Abstract: A method for maintaining connectivity between a mobile node and a corresponding node when the mobile node connects to a foreign network, where the foreign network and the home network are Internet protocol version 6 (IPv6) networks but the corresponding node is an Internet protocol version 4 (IPv4) node. The method includes receiving at the home agent node an IPv6 care-of address, determining that the IPv6 care-of address belongs to the foreign network and that the foreign NAT64 node has a prefix to to generate virtual IPv6 addresses and sending a prefix binding request message to a home NAT64 node to bind the prefix to the home address of the mobile node for translation between IPv6 and IPv4.

Abstract: A method implemented in a host node for communicating with a corresponding node through one of a plurality of available networks that includes: receiving a request to initiate a connection with the corresponding node from an application executing on a host node, sending a request to a DNS64 node for an address of the corresponding node, receiving a virtual IPv6 address for the corresponding node with a generic prefix, selecting a connection to one of the plurality of networks through which the data is to be forwarded to the corresponding node, and sending the data to the corresponding node using a virtual IPv6 address for the corresponding node with the prefix of the NAT64 node in the network of the selected connection, whereby the host node is able to maintain connectivity with the corresponding node despite having connections to the plurality of networks that each have NAT64 nodes.

Abstract: A method implemented in a network element to make a first device assigned an IPv4 private address accessible to a second device using Internet Protocol Version 6 (IPv6), the method comprising receiving an IPv6 formatted data packet, having a virtual IPv6 address as a destination address and having been sent from the second device; determining whether the virtual IPv6 address includes a representation prefix (RP); sending an address map query (AMQ) to a customer premise equipment (CPE), where the CPE stores a mapping between the virtual IPv6 address and a private IPv4 address of the first device; receiving an address map response (AMR) from the CPE with the private IPv4 address corresponding to the virtual IPv6 address; translating the IPv6 formatted data packet into an IPv4 formatted data packet; and sending the translated data packet to the CPE through an IPv4 over IPv6 tunnel.

Abstract: A method performed by a network element for providing micro-mobility in a network to a mobile node including the steps of receiving a registration request message at the mobility anchor point from an access router that is currently coupled to the mobile node, wherein the registration request message includes an endpoint identifier of the mobile node and a local care-of address of the mobile node, establishing a label switch path (LSP) between the mobility anchor point and the access router, storing the endpoint identifier in a binding entry along with the local care-of address, a regional care-of address, the label switch path and an egress interface, advertising the endpoint identifier with associated regional or local care-of address of the mobile node, and forwarding data packets, received at the mobility anchor point from a corresponding node that have the regional or local care-of address, to the mobile node using the LSP.

Abstract: Methods and apparatus for facilitating access to public wireless access points in a fixed-mobile convergence system. A mobile terminal is pre-provisioned with one or more security parameters corresponding to one or more WLAN access points that the mobile terminal might need to access should a current WLAN access point fail or otherwise become unreachable. The WLAN access points are similarly pre-provisioned with a security parameter corresponding to the mobile terminal. With these pro-provisioned security parameters, the mobile terminal and any one of the potential target WLAN access points conduct an abbreviated authentication process in the event that a switch-over becomes necessary.

Abstract: A method implemented in a network element for controlling access to a set of resources on a per-application basis, the set of resources including subsets of the resources where each subset is accessible to a set of one or more applications through the use of a separate group key, the method comprising the steps of receiving an authentication request from a node communicatively connected to the network element through a first network interface of the network element, the authentication request including a certificate for the node, validating the certificate for the node, determining that the certificate has been authorized for the set of one or more applications through a query of a certificate database, retrieving each group key that corresponds to the set of one or more applications through a query of a group key database, and returning each group key retrieved from the group key database to the node.

Abstract: A method of performing hand-off of a Mobile Node from a previous Access Point to a new Access Point within a WLAN domain, where the previous and new Access Points are connected respectively to previous and new Access Routers. The method comprises, following a MAC authentication exchange between the Mobile Node and the new Access Point, sending a MAC Reassociation Request from the Mobile Node to the New Access Point, forwarding said Reassociation Request to said new Access Router, and sending the Reassociation Request from said new Access Router to said previous Access Router within an IP hand-off request, and authenticating the Reassociation Request at the previous Access Router and initiating the tunnelling of IP packets received at the previous Access Router and destined for said Mobile Node, towards said new Access Router.

Abstract: A method of securing IP traffic sent from a first host to a second host attached respectively to first and second access points. The method comprises establishing a shared secret between said first and second hosts, and for each packet to be sent, using the next value in a pseudo-random number sequence as an interface identifier part of the source IP address.

Abstract: In one aspect of the invention, a mobile node (MN) participates in a first return routability procedure with a home agent (HA) and a correspondent node (CN), including generating a first binding management key (Kbm). A first proof of knowledge (PoK) is generated by hashing the first Kbm. The MN participates in a second return routability procedure, including generating a second Kbm. A first binding update and binding acknowledgement (BU/BA) key is generated by hashing the second Kbm and the first PoK. A first binding update (BU) message is transmitted to the CN, where the second BU message is transmitted with the first BU/BA key. In response to a first binding acknowledgement (BA) message received from the CN, the MN authenticates the first BA message using the first BU/BA key.

Abstract: A method implemented in a network element functioning as a home agent (HA) for a mobile node (MN) communicating with a corresponding node (CN) using Mobile Internet Protocol version 6 (MIPv6), the method including selecting by the HA a virtual home agent (VHA) to provide home agent services to the MN with a better quality of service than the HA based on pre-defined policies, sending a flow switch request (FSR) message to the selected VHA, the FSR message including transmission control protocol (TCP) parameters and the FSR message including a care-of address for the MN and an address of the CN, the FSR message to initiate a flow redirection at the VHA using multi-path TCP exchange, and receiving a flow switch acknowledgement (FSA) message from the VHA indicating that the VHA is receiving data packets from the CN and tunneling the data packets to the MN at the care-of address.

Abstract: A method implemented by a network element to track IPv6 addresses of devices in a home network, wherein the network element provides DHCPv6 service to the home network and a home network router on the home network assigns IPv6 address to the devices using a prefix provided by the DHCPv6 service, the method including receiving a DHCPv6 request for a prefix delegation from a home network router, sending a DHCPv6 message including an assigned prefix to the home network router, the DHCPv6 message including a request for notification of configured IPv6 addresses, receiving a first ICMP message from the home network router, including a MAC address and corresponding IPv6 address for a configured device, and sending the home network router a second ICMP message to acknowledge recording the IPv6 address for the configured device, enabling the network element to provide services and forward traffic directly to the configured device.

Abstract: A method implemented by a network element of an Internet service provider to provide network access through a visited network associated with a visited network owner to a device of a visiting user connecting to the visited networker. The visited network owner is a customer of the Internet service provider. The network element configures the visited network to provide access to resources of a remote home network to the device of the visiting user. The remote home network is in communication with the visited network over a wide area network. Connecting to a virtual gateway controller of the remote home network to obtain configuration information to establish a connection between the device and the remote home network. Establishing a connection between the device of the visiting user and a second access point. Providing access to the resource of the remote home network through the second access point.

Abstract: A method is provided for use in a Mobile IP network in which it is determined whether a Mobile Node (10) in a visited network is reachable on a new claimed Care-of Address for the Mobile Node (10) using information relating to a pre-established cryptographic relationship between the Mobile Node (10) and an Access Router (20) of the visited network. It may be determined, through communication between a Home Agent (30) for the Mobile Node (10) in the Mobile Node 10's home network and the Access Router (20), whether such a pre-established cryptographic relationship exists. The existence of such a pre-established relationship would indicate that the Mobile Node (10) is reachable on the claimed Care-of Address.

Abstract: A wireless communication device includes a plurality of different wireless interfaces to facilitate communications with a remote device over a corresponding plurality of networks. The device can switch between the different interfaces to migrate an on-going communications session from one that requires the infrastructure of a fixed wireless communication network to one that does not require the infrastructure of a fixed wireless communication network. Switching between the various interfaces allows the migration to occur while protecting the device against malicious third-party impersonation attacks.

Abstract: A network, a method and devices (i.e., mobile node, access router, home agent, destination home agent) are described herein for enabling an efficient hybrid route optimization between two mobile endpoints so they can re-direct their data traffic to an optimal path without exchanging any mobility signaling messages.

Abstract: A method and apparatus to establish trust between two nodes in a communications network. A first node receives from a network node authentication data unique to the first node, which can be used to derive a compact representation of verification data for the first node. The first node also receives a certified compact representation of verification data of all nodes in the network. The first node derives trust information from the authentication data for the node, and sends to a second node a message that includes the trust information and part of the authentication data. The second node has its own copy of the certified compact representation of verification data of all nodes in the network, and verifies the authenticity of the message from the first node using the compact representation of verification data of all nodes in the network and the received trust information and authentication data.

Abstract: A network element is described. In one embodiment includes receiving a packet from the host in the first domain at the network element in the first domain, the packet including a destination address to the host in the second domain, the destination address being formed by replacing an Interface Identifier of an IP address by a second domain label and a shortened Media Access Control (MAC) address, the second domain label identifying the second domain. A routing label and the shortened MAC address are attached to the received packet, and the packet is sent on a label switched path indicated by the label to the second domain.

Abstract: Methods of assigning radio resources in a wireless communications network with user equipment are provided. The methods include connecting a user equipment unit to a vehicle having a mobile communication module associated therewith. The user equipment unit is authenticated at the vehicle and is associated with the user equipment unit with the vehicle. Connection credentials are received at the mobile communication module from the user equipment unit if the user equipment unit is authenticated and associated. At least one wireless interface is activated at the mobile communication module responsive to the received connection credentials. A local wireless connection is established between the user equipment unit and the mobile communication module associated with the vehicle using the at least one wireless interface. Related mobile communication modules and intermediary devices are also provided.

Abstract: A method and apparatus for establishing a cryptographic relationship between a first node and a second node in a communications network. The first node receives at least part of a cryptographic attribute of the second node, uses the received at least part of the cryptographic attribute to generate an identifier for the first node. The cryptographic attribute may a public key belonging to the second node, and the identifier may be a Cryptographically Generated IP address. The cryptographic relationship allows the second node to establish with a third node that it is entitled to act on behalf of the first node.

Abstract: A method implemented in a network element for controlling access to a set of resources on a per-application basis, the set of resources including subsets of the resources where each subset is accessible to a set of one or more applications through the use of a separate group key, the method comprising the steps of receiving an authentication request from a node communicatively connected to the network element through a first network interface of the network element, the authentication request including a certificate for the node, validating the certificate for the node, determining that the certificate has been authorized for the set of one or more applications through a query of a certificate database, retrieving each group key that corresponds to the set of one or more applications through a query of a group key database, and returning each group key retrieved from the group key database to the node.