Patent

Communication between a private network and a roaming mobile terminal

TL;DR: In this paper, the authors propose a protocol that includes a security association between the mobile node and the gateway for inbound communication and another security association for outbound communication, which provides security protection for the private network.
Abstract: Communication between a private network (1) and a roaming mobile terminal (4), the private network (1) including a home agent (5) for the mobile terminal and a gateway (2, 3) through which the communication passes and which provides security protection for the private network (1). The protocols of the communication include security association bundles that each include a security association between the mobile terminal (4) and the gateway (2, 3) for inbound communication and another security association for outbound communication. In response to a handover of communication causing an IP address (MN CoA) of the mobile terminal (4) to change to a new IP address (MN New CoA), the mobile terminal updates its inbound security association from the gateway (2, 3) so that it can receive packets sent to it with the new IP address (MN New CoA) as destination. It sends a first signalling message with the home agent (5) as destination in a secure tunnel (20') to the gateway (2, 3), indicating the new IP address (MN New CoA) in secure form to the home agent (5). The inbound security association of the gateway (2, 3) from the mobile terminal (4) accepts the first signalling message without checking its source address. The gateway (2, 3) forwards the first signalling message within the private network (1) to the home agent (5); the home agent (5) checks the validity of the first signalling message and, if it is valid, updates its address data and sends a second signalling message to the gateway (2, 3) indicating the new address (MN New CoA). The gateway (2, 3) updates its outbound security association with the mobile terminal (4) in response to the new address (MN New CoA) indicated. Preferably, communication between the mobile node (4) and the gateway (2, 3) is in accordance with IPsec and an Encapsulating Security Payload protocol used in tunnel mode. Preferably, a registration reply for the mobile node (4) is included in the second signalling message.
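The handover signalling described in the abstract, as an added simulation that is not part of the patent text: the gateway's inbound SA accepts the tunnelled message by SPI alone (no source-address check), the home agent is the only party that validates it, and the gateway's outbound SA moves to the new care-of address only after the home agent's second message. The shared key, SPI values, addresses and message layout are assumptions; the HMAC check stands in for whatever validity check the home agent uses.

```python
import hmac, hashlib
from dataclasses import dataclass

# Assumed mobile node / home agent authentication key (constructed for this example).
MN_HA_KEY = b"mn-ha-shared-key"

def authenticator(key, mn_id, new_coa):
    # Binds the new care-of address to the mobile node identity.
    return hmac.new(key, mn_id.encode() + new_coa.encode(), hashlib.sha256).digest()

@dataclass
class SecurityAssociation:
    spi: int
    peer_addr: str   # MN address the SA is bound to

@dataclass
class Gateway:
    inbound: SecurityAssociation    # MN -> gateway; source address not checked
    outbound: SecurityAssociation   # gateway -> MN; updated only on HA's second message
    def receive_tunnelled(self, pkt):
        # ESP tunnel mode: the SA is selected by SPI, so the packet is accepted
        # even though pkt["src"] is the new, not yet known, care-of address.
        if pkt["spi"] != self.inbound.spi:
            return None
        return pkt["inner"]   # forwarded into the private network towards the HA
    def on_second_signalling(self, msg):
        self.outbound.peer_addr = msg["new_coa"]

@dataclass
class HomeAgent:
    bindings: dict
    def check_and_update(self, msg):
        expected = authenticator(MN_HA_KEY, msg["mn"], msg["new_coa"])
        if not hmac.compare_digest(expected, msg["auth"]):
            return None   # invalid first signalling message: nothing changes
        self.bindings[msg["mn"]] = msg["new_coa"]
        return {"reg_reply": "accepted", "new_coa": msg["new_coa"]}

def handover(gw, ha, mn_id, new_coa, key=MN_HA_KEY):
    # First signalling message: built by the MN, addressed to the HA, carried in
    # the MN -> gateway tunnel with the new care-of address as outer source.
    first = {"spi": gw.inbound.spi, "src": new_coa,
             "inner": {"dst": "HA", "mn": mn_id, "new_coa": new_coa,
                       "auth": authenticator(key, mn_id, new_coa)}}
    inner = gw.receive_tunnelled(first)
    second = ha.check_and_update(inner) if inner else None
    if second is None:
        return False          # gateway outbound SA stays on the old address
    gw.on_second_signalling(second)
    return True
```

A message built with the wrong key passes the gateway but is rejected by the home agent, so the outbound SA is never redirected.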
Citations
Patent
Petros Belimpasakis
15 Nov 2007
TL;DR: In this article, a mobile device is configured to remotely access a private network via a gateway coupled to the private network, and the first and second network parameters are stored on the mobile device.
Abstract: Configuring a mobile device to remotely access a private network involves determining, via the private network, first network parameters that enable the mobile device to utilize a computing service of the private network. The device also determines, via a gateway coupled to the private network, second network parameters that allow the mobile device to utilize the computing service via a public network. The first and second network parameters are stored on the mobile device. A request is received from a user of the mobile device to access the computing service. It is determined that the mobile device is not on the private network. In response to determining that the mobile device is not on the private network, the second network parameters are utilized to access the computing service via the gateway in response to the request.

222 citations

Patent
29 Oct 2004
TL;DR: Secure tunneled multicast transmission and reception through a network is provided in this article, where a join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined.
Abstract: Secure tunneled multicast transmission and reception through a network is provided. A join request may be received from a second tunnel endpoint, the join request indicating a multicast group to be joined. Group keys may be transmitted to the second tunnel endpoint, where the group keys are based at least on the multicast group. A packet received at the first tunnel endpoint may be cryptographically processed to generate an encapsulated payload. A header may be appended to the encapsulated payload to form an encapsulated packet, wherein the header includes information associated with the second tunnel endpoint. A tunnel may be established between the first tunnel endpoint and the second tunnel endpoint based on the appended header. The encapsulated packet may be transmitted through the tunnel to the second tunnel endpoint. The second tunnel endpoint may receive the encapsulated packet. Cryptographic processing of the encapsulated packet may reveal the packet having a second header. The packet may then be forwarded on an interface toward at least one multicast recipient identified in the second header.

83 citations

Patent
23 Jul 2012
TL;DR: In this article, the authors describe a mobile virtual private network (VPN) in which service provider networks cooperate to dynamically extend a virtual routing area of a home service provider network to the edge of a visited service providers network and thereby enable IP address continuity for a roaming wireless device.
Abstract: In general, a mobile virtual private network (VPN) is described in which service provider networks cooperate to dynamically extend a virtual routing area of a home service provider network to the edge of a visited service provider network and thereby enable IP address continuity for a roaming wireless device. In one example, a home service provider network allocates an IP address to a wireless device and establishes a mobile VPN. The home service provider network dynamically provisions a visited service provider network with the mobile VPN, when the wireless device attaches to an access network served by the visited service provider network, to enable the wireless device to exchange network traffic with the visited service provider network using the IP address allocated by the home service provider network.

77 citations

Patent
Durga Prasad Malladi
21 Aug 2007
TL;DR: In this paper, a method for a wireless communication system determining a location in time of a sub-frame when SFN transmission for data will occur is presented, wherein the transmission patterns indicate the symbols and tones of a Sub-frame to use for reference signals.
Abstract: The application discloses a method for a wireless communication system that determines a location in time of a sub-frame in which SFN transmission of data will occur. The method determines a first transmission pattern and a second transmission pattern for reference signals, wherein the transmission patterns indicate the symbols and tones of a sub-frame to use for reference signals. It selects, between the first transmission pattern and the second transmission pattern for reference signals, depending on whether SFN data will be transmitted in the sub-frame, and broadcasts information about the selected transmission pattern prior to its use.

59 citations

Patent
Rajeev Koodli, Dan Forsberg
28 Apr 2006
TL;DR: In this article, the authors proposed a mechanism for establishing a secure communication between network elements in a communication network by using a secure channel between the authentication network element and the gateway element.
Abstract: There is proposed a mechanism for establishing a secure communication between network elements in a communication network. The network nodes execute an authentication procedure with an authentication network element. The authentication network element may also select one of the network elements as a gateway element. Then, a respective data key for each authenticated network element is generated and distributed to the gateway element by using a secure channel between the authentication network element and the gateway element. The data keys are stored in the gateway element. When a secure communication is to be set up, a respective session key is generated in the network elements intending to participate in the secure communication. The session keys are exchanged between the network elements intending to participate in the secure communication via secure channels between the gateway element and the network elements.

45 citations

References
Patent
05 Dec 2000
TL;DR: In this article, the authors propose a network-based mobile workgroup system, which provides seamless mobility across a number of access technologies at the same time as it offers a granular security separation down to workgroup level.
Abstract: A network-based mobile workgroup system has considerably wider appeal and application than normal virtual private networks in that it provides seamless mobility across a number of access technologies at the same time as it offers a granular security separation down to workgroup level. The mobile workgroup system is an access management system for mobile users with VPN and firewall functionality inbuilt. The mobile user can access the mobile workgroup system over a set of access technologies and select server resources and correspondent nodes to access pending their workgroup membership approvals. All workgroup policy rules are defined in a mobile service manager and pushed down to one or more mobile service routers for policy enforcement. The mobile service router closest to the mobile client, and being part of the mobile virtual private network, performs regular authentication checks of the mobile client during service execution. At the same time it performs traffic filtering based on the mobile user's workgroup memberships. Together, these two components constitute an unprecedented security lock, effectively isolating a distributed workgroup into a mobile virtual private network.

545 citations

01 Jun 2004
TL;DR: This document discusses these requirements in more depth, illustrates the used packet formats, describes suitable configuration procedures, and shows how implementations can process the packets in the right order.
Abstract: Mobile IPv6 uses IPsec to protect signaling between the home agent and the mobile node. Mobile IPv6 base document defines the main requirements these nodes must follow. This document discusses these requirements in more depth, illustrates the used packet formats, describes suitable configuration procedures, and shows how implementations can process the packets in the right order.

250 citations

Patent
08 Mar 2001
TL;DR: In this article, a VPN setting service using an IP Sec. tunnel between optional terminals without requiring these terminals to have a specific VPN function is presented, where a home authentication server extracts from the VPN database the VPN information of a user who has requested authentication at the time of making a position registration request from the mobile terminal.
Abstract: Linked with a position registration procedure in a mobile IP, the invention provides a VPN setting service using an IP Sec. tunnel between optional terminals without requiring these terminals to have a specific VPN function. This service is provided by a mobile terminal, authentication servers, a VPN database, and network apparatuses. A home authentication server extracts from the VPN database the VPN information of a user who has requested authentication at the time of making a position registration request from the mobile terminal. The home authentication server then posts the VPN information to each network apparatus using a predetermined position registration message and an authentication response message. Based on the posted VPN information, the network apparatuses set a VPN path by IP Sec. between a home network apparatus and an external network apparatus, between the home network apparatus and a predetermined network apparatus, and/or between the external network apparatus and the predetermined network apparatus, respectively.

159 citations

Patent
01 Sep 1998
TL;DR: In this paper, a dependency mask can be used to query a cache of active sessions being processed by the firewall, such that a rule can be selected based on the number of sessions that satisfy the query.
Abstract: The invention provides improved computer network firewalls which include one or more features for increased processing efficiency. A firewall in accordance with the invention can support multiple security policies, multiple users or both, by applying any one of several distinct sets of access rules. The firewall can also be configured to utilize "stateful" packet filtering which involves caching rule processing results for one or more packets, and then utilizing the cached results to bypass rule processing for subsequent similar packets. To facilitate passage to a user, by a firewall, of a separate later transmission which is properly in response to an original transmission, a dependency mask can be set based on session data items such as source host address, destination host address, and type of service. The mask can be used to query a cache of active sessions being processed by the firewall, such that a rule can be selected based on the number of sessions that satisfy the query. Dynamic rules may be used in addition to pre-loaded access rules in order to simplify rule processing. To unburden the firewall of application proxies, the firewall can be enabled to redirect a network session to a separate server for processing.

92 citations

Patent
30 Jul 1999
TL;DR: In this article, a method for negotiating access to a private network for a mobile node that has migrated beyond the private network is described, where a plurality of tunnel segments are composed, these tunnel segments forming a chain for a registration request from the mobile node to the private network.
Abstract: What is disclosed is a method for negotiating access to a private network for a mobile node that has migrated beyond the private network. A plurality of tunnel segments are composed, these tunnel segments forming a chain for a registration request from the mobile node to the private network.

77 citations