Forslöw

(10) Patent No.: US 6,954,790 B2
(45) Date of Patent: Oct. 11, 2005
`
`(54) NETWORK-BASED MOBILE WORKGROUP
`SYSTEM
`
`(75)
`
`Inventor: Jan Forsliiw, Stockholm (SE)
`
`(73) Assignee: Interactive People Unplugged AB (SE)
`
`( *) Notice:
`
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 777 days.
`
`(21) Appl. No.: 09/729,199
`
`(22) Filed:
`
`Dec. 5, 2000
`
`(65)
`
`Prior Publication Data
`
`US 2002/0069278 A1 Jun. 6, 2002
`
(51) Int. Cl.7 ........................ G06F 15/16; H04Q 7/20
(52) U.S. Cl. ........................ 709/227; 709/205; 455/461
(58) Field of Search ................ 709/203, 224, 227, 204, 205, 229; 370/328, 397, 352, 401, 329; 455/555, 554.1, 461, 554, 414
`
`(56)
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`5,572,528 A * 11/1996 Shuen ........................ 370/402
`5,825,759 A * 10/1998 Liu ............................ 370/331
`6,424,657 B1 * 7/2002 Voit eta!. ................... 370/412
`6,445,920 B1 * 9/2002 Pfundstein ............... 455/422.1
`6,487,600 B1 * 11/2002 Lynch ........................ 709/229
`6,539,483 B1 * 3/2003 Harrison et a!. ............ 713/201
`6,560,217 B1 * 5!2003 Peirce et a!. ................ 370/351
`6,571,289 B1 * 5!2003 Montenegro ................ 709/227
`6,717,921 B1 * 4/2004 Aggarwal eta!. .......... 370/256
`2001/0033556 A1 * 10/2001 Krishnamurthy et a!. ... 370/329
`2002/0004817 A1 * 1!2002 Pham eta!. ................ 709/203
`2002/0006133 A1 * 1!2002 Kakemizu et a!. .......... 370/401
`2002/0013150 A1 * 1!2002 McKenna et a!.
`.......... 455/430
`
`2003/0179742 A1 * 9/2003 Ogier et a!.
`
`................ 370/351
`
OTHER PUBLICATIONS

Karnouskos, S.; Supporting nomadic users within virtual private networks; Service Portability and Virtual Customer Environments, 2000 IEEE, pp. 128-133; URL: http://ieeexplore.ieee.org/iel5/7436/20219/00934172.pdf?isNumber=20219&prod=STD&. *

* cited by examiner

Primary Examiner: Ario Etienne
Assistant Examiner: Uzma Alam
(74) Attorney, Agent, or Firm: Banner & Witcoff, Ltd.
`
`(57)
`
`ABSTRACT
`
`A network-based mobile workgroup system has consider(cid:173)
`ably wider appeal and application than normal virtual pri(cid:173)
`vate networks in that it provides seamless mobility across a
`number of access technologies at the same time as it offers
`a granular security separation down to workgroup level. The
`mobile workgroup system is an access management system
`for mobile users with VPN and firewall functionality inbuilt.
`The mobile user can access the mobile workgroup system
`over a set of access technologies and select server resources
`and correspondent nodes to access pending their workgroup
`membership approvals. All workgroup policy rules are
`defined in a mobile service manager and pushed down to one
`or more mobile service routers for policy enforcement. The
`mobile service router closest to the mobile client, and being
`part of the mobile virtual private network, performs regular
`authentication checks of the mobile client during service
`execution. At the same time it performs traffic filtering based
`on the mobile user's workgroup memberships. Together,
`these two components constitute an unprecedented security
`lock, effectively isolating a distributed workgroup into a
`mobile virtual private network.
`
`101 Claims, 16 Drawing Sheets
`
Ex. 1007, Apple v. MPH Techs. Oy, IPR2019-00820
`
`
`
FIG. 1 to FIG. 16 (drawing sheets 1 to 16 of 16; the drawings themselves are not reproduced in this text extraction).

Labels recoverable from the drawing sheets: FIG. 14 marks one component as 74 (X.509). FIG. 16, the mobile client runtime registration procedure, shows the exchange ROUTER SOLICITATION, ROUTER ADVERTISEMENT, REGISTRATION REQUEST, REGISTRATION REPLY, DHCPINFORM REQUEST, DHCPINFORM REPLY, IKE (AGGRESSIVE MODE), IKE (QUICK MODE) SA SETUP, SAME SA ESTABLISHMENT FOR MN-FA, MN-HA AND FA-HA, LDAP, and NT BACKOFFICE LOGIN.
NETWORK-BASED MOBILE WORKGROUP SYSTEM

FIELD OF THE INVENTION

The present invention relates to data communications in general, and more specifically, the present invention describes a network-based mobile workgroup system that provides secure communication to and within an overlaid workgroup network while applying mobility management for the workgroup members.
`
`20
`
`25
`
`BACKGROUND AND SUMMARY OF THE
`INVENTION
`The following definitions are introduced for the purpose 15
`of clarity.
`AAA, Authentication, Authorization and Accounting.
`AAA is a common name for both RADIUS and
`DIAMETER, i.e. solutions providing for customer care,
`control and billing in a large IP network.
`BGP, Border Gateway Protocol. BGP is a inter-domain
`protocol defined by IETF for sharing routes between ISPs.
`A route is a collection of knowledge of a path from a source
`to a destination (host).
`cdma2000. Code Division Multiple Access 2000 is the
`North American version of the 3rd generation mobile cel(cid:173)
`lular technology (IMT-2000) for access speeds up to 2
`Mbit/s per Mobile Node. cdma2000 is a trade name for 3G
`systems based on the cdma2000 radio access standards, as 30
`well as name identifying the radio access itself.
`DIAMETER. A successor of RADIUS with increased
`security and scalability features. It is standardized by IETF.
`DHCP, Dynamic Host Configuration Protocol. DHCP is
`an Internet Engineering Task Force (IETF) standard for 35
`allocating Internet Protocol addresses to User Systems. User
`Systems can either be Fixed Hosts or Mobile Systems. The
`allocation is done each time when the User System is started.
`The allocation is made by a DHCP server to a DHCP client.
`The DHCP server is controlled by an Internet Service 40
`Provider or an IT-department. The DHCP client is a SW
`embedded in the User System.
`DMZ, De-Militarized Zone is a zone between the Internet
`Service Provider router and Corporate firewall where access
`is allowed from both the Internet and the Intranet. Normally 45
`a subset of the services available on the Intranet is mirrored
`on the DMZ.
`FA, Foreign Agent. The primary responsibility of an FA is
`to act as a tunnel agent which establishes a tunnel to a HA
`on behalf of a mobile node in Mobile IP.
`HA, Home Agent. One responsibility of the HA is to act
`as a tunnel agent which terminates the tunnel, and which
`encapsulates datagrams to be sent to the Mobile Node in
`Mobile IP.
`IETF, Internet Engineering Task Force. IETF is the stan(cid:173)
`dardization organization for the Internet community.
`IP, Internet Protocol. IP is a network layer protocol
`according to the ISO protocol layering. IP is the major
`end-to-end protocol between Mobile and Fixed End(cid:173)
`Systems for Data Communications. It is also used in Radio
`Datacommunications Systems as an underlying transport
`technology for Tunneling Protocols.
`ISP, Internet Service Provider. The ISP is a notation for
`the domain providing basic IP configuration services to
`users, i.e. servers for Domain Name System (DNS) and
`Dynamic Host Configuration Protocol (DHCP).
`
`2
`LDAP, Lightweight Directory Access Protocol is a slim
`variant of the X.SOO Directory Access Protocol for accessing
`data storage areas such as user databases.
`MANET, Mobile Ad hoc Networks is a common name for
`5 a family of protocols that provide multi-hop routing in
`highly dynamic mobile environments.
`MIB, Management Information Base. IETF defines a
`number of MIBs for allowing management via the SNMP
`(Simple Network Management Protocol) of network ele-
`10 ments. The format of a MIB is standard. The content can
`either be proprietary or standardized.
`MIP, Mobile IP. MIP is a standard being defined by IETF
`on making IP networks mobility aware, i.e. having knowl(cid:173)
`edge on where a Mobile Node is attached to the network.
`The standard includes the definition of a Foreign Agent and
`a Home Agent.
`MC, Mobile Client. The MC comprises both the Terminal
`(TE) and the Mobile Termination (MT).
`RADIUS, Remote Authentication Dial-In User Service.
`RADIUS is the currently, widely deployed AAA protocol. It
`is a protocol for carrying authentication, authorization, con(cid:173)
`figuration and accounting information between a network
`access server and an ISP RADIUS server.
`RAN, Radio Access Network. RAN is the common acro(cid:173)
`nym used for various types of radio access networks in 3G
`networks, e.g. cdma2000 and UMTS/WCDMA.
`SLA, Service Level Agreement. SLA is the common
`name for a set of terms agreed with the customer on the
`quality of service that the ISP shall provide. The SLA can
`related to availability, latency and throughput of network
`resources.
`UMTS, Universal Mobile Telecommunications System.
`UMTS is the European version for the 3rd generation mobile
`cellular technology (IMT-2000) for access speeds up to 2
`Mbit/s per Mobile Node. One specie radio technology in
`UMTS is WCDMA.
`VLAN, Virtual Local Area Network is a separation of a
`physical Local Area Network into a set of logical subnets.
`VPN, Virtual Private Network is a secure overlay network
`on a common public infrastructure that allows a corporation
`to maintain its own addressing and routing between its sites
`and to remote users.
`WLAN, Wireless Local Area Network. WLAN is a local
`area solution for radio access mobility with speed up to 11
`Mbit/s per Mobile Node.
`While Internet technologies largely succeed in overcom(cid:173)
`ing the barriers of distance, time and space, existing tech(cid:173)
`nologies have yet to fully accommodate the increasing
`mobility of people with their computers. In order to elimi(cid:173)
`nate this barrier, this invention introduces modifications to
`the very base of how packets are routed over the Internet by
`a mobility routing protocol in the core of a mobile virtual
`55 private network together with using mobile IP at its edge.
`Similarly, as IP networks has evolved to support external
`business partners and remote access traffic, the traditional
`approaches to network security fall short. They do not
`provide the level of granularity needed to control access to
`60 sensitive resources. Here again there is a need to change
`some of the traditional aspects of internetworking. This
`invention proposes changes to the perimeter security of a
`corporate network to include user authentication and work(cid:173)
`group level filtering at the point where a mobile client
`65 attaches to the workgroup network.
`The introduction of 3G mobile networks is all set to make
`a huge difference to the international business community.
`
`50
`
`0018
`
`
`
3G networks will provide sufficient bandwidth to run most of the business computer applications providing a reasonable user experience. However, 3G networks are not based on only one standard, but a set of radio technology standards such as cdma2000, EDGE and WCDMA. In the light of this, a common mobility management framework is required in order to allow mobile users to roam between access networks with little or no manual intervention. IETF has created a standard for this purpose called mobile IP. Mobile IP is different compared to other efforts for doing mobility management in the sense that it is not tied to one specific access technology. In earlier mobile cellular standards, such as GSM, the radio resource and mobility management was integrated vertically into one system. On the other hand, mobile IP is re-using the anchor-based mobility management architecture that has been so successfully exploited in GSM networks. Mobile IP defines a home agent as the anchor point with which the mobile client always has a relationship, and a foreign agent, which acts as the local tunnel endpoint at the access network where the mobile client is visiting. Depending on which subnetwork the mobile client is currently visiting, its point of attachment may change. At each point of attachment, mobile IP either requires the availability of a standalone foreign agent or the usage of a co-located care-of address in the mobile client itself.

In general, the Internet protocol routes packets from a source to a destination by having routers forward data packets from incoming network interfaces to outbound network interfaces according to routing tables. The routing tables typically maintain the next-hop (outbound interface) information for each destination IP address. The destination IP address typically carries with it information that specifies the IP client's point of attachment to the network. Correct delivery of packets to a client's point of attachment depends on the network identifier portion contained in the client's IP address, which however has to change at a new point of attachment. Altering the routing of the data packets intended for a mobile client to a new point of attachment can be solved by associating a new IP address with that new point of network attachment. On the other hand, to maintain existing transport protocol layer connections as the mobile client moves, the mobile client's IP address must remain the same.

This mobility addressing dilemma is handled in mobile IP by allowing the mobile client to be associated with two IP addresses: a static, "home" address and a dynamic, "care-of" address that changes at each new point of attachment to the Internet. Only the care-of address changes at each new point of attachment. The home IP address assigned to the mobile client makes it logically appear as if the mobile client is attached to its home network. It is the IP address where the mobile client seems to be reachable for other Internet clients and services.

A mobile agent that is provided in a home network receives traffic directed to the mobile client's home IP address when the mobile client is not attached to its home network. When the mobile client is attached to a foreign network, a home agent routes (tunnels) that traffic to a foreign agent using the mobile client's current care-of address. The care-of address, which identifies the mobile client's current, topological point of attachment to the Internet, is used by the home agent to route packets to the mobile client. If the mobile client is not attached to a foreign network, the home agent simply arranges to have the packet traffic delivered to the mobile client's current point of attachment in the home network. Whenever the mobile client moves its point of attachment, it registers a new care-of address with its home agent.

The further delivery by the home agent to the foreign agent requires that each packet intended for the mobile client be modified/extended so that the care-of address appears as the destination IP address. This modification of the packet is sometimes termed a "redirection." The home agent redirects packets from the home network to the care-of address by constructing a new IP header that contains the mobile client's care-of address as the packet's destination IP address. This new header "encapsulates" the original data packet, causing the mobile client's home address to have no effect on the encapsulated packet's routing until it arrives at the care-of address. This encapsulation is commonly known as "tunneling" in the sense that the data packet burrows or tunnels using the new "routing" header through the Internet, while the encapsulated IP header is completely ignored. When the packet arrives at the foreign agent the new "routing" header is removed and the original packet is sent to the mobile client for proper processing by whatever higher level protocol (layer 4) logically receives it from the mobile client's IP (layer 3) processing layer.

Foreign agents regularly broadcast agent advertisements that include information about one or more care-of addresses. When a mobile client receives an agent advertisement, it can obtain the IP address of that foreign agent. The mobile client may also broadcast or multicast an advertisement solicitation that will be answered by any foreign agent that receives it. Thus, the agent advertisement procedure allows for the detection of foreign agents, lets the mobile client determine the network number and status of its link to the Internet, and identifies whether it is at home or on a foreign network. Once a mobile client receives a care-of address, a registration process is used to inform the home agent of the care-of address. The registration allows the home agent to update its routing table to include the mobile's home address, current care-of address, and a registration lifetime.

In contrast to mobile IP, a completely different approach to mobility is emerging for mobile nodes in conference and sensor environments. These mobile users need a way to deliver packets between wireless stations without the use of an infrastructure, i.e. routers. Mobile Ad hoc Networking (MANET) is a name given by IETF to the creation of such dynamic and multi-hop networks. Mobile nodes create their own ad hoc networks for their communication purposes as needed. Wireless LAN is often cited as the default access technology for this purpose, but other radio technologies, such as Bluetooth, are also showing great promise to be used as radio access to MANETs. The lightweight implementation of Bluetooth allows very small devices to be part of the ad hoc network and opens up the areas of wearable computing and personal area networking.

MANET solves the problem of mobility by changing the very aspect of routing. Instead of creating tunnels as in mobile IP on top of the existing Internet routing protocols, MANET enhances the routing protocols to be both independent of IP address topology and reactive to route changes. A flat topology allows the mobile nodes to change their point of attachment in relation to each other, while still maintaining their network identity, i.e. IP address. Such propagation of individual routes in an IP network does not scale very well and that is where the second aspect of ad hoc networks has its role. Reactive route propagation essentially means that a movement of a mobile node is not propagated per default as a route change to all other nodes in the network. For on-going sessions and to immediate peers, the route update is propagated directly, but for distant nodes that have no on-going communication, the route update is not propagated. A distant node will instead retrieve a route on-demand, when needed. Economical discovery and propagation of such routes is the challenge of MANET. Simple MANET protocols, such as ad hoc on-demand distance vector (AODV), use pure broadcast, while advanced MANET protocols, such as topology broadcast based on reverse-path forwarding (TBRPF), use unicast or broadcast depending on the position of the peer in a reverse path tree. In the following, we will use the term mobility routing as a common name for routing protocols developed for mobile ad hoc networks.
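The reactive behaviour described in the preceding paragraphs (immediate peers learn of a move at once, distant nodes keep whatever route they have until they next need it, and a route is then retrieved on demand by a broadcast request answered along the reverse path) can be exercised in a small simulation. This is an added example written for this page, not code from the patent, its assignee or any MANET implementation. The five-node topology is constructed, the request flood is modelled as a breadth-first search, and the node that finds its next hop gone repairs the route locally instead of sending an AODV route error upstream; these are simplifications made for the demonstration.

```python
"""On-demand (AODV-style) route discovery over a constructed ad hoc topology.

Added example, not code from the patent. Simplifications: the RREQ flood is
modelled as a breadth-first search, the node that finds its next hop gone
repairs the route locally, and no RERR is propagated upstream."""
from collections import deque


class AdhocNetwork:
    def __init__(self, links):
        self.adj = {}
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        # Per-node route table: destination -> (next hop, hop count).
        # Starts empty: routes are learnt only when somebody needs them.
        self.routes = {n: {} for n in self.adj}

    def move(self, node, new_neighbours):
        """Node re-attaches elsewhere. Only the node itself and its old and new
        neighbours observe the change; distant nodes keep whatever routes they have."""
        for nb in self.adj[node]:
            self.adj[nb].discard(node)
            self.routes[nb].pop(node, None)      # immediate peers drop the dead link
        self.adj[node] = set(new_neighbours)
        for nb in new_neighbours:
            self.adj[nb].add(node)
        self.routes[node] = {}                   # its own forward routes are stale too

    def discover(self, src, dst):
        """RREQ flood from src; each relay remembers where the request came from
        (reverse route). The RREP then walks that reverse path back to src and
        installs a forward route to dst at every hop. Returns (hops, nodes_flooded)."""
        parent = {src: None}
        queue = deque([src])
        while queue:
            n = queue.popleft()
            for nb in sorted(self.adj[n]):       # sorted only for determinism
                if nb not in parent:
                    parent[nb] = n
                    queue.append(nb)
        if dst not in parent:
            return None, len(parent)
        hops, n = 0, dst
        while n != src:                          # RREP travels dst -> src
            prev = parent[n]
            hops += 1
            self.routes[prev][dst] = (n, hops)
            n = prev
        return hops, len(parent)

    def send(self, src, dst):
        """Forward a packet hop by hop from cached routes. A node without a route,
        or whose next hop is no longer a neighbour, discovers one on demand.
        Returns (path taken, number of discoveries triggered)."""
        path, discoveries, n = [src], 0, src
        limit = 2 * len(self.adj)                # guard against routing loops
        while n != dst and len(path) <= limit:
            entry = self.routes[n].get(dst)
            if entry is None or entry[0] not in self.adj[n]:
                hops, _ = self.discover(n, dst)
                discoveries += 1
                if hops is None:
                    return None, discoveries     # destination unreachable
                entry = self.routes[n][dst]
            n = entry[0]
            path.append(n)
        return (path if n == dst else None), discoveries
```

On the chain A-B-C-D-E, the first packet from A to E costs one flood over all five nodes and installs routes at every hop. If E then re-attaches next to B, only D forgets its route to E; A, B and C still point down the old chain, so the next packet travels A, B, C, D before D discovers the break and repairs it, after which C and B hold fresh routes and a later packet from C reaches E in two hops with no discovery at all. That detour is the price of not flooding every move to every node.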
As it turns out, there are nontrivial issues surrounding the simultaneous use of ad hoc networks with Mobile IP. Mobile users would naturally expect that both should be useful together; a foreign agent attached to an ad hoc network should provide Internet connectivity to every node in the ad hoc network. On the other hand, manipulation of the route table by Mobile IP is not completely consistent with the way ad hoc routing protocols may wish to do route table management, i.e. not all mobile node routes are available for the Mobile IP agent at all times. Furthermore, the rules for Mobile IP need to be adjusted so that the agent advertisements can be delivered to every mobile node in the ad hoc network across multiple router hops. It is the intention of this invention to define a new way of combining mobile IP with mobility routing protocols, in the sense that the mobility routing protocol is placed as an overlay rather than as an access network to mobile IP.
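The Mobile IP mechanics summarized in the background above (a registration that binds the home address to a care-of address for a lifetime, redirection by a home agent that wraps each packet in a new IP header addressed to the care-of address, and a foreign agent that strips that header again) can be run end to end in a small model. This is an added example written for this page, not code from the patent, its assignee or any Mobile IP implementation. The addresses and the shared key are constructed, and the registration authenticator uses HMAC-SHA256 for illustration where RFC 2002 specifies a keyed-MD5 Mobile-Home Authentication Extension.

```python
"""Mobile IP home-agent binding, authenticated registration and IP-in-IP tunnelling.

Added example written for this page, not code from the patent, its assignee or
any Mobile IP implementation. Addresses, the shared key and the use of
HMAC-SHA256 as the registration authenticator (RFC 2002 specifies a keyed-MD5
Mobile-Home Authentication Extension) are assumptions for the demonstration."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4             # RFC 2003: the IP payload is another IPv4 packet
IPV4_HDR_LEN = 20
IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, length, id, flags/frag, TTL, proto, csum, src, dst


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no fragmentation) in front of payload."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, IPV4_HDR_LEN + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); a header whose checksum fails is rejected."""
    hdr = packet[:IPV4_HDR_LEN]
    if len(hdr) != IPV4_HDR_LEN or inet_checksum(hdr) != 0:
        raise ValueError("bad IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, hdr)
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[(ver_ihl & 0x0F) * 4:total_len]


def registration_mac(key: bytes, home: str, care_of: str, lifetime: int, ident: int) -> bytes:
    """Authenticator over the registration fields, keyed with the mobile client / home agent secret."""
    msg = socket.inet_aton(home) + socket.inet_aton(care_of) + struct.pack("!HQ", lifetime, ident)
    return hmac.new(key, msg, hashlib.sha256).digest()


class HomeAgent:
    """Anchor point: home address -> (care-of address, binding expiry)."""

    def __init__(self, address: str, keys: dict):
        self.address = address
        self.keys = keys                 # home address -> key shared with that mobile client
        self.bindings = {}
        self.last_ident = {}             # replay protection: identification must increase

    def register(self, home, care_of, lifetime, ident, mac, now) -> bool:
        key = self.keys.get(home)
        if key is None or not hmac.compare_digest(mac, registration_mac(key, home, care_of, lifetime, ident)):
            return False                 # an unauthenticated request must never redirect traffic
        if ident <= self.last_ident.get(home, -1):
            return False                 # replay of an earlier, once-valid registration
        self.last_ident[home] = ident
        if lifetime == 0:
            self.bindings.pop(home, None)            # deregistration: client is back home
        else:
            self.bindings[home] = (care_of, now + lifetime)
        return True

    def forward(self, packet: bytes, now: float):
        """('tunnel', outer) while a live binding exists, else ('local', packet)."""
        _, dst, _, _ = parse_ipv4(packet)
        binding = self.bindings.get(dst)
        if binding is None or binding[1] <= now:
            self.bindings.pop(dst, None)             # lifetime expired: deliver on the home link
            return "local", packet
        return "tunnel", build_ipv4(self.address, binding[0], IPPROTO_IPIP, packet)


class ForeignAgent:
    """Tunnel endpoint in the visited network: strips the outer header only."""

    def __init__(self, care_of: str):
        self.care_of = care_of

    def receive(self, outer: bytes) -> bytes:
        _, dst, proto, inner = parse_ipv4(outer)
        if dst != self.care_of or proto != IPPROTO_IPIP:
            raise ValueError("not an IP-in-IP packet for this care-of address")
        return inner                                 # original packet, handed on unchanged
```

The two checks in register are the security-relevant part: without the authenticator, anyone able to reach the home agent could register an arbitrary care-of address for a victim's home address and receive that client's traffic, and without the monotonic identification an attacker could replay an old but genuine registration to drag the binding back to a care-of address it controls. The inner packet is returned by the foreign agent byte for byte, which is what keeps the client's transport connections alive across a move.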
If Mobile IP and ad hoc routing are two sides of the same coin, the third aspect of this invention is often placed in stark opposition to mobility. Security solutions on the Internet, and more specifically the deployment of virtual private networks (VPNs), rely on a set of fixed associations maintained between clients and gateways as well as between gateways themselves. In a site-to-site VPN, a VPN gateway that is placed at the enterprise perimeter typically allows any VPN client with the correct IP address to send traffic from the inside of the intranet cloud out through a VPN tunnel to another intranet cloud. This essentially creates a larger intranet where all sites are open territory. This may sound nice from a mobility perspective, but is hardly encouraging from a corporate security perspective. Statistics tell that four out of five intrusions come from the inside. For this reason end-to-end application layer security is normally added to each client-server and peer-to-peer communication, most often leading to a proliferation of pop-up windows on the client for entering user identities and passwords for every server and application that the user wants to access. This is an administrative nightmare that this invention eliminates through the use of a regular, yet for the mobile user hidden, authentication. The user authentication combined with per-packet filtering or more advanced firewall functionality is performed by a VPN gateway at each site of the VPN in order to provide robust security for the local portion of workgroup networks and their individual server resources.
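The combination just described, a regular authentication that the user does not see plus per-packet filtering keyed to the user's workgroup memberships, can be modelled as a single policy enforcement point. This is an added example written for this page, not code from the patent or its assignee, and it does not claim to reproduce how the mobile service router of the patent is built. The rule format, the user and workgroup names, the addresses, the PBKDF2 credential check and the fixed re-authentication interval are all assumptions made for the demonstration.

```python
"""Workgroup-level filtering with periodic re-authentication at the enforcement point.

Added example written for this page, not code from the patent or its assignee.
Rule format, names, addresses, the PBKDF2 credential store and the fixed
re-authentication interval are assumptions made for the demonstration."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class Rule:
    """One policy line pushed from the (assumed) mobile service manager:
    members of `workgroup` may reach `dst_net` on `proto`/`port`."""
    workgroup: str
    dst_net: str            # CIDR, e.g. "10.10.0.0/24"
    proto: str              # "tcp" or "udp"
    port: int

    def network(self):
        return ipaddress.ip_network(self.dst_net)


@dataclass
class Session:
    user: str
    workgroups: frozenset
    auth_expires: float     # the client must re-authenticate before this time


def make_credential(password: str, salt: bytes = None):
    """Constructed credential store entry: (salt, PBKDF2-HMAC-SHA256 of the password)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class MobileServiceRouter:
    """Enforcement point closest to the mobile client: authenticates the client,
    re-checks it every `reauth_interval` seconds, and filters each packet against
    the workgroup rules that apply to the authenticated user."""

    def __init__(self, rules, credentials, memberships, reauth_interval):
        self.rules = list(rules)            # pushed from the manager
        self.credentials = credentials      # user -> (salt, hash)
        self.memberships = memberships      # user -> set of workgroup names
        self.reauth_interval = reauth_interval
        self.sessions = {}                  # mobile client source address -> Session

    def load_policy(self, rules):
        """Manager pushes a new rule set; it applies from the next packet on."""
        self.rules = list(rules)

    def authenticate(self, user, client_addr, password, now):
        """Initial or periodic authentication. Failure removes any existing session,
        so a client that stops proving its identity is cut off."""
        cred = self.credentials.get(user)
        if cred is None:
            self.sessions.pop(client_addr, None)
            return False
        salt, stored = cred
        offered = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(stored, offered):
            self.sessions.pop(client_addr, None)
            return False
        self.sessions[client_addr] = Session(
            user, frozenset(self.memberships.get(user, ())), now + self.reauth_interval)
        return True

    def filter(self, src, dst, proto, port, now):
        """Per-packet decision: returns (verdict, reason). Default deny."""
        session = self.sessions.get(src)
        if session is None:
            return "drop", "no authenticated session for " + src
        if session.auth_expires <= now:
            del self.sessions[src]          # missed re-authentication: lock the client out
            return "drop", "authentication expired for " + session.user
        dst_ip = ipaddress.ip_address(dst)
        for rule in self.rules:
            if (rule.workgroup in session.workgroups and rule.proto == proto
                    and rule.port == port and dst_ip in rule.network()):
                return "accept", "granted by workgroup " + rule.workgroup
        return "drop", "no workgroup of " + session.user + " grants this resource"
```

Two properties are worth noting. The decision is default-deny: a source with no live session, or a destination no workgroup of the user is allowed to reach, is dropped, and the reason is returned so that it can be logged rather than silently discarded. And an authentication that has lapsed tears the session down on the first packet that arrives after the deadline, so a client whose periodic re-authentication fails loses access without any explicit logout, which is what isolates it from the rest of the workgroup.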
When it comes to remote access to the VPN, typically three classes of users need connectivity into the enterprise network from the outside:

Anonymous users who normally access via the Internet,
External business partners who access through leased lines, and
Corporate users who need remote access to corporate resources.

Remote corporate users want to receive the same level and ease of access to corporate resources that they enjoy when they are physically located on the enterprise LAN. For this purpose, the VPN gateway applies strong user authentication and reconfiguration of a VPN client that tries to access the intranet from the outside. When inside, the VPN client can reach any and all resources on the intranet unless an application-based authentication is applied as described above for the site-to-site VPN case.

By contrast, Internet users should be able only to access the publicly available servers (e.g. web, mail and ftp). This is normally done by creating a DMZ (de-militarized zone) separate from the intranet, onto which selected resources are mirrored for accessibility from the Internet.

As for external business partners (i.e. extranets), depending on the business need, access is normally provided to an isolated sub-network or directly to a particular server on the intranet. If a business partner needs to roam into the site, i.e. physically work at the company's premises, a separation of the access and service network within the intranet is required. This is achieved in the following invention through the creation of an additional leg on the VPN gateway in very much the same manner as the DMZ was separated from the intranet for publicly available web resources.

In the following description, the term mobile VPN is used for a VPN in which the users are allowed to move around within the intranet, extranet and Internet without losing their communication sessions, user privileges or security protections. The term mobile workgroup system will similarly be used to denote a subset of the mobile users and server resources in the mobile VPN that are grouped together based on organizational or security aspects to form a tightly knit community.
The following references are also of general interest for the understanding of the present invention:

Alexander, S. et al; DHCP Options and BOOTP Vendor Extensions; IETF RFC 2132; March 1997
Bellur, Bhargav et al; Topology Broadcast based on Reverse-Path Forwarding (TBRPF); IETF Internet Draft; July 2000
Calhoun, Pat et al; DIAMETER Base Protocol; IETF Internet Draft; September 2000
Calhoun, Pat et al; DIAMETER Mobile IP Extensions; IETF Internet Draft; September 2000
Calhoun, Pat et al; Mobile IP Network Access Identifier Extension for IPv4; IETF RFC 2794; March 2000
Corson, S. et al; Mobile Ad hoc Networking (MANET): Routing Protocol Performance Issues and Evaluation Considerations; IETF RFC 2501; January 1999
Droms, R.; Dynamic Host Configuration Protocol; IETF RFC 2131; March 1997
Handley, M. et al; SIP: Session Initiation Protocol; IETF RFC 2543; March 1999
Harkins, D. et al; The Internet Key Exchange (IKE); IETF RFC 2409; November 1998
Hiller, Tom et al; 3GPP2 PR0001 v1.0.0, Wireless IP Network Architecture based on IETF protocols; July 2000
Hiller, Tom et al; 3GPP2 PS0001-A v1.0.0, Wireless IP Network Standard; July 2000
Kent, S. et al; Security Architecture for the Internet Protocol; IETF RFC 2401; November 1998
Kent, S. et al; IP Encapsulating Security Payload (ESP); IETF RFC 2406; November 1998
Kent, S. et al; IP Authentication Header; IETF RFC 2402; November 1998
Montenegro, G.; Reverse Tunneling for Mobile IP; IETF RFC 2344; May 1998
Perkins, Charlie; IP Mobility Support; IETF RFC 2002; October 1996
Perkins, Charlie et al; Ad hoc On-demand Distance Vector (AODV) Routing; IETF Internet Draft; July 2000
Sanchez, L. et al; Security Policy Protocol; IETF Internet Draft; July 2000
Veizades, J. et al; Service Location Protocol, Version 2; IETF RFC 2608; June 1997
`
`SUMMARY OF INVENTION
`
`10
`
`8
FIG. 11 is a function block diagram illustrating the set of security associations in the mobile workgroup system,
FIG. 12 is a function block diagram illustrating the security functions in a mobile service router,
FIG. 13 is a flowchart diagram presenting the security aspects in the extranet traffic case of a mobile workgroup system,
FIG. 14 is a function block diagram illustrating in further detail the components of the mobile service router,
FIG. 15 is a flowchart diagram illustrating the interaction between the components of the mobile service router at mobile client configuration and registration, and
FIG. 16 is a flowchart diagram illustrating the mobile client runtime registration procedure in more detail for th