
Showing papers on "IPsec" published in 2004


01 Jun 2004
TL;DR: This document discusses these requirements in more depth, illustrates the used packet formats, describes suitable configuration procedures, and shows how implementations can process the packets in the right order.
Abstract: Mobile IPv6 uses IPsec to protect signaling between the home agent and the mobile node. The Mobile IPv6 base document defines the main requirements these nodes must follow. This document discusses these requirements in more depth, illustrates the used packet formats, describes suitable configuration procedures, and shows how implementations can process the packets in the right order.

250 citations


01 Jan 2004
TL;DR: This document describes the use of Advanced Encryption Standard (AES) Counter Mode, with an explicit initialization vector, as an IPsec Encapsulating Security Payload (ESP) confidentiality mechanism.
Abstract: This document describes the use of Advanced Encryption Standard (AES) Counter Mode, with an explicit initialization vector, as an IPsec Encapsulating Security Payload (ESP) confidentiality mechanism.

233 citations


01 May 2004
TL;DR: This document specifies three trust models, discusses the threats pertinent to IPv6 Neighbor Discovery, and defines the requirements for Securing IPv6 Neighbor Discovery.
Abstract: The existing IETF standards specify that IPv6 Neighbor Discovery (ND) and Address Autoconfiguration mechanisms may be protected with IPsec Authentication Header (AH). However, the current specifications limit the security solutions to manual keying due to practical problems faced with automatic key management. This document specifies three different trust models and discusses the threats pertinent to IPv6 Neighbor Discovery. The purpose of this discussion is to define the requirements for Securing IPv6 Neighbor Discovery.

189 citations


Journal ArticleDOI
TL;DR: Just Fast Keying is described, a new key-exchange protocol primarily designed for use in the IP security architecture that is simple, efficient, and secure; a proof of the latter property is sketched.
Abstract: We describe Just Fast Keying (JFK), a new key-exchange protocol, primarily designed for use in the IP security architecture. It is simple, efficient, and secure; we sketch a proof of the latter property. JFK also has a number of novel engineering parameters that permit a variety of tradeoffs, most notably the ability to balance the need for perfect forward secrecy against susceptibility to denial-of-service attacks.

159 citations


Journal ArticleDOI
P. Knight, C. Lewis
TL;DR: A wide range of emerging L2 and L3 VPN architectures and technical solutions or approaches are described, and some mechanisms that provide membership, reachability, topology, security, and management functions are described.
Abstract: Virtual private network services are often classified by the OSI layer at which the VPN service provider's systems interchange VPN reachability information with customer sites. Layer 2 and 3 VPN services are currently being designed and deployed, even as the related standards are being developed. This article describes the wide range of emerging L2 and L3 VPN architectures and technical solutions or approaches, and discusses the status of standards work. Some specific L2VPN and L3VPN technologies described here include virtual private LAN service, transparent LAN service, BGP/MPLS-based VPNs (RFC 2547bis), virtual router, and IPSec VPN approaches. We discuss recent and continuing standards efforts in the IETF l2vpn and l3vpn working groups, and related work in the pseudo-wire emulation edge-to-edge working group, as well as in some other standards fora, and describe some mechanisms that provide membership, reachability, topology, security, and management functions.

154 citations


Patent
04 Feb 2004
TL;DR: In this paper, the authors present an end-to-end transport and routing mechanism capable of secure, accurate, and timely delivery of real-time media, which can facilitate serverless, IP based sessions across all of public and private network infrastructure without regard for network hardware or carrier makeup.
Abstract: As prior art systems fail to produce end-to-end transport and routing mechanisms capable of secure, accurate, and timely delivery of real-time media, the present invention prescribes the method and process to facilitate server-less, IP based sessions across all of public and private network infrastructure without regard for network hardware or carrier makeup. The method and process claimed herein defines the application of well known standards in a unique fashion so as to facilitate transportation of TCP and UDP packets associated with a real-time multicast session in a secure manner while achieving unencumbered access through firewalls and across multiple carrier, public networks through IPSec based virtual networking.

134 citations


Book ChapterDOI
05 Feb 2004
TL;DR: CWC, as introduced in this paper, is a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data; it is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns.
Abstract: We introduce CWC, a new block cipher mode of operation for protecting both the privacy and the authenticity of encapsulated data. CWC is the first such mode having all five of the following properties: provable security, parallelizability, high performance in hardware, high performance in software, and no intellectual property concerns. We believe that having all five of these properties makes CWC a powerful tool for use in many performance-critical cryptographic applications. CWC is also the first appropriate solution for some applications; e.g., standardization bodies like the IETF and NIST prefer patent-free modes, and CWC is the first such mode capable of processing data at 10Gbps in hardware, which will be important for future IPsec (and other) network devices. As part of our design, we also introduce a new parallelizable universal hash function optimized for performance in both hardware and software.

123 citations


Journal ArticleDOI
TL;DR: The design and implementation of a crypto processor, a special-purpose microprocessor optimized for the execution of cryptography algorithms, which can be used for various security applications such as storage devices, embedded systems, network routers, security gateways using IPSec and SSL protocol, etc.
Abstract: This paper presents the design and implementation of a crypto processor, a special-purpose microprocessor optimized for the execution of cryptography algorithms. This crypto processor can be used for various security applications such as storage devices, embedded systems, network routers, security gateways using IPSec and SSL protocol, etc. The crypto processor consists of a 32-bit RISC processor block and coprocessor blocks dedicated to the AES, KASUMI, SEED, triple-DES private key crypto algorithms and ECC and RSA public key crypto algorithms. The dedicated coprocessor block permits fast execution of encryption, decryption, and key scheduling operations. The 32-bit RISC processor block can be used to execute various crypto algorithms such as Hash and other application programs such as user authentication and IC card interface. The crypto processor has been designed and implemented using an FPGA, and some parts of the crypto algorithms have been fabricated as a single VLSI chip using 0.5 µm CMOS technology. To test and demonstrate the capabilities of this chip, a custom board providing real-time data security for a data storage device has been developed.

106 citations


Proceedings ArticleDOI
30 Aug 2004
TL;DR: A performance analysis focused on three of the most commonly used security protocols for networking applications, namely SSL, S/MIME and IPsec shows that the time taken to perform cryptographic functions is small enough not to significantly impact real-time mobile transactions and that there is no obstacle to the use of quite sophisticated cryptographic protocols on handheld mobile devices.
Abstract: The past few years have witnessed an explosive growth in the use of wireless mobile handheld devices as the enabling technology for accessing Internet-based services, as well as for personal communication needs in ad hoc networking environments. Most studies indicate that it is impossible to utilize strong cryptographic functions for implementing security protocols on handheld devices. Our work refutes this. Specifically, we present a performance analysis focused on three of the most commonly used security protocols for networking applications, namely SSL, S/MIME and IPsec. Our results show that the time taken to perform cryptographic functions is small enough not to significantly impact real-time mobile transactions and that there is no obstacle to the use of quite sophisticated cryptographic protocols on handheld mobile devices.

103 citations


01 Mar 2004
TL;DR: This document describes known incompatibilities between Network Address Translation (NAT) and IPsec, and describes the requirements for addressing them.
Abstract: This document describes known incompatibilities between Network Address Translation (NAT) and IPsec, and describes the requirements for addressing them. Perhaps the most common use of IPsec is in providing virtual private networking capabilities. One very popular use of Virtual Private Networks (VPNs) is to provide telecommuter access to the corporate Intranet. Today, NATs are widely deployed in home gateways, as well as in other locations likely to be used by telecommuters, such as hotels. The result is that IPsec-NAT incompatibilities have become a major barrier in the deployment of IPsec in one of its principal uses.

84 citations


Journal ArticleDOI
TL;DR: An interworking solution between multilayer Internet protocol security (IPSEC) and LKH that also reduces key management traffic while enabling interworking with performance enhancing modules used on satellite links is proposed and analyzed.
Abstract: Security is an important concern in today's information age and particularly so in satellite systems, where eavesdropping can be easily performed. This paper addresses efficient key management for encrypted multicast traffic transmitted via satellite. We consider the topic of encrypting traffic in large multicast groups, where the group size and dynamics have a significant impact on the network load. We consider life cycle key management costs of a multicast connection, and show for a logical key hierarchy (LKH) how member preregistration and periodic admission reduces the initialization cost, and how the optimum outdegree of a hierarchical tree varies with the expected member volatility and rekey factor. This improves network utilization, but encryption at the network layer can pose problems on satellite links. We, therefore, propose and analyze an interworking solution between multilayer Internet protocol security (IPSEC) and LKH that also reduces key management traffic while enabling interworking with performance enhancing modules used on satellite links.

Journal ArticleDOI
Yongguang Zhang
TL;DR: This paper analyzes the fundamental problem behind this conflict and develops a solution called multilayer IP-security (ML-IPsec), which allows wireless network operators or service providers to grant limited and controllable access to the TCP headers for performance enhancement purposes.
Abstract: Transmission control protocol (TCP) performance enhancement proxy (PEP) mechanisms have been proposed, and in some cases widely deployed, to improve TCP performance in all-Internet protocol (IP) wireless networks. However, this technique conflicts with IP-security (IPsec), a standard IP security protocol that will make inroads into wireless networks. This paper analyzes the fundamental problem behind this conflict and develops a solution called multilayer IP-security (ML-IPsec). The basic principle is to use a multilayer protection model and a fine grain access control to make IP security protocols compatible with TCP PEP. It allows wireless network operators or service providers to grant base stations or wireless routers limited and controllable access to the TCP headers for performance enhancement purposes. Through careful design, implementation, and evaluation, we show that we can easily add ML-IPsec to existing IPsec software and the overhead is low. We conclude that ML-IPsec can help wireless networks provide both security and performance.

Patent
02 Mar 2004
TL;DR: In this article, the authors describe a network interface system for interfacing a host system with a network, which includes a bus interface system, a media access control system, and a security system.
Abstract: The invention relates to a network interface system for interfacing a host system with a network. The network interface system includes a bus interface system, a media access control system, and a security system. The network interface offloads IPsec processing from the host processor. According to the invention, the security system includes two processors for encrypting and authenticating the outgoing data. Outgoing data packets are sent alternately to one or the other processor, whereby transmission processing can be accelerated relative to receive processing.

Posted Content
TL;DR: In this paper, the authors present an analysis of the security and performance properties of the IPSec (IP Security) and SSL (Secure Socket Layer) protocols.
Abstract: IPSec (IP Security) and SSL (Secure Socket Layer) have been the most robust and most potential tools available for securing communications over the Internet. Both IPSec and SSL have advantages and shortcomings. Yet no paper has been found comparing the two protocols in terms of characteristic and functionality. Our objective is to present an analysis of security and performance properties for IPSec and SSL.

Patent
26 Jul 2004
TL;DR: In this paper, secure end-to-end connections are established as separate multiple secure connections, illustratively between a first system and an intermediate system and between a second system and an intermediate system.
Abstract: Methods and systems for secure communications are provided. Secure end-to-end connections are established as separate multiple secure connections, illustratively between a first system and an intermediate system and between a second system and an intermediate system. The multiple secure connections may be bound, by binding Internet Protocol Security Protocol (IPSec) Security Associations (SAs) for the multiple connections, for example, to establish the end-to-end connection. In the event of a change in operating conditions which would normally require the entire secure connection to be re-established, only one of the multiple secure connections which form the end-to-end connection is re-established. Separation of end-to-end connections in this manner may reduce processing resource requirements and latency normally associated with re-establishing secure connections.

Patent
23 Mar 2004
TL;DR: In this paper, static Diffie-Hellman key pairs are used to authenticate devices and establish secure connections between them; the static Diffie-Hellman public key can then be used for subsequent secure, authenticated communications sessions.
Abstract: Embodiments of the invention authenticate devices and establish secure connections between devices using static Diffie-Hellman key pairs. A first device obtains in a trusted manner a static DH public key of a second device prior to negotiation. The second device negotiates a secure connection to the first device using a shared secret created from the static DH public key, which serves as both a claim on the second device's identity and an encryption key. The static DH public key can be used to establish subsequent secure, authenticated communications sessions.

Patent
11 Nov 2004
TL;DR: In this paper, the authors propose a security gateway for a network system for linking at least a client end and a server end, which includes a user interface, a SSL VPN driver, a connection interface and an IPSEC VPN driver.
Abstract: A security gateway, for use in a network system for linking at least a client end and a server end, includes a user interface, an SSL VPN driver, a connection interface and an IPSEC VPN driver. The security gateway supports IPSEC and SSL protocols. Before establishing an IPSEC VPN between a client end and a server end, the security gateway will perform ID authentication for the user of the client end with a widely-used SSL protocol, so as to establish an SSL VPN between a server end and a client end. When the ID of the client end is authorized, a configuration file comprising the SA is generated and then safely sent to the client end through the SSL VPN tunnel. After the client end receives and executes the configuration file having the SA, an IPSEC VPN tunnel between the server end and the client end is established.

Journal ArticleDOI
TL;DR: A loosely coupled cryptocoprocessor based on the Advanced Encryption Standard combines high throughput with programmability; using domain-specific instructions and design principles, the security engine supports Internet protocol security and other networking applications.
Abstract: High-speed Internet protocol security (IPsec) applications require high throughput and flexible security engines. A loosely coupled cryptocoprocessor based on the advanced encryption standard combines high throughput with programmability. Using domain-specific instructions and design principles such as control hierarchy and block pipelining, the security engine supports Internet protocol security and other networking applications.

Journal ArticleDOI
TL;DR: This article discusses the design and implementation of a new ad hoc routing protocol, a suite of solutions for policy-based network management, and approaches for key management and deployment of IPsec in a MANET, and evaluates the effectiveness of the system through experiments conducted in a wireless ad hoc testbed.
Abstract: The integration of various network-level functions, including routing, management, and security, is critical to the efficient operation of a mobile ad hoc network. In this article we focus on network mobility (rather than node mobility), implying the movement of entire subnetworks with respect to one another, while individual users initially associated with one such subnetwork may also move to other domains. One example is a battlefield network that includes ships, aircraft, and ground troops. In this "network of networks", subnets (e.g. shipboard networks) may be interconnected via a terrestrial mobile wireless network (e.g., between moving ships). We discuss the design and implementation of a new ad hoc routing protocol, a suite of solutions for policy-based network management, and approaches for key management and deployment of IPsec in a MANET. These solutions, in turn, are integrated with real-time middleware, a secure radio link, and a topology monitoring tool. We briefly describe each component of the solution, and focus on the challenges and approaches to integrating these components into a cohesive system to support network mobility. We evaluate the effectiveness of the system through experiments conducted in a wireless ad hoc testbed.

Patent
30 Mar 2004
TL;DR: In this article, a method and apparatus for transparent processing of IPsec network traffic by a security processor (103) in line between a framer (101) and a network processor (105) is presented.
Abstract: A method and apparatus for transparent processing of IPsec network traffic by a security processor (103) in line between a framer (101) and a network processor (105). Security processor (103) parses packet header and tail information to determine if encryption or decryption is required. After encryption or decryption is completed, packet header and tail information is modified to reflect the changes in the packet such as length of the packet. The modified packet is then passed on to the network processor (105) or framer (101).

Patent
22 Dec 2004
TL;DR: In this paper, the authors present an integrated security system incorporating a security controller that has standard network interface capabilities, including IEEE 802.x, and takes advantage of the convenience and security offered by smart cards and related devices for both physical and logical security purposes.
Abstract: An integrated security system which seamlessly assimilates with current generation logical security systems. The integrated security system incorporates a security controller having standard network interface capabilities including IEEE 802.x and takes advantage of the convenience and security offered by smart cards and related devices for both physical and logical security purposes. The invention is based on standard remote authentication dial-in service (RADIUS) protocols or TCP/IP using SSL, TLS, PCT or IPsec and stores a shared secret required by the secure communication protocols in a secure access module coupled to the security controller. The security controller is intended to be a networked client or embedded intelligent device controlled remotely by an authentication server. In another embodiment of the invention one or more life cycle management transactions are performed with the secure access module. These transactions allow for the updating, replacement, deletion and creation of critical security parameters, cryptographic keys, user data and applications used by the secure access module and/or security token. In another embodiment of the invention a security access module associated with the security controller locally performs local authentication transactions which are recorded in a local access list used to update a master access list maintained by the authentication server.

Book ChapterDOI
13 Sep 2004
TL;DR: The authors attempt a derivational reconstruction of GDOI, the protocol proposed in IETF RFC 3547 for authenticated key agreement in group communication over IPsec, to demonstrate the point of the derivational approach, which tracks and formalizes the way protocols are designed informally: by refining and composing basic protocol components.
Abstract: As a part of a continued effort towards a logical framework for incremental reasoning about security, we attempted a derivational reconstruction of GDOI, the protocol proposed in IETF RFC 3547 for authenticated key agreement in group communication over IPsec. The difficulties encountered in deriving one of its authentication properties led us to derive an attack that had not surfaced in the previous extensive analyses of this protocol. The derivational techniques turned out to be helpful not only for constructing, analyzing and modifying protocols, but also attacks on them. We believe that the presented results demonstrate the point of the derivational approach, which tracks and formalizes the way protocols are designed informally: by refining and composing basic protocol components.

Journal ArticleDOI
TL;DR: A recent R&D result is described in supporting secure and dynamic coalition internetworking scenarios, where a number of military and civil subnetworks are combined using IPsec in a higher-level IP secure military network.
Abstract: This article describes a recent R&D result in supporting secure and dynamic coalition internetworking scenarios, where a number of military and civil subnetworks are combined using IPsec in a higher-level IP secure military network. It is part of the work undertaken in the VPN workshop initiative, where a set of national defense and research organizations are meeting together to align their vision and requirements on what an IPv4 or IPv6 secure and dynamic IPsec-based virtual private network should be, and how to deploy it in an international multidomain scenario.

Patent
15 Mar 2004
TL;DR: In this paper, the authors propose a protocol that includes a security association between the mobile node and the gateway for inbound communication and another security association for outbound communication, which provides security protection for the private network.
Abstract: Communication between a private network (1) and a roaming mobile terminal (4), the private network (1) including a home agent (5) for the mobile terminal and a gateway (2, 3) through which the communication passes and which provides security protection for the private network (1). The protocols of the communication, including security association bundles, each include a security association between the mobile terminal (4) and the gateway (2, 3) for inbound communication and another security association for outbound communication. In response to a handover of communication causing an IP address (MN Co c) of the mobile terminal (4) to change to a new IP address (MN New Co c), the mobile terminal updates its inbound security association from the gateway (2, 3) so that it can receive packets sent to it with the new IP address (MN New Co c) as destination. It sends a first signalling message with the home agent (5) as destination in a secure tunnel (20') to the gateway (2, 3), indicating the new IP address (MN New Co c) in secure form to the home agent (5). The inbound security association of the gateway (2, 3) from the mobile terminal (4) accepts the first signalling message without checking its source address. The gateway (2, 3) forwards the first signalling message within the private network (1) to the home agent (5); the home agent (5) checks the validity of the first signalling message and, if it is valid, updates its address data and sends a second signalling message to the gateway (2, 3) indicating the new address (MN New Co c). The gateway (2, 3) updates its outbound security association with the mobile terminal (4) in response to the new address (MN New Co c) indicated. Preferably, communication between the mobile node (4) and the gateway (2, 3) is in accordance with IPsec and an Encapsulating Security Payload protocol used in tunnel mode. Preferably, a registration reply for the mobile node (4) is included in the second signalling message.

Book
01 May 2004
TL;DR: In this paper, the authors present a comprehensive review of the security policies and protocols for virtual private networks (VPNs) in terms of their use in the Internet and their effect on network security.
Abstract:
1. Here There Be Hackers! Essentials First: Looking for a Target. Hacking Innocent Information. Targets of Opportunity. Are You a Target of Opportunity? Targets of Choice. Are You a Target of Choice? The Process of an Attack. Reconnaissance and Footprinting (a.k.a. Casing the Joint). Scanning. Enumeration. Gaining Access. Application Attacks. Misconfiguration Attacks. Script Attacks. Escalating Privilege. Covering Tracks. Network Security Organizations. SANS. Center for Internet Security (CIS). SCORE. Internet Storm Center. ICAT Metabase. Security Focus. Learning from the Network Security Organizations. Overview of Common Attacks and Exploits. Chapter Summary. Chapter Review.
2. Security Policies and Responses. Defining Trust. Acceptable Use Policy. Policy Overview. Purpose. Scope. General Use and Ownership. Security and Proprietary Information. Unacceptable Use. E-mail and Communications Activities. Enforcement. Conclusion. Password Policy. Overview. Purpose. Scope. General Policy. General Password Construction Guidelines. Password Protection Standards. Enforcement. Conclusion. Virtual Private Network (VPN) Security Policy. Scope. Policy. Conclusion. Extranet Connection Policy. Scope. Security Review. Third-Party Connection Agreement. Business Case. Point of Contact. Establishing Connectivity. Modifying or Changing Connectivity and Access. Terminating Access. Conclusion. ISO Certification and Security. Sample Security Policies on the Internet. Chapter Summary. Chapter Review.
3. Overview of Security Technologies. Security First Design Concepts. Packet Filtering via Access Control Lists (ACLs). Limitations of Packet Filtering. Stateful Packet Inspection (SPI). Detailed Packet Flow Using SPI. Limitations of Stateful Packet Inspection. Network Address Translation (NAT). NAT's Limitations. Proxies and Application Level Protection. Content Filters. Public Key Infrastructure (PKI). AAA Technologies. Authorization. Accounting. Remote Authentication Dial-In User Service (RADIUS). Terminal Access Controller Access Control System (TACACS). TACACS+ Versus RADIUS. Chapter Summary. Chapter Review Questions.
4. Security Protocols. DES Encryption. Limitations of DES. Triple DES Encryption. Limitations of 3DES. Message Digest 5 Algorithm. Point-to-Point Tunneling Protocol (PPTP). Limitations of PPTP. Layer 2 Tunneling Protocol (L2TP). Benefits of L2TP. L2TP Operation. Secure Shell (SSH). SSH Operation. Tunneling and Port Forwarding. Limitations of SSH. Chapter Summary. Chapter Review Questions.
5. Firewalls. Firewall Frequently Asked Questions. Why Do I Need a Firewall? Do I Have Anything Worth Protecting? What Does a Firewall Do? Firewalls Are "The Security Policy". Firewall Operational Overview. Implementing a Firewall. Determine the Inbound Access Policy. Determine Outbound Access Policy. Essentials First: Life in the DMZ. Case Studies. Case Study: Firewall Deployment with Mail Server Inside the Protected (Internal). Case Study: Firewall Deployment with Mail Server in DMZ. Firewall Limitations. Chapter Summary. Chapter Review Questions.
6. Router Security. Edge Router as a Choke Point. Edge Router as a Packet Inspector. Content-Based Packet Inspection. Intrusion Detection with Cisco IOS. When to Use the FFS IDS. FFS IDS Operational Overview. FFS Limitations. Secure IOS Template. Chapter Summary. Chapter Review Questions.
7. IPSec Virtual Private Networks (VPNs). Analogy: VPNs Connect IsLANds Securely. VPN Overview. VPN Benefits and Goals. VPN Implementation Strategies. Split Tunneling. Overview of IPSec VPNs. Tunneling Data. Encryption Modes. Transport Mode. IPSec Protocols. Internet Key Exchange (IKE). ISAKMP Overview. IPSec Operational Overview. IKE Phase 2. Diffie-Hellman Algorithm. Router Configuration as VPN Peer. Configuring IPSec. Step 2: Create the IPSec Transforms. Step 3: Create the Crypto Map. Step 4: Apply the Crypto Map to an Interface. Firewall VPN Configuration for Client Access. Chapter Summary. Chapter Review Questions.
8. Wireless Security. Essentials First: Wireless LANs. Benefits of Wireless LANs. Wireless Equals Radio Frequency. Wireless Networking. Coverage. Bandwidth Availability. WarGames Wirelessly. WarDriving. WarFlying. WarSpamming. WarSpying. Wireless Threats. Denial of Service Attacks. Rogue/Unauthorized Access Points. Incorrectly Configured Access Points. Network Abuses. Wireless Security. Device and Access Point Association. Wired Equivalent Privacy (WEP). MAC Address Filtering. Extensible Authentication Protocol (EAP). LEAP (EAP-Cisco). EAP-TLS. EAP-TTLS. Essentials First: Wireless Hacking Tools. Wireless Packet Sniffers. AirSNORT. Chapter Summary. Chapter Review Questions.
9. Intrusion Detection and Honeypots. Essentials First: Intrusion Detection. IDS Functional Overview. Host Intrusion Detection System (HIDS). How Are Intrusions Detected? Protocol Analysis. Anomaly Detection. Signature/Pattern Matching. Log Analysis. Combining Methods. Intrusion Prevention. IPS Responses and Actions. IDS Products. Essentials First: Honeypots. Honeypot Limitations. Chapter Summary. Chapter Review Questions.
10. Tools of the Trade. Essentials First: Vulnerability Analysis. Fundamental Attacks. Packet Sniffers. Denial of Service (DoS) Attacks. Man-in-the-Middle Attacks. Back Doors. Miscellaneous Attacks. Security Assessments and Penetration Testing. Internal Vulnerability and Penetration Assessment. External Penetration and Vulnerability Assessment. Physical Security Assessment. Miscellaneous Assessments. Vulnerability Scanners. Features and Benefits of Vulnerability Scanners. Nessus. In Their Own Words. Scan and Detection Accuracy. Documentation and Support. Reporting. Vulnerability Updates. Retina. Scan and Detection Accuracy. Documentation and Support. Reporting. Vulnerability Updates. Penetration Testing Products. Scan and Detection Accuracy. Documentation. Documentation and Support. Vulnerability Updates. Core Impact In Action. Chapter Summary. Chapter Review Questions.
Appendix A: Answers to Chapter Review Questions

01 Feb 2004
TL;DR: This document describes the method for detecting a dead Internet Key Exchange (IKE) peer that is presently in use by a number of vendors, and uses IPSec traffic patterns to minimize the number of IKE messages that are needed to confirm liveness.
Abstract: This document describes the method for detecting a dead Internet Key Exchange (IKE) peer that is presently in use by a number of vendors. The method, called Dead Peer Detection (DPD), uses IPSec traffic patterns to minimize the number of IKE messages that are needed to confirm liveness. DPD, like other keepalive mechanisms, is needed to determine when to perform IKE peer failover, and to reclaim lost resources.

Book
01 Jan 2004
TL;DR: The Internet and its Protocols as discussed by the authors is a comprehensive, in-depth, and comparative coverage of the Internet Protocol (both IPv4 and IPv6) and its many related technologies.
Abstract: The view presented in The Internet and Its Protocols is at once broad and deep. It covers all the common protocols and how they combine to create the Internet in its totality. More importantly, it describes each one completely, examining the requirements it addresses and the exact means by which it does its job. These descriptions include message flows, full message formats, and message exchanges for normal and error operation. They are supported by numerous diagrams and tables. This book's comparative approach gives you something more valuable: insight into the decisions you face as you build and maintain your network, network device, or network application. Author Adrian Farrel's experience and advice will dramatically smooth your path as you work to offer improved performance and a wider range of services. * Provides comprehensive, in-depth, and comparative coverage of the Internet Protocol (both IPv4 and IPv6) and its many related technologies. * Written for developers, operators, and managers, and designed to be used as both an overview and a reference. * Discusses major concepts in traffic engineering, providing detailed looks at MPLS and GMPLS and how they control both IP and non-IP traffic. * Covers protocols for governing routing and transport, and for managing switches, components, and the network as a whole, along with higher-level application protocols. * Offers thoughtful guidance on choosing between protocols, selecting features within a protocol, and other service- and performance-related decisions. Table of Contents: Ch 1 Overview of Essentials; Ch 2 The Internet Protocol; Ch 3 Multicast; Ch 4 Routing; Ch 5 Concepts in IP Security; Ch 6 IP Service Management; Ch 7 Transport Over IP; Ch 8 Traffic Engineering; Ch 9 MPLS (Multiprotocol Label Switching); Ch 10 Generalized MPLS; Ch 11 Managing Switches and Components; Ch 12 Network Management; Ch 13 Application Protocols; Ch 14 Advanced Applications; Ch 15 Future Developments

Journal ArticleDOI
TL;DR: A diverse set of private-key cryptographic algorithms is utilized to demonstrate the applicability of the proposed cryptographic engine, an FPGA-based Adaptive Cryptographic Engine for IPSec architectures that can adapt to diverse security parameters on the fly while providing superior performance compared with software-based solutions.
Abstract: Architectures that implement the Internet Protocol Security (IPSec) standard have to meet the enormous computing demands of cryptographic algorithms. In addition, IPSec architectures have to be flexible enough to adapt to diverse security parameters. This article proposes an FPGA-based Adaptive Cryptographic Engine (ACE) for IPSec architectures. By taking advantage of FPGA technology, ACE can adapt to diverse security parameters on the fly while providing superior performance compared with software-based solutions. In this paper, we focus on performance issues. A diverse set of private-key cryptographic algorithms is utilized to demonstrate the applicability of the proposed cryptographic engine. The time performance metrics are throughput and key-setup latency. The latency metric is the most important measure for IPSec where a small amount of data is processed per key and key context switching occurs repeatedly. We are not aware of any published results that include extensive key-setup latency results.

Proceedings ArticleDOI
17 May 2004
TL;DR: The paper compares the performance of the FFHMIPv6 method to other fundamental handover methods with Network Simulator 2 (ns-2).
Abstract: Mobile IPv6 provides comprehensive mobility management for the IPv6 protocol. It provides many benefits compared to Mobile IPv4, such as reroute optimization, protocol extensions and IP Security (IPSec). One problem still remains: the handover time is relatively long. This is a big problem at least in real-time connections. This paper presents a new method for faster handover in IPv6 networks, called Flow based Fast Handover for MIPv6 (FFHMIPv6), which uses the features of the IPv6 protocol and benefits from IPv6 traffic control.

Patent
22 Jun 2004
TL;DR: In this paper, the authors present a method and systems for securely connecting mobile nodes to an internal private network using IPsec based Virtual Private Network (VPN) technology, which employs a proxy home agent coupled to a home network associated with a mobile node that is located within a secure network, a home agent (HA) that is outside of the secure network and a VPN gateway to provide VPN services to a mobile device that changes its current address during the VPN session.
Abstract: The present invention discloses methods and systems for securely connecting mobile nodes to an internal private network using IPsec based Virtual Private Network (VPN) technology. The system employs a proxy home agent (PHA) coupled to a home network associated with a mobile node that is located within a secure network, a home agent (HA) that is located outside of the secure network, and a VPN gateway to provide VPN services to a mobile device that changes its current address during the VPN session. The HA and PHA are configured to provide Mobile IP Home Agent functionality through a distributed system.