Abstract: A method of routing IP traffic to and from a mobile terminal able to connect to the Internet via two or more gateway nodes. The method comprises implementing a multi-addressing multi-homing protocol at each gateway node on behalf of the mobile terminal, and sharing protocol state information between gateway nodes to allow gateway nodes to update state information at the corresponding node when the mobile terminal changes gateway node.

Abstract: A method of forwarding IP packets, sent to an old care-of-address of a mobile node, to the mobile node following a handover of the mobile node from a first old access router to a second new access router. The method comprises, prior to completion of said handover, providing said first router or another proxy node with information necessary to determine the new IP care-of address to be used by the mobile node when the mobile node is transferred to the second access router. At said first router or said proxy node, the new care-of-address for the mobile node is determined using said information and ownership of the new care-of-address by the mobile node confirmed, and subsequently packets received at said first access network and destined for said old care-of-address are forwarded to the predicted care-of-address address.

Abstract: A method is provided for use in interworking a single sign-on authentication architecture and a further authentication architecture in a split terminal scenario. The split terminal scenario is one in which authentication under the single sign-on authentication architecture is required of a browsing agent (8) being used to access a relying party and in response, due to the interworking in the split terminal scenario, an associated authentication under the further authentication architecture is performed in relation to a separate authentication agent (7). A controlling agent (4) sends (C3) a token to the authentication agent (7). The controlling agent (4) sends (C4) a request to the browsing agent (8) to return a token for comparing with the token sent to the authentication agent (7).

Abstract: A method of forwarding IP packets, sent to an old care-of-address of a mobile node, to the mobile node following a handover of the mobile node from a first old access router to a second new access router. The method comprises, prior to completion of said handover, providing said first router or another proxy node with information necessary to determine the new IP care-of address to be used by the mobile node when the mobile node is transferred to the second access router. At said first router or said proxy node, the new care-of-address for the mobile node is determined using said information and ownership of the new care-of-address by the mobile node confirmed, and subsequently packets received at said first access network and destined for said old care-of-address are forwarded to the predicted care-of-address address.

Abstract: A method of handling mobility of a sender in a multicast packet sending scenario. The method comprises firstly establishing a multicast tree across a packet data network and transmitting multicast packets from the sender to a plurality of receivers via said multicast tree. Prior to a mobility event in respect of said sender, a suitable transfer anchor node is identified within said network, and the tree re-rooted to that transfer anchor node. Subsequently, multicast packets are transmitted from said sender to said transfer anchor node and injected into the multicast tree at said transfer anchor node. Following said mobility event, said sender continues to send multicast packets to said transfer anchor node for injection into the multicast tree.

Abstract: A method of facilitating Internet Protocol access by a mobile node to an access Network, the method comprising: sending an attachment request from the mobile node to an access router of the access network, the request containing a mobile node identifier and an Interface Identifier or means for deriving an Interface Identifier, and being signed by the mobile node to allow the message to be authenticated as originating at that mobile node; receiving the request at the access router and authenticating the message there using the signature, and in response to the receipt and authentication of the message, performing a predefined set of tasks delegated to the access node and which are required to facilitate said access; and returning an acknowledgment from the access router to the mobile node confirming the access permission, the acknowledgement containing a network routing prefix and means for authenticating the access router to the mobile node.

Abstract: A modified Host Identity Protocol, HIP, base exchange method is provided for use by first and second HIP hosts (Initiator and Responder) having a shared state from a pre-existing relationship. In the modified HIP base exchange method, an authentication message (I2?) is sent (S2) from the first host (Initiator) to the second host (Responder) comprising an identifier (HITI) of the first host (Initiator) and a cryptographic item (PF). The authentication message (I2?) is received (S3) at the second host (Responder). Following receipt, the identifier and information relating to the shared state are used (S4) to authenticate the cryptographic item (PF). If the cryptographic item, and the rest of the authentication message, is authenticated, a confirmation message (R2?) is sent from the second host (Responder) to the first host (Initiator) to indicate successful authentication.

Abstract: A method of providing packet routing information comprises: encoding routing information from a source node to one or more destination nodes into a compact representation of set membership; and putting the compact representation of sets into a header of a packet that is to be sent from the source node to the destination node(s). The compact representation may be obtained by: generating d representations of a set of identifiers; generating d candidate compact representations of set membership from the d representations of the identifiers; and selecting one of the candidate compact representation of set membership. The selection may be made on the basis of which of the candidate compact representations has the lowest rate of returning false positives.

Abstract: A method of securely initializing subscriber and security data in a mobile routing system when the subscribers are also subscribers of a radio communication network. The method comprises, within the mobile routing system, authenticating subscribers to the mobile routing system using an authentication procedure defined for the radio communication network, collecting subscriber information from relevant nodes of the radio network, and agreeing upon keys by which further communications between the subscribers and the mobile routing system can take place, and using the subscriber information and keys in the provision of mobility services to subscriber mobile nodes and correspondent nodes.

Abstract: A method of controlling traffic flow through a service node located within a packet network, which traffic flow originates at a plurality of sending nodes and is destined for a receiving node. The service node is one of a multiplicity of service nodes configured in a tree or other acyclic structure, e.g. of an overlay network. The method comprises receiving a challenge from said receiving node or a downstream service node, generating and caching a further challenge, and combining that further challenge with the received challenges to generate a modified challenge. The modified challenge is then sent to a sending node or to an upstream service node. Subsequently, a request is received, destined for said receiving node and originating at a sending node. A solution accompanying said request is validated using the cached further challenge, and the request forwarded towards said receiving node only if the solution is valid. Otherwise, the request is dropped.

Abstract: A method of using the Host Identity Protocol (HIP) to at least partially secure communications between a first host operating in a first network environment and a second, HIP-enabled, host operating in a second network environment, with a gateway node forming a gateway between the two environments. An identifier is associated with the first host, stored at the gateway node, and sent to the first host. The identifier is then used as a source address in a subsequent session initiation message sent from the first host to the gateway node, having an indication that the destination of the message is the second host. The stored identifier at the gateway node is then used to negotiate a secure HIP connection to the second host. The first network environment may be a UMTS or GPRS environment, in which case the gateway node may be a Gateway GPRS Support Node (GGSN).

Abstract: A method of verifying a request made in respect of an IPv6 address comprising a network routing prefix and a cryptographically generated Interface Identifier. The request includes a delegation certificate containing a public key of the host, one or more further parameters or a formula or formulae for generating one or more further parameters, a specification of a range or set of IPv6 network routing prefixes, an identity of a delegated host, and a digital signature taken over at least the identity and the specification of a range or set of IPv6 network routing prefixes using a private key associated with the public key. The method verifies that the network routing prefix of said IPv6 address is contained within the specification, verifying that the public key and the further parameter(s) can be used to generate the cryptographically generated Interface Identifier, and verifying said signature using the public key.

Abstract: A method of making data, published on a first publication/subscribe (pubsub) network, available to hosts within a second publication/subscribe network where the networks are interconnected via the Internet. The method comprises registering a publication identity of said data within a rendezvous system located within the Internet, forwarding Subscribe requests associated with said publication identity from said second network to said rendezvous system and, at the rendezvous system, identifying a location of said data within said first network. The Subscribe request can then be forwarded to said first network, and said data delivered from said first network to said second network via the Internet.

Abstract: A mobile wireless terminal, the terminal comprising a generator configured to generate and store a first numerical chain comprising a series of n values using a one-way coding function such that a given value within the chain is easily obtainable from a subsequent value, but the subsequent value is not easily obtainable from that given value, and an authentication requester configured to disclose a value from the numerical chain to an access node, in order to allow the access node to authenticate the mobile wireless terminal, wherein the disclosed value succeeds any values in the chain already disclosed by the mobile wireless terminal.

Abstract: A network comprises a plurality of Access Routers arranged in one or more NetLMM domains. A domain comprises distributed routing information in the form of one or more Bloom filters or Bloom filter equivalents. In one embodiment, each Access Router may have an associated Local Bloom filter or Bloom filter equivalent that provides information as to which mobile nodes are currently behind the respective Access Router. Each Access Router sends its associated Local Bloom filter or Bloom filter equivalent to every other Access Router of the domain. An Access Router uses the Bloom filters or Bloom filter equivalents received from every other Access Router of the domain to determine to which Access Router to send a packet destined to a specified Mobile Node. Another embodiment uses partly-distributed routing information.

Abstract: A network comprises a NetLMM domain having at least one Host Identity Protocol proxy coupled to one or more Access Points for communicating with a Mobile Node and acting, in use, as an Access Router for the NetLMM domain. Use of an HIP proxy as an Access Router allows the Access Router itself to be mobile. Furthermore, the Access Router can reside in IPv4 networks, and can even be behind NAT boxes located between the Access Router and a Local Mobility Anchor to which the Access Router is registered. The invention may be applied using a hierarchical architecture in which each domain comprises a respective Local Mobility Anchor coupled to each HIP proxy acting as an Access Router in the domain. The Local Mobility Anchor of a domain may itself be an HIP Local Mobility Anchor. Alternatively, the HIP proxies in a domain may be arranged in a distributed manner.

Abstract: In order to delegate location update signaling responsibility from a Mobile Node to a Mobile Router, the Mobile Router is provided with a second symmetric key generated by a Mobile Node using a first symmetric key shared between the Mobile Node and a Peer Node. The Mobile Router is additionally provided with a “certificate” authenticating the second symmetric key using the first symmetric key. In this way, the mobile router can sign location update related messages sent to the Peer Node with the second symmetric key, and can provide the Peer Node with the certificate in order to allow the Peer Node to authenticate the right of the Mobile Router to act on behalf of the Mobile Node.

Abstract: A method of forwarding IP packets, sent to an old care-of-address of a mobile node, to the mobile node following a handover of the mobile node from a first old access router to a second new access router. The method comprises, prior to completion of said handover, providing said first router or another proxy node with information necessary to determine the new IP care-of address to be used by the mobile node when the mobile node is transferred to the second access router. At said first router or said proxy node, the new care-of-address for the mobile node is determined using said information and ownership of the new care-of-address by the mobile node confirmed, and subsequently packets received at said first access network and destined for said old care-of-address are forwarded to the predicted care-of-address address.

Abstract: A mobile wireless terminal, the terminal comprising a generator configured to generate and store a first numerical chain comprising a series of n values using a one-way coding function such that a given value within the chain is easily obtainable from a subsequent value, but the subsequent value is not easily obtainable from that given value, and an authentication requester configured to disclose a value from the numerical chain to an access node, in order to allow the access node to authenticate the mobile wireless terminal, wherein the disclosed value succeeds any values in the chain already disclosed by the mobile wireless terminal.

Abstract: A method of authenticating a mobile node to a communication system is provided, the communication system comprising a plurality of access nodes, the method comprising the steps of (a) generating a numerical chain comprising a seriesof values using a one-way coding function such that a given value within the chain is easily obtainable from a subsequent value, but the subsequent value is not easily obtainable from that given value; (b) sending a value from the first numerical chain from the mobile node to an access node to which the mobile node wishes to attach; and (c) using the sent value at the access node to authenticate the mobile node.