US2005063352A1PendingUtilityA1
Method to provide dynamic Internet Protocol security policy service
Est. expiryMar 20, 2022(expired)· nominal 20-yr term from priority
H04L 63/20H04W 80/04H04L 63/0823H04L 63/061H04L 63/0227H04L 63/0272H04L 69/22H04L 63/164
46
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A mobile node may roam away from its home network to a foreign network. The mobile node may communicate using the Mobile Internet Protocol, and it may use Internet Protocol security to communicate with its home network. A foreign agent on the foreign network and a home agent on the home network may dynamically link a policy to be used for a Internet Protocol security session between the foreign agent and the home agent. The foreign agent and the home agent may dynamically create a filter to be used for the Internet Protocol Security session.
Claims
exact text as granted — not AI-modified1 - 31 . (canceled).
32 . A foreign agent for dynamically providing Internet Protocol security policy service, the foreign agent comprising:
a connection component for receiving a connection request sent from a mobile node to the foreign agent, wherein the mobile node uses Mobile Internet Protocol; a policy creation component for creating at least one policy for the mobile node, wherein the at least one policy includes processing information for Internet Protocol security packets sent between the foreign agent and a home agent for the mobile node; a filter creating component for creating at least one filter, wherein the at least one filter identifies data packets traveling between the home agent and the foreign agent to receive Internet Protocol security processing, and wherein the at least one filter identifies the at least one policy to apply to the data packets receiving Internet Protocol security processing; and a filter storing component for storing the at least one filter in a list of filters maintained by the foreign agent, wherein the list of filters identifies data packets in a plurality of Internet Protocol security sessions between the foreign agent and respective home agents of other mobile nodes that are registered with the foreign agent.
33 . The foreign agent of claim 32 , further comprising a termination component for terminating a connection with the mobile node, and removing the at least one filter from the list of filters.
34 . The foreign agent of claim 32 , further comprising a security parameter negotiation component for negotiating Internet Protocol security parameters with the home agent.
35 . The foreign agent of claim 34 , wherein the security parameters are negotiated using Internet Key Exchange or Internet Security Association and Key Management Protocol.
36 . The foreign agent of claim 34 , wherein the at least one policy specifies at least one rule used to negotiate a type of Internet Protocol security service.
37 . The foreign agent of claim 32 , wherein the at least one policy specifies a type of encryption or a lifetime of a key.
38 . The foreign agent of claim 32 , wherein the at least one policy is obtained based on an identity of the mobile node.
39 . The foreign agent of claim 32 , wherein the at least one filter includes a first filter and a second filter, wherein the first filter includes parameters to specify end points for Internet Security Association and Key Management Protocol packets, and wherein the second filter includes parameters to specify packets that need Internet Protocol security service.
40 . The foreign agent of claim 32 , wherein the at least one policy includes information for a firewall application.
41 . The foreign agent of claim 32 , wherein the at least one policy comprises a plurality of policies.
42 . The foreign agent of claim 32 , wherein the at least one filter comprises a plurality of filters.
43 . A method to dynamically provide policy service to a mobile node, the method comprising:
receiving an authentication request sent from a foreign agent on a foreign network to a AAA server on a home network, wherein the authentication request indicates a mobile node roaming from the home network to the foreign network, and wherein the mobile node uses Mobile Internet Protocol; determining whether the mobile node needs Internet Protocol security for packets sent between the foreign agent on the foreign network and a home agent on the home network; informing the foreign agent that the mobile node needs Internet Protocol security for data packets sent between the home agent and the foreign agent; and linking at least one security policy template for the mobile node to the home agent, wherein the security policy template specifies parameters to be used in Internet Protocol security communications between the foreign agent and the home agent; creating a filter, wherein the filter identifies packets traveling between the home agent and the foreign agent to receive Internet Protocol security processing, and wherein the filter identifies the policy template to apply to the packets receiving Internet Protocol security processing; and storing the at least one filter in a list of active filters maintained by the home agent, wherein the list of active filters identifies data packets in a plurality of active Internet Protocol security sessions between the home agent and respective foreign agents of other mobile nodes.
44 . The method of claim 43 , further comprising a computer readable medium having stored therein instructions for causing a processor to execute all the steps of the method.
45 . The method of claim 43 , further comprising negotiating Internet Protocol security parameters with the foreign agent.
46 . The method of claim 45 , wherein the Internet Protocol security parameters are negotiated using Internet Key Exchange, Internet Security Association Key Management Protocol or the OAKLEY protocol.
47 . The method of claim 43 , further comprising:
determining the mobile node has roamed off the foreign network; and removing the filter from the list of active filters maintained by the home agent.
48 . The method of claim 43 , further comprising:
starting a registration timer for the at least one filter; and upon expiration of the timer, removing the at least one filter from the list of active filters.
49 . The method of claim 48 , wherein the registration timer for the at least one filter corresponds to a registration timer for the mobile node.
50 . A foreign agent for providing policy service in an Internet Protocol security application, the foreign agent comprising:
a request component for receiving a request from a mobile node to establish a secure connection to a home network, wherein the mobile node uses Mobile Internet Protocol; an authentication component for authenticating the mobile node with the home network; a security component for receiving an indication to use Internet Protocol security for packets sent between a home agent on the home network and the foreign agent; a policy linking component for linking to the foreign agent a policy instance for the mobile node, wherein the policy instance identifies processing information for Internet Protocol security packets sent between the foreign agent and the home agent; a filter creating component for creating a filter for the mobile node, wherein the filter can be used to identify packets traveling between the foreign agent and the home agent that use Internet Protocol security; and a filter storing component for storing the at least one filter in a list of active filters maintained by the foreign agent, wherein the list of active filters identifies data packets in a plurality of active Internet Protocol security sessions between the foreign agent and respective home agents of other mobile nodes that are registered with the foreign agent.
51 . The foreign agent of claim 50 , further comprising a packet processing component for receiving a packet, searching the filter list to determine whether to apply Internet Protocol security processing to the packet; and processing the packet based at least in part on information included in the policy instance.
52 . The foreign agent of claim 50 , further comprising a termination component for determining the mobile node has roamed away from the foreign network, destroying the policy instance, and removing the filter from the list of active filters.
53 . The foreign agent of claim 50 , further comprising a parameter negotiation component for negotiating Internet Protocol security parameters.
54 . The foreign agent of claim 50 , wherein the policy instance identifies a type of Internet Protocol security encryption to use in sending packets between the home agent and the foreign agent.
55 . The foreign agent of claim 50 , wherein the policy instance specifies a lifetime of an encryption key used in sending packets between the home agent and the foreign agent.
56 . The foreign agent of claim 50 , wherein the policy instance specifies domain of interpretation rules used to negotiate a type of service used to send packets between the home agent and the foreign agent.
57 . The foreign agent of claim 50 , further comprising a policy component for retrieving a policy template that identifies processing information for Internet Protocol security packets sent between the foreign agent and the home agent and that may be used for multiple mobile nodes, and for creating the policy instance from the policy template.
58 . A method to dynamically provide Internet Protocol security policy service, comprising the steps of:
receiving a connection request for a mobile node at a foreign agent; obtaining a policy template for the mobile node, wherein the policy template includes processing information for Internet Protocol security packets processed by the foreign agent on behalf of the mobile node; creating a filter, wherein the filter identifies data packets to receive Internet Protocol security processing, and wherein the filter identifies the policy template to apply to the data packets receiving Internet Protocol security processing; and storing the filter in a list of filters, wherein filters in the list of filters identify data packets in a plurality of active Internet Protocol security sessions associated with mobile nodes that are registered with the foreign agent.
59 . A computer readable medium having stored therein instructions for causing a processor to execute all the steps of the method of claim 58 .
60 . The method of claim 58 , wherein obtaining a policy template for the mobile node comprises:
obtaining a first policy template for the mobile node; and obtaining a second policy template for the mobile node, wherein the second policy template includes additional Internet Protocol security processing information that is not included in the first policy template.
61 . The method of claim 58 , wherein creating a filter comprises:
creating a first filter; and creating a second filter, wherein the second filter uses different criteria to identify data packets than the first filter.
62 . The method of claim 61 , wherein storing the filter in a list of filters comprises:
storing the first filter in the list of filters; and storing the second filter in the list of filters.
63 . The method of claim 58 , wherein the policy template is associated with a home agent, wherein the policy template is not limited to any particular mobile node, and wherein obtaining the policy template comprises determining that the policy template is associated with the home agent of the mobile node.
64 . The method of claim 58 , wherein the policy template is associated with a plurality of home agents, wherein the policy template is used for sessions between the foreign agent and any one of the plurality of home agents, and wherein obtaining the policy template comprises determining that one of the plurality of home agents is a home agent for the mobile node.
65 . A method for a foreign agent to dynamically provide Internet Protocol security policy service, the method comprising:
receiving at the foreign agent a request to establish a session for a mobile node, wherein the foreign agent stores a policy template that specifies Internet Protocol security parameters to be used in communications between the foreign agent and a home agent for the mobile node; creating a policy instance from the policy template to be used for communications between the foreign agent and the home agent during the session; creating a filter, wherein the filter identifies data packets to receive Internet Protocol security processing, and wherein the filter identifies the policy instance to apply to the data packets receiving Internet Protocol security processing; and storing the filter in a list of filters, wherein filters in the list of filters identify data packets in a plurality of Internet Protocol security sessions associated with mobile nodes that are registered with the foreign agent.
66 . The method of claim 65 , wherein creating the policy instance comprises negotiating additional Internet Protocol security parameters that are not defined in the policy template.
67 . The method of claim 65 , wherein creating a policy instance from the policy template comprises:
creating a first policy instance from the policy template; and creating a second policy instance from the policy template, wherein the second policy instance specifies additional Internet Protocol security parameters that are not specified in the first policy instance.
68 . The method of claim 67 , further comprising:
creating a first filter corresponding to the first policy instance; creating a second filter corresponding to the second policy instance; and adding the first and second filters to the active filter list.
69 . The method of claim 67 , further comprising:
determining that the mobile node has roamed away from the foreign agent; destroying the first policy instance; destroying the second policy instance; and removing the first and second filters from the active filter list.
70 . The method of claim 65 , further comprising:
determining that the mobile node has roamed away from the foreign agent; destroying the policy instance; and removing the filter from the list of active filters.
71 . The method of claim 65 , further comprising:
starting a registration timer for the filter; and removing the filter from the list of active filters upon expiration of the registration timer.
72 . The method of claim 71 , wherein a duration of the registration timer for the first filter corresponds to a duration of a registration timer for the mobile node.
73 . The method of claim 71 , further comprising upon resetting a registration timer for the mobile node, also resetting the registration timer for the first filter.
74 . The method of claim 65 , further comprising:
receiving at the foreign agent a request to establish a session for a second mobile node; creating a second policy instance from the policy template to be used for communications between the foreign agent and the home agent during the session for the second mobile node; creating a second filter, wherein the filter identifies data packets to receive Internet Protocol security processing, and wherein the filter identifies the second policy instance to apply to the data packets receiving Internet Protocol security processing; and storing the second filter in a list of active filters.Join the waitlist — get patent alerts
Track US2005063352A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.