Abstract: A method and apparatus taught herein provide for transfer of a data flow between two mobile nodes from a cellular connection supported by a cellular communication network to a non-cellular, ad-hoc connection between the mobile nodes. In one embodiment, a network node configured for operation in the cellular communication network detects that the two mobile nodes have moved within an ad-hoc communication range and transfers the data flow from the cellular connection to the ad-hoc connection responsive to the detection. The network node may include a control circuit to perform the detection, and a communication interface to send control signaling to effectuate the transfer. As a non-limiting example, the network node is a base station in the cellular communication network.

Abstract: A method and a Mobile Node are provided for authenticating an Advertisement message received from an Access Router through an Access Point. The Advertisement message comprises a Hashed Nonce Value and a Nonce Index corresponding to a Nonce Value held in the Access Router. Upon receiving the Advertisement message from the Access Point, the Mobile Node initiates a process for configuring an IP address, by use of information received in the Advertisement, for having a session with the Access Point and the Access Router. In parallel, either the Access Point or the Mobile Node sends the Nonce Index directly to the Access Router. The Access Router replies with the Nonce Value sent to the Mobile Node. The Mobile Node hashes the Nonce Value received from the Access Router and compares a Result of the hashing with the Hashed Nonce Value. If the Result matches the Hashed Nonce Value, the Advertisement is considered authenticated and the IP address configured according to the Advertisement is kept in the Mobile Node.

Abstract: In response to a Mobile Access Router (MAR) initially attaching to a Multi-Protocol Label Switching (MPLS) domain through a first Access Router (AR) in the domain, a Mobility Anchor Point (MAP) in the MPLS domain establishes a plurality of Label Switched Paths (LSPs) for the MAR. For example, the MAP establishes an active LSP to the MAR through the AR to which the MAR has initially attached, and further establishes an inactive LSP for the MAR to each of one or more other ARs in the MPLS domain. An inactive LSP established at a given AR for a given MAR is activated when/if that MAR attaches to the AR. Correspondingly, the present invention includes method and apparatus teachings related to the MAP, ARs and the MAR, as regards establishing inactive LSPs, activating inactive LSPs, and extending an activated LSP to the MAR.

Abstract: A method performed by a network element for providing micro-mobility in a network to a mobile node including the steps of receiving a registration request message at the mobility anchor point from an access router that is currently coupled to the mobile node, wherein the registration request message includes an endpoint identifier of the mobile node and a local care-of address of the mobile node, establishing a label switch path (LSP) between the mobility anchor point and the access router, storing the endpoint identifier in a binding entry along with the local care-of address, a regional care-of address, the label switch path and an egress interface, advertising the endpoint identifier with associated regional or local care-of address of the mobile node, and forwarding data packets, received at the mobility anchor point from a corresponding node that have the regional or local care-of address, to the mobile node using the LSP.

Abstract: A network element can include a proxy element that is configured to receive a request from a source node to establish a Transmission Control Protocol (TCP) connection from a first network address of the source node through a Packet Data Network Gateway (PDN GW) to a destination node for an IP flow. The proxy element applies an IP flow offloading policy function to determine that the requested TCP connection for the IP flow should bypass the PDN GW. The proxy element responds to the determination by communicating to the destination node a request for TCP connection with a second network address substituted for the first network address of the source node to establish the TCP connection for the IP flow from the source node to the destination node through a broadband network without passing through the PDN GW.

Abstract: A method implemented by a network element functioning as a home agent (HA) for a mobile node (MN) communicating with a corresponding node (CN) using Mobile Internet Protocol version 6 (MIPv6), the method including selecting by the HA a virtual home agent (VHA) in the network to provide home agent services to the MN with a better quality of service than the HA, sending a flow switch request (FSR) message to the selected VHA, the FSR message including a home keygen token, an address of the CN and a care-of address of the MN, the FSR message to cause the selected VHA to direct the CN to send data traffic for the MN to the selected VHA instead of the HA, and receiving a flow switch acknowledgement (FSA) message from the VHA indicating that the selected VHA has successfully redirected the data traffic from the CN to the MN.

Abstract: A method implemented in a network element functioning as a home agent (HA) for a mobile node (MN) communicating with a corresponding node (CN) using Mobile Internet Protocol version 6 (MIPv6), the method including selecting by the HA a virtual home agent (VHA) to provide home agent services to the MN with a better quality of service than the HA based on pre-defined policies, sending a flow switch request (FSR) message to the selected VHA, the FSR message including transmission control protocol (TCP) parameters and the FSR message including a care-of address for the MN and an address of the CN, the FSR message to initiate a flow redirection at the VHA using multi-path TCP exchange, and receiving a flow switch acknowledgement (FSA) message from the VHA indicating that the VHA is receiving data packets from the CN and tunneling the data packets to the MN at the care-of address.

Abstract: A method implemented in a network element to make a first device assigned an IPv4 private address accessible to a second device using Internet Protocol Version 6 (IPv6), the method comprising receiving an IPv6 formatted data packet, having a virtual IPv6 address as a destination address and having been sent from the second device; determining whether the virtual IPv6 address includes a representation prefix (RP); sending an address map query (AMQ) to a customer premise equipment (CPE), where the CPE stores a mapping between the virtual IPv6 address and a private IPv4 address of the first device; receiving an address map response (AMR) from the CPE with the private IPv4 address corresponding to the virtual IPv6 address; translating the IPv6 formatted data packet into an IPv4 formatted data packet; and sending the translated data packet to the CPE through an IPv4 over IPv6 tunnel.

Abstract: A wireless communication device includes a plurality of different wireless interfaces to facilitate communications with a remote device over a corresponding plurality of networks. The device can switch between the different interfaces to migrate an on-going communications session from one that requires the infrastructure of a fixed wireless communication network to one that does not require the infrastructure of a fixed wireless communication network. Switching between the various interfaces allows the migration to occur while protecting the device against malicious third-party impersonation attacks.

Abstract: A method for maintaining connectivity between a mobile node and a corresponding node when the mobile node connects to a foreign network, where the foreign network and the home network are Internet protocol version 6 (IPv6) networks but the corresponding node is an Internet protocol version 4 (IPv4) node. The method includes receiving at the home agent node an IPv6 care-of address, determining that the IPv6 care-of address belongs to the foreign network and that the foreign NAT64 node has a prefix to to generate virtual IPv6 addresses and sending a prefix binding request message to a home NAT64 node to bind the prefix to the home address of the mobile node for translation between IPv6 and IPv4.

Abstract: In one aspect of the invention, a mobile node (MN) participates in a first return routability procedure with a home agent (HA) and a correspondent node (CN), including generating a first binding management key (Kbm). A first proof of knowledge (PoK) is generated by hashing the first Kbm. The MN participates in a second return routability procedure, including generating a second Kbm. A first binding update and binding acknowledgement (BU/BA) key is generated by hashing the second Kbm and the first PoK. A first binding update (BU) message is transmitted to the CN, where the second BU message is transmitted with the first BU/BA key. In response to a first binding acknowledgement (BA) message received from the CN, the MN authenticates the first BA message using the first BU/BA key.

Abstract: Before actually communicating information/data between two endpoints (C, S) connected to a network a secure and confidential distribution of a special key (K h) is performed to nodes (R j) along a path in the network. This is allowed by performing a path handshaking procedure in which first a hint token is forwarded along the path in a first direction and then a disclosure token is forwarded in the opposite direction. In forwarding the disclosure token it is verified in the nodes against the already received hint token. This assures that only nodes on the particular path will receive the special key or possibly some other information related thereto.

Abstract: A network, a method and devices (i.e., mobile node, access router, home agent, destination home agent) are described herein for enabling an efficient hybrid route optimization between two mobile endpoints so they can re-direct their data traffic to an optimal path without exchanging any mobility signaling messages.

Abstract: A method, a router and a host are introduced for providing secure communication with limited use of processing intensive cryptographic means. Strong cryptographic keys are first used between the host and the router to sign messages therebetween, thereby ensuring that a first communication between the host and the router is secure. The router generates a secret key and forwards it to the host, the secret key being encrypted at the router and decrypted at the host by use of the strong cryptographic keys. Further communication between the host and the router is signed by use of the secret key.

Abstract: A method, a correspondent node and a mobile node provide anonymity and unlinkability to a mobile node in a session with a correspondent node. Sequence values, calculated based on secret data, are added to updates sent from the mobile node towards the correspondent node and are used by the correspondent node to authenticate updates from the mobile node. A home address of the mobile node is not explicitly disclosed. An expected care-of address is calculated at the correspondent node and used by the correspondent node to send data packets to the mobile node.

Abstract: Methods and apparatus for generating, communicating, and/or verifying ownership of expressions are described. Various embodiments are well suited for use in a wireless peer to peer communications systems in which expressions are communicated, e.g., broadcast, in discovery intervals. A first communications device generates an expression from a first public key and an additional input, said first public key corresponding to a private key known to said first communications device. The first device transmits the generated expression on a communications channel used for discovery. A second communications device receives the transmitted expression from the first device. The second device transmits a request signal to the first device associated with the expression; and receives from the first device a signed communication signed using a private key known to said first communications device.

Abstract: A method implemented in a host node for communicating with a corresponding node through one of a plurality of available networks that includes: receiving a request to initiate a connection with the corresponding node from an application executing on a host node, sending a request to a DNS64 node for an address of the corresponding node, receiving a virtual IPv6 address for the corresponding node with a generic prefix, selecting a connection to one of the plurality of networks through which the data is to be forwarded to the corresponding node, and sending the data to the corresponding node using a virtual IPv6 address for the corresponding node with the prefix of the NAT64 node in the network of the selected connection, whereby the host node is able to maintain connectivity with the corresponding node despite having connections to the plurality of networks that each have NAT64 nodes.

Abstract: According to a first aspect of the present invention there is provided a method of re-establishing a session between first and second IP hosts attached to respective first and second IP access routers, the session previously having been conducted via a previous access router to which said first host was attached, and where a security association comprising a shared secret has been established between the hosts. The method comprises sending a connection request from said first host to said first access router, said request containing an IP address claimed by said second host, a new care-of-address for the first host, and a session identifier. Upon receipt of said connection request at said first access router, the router obtains a verified IP address for said second access router and sends an on link presence request to the second access router, the request containing at least an Interface Identifier part of the second host's claimed IP address, said care-of-address, and said session identifier.

Abstract: A method, a mobile node (MN) and a correspondent node (CN) exchanging a Secret Authentication Key (SKbm) within an IPv6 network. The MN has a pair of keys comprising a private key and a public key and a HoA. Upon displacement of the MN from a home portion to a visited portion of the IPv6 network, a CoA is set. Thereafter, an establishment message is sent from the MN to the CN through a Home Agent associated to the MN. Upon reception of the establishment message, the CN tests the HoA and the CoA and therefor sends a first portion and a second portion of a secret data. The MN thereafter sends the secret data back to the CN within a signed message. In response thereto, the CN sends an acknowledgement message to the MN comprising the SKbm encrypted using the public key of the MN.

Abstract: The present application relates to network mobility (e.g., mobility in an IPv6 network). More specifically, the present application discloses systems and methods for enabling mobile nodes to switch to a routing optimization mode using a minimum of mobility messages.