Abstract: There is provided mechanisms for handling transfer of a data object between network domains. A method is performed by a first data controller of a first network domain. The method comprises obtaining a request for transmission of the data object to a second data controller of a second network domain. The method comprises obtaining an identifier identifying allowable transfer of the data object between the first network domain and the second network domain. The method comprises providing a cryptographic integrity signature to the data object. The method comprises enabling transfer of the data object to the second network domain according to the identifier.

Abstract: In order to delegate location update signaling responsibility from a Mobile Node to a Mobile Router, the Mobile Router is provided with a second symmetric key generated by a Mobile Node using a first symmetric key shared between the Mobile Node and a Peer Node. The Mobile Router is additionally provided with a “certificate” authenticating the second symmetric key using the first symmetric key. In this way, the mobile router can sign location update related messages sent to the Peer Node with the second symmetric key, and can provide the Peer Node with the certificate in order to allow the Peer Node to authenticate the right of the Mobile Router to act on behalf of the Mobile Node.

Abstract: A method is presented of establishing communications with a Virtual Machine, VM, in a virtualized computing environment using a 3GPPcommunications network. The method includes establishing a Machine-to-Machine Equipment Platform, M2MEP, which comprises a Communications Module, CM, providing an end-point of a communication channel between the 3GPP network and the VM. A virtual Machine-to-Machine Equipment is established that comprises a VM running on the M2MEP and a downloadable Subscriber Identity Module, associated with the CM. The Subscriber Identity Module includes security data and functions for enabling access via the 3GPP network. The CM utilizes data in the Subscriber Identity Module for controlling communication over the communication channel between the VM and the 3GPP network.

Abstract: A method is presented of providing a subscriber identity for the provision of services on behalf of the subscriber in a virtual computing environment. The method includes receiving a request to establish an execution environment for a virtual machine-to-machine equipment, vM2 M E. The vM2ME is provided, comprising software for execution in the virtual computing environment and a downloadable Subscriber Identity Module. A Communications Module, CM, is set up for execution in a domain of a virtualization platform. The CM provides an end-point for communications between the vM2ME and a 3GPP network. The Subscriber Identity Module is installed for execution together with the CM, the Subscriber Identity Module including a 3GPP identity of the subscriber, security data and functions for enabling access to the vM2ME via the 3GPP network.

Abstract: A method of migrating a virtual machine comprises a first manager, managing a first computing environment (such as a computing cloud), initiates migration of a virtual machine currently executing on a first vM2ME (virtual machine-to-machine equipment) in the first computing environment to a second computing environment (such as another computing cloud). Once the VM has migrated, the first manager disables execution of the first vM2ME.

Abstract: A method of handling mobility-related signalling in a communications system comprising a mobile node, a mobile router, and a peer node. The method comprises providing the mobile router with a delegation certificate that is cryptographically signed by or on behalf of the mobile node. At the mobile router, a mobility-related signalling exchange is initiated with the peer node on behalf of the mobile node, the mobile router providing to the peer node within this exchange, said delegation certificate or an identification of the certificate, and a sequence number associated with the certificate. At the peer node, the received sequence number is compared with a sequence number maintained by the peer node in respect of the delegation certificate, and the exchange authorized in dependence upon the result of the comparison.

Abstract: A method is presented of establishing communications with a Virtual Machine, VM, in a virtualised computing environment using a 3GPPcommunications network. The method includes establishing a Machine-to-Machine Equipment Platform, M2MEP, which comprises a Communications Module, CM, providing an end-point of a communication channel between the 3GPP network and the VM. A virtual Machine-to-Machine Equipment is established that comprises a VM running on the M2MEP and a downloadable Subscriber Identity Module, associated with the CM. The Subscriber Identity Module includes security data and functions for enabling access via the 3GPP network. The CM utilises data in the Subscriber Identity Module for controlling communication over the communication channel between the VM and the 3GPP network.

Abstract: A method is presented of providing a subscriber identity for the provision of services on behalf of the subscriber in a virtual computing environment. The method includes receiving a request to establish an execution environment for a virtual machine-to-machine equipment, vM2 M E. The vM2ME is provided, comprising software for execution in the virtual computing environment and a downloadable Subscriber Identity Module. A Communications Module, CM, is set up for execution in a domain of a virtualisation platform. The CM provides an end-point for communications between the vM2ME and a 3GPP network. The Subscriber Identity Module is installed for execution together with the CM, the Subscriber Identity Module including a 3GPP identity of the subscriber, security data and functions for enabling access to the vM2ME via the 3GPP network.

Abstract: A method of migrating a virtual machine comprises a first manager, managing a first computing environment (such as a computing cloud), initiates migration of a virtual machine currently executing on a first vM2ME (virtual machine-to-machine equipment) in the first computing environment to a second computing environment (such as another computing cloud). Once the VM has migrated, the first manager disables execution of the first vM2ME.

Abstract: Methods of providing packet routing information, according to various embodiments, may include encoding the packet routing information into a compact representation of set membership. The methods may include putting the compact representation of set membership into a header of a packet. Moreover, the methods may include computing the compact representation of set membership using input parameters that include at least one packet-specific, flow-specific or processing-context-specific parameter.

Abstract: Methods and arrangements for supporting a forwarding process in routers when routing data packets through a packet-switched network, by employing hierarchical parameters in which the hops of a predetermined transmission path between a sender and a receiver are encoded. A name server generates and distributes router-associated keys to routers in the network which keys are used for computing the hierarchical parameters.

Abstract: A method of handling mobility-related signalling in a communications system comprising a mobile node, a mobile router, and a peer node. The method comprises providing the mobile router with a delegation certificate that is cryptographically signed by or on behalf of the mobile node. At the mobile router, a mobility-related signalling exchange is initiated with the peer node on behalf of the mobile node, the mobile router providing to the peer node within this exchange, said delegation certificate or an identification of the certificate, and a sequence number associated with the certificate. At the peer node, the received sequence number is compared with a sequence number maintained by the peer node in respect of the delegation certificate, and the exchange authorised in dependence upon the result of the comparison.

Abstract: A method of handling mobility-related signaling in a communications system comprising a mobile node, a mobile router, and a peer node. The method comprises providing the mobile router with a delegation certificate that is cryptographically signed by or on behalf of the mobile node. At the mobile router, a mobility-related signaling exchange is initiated with the peer node on behalf of the mobile node, the mobile router providing to the peer node within this exchange, said delegation certificate or an identification of the certificate, and a sequence number associated with the certificate. At the peer node, the received sequence number is compared with a sequence number maintained by the peer node in respect of the delegation certificate, and the exchange authorized in dependence upon the result of the comparison.

Abstract: A method of generating network identifiers for use by mobile routers of a moving network is provided which enables fast and efficient routing loop avoidance and detection. The method comprises receiving at a mobile router of a sub-network chain, a beacon from a preceding mobile router in the chain, the beacon containing a network identifier of the preceding mobile router, generating a new network identifier by applying a pre-defined function to the received network identifier, and including the new network identifier in beacons broadcast by the receiving mobile router. When preparing for a handover, a mobile router compares the network identifier contained in a received beacon with values generated by applying said function against its own network identifier. This allows the mobile router to identify beacons originating from mobile routers that are downstream in the same chain.

Abstract: A method of providing packet routing information comprises: encoding routing information from a source node to one or more destination nodes into a compact representation of set membership; and putting the compact representation of sets into a header of a packet that is to be sent from the source node to the destination node(s). The compact representation may be obtained by: generating d representations of a set of identifiers; generating d candidate compact representations of set membership from the d representations of the identifiers; and selecting one of the candidate compact representation of set membership. The selection may be made on the basis of which of the candidate compact representations has the lowest rate of returning false positives.

Abstract: Methods and arrangements for supporting a forwarding process in routers when routing data packets through a packet-switched network, by employing hierarchical parameters in which the hops of a predetermined transmission path between a sender and a receiver are encoded. A name server generates and distributes router-associated keys to routers in the network which keys are used for computing the hierarchical parameters.

Abstract: Packet routing information is encoded into a non-static compact representation of set membership, the compact representation of set membership being for inclusion into a header of a packet. The compact representation of set membership is computed using input parameters that include at least one packet-specific, flow-specific or processing-context-specific parameter. By making the compact representation of set membership packet-dependent, flow-dependent or processing-context-dependent it becomes harder for, for example, a potential attacker to obtain information needed to mount a DDoS attack. In a variant of the invention, the packet routing information is represented as a plurality of non-static identifiers for inclusion into a header of a packet.

Abstract: A method of facilitating access to a Host Identity Protocol security procedure by a host connected to a moving network, where the moving network comprises a Host Identity Protocol server responsible for allocating local IP addresses to attached hosts. The method comprises registering at a rendezvous server an IP address prefix for use by said Host Identity Protocol server in allocating said local addresses, together with an externally reachable IP address of the Host Identity Protocol server. The registered IP address prefix is used at the rendezvous server to forward received I1 messages to the Host Identity Protocol server. The rendezvous server controls the allocation and registration of address prefixes to Host Identity Protocol servers in order to prevent collision of local IP addresses.

Abstract: A method of establishing a Host Identity Protocol session between first and second Host Identity Protocol enabled hosts, where at least said second host is located behind a reverse-proxy. The method comprises providing the reverse-proxy with Diffie-Hellman public keying material of the second host, sending said Diffie-Hellman public keying material from the reverse-proxy to the first host as part of the Host Identity Protocol base exchange procedure, this material being bound to the Host Identity of the reverse-proxy for the purpose of the Host Identity Protocol session, and, at the first host, using the Host Identity of the reverse-proxy as the correspondent Host Identity for the Host Identity Protocol session, and, at the second host, using the Host Identity of the reverse-proxy as the originating Host Identity for the Host Identity Protocol session.

Abstract: A method of providing packet routing information comprises: encoding routing information from a source node to one or more destination nodes into a compact representation of set membership; and putting the compact representation of sets into a header of a packet that is to be sent from the source node to the destination node(s). The compact representation may be obtained by: generating d representations of a set of identifiers; generating d candidate compact representations of set membership from the d representations of the identifiers; and selecting one of the candidate compact representation of set membership. The selection may be made on the basis of which of the candidate compact representations has the lowest rate of returning false positives.