Abstract: Methods and apparatus for event distribution and routing in peer-to-peer overlay networks. A method is provided for event distribution and routing in a peer-to-peer overlay network that comprises a plurality of nodes. The method includes identifying a plurality of buckets on the overlay network, wherein each bucket includes one or more nodes, respectively, identifying bucket groups, wherein each bucket group includes a selected number of buckets, respectively, distributing events based on the bucket groups, and updating a routing table based on the events. A node includes a transceiver and a processor coupled to the transceiver and configured to identify a plurality of buckets on the overlay network, wherein each bucket includes one or more nodes, respectively, identify bucket groups, wherein each bucket group includes a selected number of buckets, respectively, distribute events based on the bucket groups, and update a routing table based on the events.

Abstract: Methods and apparatus for reducing the effectiveness of chosen location attacks in a peer-to-peer overlay network. A method includes determining that new node identifiers are to be generated for a plurality of nodes in the network, inputting parameters to a hash function to generate a selected node identifier, and adopting a location in the network associated with the selected node identifier. Another method includes receiving a node identifier associated with a selected node, inputting parameters associated with the selected node to a hash function to generate a corresponding node identifier, comparing the node identifier with the corresponding node identifier, and determining that the selected node is a potential attacker if the node identifiers do not match. Another method includes detecting responsibility for initiating an update to one or more node identifiers, generating parameters to generate the node identifiers, and transmitting the parameters on the network.

Abstract: All nodes within a communication system (100) will create an IP address based on a shared-secret key. The shared-secret key is unique for every node within the communication system and is known only to the node (102) and a server (103). The router (101) can validate that the node (102) owns the IP address.

Abstract: Methods and apparatus for proxying of devices and services using overlay networks. A method for operating a proxy includes obtaining meta-data associated with at least one of a device and a service, generating a searchable index of the meta-data, and publishing the searchable index on the overlay network as at least one of a distributed index and a centralized index. Another method includes receiving a request from a device or a service using a non overlay protocol to receive at least one of data and services from the overlay network, searching an index of meta-data on the overlay network based on the request, identifying a node associated with the at least one of data and services based on the index, establishing a direct connection with the node, and obtaining the at least one of data and services using the direct connection.

Abstract: Methods and apparatus for optimal participation of devices in a peer-to-peer overlay network. A method for dynamically configuring a node includes operating on an overlay network using a first participation mode, obtaining at least one configuration parameter, selecting a second participation mode for operation on the overlay network based on local policy and the at least one configuration parameter, and configuring the node to participate on the overlay network based on the second participation mode. An apparatus for dynamic node configuration includes a memory coupled to a processor and configured to operate on an overlay network using a first participation mode, obtain at least one configuration parameter, select a second participation mode for operation on the overlay network based on local policy and the at least one configuration parameter, and configure the node to participate on the overlay network based on the second participation mode.

Abstract: Methods and apparatus for discovery of peer-to-peer overlay networks. In an aspect, a method includes receiving a request to discover information about overlay networks of interest, generating a search query that comprises at least one parameter associated with the overlay networks of interest, and transmitting the search query to nodes on a local area network. In another aspect, an apparatus includes a memory comprising an overlay database of meta-data associated with one or more known overlay networks and a processor coupled to the memory and configured to obtain a search query that comprises at least one parameter associated with overlay networks of interest, determine one or more selected overlay networks from the overlay database based on the at least one parameter, and transmit meta-data associated with the one or more selected overlay networks in response to the search query.

Abstract: A novel group key distribution and management scheme for broadcast message security is provided that allows an access terminal to send a single copy of a broadcast message encrypted with a group key. Access nodes that are members of an active set of access nodes for the access terminal may decrypt and understand the message. The group key is generated and distributed by the access terminal to the access nodes in its active set using temporary unicast keys to secure the group key during distribution. A new group key is provided every time an access node is removed from the active set of access nodes for the access terminal.

Abstract: An intermediate device of a network includes network and transport layers, a dispatcher, a splitter and a connections database. The splitter intercepts a message packet in the network layer and modifies the network routing header and transport header of the message packet to form a modified message packet. The dispatcher receives modified message packets from the transport layer, recovers information from the message packets, passes the modified message packets back to the transport layer and adapts the transport layer to adapt communication dependent upon the information recovered from the message packets. The connections database stores the original source address, the original destination address, the original source port identifier and the original destination port identifier of an incoming message packet. A message packet is modified, with reference to the connections database, so that message packets from the first and second nodes are routed through the dispatcher.

Abstract: A method is provided for securing a PMIP tunnel between a serving gateway and a new access node through which an access terminal communicates. A PMIP key hierarchy unique to each access terminal is maintained by the gateway. The gateway uses a first node key to secure PMIP tunnels when authentication of the access terminal has been performed. A PMIP key is generated based on the first node key and the PMIP key is sent to the new access node to assist in establishing and securing a PMIP tunnel between the gateway and the new access node. Otherwise, when authentication of the access terminal has not been performed, the gateway generates a second node key and sends it to an intermediary network node which then generates and sends a PMIP key to the new access node. This second key is then used to secure the PMIP tunnel.

Abstract: Disclosed is a method for multiple EAP-based authentications in a wireless communication system. In the method, a first master session key (MSK) is generated in a first EAP-based authentication for a first-type access. A first temporal session key (TSK) is generated from the first master session key (MSK). A second EAP-based authentication is performed, using the first temporal session key (TSK), for a second-type access. First-type access and second-type access are provided after the first and second EAP-based authentications are successfully completed.

Abstract: An authentication server may be adapted to (a) authenticate an authentication peer seeking to establish communications via a first network access node; (b) retrieve user profile information associated with the authentication peer; and/or (c) send the user profile information to a network gateway node that facilitates communication services for the authentication peer. A PMIP network node may be adapted to (a) provide wireless network connectivity to an authentication peer via a first network access node; (b) provide a PMIP key to both ends of a PMIP tunnel between the first network access node and a PMIP network node used to provide communications to the authentication peer; (c) provide the PMIP key to a first authenticator associated the first network access node; (d) receive a request at the PMIP network node from a requesting entity to reroute communications for the authentication peer; and/or (e) verify whether the requesting entity knows the PMIP key.

Abstract: Methods and apparatus for efficient routing in communication networks. In an aspect, a method is provided for traffic routing between first and second nodes in a communication network. The method includes detecting traffic transmitted between the first and second nodes, transmitting a request to a mobility agent associated with the first node to request authorization for a route optimization between the first and second nodes, receiving a response that authorizes the route optimization, and establishing an optimized route. In an aspect, an apparatus includes detector logic for detecting traffic transmitted between the first and second nodes, transmitting logic for transmitting a request to a mobility agent associated with the first node to request authorization for a route optimization between the first and second nodes, receiving logic for receiving a response that authorizes the route optimization, and connection logic for establishing an optimized route.

Abstract: A method for using Internet mobility protocols with non Internet mobility protocols is described. A first gateway node communicates with a second gateway node using a first protocol. The first protocol is a non Internet mobility protocol. A home address (HoA) for a mobile node is managed by the second gateway node. Updates regarding the location of the mobile node within a domain are received using a second protocol. The second protocol is an Internet mobility protocol. Intra-domain mobility for the mobile node is managed by the second gateway node using the second protocol.

Abstract: A method for transmitting a packet from a transmitting node to a destination node in a communication network can enable improved network efficiency. The method includes receiving and storing identification information concerning at least one foreign node that is directly reachable in the communication network (block 505). It is then determined, using the identification information, whether the destination node is directly reachable in the communication network (block 510). Based on whether the destination node is directly reachable in the communication network, it is then determined whether to transmit the packet to the destination node using a tunneling protocol or without using a tunneling protocol (block 515). The packet is then transmitted from the transmitting node to the destination node (block 520).

Abstract: A method for implementing proxy mobile Internet protocol (PMIP) in mobile IP foreign agent care-of-address mode may include determining a home address of an access terminal. The method may also include communicating with a home agent in order to bind an address of the network node with the home address of the access terminal and establish a tunnel between the network node and the home agent. The method may also include receiving first packets destined for the access terminal from the home agent via the tunnel and sending the first packets to the access terminal. The method may also include receiving second packets sent by the access terminal that are destined for a correspondent node and sending the second packets to the home agent via the tunnel.

Abstract: A sending device replace an original Internet Protocol (IP) header in a packet with a shim that includes some information copied from the IP header, such that the resultant packet being sent from a source device to a destination device has a shim that is smaller in byte size than the header that it replaces. The receiving device copies some different information from the original header into another header. The sending device can further optimize the packet by: eliminating an IP header associated with a security protocol; eliminating a mobility tunnel for a node behind a mobile router (MR); and selective use of a security tunnel for the MR. A receiving device, upon receiving the optimized packet, restores the original IP header using the information in the shim (and other header(s)) and restores any other headers that were removed prior to forwarding the packet toward its intended destination.

Abstract: A novel key management approach is provided for securing communication handoffs between and access terminal and two access points. This approach provides for securely handing off communications between an access terminal and access point without risking exposure a master key for the access terminal. Temporary master keys are derived for low latency handoffs and secure authentication between a new access point and the access terminal. In one aspect, a distributive key management scheme is provided in which a current access point generates a new security key (based on its own security key) that is used by the next access point with which an access terminal communicates. In another aspect, a centralized key management scheme is provided in which a central authenticator maintains, generates, and distributes new security keys (based on a master security key associated with the access terminal) to access points.

Abstract: System and method are provided for establishing internet protocol (IP) communication between a mobile node (MN) and one or more mobile networks. The method includes receiving (100) a request from a MN when the MN joins a first mobile network, creating (105) routing information indicating a home address of the MN, and announcing (110) the home address to the nodes of the mobile network(s). The request indicates the home address of the MN.

Abstract: Techniques for binding multiple authentications for a peer are described. In one design, multiple authentications for the peer may be bound based on a unique identifier for the peer. The unique identifier may be a pseudo-random number and may be exchanged securely between the peer, an authentication server, and an authenticator in order to prevent a man-in-the-middle attack. Data for all authentications bound by the unique identifier may be exchanged securely based on one or more cryptographic keys generated by all or a subset of these authentications. In another design, multiple levels of security may be used for multiple authentications for a peer. The peer may perform a first authentication with a first authentication server and obtain a first cryptographic key and may also perform a second authentication with the first authentication server or a second authentication server and obtain a second cryptographic key. The peer may thereafter securely exchange data using the two keys using nested security.

Abstract: A method for minimizing tunnels in a network, apparatus and computer-readable storage medium having computer readable code stored thereon for programming a computer to perform the method. The method includes the steps of: obtaining state information associated with a first node connected to a mobile network behind a mobile node; receiving a first message sent between the first node and a correspondent node, wherein a first header was removed from the first message prior to sending the first message; recreating, in one of the mobile node and a mobility agent, the first header using the state information; and sending the first message with the first header.