOWNET node 302 may encrypt the already encrypted ticket (with the SNOWNET node's private key) again with the mobile client's public key. Upon receiving such a double encrypted ticket; themobile client 310 decrypts the ticket using the mobile client's private key and stores the ticket (still encrypted with the service node's public key). This way, even if such a ticket is captured by a third party; the third party can not decrypt the ticket. - After the
mobile client 310 selects its newSNOWNET service node 302, themobile client 310 sends to the new SNOWNET node 302 a re-authenticate request message. This message includes its own identity, the identity of its previous service node, and the stored ticket. The message is encrypted using the new service node's public key. - Upon receiving such a re-authentication message, the
new service node 302 first decrypts the message using its own private key. Then thenew service node 302 decrypts the ticket (still encrypted with the previous service node's private key) included inside of the message using the public key of the previous service node. If the ticket is valid, theservice node 302 generates a temporary communication session key for themobile client 310. Theservice node 302 sends back to the client 310 a re-authentication response message with a “successful” flag. The message is encrypted with the session key transmission key included in the ticket and sent to themobile client 310 over the open channel. After receiving the temporary communication session key, themobile client 310 may send and receive message traffic via thenew service node 302. - The temporary communication session key is only valid for a short period of time. After the temporary communication session key is expired, use of the temporary communication session key is not permitted for communication between the
mobile client 310 and itsnew service node 302. Thus, during the valid window of this temporary communication session key, themobile client 310 must complete the normal mobile client authentication procedure as described earlier in this section. That is, the mobile client's credential needs to be transmitted to theRADIUS server 303 of theSNOWNET 300 for theclient 302 to be authenticated. After being authenticated by theRADIUS server 303, theRADIUS server 303 will start to issue and manage session keys for the communication between themobile client 310 andservice node 302 in the normal fashion. - SNOWNET IP Address Management
- Before describing how data is forwarded within SNOWNET, how addresses are managed is first described in more detail.
- SNOWNET nodes may have multiple communication interfaces, each having a globally unique identifier known as the hardware address or MAC address of the interface. Because MAC addresses are assigned to communication interface hardware by the manufacturers and they are globally unique, they are also commonly used as unique identifiers of their hosting devices. They are also used in SNOWNET. For SNOWNET nodes with more than one communication interface, and thus multiple MAC addresses, the lowest MAC address is used as the unique node identifier of the SNOWNET node.
- MAC addresses are only used for direct LAN communication between network interfaces reside on the same LAN. Internet Protocol (IP) addresses are also assigned to network interfaces so they can be globally addressed because IP addresses reflect the attachment of network interfaces in the global Internet. Now SNOWNET IP address management of the present invention is described. As discussed in greater detail later, SNOWNET may operate in two different data forwarding modes: bridging mode and routing mode. The IP address management is done differently in these two modes.
- When SNOWNET operates in bridging mode, its IP address management is very simple. The whole SNOWNET, including all clients and SNOWNET nodes, includes a single broadcast domain. All devices including both SNOWNET devices and client devices share the same IP address space. Either, a special SNOWNET node is configured as a DHCP server and manages IP address assignment for the whole network, or a DHCP server is reachable from the SNOWNET. The DHCP server has a pool of addresses for it to lease to clients and SNOWNET node devices. IP addresses of expired leases are returned to the address pool for future assignments. After a new device, either a SNOWNET node or a client device, is authenticated, it will issue a DHCP request asking for an IP address assignment and other related IP communication parameters such as the addresses of the default routers for the SNOWNET and Domain Name Servers (DNS). This request is broadcast to all devices in the SNOWNET, including the DHCP server. All other nodes will ignore the request except the DHCP server node, which will reply to the request with an IP address allocated from its IP address pool. Other requested parameters are also included in the reply message. The reply is sent back to the new device and the new device may use the assigned IP address and other parameters to configure itself.
- When SNOWNET operates in routing mode, the address management is more complicated. The typical configuration is that each SNOWNET node providing local access services will have its own sub-networks and manage the addressing within these sub-networks. For managing client IP addresses for clients, each such access service providing SNOWNET node has a DHCP server running for assigning IP addresses to clients connected to its service interfaces.
- A separate sub-network address space is allocated for the backbone interfaces of the SNOWNET nodes. The administrator of a routing mode SNOWNET needs to configure the address space of this separate backbone sub-network. What need to be configured for each new SNOWNET node are the IP address from the backbone IP address space for its backbone interface, and one IP address block for each of its access service interfaces so the DHCP server can be appropriately configured. We include two different methods of managing these IP addresses for SNOWNET in the present invention, a distributed method and a centralized method
- The first method is a distributed method. After a new SNOWNET node is accepted into the network, it will send an Address Request to the SNOWNET node acting as its EAP Proxy (EP) asking for addresses for its backbone interfaces and address spaces for its local service interfaces. By consulting its routing table for known addresses and address spaces of the SNOWNET, the EP node assigns unused addresses and address spaces to the new node and sends these assignments back to the requesting node.
- Because of the distributed nature of the problem, the above address assignment may still conflict with other nodes within the SNOWNET. This is either because of the imperfect knowledge of the EP node about address usage in the whole network or because there are other new nodes at a distant portion of the same SNOWNET requesting addresses from a different EP node at the same time. If such a conflict does occur and is detected later, it is resolved based on the identifier of the nodes involved. The SNOWNET node with lower node identifier is able to keep its addresses and the other party needs to relinquish its addresses and go through the address request and selection procedure again.
- A second method of SNOWNET IP address management of the present invention is also described here. This is a centralized approach where one SNOWNET node is configured as an IP address management server, which manages an IP address pool for the whole SNOWNET in the same fashion as a standard DHCP server. When a new SNOWNET node requests IP addresses for its backbone interface and service interfaces, it sends its request to its EP node. The EP then forwards the request to the IP address management server. The server them replies with address assignment. The address assignments are received by the EP node and forwarded to the new SNOWNET node. The reason for the address request and response messages to go through the EP node is that at the time of IP address requesting, the new SNOWNET node has not participated in SNOWNET forwarding algorithm execution, thus it does not have a route to the IP address management server.
- Due to the shortage of IP addresses, a common practice is for an administrator to use “private addresses” for computers within the network under his management and apply Network Address Translation (NAT) at gateway nodes.
- The SNOWNET addressing schemes introduced above works with both private addresses and public addresses so the administrator of the SNOWNET may select either method, depending on how many IP addresses are available to allocate for the SNOWNET. If private addresses are used for the SNOWNET, the gateway SNOWNET nodes can be configured to provide NAT functionality.
- Data Forwarding
-
SNOWNET 300 data forwarding, including bridging and routing, is now disclosed. -
SNOWNET 300 provides two separate levels of security by using independent shared WPA key management procedures for the backbone communications and the communications between aSNOWNET node 302 and itsmobile clients 310. - Data packets originating from a
source client 310 are encrypted using the local encryption key managed by theSNOWNET node 302 serving thisclient 310. The packet is received on the AP interface and decrypted by theSNOWNET node 302. Then if the packet is to be sent on thebackbone 306, the packet is then encrypted again by theSNOWNET node 302 with the encryption key managed by the master authenticator. -
SNOWNET nodes 302 may operate in one of two data forwarding modes: bridging mode and routing mode. Each mode is disclosed herein below. - Bridging Mode
- When
SNOWNET nodes 302 operate in bridging mode, as shown inFIG. 6 , theSNOWNET nodes 302 execute the IEEE 802.1d MAC Bridge protocol, discussed herein above.SNOWNET nodes 302 may be referred to as “SNOWNET bridges” 309 when theSNOWNET nodes 302 are operating in bridging mode. - SNOWNET bridges 309 execute a spanning tree protocol to configure their forwarding topology within the
backbone network 306. The spanning tree protocol for SNOWNET bridges 309 incorporate the IEEE 802.1d protocol, modified such that SNOWNET Bridge ports are a mix of physical and virtual entities. The local service access network interfaces of SNOWNET bridges are considered as physical ports by SNOWNET bridges 309. On the other hand, backbone “ports” are virtual and there is one port assigned for each backbone network link. That is, each virtual port is identified by the pair-wise combination of local backbone interface identity and the backbone interface identity on a neighboring bridge. In an embodiment, the communication between a bridge and all its neighboring bridges may share the same physical interface, as occurs in a broadcast link. All ports, virtual or physical, are identified beforeSNOWNET nodes 302 start the spanning tree protocol. During normal operation, the status of active ports is monitored constantly by a combination of passive traffic listening and active probing. If the status changes, the reconfiguration operation of the spanning tree protocol is executed. - After SNOWNET bridges 309 form a spanning tree, the SNOWNET bridges 309 enter the learning and forwarding phase. In learning, each bridge 309 remembers through which port each endpoint MAC address can be reached.
-
FIG. 6 shows an example of aSNOWNET network 300 with a spanning tree created atop of theSNOWNET backbone network 306. The spanning tree includesSNOWNET nodes 302 configured as SNOWNET bridges 309. - As shown in
FIG. 6 , theSNOWNET backbone network 306 comprises SNOWNET bridges 309 (B1, B2, and B3), which provide local access services (AP1, AP2, and AP3, respectively) for clients 310 (C1 through C5). -
FIG. 7 is a table of SNOWNET Bridging Table 400 Contents. Each SNOWNET bridge 309 ofFIG. 6 includes a SNOWNET Bridging Table 400 stored indata storage memory 404 as shown inFIG. 7 . The table 400 ofFIG. 7 illustrates what is stored in each bridge's table after the topology learning phase is complete. Compared to standard MAC bridges as specified by IEEE 802.1d, the difference is that the “port” column in standard MAC bridges is replaced by two columns in SNOWNET bridges 309: local interface and neighboring interface. These two addresses together identify a SNOWNET “bridge port”, either logical or physical. - An important requirement for bridge devices is that when they forward data frames, the original source and final destination MAC address must be preserved along the forwarding, no matter how many bridge devices the frames travel. Unfortunately this is not easily supported by the IEEE 802.11 protocol. Normally an IEEE 802.11 frame header only contains three MAC addresses, namely the sender MAC address, the receiver MAC address, and the AP MAC address. Thus when a frame is forwarded over multiple IEEE 802.11 links, it is impossible to preserve both the source and destination MAC addresses within the IEEE 802.11 frame header. Only recently, a frame format with four MAC addresses, which makes the preservation of both source and destination MAC address possible during forwarding over multiple 802.11 links, are supported by IEEE 802.11 devices. Such a format is known as the Wireless Distribution System (WDS) format.
-
FIG. 8 shows the IEEE 802.11 Data Frame Address Field contents and possible values of the “To DS” and “From DS” fields 700. The IEEE 802.11 standard refers to the backbone network connecting theAPs 104 as a “Distribution System (DS)”. In each data frame, there are two bits, namely the “To DS” bit and “From DS” bit. Together they describe the transmission direction of the data frame and the operation mode of the protocol. For instance when a data frame is sent from an access point (AP), such as AP1 inFIG. 6 , to a client, such as C1 inFIG. 6 , the “To DS” bit is set to FALSE while the “From DS” bit is set to TRUE. When a SNOWNET is operating in bridge mode, it uses the frame format specified by the 4th row of 700, or the WDS format, for forwarding data over the backbone. Such a data frame is identified if both the “To DS” and “From DS” fields of the data frame are set to 1. - A SNOWNET bridge 309 will always forward data frames for clients C attached to its local access service. For example, SNOWNET bridge B2 will forward data frames for clients C2 and C3. If both the source (for example, C2) and destination (for example, C3) of a data frame are using its local network access service AP2, the data frame is forwarded directly over the local access interface AP2. When data frames are originated from a mobile client C, their address fields are set as specified by the 802.11 protocol standard. Its “To DS” field is set to 1 while the “From DS” field is set to 0. The first address is the BSSID of the access point to which the mobile client C attaches, which in
SNOWNET 300 is provided by the local service access interface of the SNOWNET bridge. The second field contains the mobile client's own address while the third address is the address for the destination client C. The fourth address is left unused. TheSNOWNET network 300 of the present invention uses this format for client C to SNOWNET bridge 309 communications. Similarly, a SNOWNET bridge 309 of the present invention uses the standard AP to client C format (To DS=0, From DS=1) to deliver frames to its attached clients C, again leaving the fourth address unused. - After the first SNOWNET bridge 309 (for example B2) receives a data frame from one of its clients (C3) that is destined for a device (such as client C1) not attached to the bridge B2, the SNOWNET bridge B2 reformats the frame to be forwarded through the
backbone network 306. It uses the WDS format by setting both “to DS” and “from DS” fields to 1, with the destination and source fields set to the MAC addresses of the destination and source clients. The transmitter address is set to its own backbone interface address and the receiver address is set to the backbone interface address of the next hop SNOWNET node towards the destination. Which SNOWNET node is the next node towards a particular destination can be found out from the Bridging table 400. - Upon receiving a data frame forwarded by a SNOWNET bridge (for example, B2), a SNOWNET bridge (for example B3) decides if it will further forward the frame by using a mechanism similar to the filter mechanism of IEEE 802.1d. A SNOWNET bridge B3 will only forward a data frame when the previous forwarder (the SNOWNET bridge from which the bridge received the data frame, as identified by the transmitter address field in the WDS data frame 700, such as B2) is listed as an active neighbor bridge and the destination and the source of the data frame are on different sides of the bridge as indicated by the bridging table 400 (i.e., the destination and the source are listed as reachable via different ports). Before the data frame is forwarded, the bridge updates the transmitter address in the data frame to the address of its own transmitting (backbone) interface and the receiver address to the next SNOWNET bridge's backbone interface address.
- Thus when the frame is forwarded within the backbone, each SNOWNET node participating in the forwarding modifies the transmitter and receiver addresses accordingly and keeps the source and destination address unchanged. The source and destination addresses are also used in updating the Bridging tables 400 on SNOWNET nodes in the same way the standard IEEE 802.1d learning procedure updates bridge tables.
- At the bridge B3 that provides access services to the destination client C5, the data frame is converted again to the “from DS” type of data frame in the appropriate format and sent to the destination client C5.
- An advantage of running
SNOWNET 300 in bridge mode is to simplify network layer roaming and Internetwork Protocol (IP) address management. Since anentire SNOWNET 300 typically shares the same IP address space, there is no need for each SNOWNET bridge 309 to manage client IP addresses. One dedicated DHCP server within theSNOWNET 300 can serve thewhole network 300. When a client C moves from one AP coverage area to another, there is no need to change its IP address. Other advantages of this situation include the simplified support of multicast and other link layer management protocols. - Since the Bridging Table 400 (shown in
FIG. 7 ) corresponds to a per-host routing table, such a method may not scale well when the size of theSNOWNET network 300 grows. In addition, a spanning tree forwarding topology limits the shape and efficiency of data forwarding paths. In some cases the shortest forwarding path between two communicating clients cannot be used because their links are not part of the spanning tree. This is frequently the case in broadcast environments. Finally, bridges 309 update theiraddress databases 400 and spanning tree by periodically exchanging “heartbeat” messages. Thus, when thebackbone 306 topology changes or a client C changes its attached AP, it may take a relatively long period of time for the network to converge to a new state that reflects the new topology and attachments. Data packets may be lost during this transient period. In the worst case, the updates may not be able to catch up with the changes in the topology and the network becomes unstable. - In summary, the SNOWNET bridge mode is relatively simple, but it is best suited for small and moderately
dynamic SNOWNETs 300. - The use of
SNOWNET 300 in routing mode, however, overcomes the above-mentioned problems of Bridging mode. - Routing Mode
- As shown in
FIG. 2 , SNOWNET routing includes link state routing for themulti-hop backbone network 306 in which anode 302 periodically detects it neighbors and updates its known topology with new neighbor information. Thenode 302 then sends out its updated topology to itsneighbors 302. After receiving a new topology from a neighbor, thenode 302 updates its known topology with the new information. Every time the topology is updated, the routing algorithm computes new routes and makes corresponding changes to the routing table if necessary. In a SNOWNET topology, eachSNOWNET node 302 is identified by its IP address and IP subnet mask. Each subnet attached to aSNOWNET node 302's access service interface is represented in the topology as a subnet node. TheSNOWNET node 302 connected to the subnet includes thesubnet node 302 in the routing information exchange. TheInternet 316 is represented as “0” subnet. ASNOWNET node 302 also includes the identities of any foreign clients, which are clients with IP address outside of theSNOWNET node 302's service IP address space as a result of the clients roaming off the service areas of their original SNOWNET service nodes, under its service in the routing information exchange. The overall topology includesSNOWNET nodes 302, subnet nodes, foreign client nodes, and theInternet node 316. A Dijkstra shortest path (fewest hops) algorithm for route computation is used, and a longest match rule for route selection is used. - When
SNOWNET nodes 302 operate in the routing mode, theSNOWNET nodes 302 form a flat routing space over the backbone network 306 (as opposed to hierarchical or clustered approaches). TheseSNOWNET nodes 302 are referred to as SNOWNET routers when operating in routing mode. In this case, thebackbone network 306 is viewed as a variation of a Mobile Ad hoc Network (MANET) (IETF Mobile Ad-hoc Networks (manet) Working Group and research results on MANET routing algorithms can be borrowed for SNOWNET routing (C. Perkins, E. Belding-Royer, and S. Das, “Ad hoc On-Demand Distance Vector (AODV) Routing”, IETF Internet Draft, Work in Progress, June 2002; D. Johnson, D. Maltz, Y. Hu, and J. Jetcheva, “The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks (DSR)”, IETF Internet Draft, Work in Progress, February 2002; etc.). - However,
SNOWNET 300 represents an important special case within the class of MANETs. InSNOWNET 300 there are two distinct types of entities in the network that can be mobile:clients 310 andSNOWNET nodes 302. However, current MANET research treats the whole MANET as a flat routing space in which there is no structure in the MANET topology and each client is a node that participates equally in data forwarding. This typically imposes special requirements to enable MANET functionality on all nodes in the network. In theSNOWNET service model 300, the special requirements onmobile clients 310 are limited so that users may employ standard typical mobile computers such as Laptops, PDAs and other commercially available devices with standard client communication devices such as widely available 802.11b PCMCIA cards. Thus, directly applying an existing MANET approach by configuring both clients andSNOWNET nodes 302 as MANET nodes is not a viable solution. - With
SNOWNET routers 302, a hybrid approach is used. In this approach, only theSNOWNET routers 302 are configured as MANET nodes and participate in MANET-like routing algorithms. All router backbone interfaces share the same IP address space and execute the routing protocols and exchange routing information among themselves. Eventually they together build routes for reaching any backbone nodes. - Among the differences in SNOWNET routing and MANET routing is that each
SNOWNET router 302 is also allocated mask-able address space segments from which addresses are dynamically assigned to this router's local clients. DHCP server software is installed on each router to allocate IP addresses for local mobile clients. During routing information exchanges, in addition to advertising for their own IP addresses, backbone nodes also advertise for their local service subnets. In other words, the backbone nodes proxy for their local service subnets by including this information in their reachable network list. This special requirement requires modifications to a “normal” MANET routing protocol specification by requiring an additional field in the SNOWNET routing protocol messages to include these proxy subnets. This field may include multiple entries and hence is referred to as the “proxy list”. - In order to support roaming, in addition to the local service subnets, each
SNOWNET router 302 is responsible for providing a proxy service for a number of “foreign mobile clients”, which aremobile clients 310 currently attached to the router but with addresses outside of the router's address spaces. The advertisement of these foreign client addresses is included in the SNOWNET routing protocol message in the same way as the local service subnets, as entries in the proxy list. - Each
SNOWNET router 302 maintains a Routing Table 500, shown inFIG. 9 . The Routing Table 500 specifies the local interface and the neighboring interface to the respective portable network node device that is the next hop-destination in a routing path. - In each routing table 500, there are two types of route entries: subnet routes and host routes. The former are aggregated route entries where each entry describes routes for all the hosts within the corresponding address space, expressed in traditional format as a combination of network address and network mask. The latter are for the routes towards specific
mobile nodes 302, either the backbone interface of SNOWNET nodes or foreign mobile clients. In the example routing table 500, the entries for B1, B2, and B3 are host routes for SNOWNET node backbone interfaces, the entries for C5 are a host route for a foreign client, and the entries for AP1, AP2, and AP3 subnets are subnet routes. A longest match rule (W. Doeringer, G. Karjoth, and M. Nassehi, “Routing on longest-matching prefixes, IEEE/ACM Transactions on Networking (TON), Vol. 4,Issue 1, February, 1996) can be applied during route lookups. - A client C may wander off the service coverage area of one SNOWNET router and move to the coverage area of another SNOWNET router.
SNOWNET 300 supports client roaming so that there is no data interruption during the change of client attachment. For stationary computers, IP addresses serve both as identifiers and location indicators. However, when an IP address is assigned to amobile client 310, these two properties contradict each other when the mobile client changes its attachment. In one embodiment, the IP address should the same so that the integrity of the client identity is maintained. In another embodiment, the client should acquire a new address to reflect its current network access attachment for efficient routing. - The
SNOWNET router 302 solves this problem by allowing two types of routes to co-exist. For thoseclients 310 who stay with their original SNOWNET routers, the subnet routes for their subnets represent their routes. There is no specific route for each individual client of this type. For those clients who have left their original subnet and become “foreign clients” for other routers, each routing table explicitly lists their routes. Because of the support for “foreign mobile client”, there is no need for the client to acquire a new IP address in the address space of its current attachment environment while it is still within theSNOWNET 300. - When a
mobile client 310 moves to a new subnet, themobile client 310 informs itsprevious router 302 about its new attachment by forwarding to its previous router 302 a Routing Update Message 600 (an example of which is shown inFIG. 10 ). - More particularly,
FIG. 10 shows aRouting Update Message 600, also referred to as a notification, in which amobile client 310 notifies its previousservice SNOWNET node 302 about the address of its current service SNOWNET node. Themessage 600 includes the identities of the three parties involved in the activities, as well as security related information such as a certificate encrypted using the client's private key and the previous service SNOWNET node's public key. - This
notification 600 shortens the time period or gap between the time the client breaks off from its previous router and the time its new route is inserted into every routing table in the backbone network. During this time period, data packets destined for thismobile client 310 is delivered towards the client'sprevious service router 302 and theprevious service router 302 is not able to further forward data packets to the mobile client. With the notification, the previous router is able to forward data packets to the new router before all routing tables 500 on involved SNOWNET routers are updated. Such anotification 600 will not totally eliminate the gap, but significantly reduces the duration of the gap to the period from the time the client breaks off from its previous router to the time that the client'sRouting Update Message 600 arrives at its previous service router. Sincemobile clients 310 typically move between neighboring coverage areas, it is likely that their previous andcurrent service routers 302 are very close in distance (or number of link hops) in thebackbone network 306 topology. Thus the notification will arrive relatively quickly. Eachrouter 302 may optionally cache data packets for aclient 310 if the data packets cannot be delivered to the clients. Once thenotification 600 about the client'snew router 302 arrives, cached data packets are forwarded to thenew router 302. Also, upon receiving such anotification 600, if theclient 310 is a foreign client on itsprevious router 302, theclient 310 is removed from the previous router's “foreign client” list. - A foreign client in
SNOWNET 300 is served differently by the network from how amobile client 310 is served by a foreign agent as specified in the well known Mobile IP (C. Perkins, “IP Mobility Support”, IETF RFC 2002, October, 1996). In Mobile IP, when a mobile client is attached to a network other than its home network, the mobile client acquires a local IP address, termed “foreign address”, from its current network. The network to which the mobile client currently attaches is known as the “foreign network”. The mobile client always maintains its address on its home network. This address is known as the mobile client's home address or permanent address. When other hosts on the Internet want to communicate with the mobile client, they will address their communications using the mobile client's home address. When the mobile client is on a foreign network, it receives incoming traffic with the help of an entity on its home network, its home agent. Incoming traffic is sent to the mobile client's home network by the Internet. Then the home agent captures the packets for the mobile client and forwards them to the mobile client's current location using its new local address. For this scheme to work, the mobile client is required to report its local address on a foreign network to its home agent. By using two addresses (home address and foreign address) simultaneously, the Mobile IP solves the conflict between the attachment and identity purposes of addressing. - In
SNOWNET 300 of the present invention, there is no need for amobile client 310 to receive a new IP address. When the mobile client entersSNOWNET 300 for the first time, the mobile client receives an IP address from theSNOWNET node 302 it is associated with. Because thenetwork 300 is capable of forwarding data for specific hosts, it is not necessary for a mobile client to obtain new foreign address when it moves to the coverage area of aSNOWNET node 302 that is different from its initial node. Thenetwork 300 propagates routes for the mobile client reflecting its current attachment.SNOWNET 300 has such a capability because it operates on a scale that is much smaller than the Mobile IP's environment. Thus SNOWNET 300 can install per-host routes in the network for these mobile clients. On the other hand,SNOWNET 300 can easily support Mobile IP as well. A Mobile IP-capable mobile client may simply report its SNOWNET address to its home agent as its foreign address. This results in more efficient operation of Mobile IP in aSNOWNET 300 environment. - As disclosed herein above, SNOWNET comprises a mobile network solution which provides secure and portable wireless networking service to mobile users with devices equipped with wireless network interfaces. The Secure Nomadic Wireless Network, or SNOWNET, follows a hierarchical approach. Special SNOWNET nodes are deployed in the area where networking service is needed and form a backbone network. At the same time, SNOWNET nodes provide local access service to regular mobile clients.
- The SNOWNET of the present invention is portable and can be rapidly deployed in an environment where there is no existing networking infrastructure. SNOWNET is secure. Using SNOWNET extensions to the WPA algorithm, all traffic transmitted within SNOWNET is highly protected. SNOWNET also provides an enhanced scheme for transferring authentication and security during handoff to support smooth, rapid mobile client roaming. Finally, SNOWNET offers two operation modes for automatically forwarding messages and that provide seamless roaming between different local service cells.
- SNOWNET can be used in several different scenarios. Here are some examples. SNOWNET can be setup as a secure fast-deployable standalone networking infrastructure to provide instant networking services to a field where there is no trusted networking environment. Typical usages may include battle field situations, disaster relief operations, scientific exploration tasks, and robotics applications. SNOWNET can be installed as a cost-efficient multi-hop wireless LAN to provide wireless networking coverage for any organization or in any home. With a flexible, multi-hop, self-organized, and self configured wireless backbone, SNOWNET saves customers costs for cabling, installation and maintenance. SNOWNET may also be used as a stub network to connect isolated LANs to an organizational network. For instance, a school may use SNOWNET to “glue” a LAN installed in a remote building to its existing campus network.
- Features of the present invention described above include:
- The SNOWNET architecture for a 2-level secure, portable wireless router network device with security based on extensions to the WPA WLAN security.
- The extended WPA security algorithm for securely adding and authenticating a router to an existing SNOWNET.
- A self-configured address management scheme for SNOWNET to allocate addresses for their backbone interfaces and local service networks.
- A bridging protocol involving adaptation of with the IEEE 802.1d and 802.1w bridging standards for multi-hop IEEE 802.11 networks.
- A new routing algorithm that is a hybrid approach based on traditional MANET routing algorithms.
- Support for efficient network level roaming for mobile clients between difference service areas of the SNOWNET.
- Support for an enhanced mechanism for efficient handoff of authentication and security when mobile client is roaming between difference service areas of the SNOWNET.
- The system also includes permanent or removable storage, such as magnetic and optical discs, RAM, ROM, etc. on which the process and data structures of the present invention can be stored and distributed. The processes can also be distributed via, for example, downloading over a network such as the Internet.
- The many features and advantages of the invention are apparent from the detailed specification and, thus, it is intended by the appended claims to cover all such features and advantages of the invention that fall within the true spirit and scope of the invention. Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the invention to the exact construction and operation illustrated and described, and accordingly all suitable modifications and equivalents may be resorted to, falling within the scope of the invention.
Claims (96)
1. A wireless computer network in communication with mobile client computing devices comprising client wireless devices, the wireless computer network comprising:
a wireless backbone network providing a wireless networking service to the mobile client computing devices, the wireless backbone network comprising:
portable wireless network node devices providing wireless local access service to the mobile client computing devices in their respective coverage areas and providing the wireless networking service to forward and deliver communication data of the mobile client computing devices on the wireless backbone network in a multi-hop manner to other of the mobile client computing devices or to other networks in communication with the wireless computer network, one or more of the portable wireless network node devices performing routing and storing a routing table comprising first data of subnet routes of network layer addresses for the mobile client computing devices and portable wireless network node devices, and second data of subnet routes to gateways for external network addresses and per-host routes of network layer addresses for the mobile client computing devices that have roamed from their initial access service network node coverage area, and per-host routes of link layer addresses for the mobile client computing devices and portable wireless network node devices,
wherein a backbone network node configured as a master authenticator node and another computer configured as authentication server, authenticating an unauthenticated new network node to the backbone network with the assistance of another backbone node configured as a proxy authenticator node for the unauthenticated new network node
2. The wireless computer network as in claim 1 , wherein the routing table specifies the local interface and the neighboring interface to the respective wireless network node device that is the next hop-destination in a routing path, and wherein the wireless network node devices performing routing updating their routing table by periodically exchanging routing update control messages that include IP addresses and link layer addresses.
3. The wireless computer network as in claim 2 , wherein one or more of the portable wireless network node devices provides a gateway service and comprises multiple interfaces, wherein each gateway service node device having one of the multiple interfaces provides communication to the wireless backbone network and at least one of the multiple interfaces provides communication to the other network in communication with the wireless computer network.
4. The wireless computer network as in claim 2 , wherein the portable wireless network node devices comprises multiple wireless interfaces, wherein at least one of the multiple wireless interfaces providing local access service for the mobile client computing devices and at least one of the multiple wireless interfaces providing communication with the wireless backbone service.
5. The wireless computer network as in claim 2 , wherein each of the portable wireless network node devices comprising internal tables controlling communications forwarding through one of bridging and routing, wherein the wireless computer network automatically and dynamically adjusting for the movement of the portable wireless network node devices within the wireless computer network, the introduction of additional portable wireless network node devices to the wireless computer network, and the deletion or failure of current portable wireless network node devices by updating its internal tables controlling communications forwarding either through the bridging or the routing implemented in the portable wireless network node devices.
6. The wireless computer network as in claim 5 , wherein when the network is operating in routing mode the wireless computer network shares an Internet-style, network layer, address space among the portable wireless network node devices and the mobile client computing devices.
7. The wireless computer network as in claim 6 , wherein a portable wireless network node device serving as an address manager dynamically assigns a backbone network layer address as well as one or more address space segments from the address space of the wireless computer network to a new portable wireless network node device after the new portable wireless network node device is authenticated to the wireless computer network.
8. The wireless computer network as in claim 7 , wherein the wireless network node device provides an internal routable address for the mobile client computing device from the assigned address space segment of the wireless network node device using a procedure comprising a DHCP function on the wireless network node device.
9. The wireless computer network as in claim 5 , wherein the wireless network node devices forward communication data on behalf of the mobile client computing devices using a dynamic routing protocol adapted to the wireless network node devices.
10. The wireless computer network as in claim 5 , wherein the wireless network node devices forward communication data on behalf of mobile client computing devices using a dynamic bridging protocol adapted to the wireless network node devices.
11. The wireless computer network as in claim 10 , wherein the bridging protocol is based on the IEEE 802.11 WDS links that are dynamically created and removed by the network nodes based on their current local neighboring network node connections.
12. The wireless computer network as in claim 10 , wherein the wireless network node devices performing bridging store a Bridging Table comprising a local interface and neighboring interfaces to the respective wireless network node devices that are the next hop destination in the bridging path.
13. The wireless computer network as in claim 12 , wherein the wireless network node devices performing bridging update their Bridging Table by periodically exchanging bridging update control messages that includes link layer addresses for all attached devices and clients.
14. The wireless computer network as in claim 2 , wherein at least one of the wireless network node devices serves as a gateway to another network in communication with the wireless computer network, and the network routing protocol, periodically executed by the wireless network node devices, automatically determines the shortest path routes between mobile client computing devices in the wireless computer network or to the gateway.
15. The wireless computer network as in claim 5 , wherein the network wireless node devices transfer authentication information between themselves when a mobile client computing device roams from the coverage area of one wireless network node device to another wireless network node device to establish authentication and local access at the wireless network node device to provide access service.
16. The wireless computer network as in claim 15 , wherein the mobile client computing device that roams from the coverage area of one of the wireless network node devices to another of the wireless network node devices maintains the same address and the routing protocol continues to efficiently route communication data to the mobile client computing device by automatically updating a client-specific host address entry in the routing tables of the wireless network node devices
17. The wireless computer network as in claim 2 wherein secure communications are provided by encryption of messages and authentication of the wireless network node devices and the mobile client computing devices.
18. The wireless computer network as in claim 2 , further comprising an authentication server in communication with the wireless network node devices, wherein the wireless network node devices automatically configure themselves for communication forwarding in the wireless computer network by initiating their operating systems, determining their network addresses when operating in routing mode, contacting the authentication server, obtaining encryption keys and authentication, setting their backbone wireless network and local access service channels, and initiating a dynamic routing or bridging protocol that discovers neighboring wireless network node devices and establishes communication forwarding paths on the backbone wireless network.
19. The wireless computer network as in claim 17 , the unauthenticated new node in communication with at least one of the already authenticated backbone network nodes as the proxy authenticator node to request authentication to the backbone network, the proxy authenticator node communicating with the master authenticator node to authenticate the unauthenticated new node to the backbone network.
20. The wireless computer network as in claim 19 , wherein when operating in a routing mode, the unauthenticated new node transmitting identification data to neighboring proxy authenticator nodes, the proxy authenticator nodes receiving the identification data, encapsulating the identification data in a message envelope, and forwarding the encapsulated data to the master authenticator using the routing scheme.
21. The wireless computer network as in claim 19 , wherein the master authenticator node selects one backbone node as the proxy authenticator node if more than one backbone node receives and forwards the new node identification data to the master authenticator.
22. The wireless computer network as in claim 21 , further comprising an authentication server in communication with the master authenticator node and authenticating the unauthenticated new node to the backbone network.
23. The wireless computer network as in claim 22 , wherein the new node, once authenticated to the backbone network, is enabled to become a proxy authenticator for an unauthenticated new wireless node.
24. The wireless computer network as in claim 17 , wherein a common group key is used as part of the encryption scheme for the backbone communications, the group key is used by another key generating method to produce the actual per packet communication encryption key, and the group key is changed periodically and is only valid for a specified period of time, denoted by a start and end time.
25. The wireless computer network as in claim 24 , wherein the master authenticator periodically generates a new group key and transmits the new group key to each node in the backbone network by encrypting the group key using a public key based method that only that destination node can decrypt.
26. The wireless computer network as in claim 24 , wherein the master authenticator transmits the current active group key to a newly authenticated node by encrypting the group key using a public key based method that only the new node can decrypt, the new node then uses the group key to encrypt backbone communication.
27. The wireless computer network as in claim 24 , wherein each key periodically generated by the master authenticator has a specific valid period, which is specified in each new key transmission, and the received newly generated group key is stored by backbone node devices and only loaded into encryption/decryption engine during the key effective period.
28. The wireless computer network as in claim 27 , wherein the valid periods of consecutively generated group keys by the master authenticator may overlap at the beginning and ending of their valid periods, during which both group keys are valid and the encrypting node devices use the newer group key to encrypt messages but the decrypting node devices may need to try both to decrypt messages, to ensure smooth group key change.
29. The wireless computer network as in claim 17 , wherein a wireless network node providing access service to at least one of the mobile client computing devices becoming an authenticator for authenticating client devices.
30. The wireless computer network as in claim 29 , wherein one of the wireless network nodes providing access service to at least one of the mobile client computing devices or a separate computer in communication with the wireless network node, being configured as an authentication server for the mobile client computing devices.
31. The wireless computer network as in claim 30 , wherein at least one of the mobile client computing devices is authenticated by an authenticator and an authentication server using the IEEE 802.1x protocol.
32. The wireless computer network as in claim 17 in which the authentication and encryption mechanisms are the WiFi Protected Access (WPA) scheme modified to allow the authenticator, master authenticator and authentication server to communicate over multiple hops.
33. A method of wireless computer network in communication with mobile client computing devices comprising client wireless devices, the method of the wireless computer network comprising:
providing, by a wireless backbone network, a wireless networking service to the mobile client computing devices, comprising:
providing, by portable wireless network node devices of the wireless backbone network, wireless local access service to the mobile client computing devices in their respective coverage areas,
providing the wireless networking service to forward and deliver communication data of the mobile client computing devices on the wireless backbone network in a multi-hop manner to other of the mobile client computing devices or to other networks in communication with the wireless computer network,
performing routing, by one or more of the portable wireless network node devices,
storing, by the one or more of the portable wireless network node devices, a routing table comprising first data of subnet routes of wireless network layer addresses for the mobile client computing devices and portable wireless network node devices, and second data of subnet routes to gateways for external network addresses and per-host routes of network layer addresses for the mobile client computing devices that have roamed from their initial access service network node coverage area, and per-host routes of link layer addresses for the mobile client computing devices and portable wireless network node devices, and
authenticating, by a backbone network node configured as a master authenticator node and another backbone node configured as an authentication server, an unauthenticated new network node to the backbone network with the assistance of another backbone node configured as a proxy authenticator node for the unauthenticated new network node.
34. The method of claim 33 , further comprising:
specifying, by the routing table, the local interface and the neighboring interface to the respective wireless network node device that is the next hop-destination in a routing path, and
updating, by the wireless network node devices performing routing, their routing table by periodically exchanging routing update control messages that include IP addresses and link layer addresses.
35. The method as in claim 34 , further comprising:
providing, by one or more of the portable wireless network node devices, a gateway service, the one or more of the portable network node devices comprising multiple interfaces,
providing, by each gateway service node device having one of the multiple interfaces provides, communication to the wireless backbone network, and
providing, by at least one of the multiple interfaces, communication to the other network in communication with the wireless computer network.
36. The method as in claim 34 , wherein the portable wireless network node devices comprises multiple wireless interfaces, the method further comprising:
providing, by at least one of the multiple wireless interfaces, local access service for the mobile client computing devices, and
providing, by at least one of the multiple wireless interfaces, communication with the wireless backbone service.
37. The method as in claim 34 , further comprising:
controlling, by internal tables provided in each of the portable wireless network node devices, communications forwarding through one of bridging and routing,
automatically and dynamically, by the wireless computer network, adjusting for the movement of the portable wireless network node devices within the wireless computer network, the introduction of additional portable wireless network node devices to the wireless computer network, and the deletion or failure of current portable wireless network node devices by updating its internal tables controlling communications forwarding either through the bridging or the routing implemented in the portable wireless network node devices.
38. The method as in claim 37 , wherein when the network is operating in routing mode, sharing, by the wireless computer network, an Internet-style, network layer, address space among the portable wireless network node devices and the mobile client computing devices.
39. The method as in claim 37 , further comprising serving, by a portable wireless network node device, as an address manager dynamically assigns a backbone network layer address as well as one or more address space segments from the address space of the wireless computer network to a new portable wireless network node device after the new portable wireless network node device is authenticated to the wireless computer network.
40. The method as in claim 39 , further comprising providing, by the wireless network node device, an internal routable address for the mobile client computing device from the assigned address space segment of the wireless network node device using a procedure comprising a DHCP function on the wireless network node device.
41. The method as in claim 37 , wherein the wireless network node devices forwarding communication data on behalf of the mobile client computing devices using a dynamic routing protocol adapted to the wireless network node devices.
42. The method as in claim 37 , wherein the wireless network node devices forwarding communication data on behalf of mobile client computing devices using a dynamic bridging protocol adapted to the wireless network node devices.
43. The method as in claim 42 , wherein the bridging protocol is based on the IEEE 802.11 WDS links that are dynamically created and removed by the network nodes based on their current local neighboring network node connections.
44. The method as in claim 42 , wherein the wireless network node devices performing bridging store a Bridging Table comprising a local interface and neighboring interfaces to the respective wireless network node devices that are the next hop destination in the bridging path.
45. The method as in claim 44 , wherein the wireless network node devices performing bridging update their Bridging Table by periodically exchanging bridging update control messages that includes link layer addresses for all attached devices and clients.
46. The method as in claim 34 , further comprising serving, by at least one of the wireless network node devices, as a gateway to another network in communication with the wireless computer network, and
automatically determining, in accordance with the network routing protocol, periodically executed by the wireless network node devices, the shortest path routes between mobile client computing devices in the wireless computer network or to the gateway.
47. The method as in claim 37 , further comprising transferring, by the network wireless node devices, authentication information between themselves when a mobile client computing device roams from the coverage area of one wireless network node device to another wireless network node device to establish authentication and local access at the wireless network node device to provide access service.
48. The method as in claim 47 , further comprising maintaining, by the mobile client computing device that roams from the coverage area of one of the wireless network node devices to another of the wireless network node devices, the same address and the routing protocol continues to efficiently route communication data to the mobile client computing device by automatically updating a client-specific host address entry in the routing tables of the wireless network node devices
49. The method as in claim 34 , further comprising providing secure communications by encryption of messages and authentication of the wireless network node devices and the mobile client computing devices.
49. The method as in claim 34 , wherein the wireless computer network further comprising an authentication server in communication with the wireless network node devices, the method further comprising automatically configuring, by the wireless network node devices, themselves for communication forwarding in the wireless computer network by initiating their operating systems, determining their network addresses when operating in routing mode, contacting the authentication server, obtaining encryption keys and authentication, setting their backbone wireless network and local access service channels, and initiating a dynamic routing or bridging protocol that discovers neighboring wireless network node devices and establishes communication forwarding paths on the backbone wireless network.
51. The method as in claim 49 , further comprising requesting, by the unauthenticated new network node, authentication to the backbone network, the unauthenticated new node in communication with at least one of the already authenticated backbone network nodes, one of these backbone network nodes becoming the proxy authenticator node for the unauthenticated new node and communicating with the master authenticator node to authenticate the unauthenticated new node to the backbone network.
52. The method as in claim 51 , wherein when operating in a routing mode, further comprising:
transmitting, by the unauthenticated new node, identification data to neighboring proxy authenticator nodes,
receiving, by the proxy authenticator nodes, the identification data,
encapsulating the identification data in a message envelope, and
forwarding the encapsulated data to the master authenticator using the routing scheme.
53. The method as in claim 51 , further comprising selecting, by the master authenticator node, one backbone node as the proxy authenticator node if more than one backbone node receives and forwards the new node identification data to the master authenticator.
54. The method as in claim 53 , wherein the wireless computer network further comprising an authentication server in communication with the master authenticator node and authenticating the unauthenticated new node to the backbone network.
55. The method as in claim 54 , further comprising enabling the new node, once authenticated to the backbone network, to become a proxy authenticator for an unauthenticated new wireless node.
56. The method as in claim 49 , further comprising using a common group key as part of the encryption scheme for the backbone communications, wherein the group key is used by another key generating method to produce the actual per packet communication encryption key, and the group key is changed periodically and is only valid for a specified period of time, denoted by a start and end time.
57. The method as in claim 56 , further comprising periodically generating, by the master authenticator, a new group key and transmitting the new group key to each node in the backbone network by encrypting the group key using a public key based method that only that destination node can decrypt.
58. The method as in claim 56 , further comprising transmitting, by the master authenticator, the current active group key to a newly authenticated node by encrypting the group key using a public key based method that only the new node can decrypt, the new node then uses the group key to encrypt backbone communication.
59. The method as in claim 56 , wherein each key periodically generated by the master authenticator has a specific valid period, which is specified in each new key transmission, and the received newly generated group key is stored by backbone node devices and only loaded into encryption/decryption engine during the key effective period.
60. The method as in claim 59 , wherein the valid periods of consecutively generated group keys by the master authenticator may overlap at the beginning and ending of their valid periods, during which both group keys are valid and the encrypting node devices use the newer group key to encrypt messages but the decrypting node devices may need to try both to decrypt messages, to ensure smooth group key change.
61. The method as in claim 59 , further comprising providing, by a wireless network node, access service to at least one of the mobile client computing devices becoming an authenticator for authenticating client devices.
62. The method as in claim 61 , wherein one of the wireless network nodes providing access service to at least one of the mobile client computing devices or a separate computer in communication with the wireless network node, being configured as an authentication server for the mobile client computing devices.
63. The method as in claim 62 , further comprising authenticating at least one of the mobile client computing devices by an authenticator and an authentication server using the IEEE 802.1x protocol.
64. The method as in claim 49 , wherein the authentication and encryption mechanisms are the WiFi Protected Access (WPA) scheme modified to allow the authenticator, master authenticator and authentication server to communicate over multiple hops.
65. A computer-readable medium storing a program executed by a wireless computer network in communication with mobile client computing devices comprising client wireless devices, the program causing the wireless computer network to execute the functions further comprising:
providing, by a wireless backbone network, a wireless networking service to the mobile client computing devices, comprising:
providing, by portable wireless network node devices of the wireless backbone network, wireless local access service to the mobile client computing devices in their respective coverage areas,
providing the wireless networking service to forward and deliver communication data of the mobile client computing devices on the wireless backbone network in a multi-hop manner to other of the mobile client computing devices or to other networks in communication with the wireless computer network,
performing routing, by one or more of the portable wireless network node devices,
storing, by the one or more of the portable wireless network node devices, a routing table comprising first data of subnet routes of network layer addresses for the mobile client computing devices and portable wireless network node devices, and second data of subnet routes to gateways for external network addresses and per-host routes of network layer addresses for the mobile client computing devices that have roamed from their initial access service network node coverage area, and per-host routes of link layer addresses for the mobile client computing devices and portable wireless network node devices, and
authenticating, by a backbone network node configured as a master authenticator node and another backbone node configured as an authentication server, an unauthenticated new network node to the backbone network with the assistance of another backbone node configured as a proxy authenticator node for the unauthenticated new network node.
66. The medium as in claim 65 , further comprising:
specifying, by the routing table, the local interface and the neighboring interface to the respective wireless network node device that is the next hop-destination in a routing path, and
updating, by the wireless network node devices performing routing, their routing table by periodically exchanging routing update control messages that include IP addresses and link layer addresses.
67. The computer-readable medium as in claim 66 , further comprising:
providing, by one or more of the portable wireless network node devices, a gateway service, the one or more of the portable network node devices comprising multiple interfaces,
providing, by each gateway service node device having one of the multiple interfaces provides, communication to the wireless backbone network, and
providing, by at least one of the multiple interfaces, communication to the other network in communication with the wireless computer network.
68. The computer-readable medium as in claim 66 , wherein the portable wireless network node devices comprises multiple wireless interfaces, the functions further comprising:
providing, by at least one of the multiple wireless interfaces, local access service for the mobile client computing devices, and
providing, by at least one of the multiple wireless interfaces, communication with the wireless backbone service.
69. The computer-readable medium as in claim 66 , further comprising:
controlling, by internal tables provided in each of the portable wireless network node devices, communications forwarding through one of bridging and routing,
automatically and dynamically, by the wireless computer network, adjusting for the movement of the portable wireless network node devices within the wireless computer network, the introduction of additional portable wireless network node devices to the wireless computer network, and the deletion or failure of current portable wireless network node devices by updating its internal tables controlling communications forwarding either through the bridging or the routing implemented in the portable wireless network node devices.
70. The computer-readable medium as in claim 69 , wherein when the network is operating in routing mode, sharing, by the wireless computer network, an Internet-style, network layer, address space among the portable wireless network node devices and the mobile client computing devices.
71. The computer-readable medium as in claim 70 , further comprising serving, by a portable wireless network node device, as an address manager dynamically assigns a backbone network layer address as well as one or more address space segments from the address space of the wireless computer network to a new portable wireless network node device after the new portable wireless network node device is authenticated to the wireless computer network.
72. The computer-readable medium as in claim 71 , further comprising providing, by the wireless network node device, an internal routable address for the mobile client computing device from the assigned address space segment of the wireless network node device using a procedure comprising a DHCP function on the wireless network node device.
73. The computer-readable medium as in claim 69 , wherein the wireless network node devices forwarding communication data on behalf of the mobile client computing devices using a dynamic routing protocol adapted to the wireless network node devices.
74. The computer-readable medium as in claim 69 , wherein the wireless network node devices forwarding communication data on behalf of mobile client computing devices using a dynamic bridging protocol adapted to the wireless network node devices.
75. The computer-readable medium as in claim 74 , wherein the bridging protocol is based on the IEEE 802.11 WDS links that are dynamically created and removed by the network nodes based on their current local neighboring network node connections.
76. The computer-readable medium as in claim 74 , wherein the wireless network node devices performing bridging store a Bridging Table comprising a local interface and neighboring interfaces to the respective wireless network node devices that are the next hop destination in the bridging path.
77. The computer-readable medium as in claim 76 , wherein the wireless network node devices performing bridging update their Bridging Table by periodically exchanging bridging update control messages that includes link layer addresses for all attached devices and clients.
78. The computer-readable medium as in claim 66 , further comprising serving, by at least one of the wireless network node devices, as a gateway to another network in communication with the wireless computer network, and
automatically determining, in accordance with the network routing protocol, periodically executed by the wireless network node devices, the shortest path routes between mobile client computing devices in the wireless computer network or to the gateway.
79. The computer-readable medium as in claim 69 , further comprising transferring, by the network wireless node devices, authentication information between themselves when a mobile client computing device roams from the coverage area of one wireless network node device to another wireless network node device to establish authentication and local access at the wireless network node device to provide access service.
80. The computer-readable medium as in claim 79 , further comprising maintaining, by the mobile client computing device that roams from the coverage area of one of the wireless network node devices to another of the wireless network node devices, the same address and the routing protocol continues to efficiently route communication data to the mobile client computing device by automatically updating a client-specific host address entry in the routing tables of the wireless network node devices
81. The computer-readable medium as in claim 66 , further comprising providing secure communications by encryption of messages and authentication of the wireless network node devices and the mobile client computing devices.
82. The computer-readable medium as in claim 66 , wherein the wireless computer network further comprising an authentication server in communication with the wireless network node devices, the functions further comprising automatically configuring, by the wireless network node devices, themselves for communication forwarding in the wireless computer network by initiating their operating systems, determining their network addresses when operating in routing mode, contacting the authentication server, obtaining encryption keys and authentication, setting their backbone wireless network and local access service channels, and initiating a dynamic routing or bridging protocol that discovers neighboring wireless network node devices and establishes communication forwarding paths on the backbone wireless network.
83. The computer-readable medium as in claim 81 , further comprising requesting, by the unauthenticated new network node, authentication to the backbone network, the unauthenticated new node in communication with at least one of the already authenticated backbone network nodes, one of these backbone network nodes becoming the proxy authenticator node for the unauthenticated new node and communicating with the master authenticator node to authenticate the unauthenticated new node to the backbone network.
84. The computer-readable medium as in claim 83 , wherein when operating in a routing mode, further comprising:
transmitting, by the unauthenticated new node, identification data to neighboring proxy authenticator nodes,
receiving, by the proxy authenticator nodes, the identification data,
encapsulating the identification data in a message envelope, and
forwarding the encapsulated data to the master authenticator using the routing scheme.
85. The computer-readable medium as in claim 83 , further comprising selecting, by the master authenticator node, one backbone node as the proxy authenticator node if more than one backbone node receives and forwards the new node identification data to the master authenticator.
86. The computer-readable medium as in claim 85 , wherein the wireless computer network further comprising an authentication server in communication with the master authenticator node and authenticating the unauthenticated new node to the backbone network.
87. The computer-readable medium as in claim 86 , further comprising enabling the new node, once authenticated to the backbone network, to become a proxy authenticator for an unauthenticated new wireless node.
88. The computer-readable medium as in claim 81 , further comprising using a common group key as part of the encryption scheme for the backbone communications, wherein the group key is used by another key generating method to produce the actual per packet communication encryption key, and the group key is changed periodically and is only valid for a specified period of time, denoted by a start and end time.
89. The computer-readable medium as in claim 88 , further comprising periodically generating, by the master authenticator, a new group key and transmitting the new group key to each node in the backbone network by encrypting the group key using a public key based method that only that destination node can decrypt.
90. The computer-readable medium as in claim 88 , further comprising transmitting, by the master authenticator, the current active group key to a newly authenticated node by encrypting the group key using a public key based method that only the new node can decrypt, the new node then uses the group key to encrypt backbone communication.
91. The computer-readable medium as in claim 88 , wherein each key periodically generated by the master authenticator has a specific valid period, which is specified in each new key transmission, and the received newly generated group key is stored by backbone node devices and only loaded into encryption/decryption engine during the key effective period.
92. The computer-readable medium as in claim 91 , wherein the valid periods of consecutively generated group keys by the master authenticator may overlap at the beginning and ending of their valid periods, during which both group keys are valid and the encrypting node devices use the newer group key to encrypt messages but the decrypting node devices may need to try both to decrypt messages, to ensure smooth group key change.
93. The computer-readable medium as in claim 91 , further comprising providing, by a wireless network node, access service to at least one of the mobile client computing devices becoming an authenticator for authenticating client devices.
94. The computer-readable medium as in claim 93 , wherein one of the wireless network nodes providing access service to at least one of the mobile client computing devices or a separate computer in communication with the wireless network node, being configured as an authentication server for the mobile client computing devices.
95. The computer-readable medium as in claim 94 , further comprising authenticating at least one of the mobile client computing devices by an authenticator and an authentication server using the IEEE 802.1x protocol.
96. The computer-readable medium as in claim 81 , wherein the authentication and encryption mechanisms are the WiFi Protected Access (WPA) scheme modified to allow the authenticator, master authenticator and authentication server to communicate over multiple hops.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/929,772 US20050152305A1 (en) | 2002-11-25 | 2004-08-31 | Apparatus, method, and medium for self-organizing multi-hop wireless access networks |
JP2004290631A JP4578917B2 (en) | 2003-10-03 | 2004-10-01 | Apparatus, method and medium for self-organizing multi-hop radio access network |
US12/929,662 US8630275B2 (en) | 2002-11-25 | 2011-02-07 | Apparatus, method, and medium for self-organizing multi-hop wireless access networks |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US42870002P | 2002-11-25 | 2002-11-25 | |
US10/463,857 US7634230B2 (en) | 2002-11-25 | 2003-06-18 | Methods and apparatus for secure, portable, wireless and multi-hop data networking |
US50793403A | 2003-10-03 | 2003-10-03 | |
US10/929,772 US20050152305A1 (en) | 2002-11-25 | 2004-08-31 | Apparatus, method, and medium for self-organizing multi-hop wireless access networks |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/463,857 Continuation-In-Part US7634230B2 (en) | 2002-11-25 | 2003-06-18 | Methods and apparatus for secure, portable, wireless and multi-hop data networking |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/929,662 Continuation US8630275B2 (en) | 2002-11-25 | 2011-02-07 | Apparatus, method, and medium for self-organizing multi-hop wireless access networks |
Publications (1)
Publication Number | Publication Date |
---|---|
US20050152305A1 true US20050152305A1 (en) | 2005-07-14 |
Family
ID=46205335
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/929,772 Abandoned US20050152305A1 (en) | 2002-11-25 | 2004-08-31 | Apparatus, method, and medium for self-organizing multi-hop wireless access networks |
US12/929,662 Expired - Fee Related US8630275B2 (en) | 2002-11-25 | 2011-02-07 | Apparatus, method, and medium for self-organizing multi-hop wireless access networks |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/929,662 Expired - Fee Related US8630275B2 (en) | 2002-11-25 | 2011-02-07 | Apparatus, method, and medium for self-organizing multi-hop wireless access networks |
Country Status (1)
Country | Link |
---|---|
US (2) | US20050152305A1 (en) |
Cited By (184)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040103278A1 (en) * | 2002-11-27 | 2004-05-27 | Microsoft Corporation | Native wi-fi architecture for 802.11 networks |
US20040208154A1 (en) * | 2003-03-17 | 2004-10-21 | Junji Suetsugu | Network reconfiguration method, node and link change method, network reconfiguration program, link change program, and recording medium recording the program |
US20040221154A1 (en) * | 2003-05-02 | 2004-11-04 | Sudhir Aggarwal | Mobile security architecture |
US20050041675A1 (en) * | 2003-06-24 | 2005-02-24 | Docomo Communications Laboratories Usa, Inc. | Location privacy for internet protocol networks using cryptographically protected prefixes |
US20050047381A1 (en) * | 2003-01-27 | 2005-03-03 | Proxim Corporation, A Delaware Corporation | System and method for a topology map related to access point usage in a wireless network |
US20050091483A1 (en) * | 2003-09-08 | 2005-04-28 | Koolspan | Subnet box |
US20050215234A1 (en) * | 2004-03-26 | 2005-09-29 | Yasuko Fukuzawa | Common key sharing method and wireless communication terminal in ad hoc network |
US20050220063A1 (en) * | 2004-04-02 | 2005-10-06 | Samsung Electronics Co., Ltd. | Method and apparatus for communicating between coordinator-based wireless networks connected through backbone network |
US20050239456A1 (en) * | 2004-04-26 | 2005-10-27 | Samsung Electronics Co., Ltd. | Method and system for communication between coordinator-based wireless networks |
US20050237993A1 (en) * | 2004-04-26 | 2005-10-27 | Samsung Electronics Co., Ltd. | Method and apparatus for communicating between coordinator-based wireless networks connected through a backbone network |
US20050243787A1 (en) * | 2004-04-29 | 2005-11-03 | Samsung Electronics Co., Ltd. | Method and apparatus for communication between coordinator-based wireless network and different type of network which are interconnected through a backbone network |
US20050265372A1 (en) * | 2004-05-25 | 2005-12-01 | Samsung Electronics Co., Ltd. | Method for communication in coordinator-based wireless network and method for communication between coordinator-based wireless networks connected through backbone network |
US20060058029A1 (en) * | 2004-09-15 | 2006-03-16 | Samsung Electronics Co., Ltd. | Wireless network device and method for reassociation between wireless networks using the wireless network device |
US20060057963A1 (en) * | 2004-09-15 | 2006-03-16 | Samsung Electronics Co., Ltd. | Wireless network device and communication method using the wireless network device |
US20060067246A1 (en) * | 2004-09-24 | 2006-03-30 | Samsung Electronics Co., Ltd. | Method and apparatus assigning network addresses for network devices |
US20060121883A1 (en) * | 2004-08-11 | 2006-06-08 | Stefano Faccin | Apparatus, and associated methods, for facilitating secure, make-before-break hand-off in a radio communication system |
US20060133613A1 (en) * | 2004-12-07 | 2006-06-22 | Eriko Ando | Authentication method of ad hoc network and wireless communication terminal thereof |
US20060168648A1 (en) * | 2005-01-26 | 2006-07-27 | Lockdown Networks, Inc. | Enabling dynamic authentication with different protocols on the same port for a switch |
US20060164199A1 (en) * | 2005-01-26 | 2006-07-27 | Lockdown Networks, Inc. | Network appliance for securely quarantining a node on a network |
US20060218398A1 (en) * | 2005-03-24 | 2006-09-28 | Intel Corporation | Communications security |
US20060215672A1 (en) * | 2005-02-04 | 2006-09-28 | Level 3 Communications, Inc. | Ethernet-based systems and methods for improved network routing |
US20060236377A1 (en) * | 2005-04-19 | 2006-10-19 | Metke Anthony R | System and methods for providing multi-hop access in a communications network |
US20060265601A1 (en) * | 2005-05-20 | 2006-11-23 | Microsoft Corporation | Jpeg2000 syntax-compliant encryption with full scalability |
US20060271676A1 (en) * | 2005-05-06 | 2006-11-30 | Broadcom Corporation | Asynchronous event notification |
US20060268800A1 (en) * | 2005-05-10 | 2006-11-30 | Shigeru Sugaya | Wireless communication system, wireless communication apparatus, wireless communication method, and computer program |
US20070005971A1 (en) * | 2005-07-01 | 2007-01-04 | Cisco Technology, Inc. | Facilitating mobility for a mobile station |
WO2007012786A2 (en) * | 2005-07-29 | 2007-02-01 | France Telecom | Method for using a sequence of authentications |
US20070036110A1 (en) * | 2005-08-10 | 2007-02-15 | Alcatel | Access control of mobile equipment to an IP communication network with dynamic modification of the access policies |
US20070047477A1 (en) * | 2005-08-23 | 2007-03-01 | Meshnetworks, Inc. | Extensible authentication protocol over local area network (EAPOL) proxy in a wireless network for node to node authentication |
WO2007025857A1 (en) * | 2005-08-29 | 2007-03-08 | Siemens Aktiengesellschaft | Method and arrangement for the secure transmission of data in a multi-hop communication system |
EP1763177A1 (en) * | 2005-09-13 | 2007-03-14 | Roke Manor Research Limited | Method of authenticating access points of a wireless network |
US20070060128A1 (en) * | 2005-08-19 | 2007-03-15 | Tae-Young Kil | Apparatus and method for detecting data transmission mode of access point in wireless terminal |
WO2007036402A1 (en) * | 2005-09-29 | 2007-04-05 | Siemens Enterprise Communications Gmbh & Co. Kg | Access element and method for controlling access of a network element |
US20070086429A1 (en) * | 2005-02-04 | 2007-04-19 | Level 3 Communications, Inc. | Systems and Methods for Network Routing in a Multiple Backbone Network Architecture |
US20070091871A1 (en) * | 2005-10-26 | 2007-04-26 | Intel Corporation | Mesh network portal node and method for bridging in mesh networks |
WO2006055197A3 (en) * | 2004-11-15 | 2007-04-26 | Harris Corp | Predictive mobile ad hoc networking including associated systems and methods |
US20070097934A1 (en) * | 2005-11-03 | 2007-05-03 | Jesse Walker | Method and system of secured direct link set-up (DLS) for wireless networks |
US20070101159A1 (en) * | 2005-10-31 | 2007-05-03 | Microsoft Corporation | Total exchange session security |
US20070104160A1 (en) * | 2005-11-10 | 2007-05-10 | The Boeing Company | Interoperable mobile ad hoc network |
US20070110012A1 (en) * | 2005-11-14 | 2007-05-17 | Abu-Amara Hosame H | Device and method for tracking usage of content distributed to media devices of a local area network |
US20070127393A1 (en) * | 2003-11-18 | 2007-06-07 | 4G Systems Gmbh | Device and method for setting up ad hoc networks |
US20070127497A1 (en) * | 2003-01-27 | 2007-06-07 | Terabeam. Inc. | System and method for sending data to a mobile device in a wireless network |
US20070130456A1 (en) * | 2005-12-01 | 2007-06-07 | Airespider Networks, Inc. | On-demand services by wireless base station virtualization |
EP1796339A1 (en) * | 2005-12-08 | 2007-06-13 | Hsin-Hsu Cho | Wireless mobile communication system |
WO2007077619A1 (en) * | 2005-12-28 | 2007-07-12 | Matsushita Electric Industrial Co., Ltd. | Method for selective distribution of communications infrastructure |
US20070162750A1 (en) * | 2005-12-01 | 2007-07-12 | Hartmut Konig | Method for changing a group key in a group of network elements in a network system |
US20070171859A1 (en) * | 2006-01-20 | 2007-07-26 | Cisco Technology Inc. | Intelligent Association of Nodes with PAN Coordinator |
WO2007092700A2 (en) * | 2006-02-03 | 2007-08-16 | Motorola, Inc. | Method and system for facilitating command of a group |
US20070195870A1 (en) * | 2005-11-14 | 2007-08-23 | Lewis James E | Wireless mesh data acquisition network |
US20070218888A1 (en) * | 2004-03-19 | 2007-09-20 | Swisscom Mobile Ag | Wlan Handover |
US20070249324A1 (en) * | 2006-04-24 | 2007-10-25 | Tyan-Shu Jou | Dynamic authentication in secured wireless networks |
US20070263561A1 (en) * | 2006-05-10 | 2007-11-15 | Zohar Tsaba | Techniques to control access point transmissions in wireless networks |
EP1860830A1 (en) * | 2006-05-24 | 2007-11-28 | ista Shared Services GmbH | Method for installing a hierarchical network |
DE102006036109A1 (en) * | 2006-06-01 | 2007-12-06 | Nokia Siemens Networks Gmbh & Co.Kg | Method and system for providing a mesh key |
US20080014954A1 (en) * | 2006-07-13 | 2008-01-17 | Nec Communication Systems, Ltd. | Resource allocation apparatus, central control apparatus, wireless base station, wireless communication system, resource allocation method and resource allocation program in computer-readable medium |
US20080031155A1 (en) * | 2006-08-02 | 2008-02-07 | Motorola, Inc. | Managing establishment and removal of security associations in a wireless mesh network |
US20080045180A1 (en) * | 2006-07-07 | 2008-02-21 | Arcadyan Technology Corporation | Data transmitting method and apparatus applying wireless protected access to a wireless distribution system |
WO2008019943A1 (en) | 2006-08-17 | 2008-02-21 | Siemens Enterprise Communications Gmbh & Co. Kg | Method and arrangement for the creation of a wireless mesh network |
DE102006038592A1 (en) * | 2006-08-17 | 2008-02-21 | Siemens Ag | Method and device for providing a wireless mesh network |
US20080060076A1 (en) * | 2005-01-19 | 2008-03-06 | Lockdown Networks, Inc. | Network appliance for vulnerability assessment auditing over multiple networks |
US20080065884A1 (en) * | 2006-09-07 | 2008-03-13 | Motorola, Inc. | Method and apparatus for establishing security association between nodes of an ad hoc wireless network |
WO2008036660A2 (en) | 2006-09-18 | 2008-03-27 | Marvell International Ltd. | Establishment of ad-hoc networks between multiple devices |
US20080076420A1 (en) * | 2006-09-22 | 2008-03-27 | Amit Khetawat | Method and apparatus for user equipment registration |
US20080076383A1 (en) * | 2006-09-21 | 2008-03-27 | Steve Barrett | Network for confined hazardous or other extreme environments |
US20080076412A1 (en) * | 2006-09-22 | 2008-03-27 | Amit Khetawat | Method and apparatus for registering an access point |
US20080083022A1 (en) * | 2006-09-28 | 2008-04-03 | Yong Lee | Authentication apparatus and method in wireless mesh network |
US20080082698A1 (en) * | 2006-09-29 | 2008-04-03 | Rosemount, Inc. | Wireless handheld configuration device for a securable wireless self-organizing mesh network |
US20080086760A1 (en) * | 2006-10-05 | 2008-04-10 | Microsoft Corporation | Extensible network discovery |
US7370350B1 (en) * | 2002-06-27 | 2008-05-06 | Cisco Technology, Inc. | Method and apparatus for re-authenticating computing devices |
US20080151863A1 (en) * | 2006-02-03 | 2008-06-26 | Level 3 Communications Llc | System and method for switching traffic through a network |
US20080162939A1 (en) * | 2006-12-28 | 2008-07-03 | Yong Lee | Multi-hop wireless network system and authentication method thereof |
US7400733B1 (en) * | 2002-02-27 | 2008-07-15 | Atheros Communications, Inc. | Key refresh at the MAC layer |
DE102007003492A1 (en) * | 2007-01-24 | 2008-08-07 | Siemens Enterprise Communications Gmbh & Co. Kg | Wireless local area network providing method, involves performing authentication and establishment of links based on information correlative to existence of connection by two communication devices |
US20080209524A1 (en) * | 2007-02-23 | 2008-08-28 | Microsoft Corporation | Caching public objects with private connections |
FR2913546A1 (en) * | 2007-03-05 | 2008-09-12 | Bouygues Telecom Sa | METHOD OF EXCHANGING DATA BETWEEN A CONTACTLESS COMMUNICATION TERMINAL AND A MOBILE TELEPHONY TERMINAL. |
US20080226071A1 (en) * | 2007-03-12 | 2008-09-18 | Motorola, Inc. | Method for establishing secure associations within a communication network |
US20080259816A1 (en) * | 2007-04-19 | 2008-10-23 | Archer Charles J | Validating a Cabling Topology in a Distributed Computing System |
US20090010269A1 (en) * | 2004-11-11 | 2009-01-08 | Peter Larsson | Method And Apparatus For Routing Packets |
US20090052674A1 (en) * | 2005-03-04 | 2009-02-26 | Matsushita Electric Industrial Co., Ltd. | Key distribution control apparatus, radio base station apparatus, and communication system |
US20090063851A1 (en) * | 2006-03-20 | 2009-03-05 | Nijdam Mark J | Establishing communications |
US20090077609A1 (en) * | 2006-01-17 | 2009-03-19 | Guillaume Bichot | Gateway For Receiving Digital Television Broadcast Services, Terminal and Corresponding Methods |
US20090089300A1 (en) * | 2007-09-28 | 2009-04-02 | John Vicente | Virtual clustering for scalable network control and management |
US20090086973A1 (en) * | 2007-09-27 | 2009-04-02 | Milind Madhav Buddhikot | Method and Apparatus for Authenticating Nodes in a Wireless Network |
US20090089410A1 (en) * | 2007-09-28 | 2009-04-02 | John Vicente | Entropy-based (self-organizing) stability management |
US7522628B1 (en) * | 2003-11-17 | 2009-04-21 | Bbn Technologies Corp. | Systems and methods for implementing coordinated optical channel access |
US20090109995A1 (en) * | 2007-10-26 | 2009-04-30 | Microsoft Corporation | Ad hoc wireless networking |
WO2009056679A2 (en) * | 2007-10-31 | 2009-05-07 | Eads Secure Networks Oy | End-to-end encrypted communication |
US20090187644A1 (en) * | 2008-01-22 | 2009-07-23 | Fujitsu Limited | Address distribution system and method and program for the same |
US20090185536A1 (en) * | 2005-04-15 | 2009-07-23 | Kapil Sood | Apparatus, system and method capable of pre-allocating and communicating IP address information during wireless communication |
US20090235075A1 (en) * | 2005-06-10 | 2009-09-17 | Seok-Heon Cho | Method for managing group traffic encryption key in wireless portable internet system |
US7599309B2 (en) | 2004-09-17 | 2009-10-06 | Samsung Electronics Co., Ltd. | Method and apparatus for managing cell-by-cell demodulation timings of a user equipment in an asynchronous mobile telecommunication system |
US20090287922A1 (en) * | 2006-06-08 | 2009-11-19 | Ian Herwono | Provision of secure communications connection using third party authentication |
WO2009155231A1 (en) * | 2008-06-19 | 2009-12-23 | Symbol Technologies, Inc. | Methods and apparatus for automatically configuring computing devices for wireless network connections |
US7639652B1 (en) * | 2005-09-28 | 2009-12-29 | Rockwell Collins, Inc. | Inter-channel bridge node communications protocol for TDMA networks |
US20090323972A1 (en) * | 2008-06-27 | 2009-12-31 | University Of Washington | Privacy-preserving location tracking for devices |
US20100002698A1 (en) * | 2008-07-01 | 2010-01-07 | Twisted Pair Solutions, Inc. | Method, apparatus, system, and article of manufacture for reliable low-bandwidth information delivery across mixed-mode unicast and multicast networks |
US20100014444A1 (en) * | 2006-10-12 | 2010-01-21 | Reza Ghanadan | Adaptive message routing for mobile ad hoc networks |
US20100023752A1 (en) * | 2007-12-27 | 2010-01-28 | Motorola, Inc. | Method and device for transmitting groupcast data in a wireless mesh communication network |
US20100042831A1 (en) * | 2005-06-13 | 2010-02-18 | Michael Bahr | Method and System for Secure Transmission of Data in an Ad Hoc Network |
US20100208896A1 (en) * | 2007-12-05 | 2010-08-19 | Canon Kabushiki Kaisha | Communication apparatus and control method thereof |
US20100208897A1 (en) * | 2007-12-05 | 2010-08-19 | Canon Kabushiki Kaisha | Communication apparatus, control method thereof, and storage medium |
US20100265845A1 (en) * | 2005-09-15 | 2010-10-21 | Lampen Patrik | Wireless Local Area Network, Adapter Unit and Equipment |
US20100313246A1 (en) * | 2007-10-05 | 2010-12-09 | Iti Scotland Limited | Distributed protocol for authorisation |
US20100309894A1 (en) * | 2007-09-07 | 2010-12-09 | Telefonaktiebolaget L M Ericsson (Publ) | Method and Apparatuses for Allowing a Nomadic Terminal to Access a Home Network on Layer 2 Level |
US7899188B2 (en) | 2007-05-31 | 2011-03-01 | Motorola Mobility, Inc. | Method and system to authenticate a peer in a peer-to-peer network |
US20110055553A1 (en) * | 2009-08-26 | 2011-03-03 | Lee Sung-Young | Method for controlling user access in sensor networks |
US20110069691A1 (en) * | 2005-05-18 | 2011-03-24 | Samsung Electronics Co., Ltd. | Method of transmitting and receiving data in network environment with wired and wireless networks bridged using relay portal |
US20110107267A1 (en) * | 2009-10-30 | 2011-05-05 | Samsung Electronics Co., Ltd. | Image forming apparatus and menu select and display method thereof |
US20110182426A1 (en) * | 2010-01-25 | 2011-07-28 | Cisco Technology, Inc. | Dynamic Group Creation for Managed Key Servers |
US8036664B2 (en) | 2006-09-22 | 2011-10-11 | Kineto Wireless, Inc. | Method and apparatus for determining rove-out |
US20110283344A1 (en) * | 2010-05-17 | 2011-11-17 | Telefonaktiebolaget L M Ericsson (Publ) | Systems and methods for host authentication |
EP2365673A3 (en) * | 2010-03-03 | 2011-11-23 | Kabushiki Kaisha Toshiba | Electronic apparatus and terminal |
US20120023564A1 (en) * | 2009-04-07 | 2012-01-26 | Telefonaktiebolaget L M Ericsson (Publ) | Attaching a sensor to a wsan |
US20120033652A1 (en) * | 2010-08-03 | 2012-02-09 | Texas Instruments Incorporated | System and Method for Simultaneous Infrastructure and Ad Hoc Networked Communications |
US20120051346A1 (en) * | 2010-08-24 | 2012-03-01 | Quantenna Communications, Inc. | 3-address mode bridging |
CN102404772A (en) * | 2011-10-24 | 2012-04-04 | 深圳市深信服电子科技有限公司 | Method, system and device for analyzing wireless local area network (WLAN) service data |
US8160588B2 (en) | 2001-02-26 | 2012-04-17 | Kineto Wireless, Inc. | Method and apparatus for supporting the handover of a telecommunication session between a licensed wireless system and an unlicensed wireless system |
US20120163180A1 (en) * | 2010-12-28 | 2012-06-28 | Deepak Goel | Systems and Methods for Policy Based Routing for Multiple Hops |
US20120163376A1 (en) * | 2010-12-22 | 2012-06-28 | Juniper Networks, Inc. | Methods and apparatus to route fibre channel frames using reduced forwarding state on an fcoe-to-fc gateway |
US8234264B2 (en) | 2008-02-08 | 2012-07-31 | International Business Machines Corporation | System and method for preferred services in nomadic environments |
US8281392B2 (en) * | 2006-08-11 | 2012-10-02 | Airdefense, Inc. | Methods and systems for wired equivalent privacy and Wi-Fi protected access protection |
KR101207319B1 (en) | 2010-11-04 | 2012-12-03 | 삼성에스디에스 주식회사 | Ieee 802.1x authentication system and method for password management and authentication using the same |
US20120330380A1 (en) * | 2006-08-18 | 2012-12-27 | Medtronic, Inc. | Secure telemetric link |
US20130107792A1 (en) * | 2011-10-28 | 2013-05-02 | Pak Kit Lam | Relaying devices for wireless mesh network |
US8520512B2 (en) * | 2005-01-26 | 2013-08-27 | Mcafee, Inc. | Network appliance for customizable quarantining of a node on a network |
US20130301553A1 (en) * | 2012-05-14 | 2013-11-14 | Broadcom Corporation | System and method for wireless station bridging |
US20130322438A1 (en) * | 2012-05-31 | 2013-12-05 | Red Hat, Inc. | System and method for identifying frames |
US20130343257A1 (en) * | 2008-05-09 | 2013-12-26 | Huawei Technologies Co., Ltd. | Scalable wlan gateway |
US20140036728A1 (en) * | 2011-04-25 | 2014-02-06 | Korea University Research And Business Foundation | Apparatus and method for controlling a backbone network for a sensor network |
US20140056293A1 (en) * | 2005-10-05 | 2014-02-27 | Qualcomm Incorporated | Peer-to-peer communication in ad hoc wireless network |
US20140092765A1 (en) * | 2012-09-25 | 2014-04-03 | Parallel Wireless Inc. | Heterogeneous Self-Organizing Network for Access and Backhaul |
EP2723139A1 (en) * | 2012-10-16 | 2014-04-23 | Roke Manor Research Limited | Method and system for WLAN connection control |
US20140112196A1 (en) * | 2007-07-20 | 2014-04-24 | Broadcom Corporation | Method and system for establishing a connection outside a mesh by including network connectivity information in router configuration messages |
US20140126416A1 (en) * | 2012-11-07 | 2014-05-08 | Haihua YU | Area-limited self-organized network management method, communications apparatus, and system |
US20140126410A1 (en) * | 2012-09-25 | 2014-05-08 | Parallel Wireless Inc. | Heterogeneous Self-Organizing Network for Access and Backhaul |
US8787383B2 (en) | 2007-03-29 | 2014-07-22 | Twisted Pair Solutions, Inc. | Method, apparatus, system, and article of manufacture for providing distributed convergence nodes in a communication network environment |
US20140215572A1 (en) * | 2013-01-30 | 2014-07-31 | Hewlett-Packard Development Company, L.P. | Authenticating Applications to a Network Service |
US20140230013A1 (en) * | 2008-10-22 | 2014-08-14 | Personal Capital Technology Corporation | Secure Network Computing |
US20140250379A1 (en) * | 2007-12-24 | 2014-09-04 | Lg Electronics Inc. | Terminal provided with networking module and method for receiving and transmitting data using the same |
US20140313048A1 (en) * | 2013-04-22 | 2014-10-23 | Ashok Sabata | iCelsius Wireless: Wireless Monitoring with Smart Phones and Tablets |
US20140357214A1 (en) * | 2010-03-04 | 2014-12-04 | Ipcomm Llc | Wireless Social and Safety Network |
US9008312B2 (en) | 2007-06-15 | 2015-04-14 | Koolspan, Inc. | System and method of creating and sending broadcast and multicast data |
US20150139124A1 (en) * | 2013-11-15 | 2015-05-21 | Ricoh Company, Ltd. | Channel power adjustment based on positional information of area restricted self-organizing subnets |
US9071583B2 (en) | 2006-04-24 | 2015-06-30 | Ruckus Wireless, Inc. | Provisioned configuration for automatic wireless connection |
US9092610B2 (en) | 2012-04-04 | 2015-07-28 | Ruckus Wireless, Inc. | Key assignment for a brand |
WO2015175115A1 (en) * | 2014-05-16 | 2015-11-19 | Qualcomm Incorporated | Establishing reliable routes without expensive mesh peering |
US9226146B2 (en) | 2012-02-09 | 2015-12-29 | Ruckus Wireless, Inc. | Dynamic PSK for hotspots |
US20160021595A1 (en) * | 2014-07-21 | 2016-01-21 | Ipcomm Llc | Integrating Mobile Femto-cell Access Point Into Home Appliance Network |
US20160103990A1 (en) * | 2014-02-28 | 2016-04-14 | Ncr Corporation | Unattended Secure Device Authorization |
US20160182683A1 (en) * | 2014-12-22 | 2016-06-23 | Qualcomm Incorporated | Dynamic server/client transition for networked devices |
US20160192241A1 (en) * | 2014-12-25 | 2016-06-30 | Delta Electronics, Inc. | Establishing method for self-organization network of wireless nodes |
CN105743670A (en) * | 2014-12-09 | 2016-07-06 | 华为技术有限公司 | Access control method, system, and access point |
US9608939B2 (en) | 2010-12-22 | 2017-03-28 | Juniper Networks, Inc. | Methods and apparatus to reduce forwarding state on an FCoE-to-FC gateway using port-specific MAC addresses |
US9769655B2 (en) | 2006-04-24 | 2017-09-19 | Ruckus Wireless, Inc. | Sharing security keys with headless devices |
US9792188B2 (en) | 2011-05-01 | 2017-10-17 | Ruckus Wireless, Inc. | Remote cable access point reset |
US9871894B2 (en) | 2008-03-17 | 2018-01-16 | Canon Kabushiki Kaisha | Wireless communication apparatus and processing method thereby |
TWI616110B (en) * | 2017-01-09 | 2018-02-21 | 智易科技股份有限公司 | System and method for backhaul connection management in a lan |
US20180070392A1 (en) * | 2015-08-19 | 2018-03-08 | Yamaha Corporation | Connection method of communication device and the communication device |
CN108200014A (en) * | 2017-12-18 | 2018-06-22 | 北京深思数盾科技股份有限公司 | The method, apparatus and system of server are accessed using intelligent key apparatus |
US10009092B2 (en) | 2013-05-07 | 2018-06-26 | Elbit Systems Land And C4I Ltd. | Mobile ad-hoc network with satellite node |
US10171434B2 (en) * | 2016-04-14 | 2019-01-01 | Airwatch Llc | Managed device scatternet administration |
EP3361824A4 (en) * | 2015-10-09 | 2019-03-06 | Withwin Technology Shenzhen Co., Ltd | Method of controlling radio access equipment and device utilizing same |
US10277686B2 (en) * | 2015-07-29 | 2019-04-30 | Cisco Technology, Inc. | Service discovery optimization in a network based on bloom filter |
US10292047B1 (en) * | 2015-09-23 | 2019-05-14 | Symantec Corporation | Systems and methods for preventing tracking of mobile devices |
US10298561B2 (en) * | 2015-06-30 | 2019-05-21 | Vmware, Inc. | Providing a single session experience across multiple applications |
US10320738B2 (en) * | 2014-12-18 | 2019-06-11 | Huawei Technologies Co., Ltd. | Address allocation method, CGN device, and CGN dual-active system |
US10420170B2 (en) | 2013-10-08 | 2019-09-17 | Parallel Wireless, Inc. | Parameter optimization and event prediction based on cell heuristics |
US10477415B1 (en) * | 2013-09-11 | 2019-11-12 | Star Solutions International Inc. | Portable cellular network system |
US10505845B2 (en) * | 2005-07-21 | 2019-12-10 | Firetide, Inc. | Techniques for enabling the efficient operation of arbitrarily interconnected mesh networks |
CN110708179A (en) * | 2018-07-10 | 2020-01-17 | 福建省天奕网络科技有限公司 | Block chain-based data communication bridging method and storage medium |
AU2016301035B2 (en) * | 2015-07-29 | 2020-10-22 | Airbus Ds Sas | Method for discovering a node of an ad hoc network |
US20210242929A1 (en) * | 2015-12-30 | 2021-08-05 | Futurewei Technologies, Inc. | System and Method for Inter-Basic Service Set Communications |
US11151231B2 (en) | 2007-09-27 | 2021-10-19 | Clevx, Llc | Secure access device with dual authentication |
US11190936B2 (en) * | 2007-09-27 | 2021-11-30 | Clevx, Llc | Wireless authentication system |
US11233630B2 (en) | 2007-09-27 | 2022-01-25 | Clevx, Llc | Module with embedded wireless user authentication |
WO2022040624A1 (en) * | 2020-08-21 | 2022-02-24 | Kara Partners Llc | Opcodeless computing and multi-path encryption systems, methods, and devices |
US11357061B2 (en) * | 2012-11-01 | 2022-06-07 | Samsung Electronics Co., Ltd. | System and method of connecting devices via Wi-Fi network |
CN115085964A (en) * | 2021-03-16 | 2022-09-20 | 西门子股份公司 | Authentication of devices in a communication network of an automation installation |
US11463425B2 (en) * | 2013-02-21 | 2022-10-04 | Fortinet, Inc. | Restricting broadcast and multicast traffic in a wireless network to a VLAN |
US11570205B1 (en) * | 2020-03-20 | 2023-01-31 | Loyalty Iot, Inc. | Anonymous contact tracing with network based hyperlocal authentication |
US11595390B2 (en) * | 2014-12-23 | 2023-02-28 | Mcafee, Llc | Self-organizing trusted networks |
US11811642B2 (en) | 2018-07-27 | 2023-11-07 | GoTenna, Inc. | Vine™: zero-control routing using data packet inspection for wireless mesh networks |
US11899801B2 (en) | 2014-08-12 | 2024-02-13 | NEXRF Corp. | Proximity based authentication system and method |
US11929907B2 (en) | 2022-03-08 | 2024-03-12 | T-Mobile Usa, Inc. | Endpoint assisted selection of routing paths over multiple networks |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8239563B2 (en) | 2004-10-27 | 2012-08-07 | Marvell International Ltd. | Method and apparatus for using multiple links at a handheld device |
US9888393B2 (en) * | 2005-03-10 | 2018-02-06 | Qualocmm Incorporated | Method and apparatus for automatic configuration of wireless communication networks |
CN102474532B (en) * | 2009-08-13 | 2014-08-06 | 国际商业机器公司 | Automatic address range detection for IP networks |
US9026805B2 (en) | 2010-12-30 | 2015-05-05 | Microsoft Technology Licensing, Llc | Key management using trusted platform modules |
WO2012143941A2 (en) * | 2011-04-18 | 2012-10-26 | Ineda Systems Pvt. Ltd | Wireless interface sharing |
JP5838320B2 (en) * | 2011-04-28 | 2016-01-06 | パナソニックIpマネジメント株式会社 | Communication device, authentication device, communication method, and authentication method |
US20130148641A1 (en) * | 2011-12-13 | 2013-06-13 | Cisco Technology, Inc. | Techniques to achieve zero roaming time for workgroup bridge devices |
US9008316B2 (en) | 2012-03-29 | 2015-04-14 | Microsoft Technology Licensing, Llc | Role-based distributed key management |
US9349018B1 (en) * | 2012-07-19 | 2016-05-24 | Mobile Iron, Inc. | Preventing content data leak on mobile devices |
US10015720B2 (en) | 2014-03-14 | 2018-07-03 | GoTenna, Inc. | System and method for digital communication between computing devices |
CN105744524B (en) * | 2016-05-06 | 2019-03-22 | 重庆邮电大学 | Mobile device networking authentication method in a kind of WIA-PA industry wireless network |
US10813169B2 (en) | 2018-03-22 | 2020-10-20 | GoTenna, Inc. | Mesh network deployment kit |
US11456957B2 (en) | 2020-06-25 | 2022-09-27 | Softbank Corp. | Reduced forwarding rules for aerospace net work nodes |
EP4060947B1 (en) * | 2021-03-16 | 2024-08-14 | Siemens Aktiengesellschaft | Authentification of a node in a communication network of an automation system |
Citations (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5768381A (en) * | 1993-09-14 | 1998-06-16 | Chantilley Corporation Limited | Apparatus for key distribution in an encryption system |
US5822309A (en) * | 1995-06-15 | 1998-10-13 | Lucent Technologies Inc. | Signaling and control architecture for an ad-hoc ATM LAN |
US6185612B1 (en) * | 1998-10-29 | 2001-02-06 | Novell, Inc. | Secure distribution and use of weighted network topology information |
US20010033556A1 (en) * | 2000-02-12 | 2001-10-25 | Srikanth Krishnamurthy | Scalable unidirectional routing with zone routing protocol extensions for mobile AD-HOC networks |
US20020031086A1 (en) * | 2000-03-22 | 2002-03-14 | Welin Andrew M. | Systems, processes and integrated circuits for improved packet scheduling of media over packet |
US20020138440A1 (en) * | 2001-03-21 | 2002-09-26 | Vijay Vaidyanathan | Method and system for automatically distributing fees, including a reseller commission, during a digital file transaction |
US20020143855A1 (en) * | 2001-01-22 | 2002-10-03 | Traversat Bernard A. | Relay peers for extending peer availability in a peer-to-peer networking environment |
US20020151300A1 (en) * | 2001-03-16 | 2002-10-17 | Hirohito Suda | Wireless communication system using access points that can be freely set up by users |
US20030016678A1 (en) * | 2001-07-19 | 2003-01-23 | Nec Corporation | Communications network with routing tables for establishing a path without failure by avoiding unreachable nodes |
US20030126262A1 (en) * | 2001-12-27 | 2003-07-03 | Fuji Xerox Co., Ltd. | Method for assigning setting information for conection to external network |
US20040005878A1 (en) * | 2000-09-26 | 2004-01-08 | Hakan Olin | Access point for mobile devices in a packet based network and a method and system for billing in such a network |
US20040064693A1 (en) * | 2002-09-26 | 2004-04-01 | Pabla Kuldipsingh A. | Distributed indexing of identity information in a peer-to-peer network |
US20040078480A1 (en) * | 1997-10-14 | 2004-04-22 | Boucher Laurence B. | Parsing a packet header |
US20040139201A1 (en) * | 2002-06-19 | 2004-07-15 | Mobility Network Systems, Inc. | Method and system for transparently and securely interconnecting a WLAN radio access network into a GPRS/GSM core network |
US20040252715A1 (en) * | 2001-10-16 | 2004-12-16 | Takuro Noda | Transmission/reception apparatus, transmission/reception method, and transmission/reception system |
US20060117113A1 (en) * | 2002-05-16 | 2006-06-01 | Elliott Brig B | Rapidly deployable ad hoc network |
US7664119B2 (en) * | 2001-03-30 | 2010-02-16 | Intel Corporation | Method and apparatus to perform network routing |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6453159B1 (en) | 1999-02-25 | 2002-09-17 | Telxon Corporation | Multi-level encryption system for wireless network |
DE60142750D1 (en) | 2000-10-26 | 2010-09-16 | British Telecomm | OPTIMAL ROUTE PLANNING IN HANDOVER SCENARIOS |
US7155518B2 (en) | 2001-01-08 | 2006-12-26 | Interactive People Unplugged Ab | Extranet workgroup formation across multiple mobile virtual private networks |
US20020183038A1 (en) | 2001-05-31 | 2002-12-05 | Palm, Inc. | System and method for crediting an account associated with a network access node |
US7206294B2 (en) | 2001-08-15 | 2007-04-17 | Meshnetworks, Inc. | Movable access points and repeaters for minimizing coverage and capacity constraints in a wireless communications network and a method for using the same |
US6947768B2 (en) | 2001-09-28 | 2005-09-20 | Kabushiki Kaisha Toshiba | Base station apparatus and terminal apparatus |
US7181214B1 (en) | 2001-11-13 | 2007-02-20 | Meshnetworks, Inc. | System and method for determining the measure of mobility of a subscriber device in an ad-hoc wireless network with fixed wireless routers and wide area network (WAN) access points |
US6925069B2 (en) | 2002-04-19 | 2005-08-02 | Meshnetworks, Inc. | Data network having a wireless local area network with a packet hopping wireless backbone |
US7203487B2 (en) | 2002-04-22 | 2007-04-10 | Intel Corporation | Pre-notification of potential connection loss in wireless local area network |
AU2002255000A1 (en) | 2002-05-01 | 2003-11-17 | Telefonaktiebolaget Lm Ericsson (Publ) | System, apparatus and method for sim-based authentication and encryption in wireless local area network access |
US6879574B2 (en) | 2002-06-24 | 2005-04-12 | Nokia Corporation | Mobile mesh Ad-Hoc networking |
US6850503B2 (en) | 2002-08-06 | 2005-02-01 | Motorola, Inc. | Method and apparatus for effecting a handoff between two IP connections for time critical communications |
DE50207674D1 (en) | 2002-08-16 | 2006-09-07 | Togewa Holding Ag | METHOD AND SYSTEM FOR GSM AUTHENTICATION IN WLAN ROAMING |
-
2004
- 2004-08-31 US US10/929,772 patent/US20050152305A1/en not_active Abandoned
-
2011
- 2011-02-07 US US12/929,662 patent/US8630275B2/en not_active Expired - Fee Related
Patent Citations (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5768381A (en) * | 1993-09-14 | 1998-06-16 | Chantilley Corporation Limited | Apparatus for key distribution in an encryption system |
US5822309A (en) * | 1995-06-15 | 1998-10-13 | Lucent Technologies Inc. | Signaling and control architecture for an ad-hoc ATM LAN |
US20040078480A1 (en) * | 1997-10-14 | 2004-04-22 | Boucher Laurence B. | Parsing a packet header |
US6185612B1 (en) * | 1998-10-29 | 2001-02-06 | Novell, Inc. | Secure distribution and use of weighted network topology information |
US20010033556A1 (en) * | 2000-02-12 | 2001-10-25 | Srikanth Krishnamurthy | Scalable unidirectional routing with zone routing protocol extensions for mobile AD-HOC networks |
US20020031086A1 (en) * | 2000-03-22 | 2002-03-14 | Welin Andrew M. | Systems, processes and integrated circuits for improved packet scheduling of media over packet |
US20040005878A1 (en) * | 2000-09-26 | 2004-01-08 | Hakan Olin | Access point for mobile devices in a packet based network and a method and system for billing in such a network |
US20020143855A1 (en) * | 2001-01-22 | 2002-10-03 | Traversat Bernard A. | Relay peers for extending peer availability in a peer-to-peer networking environment |
US20020151300A1 (en) * | 2001-03-16 | 2002-10-17 | Hirohito Suda | Wireless communication system using access points that can be freely set up by users |
US20020138440A1 (en) * | 2001-03-21 | 2002-09-26 | Vijay Vaidyanathan | Method and system for automatically distributing fees, including a reseller commission, during a digital file transaction |
US7664119B2 (en) * | 2001-03-30 | 2010-02-16 | Intel Corporation | Method and apparatus to perform network routing |
US20030016678A1 (en) * | 2001-07-19 | 2003-01-23 | Nec Corporation | Communications network with routing tables for establishing a path without failure by avoiding unreachable nodes |
US20040252715A1 (en) * | 2001-10-16 | 2004-12-16 | Takuro Noda | Transmission/reception apparatus, transmission/reception method, and transmission/reception system |
US20030126262A1 (en) * | 2001-12-27 | 2003-07-03 | Fuji Xerox Co., Ltd. | Method for assigning setting information for conection to external network |
US20060117113A1 (en) * | 2002-05-16 | 2006-06-01 | Elliott Brig B | Rapidly deployable ad hoc network |
US20040139201A1 (en) * | 2002-06-19 | 2004-07-15 | Mobility Network Systems, Inc. | Method and system for transparently and securely interconnecting a WLAN radio access network into a GPRS/GSM core network |
US20040064693A1 (en) * | 2002-09-26 | 2004-04-01 | Pabla Kuldipsingh A. | Distributed indexing of identity information in a peer-to-peer network |
Cited By (376)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8160588B2 (en) | 2001-02-26 | 2012-04-17 | Kineto Wireless, Inc. | Method and apparatus for supporting the handover of a telecommunication session between a licensed wireless system and an unlicensed wireless system |
US7400733B1 (en) * | 2002-02-27 | 2008-07-15 | Atheros Communications, Inc. | Key refresh at the MAC layer |
US7370350B1 (en) * | 2002-06-27 | 2008-05-06 | Cisco Technology, Inc. | Method and apparatus for re-authenticating computing devices |
US9265088B2 (en) | 2002-11-27 | 2016-02-16 | Microsoft Technology Licensing, Llc | Native Wi-Fi architecture for 802.11 networks |
US8327135B2 (en) | 2002-11-27 | 2012-12-04 | Microsoft Corporation | Native WI-FI architecture for 802.11 networks |
US7698550B2 (en) * | 2002-11-27 | 2010-04-13 | Microsoft Corporation | Native wi-fi architecture for 802.11 networks |
US20070118742A1 (en) * | 2002-11-27 | 2007-05-24 | Microsoft Corporation | Native WI-FI architecture for 802.11 networks |
US20040103278A1 (en) * | 2002-11-27 | 2004-05-27 | Microsoft Corporation | Native wi-fi architecture for 802.11 networks |
US20070127497A1 (en) * | 2003-01-27 | 2007-06-07 | Terabeam. Inc. | System and method for sending data to a mobile device in a wireless network |
US20050047381A1 (en) * | 2003-01-27 | 2005-03-03 | Proxim Corporation, A Delaware Corporation | System and method for a topology map related to access point usage in a wireless network |
US7502349B2 (en) | 2003-01-27 | 2009-03-10 | Proxim Wireless Corporation | System and method for sending data to a mobile device in a wireless network |
US7342899B2 (en) * | 2003-03-17 | 2008-03-11 | Sharp Kabushiki Kaisha | Network reconfiguration method, node and link change method, network reconfiguration program, link change program, and recording medium recording the program |
US20040208154A1 (en) * | 2003-03-17 | 2004-10-21 | Junji Suetsugu | Network reconfiguration method, node and link change method, network reconfiguration program, link change program, and recording medium recording the program |
US7506370B2 (en) * | 2003-05-02 | 2009-03-17 | Alcatel-Lucent Usa Inc. | Mobile security architecture |
US20040221154A1 (en) * | 2003-05-02 | 2004-11-04 | Sudhir Aggarwal | Mobile security architecture |
US7916739B2 (en) * | 2003-06-24 | 2011-03-29 | Ntt Docomo, Inc. | Location privacy for internet protocol networks using cryptographically protected prefixes |
US20050041675A1 (en) * | 2003-06-24 | 2005-02-24 | Docomo Communications Laboratories Usa, Inc. | Location privacy for internet protocol networks using cryptographically protected prefixes |
US7934005B2 (en) * | 2003-09-08 | 2011-04-26 | Koolspan, Inc. | Subnet box |
US20050091483A1 (en) * | 2003-09-08 | 2005-04-28 | Koolspan | Subnet box |
US7522628B1 (en) * | 2003-11-17 | 2009-04-21 | Bbn Technologies Corp. | Systems and methods for implementing coordinated optical channel access |
US20070127393A1 (en) * | 2003-11-18 | 2007-06-07 | 4G Systems Gmbh | Device and method for setting up ad hoc networks |
US7693107B2 (en) * | 2004-03-19 | 2010-04-06 | Swisscom Mobile Ag | WLAN handover for a mobile terminal moving from a first to a second network |
US20070218888A1 (en) * | 2004-03-19 | 2007-09-20 | Swisscom Mobile Ag | Wlan Handover |
US20050215234A1 (en) * | 2004-03-26 | 2005-09-29 | Yasuko Fukuzawa | Common key sharing method and wireless communication terminal in ad hoc network |
US7567673B2 (en) * | 2004-03-26 | 2009-07-28 | Hitachi, Ltd. | Common key sharing method and wireless communication terminal in ad hoc network |
US20050220063A1 (en) * | 2004-04-02 | 2005-10-06 | Samsung Electronics Co., Ltd. | Method and apparatus for communicating between coordinator-based wireless networks connected through backbone network |
US7430194B2 (en) * | 2004-04-02 | 2008-09-30 | Samsung Electronics Co., Ltd. | Method and apparatus for communication between coordinator-based wireless networks connected through backbone network |
US20050239456A1 (en) * | 2004-04-26 | 2005-10-27 | Samsung Electronics Co., Ltd. | Method and system for communication between coordinator-based wireless networks |
US20050237993A1 (en) * | 2004-04-26 | 2005-10-27 | Samsung Electronics Co., Ltd. | Method and apparatus for communicating between coordinator-based wireless networks connected through a backbone network |
US7349413B2 (en) * | 2004-04-26 | 2008-03-25 | Samsung Electronics Co., Ltd. | Method and apparatus for communicating between coordinator-based wireless networks connected through a backbone network |
US7376137B2 (en) * | 2004-04-26 | 2008-05-20 | Samsung Electronics Co., Ltd. | Method and system for communication between coordinator-based wireless networks |
US7417996B2 (en) * | 2004-04-29 | 2008-08-26 | Samsung Electronics Co., Ltd. | Method and apparatus for communication between coordinator-based wireless network and different type of network which are interconnected through a backbone network |
US20050243787A1 (en) * | 2004-04-29 | 2005-11-03 | Samsung Electronics Co., Ltd. | Method and apparatus for communication between coordinator-based wireless network and different type of network which are interconnected through a backbone network |
US7417997B2 (en) * | 2004-05-25 | 2008-08-26 | Samsung Electronics Co., Ltd. | Method for communication in coordinator-based wireless network and method for communication between coordinator-based wireless networks connected through backbone network |
US20050265372A1 (en) * | 2004-05-25 | 2005-12-01 | Samsung Electronics Co., Ltd. | Method for communication in coordinator-based wireless network and method for communication between coordinator-based wireless networks connected through backbone network |
US8019344B2 (en) * | 2004-08-11 | 2011-09-13 | Nokia Corporation | Apparatus, and associated methods, for facilitating secure, make-before-break hand-off in a radio communication system |
US20060121883A1 (en) * | 2004-08-11 | 2006-06-08 | Stefano Faccin | Apparatus, and associated methods, for facilitating secure, make-before-break hand-off in a radio communication system |
US20060057963A1 (en) * | 2004-09-15 | 2006-03-16 | Samsung Electronics Co., Ltd. | Wireless network device and communication method using the wireless network device |
US7417998B2 (en) * | 2004-09-15 | 2008-08-26 | Samsung Electronics Co., Ltd. | Wireless network device and communication method using the wireless network device |
US7450597B2 (en) * | 2004-09-15 | 2008-11-11 | Samsung Electronics Co., Ltd. | Wireless network device and method for reassociation between wireless networks using the wireless network device |
US20060058029A1 (en) * | 2004-09-15 | 2006-03-16 | Samsung Electronics Co., Ltd. | Wireless network device and method for reassociation between wireless networks using the wireless network device |
US7599309B2 (en) | 2004-09-17 | 2009-10-06 | Samsung Electronics Co., Ltd. | Method and apparatus for managing cell-by-cell demodulation timings of a user equipment in an asynchronous mobile telecommunication system |
US20060067246A1 (en) * | 2004-09-24 | 2006-03-30 | Samsung Electronics Co., Ltd. | Method and apparatus assigning network addresses for network devices |
US8139587B2 (en) * | 2004-11-11 | 2012-03-20 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for routing packets |
US20090010269A1 (en) * | 2004-11-11 | 2009-01-08 | Peter Larsson | Method And Apparatus For Routing Packets |
US8717940B2 (en) | 2004-11-15 | 2014-05-06 | Harris Corporation | Predictive mobile ad hoc networking including associated systems and methods |
WO2006055197A3 (en) * | 2004-11-15 | 2007-04-26 | Harris Corp | Predictive mobile ad hoc networking including associated systems and methods |
US7869601B2 (en) * | 2004-12-07 | 2011-01-11 | Hitachi, Ltd. | Authentication method of ad hoc network and wireless communication terminal thereof |
US20060133613A1 (en) * | 2004-12-07 | 2006-06-22 | Eriko Ando | Authentication method of ad hoc network and wireless communication terminal thereof |
US9306967B2 (en) | 2005-01-19 | 2016-04-05 | Callahan Cellular L.L.C. | Network appliance for vulnerability assessment auditing over multiple networks |
US10154057B2 (en) | 2005-01-19 | 2018-12-11 | Callahan Cellular L.L.C. | Network appliance for vulnerability assessment auditing over multiple networks |
US8554903B2 (en) | 2005-01-19 | 2013-10-08 | Vadarro Services Limited Liability Company | Network appliance for vulnerability assessment auditing over multiple networks |
US20080060076A1 (en) * | 2005-01-19 | 2008-03-06 | Lockdown Networks, Inc. | Network appliance for vulnerability assessment auditing over multiple networks |
US11595424B2 (en) | 2005-01-19 | 2023-02-28 | Callahan Cellular L.L.C. | Network appliance for vulnerability assessment auditing over multiple networks |
US8520512B2 (en) * | 2005-01-26 | 2013-08-27 | Mcafee, Inc. | Network appliance for customizable quarantining of a node on a network |
US7810138B2 (en) | 2005-01-26 | 2010-10-05 | Mcafee, Inc. | Enabling dynamic authentication with different protocols on the same port for a switch |
US20100333176A1 (en) * | 2005-01-26 | 2010-12-30 | Mcafee, Inc., A Delaware Corporation | Enabling Dynamic Authentication With Different Protocols on the Same Port for a Switch |
US20060164199A1 (en) * | 2005-01-26 | 2006-07-27 | Lockdown Networks, Inc. | Network appliance for securely quarantining a node on a network |
US8522318B2 (en) | 2005-01-26 | 2013-08-27 | Mcafee, Inc. | Enabling dynamic authentication with different protocols on the same port for a switch |
US9374353B2 (en) | 2005-01-26 | 2016-06-21 | Mcafee, Inc. | Enabling dynamic authentication with different protocols on the same port for a switch |
US10110638B2 (en) | 2005-01-26 | 2018-10-23 | Mcafee, Llc | Enabling dynamic authentication with different protocols on the same port for a switch |
US20060168648A1 (en) * | 2005-01-26 | 2006-07-27 | Lockdown Networks, Inc. | Enabling dynamic authentication with different protocols on the same port for a switch |
US20070086429A1 (en) * | 2005-02-04 | 2007-04-19 | Level 3 Communications, Inc. | Systems and Methods for Network Routing in a Multiple Backbone Network Architecture |
US20090141632A1 (en) * | 2005-02-04 | 2009-06-04 | Level 3 Communication, Llc | Systems and methods for network routing in a multiple backbone network architecture |
US8526446B2 (en) | 2005-02-04 | 2013-09-03 | Level 3 Communications, Llc | Ethernet-based systems and methods for improved network routing |
US8259713B2 (en) | 2005-02-04 | 2012-09-04 | Level 3 Communications, Llc | Systems and methods for network routing in a multiple backbone network architecture |
US8064467B2 (en) * | 2005-02-04 | 2011-11-22 | Level 3 Communications, Llc | Systems and methods for network routing in a multiple backbone network architecture |
US8995451B2 (en) | 2005-02-04 | 2015-03-31 | Level 3 Communications, Llc | Systems and methods for network routing in a multiple backbone network architecture |
US20060215672A1 (en) * | 2005-02-04 | 2006-09-28 | Level 3 Communications, Inc. | Ethernet-based systems and methods for improved network routing |
US7907734B2 (en) * | 2005-03-04 | 2011-03-15 | Panasonic Corporation | Key distribution control apparatus, radio base station apparatus, and communication system |
US20090052674A1 (en) * | 2005-03-04 | 2009-02-26 | Matsushita Electric Industrial Co., Ltd. | Key distribution control apparatus, radio base station apparatus, and communication system |
US7624271B2 (en) * | 2005-03-24 | 2009-11-24 | Intel Corporation | Communications security |
US20060218398A1 (en) * | 2005-03-24 | 2006-09-28 | Intel Corporation | Communications security |
US8300599B2 (en) * | 2005-04-15 | 2012-10-30 | Intel Corporation | Apparatus, system and method capable of pre-allocating and communicating IP address information during wireless communication |
US20090185536A1 (en) * | 2005-04-15 | 2009-07-23 | Kapil Sood | Apparatus, system and method capable of pre-allocating and communicating IP address information during wireless communication |
US20060236377A1 (en) * | 2005-04-19 | 2006-10-19 | Metke Anthony R | System and methods for providing multi-hop access in a communications network |
US8850194B2 (en) * | 2005-04-19 | 2014-09-30 | Motorola Solutions, Inc. | System and methods for providing multi-hop access in a communications network |
US8203964B2 (en) * | 2005-05-06 | 2012-06-19 | Broadcom Corporation | Asynchronous event notification |
US20060271676A1 (en) * | 2005-05-06 | 2006-11-30 | Broadcom Corporation | Asynchronous event notification |
US7804804B2 (en) * | 2005-05-10 | 2010-09-28 | Sony Corporation | Wireless communication system, wireless communication apparatus, wireless communication method, and computer program |
US20060268800A1 (en) * | 2005-05-10 | 2006-11-30 | Shigeru Sugaya | Wireless communication system, wireless communication apparatus, wireless communication method, and computer program |
US20110069691A1 (en) * | 2005-05-18 | 2011-03-24 | Samsung Electronics Co., Ltd. | Method of transmitting and receiving data in network environment with wired and wireless networks bridged using relay portal |
US8081755B2 (en) * | 2005-05-20 | 2011-12-20 | Microsoft Corporation | JPEG2000 syntax-compliant encryption with full scalability |
US20060265601A1 (en) * | 2005-05-20 | 2006-11-23 | Microsoft Corporation | Jpeg2000 syntax-compliant encryption with full scalability |
US20090235075A1 (en) * | 2005-06-10 | 2009-09-17 | Seok-Heon Cho | Method for managing group traffic encryption key in wireless portable internet system |
US8160254B2 (en) * | 2005-06-10 | 2012-04-17 | Samsung Electronics Co., Ltd. | Method for managing group traffic encryption key in wireless portable internet system |
US20100042831A1 (en) * | 2005-06-13 | 2010-02-18 | Michael Bahr | Method and System for Secure Transmission of Data in an Ad Hoc Network |
US20070005971A1 (en) * | 2005-07-01 | 2007-01-04 | Cisco Technology, Inc. | Facilitating mobility for a mobile station |
US8775634B2 (en) | 2005-07-01 | 2014-07-08 | Cisco Technology, Inc. | Facilitating mobility for a mobile station |
US7813511B2 (en) * | 2005-07-01 | 2010-10-12 | Cisco Technology, Inc. | Facilitating mobility for a mobile station |
US20110007742A1 (en) * | 2005-07-01 | 2011-01-13 | Cisco Technology, Inc. | Facilitating Mobility for a Mobile Station |
US10505845B2 (en) * | 2005-07-21 | 2019-12-10 | Firetide, Inc. | Techniques for enabling the efficient operation of arbitrarily interconnected mesh networks |
WO2007012786A3 (en) * | 2005-07-29 | 2007-03-15 | France Telecom | Method for using a sequence of authentications |
WO2007012786A2 (en) * | 2005-07-29 | 2007-02-01 | France Telecom | Method for using a sequence of authentications |
US20070036110A1 (en) * | 2005-08-10 | 2007-02-15 | Alcatel | Access control of mobile equipment to an IP communication network with dynamic modification of the access policies |
US20070060128A1 (en) * | 2005-08-19 | 2007-03-15 | Tae-Young Kil | Apparatus and method for detecting data transmission mode of access point in wireless terminal |
US7801095B2 (en) * | 2005-08-19 | 2010-09-21 | Samsung Electronics Co., Ltd. | Apparatus and method for detecting data transmission mode of access point in wireless terminal |
US20070047477A1 (en) * | 2005-08-23 | 2007-03-01 | Meshnetworks, Inc. | Extensible authentication protocol over local area network (EAPOL) proxy in a wireless network for node to node authentication |
WO2007024357A3 (en) * | 2005-08-23 | 2007-06-07 | Meshnetworks Inc | Extensible authentication protocol over local area network (eapol) proxy in a wireless network for node to node authentication |
KR101008791B1 (en) * | 2005-08-23 | 2011-01-14 | 메시네트웍스, 인코포레이티드 | Extensible authentication protocol over local area networkeapol proxy in a wireless network for node to node authentication |
WO2007025857A1 (en) * | 2005-08-29 | 2007-03-08 | Siemens Aktiengesellschaft | Method and arrangement for the secure transmission of data in a multi-hop communication system |
US20090265550A1 (en) * | 2005-08-29 | 2009-10-22 | Michael Bahr | Method and arrangement for transmitting data in a communication system that employs a multi-hop method |
EP1763177A1 (en) * | 2005-09-13 | 2007-03-14 | Roke Manor Research Limited | Method of authenticating access points of a wireless network |
US20100265845A1 (en) * | 2005-09-15 | 2010-10-21 | Lampen Patrik | Wireless Local Area Network, Adapter Unit and Equipment |
US7639652B1 (en) * | 2005-09-28 | 2009-12-29 | Rockwell Collins, Inc. | Inter-channel bridge node communications protocol for TDMA networks |
US20090165118A1 (en) * | 2005-09-29 | 2009-06-25 | Oliver Veits | Method and Arrangement for Position-Dependent Configuration of a Mobile Appliance |
US9119066B2 (en) | 2005-09-29 | 2015-08-25 | Unify Gmbh & Co. Kg | Method and arrangement for position-dependent configuration of a mobile appliance |
WO2007036402A1 (en) * | 2005-09-29 | 2007-04-05 | Siemens Enterprise Communications Gmbh & Co. Kg | Access element and method for controlling access of a network element |
US20140056293A1 (en) * | 2005-10-05 | 2014-02-27 | Qualcomm Incorporated | Peer-to-peer communication in ad hoc wireless network |
US8942133B2 (en) * | 2005-10-05 | 2015-01-27 | Qualcomm Incorporated | Peer-to-peer communication in ad hoc wireless network |
US8942130B2 (en) | 2005-10-05 | 2015-01-27 | Qualcomm Incorporated | Peer-to-peer communication in ad hoc wireless network |
US20070091871A1 (en) * | 2005-10-26 | 2007-04-26 | Intel Corporation | Mesh network portal node and method for bridging in mesh networks |
US20070101159A1 (en) * | 2005-10-31 | 2007-05-03 | Microsoft Corporation | Total exchange session security |
US8417949B2 (en) * | 2005-10-31 | 2013-04-09 | Microsoft Corporation | Total exchange session security |
US20100070767A1 (en) * | 2005-11-03 | 2010-03-18 | Intel Corporation | Method and system of secured direct link set-up (DLS) for wireless networks |
US20070097934A1 (en) * | 2005-11-03 | 2007-05-03 | Jesse Walker | Method and system of secured direct link set-up (DLS) for wireless networks |
US7995546B2 (en) * | 2005-11-03 | 2011-08-09 | Intel Corporation | Method and system of secured direct link set-up (DLS) for wireless networks |
US9380457B2 (en) | 2005-11-03 | 2016-06-28 | Intel Corporation | Method and system of secured direct link set-up (DLS) for wireless networks |
US7756094B2 (en) * | 2005-11-10 | 2010-07-13 | The Boeing Company | Interoperable mobile ad hoc network |
US20070104160A1 (en) * | 2005-11-10 | 2007-05-10 | The Boeing Company | Interoperable mobile ad hoc network |
US20070110012A1 (en) * | 2005-11-14 | 2007-05-17 | Abu-Amara Hosame H | Device and method for tracking usage of content distributed to media devices of a local area network |
US20070195870A1 (en) * | 2005-11-14 | 2007-08-23 | Lewis James E | Wireless mesh data acquisition network |
WO2007059380A3 (en) * | 2005-11-14 | 2008-04-17 | Motorola Inc | Method for tracking usage of content distributed to lan media devices |
US8009644B2 (en) * | 2005-12-01 | 2011-08-30 | Ruckus Wireless, Inc. | On-demand services by wireless base station virtualization |
US20140066112A1 (en) * | 2005-12-01 | 2014-03-06 | Ruckus Wireless, Inc. | On-demand services by wireless base station virtualization |
US20150133089A1 (en) * | 2005-12-01 | 2015-05-14 | Ruckus Wireless, Inc. | On-demand services by wireless base station virtualization |
US9313798B2 (en) * | 2005-12-01 | 2016-04-12 | Ruckus Wireless, Inc. | On-demand services by wireless base station virtualization |
US20110281609A1 (en) * | 2005-12-01 | 2011-11-17 | Ruckus Wireless, Inc. | On-demand services by wireless base station virtualization |
US7957320B2 (en) * | 2005-12-01 | 2011-06-07 | Brandenburgishe Technishe Universitat Cottbus | Method for changing a group key in a group of network elements in a network system |
US8605697B2 (en) * | 2005-12-01 | 2013-12-10 | Ruckus Wireless, Inc. | On-demand services by wireless base station virtualization |
US20070130456A1 (en) * | 2005-12-01 | 2007-06-07 | Airespider Networks, Inc. | On-demand services by wireless base station virtualization |
US8923265B2 (en) * | 2005-12-01 | 2014-12-30 | Ruckus Wireless, Inc. | On-demand services by wireless base station virtualization |
US20070162750A1 (en) * | 2005-12-01 | 2007-07-12 | Hartmut Konig | Method for changing a group key in a group of network elements in a network system |
EP1796339A1 (en) * | 2005-12-08 | 2007-06-13 | Hsin-Hsu Cho | Wireless mobile communication system |
WO2007077619A1 (en) * | 2005-12-28 | 2007-07-12 | Matsushita Electric Industrial Co., Ltd. | Method for selective distribution of communications infrastructure |
US20100202422A1 (en) * | 2005-12-28 | 2010-08-12 | Panasonic Corporation | Method for selective distribution of communications infrastructure |
EP2373115A1 (en) * | 2005-12-28 | 2011-10-05 | Panasonic Corporation | Method for selective distribution of communications infrastructure |
US8098641B2 (en) | 2005-12-28 | 2012-01-17 | Panasonic Corporation | Method for selective distribution of communications infrastructure |
US20090077609A1 (en) * | 2006-01-17 | 2009-03-19 | Guillaume Bichot | Gateway For Receiving Digital Television Broadcast Services, Terminal and Corresponding Methods |
US20070171859A1 (en) * | 2006-01-20 | 2007-07-26 | Cisco Technology Inc. | Intelligent Association of Nodes with PAN Coordinator |
US8355363B2 (en) * | 2006-01-20 | 2013-01-15 | Cisco Technology, Inc. | Intelligent association of nodes with PAN coordinator |
WO2007092700A3 (en) * | 2006-02-03 | 2008-01-10 | Motorola Inc | Method and system for facilitating command of a group |
US20080151863A1 (en) * | 2006-02-03 | 2008-06-26 | Level 3 Communications Llc | System and method for switching traffic through a network |
US9426092B2 (en) | 2006-02-03 | 2016-08-23 | Level 3 Communications Llc | System and method for switching traffic through a network |
WO2007092700A2 (en) * | 2006-02-03 | 2007-08-16 | Motorola, Inc. | Method and system for facilitating command of a group |
KR100988988B1 (en) | 2006-02-03 | 2010-10-20 | 모토로라 인코포레이티드 | Method and system for facilitating command of a group |
US20090063851A1 (en) * | 2006-03-20 | 2009-03-05 | Nijdam Mark J | Establishing communications |
US9769655B2 (en) | 2006-04-24 | 2017-09-19 | Ruckus Wireless, Inc. | Sharing security keys with headless devices |
US8607315B2 (en) | 2006-04-24 | 2013-12-10 | Ruckus Wireless, Inc. | Dynamic authentication in secured wireless networks |
US20110055898A1 (en) * | 2006-04-24 | 2011-03-03 | Tyan-Shu Jou | Dynamic Authentication in Secured Wireless Networks |
US8272036B2 (en) * | 2006-04-24 | 2012-09-18 | Ruckus Wireless, Inc. | Dynamic authentication in secured wireless networks |
US7788703B2 (en) * | 2006-04-24 | 2010-08-31 | Ruckus Wireless, Inc. | Dynamic authentication in secured wireless networks |
US7669232B2 (en) * | 2006-04-24 | 2010-02-23 | Ruckus Wireless, Inc. | Dynamic authentication in secured wireless networks |
US20090092255A1 (en) * | 2006-04-24 | 2009-04-09 | Ruckus Wireless, Inc. | Dynamic Authentication in Secured Wireless Networks |
US9131378B2 (en) | 2006-04-24 | 2015-09-08 | Ruckus Wireless, Inc. | Dynamic authentication in secured wireless networks |
US20070249324A1 (en) * | 2006-04-24 | 2007-10-25 | Tyan-Shu Jou | Dynamic authentication in secured wireless networks |
US9071583B2 (en) | 2006-04-24 | 2015-06-30 | Ruckus Wireless, Inc. | Provisioned configuration for automatic wireless connection |
US20070263561A1 (en) * | 2006-05-10 | 2007-11-15 | Zohar Tsaba | Techniques to control access point transmissions in wireless networks |
EP1860830A1 (en) * | 2006-05-24 | 2007-11-28 | ista Shared Services GmbH | Method for installing a hierarchical network |
US20090307483A1 (en) * | 2006-06-01 | 2009-12-10 | Nokia Siemens Networks Gmbh & Co.Kg | Method and system for providing a mesh key |
DE102006036109B4 (en) * | 2006-06-01 | 2008-06-19 | Nokia Siemens Networks Gmbh & Co.Kg | Method and system for providing a mesh key |
DE102006036109A1 (en) * | 2006-06-01 | 2007-12-06 | Nokia Siemens Networks Gmbh & Co.Kg | Method and system for providing a mesh key |
US8959333B2 (en) | 2006-06-01 | 2015-02-17 | Nokia Siemens Networks Gmbh & Co. Kg | Method and system for providing a mesh key |
US8738898B2 (en) | 2006-06-08 | 2014-05-27 | British Telecommunications Plc | Provision of secure communications connection using third party authentication |
US20090287922A1 (en) * | 2006-06-08 | 2009-11-19 | Ian Herwono | Provision of secure communications connection using third party authentication |
US20080045180A1 (en) * | 2006-07-07 | 2008-02-21 | Arcadyan Technology Corporation | Data transmitting method and apparatus applying wireless protected access to a wireless distribution system |
US20080014954A1 (en) * | 2006-07-13 | 2008-01-17 | Nec Communication Systems, Ltd. | Resource allocation apparatus, central control apparatus, wireless base station, wireless communication system, resource allocation method and resource allocation program in computer-readable medium |
US8095138B2 (en) * | 2006-07-13 | 2012-01-10 | Nec Communication Systems, Ltd. | Resource allocation apparatus, central control apparatus, wireless base station, wireless communication system, resource allocation method and resource allocation program in computer-readable medium |
US20080031155A1 (en) * | 2006-08-02 | 2008-02-07 | Motorola, Inc. | Managing establishment and removal of security associations in a wireless mesh network |
US7804807B2 (en) * | 2006-08-02 | 2010-09-28 | Motorola, Inc. | Managing establishment and removal of security associations in a wireless mesh network |
US8281392B2 (en) * | 2006-08-11 | 2012-10-02 | Airdefense, Inc. | Methods and systems for wired equivalent privacy and Wi-Fi protected access protection |
DE102006038591B4 (en) * | 2006-08-17 | 2008-07-03 | Siemens Ag | Method and device for providing a wireless mesh network |
US8495360B2 (en) | 2006-08-17 | 2013-07-23 | Siemens Enterprise Communications Gmbh & Co. Kg | Method and arrangement for providing a wireless mesh network |
WO2008019943A1 (en) | 2006-08-17 | 2008-02-21 | Siemens Enterprise Communications Gmbh & Co. Kg | Method and arrangement for the creation of a wireless mesh network |
US8122249B2 (en) | 2006-08-17 | 2012-02-21 | Siemens Enterprise Communications Gmbh & Co. Kg | Method and arrangement for providing a wireless mesh network |
US20100228980A1 (en) * | 2006-08-17 | 2010-09-09 | Siemens Enterprise Communications GmbH & Co. | Method and Arrangement for Providing a Wireless Mesh Network |
DE102006038592B4 (en) * | 2006-08-17 | 2008-07-03 | Siemens Ag | Method and device for providing a wireless mesh network |
US20090172398A1 (en) * | 2006-08-17 | 2009-07-02 | Rainer Falk | Method and Arrangement for Providing a Wireless Mesh Network |
DE102006038591A1 (en) * | 2006-08-17 | 2008-02-21 | Siemens Ag | Method and device for providing a wireless mesh network |
DE102006038592A1 (en) * | 2006-08-17 | 2008-02-21 | Siemens Ag | Method and device for providing a wireless mesh network |
US20120330380A1 (en) * | 2006-08-18 | 2012-12-27 | Medtronic, Inc. | Secure telemetric link |
US9960916B2 (en) * | 2006-08-18 | 2018-05-01 | Medtronic, Inc. | Secure telemetric link |
US8578159B2 (en) * | 2006-09-07 | 2013-11-05 | Motorola Solutions, Inc. | Method and apparatus for establishing security association between nodes of an AD HOC wireless network |
US20080065884A1 (en) * | 2006-09-07 | 2008-03-13 | Motorola, Inc. | Method and apparatus for establishing security association between nodes of an ad hoc wireless network |
KR101434613B1 (en) * | 2006-09-18 | 2014-08-26 | 마벨 인터내셔널 리미티드 | Establishment of ad-hoc networks between multiple devices |
EP2064829A4 (en) * | 2006-09-18 | 2014-01-01 | Marvell Int Ltd | Establishment of ad-hoc networks between multiple devices |
US9025493B2 (en) | 2006-09-18 | 2015-05-05 | Marvell World Trade Ltd. | Establishment of ad-hoc networks between multiple devices |
EP2064829A2 (en) * | 2006-09-18 | 2009-06-03 | Marvell International Ltd. | Establishment of ad-hoc networks between multiple devices |
WO2008036660A2 (en) | 2006-09-18 | 2008-03-27 | Marvell International Ltd. | Establishment of ad-hoc networks between multiple devices |
US20080076383A1 (en) * | 2006-09-21 | 2008-03-27 | Steve Barrett | Network for confined hazardous or other extreme environments |
US8005100B2 (en) * | 2006-09-21 | 2011-08-23 | Active Control Technology Inc. | Network for confined hazardous or other extreme environments |
US20080076420A1 (en) * | 2006-09-22 | 2008-03-27 | Amit Khetawat | Method and apparatus for user equipment registration |
US8204502B2 (en) | 2006-09-22 | 2012-06-19 | Kineto Wireless, Inc. | Method and apparatus for user equipment registration |
US20080076412A1 (en) * | 2006-09-22 | 2008-03-27 | Amit Khetawat | Method and apparatus for registering an access point |
US8036664B2 (en) | 2006-09-22 | 2011-10-11 | Kineto Wireless, Inc. | Method and apparatus for determining rove-out |
US20080083022A1 (en) * | 2006-09-28 | 2008-04-03 | Yong Lee | Authentication apparatus and method in wireless mesh network |
WO2008042074A2 (en) | 2006-09-29 | 2008-04-10 | Rosemount, Inc. | Wireless handheld configuration device for a securable wireless self-organizing mesh network |
WO2008042074A3 (en) * | 2006-09-29 | 2008-08-07 | Rosemount Inc | Wireless handheld configuration device for a securable wireless self-organizing mesh network |
EP2074844A2 (en) * | 2006-09-29 | 2009-07-01 | Rosemount, Inc. | Wireless handheld configuration device for a securable wireless self-organizing mesh network |
US20080082698A1 (en) * | 2006-09-29 | 2008-04-03 | Rosemount, Inc. | Wireless handheld configuration device for a securable wireless self-organizing mesh network |
US9167423B2 (en) | 2006-09-29 | 2015-10-20 | Rosemount Inc. | Wireless handheld configuration device for a securable wireless self-organizing mesh network |
EP2074844A4 (en) * | 2006-09-29 | 2013-07-10 | Rosemount Inc | Wireless handheld configuration device for a securable wireless self-organizing mesh network |
US20080086760A1 (en) * | 2006-10-05 | 2008-04-10 | Microsoft Corporation | Extensible network discovery |
US8245284B2 (en) | 2006-10-05 | 2012-08-14 | Microsoft Corporation | Extensible network discovery |
US7656851B1 (en) * | 2006-10-12 | 2010-02-02 | Bae Systems Information And Electronic Systems Integration Inc. | Adaptive message routing for mobile ad HOC networks |
US20100014444A1 (en) * | 2006-10-12 | 2010-01-21 | Reza Ghanadan | Adaptive message routing for mobile ad hoc networks |
US8423772B2 (en) | 2006-12-28 | 2013-04-16 | Samsung Electronics Co., Ltd. | Multi-hop wireless network system and authentication method thereof |
US20080162939A1 (en) * | 2006-12-28 | 2008-07-03 | Yong Lee | Multi-hop wireless network system and authentication method thereof |
DE102007003492A1 (en) * | 2007-01-24 | 2008-08-07 | Siemens Enterprise Communications Gmbh & Co. Kg | Wireless local area network providing method, involves performing authentication and establishment of links based on information correlative to existence of connection by two communication devices |
DE102007003492B4 (en) * | 2007-01-24 | 2010-04-08 | Siemens Enterprise Communications Gmbh & Co. Kg | Method and device for providing a wireless mesh network |
US8091124B2 (en) | 2007-02-23 | 2012-01-03 | Microsoft Corporation | Caching public objects with private connections |
US20080209524A1 (en) * | 2007-02-23 | 2008-08-28 | Microsoft Corporation | Caching public objects with private connections |
WO2008107437A1 (en) * | 2007-03-05 | 2008-09-12 | Bouygues Telecom | Method of exchanging data between a contactless communication port and a mobile telephone terminal |
FR2913546A1 (en) * | 2007-03-05 | 2008-09-12 | Bouygues Telecom Sa | METHOD OF EXCHANGING DATA BETWEEN A CONTACTLESS COMMUNICATION TERMINAL AND A MOBILE TELEPHONY TERMINAL. |
US20080226071A1 (en) * | 2007-03-12 | 2008-09-18 | Motorola, Inc. | Method for establishing secure associations within a communication network |
US8175272B2 (en) * | 2007-03-12 | 2012-05-08 | Motorola Solutions, Inc. | Method for establishing secure associations within a communication network |
US8787383B2 (en) | 2007-03-29 | 2014-07-22 | Twisted Pair Solutions, Inc. | Method, apparatus, system, and article of manufacture for providing distributed convergence nodes in a communication network environment |
US20080259816A1 (en) * | 2007-04-19 | 2008-10-23 | Archer Charles J | Validating a Cabling Topology in a Distributed Computing System |
US9330230B2 (en) * | 2007-04-19 | 2016-05-03 | International Business Machines Corporation | Validating a cabling topology in a distributed computing system |
US7899188B2 (en) | 2007-05-31 | 2011-03-01 | Motorola Mobility, Inc. | Method and system to authenticate a peer in a peer-to-peer network |
US9008312B2 (en) | 2007-06-15 | 2015-04-14 | Koolspan, Inc. | System and method of creating and sending broadcast and multicast data |
US20140112196A1 (en) * | 2007-07-20 | 2014-04-24 | Broadcom Corporation | Method and system for establishing a connection outside a mesh by including network connectivity information in router configuration messages |
US9198096B2 (en) * | 2007-07-20 | 2015-11-24 | Broadcom Corporation | Method and system for establishing a connection outside a mesh by including network connectivity information in router configuration messages |
US20100309894A1 (en) * | 2007-09-07 | 2010-12-09 | Telefonaktiebolaget L M Ericsson (Publ) | Method and Apparatuses for Allowing a Nomadic Terminal to Access a Home Network on Layer 2 Level |
US9225548B2 (en) * | 2007-09-07 | 2015-12-29 | Telefonaktiebolaget L M Ericsson (Publ) | Method and apparatuses for allowing a nomadic terminal to access a home network on layer 2 level |
US11971967B2 (en) | 2007-09-27 | 2024-04-30 | Clevx, Llc | Secure access device with multiple authentication mechanisms |
US20090086973A1 (en) * | 2007-09-27 | 2009-04-02 | Milind Madhav Buddhikot | Method and Apparatus for Authenticating Nodes in a Wireless Network |
US9198033B2 (en) * | 2007-09-27 | 2015-11-24 | Alcatel Lucent | Method and apparatus for authenticating nodes in a wireless network |
US11190936B2 (en) * | 2007-09-27 | 2021-11-30 | Clevx, Llc | Wireless authentication system |
US11233630B2 (en) | 2007-09-27 | 2022-01-25 | Clevx, Llc | Module with embedded wireless user authentication |
US11151231B2 (en) | 2007-09-27 | 2021-10-19 | Clevx, Llc | Secure access device with dual authentication |
US20090089300A1 (en) * | 2007-09-28 | 2009-04-02 | John Vicente | Virtual clustering for scalable network control and management |
US20090089410A1 (en) * | 2007-09-28 | 2009-04-02 | John Vicente | Entropy-based (self-organizing) stability management |
US8954562B2 (en) | 2007-09-28 | 2015-02-10 | Intel Corporation | Entropy-based (self-organizing) stability management |
US7996510B2 (en) * | 2007-09-28 | 2011-08-09 | Intel Corporation | Virtual clustering for scalable network control and management |
US20100313246A1 (en) * | 2007-10-05 | 2010-12-09 | Iti Scotland Limited | Distributed protocol for authorisation |
US7911990B2 (en) * | 2007-10-26 | 2011-03-22 | Microsoft Corporation | Ad hoc wireless networking |
US8681655B2 (en) | 2007-10-26 | 2014-03-25 | Microsoft Corporation | Ad hoc wireless networking |
US20090109995A1 (en) * | 2007-10-26 | 2009-04-30 | Microsoft Corporation | Ad hoc wireless networking |
US20110134799A1 (en) * | 2007-10-26 | 2011-06-09 | Microsoft Corporation | Ad hoc wireless networking |
US9872202B2 (en) | 2007-10-26 | 2018-01-16 | Microsoft Technology Licensing, Llc | Ad hoc wireless networking |
US9374850B2 (en) | 2007-10-26 | 2016-06-21 | Microsoft Technology Licensing, Llc | Ad hoc wireless networking |
CN101889421A (en) * | 2007-10-31 | 2010-11-17 | 伊兹安全网络有限公司 | End-to-end encrypted communication |
WO2009056679A2 (en) * | 2007-10-31 | 2009-05-07 | Eads Secure Networks Oy | End-to-end encrypted communication |
KR101482696B1 (en) | 2007-10-31 | 2015-01-14 | 까씨디앙 핀란드 오와이 | End-to-end encrypted communication |
WO2009056679A3 (en) * | 2007-10-31 | 2009-07-02 | Eads Secure Networks Oy | End-to-end encrypted communication |
RU2495532C2 (en) * | 2007-10-31 | 2013-10-10 | Кассидиан Финланд Ой | Method and apparatus for end-to-end encrypted communication |
US20100208896A1 (en) * | 2007-12-05 | 2010-08-19 | Canon Kabushiki Kaisha | Communication apparatus and control method thereof |
EP2220809A1 (en) * | 2007-12-05 | 2010-08-25 | Canon Kabushiki Kaisha | Communication apparatus and control method thereof |
US9112676B2 (en) | 2007-12-05 | 2015-08-18 | Canon Kabushiki Kaisha | Communication apparatus, control method thereof, and storage medium |
US8447040B2 (en) * | 2007-12-05 | 2013-05-21 | Canon Kabushiki Kaisha | Communication apparatus, control method thereof, and storage medium |
US20100208897A1 (en) * | 2007-12-05 | 2010-08-19 | Canon Kabushiki Kaisha | Communication apparatus, control method thereof, and storage medium |
EP2220809A4 (en) * | 2007-12-05 | 2014-12-03 | Canon Kk | Communication apparatus and control method thereof |
US9401940B2 (en) | 2007-12-24 | 2016-07-26 | Lg Electronics Inc. | Terminal provided with networking module and method for receiving and transmitting data using the same |
US20140250379A1 (en) * | 2007-12-24 | 2014-09-04 | Lg Electronics Inc. | Terminal provided with networking module and method for receiving and transmitting data using the same |
US20100023752A1 (en) * | 2007-12-27 | 2010-01-28 | Motorola, Inc. | Method and device for transmitting groupcast data in a wireless mesh communication network |
US8335840B2 (en) * | 2008-01-22 | 2012-12-18 | Fujitsu Limited | Address distribution system and method and program for the same |
US20090187644A1 (en) * | 2008-01-22 | 2009-07-23 | Fujitsu Limited | Address distribution system and method and program for the same |
US8234264B2 (en) | 2008-02-08 | 2012-07-31 | International Business Machines Corporation | System and method for preferred services in nomadic environments |
US8688680B2 (en) | 2008-02-08 | 2014-04-01 | International Business Machines Corporation | System and method for preferred services in nomadic environments |
US9378291B2 (en) | 2008-02-08 | 2016-06-28 | International Business Machines Corporation | System and method for preferred services in nomadic environments |
US9871894B2 (en) | 2008-03-17 | 2018-01-16 | Canon Kabushiki Kaisha | Wireless communication apparatus and processing method thereby |
US10659575B2 (en) | 2008-03-17 | 2020-05-19 | Canon Kabushiki Kaisha | Wireless communication apparatus and processing method thereby deciding a providing apparatus for providing a communication parameter for a wireless network |
US20130343257A1 (en) * | 2008-05-09 | 2013-12-26 | Huawei Technologies Co., Ltd. | Scalable wlan gateway |
US10952073B2 (en) * | 2008-05-09 | 2021-03-16 | Huawei Technologies Co., Ltd. | Scalable WLAN gateway |
US9883487B2 (en) * | 2008-05-09 | 2018-01-30 | Huawei Technologies Co., Ltd. | Scalable WLAN gateway |
US11457358B2 (en) * | 2008-05-09 | 2022-09-27 | Huawei Technologies Co., Ltd. | Scalable WLAN gateway |
US10327228B2 (en) * | 2008-05-09 | 2019-06-18 | Huawei Technologies Co., Ltd. | Scalable WLAN gateway |
US20190357179A1 (en) * | 2008-05-09 | 2019-11-21 | Huawei Technologies Co., Ltd. | Scalable wlan gateway |
WO2009155231A1 (en) * | 2008-06-19 | 2009-12-23 | Symbol Technologies, Inc. | Methods and apparatus for automatically configuring computing devices for wireless network connections |
US20090319644A1 (en) * | 2008-06-19 | 2009-12-24 | Symbol Technologies, Inc. | Methods and apparatus for automatically configuring computing devices for wireless network connections |
US8848924B2 (en) * | 2008-06-27 | 2014-09-30 | University Of Washington | Privacy-preserving location tracking for devices |
US20090323972A1 (en) * | 2008-06-27 | 2009-12-31 | University Of Washington | Privacy-preserving location tracking for devices |
US20100002698A1 (en) * | 2008-07-01 | 2010-01-07 | Twisted Pair Solutions, Inc. | Method, apparatus, system, and article of manufacture for reliable low-bandwidth information delivery across mixed-mode unicast and multicast networks |
US8340094B2 (en) * | 2008-07-01 | 2012-12-25 | Twisted Pair Solutions, Inc. | Method, apparatus, system, and article of manufacture for reliable low-bandwidth information delivery across mixed-mode unicast and multicast networks |
US9001826B2 (en) | 2008-07-01 | 2015-04-07 | Twisted Pair Solutions, Inc. | Method, apparatus, system, and article of manufacture for reliable low-bandwidth information delivery across mixed-mode unicast and multicast networks |
US9246901B2 (en) * | 2008-10-22 | 2016-01-26 | Personal Capital Technology Corporation | Secure network computing |
US20140230013A1 (en) * | 2008-10-22 | 2014-08-14 | Personal Capital Technology Corporation | Secure Network Computing |
US20120023564A1 (en) * | 2009-04-07 | 2012-01-26 | Telefonaktiebolaget L M Ericsson (Publ) | Attaching a sensor to a wsan |
US9154476B2 (en) * | 2009-04-07 | 2015-10-06 | Telefonaktiebolaget L M Ericsson (Publ) | Attaching a sensor to a WSAN |
US20110055553A1 (en) * | 2009-08-26 | 2011-03-03 | Lee Sung-Young | Method for controlling user access in sensor networks |
US20110107267A1 (en) * | 2009-10-30 | 2011-05-05 | Samsung Electronics Co., Ltd. | Image forming apparatus and menu select and display method thereof |
US8750507B2 (en) * | 2010-01-25 | 2014-06-10 | Cisco Technology, Inc. | Dynamic group creation for managed key servers |
US20110182426A1 (en) * | 2010-01-25 | 2011-07-28 | Cisco Technology, Inc. | Dynamic Group Creation for Managed Key Servers |
US8635667B2 (en) | 2010-03-03 | 2014-01-21 | Kabushiki Kaisha Toshiba | Electronic apparatus and terminal |
EP2365673A3 (en) * | 2010-03-03 | 2011-11-23 | Kabushiki Kaisha Toshiba | Electronic apparatus and terminal |
US9210271B2 (en) * | 2010-03-04 | 2015-12-08 | Ipcomm | Wireless social and safety network |
US20140357214A1 (en) * | 2010-03-04 | 2014-12-04 | Ipcomm Llc | Wireless Social and Safety Network |
WO2011154861A1 (en) * | 2010-05-17 | 2011-12-15 | Telefonaktiebolaget Lm Ericsson (Publ) | Systems and methods for host authentication |
US20110283344A1 (en) * | 2010-05-17 | 2011-11-17 | Telefonaktiebolaget L M Ericsson (Publ) | Systems and methods for host authentication |
US8495713B2 (en) * | 2010-05-17 | 2013-07-23 | Telefonaktiebolaget L M Ericsson (Publ) | Systems and methods for host authentication |
US8644278B2 (en) * | 2010-08-03 | 2014-02-04 | Texas Instruments Incorporated | System and method for simultaneous infrastructure and ad hoc networked communications |
US20120033652A1 (en) * | 2010-08-03 | 2012-02-09 | Texas Instruments Incorporated | System and Method for Simultaneous Infrastructure and Ad Hoc Networked Communications |
US20120051346A1 (en) * | 2010-08-24 | 2012-03-01 | Quantenna Communications, Inc. | 3-address mode bridging |
KR101207319B1 (en) | 2010-11-04 | 2012-12-03 | 삼성에스디에스 주식회사 | Ieee 802.1x authentication system and method for password management and authentication using the same |
US10027603B1 (en) | 2010-12-22 | 2018-07-17 | Juniper Networks, Inc. | Methods and apparatus to reduce forwarding state on an FCoE-to-FC gateway using port-specific MAC addresses |
US20150245115A1 (en) * | 2010-12-22 | 2015-08-27 | Juniper Networks, Inc. | Methods and apparatus to route fibre channel frames using reduced forwarding state on an fcoe-to-fc gateway |
US9414136B2 (en) * | 2010-12-22 | 2016-08-09 | Juniper Networks, Inc. | Methods and apparatus to route fibre channel frames using reduced forwarding state on an FCoE-to-FC gateway |
US9031072B2 (en) * | 2010-12-22 | 2015-05-12 | Juniper Networks, Inc. | Methods and apparatus to route fibre channel frames using reduced forwarding state on an FCOE-to-FC gateway |
US20120163376A1 (en) * | 2010-12-22 | 2012-06-28 | Juniper Networks, Inc. | Methods and apparatus to route fibre channel frames using reduced forwarding state on an fcoe-to-fc gateway |
US9608939B2 (en) | 2010-12-22 | 2017-03-28 | Juniper Networks, Inc. | Methods and apparatus to reduce forwarding state on an FCoE-to-FC gateway using port-specific MAC addresses |
US20120163180A1 (en) * | 2010-12-28 | 2012-06-28 | Deepak Goel | Systems and Methods for Policy Based Routing for Multiple Hops |
CN103384989A (en) * | 2010-12-28 | 2013-11-06 | 思杰系统有限公司 | Systems and methods for policy based routing for multiple next hops |
US9178805B2 (en) * | 2010-12-28 | 2015-11-03 | Citrix Systems, Inc. | Systems and methods for policy based routing for multiple next hops |
US9380402B2 (en) * | 2011-04-25 | 2016-06-28 | Korea University Research and Business Machines | Apparatus and method for controlling a backbone network for a sensor network |
US20140036728A1 (en) * | 2011-04-25 | 2014-02-06 | Korea University Research And Business Foundation | Apparatus and method for controlling a backbone network for a sensor network |
US9792188B2 (en) | 2011-05-01 | 2017-10-17 | Ruckus Wireless, Inc. | Remote cable access point reset |
CN102404772A (en) * | 2011-10-24 | 2012-04-04 | 深圳市深信服电子科技有限公司 | Method, system and device for analyzing wireless local area network (WLAN) service data |
US20130107792A1 (en) * | 2011-10-28 | 2013-05-02 | Pak Kit Lam | Relaying devices for wireless mesh network |
US9474100B2 (en) * | 2011-10-28 | 2016-10-18 | P2 Mobile Technologies Limited | Relaying devices for wireless mesh network |
US9596605B2 (en) | 2012-02-09 | 2017-03-14 | Ruckus Wireless, Inc. | Dynamic PSK for hotspots |
US9226146B2 (en) | 2012-02-09 | 2015-12-29 | Ruckus Wireless, Inc. | Dynamic PSK for hotspots |
US10182350B2 (en) | 2012-04-04 | 2019-01-15 | Arris Enterprises Llc | Key assignment for a brand |
US9092610B2 (en) | 2012-04-04 | 2015-07-28 | Ruckus Wireless, Inc. | Key assignment for a brand |
US9504089B2 (en) * | 2012-05-14 | 2016-11-22 | Broadcom Corporation | System and method for wireless station bridging |
US20130301553A1 (en) * | 2012-05-14 | 2013-11-14 | Broadcom Corporation | System and method for wireless station bridging |
US20130322438A1 (en) * | 2012-05-31 | 2013-12-05 | Red Hat, Inc. | System and method for identifying frames |
US9712559B2 (en) * | 2012-05-31 | 2017-07-18 | Red Hat, Inc. | Identifying frames |
US20140126410A1 (en) * | 2012-09-25 | 2014-05-08 | Parallel Wireless Inc. | Heterogeneous Self-Organizing Network for Access and Backhaul |
US10015681B2 (en) | 2012-09-25 | 2018-07-03 | Parallel Wireless, Inc. | Heterogeneous self-organizing network for access and backhaul |
US20140092765A1 (en) * | 2012-09-25 | 2014-04-03 | Parallel Wireless Inc. | Heterogeneous Self-Organizing Network for Access and Backhaul |
US9107092B2 (en) * | 2012-09-25 | 2015-08-11 | Parallel Wireless, Inc. | Heterogeneous self-organizing network for access and backhaul |
US9113352B2 (en) * | 2012-09-25 | 2015-08-18 | Parallel Wireless, Inc. | Heterogeneous self-organizing network for access and backhaul |
US9380633B2 (en) | 2012-10-16 | 2016-06-28 | Roke Manor Research Limited | Method and system for WLAN connection control |
EP2723139A1 (en) * | 2012-10-16 | 2014-04-23 | Roke Manor Research Limited | Method and system for WLAN connection control |
US11357061B2 (en) * | 2012-11-01 | 2022-06-07 | Samsung Electronics Co., Ltd. | System and method of connecting devices via Wi-Fi network |
US11818779B2 (en) | 2012-11-01 | 2023-11-14 | Samsung Electronics Co., Ltd. | System and method of connecting devices via Wi-Fi network |
US20140126416A1 (en) * | 2012-11-07 | 2014-05-08 | Haihua YU | Area-limited self-organized network management method, communications apparatus, and system |
US9326315B2 (en) * | 2012-11-07 | 2016-04-26 | Ricoh Company, Ltd. | Area-limited self-organized network management method, communications apparatus, and system |
US10104060B2 (en) * | 2013-01-30 | 2018-10-16 | Hewlett Packard Enterprise Development Lp | Authenticating applications to a network service |
US20140215572A1 (en) * | 2013-01-30 | 2014-07-31 | Hewlett-Packard Development Company, L.P. | Authenticating Applications to a Network Service |
US11463425B2 (en) * | 2013-02-21 | 2022-10-04 | Fortinet, Inc. | Restricting broadcast and multicast traffic in a wireless network to a VLAN |
US20140313048A1 (en) * | 2013-04-22 | 2014-10-23 | Ashok Sabata | iCelsius Wireless: Wireless Monitoring with Smart Phones and Tablets |
US9706267B2 (en) * | 2013-04-22 | 2017-07-11 | Aginova Inc. | iCelsius wireless: wireless monitoring with smart phones and tablets |
US10009092B2 (en) | 2013-05-07 | 2018-06-26 | Elbit Systems Land And C4I Ltd. | Mobile ad-hoc network with satellite node |
US10477415B1 (en) * | 2013-09-11 | 2019-11-12 | Star Solutions International Inc. | Portable cellular network system |
US10420170B2 (en) | 2013-10-08 | 2019-09-17 | Parallel Wireless, Inc. | Parameter optimization and event prediction based on cell heuristics |
US9544858B2 (en) * | 2013-11-15 | 2017-01-10 | Ricoh Company, Ltd. | Channel power adjustment based on positional information of area restricted self-organizing subnets |
US20150139124A1 (en) * | 2013-11-15 | 2015-05-21 | Ricoh Company, Ltd. | Channel power adjustment based on positional information of area restricted self-organizing subnets |
US9946866B2 (en) * | 2014-02-28 | 2018-04-17 | Ncr Corporation | Unattended secure device authorization |
US20160103990A1 (en) * | 2014-02-28 | 2016-04-14 | Ncr Corporation | Unattended Secure Device Authorization |
CN106416184A (en) * | 2014-05-16 | 2017-02-15 | 高通股份有限公司 | Establishing reliable routes without expensive mesh peering |
US9392525B2 (en) | 2014-05-16 | 2016-07-12 | Qualcomm Incorporated | Establishing reliable routes without expensive mesh peering |
WO2015175115A1 (en) * | 2014-05-16 | 2015-11-19 | Qualcomm Incorporated | Establishing reliable routes without expensive mesh peering |
US20160021595A1 (en) * | 2014-07-21 | 2016-01-21 | Ipcomm Llc | Integrating Mobile Femto-cell Access Point Into Home Appliance Network |
US9674759B2 (en) * | 2014-07-21 | 2017-06-06 | Ipcomm | Integrating mobile femto-cell access point into home appliance network |
US11899801B2 (en) | 2014-08-12 | 2024-02-13 | NEXRF Corp. | Proximity based authentication system and method |
CN105743670A (en) * | 2014-12-09 | 2016-07-06 | 华为技术有限公司 | Access control method, system, and access point |
US10289504B2 (en) | 2014-12-09 | 2019-05-14 | Huawei Technologies Co., Ltd. | Access control method and system, and access point |
US10320738B2 (en) * | 2014-12-18 | 2019-06-11 | Huawei Technologies Co., Ltd. | Address allocation method, CGN device, and CGN dual-active system |
US20160182683A1 (en) * | 2014-12-22 | 2016-06-23 | Qualcomm Incorporated | Dynamic server/client transition for networked devices |
WO2016106082A3 (en) * | 2014-12-22 | 2016-09-15 | Qualcomm Incorporated | Dynamic server/client transition for networked devices |
US11595390B2 (en) * | 2014-12-23 | 2023-02-28 | Mcafee, Llc | Self-organizing trusted networks |
US20160192241A1 (en) * | 2014-12-25 | 2016-06-30 | Delta Electronics, Inc. | Establishing method for self-organization network of wireless nodes |
US9801218B2 (en) * | 2014-12-25 | 2017-10-24 | Delta Electronics, Inc. | Establishing method for self-organization network of wireless nodes |
US10298561B2 (en) * | 2015-06-30 | 2019-05-21 | Vmware, Inc. | Providing a single session experience across multiple applications |
US10277686B2 (en) * | 2015-07-29 | 2019-04-30 | Cisco Technology, Inc. | Service discovery optimization in a network based on bloom filter |
AU2016301035B2 (en) * | 2015-07-29 | 2020-10-22 | Airbus Ds Sas | Method for discovering a node of an ad hoc network |
US10912009B2 (en) * | 2015-07-29 | 2021-02-02 | Airbus Defence And Space Sas | Method for discovering a node of an ad hoc network |
US20180070392A1 (en) * | 2015-08-19 | 2018-03-08 | Yamaha Corporation | Connection method of communication device and the communication device |
US10694553B2 (en) * | 2015-08-19 | 2020-06-23 | Yamaha Corporation | Connection method of communication device and the communication device |
US10292047B1 (en) * | 2015-09-23 | 2019-05-14 | Symantec Corporation | Systems and methods for preventing tracking of mobile devices |
EP3361824A4 (en) * | 2015-10-09 | 2019-03-06 | Withwin Technology Shenzhen Co., Ltd | Method of controlling radio access equipment and device utilizing same |
US20210242929A1 (en) * | 2015-12-30 | 2021-08-05 | Futurewei Technologies, Inc. | System and Method for Inter-Basic Service Set Communications |
US10171434B2 (en) * | 2016-04-14 | 2019-01-01 | Airwatch Llc | Managed device scatternet administration |
TWI616110B (en) * | 2017-01-09 | 2018-02-21 | 智易科技股份有限公司 | System and method for backhaul connection management in a lan |
CN108200014A (en) * | 2017-12-18 | 2018-06-22 | 北京深思数盾科技股份有限公司 | The method, apparatus and system of server are accessed using intelligent key apparatus |
CN110708179A (en) * | 2018-07-10 | 2020-01-17 | 福建省天奕网络科技有限公司 | Block chain-based data communication bridging method and storage medium |
US11811642B2 (en) | 2018-07-27 | 2023-11-07 | GoTenna, Inc. | Vine™: zero-control routing using data packet inspection for wireless mesh networks |
US11570205B1 (en) * | 2020-03-20 | 2023-01-31 | Loyalty Iot, Inc. | Anonymous contact tracing with network based hyperlocal authentication |
US11876830B2 (en) | 2020-03-20 | 2024-01-16 | Loyalty Iot, Inc. | Network based hyperlocal authentication |
WO2022040624A1 (en) * | 2020-08-21 | 2022-02-24 | Kara Partners Llc | Opcodeless computing and multi-path encryption systems, methods, and devices |
US11843696B2 (en) * | 2020-08-21 | 2023-12-12 | Kara Partners Llc | Opcodeless computing and multi-path encryption systems, methods, and devices |
EP4060946A1 (en) * | 2021-03-16 | 2022-09-21 | Siemens Aktiengesellschaft | Authentification of a device in a communication network of an automation system |
CN115085964A (en) * | 2021-03-16 | 2022-09-20 | 西门子股份公司 | Authentication of devices in a communication network of an automation installation |
US11929907B2 (en) | 2022-03-08 | 2024-03-12 | T-Mobile Usa, Inc. | Endpoint assisted selection of routing paths over multiple networks |
Also Published As
Publication number | Publication date |
---|---|
US20110200026A1 (en) | 2011-08-18 |
US8630275B2 (en) | 2014-01-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8630275B2 (en) | Apparatus, method, and medium for self-organizing multi-hop wireless access networks | |
US8688041B2 (en) | Methods and apparatus for secure, portable, wireless and multi-hop data networking | |
JP4578917B2 (en) | Apparatus, method and medium for self-organizing multi-hop radio access network | |
US8270382B2 (en) | System and method for securing mesh access points in a wireless mesh network, including rapid roaming | |
KR101054202B1 (en) | Secure authentication and key management within infrastructure-based wireless multihop networks | |
US7814322B2 (en) | Discovery and authentication scheme for wireless mesh networks | |
US8661510B2 (en) | Topology based fast secured access | |
WO2014040481A1 (en) | Authentication method and system for wireless mesh network | |
AU2009251887A1 (en) | Authentication and key establishment in wireless sensor networks | |
KR20080041266A (en) | Extensible authentication protocol over local area network(eapol) proxy in a wireless network for node to node authentication | |
Qazi et al. | Securing wireless mesh networks with ticket-based authentication | |
KR100686736B1 (en) | The method of joining in the mobile ad-hoc network through the authentication | |
Lee et al. | Dynamic distributed authentication scheme for wireless LAN-based mesh networks | |
Lee | A novel design and implementation of DoS-resistant authentication and seamless handoff scheme for enterprise WLANs | |
Moustafa | Providing authentication, trust, and privacy in wireless mesh networks | |
Lee et al. | Efficient distributed authentication method with local proxy for wireless mesh networks | |
DeCarlo et al. | Distributed trust relationship and polynomial key generation for IEEE 802.16 m networks | |
Saay | Toward authentication mechanisms for Wi-Fi mesh networks | |
Li et al. | Self-organizing security scheme for multi-hop wireless access networks | |
Dunmore et al. | of Deliverable: Framework for the Support of IPv6 Wireless LANs |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: FUJITSU LIMITED, JAPAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:JI, LUSHENG;FELDMAN, BRIAN;AGRE, JONATHAN RUSSELL;REEL/FRAME:016412/0083;SIGNING DATES FROM 20050304 TO 20050321 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |