Abstract: Methods and apparatus for dynamically generating authentication keys are disclosed. Specifically, a Mobile-Foreign authentication key is separately generated by both the Mobile Node and Foreign Agent. Similarly, a Foreign-Home authentication key is separately generated by the Foreign Agent and the Home Agent. In accordance with one embodiment, generation of the Mobile-Foreign authentication key and Foreign-Home authentication key are accomplished via the Diffie-Hellman key generation scheme.

Abstract: Methods and apparatus for dynamically generating authentication keys are disclosed. Specifically, a Mobile-Foreign authentication key is separately generated by both the Mobile Node and Foreign Agent. Similarly, a Foreign-Home authentication key is separately generated by the Foreign Agent and the Home Agent. In accordance with one embodiment, generation of the Mobile-Foreign authentication key and Foreign-Home authentication key are accomplished via the Diffie-Hellman key generation scheme.

Abstract: In one embodiment, a method includes receiving, at a visited network node, policy for a roaming terminal from a home network of the roaming terminal. The policy is associated with a home Internet Protocol (IP) address of the roaming terminal. The visited network node applies the policy in the visited network to data packets that include the home IP address. Applying the policy to a data packet encompasses either enforcing the policy at the node that applies the policy or sending data that indicates the policy to a different node that applies the policy based on the data sent, or both.

Abstract: Methods and apparatus for applying a single virtual private network (VPN) address to tunnels or connections associated with different access interfaces are disclosed. In one embodiment, a method includes establishing a first tunnel between a node and a VPN server. The first tunnel has a first address. The method also includes assigning a VPN address to the first tunnel, as well as establishing a second tunnel between the node and the VPN server. The second tunnel has a second address. The VPN address is assigned to the second tunnel, and VPN address is accessed by both the first address and the second address.

Abstract: Methods and apparatus are disclosed for reducing latency in a Mobile IP environment. These embodiments are particularly applicable in a 3GPP2 architecture using Mobile IPv6. Each of the features disclosed may be implemented separately or in combination with one another, and include replay protection, duplicate address detection, and updating state information at a PDSN in a system implementing route optimization.

Abstract: Methods and apparatus for implementing proxy Mobile IP in a system implementing multiple VLANs are disclosed. Specifically, a network device such as an Access Point or Foreign Agent supports multiple VLANs on a plurality of interfaces. In addition, the network device implements proxy Mobile IP on at least one interface. The network device ascertains a subnet map of a node, where the subnet map corresponds to a VLAN. It then identifies a Home Agent associated with the subnet map or VLAN via which to register the node. The network device then composes a registration request on behalf of the node, where the registration request identifies the node (e.g., IP address) and includes a Home Agent address associated with the Home Agent. The registration request also directly or indirectly indicates the interface corresponding to the VLAN via which data packets are to be routed. The registration request is then sent on behalf of the node.

Abstract: A method and implementation are disclosed for binding a mobile node to a subnet. The invention comprises steps and implementations for intercepting messages sent by a mobile node to a server, associating a predetermined subnet with the intercepted messages and forwarding the intercepted messages to the server. The invention intercepts reply messages sent by at least one server and selects reply messages that are associated with the predetermined subnet. The selected reply messages are forwarded to the mobile node, and reply messages that are not associated with the predetermined subnet are discarded.

Abstract: Techniques for allowing a home agent to provide location/presence-based services are provided. In one embodiment, a point of attachment of an access network receives a discovery request from a mobile node. A mobile node is associated with a home agent in a home network different from the access network. Location/presence-based information is determined at the point of attachment. The location/presence-based information is added to a registration request at the layer 3 protocol layer. The registration request is then sent from the point of attachment to the home agent. When the registration request is received at the home agent, the home agent parses the registration request to determine the location/presence information from the request. The home agent then performs a location/presence service using the location/presence information.

Abstract: The disclosed embodiments support mobility internal and external to enterprise networks. Service providers provide mobility by providing Home Agent functionality corresponding to each Enterprise network. In this manner, mobility may be provided to Mobile Nodes both internal and external to their enterprise networks. Moreover, data packets may be transmitted by Mobile Nodes to Correspondent Nodes, whether they are within their enterprise network, the Service Provider network, or the Internet.

Abstract: The disclosed embodiments enable service policies to be provisioned for a Mobile Node dynamically. A network device receives a message including at least one of one or more attributes of a Mobile IP session and one or more user preferences associated with the Mobile Node. One or more rules to be applied to the Mobile Node may then be identified. One or more of the identified rules are executed according to at least one of one or more of the attributes of the Mobile IP session and one or more of the user preferences associated with the Mobile Node.

Abstract: Communicating packets along a bearer path includes receiving a home network address and a visited network address at an access terminal. The home network address corresponds to a home anchored bearer path anchored at a home network of the access terminal. The visited network address corresponds to a visited anchored bearer path anchored at a visited network. The access terminal determines whether to use the home anchored bearer path or the visited anchored bearer path, and communicates packets using the home network address or the visited network address in accordance with the determination.

Abstract: Methods and apparatus for registering a mobile device such as a mobile node or mobile router with a Home Agent in an asymmetric link environment. A Foreign Agent associates each of one or more interfaces of the Foreign Agent with a different care-of address. An agent advertisement including the care-of address for the one or more interfaces of the Foreign Agent is then sent via one or more uplinks. A registration request is received via a downlink router. The registration request identifies a care-of address associated with one of the one or more interfaces of the Foreign Agent. One of the interfaces identified by the care-of address is ascertained, thereby identifying the interface to which the mobile device has roamed. The registration request is forwarded to the Home Agent. A registration reply is received from the Home Agent. The registration reply is then forwarded to the mobile device via the ascertained interface.

Abstract: Methods and apparatus for preventing an IP address from being assigned to a client implementing a protocol such as DHCP are disclosed. This is particularly useful in an environment such as a Mobile IP environment in which a network device (e.g., Access Point) performs proxy registration on behalf of the client. When the client transmits a detection packet to detect whether its IP address is still valid (e.g., whether it is on the same sub-network on which the IP address was allocated), a response is transmitted to the client that indicates that the client is still on its home network. This response is transmitted regardless of whether the client is still on its home network. Since the client believes it is still on its home network, a new IP address will not be assigned to the client. As a result, an existing Mobile IP session will not be interrupted.

Abstract: Methods and apparatus for dynamically generating a set of Mobile IP keys are disclosed. The set of Mobile IP keys is dynamically generated using an existing HLR/AuC authentication infrastructure. This is accomplished, in part, by obtaining an International Mobile Subscriber Identity (IMSI) that uniquely identifies a particular Mobile Node. Once a set of Mobile IP keys is generated from authentication information associated with the IMSI, the Mobile Node may register with its Home Agent using the set of Mobile IP keys.

Abstract: In one embodiment, accounting information for a mobile node operating according to Mobile IP Protocol is updated. A network device that supports Mobile IP composes a request packet for the mobile node. The request packet identifies the mobile node and includes at least one counter associated with accounting information pertaining to the mobile node. The request packet is then sent to a server adapted for performing accounting. The server then logs the accounting information for the mobile node. The server may then send a reply packet to the network device acknowledging logging of the accounting information pertaining to the mobile node. A bill for Mobile IP services may then be generated from the accounting information.

Abstract: Methods and apparatus for authenticating a mobile node are disclosed. A server is configured to provide a plurality of security associations associated with a plurality of mobile nodes. A packet identifying a mobile node may then be sent to the server from a network device such as a Home Agent. A security association for the mobile node identified in the packet may then be obtained from the server. The security association may be sent to the network device to permit authentication of the mobile node. Alternatively, authentication of the mobile node may be performed at the server by applying the security association.

Abstract: Methods and apparatus are disclosed for reducing latency in a Mobile IP environment. These embodiments are particularly applicable in a 3GPP2 architecture using Mobile IPv6. Each of the features disclosed may be implemented separately or in combination with one another, and include replay protection, duplicate address detection, and updating state information at a PDSN in a system implementing route optimization.

Abstract: Requesting a network resource includes facilitating a communication session between a mobile node and an endpoint. A trigger event is received at a first anchor point associated with the mobile node. The trigger event indicates that reservation of a network resource is being requested for the communication session. A second anchor point associated with the endpoint is identified. Reservation of the network resources for the communication sessions is initiated over a tunnel between the first anchor point and the second anchor point.

Abstract: Providing a mobility key for a communication session for a mobile station includes facilitating initiation of the communication session. A master key for the communication session is established, where the master key is generated at an authentication server in response to authenticating the mobile station. A mobility key is derived from the authentication key at an access node, where the mobility key is operable to authenticate mobility signaling for the communication session.

Abstract: Methods and apparatus for establishing an optimized route between a Mobile Node and a Correspondent Node are disclosed. In particular, a Correspondent Node is notified of the location of a Mobile Node, thereby enabling the Correspondent Node to communicate directly with the Mobile Node. This is accomplished by sending a HOTi message protected in IPSec transport mode from the Mobile Node to a Home Agent associated with the Mobile Node for modification and transmission of a modified HOTi message to the Correspondent Node. The Mobile Node then receives a HOT message protected in IPSec transport mode from the Home Agent associated with the Mobile Node, the HOT message being received from the Home Agent associated with the Mobile Node after modification has been performed by the Home Agent on an initial HOT message received by the Home Agent from the Correspondent Node.