WO2004036834A1 - Secured virtual private network with mobile nodes - Google Patents

Secured virtual private network with mobile nodes Download PDF

Info

Publication number
WO2004036834A1
WO2004036834A1 PCT/IB2002/004295 IB0204295W WO2004036834A1 WO 2004036834 A1 WO2004036834 A1 WO 2004036834A1 IB 0204295 W IB0204295 W IB 0204295W WO 2004036834 A1 WO2004036834 A1 WO 2004036834A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
mobile
mobile workstation
gateway
workstation
Prior art date
Application number
PCT/IB2002/004295
Other languages
French (fr)
Inventor
Junya Nakata
Heikki Waris
Original Assignee
Nokia Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Corporation filed Critical Nokia Corporation
Priority to PCT/IB2002/004295 priority Critical patent/WO2004036834A1/en
Priority to US10/531,653 priority patent/US20060182083A1/en
Priority to AU2002353429A priority patent/AU2002353429A1/en
Priority to US10/531,491 priority patent/US20060111113A1/en
Priority to PCT/IB2002/005733 priority patent/WO2004036332A2/en
Publication of WO2004036834A1 publication Critical patent/WO2004036834A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4675Dynamic sharing of VLAN information amongst network nodes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/28Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W80/00Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04Network layer protocols, e.g. mobile IP [Internet Protocol]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W88/00Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/16Gateway arrangements

Definitions

  • Embodiments of the present invention relate to a virtual private network capable of having a plurality of mobile nodes, to the components of the network and to the methods and processes used within the network.
  • a Virtual Private Network provides a network-like connection via a public network, such as the internet. Remote components of the VPN appear to a user as if they are physically connected via dedicated communication cables, when in fact the public network may form at least part of the connection between them.
  • IPsec Internet Protocol Security
  • a SVPN has a Security Gateway placed at the interface between a private secured network and the public unsecured network.
  • the private secured network forms an internal portion of the VPN, whereas those parts of the VPN which are part of the public network are external portions of the VPN.
  • the SVPN is a packet switching network in which data is sent as packets.
  • Each packet has a data payload and a header.
  • the header includes the address of the origin of the data and the address of the destination of the data.
  • the addresses used may be public IP addresses or private IP addresses.
  • a public address is a globally unique address, whereas a private address is unique in the VPN but not necessarily globally.
  • SA Security Association
  • a Security Association (SA) is a context defining a virtual simplex connection between two end points that affords security services to the traffic carried between those end points. To secure bi-directional communication between two nodes, two Security Associations (one in each direction) are required in both nodes.
  • each context indicates an authentication and/or encryption algorithm and a secret (a shared key, or appropriate public/private key pair).
  • Each node has a Security Policy Database (SPD) and a Security Association Database (SAD).
  • SPD Security Policy Database
  • SAD Security Association Database
  • the SPD specifies the treatment of every inbound and outbound packet. It also indicates which SA or SA bundle in SAD should be used, if any.
  • the SPD maps traffic to a SAD entry, which has the SA parameters for the traffic.
  • the Encapsulating Security Payload (ESP) [RFC2406] is one type of Security Association and it provides confidentiality, data origin authentication, connectionless integrity, anti-replay service and limited traffic flow confidentiality.
  • MobilelPv ⁇ (MIPv6) allows a mobile node (MN) to move from one link to another without changing the mobile node's IP address (Home Address). Thus a mobile node is always addressable by its Home Address (HoA).
  • HoA Home Address
  • the HoA is an IP address assigned, for an extended period of time, to the mobile node within its home network. It is a "static" identifier and therefore remains unchanged regardless of which link a mobile node uses to link to the network.
  • the home network has a network prefix matching that of a mobile node's HoA and packets destined for a mobile node's HoA will be delivered to the mobile node's Home Network.
  • the mobile node may also be attached to other networks other than the home network, these are called Visited Networks.
  • the MN is able to maintain its static identifier (HoA) and communicate in Visited Networks by associating a dynamic identifier (Care-of -Address) with the static identifier (HoA) while moving outside its home network.
  • the Care-of- Address (CoA) reflects the MN current point of attachment.
  • the association of the HoA and CoA is stored in a Home Agent (HA) and correspondent nodes (CN) and is referred to as a "binding" or "mobility binding" when combined with the lifetime of the association.
  • the HA is a router in the home network which tunnels packets for delivery to the mobile node when it is away from the home network, and maintains current location information for the mobile node.
  • the HA intercepts a packet sent to the HoA of the MN, encapsulates the intercepted packet using Type 2 Routing Header and sends it to the CoA of the MN.
  • the MN receives the packet in its CoA, it removes the Routing Header where the HoA was and forwards the packet internally to the HoA.
  • the mobile node generally uses its HoA as the end point of all its communications, and the CoA as the source address of all IP packets that it sends. These packets are delivered to their destination via normal IP routing mechanisms. Packets sent to the mobile node do not necessarily pass through the HA if the CoA is known to the correspondent node.
  • the MN When the MN moves to a Visited Network, the MN detects this and obtains a CoA on the Visited network. It then sends a Binding Update to the HA and any correspondent node.
  • a correspondent node is a mobile or stationary peer with which a mobile node is communicating.
  • the Binding Update registers the new CoA of the MN.
  • MIPv6 provides for route optimisation via return routability and binding updates.
  • the CoA is sent to the HA and to the CN, therefore CN messages can be routed directly to the CoA and need not go via the HA.
  • IPsec is mandatory for IPv6.
  • MIPv6 confirms the validity of the end points, and IPsec can be used for protecting the actual traffic between those end points.
  • the SAs simply take place between two static addresses, the HoA of the MN and the regular address of the CN.
  • each MN has or creates two pairs of SAs, one with the SG and the other with its HA.
  • the SVPN can be considered to have an internal portion which is connected to the public network via a Security Gateway (SG) and a external portion connected to and forming part of the public network.
  • SG Security Gateway
  • MNl which is in the external portion of the SVPN
  • MN2 which is also in the external portion of the SVPN
  • a gateway for connecting an external portion of a network to an internal secured portion of the network wherein the gateway is arranged to identify automatically when a communication session exists between two mobile workstations both of which are connected in the external portion of the network.
  • Embodiments of this aspect of the invention provide for detection of when two mobile workstations (MNl & MN2) are communicating via the gateway (SG).
  • This detection may, in embodiments of the invention, initiate a mechanism that allows the mobile workstations to communicate without using the gateway as an intermediary. This, in turn, allows the route by which packets are transferred between the first mobile workstation (MNl) and the second mobile workstation (MN2) to be optimised.
  • a network including an internal secured portion which connects, via a gateway to an external portion, the network comprising a plurality of workstations including mobile workstations; the gateway and secure communication means by which information is transferable securely to a first mobile workstation in the external portion of the network via the gateway and by which information is transferable securely to a second mobile workstation in the external portion of the network via the gateway; and information transfer means located within the internal secured portion of the network or within the gateway and arranged to send, using the secure communication means, an identifier of the second mobile workstation to the first mobile workstation for use as an address in a packet originating from the first mobile workstation and destined for the second mobile workstation.
  • Embodiments of this aspect of the invention provide an identifier of the second mobile workstation (MN2) securely to the first mobile workstation (MNl).
  • This identifier may allow the first mobile workstation (MNl) to communicate with the second mobile workstation (MN2) without using the gateway (SG) as an intermediary. This, in turn, allows the route by which packets are transferred between the first mobile workstation (MNl) and the second mobile workstation (MN2) to be optimised.
  • the identifier may be the external Home Address of the second mobile workstation (MN2).
  • a virtual private network including an internal secured portion which connects, via a gateway to an external portion, the network being arranged to communicate within the internal portion of the network using private addresses and comprising: a plurahty of workstations including mobile workstations; the gateway; first secure communication means by which information is transferable securely to a first mobile workstation connected at the external portion of the network via the gateway and by which information is transferable securely to a second mobile workstation connected at the external portion of the network via the gateway; and information transfer means arranged to send first security information to the first mobile workstation and second security information to the second mobile workstation using the first secure communication means, wherein the first mobile workstation uses the first security information and the second mobile workstation uses the second security information to enable a second secure communication means by which further information is transferable securely between the first mobile workstation and the second mobile workstation without passing through the gateway.
  • Embodiments of this aspect of the invention provide, perhaps different, security information to the first mobile workstation (MNl) and the second mobile workstation (MN2) which enables secure communications between the first and second mobile workstations without having to use the gateway as an intermediary to secure communications.
  • a virtual private network including an internal secured portion which connects, via a gateway to an external portion, the network being arranged to communicate within the internal portion of the network using private addresses and comprising: a plurahty of workstations including mobile workstations; the gateway; secure communication means by which information is transferable securely, without passing through the gateway, between a first mobile workstation connected to the external portion of the network and a second mobile workstation connected to the external portion of the network; means for dynamically updating an identifier of the first mobile workstation as it moves within the external portion of the network; means for communicating the updated identifier of the first mobile workstation to the second mobile workstation; and means for sending packets from the second mobile workstation to the first mobile workstation using the secure communication means, wherein the packets are addressed using the updated identifier of the first mobile workstation and are routed without necessarily passing through the gateway.
  • Embodiments of this aspect of the invention provide for secure communications between the first and second mobile workstations without being forced to use the gateway as an intermediary to secure communications. This allows the route by which packets are transferred between the first mobile workstation (MNl) and the second mobile workstation (MN2) to be optimised. ,
  • Fig. 1 is a schematic illustration of a secure virtual private network (SVPN) according to one embodiment of the invention.
  • SVPN secure virtual private network
  • Fig. 2 is a signalling diagram of a secure virtual private network (SVPN) in which two mobile nodes, MNl & MN2, move into an external portion of the SVPN while communicating with each other.
  • SVPN secure virtual private network
  • the virtual private network comprises an internal portion 12 which is protected by a firewall or Security Gateway (SG) 20 and an external portion 14 which uses an unsecured communications medium 30, such as the internet, to communicate with the internal portion 12 via the Security Gateway
  • the VPN 10 has a file server 16 and a plurahty of client workstations 18a, 18b, 18c, 18d, 18e and 18f.
  • the workstations 18a, 18b and 18c are desktop machines within the internal portion 12 of the VPN 10 and are non-mobile nodes of the VPN 10.
  • the workstation 18d is a portable machine, in this case a laptop computer, which is a mobile node (MN) of the VPN 10.
  • MN mobile node
  • the workstation 18d is currently physically located within the internal portion 12.
  • the workstation 18e is a portable machine (a hand-portable personal digital assistant), which is a mobile node MNl of the VPN.
  • the portable workstation 18e is currently physically located in the external portion 14 of the VPN and connected to the gateway 20 via the unsecured communications medium 30.
  • the workstation 18f is a portable machine (a hand-portable cellular radio telephone), which is a mobile node MN2 of the VPN.
  • the portable workstation is currently physically located in the external portion 14 of the VPN and is connected to the gateway 20 via a cellular radio telephone network 32 and then the unsecured communications medium 30.
  • the VPN 10 has a router 22, which provides the functionality of the HA of the mobile nodes of the VPN 10.
  • the file sever 16, the Security Gateway 20, the router 22 or some other intelligence within the internal portion 12 of the VPN may provide the functionality of the VPN Connectivity Manager (VCM), which is described in more detail below.
  • VCM VPN Connectivity Manager
  • This embodiment relates to a Virtual Private Network (VPN) which uses private (not public) addresses.
  • VPN Virtual Private Network
  • the first mobile node MNl has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM).
  • the second mobile node MN2 has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM).
  • the SG has three pairs of SAs (uplink and downlink), one pair with MNl, one pair with MN2 and the other pair with the VCM.
  • the VCM has three pairs of SAs (uplink and downlink), one pair with MNl, one pair with MN2 and the other pair with SG.
  • a mobile node (MN), Security Association (SA), Home Agent (HA), Security Gateway (SG) are terms well understood by a person knowledgeable in Virtual Private Networks, Internet Protocol Security (IPsec) Protocol and Mobile Internet Protocol version 6 (MIPv6).
  • the VPN Connectivity Manager (VCM) is a newly devised component of a
  • the Security Association between a MN and the VCM is an Encapsulating Security Payload (ESP) SA and utilizes internal addresses of the VPN.
  • ESP Encapsulating Security Payload
  • the Security Association between the Security Gateway (SG) and the mobile nodes utilizes the external, public HoA of the MNs as opposed to the VPN internal address.
  • the inbound SA in SG is always active, and the outbound SA is activated when the inbound SPD receives packets from MN2's external HoA and/or the MIPv6 binding cache has a binding with MN2's external HoA.
  • MN2 executes a Binding Update with the SG. Therefore the
  • SG maps the external HoA of MN2 to the external CoA of MN2 and sends packets for the MN2 to the external CoA of MN2.
  • the SG is an intermediate node in communications from and to MN2 using private addresses. It monitors the headers of these communications and stores in a cache the internal addresses of the CNs with which MN2 communicates.
  • the packets addressed to or sent by MN2 can be identified from the HoA or current CoA of MN2 in the headers.
  • the SG sends a message 202 to the VCM with MN2's external HoA.
  • the VCM receives the external HoA and stores it in its MN context database.
  • the MN context comprises the MN internal HoA, the MN external HoA, the internal HoAs of correspondent nodes of the MN, and details of the managed SAs with identification of the relevant secrets and algorithms.
  • the VCM may send an Acknowledgement message 204 to the SG.
  • the SG maps the external HoA of MN2 to the external CoA of MNl and sends packets for the MNl to the external CoA of MNl.
  • the SG is an intermediate node in communications from and to MNl using private addresses. It monitors the headers of these communications and stores in a cache the internal addresses of the CNs with which MNl communicates.
  • the packets addressed to or sent by MNl can be identified from the HoA or current CoA of MNl in the header.
  • the SG sends a message 202 to the VCM with MNl's external HoA.
  • the VCM receives the external HoA and stores it in its MN context database.
  • the MN context comprises the MN Internal HoA, the MN external
  • VCM may send an Acknowledgement message 204 to the SG.
  • the SG also detects that MNl and MN2 are involved in a session.
  • the SG has a binding with MNl, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MNl.
  • HoA static identifier
  • CoA dynamic identifier
  • the SG has a binding with MN2, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MN2.
  • HoA static identifier
  • CoA dynamic identifier
  • the SG sends a message 202 to the VCM indicating that MNl and MN2 are having a session.
  • This session indication message could be combined with or be separate from the message informing the VCM of the external HoA of
  • VCM receives the MN1-MN2 session indication message and may send an Acknowledgement message 204 to the SG.
  • the VCM creates information for an SA pair for MN1-MN2 communication. It generates random secrets and stores them in the MN context database in the VCM for the MN1-MN2 session.
  • the secrets are keys the number and length of which depend on the implementation, and are accompanied by other SA material such as algorithm definition.
  • the VCM sends 206 a first secret(s) defining the SA pair between MNl and MN2 and the external HoA of MNl to MN2 via its (internal) ESP SA with MNl.
  • the VCM separately sends 210 a second secret(s) defining the SA pair between MNl and MN2 and the external HoA of MN2 to MNl via its (internal) ESP SA with MN2.
  • the MNl receives the secret(s) and the external HoA of MN2. It enters into its Security Association Database (SAD) a new ESP SA to the MN2 and a new ESP SA from the MN2. Each entry specifies the algorithm to be used and the secret(s) to be used.
  • the MNl modifies its Security Policy Database (SPD) so that traffic destined for MN2 will be encrypted using one of the new SA pair and traffic from MN2 will be decrypted using the other one of the new SA pair.
  • SPD Security Policy Database
  • MNl After first modifying the inbound SPD policy (traffic from MN2), MNl sends an Acknowledgement message 212 to the VCM which forwards it to MN2.
  • the outbound SPD policy (traffic destined for MN2) is only modified after the reception of Acknowledgement message 208 from MN2 via VCM. This ensures that MN2 can idecrypt the packets when they are sent by MNl.
  • the MN2 receives the secret(s) and the external HoA of MNl. It enters into its Security Association Database (SAD) a new ESP SA to the MNl and a new ESP SA from the MNl. Each entry specifies the algorithm to be used and the secret(s) to be used.
  • the MN2 modifies its Security Policy Database (SPD) so that traffic destined for MNl will be encrypted using one of the new SA pair and traffic from MNl will be decrypted using the other one of the new SA pair.
  • SPD Security Policy Database
  • MN2 After first modifying the inbound SPD policy (traffic from MNl), MN2 sends an Acknowledgement message 208 to the VCM which forwards it to MNl.
  • the outbound SPD policy (traffic destined for MNl) is only modified after the reception of Acknowledgement message 212 from MNl via VCM. This ensures that MNl can decrypt the packets when they are sent by MN2.
  • the new ESP SAs provide for end-to-end encryption between the external HoA of MNl and the external HoA of MN2.
  • the packets with internal addresses are exchanged in the crypto tunnel between the external HoAs.
  • the MNl uses the external HoA address to route packets to MN2.
  • MNl first sends a packet 214 encrypted by the new ESP SA to the external HoA of MN2, it first goes to the external HA of MN2 which forwards 216 it to the external CoA of MN2. After this the return routability and binding process between the MNl and MN2 provides 218 the external CoA of MN2 to MNl. MNl uses the external CoA of MN2 to address packets 220 destined for MN2.
  • the MN2 uses the external HoA address to route packets to MNl.
  • MN2 first sends packets encrypted by the new ESP SA to the external HoA of MNl, they first go to the external HA of MNl which forwards them to the external CoA of MNl. After this the return routability and binding process between the MN2 and MNl provides the external CoA of MNl to MN2.
  • MN2 uses the external CoA of MNl to address packets destined for MNl.
  • the return routability and binding process optimises the route between the MNl and MN2 external CoAs and continues to do so as long as both MNs are outside the private network, without SG or VCM intervention.
  • MNl or MN2 moves to a different point of attachment in the external portion of the VPN a handover procedure occurs to the new point of attachment.
  • the procedure is specified by MlPv6. If MNl moves, the CoA of MNl changes and this change is automatically communicated to MN2.
  • the route between MNl and MN2 remains optimised.
  • the SA between that MN and the SG which was used for communication between that MN and the interior of the VPN, no longer receives packets. This is because the MN is now in the internal portion of the VPN and starts to send packets unencrypted within the private network.
  • This movement from the external portion of the VPN to the internal portion of the VPN is detected in the same way as the movement from the internal portion of the VPN to the external portion of the VPN (but vice versa) by the SG which then informs the VCM.
  • the VCM commands the remaining external MN to amend its SAD and/or SPD so that it uses its ESP SA with the SG again for communication with the internal MN.
  • This embodiment relates to a VPN which uses public (not private) addresses, such as IP addresses.
  • public (not private) addresses such as IP addresses.
  • the first mobile node MNl has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM).
  • the second mobile node MN2 has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM).
  • the SG has three pairs of SAs (uplink and downhnk), one pair with MNl, one pair with MN2 and the other pair with the VCM.
  • the VCM has three pairs of SAs (uplink and downlink), one pair with MNl, one pair with MN2 and the other pair with SG.
  • the SAs between the Security Gateway (SG) and the mobile nodes utilize the external, public HoA of the MNs as opposed to VPN internal addresses, which were used in embodiment 1 but represent only a subset of public addresses in this embodiment.
  • the SAs between a MN and the VCM is an Encapsulating Security Payload
  • MN2 executes a Binding Update with the SG. Therefore the SG maps the HoA of MN2 to the CoA of MN2 and sends packets for the MN2 to the CoA of MN2.
  • the SG is an intermediate node in communications between the internal portion of the VPN and MN2. It monitors the headers of these communications and stores in a cache the addresses of the CNs with which MN2 communicates.
  • the packets addressed to or sent by MN2 can be identified from the HoA or current CoA of MN2 in the headers.
  • the SG sends a message 202 to the VCM with MN2's HoA.
  • the VCM receives the HoA and stores it in its MN context database.
  • the MN context comprises the MN HoA, the HoAs of the correspondent nodes of the MN, and details of the managed SAs with identification of the relevant secrets and algorithms.
  • the VCM may send an Acknowledgement message 204 to the SG.
  • MNl executes a Binding Update with the SG. Therefore the SG maps the HoA of MN2 to the CoA of MNl and sends packets for the MNl to the CoA of MNl.
  • the SG is an intermediate node in communications between the internal portion of the VPN and MNl. It monitors the headers of these communications and stores in a cache the addresses of the CNs with which MNl communicates.
  • the packets addressed to or sent by MNl can be identified from the HoA or current CoA of MNl in the header.
  • the SG sends a message 202 to the VCM with MNl's HoA.
  • the VCM receives the HoA and stores it in its MN context database.
  • MN context comprises the MN HoA, the HoAs of the correspondent nodes of the
  • the VCM may send an Acknowledgement message 204 to the SG.
  • the SG also detects that MNl and MN2 are involved in a session.
  • the SG has a binding with MNl, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MNl.
  • HoA static identifier
  • CoA dynamic identifier
  • the SG has a binding with MN2, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MN2.
  • HoA static identifier
  • CoA dynamic identifier
  • the SG sends a message 202 to the VCM indicating that MNl and MN2 are having a session.
  • This session indication message could be combined with or be separate from the message mforming the VCM of the external HoA of MNl.
  • VCM receives the MN1-MN2 session indication message and may send an Acknowledgement message 204 to the SG.
  • the VCM creates information for an SA pair for MN1-MN2 communications. It generates random secrets and stores them in the MN context database in the VCM for the MN1-MN2 session.
  • the secrets are keys the number and length of which depend on the implementation, and are accompanied by other SA material such as algorithm definition.
  • the VCM sends 206 a first secret(s) defining the SA pair between MNl and MN2 and the HoA of MNl to MN2 via its (encapsulated) ESP SA with MNl. Thus there will be end-to-end security between the VCM and the MNl.
  • the VCM separately sends 210 a second secret(s) defining the SA pair between MNl and MN2 and the HoA of MN2 to MNl via its (encapsulated) ESP SA with MN2.
  • the SAs between them could also be direct.
  • the encapsulation of those inner SAs inside the outer SAs between the MNs and the SG is not necessary, but when used, improves overall security.
  • the MNl receives the secret(s) and the external HoA of MN2. It enters into its Security Association Database (SAD) a new ESP SA to MN2 and a new ESP SA from MN2. Each entry specifies the algorithm to be used and the secret(s) to be used.
  • the MNl modifies its Security Pohcy Database (SPD) so that traffic destined for MN2 will be encrypted using one of the new SA pair, and traffic from MN2 will be decrypted using the other one of the new SA pair.
  • SPD Security Pohcy Database
  • MNl After first modifying the inbound SPD policy (traffic from MN2), MNl sends an Acknowledgement message 212 to the VCM which forwards it to MN2.
  • the outbound SPD policy (traffic destined for MN2) is only modified after the reception of Acknowledgement message 208 from MN2 via VCM. This ensures that MN2 can decrypt the packets when they are sent by MNl.
  • the MN2 receives the secret(s) and the HoA of MNl. It enters into its Security Association Database (SAD) a new ESP SA to the MNl and a new ESP SA from the MNl. Each entry specifies the algorithm to be used and the secret(s) to be used.
  • the MN2 modifies its Security Policy Database (SPD) so that traffic destined for MNl will be encrypted using one of the new SA pair, and traffic from MNl will be decrypted using the other one of the new SA pair.
  • SPD Security Policy Database
  • MN2 After first modifying the inbound SPD policy (traffic from MNl), MN2 sends an Acknowledgement message 208 to the VCM which forwards it to MNl.
  • the outbound SPD pohcy (traffic destined for MNl) is only modified after the reception of Acknowledgement message 212 from MNl via VCM. This ensures that MNl can decrypt the packets when they are sent by MN2.
  • the HoA received in the message from the VCM is in this embodiment not necessarily used in route optimization between two nodes that already have a session in the external portion of the VPN (because MIPv6 may be used to provide the HoA directly). Instead, it is used for modification of the appropriate SAD entries using the new secret(s), or for securely setting up an SA between the HoAs by utilizing the existing SAs with SG and VCM, or for avoiding the unnecessary default use of direct SAs when MNs are in the internal portion of the VPN.
  • the new ESP SAs provide for end-to-end encryption between the HoA of MNl and the HoA of MN2.
  • the MNl uses the HoA address to route packets to MN2.
  • MNl first sends packet 214 encrypted by the new ESP SA to the HoA of MN2, it first goes to the HA of MN2 which forwards 216 it to the CoA of MN2. After this the return routabihty and binding process between the MNl and MN2 provides 218 the CoA of MN2 to MNl.
  • MNl uses the CoA of MN2 to address packets 220 destined for MN2.
  • the MN2 uses the HoA address to route packets to MNl.
  • MN2 first sends packets encrypted by the new ESP SA to the HoA of MNl, .they first go to the HA of MNl which forwards them to the CoA of MNl. After this the return routability and binding process between the MN2 and MNl provides the CoA of
  • MNl uses the CoA of MNl to address packets destined for MNl.
  • the return routabihty and binding process optimises the route between the MNl and MN2 CoAs and continues to do so as long as the MNs have a session, whether they are in the interior or exterior portion of the VPN, without SG or VCM intervention.
  • MNl or MN2 moves to a different point of attachment in the external portion of the VPN a handover procedure occurs to the new point of attachment.
  • the procedure is specified by MIPv6. If MNl moves, the CoA of MNl changes and this change is automatically communicated to MN2.
  • the route between MNl and MN2 remains optimised.
  • the SA between that MN and the SG which was used for communication between that MN and the interior of the VPN, no longer receives packets. This is because the MN is now in the internal portion of the VPN and starts to send packets unencrypted within the private network.
  • This movement from the external portion of the VPN to the internal portion of the VPN is detected in the same way as the movement from the internal portion of the VPN to the external portion of the VPN (but vice versa) by the SG which then informs the VCM.
  • the VCM commands the remaining external MN to amend its SAD and/or SPD so that it uses its ESP SA with the SG again for communication with the internal MN.
  • the external HA need not be trusted because the existing SAs with SG and VCM guarantee that the exchanged SA secrets defining the SA between MNl and MN2 cannot be spoofed.
  • the first and second secret(s) may be symmetric keys for encryption and decryption.
  • the same key being used for encryption and decryption in both MNs or separate keys may be used for encryption/decryption in one MN and used for corresponding decryption/encryption in the other MN.
  • the secret(s) may be asymmetric keys such as public and private keys.
  • VCM as a separate entity to the SG. This provides some advantages, in that an existing VPN can be modified by the addition of a physical VCM. This provides backwards compatibility. When the VCM is a separate entity from the SG it is necessary for it to have pre- existing SAs with the MNs.
  • the functions of the VCM are incorporated into the SG and there is no physical VCM.
  • This has the advantage of reducing the number of VPN entities but necessitates modification of the SG.
  • This implementation is not necessarily backwards compatible with an existing SG, although it may be effected as a software update to an existing SG.
  • the VCM is part of the SG there will not be separate SAs from the VCM to the MNs. The VCM will use the SAs of the SG to the MNs.
  • An alternative or additional trigger is the detection of both: a) that a VPN node initiating a data transfer session is an 'external' node, and b) that the destination node of the data transfer is an 'external' node.
  • 'Security Association' may at times refer to a unidirectional Security Association, a pair of uni-directional (inbound & outbound) Security Associations and the information stored to effect these Security Associations.
  • MN1/MN2 may be a source and destination of data, a source only or a destination only.

Abstract

A security gateway connects an external portion of a virtual private network to an internal secured portion of the network. The gateway is arranged to identify automatically when a communication session exists between two mobile workstations both of which are connected in the external portion of the network. The mobile workstations are then enabled to communicate with each other without using the gateway as an intermediary. This communication can be secured. The route by which packets are transferred between the workstations may then be optimised.

Description

Secured Virtual Private Network with Mobile Nodes
Embodiments of the present invention relate to a virtual private network capable of having a plurality of mobile nodes, to the components of the network and to the methods and processes used within the network.
A Virtual Private Network (VPN) provides a network-like connection via a public network, such as the internet. Remote components of the VPN appear to a user as if they are physically connected via dedicated communication cables, when in fact the public network may form at least part of the connection between them.
As the VPN may use a public network, security measures must be taken to prevent unauthorised users hacking into the VPN. The Internet Engineering Task Force (IETF) has developed the Internet Protocol Security (IPsec) standard, which is suitable for securing the VPN. The IPsec standard specifies an extension to TCP/IP that utilizes data encryption and digital encryption technology to positively identify a user or network component. Implementation of IPsec, or an equivalent security protocol, on a VPN results in a Secure Virtual Private Network (SVPN).
A SVPN has a Security Gateway placed at the interface between a private secured network and the public unsecured network. The private secured network forms an internal portion of the VPN, whereas those parts of the VPN which are part of the public network are external portions of the VPN.
The SVPN is a packet switching network in which data is sent as packets. Each packet has a data payload and a header. The header includes the address of the origin of the data and the address of the destination of the data. The addresses used may be public IP addresses or private IP addresses. A public address is a globally unique address, whereas a private address is unique in the VPN but not necessarily globally. A Security Association (SA) is a context defining a virtual simplex connection between two end points that affords security services to the traffic carried between those end points. To secure bi-directional communication between two nodes, two Security Associations (one in each direction) are required in both nodes. Among other things each context indicates an authentication and/or encryption algorithm and a secret (a shared key, or appropriate public/private key pair).
Each node has a Security Policy Database (SPD) and a Security Association Database (SAD). The SPD specifies the treatment of every inbound and outbound packet. It also indicates which SA or SA bundle in SAD should be used, if any. The SPD maps traffic to a SAD entry, which has the SA parameters for the traffic. The Encapsulating Security Payload (ESP) [RFC2406] is one type of Security Association and it provides confidentiality, data origin authentication, connectionless integrity, anti-replay service and limited traffic flow confidentiality.
MobilelPvβ (MIPv6) allows a mobile node (MN) to move from one link to another without changing the mobile node's IP address (Home Address). Thus a mobile node is always addressable by its Home Address (HoA).
The HoA is an IP address assigned, for an extended period of time, to the mobile node within its home network. It is a "static" identifier and therefore remains unchanged regardless of which link a mobile node uses to link to the network.
The home network has a network prefix matching that of a mobile node's HoA and packets destined for a mobile node's HoA will be delivered to the mobile node's Home Network. The mobile node may also be attached to other networks other than the home network, these are called Visited Networks.
The MN is able to maintain its static identifier (HoA) and communicate in Visited Networks by associating a dynamic identifier (Care-of -Address) with the static identifier (HoA) while moving outside its home network. The Care-of- Address (CoA) reflects the MN current point of attachment. The association of the HoA and CoA is stored in a Home Agent (HA) and correspondent nodes (CN) and is referred to as a "binding" or "mobility binding" when combined with the lifetime of the association.
The HA is a router in the home network which tunnels packets for delivery to the mobile node when it is away from the home network, and maintains current location information for the mobile node. The HA intercepts a packet sent to the HoA of the MN, encapsulates the intercepted packet using Type 2 Routing Header and sends it to the CoA of the MN. When the MN receives the packet in its CoA, it removes the Routing Header where the HoA was and forwards the packet internally to the HoA.
The mobile node generally uses its HoA as the end point of all its communications, and the CoA as the source address of all IP packets that it sends. These packets are delivered to their destination via normal IP routing mechanisms. Packets sent to the mobile node do not necessarily pass through the HA if the CoA is known to the correspondent node.
When the MN moves to a Visited Network, the MN detects this and obtains a CoA on the Visited network. It then sends a Binding Update to the HA and any correspondent node. A correspondent node is a mobile or stationary peer with which a mobile node is communicating. The Binding Update registers the new CoA of the MN.
MIPv6 provides for route optimisation via return routability and binding updates. The CoA is sent to the HA and to the CN, therefore CN messages can be routed directly to the CoA and need not go via the HA.
IPsec is mandatory for IPv6. In a combination of MlPvβ and IPsec, MIPv6 confirms the validity of the end points, and IPsec can be used for protecting the actual traffic between those end points. From the IPsec point of view, the SAs simply take place between two static addresses, the HoA of the MN and the regular address of the CN. In a SVPN with mobile nodes, each MN has or creates two pairs of SAs, one with the SG and the other with its HA. The SVPN can be considered to have an internal portion which is connected to the public network via a Security Gateway (SG) and a external portion connected to and forming part of the public network.
If internal addressing is used, communication between a MN, which is in the external portion of the SVPN and any other node of the SVPN occurs via the SAs between the MN and the SG. Thus if one MN, e.g. MNl, which is in the external portion of the SVPN, is communicating with another MN, e.g. MN2, which is also in the external portion of the SVPN, then all communications between MNl and MN2 will be via the SG using the SA pairs between MNl and the SG and MN2 and the SG. There should not be direct communication between MNl and MN2 via the public network because the internal addresses are ambiguous (not globally unique) and therefore traffic using them is not properly routable in the public network and also because security could be compromised. This results in inefficient routing.
If external addressing is used, communication between one MN, e.g. MNl, which is in the external portion of the SVPN, and another MN, e.g. MN2, which is also in the external portion of the SVPN, can be directly between MNl and MN2 after they exchange return mutability and binding messages. This provides for efficient but insecure communication unless a pair of up-to-date SAs between MNl and MN2 already exists in both nodes.
It would be desirable to improve secure virtual private networks having mobile nodes by providing efficient and secure routing for communications between mobile nodes of the network.
According to first aspect of the present invention there is provided a gateway for connecting an external portion of a network to an internal secured portion of the network wherein the gateway is arranged to identify automatically when a communication session exists between two mobile workstations both of which are connected in the external portion of the network.
Embodiments of this aspect of the invention provide for detection of when two mobile workstations (MNl & MN2) are communicating via the gateway (SG). This detection may, in embodiments of the invention, initiate a mechanism that allows the mobile workstations to communicate without using the gateway as an intermediary. This, in turn, allows the route by which packets are transferred between the first mobile workstation (MNl) and the second mobile workstation (MN2) to be optimised.
According to another aspect of the invention there is provided a network including an internal secured portion which connects, via a gateway to an external portion, the network comprising a plurality of workstations including mobile workstations; the gateway and secure communication means by which information is transferable securely to a first mobile workstation in the external portion of the network via the gateway and by which information is transferable securely to a second mobile workstation in the external portion of the network via the gateway; and information transfer means located within the internal secured portion of the network or within the gateway and arranged to send, using the secure communication means, an identifier of the second mobile workstation to the first mobile workstation for use as an address in a packet originating from the first mobile workstation and destined for the second mobile workstation.
Embodiments of this aspect of the invention provide an identifier of the second mobile workstation (MN2) securely to the first mobile workstation (MNl). This identifier may allow the first mobile workstation (MNl) to communicate with the second mobile workstation (MN2) without using the gateway (SG) as an intermediary. This, in turn, allows the route by which packets are transferred between the first mobile workstation (MNl) and the second mobile workstation (MN2) to be optimised. The identifier may be the external Home Address of the second mobile workstation (MN2). According to a further aspect of the present invention there is provided a virtual private network including an internal secured portion which connects, via a gateway to an external portion, the network being arranged to communicate within the internal portion of the network using private addresses and comprising: a plurahty of workstations including mobile workstations; the gateway; first secure communication means by which information is transferable securely to a first mobile workstation connected at the external portion of the network via the gateway and by which information is transferable securely to a second mobile workstation connected at the external portion of the network via the gateway; and information transfer means arranged to send first security information to the first mobile workstation and second security information to the second mobile workstation using the first secure communication means, wherein the first mobile workstation uses the first security information and the second mobile workstation uses the second security information to enable a second secure communication means by which further information is transferable securely between the first mobile workstation and the second mobile workstation without passing through the gateway.
Embodiments of this aspect of the invention provide, perhaps different, security information to the first mobile workstation (MNl) and the second mobile workstation (MN2) which enables secure communications between the first and second mobile workstations without having to use the gateway as an intermediary to secure communications.
According to a still further aspect of the present invention there is provided a virtual private network including an internal secured portion which connects, via a gateway to an external portion, the network being arranged to communicate within the internal portion of the network using private addresses and comprising: a plurahty of workstations including mobile workstations; the gateway; secure communication means by which information is transferable securely, without passing through the gateway, between a first mobile workstation connected to the external portion of the network and a second mobile workstation connected to the external portion of the network; means for dynamically updating an identifier of the first mobile workstation as it moves within the external portion of the network; means for communicating the updated identifier of the first mobile workstation to the second mobile workstation; and means for sending packets from the second mobile workstation to the first mobile workstation using the secure communication means, wherein the packets are addressed using the updated identifier of the first mobile workstation and are routed without necessarily passing through the gateway.
Embodiments of this aspect of the invention provide for secure communications between the first and second mobile workstations without being forced to use the gateway as an intermediary to secure communications. This allows the route by which packets are transferred between the first mobile workstation (MNl) and the second mobile workstation (MN2) to be optimised. ,
For a better understanding of the present invention and to understand how the same may be brought into effect reference will now be made by way of example only to the accompanying drawings illustrating embodiments of the invention:
Fig. 1 is a schematic illustration of a secure virtual private network (SVPN) according to one embodiment of the invention; and
Fig. 2 is a signalling diagram of a secure virtual private network (SVPN) in which two mobile nodes, MNl & MN2, move into an external portion of the SVPN while communicating with each other.
The virtual private network (VPN) 10, comprises an internal portion 12 which is protected by a firewall or Security Gateway (SG) 20 and an external portion 14 which uses an unsecured communications medium 30, such as the internet, to communicate with the internal portion 12 via the Security Gateway
20.
The VPN 10 has a file server 16 and a plurahty of client workstations 18a, 18b, 18c, 18d, 18e and 18f. The workstations 18a, 18b and 18c are desktop machines within the internal portion 12 of the VPN 10 and are non-mobile nodes of the VPN 10. The workstation 18d is a portable machine, in this case a laptop computer, which is a mobile node (MN) of the VPN 10. The workstation 18d is currently physically located within the internal portion 12. The workstation 18e is a portable machine (a hand-portable personal digital assistant), which is a mobile node MNl of the VPN. The portable workstation 18e is currently physically located in the external portion 14 of the VPN and connected to the gateway 20 via the unsecured communications medium 30. The workstation 18f is a portable machine (a hand-portable cellular radio telephone), which is a mobile node MN2 of the VPN. The portable workstation is currently physically located in the external portion 14 of the VPN and is connected to the gateway 20 via a cellular radio telephone network 32 and then the unsecured communications medium 30.
The VPN 10 has a router 22, which provides the functionality of the HA of the mobile nodes of the VPN 10. The file sever 16, the Security Gateway 20, the router 22 or some other intelligence within the internal portion 12 of the VPN may provide the functionality of the VPN Connectivity Manager (VCM), which is described in more detail below.
Embodiment 1
This embodiment relates to a Virtual Private Network (VPN) which uses private (not public) addresses. In the following description reference will be made to Fig. 2.
The first mobile node MNl has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM). The second mobile node MN2 has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM). The SG has three pairs of SAs (uplink and downlink), one pair with MNl, one pair with MN2 and the other pair with the VCM. The VCM has three pairs of SAs (uplink and downlink), one pair with MNl, one pair with MN2 and the other pair with SG. A mobile node (MN), Security Association (SA), Home Agent (HA), Security Gateway (SG) are terms well understood by a person knowledgeable in Virtual Private Networks, Internet Protocol Security (IPsec) Protocol and Mobile Internet Protocol version 6 (MIPv6).
The VPN Connectivity Manager (VCM) is a newly devised component of a
VPN and the Security Associations between the VCM and MNl and MN2 are newly implemented Security Associations. The Security Association between a MN and the VCM is an Encapsulating Security Payload (ESP) SA and utilizes internal addresses of the VPN.
The Security Association between the Security Gateway (SG) and the mobile nodes utilizes the external, public HoA of the MNs as opposed to the VPN internal address.
Let us assume that there is an existing session between MNl and MN2 and that MN2 has previously entered the external portion of the VPN.
When MN2 exited the internal portion of the VPN and entered the external portion of the VPN, at least one of the uplink and downlink SAs between MN2 and the SG became active.
This activation took place as a result of the following process. Inside the internal portion of the VPN, either the inbound SPD was receiving only packets with addresses used inside the VPN and/or the MIPv6 binding update list had only bindings with addresses used inside the VPN. When MN2 moved to the external portion of the VPN, the SPD started receiving packets with non- VPN addresses and/or the MIPv6 binding update list had also bindings with non-VPN addresses. Because of these changes, MN2 detected the movement to the external portion of the VPN. At that point, it changed the SPD policy for inbound VPN traffic from "no IPsec" into "use IPsec with default SG->MN2 ESP SA", and it changed the SPD policy for outbound VPN traffic from "no IPsec" into "use IPsec with default MN2->SG ESP SA". In order to avoid attacks where the attacker sets up a fake network where the same addresses are used as inside the VPN, additional SAs may be enforced by the VPN owner to authenticate the messages, e.g. Router Advertisements, sent by nodes in the internal portion of the VPN. In this case, after a change of link, MN would always assume that it is in the external portion of the VPN unless its SPD receives such a packet and the SA processing confirms the authentication (using e.g. an existing Authentication Header (AH) SA between the internal node and MN2).
The inbound SA in SG is always active, and the outbound SA is activated when the inbound SPD receives packets from MN2's external HoA and/or the MIPv6 binding cache has a binding with MN2's external HoA.
If necessary, MN2 executes a Binding Update with the SG. Therefore the
SG maps the external HoA of MN2 to the external CoA of MN2 and sends packets for the MN2 to the external CoA of MN2.
The SG is an intermediate node in communications from and to MN2 using private addresses. It monitors the headers of these communications and stores in a cache the internal addresses of the CNs with which MN2 communicates. The packets addressed to or sent by MN2 can be identified from the HoA or current CoA of MN2 in the headers.
The SG sends a message 202 to the VCM with MN2's external HoA. The
VCM receives the external HoA and stores it in its MN context database. The MN context comprises the MN internal HoA, the MN external HoA, the internal HoAs of correspondent nodes of the MN, and details of the managed SAs with identification of the relevant secrets and algorithms. The VCM may send an Acknowledgement message 204 to the SG.
When MNl exits the internal portion of the VPN and enters the external portion of the VPN, at least one of the uplink and downlink SAs between MNl and the SG becomes active. If necessary, MNl executes a Binding Update with the SG. Therefore the SG maps the external HoA of MN2 to the external CoA of MNl and sends packets for the MNl to the external CoA of MNl.
The SG is an intermediate node in communications from and to MNl using private addresses. It monitors the headers of these communications and stores in a cache the internal addresses of the CNs with which MNl communicates. The packets addressed to or sent by MNl can be identified from the HoA or current CoA of MNl in the header.
The SG sends a message 202 to the VCM with MNl's external HoA.
The VCM receives the external HoA and stores it in its MN context database. The MN context comprises the MN Internal HoA, the MN external
HoA, the internal HoAs of correspondent nodes of the MN, and details of the managed SAs with identification of the relevant secrets and algorithms. The
VCM may send an Acknowledgement message 204 to the SG.
The SG also detects that MNl and MN2 are involved in a session. The SG has a binding with MNl, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MNl. Thus all packets sent by or to MNl can be identified. The SG has a binding with MN2, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MN2. Thus all packets sent by or to MN2 can be identified. The SG detects that MNl and MN2 are in a session by detecting when a packet is sent from MNl to MN2 or a packet is sent from MN2 to MNl.
The SG sends a message 202 to the VCM indicating that MNl and MN2 are having a session. This session indication message could be combined with or be separate from the message informing the VCM of the external HoA of
MNl.
VCM receives the MN1-MN2 session indication message and may send an Acknowledgement message 204 to the SG. In response to this message, the VCM creates information for an SA pair for MN1-MN2 communication. It generates random secrets and stores them in the MN context database in the VCM for the MN1-MN2 session. In a preferred Implementation the secrets are keys the number and length of which depend on the implementation, and are accompanied by other SA material such as algorithm definition.
The VCM sends 206 a first secret(s) defining the SA pair between MNl and MN2 and the external HoA of MNl to MN2 via its (internal) ESP SA with MNl. Thus there will be end-to-end security between the VCM and the internal address of the MNl. The VCM separately sends 210 a second secret(s) defining the SA pair between MNl and MN2 and the external HoA of MN2 to MNl via its (internal) ESP SA with MN2. Thus there will be end-to-end security between the VCM and the internal address of the MN2.
The MNl receives the secret(s) and the external HoA of MN2. It enters into its Security Association Database (SAD) a new ESP SA to the MN2 and a new ESP SA from the MN2. Each entry specifies the algorithm to be used and the secret(s) to be used. The MNl modifies its Security Policy Database (SPD) so that traffic destined for MN2 will be encrypted using one of the new SA pair and traffic from MN2 will be decrypted using the other one of the new SA pair. After first modifying the inbound SPD policy (traffic from MN2), MNl sends an Acknowledgement message 212 to the VCM which forwards it to MN2. The outbound SPD policy (traffic destined for MN2) is only modified after the reception of Acknowledgement message 208 from MN2 via VCM. This ensures that MN2 can idecrypt the packets when they are sent by MNl.
The MN2 receives the secret(s) and the external HoA of MNl. It enters into its Security Association Database (SAD) a new ESP SA to the MNl and a new ESP SA from the MNl. Each entry specifies the algorithm to be used and the secret(s) to be used. The MN2 modifies its Security Policy Database (SPD) so that traffic destined for MNl will be encrypted using one of the new SA pair and traffic from MNl will be decrypted using the other one of the new SA pair. After first modifying the inbound SPD policy (traffic from MNl), MN2 sends an Acknowledgement message 208 to the VCM which forwards it to MNl. The outbound SPD policy (traffic destined for MNl) is only modified after the reception of Acknowledgement message 212 from MNl via VCM. This ensures that MNl can decrypt the packets when they are sent by MN2.
The new ESP SAs provide for end-to-end encryption between the external HoA of MNl and the external HoA of MN2. The packets with internal addresses are exchanged in the crypto tunnel between the external HoAs.
The MNl uses the external HoA address to route packets to MN2. When
MNl first sends a packet 214 encrypted by the new ESP SA to the external HoA of MN2, it first goes to the external HA of MN2 which forwards 216 it to the external CoA of MN2. After this the return routability and binding process between the MNl and MN2 provides 218 the external CoA of MN2 to MNl. MNl uses the external CoA of MN2 to address packets 220 destined for MN2.
The MN2 uses the external HoA address to route packets to MNl. When MN2 first sends packets encrypted by the new ESP SA to the external HoA of MNl, they first go to the external HA of MNl which forwards them to the external CoA of MNl. After this the return routability and binding process between the MN2 and MNl provides the external CoA of MNl to MN2. MN2 uses the external CoA of MNl to address packets destined for MNl.
The return routability and binding process optimises the route between the MNl and MN2 external CoAs and continues to do so as long as both MNs are outside the private network, without SG or VCM intervention. When either MNl or MN2 moves to a different point of attachment in the external portion of the VPN a handover procedure occurs to the new point of attachment. The procedure is specified by MlPv6. If MNl moves, the CoA of MNl changes and this change is automatically communicated to MN2. Thus the route between MNl and MN2 remains optimised.
When either MN returns to the private network, the SA between that MN and the SG, which was used for communication between that MN and the interior of the VPN, no longer receives packets. This is because the MN is now in the internal portion of the VPN and starts to send packets unencrypted within the private network. This movement from the external portion of the VPN to the internal portion of the VPN is detected in the same way as the movement from the internal portion of the VPN to the external portion of the VPN (but vice versa) by the SG which then informs the VCM. The VCM commands the remaining external MN to amend its SAD and/or SPD so that it uses its ESP SA with the SG again for communication with the internal MN.
Embodiment 2
This embodiment relates to a VPN which uses public (not private) addresses, such as IP addresses. In the following description reference will be made to Fig. 2.
The first mobile node MNl has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM). The second mobile node MN2 has a pair of SAs (uplink and downlink) with the Security Gateway (SG) and another pair of SAs (uplink and downlink) with a VPN Connectivity Manager (VCM). The SG has three pairs of SAs (uplink and downhnk), one pair with MNl, one pair with MN2 and the other pair with the VCM. The VCM has three pairs of SAs (uplink and downlink), one pair with MNl, one pair with MN2 and the other pair with SG.
The SAs between the Security Gateway (SG) and the mobile nodes utilize the external, public HoA of the MNs as opposed to VPN internal addresses, which were used in embodiment 1 but represent only a subset of public addresses in this embodiment.
The SAs between a MN and the VCM is an Encapsulating Security Payload
(ESP) SA and is encapsulated inside the Security Association between the SG and the MN.
Let us assume that there is an existing session between MNl and MN2 and that MN2 has previously entered the external portion of the VPN.
When MN2 exited the internal portion of the VPN and entered the external portion of the VPN, at least one of the uplink and downlink SAs between MN2 and the SG became active. This process is the same as that described in relation to embodiment 1.
If necessary, MN2 executes a Binding Update with the SG. Therefore the SG maps the HoA of MN2 to the CoA of MN2 and sends packets for the MN2 to the CoA of MN2.
The SG is an intermediate node in communications between the internal portion of the VPN and MN2. It monitors the headers of these communications and stores in a cache the addresses of the CNs with which MN2 communicates. The packets addressed to or sent by MN2 can be identified from the HoA or current CoA of MN2 in the headers.
The SG sends a message 202 to the VCM with MN2's HoA. The VCM receives the HoA and stores it in its MN context database. The MN context comprises the MN HoA, the HoAs of the correspondent nodes of the MN, and details of the managed SAs with identification of the relevant secrets and algorithms. The VCM may send an Acknowledgement message 204 to the SG.
When MNl exits the internal portion of the VPN and enters the external portion of the VPN, at least one of the uplink and downlink SAs between MNl and the SG becomes active.
If necessary, MNl executes a Binding Update with the SG. Therefore the SG maps the HoA of MN2 to the CoA of MNl and sends packets for the MNl to the CoA of MNl.
The SG is an intermediate node in communications between the internal portion of the VPN and MNl. It monitors the headers of these communications and stores in a cache the addresses of the CNs with which MNl communicates. The packets addressed to or sent by MNl can be identified from the HoA or current CoA of MNl in the header.
The SG sends a message 202 to the VCM with MNl's HoA.
The VCM receives the HoA and stores it in its MN context database. The
MN context comprises the MN HoA, the HoAs of the correspondent nodes of the
MN, and details of the managed SAs with identification of the relevant secrets and algorithms. The VCM may send an Acknowledgement message 204 to the SG.
The SG also detects that MNl and MN2 are involved in a session. The SG has a binding with MNl, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MNl. Thus all packets sent by or to MNl can be identified. The SG has a binding with MN2, if necessary, and therefore stores information relating the static identifier (HoA) and dynamic identifier (CoA) of MN2. Thus all packets sent by or to MN2 can be identified. The SG detects that MNl and MN2 are in a session by detecting when a packet is sent from MNl to MN2 or a packet is sent from MN2 to MNl.
The SG sends a message 202 to the VCM indicating that MNl and MN2 are having a session. This session indication message could be combined with or be separate from the message mforming the VCM of the external HoA of MNl.
VCM receives the MN1-MN2 session indication message and may send an Acknowledgement message 204 to the SG. In response to this message, the VCM creates information for an SA pair for MN1-MN2 communications. It generates random secrets and stores them in the MN context database in the VCM for the MN1-MN2 session. In a preferred implementation the secrets are keys the number and length of which depend on the implementation, and are accompanied by other SA material such as algorithm definition.
The VCM sends 206 a first secret(s) defining the SA pair between MNl and MN2 and the HoA of MNl to MN2 via its (encapsulated) ESP SA with MNl. Thus there will be end-to-end security between the VCM and the MNl. The VCM separately sends 210 a second secret(s) defining the SA pair between MNl and MN2 and the HoA of MN2 to MNl via its (encapsulated) ESP SA with MN2. Thus there will be end-to-end security between the VCM and MN2. Because both the MNs and the VCM are using public addresses, the SAs between them could also be direct. The encapsulation of those inner SAs inside the outer SAs between the MNs and the SG is not necessary, but when used, improves overall security.
The MNl receives the secret(s) and the external HoA of MN2. It enters into its Security Association Database (SAD) a new ESP SA to MN2 and a new ESP SA from MN2. Each entry specifies the algorithm to be used and the secret(s) to be used. The MNl modifies its Security Pohcy Database (SPD) so that traffic destined for MN2 will be encrypted using one of the new SA pair, and traffic from MN2 will be decrypted using the other one of the new SA pair. After first modifying the inbound SPD policy (traffic from MN2), MNl sends an Acknowledgement message 212 to the VCM which forwards it to MN2. The outbound SPD policy (traffic destined for MN2) is only modified after the reception of Acknowledgement message 208 from MN2 via VCM. This ensures that MN2 can decrypt the packets when they are sent by MNl.
The MN2 receives the secret(s) and the HoA of MNl. It enters into its Security Association Database (SAD) a new ESP SA to the MNl and a new ESP SA from the MNl. Each entry specifies the algorithm to be used and the secret(s) to be used. The MN2 modifies its Security Policy Database (SPD) so that traffic destined for MNl will be encrypted using one of the new SA pair, and traffic from MNl will be decrypted using the other one of the new SA pair. After first modifying the inbound SPD policy (traffic from MNl), MN2 sends an Acknowledgement message 208 to the VCM which forwards it to MNl. The outbound SPD pohcy (traffic destined for MNl) is only modified after the reception of Acknowledgement message 212 from MNl via VCM. This ensures that MNl can decrypt the packets when they are sent by MN2.
The HoA received in the message from the VCM is in this embodiment not necessarily used in route optimization between two nodes that already have a session in the external portion of the VPN (because MIPv6 may be used to provide the HoA directly). Instead, it is used for modification of the appropriate SAD entries using the new secret(s), or for securely setting up an SA between the HoAs by utilizing the existing SAs with SG and VCM, or for avoiding the unnecessary default use of direct SAs when MNs are in the internal portion of the VPN.
The new ESP SAs provide for end-to-end encryption between the HoA of MNl and the HoA of MN2.
The MNl uses the HoA address to route packets to MN2. When MNl first sends packet 214 encrypted by the new ESP SA to the HoA of MN2, it first goes to the HA of MN2 which forwards 216 it to the CoA of MN2. After this the return routabihty and binding process between the MNl and MN2 provides 218 the CoA of MN2 to MNl. MNl uses the CoA of MN2 to address packets 220 destined for MN2.
The MN2 uses the HoA address to route packets to MNl. When MN2 first sends packets encrypted by the new ESP SA to the HoA of MNl, .they first go to the HA of MNl which forwards them to the CoA of MNl. After this the return routability and binding process between the MN2 and MNl provides the CoA of
MNl to MN2. MN2 uses the CoA of MNl to address packets destined for MNl.
The return routabihty and binding process optimises the route between the MNl and MN2 CoAs and continues to do so as long as the MNs have a session, whether they are in the interior or exterior portion of the VPN, without SG or VCM intervention. When either MNl or MN2 moves to a different point of attachment in the external portion of the VPN a handover procedure occurs to the new point of attachment. The procedure is specified by MIPv6. If MNl moves, the CoA of MNl changes and this change is automatically communicated to MN2. Thus the route between MNl and MN2 remains optimised. When either MN returns to the private network, the SA between that MN and the SG, which was used for communication between that MN and the interior of the VPN, no longer receives packets. This is because the MN is now in the internal portion of the VPN and starts to send packets unencrypted within the private network. This movement from the external portion of the VPN to the internal portion of the VPN is detected in the same way as the movement from the internal portion of the VPN to the external portion of the VPN (but vice versa) by the SG which then informs the VCM. The VCM commands the remaining external MN to amend its SAD and/or SPD so that it uses its ESP SA with the SG again for communication with the internal MN.
The external HA need not be trusted because the existing SAs with SG and VCM guarantee that the exchanged SA secrets defining the SA between MNl and MN2 cannot be spoofed.
General
The following may relate to any and all embodiments.
The first and second secret(s) may be symmetric keys for encryption and decryption. The same key being used for encryption and decryption in both MNs or separate keys may be used for encryption/decryption in one MN and used for corresponding decryption/encryption in the other MN. Alternatively, the secret(s) may be asymmetric keys such as public and private keys.
The preceding description has described a VCM as a separate entity to the SG. This provides some advantages, in that an existing VPN can be modified by the addition of a physical VCM. This provides backwards compatibility. When the VCM is a separate entity from the SG it is necessary for it to have pre- existing SAs with the MNs.
In another implementation, the functions of the VCM are incorporated into the SG and there is no physical VCM. This has the advantage of reducing the number of VPN entities but necessitates modification of the SG. This implementation is not necessarily backwards compatible with an existing SG, although it may be effected as a software update to an existing SG. When the VCM is part of the SG there will not be separate SAs from the VCM to the MNs. The VCM will use the SAs of the SG to the MNs.
The implementation of embodiments of the invention therefore require a modification to the internal VPN by the introduction of the functionality of the VCM and a modification to mobile nodes and to SGs.
In the above described embodiments, the session already existed between
MNl and MN2 before both MNl and MN2 were in the external portion of the VPN. Thus the trigger was the detection of an existing session between two 'external' MNs. This triggered the process of creating an new SA, using an existing SA, between the two 'external' MNs.
An alternative or additional trigger is the detection of both: a) that a VPN node initiating a data transfer session is an 'external' node, and b) that the destination node of the data transfer is an 'external' node.
This triggers the process of creating a new SA, using an existing SA, between the two 'external' nodes.
The skilled reader will understand that in this document the term 'Security Association' may at times refer to a unidirectional Security Association, a pair of uni-directional (inbound & outbound) Security Associations and the information stored to effect these Security Associations.
Although two-way communications have been described between MNl and MN2, in alternative embodiments of the invention there is only one-way, not two-way, traffic e.g. from MNl to MN2 or from MN2 to MNl. Thus, MN1/MN2 may be a source and destination of data, a source only or a destination only.
Whilst endeavouring in the foregoing specification to draw attention to those features of the invention believed to be of particular importance it should be understood that the AppUcant claims protection in respect of any patentable feature or combination of features hereinbefore described, referred to and/or shown in the drawings, whether or not particular emphasis has been placed thereon.

Claims

Claims
1. A gateway for connecting an external portion of a network to an internal secured portion of the network wherein the gateway is arranged to identify automatically when a communication session exists between two mobile workstations both of which are connected in the external portion of the network.
2. A gateway as claimed in claim 1, having means for monitoring the source and destination of received packets.
3. A gateway as claimed in claim 1 having secure communication means by which information is transferable securely to the two mobile workstations separately.
4. A gateway as claimed in claim 3 wherein the secure communication means includes a first Security Association with a first mobile workstation and a second Security Association with a second mobile workstation.
5. A gateway as claimed in claim 3 or 4, wherein the gateway is arranged to send, using the secure communication means, an identifier of a second mobile workstation to a first mobile workstation for use as an address in a packet originating from the first mobile workstation and destined for the second mobile workstation
6. A gateway as claimed in claim 5 wherein the identifier of the second mobile workstation is a Home Address.
7. A gateway as claimed in any one of claims 3 to 6, wherein the gateway is arranged to send, using the secure communication means, an identifier of the first mobile workstation to the second mobile workstation for use as an address in a packet originating from the second mobile workstation and destined for the first mobile workstation.
8. A gateway as claimed in claim 7 wherein the identifier of the first mobile workstation is a Home Address.
9. A gateway as claimed in any one of claims 3 to 8, wherein the gateway is arranged to send first security information to the first mobile workstation and second security information to the second mobile workstation using the secure communication means, wherein the first mobile workstation uses the first security information and the second mobile workstation uses the second security information to enable a second secure communication means by which further information is transferable securely between the first mobile workstation and the second mobile workstation without passing through the gateway.
10. A gateway as claimed in claim 9, wherein the second secure communication means comprises Security Associations.
11. A gateway as claimed in any one of claims 1 to 10 wherein the gateway is further arranged to identify automatically when a mobile workstation moves between the internal and the external portions of the network.
12. A network including an internal secured portion which connects, via a gateway to an external portion, the network comprising a plurahty of workstations including mobile workstations; the gateway and secure communication means by which information is transferable securely to a first mobile workstation in the external portion of the network via the gateway and by which information is transferable securely to a second mobile workstation in the external portion of the network via the gateway; and information transfer means located within the internal secured portion of the network or within the gateway and arranged to send, using the secure communication means, an identifier of the second mobile workstation to the first mobile workstation for use as an address in a packet originating from the first mobile workstation and destined for the second mobile workstation.
13. A network as claimed in claim 12, wherein the information transfer means is further arranged to send, using the secure communication means, an identifier of the first mobile workstation to the second mobile workstation for use as an address in a packet originating from the second mobile workstation and destined for the first mobile workstation.
14. A network as claimed in claim 12 or 13 wherein the identifier of a mobile workstation is a Home Address of the mobile workstation.
15. A network as claimed in any one of claims 12 to 14 wherein the secure communication means provides an encrypted communications channel to the first mobile workstation and an encrypted communications channel to the second mobile workstation.
16. A network as claimed in any one of claims 12 to 15 wherein the secure communication means comprises a first Security Association and a second
Security Association.
17. A network as claimed in any one of claims 12 to 16 wherein the gateway is arranged to detect a communications session between two mobile workstations which are connected at the external portion of the network.
18. A network as claimed in any one of claims 12 to 17 further comprising: means for dynamically updating an identifier of the first mobile workstation as it moves within the external portion of the network; means for communicating the updated identifier of the first mobile workstation to the second mobile workstation; and means for sending packets from the second mobile workstation to the first mobile workstation using the second secure communication means, wherein the packets are addressed using the updated identifier of the first mobile workstation.
19. A network as claimed in claim 18 wherein the updated identifier is a Care-of-Address.
20. A network as claimed in any one of claims 12 to 19 wherein the network is arranged to use private addresses to communicate within the internal portion of the network and the identifier of the second workstation is a public address.
21. A method of securely routing communications between a first mobile node and a second mobile node of a network including an internal secured portion which connects, via a gateway to an external portion, comprising the steps of: mamtaining a secure communication means by which information is transferable securely to a first mobile node in the external portion of the network via the gateway and by which information is transferable securely to a second mobile node in the external portion of the network via the gateway; sending an identifier of the second mobile node to the first mobile node using the secure communication means; and addressing a packet sent from the first mobile node to the second mobile node using the identifier of the second mobile node and routing the packet, using the identifier of the second mobile node, from the first mobile node to the second mobile node, not necessarily via the gateway.
22. A method as claimed in claim 21 further comprising the steps of: sending an identifier of the first mobile node to the second mobile node using the secure communication means; and addressing a packet sent from the second mobile node to the first mobile node using the identifier of the first mobile node and routing the packet from the second mobile node to the first mobile node, not necessarily via the gateway.
23. A mobile workstation for connecting to an external portion of a network that includes an internal secured portion connected, via a gateway to the external portion, comprising: means for using a secure communication means by which information is transferable securely from the internal portion of the network to the mobile workstation via the gateway; means arranged to receive, via the first secure communication means, an identifier of another mobile workstation also connected to the external portion of the network; and means for including the identifier of the other mobile workstation as an address in a packet for transmission to the other mobile workstation.
24. A virtual private network including an internal secured portion which connects, via a gateway to an external portion, the network being arranged to communicate within the internal portion of the network using private addresses and comprising: a plurahty of workstations including mobile workstations; the gateway; first secure communication means by which information is transferable securely to a first mobile workstation connected at the external portion of the network via the gateway and by which information is transferable securely to a second mobile workstation connected at the external portion of the network via the gateway; and information transfer means arranged to send first security information to the first mobile workstation and second security information to the second mobile workstation using the first secure communication means, wherein the first mobile workstation uses the first security information and the second mobile workstation uses the second security information to enable a second secure communication means by which further information is transferable securely between the first mobile workstation and the second mobile workstation without passing through the gateway.
25. A virtual private network as claimed in claim 24, wherein the further information is transferable in packets using public addresses.
26. A network as claimed in claim 24 or 25, wherein the first secure communication means provides an encrypted communications channel to the first mobile workstation and an encrypted communications channel to the second mobile workstation.
27. A network as claimed in claim 24, 25 or 26 wherein the first secure communication means comprises a first Security Association and a second
Security Association.
28. A network as claimed in any one of claim 27, wherein the first Security Association is from the gateway to the first mobile workstation and the second
Security Association is from the gateway to the second mobile workstation.
29. A network as claimed in claim 28 wherein the first Security Association is from the internal portion of the network to the first mobile workstation and the second Security Association is from the internal portion of the network to the second mobile workstation.
30. A network as claimed in claim 27, 28 or 29, wherein communications using the first and second Security Associations use addresses which are private.
31. A network as claimed in any one of claims 24 to 30, wherein the second secure communication means provides encrypted communications channels between the first and second mobile workstations.
32. A network as claimed in claim 31 wherein the first and second security information define the encryption/decryption of the encrypted communications channels.
33. A network as claimed in any one of claims 24 to 32 wherein the second secure communication means comprises at least a third Security Association from the first mobile workstation to the second mobile workstation.
34. A network as claimed in claim 33 wherein first and second security information defines at least the third Security Association.
35. A network as claimed in any one of claims 24 to 34, wherein at least a portion of the first security information and at least a portion of the second security information are created within the internal portion of the network.
36. A network as claimed in any one of claims 24 to 35, wherein the gateway is arranged to detect a communications session between two mobile workstations which are connected at the external portion of the network.
37. A network as claimed in any one of claims 24 to 36, wherein the second secure communication means is enabled by the adaptation of databases in the first and second mobile workstations.
38. A network as claimed in any one of claims 24 to 37, further comprising: information transfer means arranged to send, using the first secure communication means, an identifier of the second mobile workstation to the first mobile workstation for use as an address in a packet originating from the first mobile workstation and destined for the second mobile workstation.
39. A network as claimed in claim 38 wherein the identifier of the second mobile workstation is a Home Address.
40. A network as claimed in claim 38 or 39, wherein the identifier of the second mobile workstation is a public address.
41. A network as claimed in any one of claims 24 to 40 further comprising: means for dynamically updating an identifier of the first mobile workstation as it moves within the external portion of the network; means for communicating the updated identifier of the first mobile workstation to the second mobile workstation; and means for sending packets from the second mobile workstation to the first mobile workstation using the second secure communication means, wherein the packets are addressed using the updated identifier of the first mobile workstation.
42. A network as claimed in claim 41 wherein the updated identifier is a Care-of-Address.
43. A method of securing communications between a first mobile node and a second mobile node of a virtual private network including an internal secured portion which connects, via a gateway to an external portion, comprising the steps of: communicating within the internal portion of the network using private addresses; mamtaining a first secure communication means by which information is transferable securely to the first mobile node in the external portion of the network via the gateway and by which information is transferable securely to a second mobile node in the external portion of the network via the gateway; sending first security information to the first mobile node using the first secure communication means; sending second security information to the second mobile node using the first secure communication means; creating a second secure communication means in the first mobile node, using the first security information in the first mobile node and the second security information in the second mobile node; and using the second secure communication means, and not the first secure communication means, for transferring further information between the first and second mobile nodes while they both remain in the external portion of the network.
44. A mobile workstation for connecting to a virtual private network that includes an internal secured portion connected, via a gateway to the external portion, and for communicating while in the internal portion using packet addresses which are private to the network, the mobile workstation comprising: means for using a first secure communication means by which packets addressed to the private address of the mobile workstation are transferable securely from the internal portion of the network to the mobile workstation via the gateway; means arranged to receive, via the first secure communication means, first security information for enabling a second secure communication means; and means for using the enabled second secure communication means to securely receive further packets, addressed to a public address of the mobile workstation, from another mobile workstation also in the external portion of the network.
45. A mobile workstation as claimed in claim 44 further comprising a database and means for modifying the database in response to the received first security information.
46. A mobile workstation as claimed in claim 45 wherein the database includes a Security Association Database (SAD) which is modified to include a new Security Association.
47. A mobile workstation as claimed in claim 46 wherein the database includes a Security Pohcy database which is modified so that packets for the other mobile workstation use the new Security Association.
48. A virtual private network including an internal secured portion which connects, via a gateway to an external portion, the network being arranged to communicate within the internal portion of the network using private addresses and comprising: a plurahty of workstations including mobile workstations; the gateway; secure communication means by which information is transferable securely, without passing through the gateway, between a first mobile workstation connected to the external portion of the network and a second mobile workstation connected to the external portion of the network; means for dynamically updating an identifier of the first mobile workstation as it moves within the external portion of the network; means for communicating the updated identifier of the first mobile workstation to the second mobile workstation; and means for sending packets from the second mobile workstation to the first mobile workstation using the secure communication means, wherein the packets are addressed using the updated identifier of the first mobile workstation and are routed without necessarily passing through the gateway.
49. A network as claimed in claim 48 wherein the updated identifier is a Care-of-Address.
50. A network as claimed in claim 48 or 49 wherein the secure communication means provides encrypted communications channels between the first and second mobile workstations.
51. A network as claimed in any one of claims 48 to 50 wherein the secure communication means comprises a Security Association from the first mobile workstation to the second mobile workstation and a Security Association from the second mobile workstation to the first mobile workstation.
52. A network as claimed in any one of claims 48 to 51 wherein the secure communication means is enabled by databases in the first and second mobile workstations.
53. A method of optimising the routing of secure communications between a first mobile node and a second mobile node of a network including an internal secured portion which connects, via a gateway to an external portion,, comprising the steps of: communicating within the internal portion of the network using private addresses; creating a secure communication means by which information is transferable securely, without passing through the gateway, between a first mobile node of the external portion of the network and a second mobile node of the external portion of the network; moving the first mobile node within the external portion of the network; modifying an identifier of the first mobile node in response to its movement; communicating the modified identifier of the first mobile node to the second mobile node; and sending a packet from the second mobile node for reception by the first mobile node, without necessarily passing via the gateway, after addressing it using the updated identifier of the first mobile and securing it using the secure communication means.
54. A mobile workstation for connecting to an external portion of a network that includes an internal secured portion connected, via a gateway to the external portion, comprising: means for conimunicating using private addresses when in the internal portion of the network; means for enabling and using a secure communication means by which information is transferable securely from the mobile workstation, when in the external portion of the network, to another mobile workstation connected to the external portion of the network without passing through the gateway; means for receiving an identifier of the other mobile workstation; and means for sending packets, when in the external portion of the network, to the other mobile workstation using the secure communication means and the received identifier.
55. A mobile workstation as claimed in claim 54 wherein the identifier is a public address.
56. A mobile workstation as claimed in claim 55 wherein the identifier is a Home Address or a Care-of-Address.
PCT/IB2002/004295 2002-10-17 2002-10-17 Secured virtual private network with mobile nodes WO2004036834A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
PCT/IB2002/004295 WO2004036834A1 (en) 2002-10-17 2002-10-17 Secured virtual private network with mobile nodes
US10/531,653 US20060182083A1 (en) 2002-10-17 2002-10-17 Secured virtual private network with mobile nodes
AU2002353429A AU2002353429A1 (en) 2002-10-17 2002-12-30 Virtual private network with mobile nodes
US10/531,491 US20060111113A1 (en) 2002-10-17 2002-12-30 Virtual private network with mobile nodes
PCT/IB2002/005733 WO2004036332A2 (en) 2002-10-17 2002-12-30 Virtual private network with mobile nodes

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2002/004295 WO2004036834A1 (en) 2002-10-17 2002-10-17 Secured virtual private network with mobile nodes

Publications (1)

Publication Number Publication Date
WO2004036834A1 true WO2004036834A1 (en) 2004-04-29

Family

ID=32104597

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/IB2002/004295 WO2004036834A1 (en) 2002-10-17 2002-10-17 Secured virtual private network with mobile nodes
PCT/IB2002/005733 WO2004036332A2 (en) 2002-10-17 2002-12-30 Virtual private network with mobile nodes

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/IB2002/005733 WO2004036332A2 (en) 2002-10-17 2002-12-30 Virtual private network with mobile nodes

Country Status (3)

Country Link
US (2) US20060182083A1 (en)
AU (1) AU2002353429A1 (en)
WO (2) WO2004036834A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006072890A1 (en) * 2005-01-07 2006-07-13 Alcatel Lucent Method and apparatus for providing low-latency secure session continuity between mobile nodes
WO2008116306A1 (en) * 2007-03-26 2008-10-02 David Ker System and method for implementing a secured and centrally managed virtual ip network over an ip network infrastructure
CN101091372B (en) * 2005-01-07 2013-03-06 阿尔卡特朗讯公司 Method and apparatus for providing route-optimized secure session continuity between mobile nodes

Families Citing this family (59)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0977828B1 (en) * 1997-03-07 2005-05-11 The Procter & Gamble Company Bleach compositions
EP2334127A3 (en) 2002-10-18 2012-07-11 Kineto Wireless, Inc. Method and apparatuses for registration and paging of a telecommunication device
US7885644B2 (en) * 2002-10-18 2011-02-08 Kineto Wireless, Inc. Method and system of providing landline equivalent location information over an integrated communication system
US7489667B2 (en) * 2002-11-08 2009-02-10 Faccin Stefano M Dynamic re-routing of mobile node support in home servers
US7366145B2 (en) * 2002-11-08 2008-04-29 Nokia Corporation Fast recovery from unusable home server
US7308506B1 (en) * 2003-01-14 2007-12-11 Cisco Technology, Inc. Method and apparatus for processing data traffic across a data communication network
US8391203B1 (en) 2003-02-19 2013-03-05 Sprint Spectrum L.P. System and method for data link layer handoffs in a wireless network
US7545766B1 (en) * 2003-05-16 2009-06-09 Nortel Networks Limited Method for mobile node-foreign agent challenge optimization
US7697501B2 (en) * 2004-02-06 2010-04-13 Qualcomm Incorporated Methods and apparatus for separating home agent functionality
US10375023B2 (en) * 2004-02-20 2019-08-06 Nokia Technologies Oy System, method and computer program product for accessing at least one virtual private network
US7991854B2 (en) * 2004-03-19 2011-08-02 Microsoft Corporation Dynamic session maintenance for mobile computing devices
US7957348B1 (en) 2004-04-21 2011-06-07 Kineto Wireless, Inc. Method and system for signaling traffic and media types within a communications network switching system
US7567522B2 (en) * 2004-04-23 2009-07-28 Hewlett-Packard Development Company, L.P. Suppression of router advertisement
WO2006061047A1 (en) * 2004-12-06 2006-06-15 Swisscom Ag Method and system for mobile network nodes in heterogeneous networks
US8261341B2 (en) * 2005-01-27 2012-09-04 Nokia Corporation UPnP VPN gateway configuration service
US7920519B2 (en) * 2005-04-13 2011-04-05 Cisco Technology, Inc. Transferring context information to facilitate node mobility
JP2007036641A (en) * 2005-07-27 2007-02-08 Hitachi Communication Technologies Ltd Home agent device, and communication system
US7843900B2 (en) 2005-08-10 2010-11-30 Kineto Wireless, Inc. Mechanisms to extend UMA or GAN to inter-work with UMTS core network
US8559921B2 (en) * 2005-08-17 2013-10-15 Freescale Semiconductor, Inc. Management of security features in a communication network
US8165086B2 (en) 2006-04-18 2012-04-24 Kineto Wireless, Inc. Method of providing improved integrated communication system data service
US7769877B2 (en) * 2006-04-27 2010-08-03 Alcatel Lucent Mobile gateway device
US7912004B2 (en) 2006-07-14 2011-03-22 Kineto Wireless, Inc. Generic access to the Iu interface
US7852817B2 (en) * 2006-07-14 2010-12-14 Kineto Wireless, Inc. Generic access to the Iu interface
US20090059848A1 (en) * 2006-07-14 2009-03-05 Amit Khetawat Method and System for Supporting Large Number of Data Paths in an Integrated Communication System
US20080076425A1 (en) * 2006-09-22 2008-03-27 Amit Khetawat Method and apparatus for resource management
US20080039086A1 (en) 2006-07-14 2008-02-14 Gallagher Michael D Generic Access to the Iu Interface
US7995994B2 (en) * 2006-09-22 2011-08-09 Kineto Wireless, Inc. Method and apparatus for preventing theft of service in a communication system
US8073428B2 (en) 2006-09-22 2011-12-06 Kineto Wireless, Inc. Method and apparatus for securing communication between an access point and a network controller
US8036664B2 (en) 2006-09-22 2011-10-11 Kineto Wireless, Inc. Method and apparatus for determining rove-out
US20080076392A1 (en) * 2006-09-22 2008-03-27 Amit Khetawat Method and apparatus for securing a wireless air interface
US8204502B2 (en) 2006-09-22 2012-06-19 Kineto Wireless, Inc. Method and apparatus for user equipment registration
US7926098B2 (en) * 2006-12-29 2011-04-12 Airvana, Corp. Handoff of a secure connection among gateways
US8019331B2 (en) 2007-02-26 2011-09-13 Kineto Wireless, Inc. Femtocell integration into the macro network
FI20075297A0 (en) * 2007-04-27 2007-04-27 Nokia Siemens Networks Oy Method, radio system and base station
US20090265543A1 (en) * 2008-04-18 2009-10-22 Amit Khetawat Home Node B System Architecture with Support for RANAP User Adaptation Protocol
JP5512656B2 (en) * 2008-04-21 2014-06-04 アップル インコーポレイテッド Relay station in wireless communication system
EP2117201A1 (en) * 2008-05-07 2009-11-11 Alcatel Lucent Network device and method for local routing of data traffic
US20100011432A1 (en) * 2008-07-08 2010-01-14 Microsoft Corporation Automatically distributed network protection
AT11799U1 (en) * 2009-12-15 2011-05-15 Plansee Se MOLDING
US10142292B2 (en) 2010-06-30 2018-11-27 Pulse Secure Llc Dual-mode multi-service VPN network client for mobile device
US8549617B2 (en) * 2010-06-30 2013-10-01 Juniper Networks, Inc. Multi-service VPN network client for mobile device having integrated acceleration
US8127350B2 (en) 2010-06-30 2012-02-28 Juniper Networks, Inc. Multi-service VPN network client for mobile device
US8474035B2 (en) 2010-06-30 2013-06-25 Juniper Networks, Inc. VPN network client for mobile device having dynamically constructed display for native access to web mail
US8464336B2 (en) 2010-06-30 2013-06-11 Juniper Networks, Inc. VPN network client for mobile device having fast reconnect
US8458787B2 (en) 2010-06-30 2013-06-04 Juniper Networks, Inc. VPN network client for mobile device having dynamically translated user home page
US8473734B2 (en) 2010-06-30 2013-06-25 Juniper Networks, Inc. Multi-service VPN network client for mobile device having dynamic failover
US8509169B2 (en) * 2010-12-13 2013-08-13 At&T Intellectual Property I, L.P. Methods and apparatus to configure virtual private mobile networks
US9432258B2 (en) 2011-06-06 2016-08-30 At&T Intellectual Property I, L.P. Methods and apparatus to configure virtual private mobile networks to reduce latency
WO2012170800A1 (en) * 2011-06-08 2012-12-13 Cirque Corporation Protecting data from data leakage or misuse while supporting multiple channels and physical interfaces
US9386035B2 (en) 2011-06-21 2016-07-05 At&T Intellectual Property I, L.P. Methods and apparatus to configure virtual private mobile networks for security
US9232015B1 (en) 2011-08-04 2016-01-05 Wyse Technology L.L.C. Translation layer for client-server communication
US10044678B2 (en) 2011-08-31 2018-08-07 At&T Intellectual Property I, L.P. Methods and apparatus to configure virtual private mobile networks with virtual private networks
US11350254B1 (en) 2015-05-05 2022-05-31 F5, Inc. Methods for enforcing compliance policies and devices thereof
US11757946B1 (en) 2015-12-22 2023-09-12 F5, Inc. Methods for analyzing network traffic and enforcing network policies and devices thereof
US11178150B1 (en) 2016-01-20 2021-11-16 F5 Networks, Inc. Methods for enforcing access control list based on managed application and devices thereof
US10505792B1 (en) 2016-11-02 2019-12-10 F5 Networks, Inc. Methods for facilitating network traffic analytics and devices thereof
US10812266B1 (en) 2017-03-17 2020-10-20 F5 Networks, Inc. Methods for managing security tokens based on security violations and devices thereof
US11122042B1 (en) 2017-05-12 2021-09-14 F5 Networks, Inc. Methods for dynamically managing user access control and devices thereof
US11343237B1 (en) 2017-05-12 2022-05-24 F5, Inc. Methods for managing a federated identity environment using security and access control data and devices thereof

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010009025A1 (en) * 2000-01-18 2001-07-19 Ahonen Pasi Matti Kalevi Virtual private networks
US20020133534A1 (en) * 2001-01-08 2002-09-19 Jan Forslow Extranet workgroup formation across multiple mobile virtual private networks

Family Cites Families (44)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6226748B1 (en) * 1997-06-12 2001-05-01 Vpnet Technologies, Inc. Architecture for virtual private networks
SE513246C2 (en) * 1997-06-23 2000-08-07 Ericsson Telefon Ab L M Procedure and device in an IP-based network
US6370249B1 (en) * 1997-07-25 2002-04-09 Entrust Technologies, Ltd. Method and apparatus for public key management
US6092200A (en) * 1997-08-01 2000-07-18 Novell, Inc. Method and apparatus for providing a virtual private network
US6615347B1 (en) * 1998-06-30 2003-09-02 Verisign, Inc. Digital certificate cross-referencing
US6230266B1 (en) * 1999-02-03 2001-05-08 Sun Microsystems, Inc. Authentication system and process
US6684336B1 (en) * 1999-04-30 2004-01-27 Hewlett-Packard Development Company, L.P. Verification by target end system of intended data transfer operation
US6885658B1 (en) * 1999-06-07 2005-04-26 Nortel Networks Limited Method and apparatus for interworking between internet protocol (IP) telephony protocols
US6674734B1 (en) * 1999-07-12 2004-01-06 Nokia Corporation Scheme to relocate H. 323 gatekeeper during a call when endpoint changes its zone
US7079499B1 (en) * 1999-09-08 2006-07-18 Nortel Networks Limited Internet protocol mobility architecture framework
GB0001025D0 (en) * 2000-01-18 2000-03-08 Hewlett Packard Co Communication initiation method employing an authorisation server
US7426750B2 (en) * 2000-02-18 2008-09-16 Verimatrix, Inc. Network-based content distribution system
US6978364B1 (en) * 2000-04-12 2005-12-20 Microsoft Corporation VPN enrollment protocol gateway
US6728536B1 (en) * 2000-05-02 2004-04-27 Telefonaktiebolaget Lm Ericsson Method and system for combined transmission of access specific access independent and application specific information over public IP networks between visiting and home networks
JP2001326697A (en) * 2000-05-17 2001-11-22 Hitachi Ltd Mobile communication network, terminal, packet communication control method, and gateway unit
JP3636637B2 (en) * 2000-05-30 2005-04-06 三菱電機株式会社 Route optimization method
JP4201466B2 (en) * 2000-07-26 2008-12-24 富士通株式会社 VPN system and VPN setting method in mobile IP network
FI113319B (en) * 2000-09-29 2004-03-31 Nokia Corp Selection of a service producing network element in a telecommunication system
US6915345B1 (en) * 2000-10-02 2005-07-05 Nortel Networks Limited AAA broker specification and protocol
US6954790B2 (en) * 2000-12-05 2005-10-11 Interactive People Unplugged Ab Network-based mobile workgroup system
US20020083046A1 (en) * 2000-12-25 2002-06-27 Hiroki Yamauchi Database management device, database management method and storage medium therefor
KR100551867B1 (en) * 2000-12-28 2006-02-13 엘지전자 주식회사 Method of Reporting and Controling for Mobile Node Foreign Agent Handoff
US7031279B2 (en) * 2000-12-30 2006-04-18 Lg Electronics Inc. Gatekeeper supporting handoff and handoff method in IP telephony system
US7209479B2 (en) * 2001-01-18 2007-04-24 Science Application International Corp. Third party VPN certification
US20020099668A1 (en) * 2001-01-22 2002-07-25 Sun Microsystems, Inc. Efficient revocation of registration authorities
FI110464B (en) * 2001-04-26 2003-01-31 Nokia Corp IP security and mobile network connections
US7107464B2 (en) * 2001-07-10 2006-09-12 Telecom Italia S.P.A. Virtual private network mechanism incorporating security association processor
US7171685B2 (en) * 2001-08-23 2007-01-30 International Business Machines Corporation Standard format specification for automatically configuring IP security tunnels
US7036143B1 (en) * 2001-09-19 2006-04-25 Cisco Technology, Inc. Methods and apparatus for virtual private network based mobility
FI20011949A0 (en) * 2001-10-05 2001-10-05 Stonesoft Corp Managing a Virtual Private Network
KR100450973B1 (en) * 2001-11-07 2004-10-02 삼성전자주식회사 Method for authentication between home agent and mobile node in a wireless telecommunications system
US6789121B2 (en) * 2002-02-08 2004-09-07 Nortel Networks Limited Method of providing a virtual private network service through a shared network, and provider edge device for such network
US20030224788A1 (en) * 2002-03-05 2003-12-04 Cisco Technology, Inc. Mobile IP roaming between internal and external networks
WO2003079614A1 (en) * 2002-03-18 2003-09-25 Nortel Networks Limited Resource allocation using an auto-discovery mechanism for provider-provisioned layer-2 and layer-3 virtual private networks
US7418596B1 (en) * 2002-03-26 2008-08-26 Cellco Partnership Secure, efficient, and mutually authenticated cryptographic key distribution
US7188365B2 (en) * 2002-04-04 2007-03-06 At&T Corp. Method and system for securely scanning network traffic
US20030225854A1 (en) * 2002-05-28 2003-12-04 Peng Zhang Digital rights management system on a virtual private network
US20040203787A1 (en) * 2002-06-28 2004-10-14 Siamak Naghian System and method for reverse handover in mobile mesh Ad-Hoc networks
US7421736B2 (en) * 2002-07-02 2008-09-02 Lucent Technologies Inc. Method and apparatus for enabling peer-to-peer virtual private network (P2P-VPN) services in VPN-enabled network
US7441262B2 (en) * 2002-07-11 2008-10-21 Seaway Networks Inc. Integrated VPN/firewall system
US7581095B2 (en) * 2002-07-17 2009-08-25 Harris Corporation Mobile-ad-hoc network including node authentication features and related methods
US7184530B2 (en) * 2002-07-25 2007-02-27 Utstarcom, Inc. Prepaid billing support for simultaneous communication sessions in data networks
US6999437B2 (en) * 2002-12-17 2006-02-14 Nokia Corporation End-to-end location privacy in telecommunications networks
US7386721B1 (en) * 2003-03-12 2008-06-10 Cisco Technology, Inc. Method and apparatus for integrated provisioning of a network device with configuration information and identity certification

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010009025A1 (en) * 2000-01-18 2001-07-19 Ahonen Pasi Matti Kalevi Virtual private networks
US20020133534A1 (en) * 2001-01-08 2002-09-19 Jan Forslow Extranet workgroup formation across multiple mobile virtual private networks

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
BRAUN, T.; DANZEISEN, M.;: "Secure mobile IP communication", OCAL COMPUTER NETWORKS, 2001. PROCEEDINGS. LCN 2001.26TH ANNUAL IEEE CONFERENCE, 14 November 2001 (2001-11-14) - 16 November 2001 (2001-11-16), pages 586 - 593, XP010584083 *
ERNST THIERRY: "Network Mobility Support in IPv6", THESIS DEPARTMENT OF MATHEMATICS AND COMPUTER SCIENCE, XX, XX, 29 October 2001 (2001-10-29), pages 1 - 101, XP002215680 *
HANSEN HARRI: "IPsec and Mobile-IP in Mobile Ad Hoc Networking", COMPUTER SCIENCE, 25 April 2000 (2000-04-25), Helsinki University, XP002196707, Retrieved from the Internet <URL:http://www.hut.fi/~hansen/papers/adhoc/index.html> [retrieved on 20020419] *
PERKINS C ET AL: "Route Optimization in Mobile IP. draft-ietf-mobileip-optim-09.txt", INTERNET DRAFT, 15 February 2000 (2000-02-15), XP002151964, Retrieved from the Internet <URL:http://www.ietf.org/internet-drafts/draft-ietf-mobileip-optim-09.txt> [retrieved on 20001103] *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006072890A1 (en) * 2005-01-07 2006-07-13 Alcatel Lucent Method and apparatus for providing low-latency secure session continuity between mobile nodes
WO2006072891A1 (en) * 2005-01-07 2006-07-13 Alcatel Lucent Method and apparatus for providing route-optimized secure session continuity between mobile nodes
JP2008527826A (en) * 2005-01-07 2008-07-24 アルカテル−ルーセント Method and apparatus for providing low-latency security session continuity between mobile nodes
CN101091372B (en) * 2005-01-07 2013-03-06 阿尔卡特朗讯公司 Method and apparatus for providing route-optimized secure session continuity between mobile nodes
WO2008116306A1 (en) * 2007-03-26 2008-10-02 David Ker System and method for implementing a secured and centrally managed virtual ip network over an ip network infrastructure

Also Published As

Publication number Publication date
US20060182083A1 (en) 2006-08-17
WO2004036332A2 (en) 2004-04-29
AU2002353429A1 (en) 2004-05-04
WO2004036332A3 (en) 2007-12-27
AU2002353429A8 (en) 2004-05-04
US20060111113A1 (en) 2006-05-25

Similar Documents

Publication Publication Date Title
US20060182083A1 (en) Secured virtual private network with mobile nodes
KR100679882B1 (en) Communication between a private network and a roaming mobile terminal
US7937581B2 (en) Method and network for ensuring secure forwarding of messages
EP1978698B1 (en) A COMMUNICATION METHOD FOR MIPv6 MOBILE NODES
US8175037B2 (en) Method for updating a routing entry
US20070177550A1 (en) Method for providing virtual private network services to mobile node in IPv6 network and gateway using the same
US20040266420A1 (en) System and method for secure mobile connectivity
CN105376737B (en) Machine-to-machine cellular communication security
JP2003051818A (en) Method for implementing ip security in mobile ip networks
US7804826B1 (en) Mobile IP over VPN communication protocol
US20100325416A1 (en) Method and Apparatus for Use in a Communications Network
JP2007036641A (en) Home agent device, and communication system
US7756061B2 (en) Mobile router device and home agent device
Mink et al. Towards secure mobility support for IP networks
Barton et al. Integration of IP mobility and security for secure wireless communications
WO2009094939A1 (en) Method for protecting mobile ip route optimization signaling, the system, node, and home agent thereof
EP1906615A1 (en) Method and devices for delegating the control of protected connections
US20100150064A1 (en) Ip tunneling optimisation
Dhawale et al. A Robust Secured Mechanism for Mobile IPv6 Threats
Alkhawaja et al. Security issues with Mobile IP
Mun et al. Security in Mobile IP
Park et al. Secure firewall traversal in mobile IP network
Wang et al. IPSec-based key management in mobile IP networks

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): JP US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
122 Ep: pct application non-entry in european phase
WWE Wipo information: entry into national phase

Ref document number: 2006182083

Country of ref document: US

Ref document number: 10531653

Country of ref document: US

WWP Wipo information: published in national office

Ref document number: 10531653

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP