Abstract: A method is provided for use in a Mobile IP network in which it is determined whether a Mobile Node (10) in a visited network is reachable on a new claimed Care-of Address for the Mobile Node (10) using information relating to a pre-established cryptographic relationship between the Mobile Node (10) and an Access Router (20) of the visited network. It may be determined, through communication between a Home Agent (30) for the Mobile Node (10) in the Mobile Node 10's home network and the Access Router (20), whether such a pre-established cryptographic relationship exists. The existence of such a pre-established relationship would indicate that the Mobile Node (10) is reachable on the claimed Care-of Address.

Abstract: Aspects describe enabling two peers that have already paired together under some circumstances to re-identify themselves under different circumstances so that the peers can bypass performing another pairing only to discover that they are already paired. A Bloom filter is constructed from an available pool of locally selected identifiers and is sent to a peer node in a first message. Upon receiving the message with the Bloom filter, peer node checks all its known identifiers. If peer node finds that one of its identifiers is a member of the Bloom filter, peer node sends a reply in order to achieve a mutual identification.

Abstract: A method of performing hand-off of a Mobile Node from a previous Access Point to a new Access Point within a WLAN domain, where the previous and new Access Points are connected respectively to previous and new Access Routers. The method comprises, following a MAC authentication exchange between the Mobile Node and the new Access Point, sending a MAC Reassociation Request from the Mobile Node to the New Access Point, forwarding said Reassociation Request to said new Access Router, and sending the Reassociation Request from said new Access Router to said previous Access Router within an IP hand-off request, and authenticating the Reassociation Request at the previous Access Router and initiating the tunnelling of IP packets received at the previous Access Router and destined for said Mobile Node, towards said new Access Router.

Abstract: A method and apparatus for establishing a cryptographic relationship between a first node and a second node in a communications network. The first node receives at least part of a cryptographic attribute of the second node, uses the received at least part of the cryptographic attribute to generate an identifier for the first node. The cryptographic attribute may a public key belonging to the second node, and the identifier may be a Cryptographically Generated IP address. The cryptographic relationship allows the second node to establish with a third node that it is entitled to act on behalf of the first node.

Abstract: A system, method, and node for protecting a telecommunication system against a mobile and multi-homed attacker, MMA (10). The telecommunication system includes one or more correspondent nodes, CN, (102, 104) for transferring data packets. A mobile and multi-homed network node, MMN, (108) associated with the MMA communicates and receives data packets with the CN. An access router, AR, (106) transferring data between the MMN and the CN performs a reachability test with the MMN to determine if the MMN is still reachable. The AR sends a message to the CN to flush cached information associated with the MMN if the MMN is not reachable by the AR. The CN, upon receiving the message to flush cached information, flushes binding cache entries associated with the MMN from the CN.

Abstract: A method of establishing a route optimisation mode between a mobile node and a correspondent node across a mobile IP network. The method comprises establishing a bi-directional security association between a proxy mobile agent to which the mobile node is attached or to which the mobile node will attach, and the correspondent node. On behalf of the mobile node, the proxy mobile agent performs a reachability test with the correspondent node via a home agent of the mobile node, and sends a binding update to the correspondent node.

Abstract: A node arranged in use to communicate over an IP network, the node comprising means for receiving an IP packet either from a peer node or from a higher protocol layer within the node, means for XORing a header of the packet or part thereof with a pad to translate the header or part thereof, and means for sending the packet to a peer node or for delivering the packet to a higher protocol layer within the node.

Abstract: A method of securing IP traffic sent from a first host to a second host attached respectively to first and second access points. The method comprises establishing a shared secret between said first and second hosts, and for each packet to be sent, using the next value in a pseudo-random number sequence as an interface identifier part of the source IP address.

Abstract: A method of at least partially creating a network connection from a computing device to a network wherein the method comprises determining the bandwidth associated with the network connection that it is desired to make to the computing device from the network and assessing whether this bandwidth is available from the network before commencing creating the connection. Generally, this method will be used during a hand-over process from an existing network to the network.

Abstract: There is disclosed a method, and a communication system, and a communication node for implementing the claimed method, for attempting to enhance legitimacy assessment and thwart a man-in-the middle or similar false-location attack by evaluating the topology of a communication-session requesting node relative to the proposed communication path through a network between the requesting node and the requested node. Upon receiving the request, a PRD (Prefix Reachability Detection) protocol is initiated, either after or during a secure key exchange, if any, which if performed preferably includes an ART (address reachability text). The PRD is executed by sending a message to the communication node challenging the location-authenticity of the requesting device. The communication node, which may be for example an access router through which the requesting node accesses the network, determines if the requesting node is positioned behind the communication node topologically, and reports the result to the requested node.

Abstract: A MN, a method and a VMAP for increasing efficiency of handover of the MN from a AR1 to a AR2. The VMAP is hierarchically below a MAP and above the AR1. The MN has a RCoA valid under the MAP and a LCoA valid under the AR1. The VMAP comprises an OMM Function capable of receiving a PathUM thereby informing the VMAP that the MN 412 is handing over to the AR2, computing a LCoA2 valid under the AR2 and forwarding traffic received on the LCoA to the LCoA2. A VMAP Binding Cache Entry for the MN comprises at least the MN's RCoA, the MN's LCoA and a unique value associated with the MN. The VMAP, therewith, computes the LCoA2 using a same function as in the MN. Prior to receiving the PathUM, the VMAP could receive an E-LBA issued from the MAP and addressed to the LCoA comprising the MN's RCoA and the unique value associated with the MN and thereafter, creating or updating the VBCE for the MN using information included therein.

Abstract: Methods, Mobile Node and Mobility Access gateway for enabling vertical handoff of the Mobile Node between a first and second network interfaces using a pad translator.

Abstract: Methods and apparatuses for combining internet protocol layer authentication and mobility signaling are disclosed. Various embodiments for providing authentication and mobility signaling when a mobile node moves from a 3GPP access network to a non 3GPP access network and vice versa are described.

Abstract: A method and Mobility Anchor Point (MAP) are provided for authenticating an update message received at the MAP from a Mobile Node (MN). A table entry is created in the MAP, following receipt of a first message comprising a public key of the MN, a first pointer and a first comparison data, information elements received from the first message being stored in the table entry. The MAP then receives an update message requesting binding of a Local Care-of Address (LCoA) with a Regional Care-of Address (RCoA). The update message further comprises a second pointer and a second comparison data. The MAP locates the table entry by use of the second pointer. The MAP then authenticates the second message by hashing one of the first or second comparison data and comparing a result of the hashing with the other one of the first and second comparison data. If a match is found, the second message is authenticated and the MAP binds the LCoA and the RCoA by storing both addresses in the table entry.

Abstract: A Mobile Node, A Network Node and a method performed in a visited network of a telecommunications network. The Mobile Node has a home address (HoA) valid in a Mobile Node's home network of the telecommunications network or knows how to generate one. The HoA is used in the visited network. A Pad Translator Generator module generates a Pad Translator (PaT) from at least one protection parameter by applying at least one exclusive-or (XOR) thereon and a Pad Translator Applicator module applies the PaT on at least a portion of a header of a packet using an exclusive-or (XOR) function thereby enabling protection of at least a portion of the HoA in the visited network.

Abstract: A method, a router and a host are introduced for providing secure communication with limited use of processing intensive cryptographic means. Strong cryptographic keys are first used between the host and the router to sign messages therebetween, thereby ensuring that a first communication between the host and the router is secure. The router generates a secret key and forwards it to the host, the secret key being encrypted at the router and decrypted at the host by use of the strong cryptographic keys. Further communication between the host and the router is signed by use of the secret key.

Abstract: A wireless LAN comprises an access point with a data communicator for data communicated over different channels, each using a respective wireless technology, and at least one mobile communications device with a data communicator for data communicated over the channels and using the wireless technologies. A first of the channels uses a wireless technology operating at a first frequency bandwidth, and a second of the channels uses a different wireless technology operating at a second, non-overlapping frequency bandwidth. The wireless technology used for the downlink channel operates at a higher data rate than the wireless technology used for the uplink channel. The controller controls data communications over the downlink channel and the uplink channel to maximise the downlink data communication QoS.

Abstract: Systems and methods are described which delegate reachability testing for mobility signaling in communication networks. A mobile node transmits a mobility signaling package to other network nodes, which can use the information contained therein to perform the delegated reachability testing.

Abstract: A method, a correspondent node and a mobile node provide anonymity and unlinkability to a mobile node in a session with a correspondent node. Sequence values, calculated based on secret data, are added to updates sent from the mobile node towards the correspondent node and are used by the correspondent node to authenticate updates from the mobile node. A home address of the mobile node is not explicitly disclosed. An expected care-of address is calculated at the correspondent node and used by the correspondent node to send data packets to the mobile node.

Abstract: Methods and home agent for building a plurality of individual binding updates in the home agent on behalf of a mobile node. One of the methods and the home agent is directed to receiving an Aggregated Binding Update (ABU) at the home agent from the mobile node, building the plurality of individual binding updates from the ABU and sending from the home agent each of the plurality of individual binding updates toward each of the different destination addresses. Each of the plurality of individual binding updates has a different destination address, which is specified in the ABU. Another of the methods and the home agent is directed to intercepting a plurality of binding acknowledgments destined to the mobile node, building an Aggregated Binding Acknowledgment (ABA) from the plurality of binding acknowledgments and sending the ABA toward the mobile node.