WO2004036332A2 - Virtual private network with mobile nodes - Google Patents
- Publication number
- WO2004036332A2 PCT/IB2002/005733
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- network
- gateway
- mobile workstation
- mobile
- internal portion
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L12/4675—Dynamic sharing of VLAN information amongst network nodes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/28—Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W80/00—Wireless network protocols or protocol adaptations to wireless operation
- H04W80/04—Network layer protocols, e.g. mobile IP [Internet Protocol]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
- H04W88/16—Gateway arrangements
Definitions
- Embodiments of the present invention relate to a virtual private network capable of having a plurality of mobile nodes, to the components of the network and to the methods and processes used within the network.
- a Virtual Private Network provides a network-like connection via a public network, such as the internet. Remote components of the VPN appear to a user as if they are physically connected via dedicated communication cables, when in fact the public network may form at least part of the connection between them.
- IPsec Internet Protocol Security
- the VPN is a packet switching network in which data is sent as packets. Each packet has a data payload and a header. The header includes the address of the origin of the data and the address of the destination of the data.
- the addresses used may be public IP addresses or private IP addresses.
- a public address is a globally unique address, whereas a private address is unique in the VPN but not necessarily globally.
- a SVPN has a Security Gateway placed at the interface between a private secured network and the public unsecured network.
- the private secured network forms an internal portion of the VPN, whereas those parts of the VPN which are part of the public network are external portions of the VPN.
- SA Security Association
- a Security Association is a context defining a virtual simplex connection between two end points that affords security services to the traffic carried between those end points.
- two Security Associations are required in both nodes.
- each context indicates an authentication and/or encryption algorithm and a secret (a shared key, or appropriate public/private key pair).
- Each node of a SVPN has a Security Policy Database (SPD) and a Security Association Database (SAD).
- SPD Security Policy Database
- SAD Security Association Database
- the SPD specifies the treatment of every inbound and outbound packet. It also indicates which SA or SA bundle in SAD should be used, if any.
- the SPD maps traffic to a SAD entry, which has the SA parameters for the traffic.
- the Encapsulating Security Payload (ESP) [RFC2406] is one type of Security Association and it provides confidentiality, data origin authentication, connectionless integrity, anti-replay service and limited traffic flow confidentiality.
- a virtual private network including an internal secured portion which connects via at least a first gateway and a second gateway to an external portion, the network comprising: a plurality of workstations including at least one mobile workstation in the external portion; the first gateway; the second gateway; and means for automatically changing the point through which the mobile workstation communicates with the internal portion of the network from the first gateway to the second gateway, in response to movement of the mobile workstation.
- a method of optimizing the route by which information travels between a mobile node in an external portion of a network and a correspondent node in an internal portion of a network comprising the steps of: determining when a first serving gateway through which the mobile node communicates with the internal portion of the network, is sub-optimal; identifying a second gateway; and transferring the point through which the mobile node communicates with the internal portion of the network from the first serving gateway to the second gateway.
- a mobile workstation for connecting to an external portion of a network that includes an internal secured portion connected, via a first gateway and a second gateway to the external portion, comprising: means arranged to receive, via the first secure communication means, an identifier of a second gateway; and means arranged to change from communicating with the internal portion of the network through the first gateway to communicating via the second gateway.
- Embodiments of the invention provide for the easy and automatic change of a SG during a session, particularly between SGs in remote segments of a VPN.
- This works automatically on the IP layer and provides optimised routing. This reduces any delays associated with key generation and exchange.
- Fig. 1A illustrates a virtual private network in which MN1 is located near to SG1 and communicates via SG1;
- Fig. 1B illustrates a virtual private network after MN1 has moved away from SG1 towards SG2 but continues to communicate via SG1;
- Fig. 1C illustrates a virtual private network in which MN1, located near to SG2, communicates via SG2; and Fig. 2 illustrates the signaling that allows MN1 to switch from communicating via SG1 to communicating via SG2.
- the virtual private network (VPN) 100 comprises a first segment 102 and a second segment 104.
- the first and second segments are connected via a leased-line connection or the internet 132.
- the first segment 102 serves a particular geographical or network-topological area. It comprises an internal portion 102a and an external portion 102b.
- The internal portion 102a comprises a first VPN Certificate Authority (VCA1) 110, at least a first security gateway (SG1) 112, and an internal Home Agent (HA) 114.
- the first security gateway(s) (SG1) 112 mediate between the internal portion 102a and the external portion 102b.
- The external portion 102b comprises a first mobile node (MN1) 120, and an external home agent (HA) 122.
- a non-secure communications medium 130, such as the internet, interconnects the first mobile node (MN1) 120, the external HA 122 and SG1 112.
- the external home agent 122 manages the external home address (HoA) of MN1, which is visible in the external portion of the VPN.
- the internal home agent 114, which is present only if the VPN uses private addresses, manages the internal HoA of MN1, which is visible to the internal portion of the VPN.
- the second segment 104 serves a particular geographical or network-topological area, different to that served by the first segment 102.
- It comprises an internal portion 104a and an external portion 104b.
- the internal portion 104a comprises a second VPN Certificate Authority (VCA2) 150, at least a second security gateway (SG2) 162, an internal Home Agent (HA) 164 and at least one correspondent node (CN) for MN1.
- the CN is a second mobile node (MN2) 166.
- the security gateway(s) (SG2) mediate between the internal portion 102a and the external portion 102b.
- the external portion 104b comprises an external home agent (HA) 172 interconnected to the second security gateway (SG2) 162 by the non-secure communications medium 130.
- HA external home agent
- MN1 120 has two security associations (uplink and downlink) with SG1 112 and two security associations (uplink and downlink) with VCA1 110. There are also two security associations (uplink and downlink) between VCA1 110 and SG1 112. There are also two security associations (uplink and downlink) between VCA2 150 and SG2 162.
- SA security associations
- ESP SA Encapsulating Security Payload Security Associations
- VCA has been described as a separate entity to the SG, it would be possible to integrate them. There are, however, advantages to having them as distinct entities.
- the defense is in one layer (SG only), as opposed to two layers (VCA & SG), the attacker only needs to break into one SG in order to severely affect the VPN service.
- the VCA function is integrated into each SG, then where a segment has several SGs all of them need to have this extra functionality. This proliferation may increase the operating costs of the system.
- a mobile node (MN), security association (SA), Encapsulating Security Payload (ESP), home agent (HA), security gateway (SG) and correspondent node (CN) are terms well understood by a person knowledgeable in Virtual Private Networks, Internet Protocol Security (IPsec) Protocol and Mobile Internet Protocol version 6 (MIPv6).
- MIPv6 Mobile Internet Protocol version 6
- the VPN Certificate authority (VCA) is a newly devised component of a VPN and the security associations between VCA1 110 and MN1 are newly implemented security associations.
- MN1 executes a Binding Update with SG1. Therefore SG1 maps the external HoA of MN2 to the external CoA of MN2 and tunnels packets addressed for MN1 from the internal portion 102a to the external CoA of MN2 in the external portion 102b.
- Fig 1A illustrates a VPN 100, in which MN1 120 is in session with CN 166, which in this example is MN2.
- MN1 is in the external portion 102b of the first segment 102 of the VPN 100 and MN2 is in the internal portion 104a of the second segment 104.
- The MN1 120 uses its existing ESP SAs with the SG1 112 to communicate with the internal portions 102a, 104a of the VPN.
- The SG1 receives an encapsulated packet from MN1 via these ESP SAs, decapsulates it and routes it to the CN 166.
- a VPN Mobile Node (MN1 120) using ESP Security Associations (SAs) moves to a new location (Fig 1B)
- the ESP tunnel end point in the Security Gateway (SG1 112) is no longer the closest or optimal point of attachment to the VPN 100, especially if MN1 has sessions with a node (MN2) close to its current location in the network topology. This is inefficient.
- The optimum path for communication between MN1 120 and MN2 166 in Fig 1B would be via SG2 162.
- the first VPN segment 102 from which MN1 moved and the second VPN segment 104 to which it moved cooperate to move the context of MN1 to the new location.
- This context consists of at least the HoA of MN1, but should also include key material for the creation of new ESP SAs between MN1 and the optimal security gateway (SG2 162).
- The context information is managed by a set of separate VPN Certificate Authorities (VCA1 and VCA2). It is moved from SG1 via VCA1 to the VCA2 and onto the SG2. However, before this movement, the identity of the target SG/VCA must be resolved.
- MN1 and MN2 (not shown) are in session. Initially, MN1 communicates with MN2 via SG1 as illustrated in Fig 1A. MN1 moves so that it is close to SG2, as illustrated in Fig 1B.
- MN1 detects when it has moved close to another possible node at which to link into the VPN and informs VCA1.
- MN1 obtains a new external CoA using stateless or stateful address autoconfiguration. It then performs a binding update with its HA and SG1.
- the new external CoA of MN1 is sent 230 to SG1.
- the external CoA of MN1 has therefore changed at this point, but MN1 is still communicating via SG1.
- SG1 provides 232 the new location data (e.g. external CoA) for MN1 to the VCA1 using the downlink ESP SA between SG and VCA.
- new location data e.g. external CoA
- VCA1 updates a location database, which is used to automatically resolve whether MN1 is using the optimal SG or whether there should be a hand-over to another SG.
- the location database associates a responsible infrastructure node (VCA and/or SG) with a location.
- VCA and/or SG may be address-space related, geographical or topological.
- the location database can be local or remote. Thus querying the database with the new external CoA of MN1 may return the present VCA/SG or a new optimal VCA/SG.
- When a new optimal VCA/SG has been identified which is in a different segment, VCA1 automatically sends 234 the context of MN1 to the VCA of the optimal segment (VCA2).
- VCAs can communicate with AAA attribute-value-pairs (AVP) between segments, and the VCA functionality can be combined with AAA infrastructure.
- AVP AAA attribute-value-pairs
- the information sent may additionally identify the location of MN1 so that VCA2 can determine the optimal SG.
- When a new optimal SG has been identified which is in the same segment, VCA1 automatically sends the context of MN1 to the optimal SG (not shown in Fig. 2).
- the context information includes at least an identifier of MN1 (its external HoA) and should also include secret material for setting up ESP SAs between the new SG and MN1.
- the secret material should not be the same as that used for the ESP SAs between MN1 and SG1 or may extend that context and provide new secret material for new ESP SAs between SG2 and MN1.
- the context information is sent to the new SG/VCA.
- the MN context information is protected with the VPN owner's root certificate. All parties have the capability of reliably verifying something that has been certified by the VPN owner (protected by its certificate). Without this, they would have to trust some other node that only claims to be authoritative, giving rise to the possibility of masquerading attacks.
- VCA2 sends 236 the context information to SG2 using an ESP SA between SG2 and VCA2.
- the SG2 updates its SPD database and SAD database.
- An SPD policy forwards packets to the HoA of MN1 onwards to the appropriate link, which is the downlink ESP SA from SG2 to MN1.
- the SAD defines the appropriate ESP SA.
- the ESP SA tunnel uses MN1's external HoA.
- VCA1 commands 238 SG1 using one of the ESP SAs between VCA1 and SG1 to automatically send 240 to MN1 any extension to MN1's context and the address of SG2.
- the MN1 receives the secret(s) extending its context, if any, and the address of SG2. It enters into its Security Association Database (SAD) a new ESP SA to SG2 and a new ESP SA from SG2. Each entry specifies the algorithm to be used and the secret(s) to be used. MN1 modifies its Security Policy Database (SPD) so that traffic destined for MN2 will be encrypted using the first SA of the new SA pair and traffic from the MN2 will be decrypted using the second SA of the new SA pair. MN1 then sends 242 an Acknowledgement message to VCA1 which forwards 244 it to SG2.
- the updating of the SPD and SAD at SG2 is illustrated as occurring before the updating of the SPD and SAD at MN1.
- the context is sent to the VCA2 (step 234) before it is sent to the SG1 (step 238).
- This timing is, however, only illustrative.
- the updating of the SPD and SAD at MN1 may precede the updating of the SPD and SAD at MN1.
- the context is sent to the SG1 before it is sent to the VCA2.
- the acknowledgement, in this situation, is sent from the SG2 to the MN1 via the VCA1.
- MN1 creates new SAs with VCA2 and starts using SG2 and VCA2 instead of its SG1 and VCA1.
- the packets sent to the session destination MN2 are simply put to the new ESP SA (to SG2) by the SPD.
- the internal HA 114 or external HA 122 of MN1 do not change when the serving SG changes from SG1 to SG2.
- the MN1 receives router advertisements from SG2 after establishing the new ESP SAs with it and allocates to itself a new internal CoA. It then performs return routability and binding procedures with this new internal CoA. MN1 needs to maintain its connection to the SG1 at least until the binding with its internal HA 114 is in place. Thus MN1 may conserve connectivity to SG1 with its original internal CoA at the same time as it has a new CoA. This is a form of 'phased handover' in which MN1 is capable of communicating with both SG1 and SG2.
- Each VPN segment has only one VCA but possibly several SGs.
- Each SG is subject to the VCA of its segment (with implied management and trust relationships).
- the VCA controls all hand-overs between SGs whether or not they are in the same segment as the VCA, using additional VCAs if necessary. This is advantageous, because it is easier for a VCA to know (and maintain a relationship of trust with) a small set of VCAs than a large set of SGs.
- the VCA may only control hand-overs between SGs which are in different segments to it and each SG control the transfer of a context to another SG within the same segment as the VCA.
- the mobile node MN1 may be any suitably configured mobile workstation such as a lap-top computer, a personal digital assistant or a cellular mobile telephone.
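
The hand-over signalling described above (steps 230 to 244) can be followed as a sequence of SPD and SAD updates. The sketch below is an added example, not code from the patent: the prefixes, addresses, SA identifiers, key length and algorithm label are constructed assumptions, and protection of the context by the VPN owner's root certificate is not modelled.

```python
import ipaddress
import secrets

# Constructed location database: external address space -> responsible (VCA, SG).
LOCATION_DB = {
    ipaddress.ip_network("2001:db8:1::/48"): ("VCA1", "SG1"),
    ipaddress.ip_network("2001:db8:2::/48"): ("VCA2", "SG2"),
}
HOA_MN1 = "2001:db8:ffff::120"   # constructed external HoA of MN1
ADDR_MN2 = "2001:db8:aaaa::166"  # constructed address of correspondent MN2


def resolve_optimal(coa):
    """Return the (VCA, SG) responsible for a CoA by longest-prefix match."""
    addr = ipaddress.ip_address(coa)
    hits = [net for net in LOCATION_DB if addr in net]
    if not hits:
        return None  # unknown location: no hand-over decision possible
    return LOCATION_DB[max(hits, key=lambda net: net.prefixlen)]


class Node:
    """A VPN node holding an SAD (SA id -> parameters) and an SPD (selector -> SA id)."""

    def __init__(self, name):
        self.name = name
        self.sad = {}
        self.spd = {}

    def install_sa(self, sa_id, key):
        # The algorithm label is a placeholder; the page does not name one.
        self.sad[sa_id] = {"alg": "ESP (algorithm assumed)", "key": key}

    def sa_for(self, selector):
        """The SPD maps traffic to an SA id; the SAD holds that SA's parameters."""
        sa_id = self.spd[selector]
        return sa_id, self.sad[sa_id]


def hand_over(mn, gateways, serving, new_coa):
    """Apply signalling steps 230-244 as database updates; return the serving SG."""
    target = resolve_optimal(new_coa)      # 230/232: new CoA reaches VCA1, DB queried
    if target is None or target[1] == serving:
        return serving                     # the present SG is still optimal
    new_sg = gateways[target[1]]
    up, down = f"{mn.name}->{new_sg.name}", f"{new_sg.name}->{mn.name}"
    # Context: identifier (external HoA) plus new secret material for the new ESP SAs.
    context = {"hoa": HOA_MN1, up: secrets.token_bytes(32), down: secrets.token_bytes(32)}
    in_use = {sa["key"] for sa in mn.sad.values()}
    if context[up] in in_use or context[down] in in_use or context[up] == context[down]:
        raise ValueError("secret material must not repeat keys of existing SAs")
    # 234/236: context travels VCA1 -> VCA2 -> SG2, which updates its SAD and SPD.
    new_sg.install_sa(up, context[up])
    new_sg.install_sa(down, context[down])
    new_sg.spd[("to", context["hoa"])] = down  # packets for MN1's HoA use the downlink SA
    # 238/240: SG1 relays the context extension and the address of SG2 to MN1.
    mn.install_sa(up, context[up])
    mn.install_sa(down, context[down])
    mn.spd[("to", ADDR_MN2)] = up              # encrypt towards MN2 with the first new SA
    mn.spd[("from", ADDR_MN2)] = down          # decrypt from MN2 with the second new SA
    # Phased hand-over: the SAs with the old SG stay in mn.sad until rebinding is done.
    return new_sg.name                         # 242/244: acknowledgement reaches SG2


def demo():
    """Build the Fig. 1A state, move MN1 into SG2's address space, run the hand-over."""
    mn1, sg1, sg2 = Node("MN1"), Node("SG1"), Node("SG2")
    for sa_id in ("MN1->SG1", "SG1->MN1"):     # SAs in place before the move
        key = secrets.token_bytes(32)
        mn1.install_sa(sa_id, key)
        sg1.install_sa(sa_id, key)
    mn1.spd[("to", ADDR_MN2)] = "MN1->SG1"
    mn1.spd[("from", ADDR_MN2)] = "SG1->MN1"
    serving = hand_over(mn1, {"SG1": sg1, "SG2": sg2}, "SG1", "2001:db8:2::abcd")
    return mn1, sg2, serving


if __name__ == "__main__":
    mn1, sg2, serving = demo()
    print(serving, mn1.sa_for(("to", ADDR_MN2))[0], sorted(mn1.sad))
```

After the hand-over MN1's SAD holds four entries: the new pair with SG2 selected by the SPD, and the original pair with SG1 retained for the phased hand-over.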
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2002353429A AU2002353429A1 (en) | 2002-10-17 | 2002-12-30 | Virtual private network with mobile nodes |
US10/531,491 US20060111113A1 (en) | 2002-10-17 | 2002-12-30 | Virtual private network with mobile nodes |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/IB2002/004295 WO2004036834A1 (en) | 2002-10-17 | 2002-10-17 | Secured virtual private network with mobile nodes |
IBPCT/IB02/04295 | 2002-10-17 |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2004036332A2 (en) | 2004-04-29 |
WO2004036332A3 (en) | 2007-12-27 |
Family
ID=32104597
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2002/004295 WO2004036834A1 (en) | 2002-10-17 | 2002-10-17 | Secured virtual private network with mobile nodes |
PCT/IB2002/005733 WO2004036332A2 (en) | 2002-10-17 | 2002-12-30 | Virtual private network with mobile nodes |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2002/004295 WO2004036834A1 (en) | 2002-10-17 | 2002-10-17 | Secured virtual private network with mobile nodes |
Country Status (3)
Country | Link |
---|---|
US (2) | US20060182083A1 (en) |
AU (1) | AU2002353429A1 (en) |
WO (2) | WO2004036834A1 (en) |
US6789121B2 (en) * | 2002-02-08 | 2004-09-07 | Nortel Networks Limited | Method of providing a virtual private network service through a shared network, and provider edge device for such network |
US20030224788A1 (en) * | 2002-03-05 | 2003-12-04 | Cisco Technology, Inc. | Mobile IP roaming between internal and external networks |
EP1488577B1 (en) * | 2002-03-18 | 2007-04-18 | Nortel Networks Limited | Resource allocation using an auto-discovery mechanism for provider-provisioned layer-2 and layer-3 virtual private networks |
US7418596B1 (en) * | 2002-03-26 | 2008-08-26 | Cellco Partnership | Secure, efficient, and mutually authenticated cryptographic key distribution |
US7188365B2 (en) * | 2002-04-04 | 2007-03-06 | At&T Corp. | Method and system for securely scanning network traffic |
US20030225854A1 (en) * | 2002-05-28 | 2003-12-04 | Peng Zhang | Digital rights management system on a virtual private network |
US20040203787A1 (en) * | 2002-06-28 | 2004-10-14 | Siamak Naghian | System and method for reverse handover in mobile mesh Ad-Hoc networks |
US7421736B2 (en) * | 2002-07-02 | 2008-09-02 | Lucent Technologies Inc. | Method and apparatus for enabling peer-to-peer virtual private network (P2P-VPN) services in VPN-enabled network |
US7441262B2 (en) * | 2002-07-11 | 2008-10-21 | Seaway Networks Inc. | Integrated VPN/firewall system |
US7581095B2 (en) * | 2002-07-17 | 2009-08-25 | Harris Corporation | Mobile-ad-hoc network including node authentication features and related methods |
US7184530B2 (en) * | 2002-07-25 | 2007-02-27 | Utstarcom, Inc. | Prepaid billing support for simultaneous communication sessions in data networks |
US6999437B2 (en) * | 2002-12-17 | 2006-02-14 | Nokia Corporation | End-to-end location privacy in telecommunications networks |
US7386721B1 (en) * | 2003-03-12 | 2008-06-10 | Cisco Technology, Inc. | Method and apparatus for integrated provisioning of a network device with configuration information and identity certification |
- 2002
  - 2002-10-17 US US10/531,653 patent/US20060182083A1/en not_active Abandoned
  - 2002-10-17 WO PCT/IB2002/004295 patent/WO2004036834A1/en not_active Application Discontinuation
  - 2002-12-30 US US10/531,491 patent/US20060111113A1/en not_active Abandoned
  - 2002-12-30 AU AU2002353429A patent/AU2002353429A1/en not_active Abandoned
  - 2002-12-30 WO PCT/IB2002/005733 patent/WO2004036332A2/en not_active Application Discontinuation
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998059467A2 (en) * | 1997-06-23 | 1998-12-30 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and device for establishing connections between two subscribers in two different subnetworks |
WO2001005122A1 (en) * | 1999-07-12 | 2001-01-18 | Nokia Networks Oy | A scheme to relocate h.323 gatekeeper during a call when endpoint changes its zone |
US20020069278A1 (en) * | 2000-12-05 | 2002-06-06 | Forsloew Jan | Network-based mobile workgroup system |
Cited By (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2006113124A2 (en) | 2005-04-13 | 2006-10-26 | Cisco Technology, Inc. | Transferring context information to facilitate node mobility |
EP1869906A2 (en) * | 2005-04-13 | 2007-12-26 | Cisco Technology, Inc. | Transferring context information to facilitate node mobility |
EP1869906A4 (en) * | 2005-04-13 | 2014-11-12 | Cisco Tech Inc | Transferring context information to facilitate node mobility |
WO2008132163A1 (en) * | 2007-04-27 | 2008-11-06 | Nokia Siemens Networks Oy | Method, radio system, and base station |
US8538433B2 (en) | 2007-04-27 | 2013-09-17 | Nokia Siemens Networks Oy | Method, radio system, and base station |
EP2117201A1 (en) | 2008-05-07 | 2009-11-11 | Alcatel Lucent | Network device and method for local routing of data traffic |
WO2009135611A2 (en) * | 2008-05-07 | 2009-11-12 | Alcatel Lucent | Network device and method for local routing of data traffic |
WO2009135611A3 (en) * | 2008-05-07 | 2010-11-04 | Alcatel Lucent | Network device and method for local routing of data traffic |
US8189606B2 (en) | 2008-05-07 | 2012-05-29 | Alcatel Lucent | Network device and method for local routing of data traffic |
KR101495063B1 (en) | 2008-05-07 | 2015-02-24 | 알까뗄 루슨트 | Network device and method for local routing of data traffic |
Also Published As
Publication number | Publication date |
---|---|
WO2004036332A3 (en) | 2007-12-27 |
AU2002353429A1 (en) | 2004-05-04 |
US20060182083A1 (en) | 2006-08-17 |
US20060111113A1 (en) | 2006-05-25 |
AU2002353429A8 (en) | 2004-05-04 |
WO2004036834A1 (en) | 2004-04-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20060111113A1 (en) | Virtual private network with mobile nodes |
JP5955352B2 (en) | Mobility architecture using pre-authentication, pre-configuration and / or virtual soft handoff |
US7286671B2 (en) | Secure network access method |
KR100988186B1 (en) | Method and apparatus for dynamic home address assignment by home agent in multiple network interworking |
US6999437B2 (en) | End-to-end location privacy in telecommunications networks |
EP1588535B1 (en) | Establishing communication tunnels |
US20050195780A1 (en) | IP mobility in mobile telecommunications system |
JP2003051818A (en) | Method for implementing ip security in mobile ip networks |
US9043599B2 (en) | Method and server for providing a mobility key |
US20040266420A1 (en) | System and method for secure mobile connectivity |
JP2009516435A (en) | Secure route optimization for mobile networks using multi-key encryption generated addresses |
EP1389375A1 (en) | Ip security and mobile networking |
JP4468453B2 (en) | Optimized round trip confirmation |
CN102395129A (en) | Framework of media-independent pre-authentication support for pana |
US20100175109A1 (en) | Route optimisation for proxy mobile ip |
CN101091371A (en) | Method and apparatus for providing route-optimized secure session continuity between mobile nodes |
Xenakis et al. | A secure mobile VPN scheme for UMTS |
Pacyna | Advances in mobility management for the NG internet |
Yamada et al. | A lightweight VPN connection in the mobile multimedia metropolitan area network |
Namal et al. | Security and Mobility Aspects of Femtocell Networks |
KR20070106496A (en) | Return routability optimisation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | AK | Designated states | Kind code of ref document: A2 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A2 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | WWW | Wipo information: withdrawn in national office | Country of ref document: DE |
| | ENP | Entry into the national phase | Ref document number: 2006111113 Country of ref document: US Kind code of ref document: A1 |
| | WWE | Wipo information: entry into national phase | Ref document number: 10531491 Country of ref document: US |
| | 122 | Ep: pct application non-entry in european phase | |
| | WWP | Wipo information: published in national office | Ref document number: 10531491 Country of ref document: US |
| | NENP | Non-entry into the national phase | Ref country code: JP |
| | WWW | Wipo information: withdrawn in national office | Country of ref document: JP |