WO2005045642A2 - Secure, standards-based communications across a wide-area network - Google Patents

Secure, standards-based communications across a wide-area network Download PDF

Info

Publication number
WO2005045642A2
WO2005045642A2 PCT/US2004/036948 US2004036948W WO2005045642A2 WO 2005045642 A2 WO2005045642 A2 WO 2005045642A2 US 2004036948 W US2004036948 W US 2004036948W WO 2005045642 A2 WO2005045642 A2 WO 2005045642A2
Authority
WO
WIPO (PCT)
Prior art keywords
rnp
protocol
wireless
network
client
Prior art date
Application number
PCT/US2004/036948
Other languages
French (fr)
Other versions
WO2005045642A3 (en
Inventor
Nehru Bhandaru
Michael Carrafiello
Michael Cook
Webster Gaidos
Owais Hassan
Susan Hares
Albert Lew
David Morris
Martin Mueller
Michael Vakulenko
Original Assignee
Nexthop Technologies, Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nexthop Technologies, Inc. filed Critical Nexthop Technologies, Inc.
Priority to JP2006539669A priority Critical patent/JP2007532043A/en
Priority to EP04810412A priority patent/EP1692595A2/en
Priority to CA002545272A priority patent/CA2545272A1/en
Publication of WO2005045642A2 publication Critical patent/WO2005045642A2/en
Publication of WO2005045642A3 publication Critical patent/WO2005045642A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272Virtual private networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4604LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4633Interconnection of networks using encapsulation techniques, e.g. tunneling
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/50Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/162Implementing security features at a particular protocol layer at the data link layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/164Implementing security features at a particular protocol layer at the network layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/084Access security using delegated authorisation, e.g. open authorisation [OAuth] protocol
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/086Access security using security domains
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/088Access security using filters or firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W80/00Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/02Data link layer protocols

Definitions

  • the invention relates to the field of computer networking, and more specifically, to data encryption techniques used in conjunction with networking protocols.
  • remote connectivity may be used by employees in the following physical locations: Employee homes Branch offices WISPs • Hotels • Pay phones
  • the problem is that remote connectivity requires an enabling overlay infrastructure. This imposes burdens on the IT staff, adding maintenance and capital expenses on top of existing enterprise infrastructure, and generally requires employees to alter their pattern of computer activity depending on their physical locations — i.e., whether they use the enteiprise network from within the enterprise or remotely.
  • remotely connected employees may be restricted in terms of resources they can access; unless special measures are taken by the IT staff, employees often are denied remote access to resources they may routinely use when located within the enterprise.
  • a VPN that operates at layer 3 allows users of the VPN to utilize the high speed of their broadband Internet connections to connect to the enterprise. Since the VPN operates at layer 3, it works independently of whether employees use a cable modem, DSL, fixed wireless, or some other means as their broadband connection to the Internet.
  • VPN approach One problem with the VPN approach is the requirement that users adopt different behaviors when connecting to the enterprise remotely as compared with the familiar pattern of activity local to the enterprise. For instance, local users may either plug into the existing network with an Ethernet cable, or may use an 802.11 enterprise wireless network. However, when users are at a remote site such as their homes, an airport, or a WiFi hotspot, they are required to start their VPN client in order to connect to the enterprise.
  • a VPN generally involves a separate remote-access infrastructure that is deployed independent of the local enterprise edge-access infrastructure. Since the VPN server typically provides only layer 3 connectivity, many legacy layer 2 applications do not work across the VPN. While these legacy applications can be enabled to work across layer 3 networks, e.g., through use of application layer gateways, such additional gateways require even further maintenance and capital expenses from the IT staff.
  • Dialup POTS access for providing layer 2 connectivity can be provided with RAS products. However, dialup is subject to lost connections, consumes a phone line at the home, and has limited bandwidth. DSL access can provide layer 2 connectivity to the enterprise if the enterprise owns the
  • DSLAMs used to terminate the DSL lines are DSLAMs used to terminate the DSL lines.
  • DSL access may be leased from carriers, but this, too, involves high cost.
  • DSL access often cannot be universally provided to employees due to distance restrictions (since DSL will not operate beyond a certain distance) between the employee's DSL line and the DSLAM.
  • Carrier wireless data services over licensed spectrum include high-speed cellular data services provided by carriers such as Sprint and Verizon. These services are not universally available. Also, carrier wireless data services are (currently) limited in bandwidth compared to 802.11 and Ethernet.
  • Proprietary layer 2 clients have existed for many years to provide secure wired and wireless LAN access to enterprise resources using encrypted Ethernet, ATM, and 802.11 technologies.
  • the problem with these approaches is that they involve a dedicated layer 2 wide- area network in order to provide wide-area connectivity back to the enterprise.
  • 802.11 technology cannot be deployed over the wide area due to its limited (300ft indoor, 1km outdoor) range.
  • Ethernet has been deployed only in limited wide-area applications, and due to the same challenge of providing ubiquitous coverage as described above in the DSL scenario.
  • ATM has been implemented over wide-area networks, but providing ATM services to employees for remote access is expensive and generally not instantly available, since the provisioning of dedicated ATM lines to end users is a slow and time-consuming process.
  • the first phase of encryption is over the wireless medium, and uses existing secure layer 2 protocols such as 802. Hi and WPA.
  • the second phase of encryption is over the wired side of the access point.
  • the access point Before encryption begins, however, the access point must be configured to bridge the 802.11 traffic to 802.3 Ethernet, and then utilize a layer 2 tunneling protocol over IP such as L2TP to encapsulate the traffic in IP in order to ready that traffic for transit across a layer 3 Internet.
  • the access point may then encrypt the traffic using IPSec.
  • the traffic may be terminated within the enterprise by an IPSec VPN concentrator, and the L2TP headers stripped out by a router or the VPN concentrator.
  • a wireless client may associate with an access point which forwards the traffic via its RF interfaces to other access points. These in turn may forward the traffic to other access points until the traffic enters the wired network.
  • This point of entry is termed wireless integration service portal in 802.11 terminology.
  • hop-by-hop protection encryption, and integrity
  • PMK Packet-wise Master Key
  • This PMK is a security binding of trust between the wireless client, the authenticator and the trusted authentication server for their domain.
  • the client roams or re-associates to another AP in the same ESS and/or authentication domain, the client is forced to authenticate again adding latency to the roaming process. This latency could potentially interrupt the session (e.g. voice) between the wireless client and another device in the network.
  • the security of the wireless LAN protocols is restricted to enterprise usage by clients within the enterprise campus and cannot be extended across a wide-area layer 3 Internet.
  • This confinement of wireless security to the enterprise campus has at least two sources: 1.
  • the security is terminated locally at the access point, i.e., the wired interface of the access point transmits data free of security restrictions. Therefore, most access points, as well as many lightweight access point / wireless switch combinations that terminate security at the lightweight access point, are not able to securely transport 802.11 layer 2 traffic across a wide-area network. 2.
  • a secure layer 802.11-based protocol such as 802.1 li or WPA
  • Embodiments of the invention extends security from enterprise networks to wide-area networks by allowing secure connectivity to the enterprise layer 2 network across a wide-area layer 3 network, such as the Internet.
  • the benefits of this approach for providing secure layer 2 access to the enterprise network include: • Unified infrastructure. • Allowing enterprises to utilize either lightweight or heavyweight access points. • Extending the layer 2 enterprise network to the home, and public Internet facilities. • Option for simultaneous access to both remote ente ⁇ rise and local resources such as printers, IP fax services, etc. • Option for access to the Internet only through the enterprise to leverage enterprise-based IDS, firewall, and virus scanning. • Simultaneous co-existence of lightweight and heavyweight access points within the enterprise campus, including seamless mobility between these devices. • Standards based secure layer 2 wired connectivity. • Simpler VoIP to cellular roaming.
  • the present invention provides a unified infrastructure that allows enterprises to utilize the same wireless LAN switch for both local-campus wireless access as well as remote access. This feature saves both capital and operational expenditures as well as demands on technical support. It also supports transparent connectivity to end users, by ensuring that the behaviors for remote connectivity and local enterprise connectivity remain the same.
  • the unified infrastructure also facilitates availability to layer 2 networking protocols to remote users, thereby providing the full capability of the enterprise campus network to the remote users. This includes extending any policy-based layer 2 capability that the enterprise may have implemented within its campus to the remote users.
  • Figure 1 illustrates an STA — AP--L2/L3 Network — WVLAN in accordance with embodiments of the invention.
  • Figure 2 illustrates Multiple types of Encryption in accordance with embodiments of the invention.
  • FIG. 3 illustrates and embodiment of RNP protocol
  • FIG. 4 illustrates an embodiment of IP in IP tunnel and Embodiment of GRE tunnel
  • FIG. 5 illustrates embodiment of MPLS Tunnel
  • Figure 6 illustrates embodiment of TE embodiment of Differentiated Services TE tunnel
  • FIG. 7 illustrates an RNP protocol header in accordance with embodiments of the invention.
  • FIG. 8 illustrates an RNP protocol data stream into 5 sub-tunnels via the header in accordance with embodiments of the invention.
  • FIG. 9 illustrates embodiments of the RNP virtual client (RRP) in accordance with embodiments of the invention.
  • FIG. 10 illustrates the operation of and packet flow in a representative WiFi VPN client in accordance with embodiments of the invention.
  • FIG 11 illustrates Layer 2 encrypted in 802. Hi, WPA, WPA2, RC-4 non-encrypted, in accordance with embodiments of the invention..
  • Figure 12 illustrates imprinting steps in accordance with embodiments of the invention.
  • Figure 13 illustrates a state machine for Access Point in accordance with embodiments of the invention.
  • Figure 14 illustrates a message format for RNP-RC messages in accordance with embodiments of the invention.
  • Figure 15 illustrates a per WVLAN per Access Point State machine in accordance with embodiments of the invention.
  • Figure 16 illustrates a Security model with its security key of the tuple (VLAN,BBSID, Security type) in accordance with embodiments of the invention.
  • Figure 17 illustrates LEK/REK encryption of the unicast, broadcast and multicast traffic fiOm the security keys in accordance with embodiments of the invention.
  • FIG 17a illustrates Broadcast/Multicast separation in accordance with embodiments of the invention.
  • FIG. 17b illustrates Unicast Separation in accordance with embodiments of the invention.
  • FIG. 18 illustrates RNP Virtual Client with LEK/REK encryption in accordance with embodiments of the invention.
  • Figure 18a illustrates RNP Virtual Client - LEK, REK Derivation and RNP Virtual Client Encryption in accordance with embodiments of the invention.
  • Figure 18b illustrates RRP Ghent - LEK/REK Derivation and RNP Virtual Client
  • Figure 18c illustrates RRP Client Traffic Decryption by Local AP and WLAN Controller in accordance with embodiments of the invention.
  • Figure 18d illustrates RRP Client Traffic Encryption - By Local AP and WLAN Controller in accordance with embodiments of the invention.
  • FIG 19 illustrates LEK and REK Encrypted frame formats in accordance with embodiments of the invention-
  • FIG. 21 illustrates Wifi VPN in Wireless Mesh in accordance with embodiments of the invention.
  • Figure 22 illustrates PMK Sharing - Example PMK/S-PMK Flows in accordance with embodiments of the invention.
  • Figure 23 illustrates PMK Sharing Packet Flow in accordance with embodiments of the invention.
  • FIG. 24 illustrates Protocol PDUs for RNP-RC packets in accordance with embodiments of the invention.
  • Figure 25 illustrates Protocol PDUs for RNP RC packets in accordance with embodiments of the invention.
  • Figure 26 illustrates Protocol PDUs for RNP RC packets in accordance with embodiments of the invention.
  • Figure 27 illustrates Protocol PDUs for RNP_RC packets in accordance with embodiments of the invention.
  • Figure 28 illustrates Protocol PDUs for RNP-RC packets #5 in accordance with embodiments of the invention.
  • Figure 29 illustrates Protocol PDUS for RNP_RC packets #6 in accordance with embodiments of the invention.
  • FIG. 30 illustrates Protocol Exchanges for RNP_RC
  • Figure 31 illustrates Protocol PDUs for RNP_SM packets #1 in accordance with embodiments of the invention.
  • Figure 32 illustrates RNP PDUs for RNP_SM packets #2 in accordance with embodiments of the invention.
  • Figure 33 illustrates RNP PDUs for RNP_SM packets #3 in accordance with embodiments of the invention.
  • Figure 34 illustrates RNP PDUs for RNP_SM packets #4 in accordance with embodiments of the invention.
  • FIG. 35 illustrates RNP PDUs for RNP_SM packets #5 in accordance with embodiments of the invention.
  • FIG. 36 illustrates RNP PDU Exchanges for RNP-SM sub-protocol
  • FIG. 37 illustrates RNP Exchanges for 802. IX authentication
  • FIG. 38 illustrates RNP packets for RNP-DT sub-protocol in accordance with embodiments of the invention.
  • Figure 39 illustrates RNP packets for RNP-DF sub-protocol (#1) in accordance with embodiments of the invention.
  • Figure 40 illustrates RNP packets for RNP-DF sub-protocol (#2) in accordance with embodiments of the invention.
  • FIG 41 illustrates RNP packets for RNP-WP sub-protocol in accordance with embodiments of the invention.
  • Figure 42 illustrates RNP packet flow Showing SM, and DF for Association in accordance with embodiments of the invention.
  • Figure 43 illustrates RNP packet flow showing re-association in accordance with embodiments of the invention.
  • FIG. 44 illustrates RNP packet flow showing: imprinting and RNP Security in accordance with embodiments of the invention.
  • Figure 45 illustrates RNP PDU Flow for RNP-WP in accordance with embodiments of the invention.
  • FIG. 46 illustrates Enterprise Authentication Over Shared WISP Infrastructure in accordance with embodiments of the invention.
  • FIG. 47 illustrates Enterprise Authentication Over Shared WISP in accordance with embodiments of the invention.
  • a WiFi VPN extends security from an enterprise campus to a wide-area network by allowing secure connectivity to the enterprise layer 2 network across a wide-area layer 3 network, such as the Internet.
  • Embodiments of the invention may include multiple components, which may operate independently or in conjunction. Combinations of such components support a flexible framework for a WiFi VPN.
  • security provisions for an enteiprise network are extended by tunneling 802.11 management and optionally layer 2 data traffic for a wireless station (STA) to a wireless controller/switch using a routed protocol.
  • STA wireless station
  • Non-limiting examples of tunneling protocols that may be routed include: • UDP over IP, or • IP in IP, • IP -sec, • GRE encapsulation, or .
  • MPLS MPLS
  • the tunnel is between the lightweight access point AP and the WLAN switch (Layer2/Layer3), or the wireless chent and the WLAN switch.
  • Wireless encryption is teraiinated on the switch/controller or on the AP. Bridging to 802.3 can happen on the Switch/Controller or the AP.
  • FIG 1 shows the logic of this method.
  • the termination of the WiFi VPN at WLAN switch Figure point 105.
  • Wireless station (101) connects to an Access Point (103) across Wireless network (102).
  • a tunnel is created between the AP (103) and Wireless Controller (105) over a Layer2/Layer 3 network (104).
  • Wireless Point 106 connects over a second wireless network (107) to an lightweight Access Point (108).
  • LWAP (108) to the wireless control (105) a tunnel is created over the IP network (109).
  • FIG 2 shows a non-limiting embodiment of this method of creating and using tunnels between several lightweight Access Points (LWAP) (202, 210, 214) and a Wireless Controller switch router (207) using a variety of protocols.
  • LWAP lightweight Access Points
  • the LWAPs connect several wireless stations (201,208,212) to the Internet.
  • Figure 2 shows 5 types of tunnels: UDP/IP tunnel (203), GRE Tunnel (204), L? in IP tunnel (205), MPLS Label- Switched-Path (LSP) (211), and an IP-Sec (212) running across different networks.
  • LSP MPLS Label- Switched-Path
  • IP-Sec IP-Sec
  • security is provided by the 802.11-based standards-based security protocols such as WPA and 802. Hi.
  • Encapsulation of the layer 2 packets into the WiFi VPN protocol is performed by either a lightweight access point or virtual interface client software within a PC, PDA or VoWLAN phone.
  • WiFi VPN traffic can then be sent securely to the wired interface of a wireless LAN switch, which allows the traffic to be unencrypted and bridged to an enterprise wired networks.
  • the lightweight protocol running over UDP/IP is the Remote Network Protocol (RNP) that communicates between either the lightweight access point and the WVLAN switch, or the wireless client and the WVLAN switch.
  • RNP Remote Network Protocol
  • This invention provides a method to separate AP Management (RC), Station Management (SM), Data Tunneling (DT), Captive Web Portal, and Data Forwarding control endpoints.
  • RC AP Management
  • SM Station Management
  • DT Data Tunneling
  • Captive Web Portal Captive Web Portal
  • Data Forwarding control endpoints may be tem ⁇ iate on other APs or Switches or other devices not necessarily co-located with the Wireless Controller.
  • the tunneling of management and data traffic via the RNP protocol may use one or more of the following sub-tunnels: RNP-RC - radio control, RNP- SM - station management, RNP- DT - Data Tunneling, RNP-WP - Captured portal, and RNP-DF - Data forwarding control
  • the RNP protocol is extensible with respect to further addition of other types of sub-tunnels.
  • FIG. 3 shows the packet encapsulation of RNP protocol header (304) following the
  • UDP header (303), following the IP header (302), over a lower layers headers (MPLS and/or Ethernet header (301).
  • the RNP protocol header has three parts: RNP common header (304), RNP sub-protocol header (305), and RNP sub-protocol specific data (305).
  • the RNP header specifies the sub-protocol in the type field.
  • Figure 3 also shows how the common header splits the protocol into separate sub- protocol streams with sub-protocol headers and data associated with that sub-protocol: • RNP-RC: RNP common header (310), RNP-RC sub-protocol header (311), and RNP-RC sub-protocol data (312), • PvNP-SM: RNP common header (310), RNP-SM sub-protocol header (313), RNP-SM sub-protocol data (314), • RNP-DT: RNP common header (310), RNP-DT sub-protocol header (315), RNP-DT sub-protocol data (316) • RNP-WP: RNP common header (310), RNP-WP sub-protocol header (317), RNP-WP sub-protocol data (318) • RNP-DF: RNP common header (310), RNP-DF sub-protocol header (319), RNP-DF sub-protocol data (320)
  • Figure 4 shows embodiments of this invention with the RNP protocol running over an IP- in-IP tunnel or a GRE tunnel.
  • the RNP protocol header (404, 405, 406) follows the tunnel header for IP in IP (402, and 403).
  • Figure 4 also shows an embodiment of the invention with a GRE tunnel header (411) in front of the RNP headers (412, 413, 414).
  • Figure 5 shows an embodiment of the RNP protocol running over a MPLS Label Switched path as a virtual tunnel and the RNP protocol running over a Differentiated Services logical tunnel based on forwarding queues.
  • Figure 7 shows an embodiment of the RNP protocol's common header version 1.0 of the RNP protocol.
  • Figure 7 expands the field 304 from Figure 3 to show the actual header fields: version (701), security version (702), flag (703), type (704), length (705), and sequence (706).
  • the type field contains the sub-protocol types (RNP-RC, RNP-SM, RNP-DT, RNP-WP, RNP- DF).
  • Figure 8 demonstrates how these RNP sub-protocol streams can split the operation of the lightweight access point (LWAP) over different tunnels.
  • wireless station 801 communicates with LWAP 803 over wireless network (802).
  • LWAP 803 uses the RNP protocol over tunnel, LWAP 803 sends one or more of the following: • the radio control information sent to WLAN controller 1 (805) using RNP-RC messages, • the station management information to WLAN controller 2 (806) using RNP-SM, • the data is sent WLAN controller 3 (808) using RNP-DT and RNP-DF messages, • Captive Web portal information is sent to WLAN controller (808) via RNP-WP messages,
  • Figure 8 also shows a tunnel from a LWAP device (819) to the WLAN controller 3 (809) that carries all RNP messages (816) across a Iayer2/layer3 network (815).
  • Embodiments of the invention extend the tunneling protocol to build a virtual interface at the client, and extend the tunneling protocol to that chent.
  • the virtual interface concept applies to clients with a wireless as well as a wired (Ethernet) network interface.
  • Some such embodiments create a WiFi VPN that uses 802.11 technology across a Layer 3 network.
  • the station can be a PC, PDA or VoP phone.
  • Other suitable instantiations shall be apparent to those skilled in the art.
  • the WiFi VPN client encrypts by using WPA, 802. Hi, or another suitable encryption protocol, and then encapsulates in the Remote Network Protocol (RNP).
  • RNP Remote Network Protocol
  • Figure 9 shows how a virtual chent can run on a PC (901) on a wireless network (902) and communicate across a 3rd part access point (903) that does not support the RNP protocol.
  • the RNP protocol is created on the virtual client on the PC (901) and ships the RNP sub- protocol streams to two different controllers WVLAN controller 1 (904), and the WVLAN controller 2 (905).
  • Figure 9 also shows how a PDA can run the virtual software.
  • the tunnel exists across a wireless network (921) to a LWAP point with this invention.
  • the virtual client passes RNP sub-protocol streams (931) to the WVLAN controller 3 (935).
  • a third option for the use of these virtual clients is illustrated in Figure 3 wherein the connection of the virtual client on the PC (942) connects to a LWAP point (941) across a wireless network (943), and joins a tunnel (952) passing RNP sub-protocol messages (951) to WVLAN controller 2 (934).
  • Step 1 Application data is sent toward a wired host in the enterprise (1001), • Step 2 - Application resolves it to an RNP virtual client via IPv4 stack (1004) to RRP 1007, or via IPv6 stack (1005) to RRP 1007, • Step 3 o a) Client encrypts the packet. As non-limiting examples, the encryption may be performed using 802.1 li, WPA, WPA2, RC4 or other encryption algorithms.
  • client sends via the RNP protocol (RNP-DT, RNP-DF, RNP- WP, RNP-SM) to the controller over a UDP/IPv4 tunnel or a UDP/IPv6 tunnel.
  • Step 4 The remote WVLAN controller 4 processes the RNP packets as other packets.
  • Embodiments of this invention use layer 2 encryption protocols, such as 802.1 li instead of IP layer secure tunnels (such as IP-Sec) to secure wireless data.
  • Figure 11 illustrates an example of a network in which different access points are encrypted with different layer 2 encryptions such as, by ay of non-limiting example, 802.11i, WPA, WPA, RC-4.
  • Embodiments allow each of these access points (1103, 1108, 1110, 1121) to: o encrypt a wireless stations traffic with an encryption, o pass the traffic to the remote WVLAN controller via the RNP protocol (1113, 1114) , and, o decrypt the traffic on the WVLAN controller (1105) .
  • Such embodiments protect the user data between the lightweight access point and the layer2/layer switch without using an IP layer secure protocol (such as IP-Sec).
  • this encrypted data can run in parallel with the non-encrypted data (AP 1108) in the RNP protocol.
  • Embodiments of this invention terminate the encryption of the data on a wireless LAN switch.
  • Other embodiments of this invention terminate the encryption of the data on a Switch/Router.
  • Yet another embodiment of this invention terminates the encryption on another Access Point.
  • Embodiments of this invention has a method for aNextHop WiFi AP to be "imprinted” with information from a Wireless Controller/Switch by implementing a mechanism known as “Imprinting”.
  • “Imprinting” includes one or more of the following steps: 1.
  • the WiFi AP and the Wireless Controller/Switch discover each other over a Layer 2 network using a broadcast RNP-RC (Radio Control) message.
  • the RC- Name-Request message is used for this purpose.
  • the AP storing the discovered addressing information for the controller (e.g. DNS name, IP Address) in its persistent memory e.g. Flash memory 4.
  • the future sessions may be established after moving the AP to a new location.
  • the new location may have a Layer 3/IP network between the AP and the controller. 5.
  • the secondary information is communicated via RNP- RC protocol and is stored in the AP persistent memory.
  • the DNS name or IP address of the controller is provisioned on the AP via a local mterface (e.g. serial interface).
  • a local mterface e.g. serial interface
  • Figure 12 aligned with the RNP messages. Steps 1-5 are listed as items (1200, 1203, 1204, 1205, 1206) respectively in this Figure.
  • Figure 13 provides the state machine for the Access Point in sending RNP- RC messages. In this state machine there are three states: Discovering (1301), Connecting (1302), and Connected (1303).
  • FIG 14 illustrates an example message format for the RNP-RC messages for imprinting.
  • the RNP-RC messages have the RNP common header (304), followed by an RC specific header (1400), followed by a RNP-RC type specific format.
  • the RNP-RC header has the fields for: major version (1401), minor version (1402), primitive (1403), Transaction ID (TID) (1404), length (1405).
  • the RNP-RC messages for imprinting include: o RNP-RC_MSG_NAME_REQUEST_MESSAGE (message body 1406- 1407) o RNP-RCjVISG_CONNECT (message body description is 1408-1410) o RNP-RC _MSG_ACCEPT (message body description 1411-1412), o RNP-RC_MSG_MIGRATE (message body description 1413) o RNP-RC_MSG_DISCONNECT (message body description 1414)
  • Figure 15 shows an embodiment of this method in a state machine for the WVLAN controller supporting an imprinting.
  • This state machine has 5 states: Unknown (1501), Discovered (1502), Connecting (1503), Mine (1504), Connected (1505).
  • the state transitions between these states are caused by the following events: o User interface changes: GUI creation (1520), GUI delete (1521), GUI assignment ( 1522), GUI un-assignment ( 1523), o Timer expirations: discover timer (1524), connect timer (1525), and o RNP-RC messages received: RNP-RC_MSG_NAME_REQUEST (1510), RNP-RCJVISGCAP ABILITIES (1511). Each event may or may not have an action associated with it.
  • VLAN Virtual LAN
  • VLANs Virtual LAN Assignment and Separation of Virtual LANs (VLANs) Over Air Using Different Encryption Keys
  • the 802.11 standard does not define a mechanism to assign VLANs to 802.11 data traffic over the air.
  • an Extended Service Set ESS is mapped to a single VLAN.
  • An ESS, and thus VLAN, typically implements a single type of security protection for the 802.11 data traffic.
  • Embodiments of the invention allow multiple VLANs to be advertised and their traffic segregated over the air. In embodiments, this is accomplished by allowing multiple security types to be associated with each ESS, each of which is assigned a VLAN. In embodiments, if no VLAN is associated with an ESS security type, then the VLAN assigned is determined by the default VLAN configured for the ethernet interface on the AP. In addition, a policy-based VLAN (RFC 3580) may be assigned by a AAA server or a Directory server on a per-user (client station) basis. One restriction on the security types chosen for an ESS is that either all or none of them must provide over the air encryption.
  • Embodiments of the invention include security models as well as methods of encrypting traffic using such security models.
  • a security key is associated with each virtual interface denoted by a tuple, including the tuple denoted ⁇ VLAN, BSSID, Security Type> where "BSSID” denotes the Wireless MAC address of the (potentially virtual) AP which is advertising the ESS, "VLAN” denotes a supported VLAN (either via assignment to Security Type as default, policy or governed by network topology), and "Security Type” is one of the security types supported by the Wireless Network.
  • the security types that may be supported include: • 802.11 Open Authentication with no encryption, • 802.11 Open Authentication with static WEP key, 802. IX with dynamic WEP encryption, WPA (TKIP), WPA2 and 802.1 li (AES), • 802.11 Shared Authentication with static WEP key
  • Figure 16 illustrates the security model with its security key of the tuple ⁇ VLAN,BBSID, Security type> and the security types of: 802.11 Open Authentication with no encryption (1610), 802.11 Open Authentication (1611), and 802.11 Shared Authentication (1612).
  • all broadcast traffic over the air is encrypted with the security key for the virtual interface. All unicast traffic over the air is protected by the pair-wise key negotiated for the security type between the AP and the client.
  • This mechanism supports multiple VLANs over the air for associations via a single (potentially virtual) AP (with a unique BSSID) and achieves the desired VLAN data traffic separation over the air preserving VLAN semantics.
  • Figure 17 illustrates the encryption of the broadcast, multicast and unicast traffic between a wireless station (1701) and an AP (1703).
  • the traffic flows from the wireless station across the wireless network (1702) to the AP (1703) to the wireless controller (1705).
  • the unicast traffic (1711) is encrypted with the pair-wise key (1710) negotiated between the AP and the client and sent in unicast packets (1713, 1714, 1715) to the AP.
  • the broadcast data traffic (1721) is encrypted with the broadcast key for the virtual interface (1720) and sent as packets (1716) across the wireless network(1702).
  • the multicast data (1723) is encrypted with a per group key (1722) and sent across the wireless network (1702).
  • Decryption of the packets occurs on the AP (1703) or the Wireless controller (1705).
  • the un-encryption (decryption) of the packets is based on the type of packet as determined from the packet Layer 2 addressing information.
  • the un- encryption (1706) uses the appropriate key per type of data: Unicast pair-wise key (1710) , Broadcast key (1720), and Multicast (1722).
  • RRP The embodiment of the RNP in the WiFi VPN chent is sometimes referred to by the acronym "RRP".
  • RRP is synonymous with the use of the RNP in the WiFi VPN virtual client.
  • an RRP client allows 802.11/802.1 li based security to be applied to providing a wide-area VPN without use additional infrastructure such as IPSec or PPTP.
  • the RRP client is remotely connected to the Wireless LAN Controller/Switch over a Layer-3 network.
  • One application of such a topology is to a branch office wireless network.
  • both traffic destined to local network e.g. a local printer
  • the remote corporate office share the same 802.11 (802.1 li) based authentication mechanism and policy controlled by the corporate office.
  • the RRP client provides a routing function that works as follows: 1.
  • One or more local encryption keys (LEKs) and one or more remote encryption keys (REKs) are derived from the authentication process. Without limitation, multiple LEKs and REKs may be derived each for a combination of local or remote destination and traffic type (Unicast, Broadcast, and Multicast).
  • Unicast LEK or REK derivation involves the use of one-way hash function over the 802.1 li derived PTK (Pairwise Transient Key) o
  • Broadcast LEK or REK derivation involves use of Unicast LEK or REK to encrypt a random key and passing that key to the chent.
  • multicast LEK or REK derivation involves the use of Multicast LEK or REK per group to encrypt a random key and passing it to the client.
  • the multicast REK is used to encrypt multicast traffic destined for a group. 2. Traffic is segregated into two portions: Traffic that will be sent to the local network and traffic that is destined for a remote network. 3.
  • LK local encryption key
  • REK remote encryption key
  • Figure 18 shows one embodiment of this invention to encrypt local traffic and remote traffic with different keys (LEK, REK).
  • the virtual client running on wireless station (1801) encrypts the locally destined data (1811) with a local encryption key (1810) and sends the data in packets flagged with the "locally" transmitted data (1813 and 1814).
  • the local virtual client (1806) puts the packets (1813 and 1814) through a un-encryptor (1809) with the local key (1810) to decrypt the data.
  • the remote client on WVLAN controller 2 (1808) receives the packets (1822, 1823) across one wireless network (1802), and several wired networks (1804, 1807). Using an un-encryptor (1809) and the REK (1820), the data is unencrypted to restore the original data (1821).
  • This mechanism allows traffic destined to the remote network to be encrypted without additional overhead or VPN to be implemented on the AP.
  • the AP may disambiguate between traffic destined to the local network from the remote network using a special bit in the 802.11 frame fields (e.g. frame control, a special reserved mac address such as address 4 in the frame).
  • Figure 18 also shows this branch office scenario topology that utilizes the "Routing Intelligence" that keys on the special portion of the 802.11 frame and encrypts the local traffic using a LEK and remote traffic using an REK.
  • Figure 18a shows a client uses LEK/REK to encrypt data.
  • Figure 18b shows how a client users LEK/REK to decrypt data.
  • Figure 18c shows how local traffic may be passed unencrypted and remote traffic passed encrypted,
  • Figure 18d shows remote encrypted traffic is demuxed from local traffic. Local traffic in Figure 18d is also encrypted prior to forwarding it.
  • Figure 19 shows the special Frame control field and a special MAC address for unicast traffic.
  • the currently unused 802.11 frame control field values may be used to denote that the frame is encrypted using a REK and that it will be decrypted at the destination.
  • the local AP will simply bridge this frame to the wired network.
  • an optional special message integrity checksum using LEK may be used or this type of bridging is restricted to RNP protocol PDUs to known destinations.
  • This invention includes methods to support the bridging of 802.11 frames via RNP over Wireless (802.11) network infrastructure until the point where it enters (1) the wired network or a wireless LAN switch or an access controller or (2) another device in the network that has the security state to decrypt the client traffic.
  • This approach avoids hop-by-hop encryption that is specified by the current wireless standards and practice when applied to mesh-based wireless networks.
  • 802.11 frames from a wireless chent station enter a RF/Wireless Mesh-based distribution system at an AP and are bridged and routed to the integration service portal via RF interfaces on other APs in the mesh.
  • the system does not terminate 802.1 li or other encryption on the AP where the station traffic enters the RF mesh, but does so at the point where it enters the wired network.
  • Figure 21 shows one embodiment of this invention.
  • the packets from wireless client (2110) are transmitted are encrypted at access point 1 (2103) and transmitted via RNP to the wireless controller (2109).
  • the pathway from AP-1 to the wireless controller is: • via AP- 1 (2103) across the wired network 1 (2104) to AP-2 (2105), • from AP-2 (2105) across the wireless network (2106) to the AP-3 (2107), and • from AP-3 (2107) across the wired network (2108) to the wireless controller (2108).
  • the Wireless LAN Switch or Controller architecture provides an 802.1 li authenticator component that obtains the PMK based on current standards.
  • This PMK is known only to the authenticator for the current client association between a client and a authentication server. However, if the switch contains an authenticator component for more than one AP, the PMK may be shared among the APs (or 802.11 BSSes) without violating security guarantees.
  • the PMK for a given client and the authentication server used by each authenticator may be: • Identical • derived from another PMK for the same client and authentication server, or • combination using implicit or publicly observable information using a one-way cryptographic hash function such as a HMAC-SHA1.
  • This method may be used to avoid the superfluous (re-) authentication to the network while re-associating or roaming to another AP within an ESS or within an authentication domain.
  • One way for the wireless client and the AP to use the above mechanism is to advertise the capability to perform PMK sharing and fast roaming as described here. Such advertisement could use additional 802.11 information elements or additional components (bits) in the capabilities in standard 802.11 informational elements such as 802.1 li RSN an information element. Sharing, such as above, is also possible when roaming between multiple WLAN switches or controllers. It is also possible to share a PMK between a Wireless LAN switch or controller and a traditional fat AP or between fat APs themselves.
  • an authenticator for an AP obtains roaming authorization tokens from the authentication server for the APs in its RF neighborhood when the wireless chent first authenticates to the network.
  • the authenticator may pass the BSSIDs in the Wireless network for the RF neighborhood of the station associating to the authentication server using RADIUS messages. These messages could be the same ones as that which are being used to transport EAP messages from the client.
  • the authenticator may communicate
  • ESS identification e.g. SSID
  • security mechanism e.g. 802. Hi
  • One mechanism for doing this is to use (potentially new or vendor-specific) RADIUS attributes with this information in the case where AAA service is provided by a RADIUS server.
  • Figure 22 show an embodiment of this logical interaction of the PMK tokens with the Radius AAA service.
  • Figure 23 shows a normal packet flows for PMK tokens using the Radius EAP packets.
  • the authentication server Using the ESS, BSS and Security information in the request, the authentication server
  • RADIUS Radius-Accept message
  • the PMK authorization tokens are generated for APs in the RF neighborhood using public key encryption - by encrypting the PMK or material derived from PMK using the target AP public key - if the Access Points (APs) share public keys or public key certificates or part of a public key infrastructure.
  • the authorization tokens may be transmitted on a public network or over the air and can only be decrypted by the corresponding AP to obtain the PMK using a shared secret between the AP and the authentication server or the receiving Access Points (APs) own private key when using the public key mechanism. The superfluous re-authentication process and its resultant latency in a roam are thus avoided.
  • One mechanism of this invention for transferring the PMK or authorization tokens is using the wireless client to transfer the PMK.
  • the tokens may be distributed to the client gratuitously (for example, using a to-be-defined 802.11 management frame or 802. lx frames) or upon request from the client.
  • the chent transfers these tokens to the target AP as part of or prior to the 802.11 re-association procedure. This mechanism preserves the security trust binding of a PMK between the authenticator, the wireless client and the authentication server.
  • Another mechanism for transferring the PMK or authorization tokens is to use a RNP or other protocol frame addressed to the target AP.
  • Yet another mechanism for transferring authorization tokens is to provide these tokens securely encapsulated or encrypted in the standard EAP mechanisms used for authentication (e.g. 802.1 li).
  • An authorization token for to which the wireless client is currently associated may optionally be passed using this mechanism validating the 3 -way trust binding between the chent, authenticator and the AAA server.
  • Embodiments of this invention includes methods for encoding PDUs in the Remote Network Protocol (RNP) packets, as well as the packet exchanges and state machines for handling such packet exchanges
  • RNP Remote Network Protocol
  • Such embodiments support multiple sub-protocols by using a "type" field in the RNP protocol. This method allows the number of sub-protocols to be extensible to large numbers of sub-protocols.
  • Embodiments also allow sub-protocols to further sub-divide into to sub-streams.
  • An embodiment of this invention uses the "primitive" field in the sub-protocol headers to split the sub-protocols.
  • Embodiments of the invention allow ente ⁇ rise authentication to be used by the hotspot provider, rather than a separate authentication. This allows an enteiprise to share the WISP infrastructure, using, by way of non- limiting example, a subscription based business model, while maintaining control of enteiprise access. Some such embodiments also utilize a single authentication for a given client access. Such embodiments also allow two different clients associating with the same WISP AP to be authenticated at different ente ⁇ rises.
  • a late / lazy binding from the client to the wireless LAN Controller/Switch can be made by the WISP AP intercepting the EAPOL start message sent by the client, and returning a EAPOL request identity message.
  • the WISP AP may also send an EAPOL request identity message to the chent gratuitously without waiting for the EAPOL start message.
  • the wireless client may respond to the request identity message with a EAPOL response identity message which includes a cleartext field with the chent's domain name.
  • this domain name can be (1) a DNS name, (2) the name of the chent's ente ⁇ rise that can be looked up against a DNS server or (3) a directory (e.g. LDAP) server to obtain the IP address or DNS address of the wireless LAN Controller/Switch to which the chent will connect.
  • further EAPOL messages are tunneled to the WLAN Controller/Switch using the WiFi VPN (RNP) encapsulation protocol.
  • the authentication is done by the ente ⁇ rise authentication server that terminates the EAP protocol within the ente ⁇ rise.
  • the WISP AP is directed to allow data traffic flow only if the wireless client is successfully authenticated via the RNP protocol.
  • Figure 46 shows the network topology applicable to this invention.
  • Figure 47 illustrates the packet flow for the authentication process.
  • the WISP AP may forward all client data traffic to their respective ente ⁇ rise
  • RNP Remote Network Protocol
  • the RNP protocol runs over the UDP/IP protocol and supports multiple sub-protocols.
  • RNP-RC Radio Control
  • RNP-SM RNP-Station Management
  • RNP-DT RNP-Data Transfer
  • RNP-WP RNP- Web Portal
  • RNP-DF RNP-Data Forwarding
  • the RNP protocol is extensible to any number of sub-protocols via the RNP header methods that specify the type field ( Figure 7 item 704).
  • Figure 3 shows, the information following the RNP common header (Figure 3 item 304) is the RNP sub-protocol specific header ( Figure 3 item 305), followed by the RNP sub-protocol specific data.
  • the sub-protocol header for the RNP-RC sub-protocol contains the following information as shown in Figure 24: • RNP-RC-version (2 bytes) - the version of the RNP-RC sub-protocol (item 2402) • Primitive type - the type of action primitives used to operate the RNP-RC functions (item 2403) » Transaction identifier - If a transaction is initiated by the wireless controller, this field will contain an ID. Responses from the Access Point will contain this identifier to match requests with responses (item 2404) • Content Length - Length of the Message Content (item 2405) • Content - RNP-RC sub-protocol specific data (item 2406)
  • the RNP-RC protocol method further defines the primitives as the table below.
  • AP Access Point
  • SP Wireless Controller Service Point
  • RNP-RC sub-protocol A key benefit of this RNP-RC sub-protocol is the discovery, configuration and management of options (managed wireless station options) names and request.
  • Figures 24 shows an embodiment of the RNP_RC_MSG_CAP ABILITIES packet (2410) and the RNP_RC MSG_ACCEPT packet (2420).
  • Figure 25 shows the RNP_RC_MSG_CONFIGURE packet (2500) and the RNP_RC_MSG_CONF_RESP packet (2510).
  • Figure 26 shows the RNP_RC_MSG_MO_SET packet (2600) and the RNP_RC_MSG_SET_RESP packet (2610).
  • Figure 27 shows the RNP_RC_MSG_MO_GET packet (2700) and
  • FIG. 28 shows the RNP_RC_MSG_TRAP packet (2800), RNP_RC_MSG_MEASUREMENT packet (2810), and the RNP_RC_MSG_NAME_REQUEST packet (2820).
  • Figure 29 shows the
  • RNP_RC_MSG_CONNECT packet (2900)
  • RNP_RC _MSG_LogPacket 2910
  • Figure 30 shows a sample protocol exchange for the RNP-RC sub-protocol.
  • Figures 31 through 35 show an packet formats for the RNP-SM sub-protocol sub-streams packets.
  • the current embodiment of the RNP-DT message does not support sphttmg the RNP-DT sub- protocol into sub-streams RNP DF sub-protocol
  • the DF-Server is a point that connects the tunnel to a wired network.
  • the DF-Client is a point that interfaces the wireless Access Point (AP) to the tunnel.
  • An embodiment of an DF-Client can be an AP.
  • An embodiment of a DF-Server can be an AP or a standalone appliance.
  • Each of these sub-protocol primitives have a field for a request/response.
  • One end of the connection (DF-Server or DF-Client) sends a "request" message, and the remote end of the connection (DF- Server or DF-Client) sends a "response" message.
  • the RNP-WP sub-protocol supports the Web Portal function.
  • the Web Portal functions limits the traffic to information needed to exchange data with a Web Portal to obtain the correct information.
  • the current embodiment of the RNP-WP sub-protocol does not have any sub- protocol primitives.
  • the benefits of this approach for providing secure layer 2 access to the enterprise network include: • Unified infrastructure. • Enterprises can utilize either lightweight or heavyweight access points. • Extends the layer 2 enterprise network to the home, and public Internet facilities. • Option for simultaneous access to both remote enterprise and local resources such as printers, IP fax services, etc. • Option for access to the Internet only through the enterprise to leverage enterprise-based IDS, firewall, and virus scanning. • Simultaneous co-existence of lightweight and heavyweight access points within the enterprise campus, including seamless mobility between these devices. • Standards based secure layer 2 wired connectivity. • Simpler VoIP to cellular roaming.
  • the present invention provides a unified infrastructure that allows enterprises to utilize the same wireless LAN switch for both local-campus wireless access as well as remote access. Unlike currently available remote connectivity solutions, separate infrastructures for LAN and WAN connectivity need not be deployed. For the IT staff, this saves both capital and operational expenditures, including a reduction in the amount of technical support required, because a wireless LAN deployment over the enterprise campus will work for remote access as well. For the end user, this means that the behaviors for remote connectivity and local enterprise connectivity will be the same.
  • the unified infrastructure also means that layer 2 networking protocols and services are available for the remote user, thereby providing the full capability of the ente ⁇ rise campus network to the remote users. This includes extending any policy-based layer 2 capability that the enterprise may have implemented within its campus to the remote users.
  • Enterprises can use either lightweight access points (which are more easily managed by the enterprise), heavyweight access points (less expensive and more ubiquitous at public Internet access facilities), or a combination of both.
  • the lightweight access points can be deployed within the campus to give the ente ⁇ rise centrahzed control of the local radio environment.
  • traditional heavyweight access points can be used in public Internet access settings.
  • Ente ⁇ rises may wish to use either heavyweight or lightweight access points for home and branch office applications, depending upon ente ⁇ rise needs. Within the ente ⁇ rise, a combination of existing heavyweight access points can be augmented with lightweight access points.
  • WiFi VPN can extend the enteiprise network to employees' homes.
  • Employees can open their laptops at home and immediately connect to the enteiprise layer 2 network without the need to invoke special remote VPN client software.
  • Employees may also utilize VoWLAN phones to enable voice communications from the enteiprise to the employees' homes. Still further, employees can initiate voice communications utilizing ente ⁇ rise voice infrastructure from the VoWLAN phone.
  • a WiFi VPN for the branch office allows enteiprises to realize significant cost savings by connecting the branches to the ente ⁇ rise headquarters via an Internet connection, as opposed to an expensive leased line connection.
  • a WiFi VPN operates at layer 2, so employees in branch offices can have access to the same legacy applications available on the ente ⁇ rise campus.
  • the invention also extends pohcy-based layer 2 networking from the ente ⁇ rise and simplifies the IP addressing within the branch offices.
  • the present invention allows a public Internet provider to negotiate a billing arrangement with the employees' ente ⁇ rise to allow connectivity to the public Internet IP address and UDP port number of the ente ⁇ rise's WiFi VPN presence on the Internet.
  • the ente ⁇ rise can then signal the successful connection of a WiFi VPN chent to the provider for billing pmposes.
  • This functionality allows two individuals from different ente ⁇ rises to simply open their PC lids at a hotspot, and they will each be automatically connected to their co ⁇ orate facilities without performing a single keystroke or mouse movement.
  • IP routing can be configured on the WiFi VPN client in the manner of existing layer 3 VPN clients so that devices reachable locally (such as printers, IP fax machines, etc.) using the physical wireless (or wired) interface are routed locally by the client.
  • the WiFi VPN chent can be used for all traffic by configuring the appropriate IP routing tables on the chent device. This forces all traffic between the client hardware and the ente ⁇ rise going out to the Internet to utilize the ente ⁇ rise's Internet connection.
  • ente ⁇ rise tools such as IDS, IDP, firewall, and antivirus programs can be applied to remote users. This may be a desirable security model for ente ⁇ rises seeking to control the software and agents that actually enter the ente ⁇ rise's client hardware devices.
  • WiFi VPN client Another advantage of the WiFi VPN client is that it allows simultaneous coexistence between traditional heavyweight access points and hghtweight access points.
  • seamless lOaming can be accomplished between heavyweight access points and hghtweight access points, both connected to the same network of WLAN switches.
  • all the wireless benefits described in the present invention apply to both heavyweight and lightweight access points.
  • the present invention is applicable both to wireless and wired LANs.
  • the wireless LAN switch can serve as a encrypted wired switch to encrypted wired traffic using the same 802. Ix, WPA, and 802.1 li technology that is used to encrypted wireless LAN traffic.
  • a challenge with VoWLAN is determining how to integrate VoWLAN and cellular voice calls.
  • the VoWLAN call can be terminated at the ente ⁇ rise.
  • One advantage of this mechanism is that any VoWLAN handset can be used at any hotspot, since it will connected back to the enterprise VoIP infrastructure using the WiFi VPN. This means that off-the-shelf VoWLAN handsets can be used with essentially any hotspot for VoWLAN, and that the handset user can be reachable anywhere in the world simply by dialing the ente ⁇ rise extension of the handset user.
  • Integration with the cellular network becomes a simple matter of forwai'ding calls from the cellular phone number of the handset to the DID number of the ente ⁇ rise, and vice versa if the handset if out of range of a hotspot.
  • This also has the advantage of allowing the same handset with the same cellular phone number to be used as an ente ⁇ rise extension with multiple ente ⁇ rises in a serial fashion, as in the case of a contractor / temporary employee.
  • Embodiments of the invention include a Remote Network Protocol (RNP) which has various advantages over existing protocols such as L2TP and GRE.
  • RNP uses separate UDP port numbers for controlling and monitoring the radio, the station authentication, and the station traffic. This reduces the computational load on the switch of classifying packets according to their contents. It also prevents a station authentication packet from blocking a data packet. The packets can instead be classified in hardware based on their port numbers, which improves performance.
  • the UDP nature of the RNP is also very important since TCP has slow start mechanisms and additional processing overhead that increase computational requirements for the hghtweight access point.
  • the RNP together with the switch architecture assumes that all time-insensitive 802.11 MAC layer operations will be performed on the WLAN switch, and that time-sensitive 802.11 operations will be performed on the hghtweight access point.
  • This split of 802.11 layer functionality allows the RNP protocol to be latency-tolerant across wide-area networks with varying latency. With the incorrect split, a similar approach cannot operate properly across a wide-area network.
  • the RRP protocol uses low framing overhead to ensure high performance and low computational overhead on the lightweight access point. The low overhead also assists with performance on the WLAN switch.
  • 802.11 frames from a wireless client station enter a RF/Wireless Mesh-based distribution system at an AP and are bridged and routed to the integration service portal via RF interfaces on other APs in the mesh.
  • the system does not te ⁇ ninate 802.1 li or other encryption on the AP where the station traffic enters the RF mesh.
  • the frames are bridged in the encrypted format via RNP over Wireless (802.11) interface until the point where it enters the wired network or a wireless LAN switch or an access controller or another device in the network that has the security state to decrypt the chent traffic.
  • This approach avoids hop-by-hop encryption that is specified by the current wireless standards and practice.
  • the approach of the RNP protocol with regard to reliability is also unique compared to L2TP and GRE.
  • all traffic is treated identically.
  • all packets must be somehow guaranteed delivery, which can add significant overhead and delay to data frames that do not need guaranteed delivery. If delivery is simply not guaranteed, then successful authentication to the network becomes less reliable, particularly across a wide-area public network such as the Internet in which there is typically a higher packet error rate.
  • application level delivery guarantees are maintained on the UDP port that transports station authentication information, and station traffic rides on a different UDP port without delivery guarantees for high performance.
  • the RNP approach also is higher performance for authentication traffic, since it authenticates each message rather than implementing a TCP-hke sliding window or piggybacking acknowledgements on top of return frames. Since multiple stations may be connected to the same hghtweight access point, the concept of "streams" is used to demultiplex the different stations connected to a radio. This improves performance, because individual stations can be mapped to streams, and also removes the need to open up a new UDP port for every station connected to the lightweight access point.
  • the RNP is flexible, because the endpoints can terminate on different devices.
  • the client has the WiFi VPN client software.
  • RNP-SM, RNP-DT, and RNP-RC originating from an access point, a lightweight access point is used.
  • the termination of the RNP tunnels does not have to be restricted to a single wireless LAN switch.
  • the RNP-RC may terminate on a different device than the RNP-SM, which may terminate on a different device than the RNP-DT. This would allow, for instance, a wireless LAN switch architecture in which one device is optimized to manage a large number of lightweight access points, another device is optimized to terminate 802. Ix authentication, and another device is optimized to perform data encryption and forwarding.
  • the WiFi VPN chent solves numerous problems. Without the WiFi VPN, it would ordinarily be necessary to load the RNP protocol into access points wherever WiFi VPN applications are deployed, including at branch offices, remote home office to ente ⁇ rise connectivity, and hotspot connectivity. In a practical sense, this hmits the ease of deployment of WiFi VPNs. With the WiFi VPN client, by contrast, deployment is much easier because existing heavyweight access points can be used without modification in the clear text (unencrypted) mode of operation to dehver traffic to the wireless LAN switch. The WiFi VPN client also enables encrypted wired LAN traffic by leveraging 802.11 security technology for wired LANs.
  • a wireless station may connect to a network comprising a wireless LAN switch and a mix of heavyweight and lightweight access points.
  • a wireless LAN switch may connect to a network comprising a wireless LAN switch and a mix of heavyweight and lightweight access points.
  • the movement of wireless stations from access point to access point is handled seamlessly.
  • Other approaches with wireless LAN switches utilize IPSec or other layer 3 VPN termination at the wireless LAN switch and do not permit movement of a wireless station from a heavyweight access point to a lightweight access point.
  • the wireless LAN switch terminates both user authentication as well as the wireless LAN encryption algorithms.
  • the different alternatives considered before selection of the current design are detailed in exhibit []. Since no commercially available cipher products are available for high speed wireless LAN encryption ciphers such as RC4, a pu ⁇ ose- built FPGA provides application-specific cryptography.
  • Wireless LAN Switch or Controller architecture provides an 802.1 li authenticator component that obtains the PMK based on crurent standards.
  • the PMK Sharing described in this invention allows the PMK to be shared across wireless network devices, and reduce roaming latency for applications such as Voice-over-IP (over Wireless) while • Preserving the trust binding between the authenticator, wireless client and the authentication server. • Preserving ability and flexibility to control wireless client access to the network.
  • the Authorization token based scheme allows an ente ⁇ rise to prohibit roaming to a specific AP.
  • the WiFi VPN invention allows ente ⁇ rises to share the WISP infrastructure.
  • a WISP can offer hotspot services, say using a subscription based business model to ente ⁇ rises, while allowing them to control access to their networks.
  • this mechanism also utilizes a single authentication for a given client access wherever the WISP provides its services.
  • it also allows different clients to use a single WISP infrastructure everywhere on the internet while securely accessing their respective ente ⁇ rises.

Abstract

A system and method are disclosed to extend security from enterprise networks to wide-area networks by allowing secure connectivity to the enterprise layer-2 network (211) across a wide-area layer-3 network, such as the Internet.

Description

SECURE, STANDARDS-BASED COMMUNICATIONS ACROSS A WIDE- AREA NETWORK
FIELD OF THE INVENTION
The invention relates to the field of computer networking, and more specifically, to data encryption techniques used in conjunction with networking protocols. BACKGROUND
Enterprises typically seek to provide remote connectivity to the enterprise network for their employees. For example, remote connectivity may be used by employees in the following physical locations: Employee homes Branch offices WISPs • Hotels • Pay phones The problem is that remote connectivity requires an enabling overlay infrastructure. This imposes burdens on the IT staff, adding maintenance and capital expenses on top of existing enterprise infrastructure, and generally requires employees to alter their pattern of computer activity depending on their physical locations — i.e., whether they use the enteiprise network from within the enterprise or remotely. Moreover, remotely connected employees may be restricted in terms of resources they can access; unless special measures are taken by the IT staff, employees often are denied remote access to resources they may routinely use when located within the enterprise.
Enterprises typically provide VPN services to their employees to facilitate remote access to the enteiprise network. A VPN that operates at layer 3 allows users of the VPN to utilize the high speed of their broadband Internet connections to connect to the enterprise. Since the VPN operates at layer 3, it works independently of whether employees use a cable modem, DSL, fixed wireless, or some other means as their broadband connection to the Internet.
One problem with the VPN approach is the requirement that users adopt different behaviors when connecting to the enterprise remotely as compared with the familiar pattern of activity local to the enterprise. For instance, local users may either plug into the existing network with an Ethernet cable, or may use an 802.11 enterprise wireless network. However, when users are at a remote site such as their homes, an airport, or a WiFi hotspot, they are required to start their VPN client in order to connect to the enterprise.
For the system administrator, a VPN generally involves a separate remote-access infrastructure that is deployed independent of the local enterprise edge-access infrastructure. Since the VPN server typically provides only layer 3 connectivity, many legacy layer 2 applications do not work across the VPN. While these legacy applications can be enabled to work across layer 3 networks, e.g., through use of application layer gateways, such additional gateways require even further maintenance and capital expenses from the IT staff. Multiple solutions exist for providing layer 2 connectivity to the enterprise so that full access to enterprise resources can be made available remotely. These solutions include: Dialup DSL Carrier wireless data services over licensed spectrum • Proprietary layer 2 clients Wireless access points that perform double encryption
Dialup POTS access for providing layer 2 connectivity can be provided with RAS products. However, dialup is subject to lost connections, consumes a phone line at the home, and has limited bandwidth. DSL access can provide layer 2 connectivity to the enterprise if the enterprise owns the
DSLAMs used to terminate the DSL lines. However, for an enterprise to provide DSL layer 2 connectivity involves considerable expense, the largest of which is providing copper lines from employees to the enterprise. DSL access may be leased from carriers, but this, too, involves high cost. Furthermore, DSL access often cannot be universally provided to employees due to distance restrictions (since DSL will not operate beyond a certain distance) between the employee's DSL line and the DSLAM.
Carrier wireless data services over licensed spectrum include high-speed cellular data services provided by carriers such as Sprint and Verizon. These services are not universally available. Also, carrier wireless data services are (currently) limited in bandwidth compared to 802.11 and Ethernet.
Proprietary layer 2 clients have existed for many years to provide secure wired and wireless LAN access to enterprise resources using encrypted Ethernet, ATM, and 802.11 technologies. The problem with these approaches is that they involve a dedicated layer 2 wide- area network in order to provide wide-area connectivity back to the enterprise. 802.11 technology cannot be deployed over the wide area due to its limited (300ft indoor, 1km outdoor) range. Ethernet has been deployed only in limited wide-area applications, and due to the same challenge of providing ubiquitous coverage as described above in the DSL scenario. ATM has been implemented over wide-area networks, but providing ATM services to employees for remote access is expensive and generally not instantly available, since the provisioning of dedicated ATM lines to end users is a slow and time-consuming process.
Another possibility for providing layer 2 connectivity to an enterprise network is with traditional access points that implement "double encryption." The first phase of encryption is over the wireless medium, and uses existing secure layer 2 protocols such as 802. Hi and WPA. The second phase of encryption is over the wired side of the access point. Before encryption begins, however, the access point must be configured to bridge the 802.11 traffic to 802.3 Ethernet, and then utilize a layer 2 tunneling protocol over IP such as L2TP to encapsulate the traffic in IP in order to ready that traffic for transit across a layer 3 Internet. The access point may then encrypt the traffic using IPSec. The traffic may be terminated within the enterprise by an IPSec VPN concentrator, and the L2TP headers stripped out by a router or the VPN concentrator. The problem with this approach is that a separate remote access infrastructure in the form of a VPN concentrator is still required by the enterprise in order to provide remote connectivity to the end user. This approach may also suffer from poor performance and/or high cost, since it is computationally expensive for an access point to provide double encryption as described above. Furthermore, the encapsulation of data in L2TP and then again in IPSec reduces performance of the link between the access point and VPN concentrator. The additional overhead of this mechanism is likely to have adverse effects on time-sensitive applications such as VoIP, and may also reduce the effective throughput available over the wide-area connection between the access point and the VPN concentrator.
The advent of ubiquitous, low-cost wireless LAN NIC cards and access points for SOHO / consumer use has spurred the development of secure layer 2 protocols such as 802.1 li and WPA for use enterprise environments, which generally need more advanced security. Both 802.1 li and WPA provide strong user authentication and encryption for wireless communications between the wireless client and the wired network.
Yet another possibility is to use a RF/Wireless Mesh-based distribution service to provide Layer 2 connectivity to the enterprise network. In this model, a wireless client may associate with an access point which forwards the traffic via its RF interfaces to other access points. These in turn may forward the traffic to other access points until the traffic enters the wired network. This point of entry is termed wireless integration service portal in 802.11 terminology. One non- optimal approach to secure the traffic over the air is to use hop-by-hop protection (encryption, and integrity) which consumes CPU and memory resources at each hop.
Current 802.11 standards and practice specify an authenticator component of an AP that derives or obtains shared secret key information known as PMK (Pair-wise Master Key) to protect the traffic between a wireless client and the AP over the air once it is associated. This PMK is a security binding of trust between the wireless client, the authenticator and the trusted authentication server for their domain. When the client roams or re-associates to another AP in the same ESS and/or authentication domain, the client is forced to authenticate again adding latency to the roaming process. This latency could potentially interrupt the session (e.g. voice) between the wireless client and another device in the network.
Currently, the security of the wireless LAN protocols is restricted to enterprise usage by clients within the enterprise campus and cannot be extended across a wide-area layer 3 Internet. This confinement of wireless security to the enterprise campus has at least two sources: 1. The security is terminated locally at the access point, i.e., the wired interface of the access point transmits data free of security restrictions. Therefore, most access points, as well as many lightweight access point / wireless switch combinations that terminate security at the lightweight access point, are not able to securely transport 802.11 layer 2 traffic across a wide-area network. 2. There is currently no accepted method for transporting a secure layer 802.11-based protocol, such as 802.1 li or WPA, across a wide-area network.
SUMMARY OF THE INVENTION
Embodiments of the invention extends security from enterprise networks to wide-area networks by allowing secure connectivity to the enterprise layer 2 network across a wide-area layer 3 network, such as the Internet. The benefits of this approach for providing secure layer 2 access to the enterprise network include: • Unified infrastructure. • Allowing enterprises to utilize either lightweight or heavyweight access points. • Extending the layer 2 enterprise network to the home, and public Internet facilities. • Option for simultaneous access to both remote enteφrise and local resources such as printers, IP fax services, etc. • Option for access to the Internet only through the enterprise to leverage enterprise-based IDS, firewall, and virus scanning. • Simultaneous co-existence of lightweight and heavyweight access points within the enterprise campus, including seamless mobility between these devices. • Standards based secure layer 2 wired connectivity. • Simpler VoIP to cellular roaming.
The present invention provides a unified infrastructure that allows enterprises to utilize the same wireless LAN switch for both local-campus wireless access as well as remote access. This feature saves both capital and operational expenditures as well as demands on technical support. It also supports transparent connectivity to end users, by ensuring that the behaviors for remote connectivity and local enterprise connectivity remain the same. The unified infrastructure also facilitates availability to layer 2 networking protocols to remote users, thereby providing the full capability of the enterprise campus network to the remote users. This includes extending any policy-based layer 2 capability that the enterprise may have implemented within its campus to the remote users. These and other aspects of the invention are further described herein.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 illustrates an STA — AP--L2/L3 Network — WVLAN in accordance with embodiments of the invention. Figure 2 illustrates Multiple types of Encryption in accordance with embodiments of the invention.
Figure 3 illustrates and embodiment of RNP protocol
Figure 4 illustrates an embodiment of IP in IP tunnel and Embodiment of GRE tunnel
Figure 5 illustrates embodiment of MPLS Tunnel
Figure 6 illustrates embodiment of TE embodiment of Differentiated Services TE tunnel
Figure 7 illustrates an RNP protocol header in accordance with embodiments of the invention.
Figure 8 illustrates an RNP protocol data stream into 5 sub-tunnels via the header in accordance with embodiments of the invention..
Figure 9: illustrates embodiments of the RNP virtual client (RRP) in accordance with embodiments of the invention.
Figure 10 illustrates the operation of and packet flow in a representative WiFi VPN client in accordance with embodiments of the invention.
Figure 11 illustrates Layer 2 encrypted in 802. Hi, WPA, WPA2, RC-4 non-encrypted, in accordance with embodiments of the invention..
Figure 12 illustrates imprinting steps in accordance with embodiments of the invention.
Figure 13 illustrates a state machine for Access Point in accordance with embodiments of the invention.
Figure 14 illustrates a message format for RNP-RC messages in accordance with embodiments of the invention.
Figure 15 illustrates a per WVLAN per Access Point State machine in accordance with embodiments of the invention.
Figure 16 illustrates a Security model with its security key of the tuple (VLAN,BBSID, Security type) in accordance with embodiments of the invention. Figure 17 illustrates LEK/REK encryption of the unicast, broadcast and multicast traffic fiOm the security keys in accordance with embodiments of the invention.
Figure 17a illustrates Broadcast/Multicast separation in accordance with embodiments of the invention.
Figure 17b illustrates Unicast Separation in accordance with embodiments of the invention.
Figure 18 illustrates RNP Virtual Client with LEK/REK encryption in accordance with embodiments of the invention.
Figure 18a illustrates RNP Virtual Client - LEK, REK Derivation and RNP Virtual Client Encryption in accordance with embodiments of the invention.
Figure 18b illustrates RRP Ghent - LEK/REK Derivation and RNP Virtual Client
Figure 18c illustrates RRP Client Traffic Decryption by Local AP and WLAN Controller in accordance with embodiments of the invention.
Figure 18d illustrates RRP Client Traffic Encryption - By Local AP and WLAN Controller in accordance with embodiments of the invention.
Figure 19 illustrates LEK and REK Encrypted frame formats in accordance with embodiments of the invention-
Figure 21 illustrates Wifi VPN in Wireless Mesh in accordance with embodiments of the invention.
Figure 22 illustrates PMK Sharing - Example PMK/S-PMK Flows in accordance with embodiments of the invention.
Figure 23 illustrates PMK Sharing Packet Flow in accordance with embodiments of the invention.
Figure 24: illustrates Protocol PDUs for RNP-RC packets in accordance with embodiments of the invention.
Figure 25: illustrates Protocol PDUs for RNP RC packets in accordance with embodiments of the invention. Figure 26: illustrates Protocol PDUs for RNP RC packets in accordance with embodiments of the invention.
Figure 27: illustrates Protocol PDUs for RNP_RC packets in accordance with embodiments of the invention.
Figure 28: illustrates Protocol PDUs for RNP-RC packets #5 in accordance with embodiments of the invention.
Figure 29: illustrates Protocol PDUS for RNP_RC packets #6 in accordance with embodiments of the invention.
Figure 30: illustrates Protocol Exchanges for RNP_RC
Figure 31 : illustrates Protocol PDUs for RNP_SM packets #1 in accordance with embodiments of the invention.
Figure 32: illustrates RNP PDUs for RNP_SM packets #2 in accordance with embodiments of the invention.
Figure 33: illustrates RNP PDUs for RNP_SM packets #3 in accordance with embodiments of the invention.
Figure 34: illustrates RNP PDUs for RNP_SM packets #4 in accordance with embodiments of the invention.
Figure 35 illustrates RNP PDUs for RNP_SM packets #5 in accordance with embodiments of the invention.
Figure 36 illustrates RNP PDU Exchanges for RNP-SM sub-protocol
Figure 37 illustrates RNP Exchanges for 802. IX authentication
Figure 38 illustrates RNP packets for RNP-DT sub-protocol in accordance with embodiments of the invention.
Figure 39 illustrates RNP packets for RNP-DF sub-protocol (#1) in accordance with embodiments of the invention. Figure 40 illustrates RNP packets for RNP-DF sub-protocol (#2) in accordance with embodiments of the invention.
Figure 41 illustrates RNP packets for RNP-WP sub-protocol in accordance with embodiments of the invention.
Figure 42 illustrates RNP packet flow Showing SM, and DF for Association in accordance with embodiments of the invention.
Figure 43 illustrates RNP packet flow showing re-association in accordance with embodiments of the invention.
Figure 44 illustrates RNP packet flow showing: imprinting and RNP Security in accordance with embodiments of the invention.
Figure 45 illustrates RNP PDU Flow for RNP-WP in accordance with embodiments of the invention.
Figure 46 illustrates Enterprise Authentication Over Shared WISP Infrastructure in accordance with embodiments of the invention.
Figure 47 illustrates Enterprise Authentication Over Shared WISP in accordance with embodiments of the invention.
DESCRIPTION OF THE INVENTION
In accordance with the present invention, a WiFi VPN extends security from an enterprise campus to a wide-area network by allowing secure connectivity to the enterprise layer 2 network across a wide-area layer 3 network, such as the Internet. Embodiments of the invention may include multiple components, which may operate independently or in conjunction. Combinations of such components support a flexible framework for a WiFi VPN.
Extension of Security Provisions from an Enterprise Network Across a Wide- Area by Allowing Security Connectivity for an Enterprise Layer 2 Network Across a Layer Three Network.
In embodiments of the invention, security provisions for an enteiprise network are extended by tunneling 802.11 management and optionally layer 2 data traffic for a wireless station (STA) to a wireless controller/switch using a routed protocol. Non-limiting examples of tunneling protocols that may be routed include: • UDP over IP, or • IP in IP, • IP -sec, • GRE encapsulation, or . MPLS
Other examples shall be apparent to those skilled in the art.
The tunnel is between the lightweight access point AP and the WLAN switch (Layer2/Layer3), or the wireless chent and the WLAN switch. Wireless encryption is teraiinated on the switch/controller or on the AP. Bridging to 802.3 can happen on the Switch/Controller or the AP.
Figure 1 shows the logic of this method. In Figure 1, the termination of the WiFi VPN at WLAN switch (Figure point 105). Wireless station (101) connects to an Access Point (103) across Wireless network (102). At the lightweight Access point (103), a tunnel is created between the AP (103) and Wireless Controller (105) over a Layer2/Layer 3 network (104). In the same manner, Wireless Point 106 connects over a second wireless network (107) to an lightweight Access Point (108). From LWAP (108) to the wireless control (105), a tunnel is created over the IP network (109).
Figure 2 shows a non-limiting embodiment of this method of creating and using tunnels between several lightweight Access Points (LWAP) (202, 210, 214) and a Wireless Controller switch router (207) using a variety of protocols. In the non-limiting example illustrated in Fig.2, the LWAPs connect several wireless stations (201,208,212) to the Internet. Figure 2 shows 5 types of tunnels: UDP/IP tunnel (203), GRE Tunnel (204), L? in IP tunnel (205), MPLS Label- Switched-Path (LSP) (211), and an IP-Sec (212) running across different networks. These are presented for example purposes only; many alternatives shall be apparent to those skilled in the art. Figure 2 illustrates two non-limiting examples: two Ethernet/IP networks [205, 215] and one MPLS core with IP edge (211).
This is accomplished, in one embodiment, by encapsulating 802.11 data packets within a lightweight WiFi VPN protocol that rides on top of UDP / IP. In embodiments, security is provided by the 802.11-based standards-based security protocols such as WPA and 802. Hi. Encapsulation of the layer 2 packets into the WiFi VPN protocol is performed by either a lightweight access point or virtual interface client software within a PC, PDA or VoWLAN phone. WiFi VPN traffic can then be sent securely to the wired interface of a wireless LAN switch, which allows the traffic to be unencrypted and bridged to an enterprise wired networks. In embodiments, the lightweight protocol running over UDP/IP is the Remote Network Protocol (RNP) that communicates between either the lightweight access point and the WVLAN switch, or the wireless client and the WVLAN switch.
Separation ofAP management. Station Management. Data Tunneling. Captive Portal, and Data Forwarding Endpoints
This invention provides a method to separate AP Management (RC), Station Management (SM), Data Tunneling (DT), Captive Web Portal, and Data Forwarding control endpoints. In one embodiment of the invention, the DF endpoints may temώiate on other APs or Switches or other devices not necessarily co-located with the Wireless Controller.
In embodiments of the invention, the tunneling of management and data traffic via the RNP protocol may use one or more of the following sub-tunnels: RNP-RC - radio control, RNP- SM - station management, RNP- DT - Data Tunneling, RNP-WP - Captured portal, and RNP-DF - Data forwarding control
In embodiments of the invention, the RNP protocol is extensible with respect to further addition of other types of sub-tunnels.
Figure 3 shows the packet encapsulation of RNP protocol header (304) following the
UDP header (303), following the IP header (302), over a lower layers headers (MPLS and/or Ethernet header (301). The RNP protocol header has three parts: RNP common header (304), RNP sub-protocol header (305), and RNP sub-protocol specific data (305). The RNP header specifies the sub-protocol in the type field.
Figure 3 also shows how the common header splits the protocol into separate sub- protocol streams with sub-protocol headers and data associated with that sub-protocol: • RNP-RC: RNP common header (310), RNP-RC sub-protocol header (311), and RNP-RC sub-protocol data (312), • PvNP-SM: RNP common header (310), RNP-SM sub-protocol header (313), RNP-SM sub-protocol data (314), • RNP-DT: RNP common header (310), RNP-DT sub-protocol header (315), RNP-DT sub-protocol data (316) • RNP-WP: RNP common header (310), RNP-WP sub-protocol header (317), RNP-WP sub-protocol data (318) • RNP-DF: RNP common header (310), RNP-DF sub-protocol header (319), RNP-DF sub-protocol data (320)
Figure 4 shows embodiments of this invention with the RNP protocol running over an IP- in-IP tunnel or a GRE tunnel. The RNP protocol header (404, 405, 406) follows the tunnel header for IP in IP (402, and 403). Figure 4 also shows an embodiment of the invention with a GRE tunnel header (411) in front of the RNP headers (412, 413, 414). Figure 5 shows an embodiment of the RNP protocol running over a MPLS Label Switched path as a virtual tunnel and the RNP protocol running over a Differentiated Services logical tunnel based on forwarding queues.
Figure 7 shows an embodiment of the RNP protocol's common header version 1.0 of the RNP protocol. Figure 7 expands the field 304 from Figure 3 to show the actual header fields: version (701), security version (702), flag (703), type (704), length (705), and sequence (706). The type field contains the sub-protocol types (RNP-RC, RNP-SM, RNP-DT, RNP-WP, RNP- DF).
Figure 8 demonstrates how these RNP sub-protocol streams can split the operation of the lightweight access point (LWAP) over different tunnels. In Figure 8 wireless station 801 communicates with LWAP 803 over wireless network (802). Using the RNP protocol over tunnel, LWAP 803 sends one or more of the following: • the radio control information sent to WLAN controller 1 (805) using RNP-RC messages, • the station management information to WLAN controller 2 (806) using RNP-SM, • the data is sent WLAN controller 3 (808) using RNP-DT and RNP-DF messages, • Captive Web portal information is sent to WLAN controller (808) via RNP-WP messages, Figure 8 also shows a tunnel from a LWAP device (819) to the WLAN controller 3 (809) that carries all RNP messages (816) across a Iayer2/layer3 network (815).
Extension of the Tunneling Protocol to a Virtual Interface at Client (a WiFi VPN client). Embodiments of the invention extend the tunneling protocol to build a virtual interface at the client, and extend the tunneling protocol to that chent. The virtual interface concept applies to clients with a wireless as well as a wired (Ethernet) network interface. Some such embodiments create a WiFi VPN that uses 802.11 technology across a Layer 3 network. As non-limiting examples, the station can be a PC, PDA or VoP phone. Other suitable instantiations shall be apparent to those skilled in the art. The WiFi VPN client encrypts by using WPA, 802. Hi, or another suitable encryption protocol, and then encapsulates in the Remote Network Protocol (RNP).
Figure 9 shows how a virtual chent can run on a PC (901) on a wireless network (902) and communicate across a 3rd part access point (903) that does not support the RNP protocol. The RNP protocol is created on the virtual client on the PC (901) and ships the RNP sub- protocol streams to two different controllers WVLAN controller 1 (904), and the WVLAN controller 2 (905).
Figure 9 also shows how a PDA can run the virtual software. In Figure 9, the tunnel exists across a wireless network (921) to a LWAP point with this invention. The virtual client passes RNP sub-protocol streams (931) to the WVLAN controller 3 (935). A third option for the use of these virtual clients is illustrated in Figure 3 wherein the connection of the virtual client on the PC (942) connects to a LWAP point (941) across a wireless network (943), and joins a tunnel (952) passing RNP sub-protocol messages (951) to WVLAN controller 2 (934).
Figure 10 shows the steps that may be taken in encapsulating this data: • Step 1 - Application data is sent toward a wired host in the enterprise (1001), • Step 2 - Application resolves it to an RNP virtual client via IPv4 stack (1004) to RRP 1007, or via IPv6 stack (1005) to RRP 1007, • Step 3 o a) Client encrypts the packet. As non-limiting examples, the encryption may be performed using 802.1 li, WPA, WPA2, RC4 or other encryption algorithms. o b) client sends via the RNP protocol (RNP-DT, RNP-DF, RNP- WP, RNP-SM) to the controller over a UDP/IPv4 tunnel or a UDP/IPv6 tunnel. • Step 4 - The remote WVLAN controller 4 processes the RNP packets as other packets.
Utilization of Layer 2 Encryption Instead of IP-Sec Tunnels to Secure Data
Embodiments of this invention use layer 2 encryption protocols, such as 802.1 li instead of IP layer secure tunnels (such as IP-Sec) to secure wireless data. Figure 11 illustrates an example of a network in which different access points are encrypted with different layer 2 encryptions such as, by ay of non-limiting example, 802.11i, WPA, WPA, RC-4. Embodiments allow each of these access points (1103, 1108, 1110, 1121) to: o encrypt a wireless stations traffic with an encryption, o pass the traffic to the remote WVLAN controller via the RNP protocol (1113, 1114) , and, o decrypt the traffic on the WVLAN controller (1105) . Such embodiments protect the user data between the lightweight access point and the layer2/layer switch without using an IP layer secure protocol (such as IP-Sec).
As Figure 11 shows, this encrypted data can run in parallel with the non-encrypted data (AP 1108) in the RNP protocol.
Embodiments of this invention terminate the encryption of the data on a wireless LAN switch. Other embodiments of this invention terminate the encryption of the data on a Switch/Router. Yet another embodiment of this invention terminates the encryption on another Access Point.
Discovery/Imprinting Used by Access Points to Locate Controllers
Embodiments of this invention has a method for aNextHop WiFi AP to be "imprinted" with information from a Wireless Controller/Switch by implementing a mechanism known as "Imprinting". In embodiments of the invention, "Imprinting" includes one or more of the following steps: 1. The WiFi AP and the Wireless Controller/Switch discover each other over a Layer 2 network using a broadcast RNP-RC (Radio Control) message. The RC- Name-Request message is used for this purpose. 2. Optional approval by administrator or policy that allows the AP to be controlled by the Wireless Controller, 3. The AP storing the discovered addressing information for the controller (e.g. DNS name, IP Address) in its persistent memory e.g. Flash memory 4. Use of persistent information stored in the AP to establish future sessions with the Controller. The future sessions may be established after moving the AP to a new location. The new location may have a Layer 3/IP network between the AP and the controller. 5. Optional augmentation of primary controller addressing information with a secondary controller addressing information, to be used when the primary controller is unavailable. The secondary information is communicated via RNP- RC protocol and is stored in the AP persistent memory.
If the AP cannot communicate with its controller via a Layer 2 (Ethernet) broadcast, the DNS name or IP address of the controller is provisioned on the AP via a local mterface (e.g. serial interface).
One embodiment of this method is shown in Figure 12 aligned with the RNP messages. Steps 1-5 are listed as items (1200, 1203, 1204, 1205, 1206) respectively in this Figure. For this embodiment of this method, Figure 13 provides the state machine for the Access Point in sending RNP- RC messages. In this state machine there are three states: Discovering (1301), Connecting (1302), and Connected (1303).
Figure 14 illustrates an example message format for the RNP-RC messages for imprinting. The RNP-RC messages have the RNP common header (304), followed by an RC specific header (1400), followed by a RNP-RC type specific format. The RNP-RC header has the fields for: major version (1401), minor version (1402), primitive (1403), Transaction ID (TID) (1404), length (1405). The RNP-RC messages for imprinting include: o RNP-RC_MSG_NAME_REQUEST_MESSAGE (message body 1406- 1407) o RNP-RCjVISG_CONNECT (message body description is 1408-1410) o RNP-RC _MSG_ACCEPT (message body description 1411-1412), o RNP-RC_MSG_MIGRATE (message body description 1413) o RNP-RC_MSG_DISCONNECT (message body description 1414) Figure 15 shows an embodiment of this method in a state machine for the WVLAN controller supporting an imprinting. This state machine has 5 states: Unknown (1501), Discovered (1502), Connecting (1503), Mine (1504), Connected (1505). In embodiments of the invention, the state transitions between these states are caused by the following events: o User interface changes: GUI creation (1520), GUI delete (1521), GUI assignment ( 1522), GUI un-assignment ( 1523), o Timer expirations: discover timer (1524), connect timer (1525), and o RNP-RC messages received: RNP-RC_MSG_NAME_REQUEST (1510), RNP-RCJVISGCAP ABILITIES (1511). Each event may or may not have an action associated with it.
Virtual LAN (VLAN) Assignment and Separation of Virtual LANs (VLANs) Over Air Using Different Encryption Keys
The 802.11 standard does not define a mechanism to assign VLANs to 802.11 data traffic over the air. Typically, an Extended Service Set ESS is mapped to a single VLAN. An ESS, and thus VLAN, typically implements a single type of security protection for the 802.11 data traffic.
Embodiments of the invention allow multiple VLANs to be advertised and their traffic segregated over the air. In embodiments, this is accomplished by allowing multiple security types to be associated with each ESS, each of which is assigned a VLAN. In embodiments, if no VLAN is associated with an ESS security type, then the VLAN assigned is determined by the default VLAN configured for the ethernet interface on the AP. In addition, a policy-based VLAN (RFC 3580) may be assigned by a AAA server or a Directory server on a per-user (client station) basis. One restriction on the security types chosen for an ESS is that either all or none of them must provide over the air encryption.
Embodiments of the invention include security models as well as methods of encrypting traffic using such security models.
In embodiments, a security key is associated with each virtual interface denoted by a tuple, including the tuple denoted <VLAN, BSSID, Security Type> where "BSSID" denotes the Wireless MAC address of the (potentially virtual) AP which is advertising the ESS, "VLAN" denotes a supported VLAN (either via assignment to Security Type as default, policy or governed by network topology), and "Security Type" is one of the security types supported by the Wireless Network. The security types that may be supported include: • 802.11 Open Authentication with no encryption, • 802.11 Open Authentication with static WEP key, 802. IX with dynamic WEP encryption, WPA (TKIP), WPA2 and 802.1 li (AES), • 802.11 Shared Authentication with static WEP key
Figure 16 illustrates the security model with its security key of the tuple <VLAN,BBSID, Security type> and the security types of: 802.11 Open Authentication with no encryption (1610), 802.11 Open Authentication (1611), and 802.11 Shared Authentication (1612).
In embodiments, all broadcast traffic over the air is encrypted with the security key for the virtual interface. All unicast traffic over the air is protected by the pair-wise key negotiated for the security type between the AP and the client. This mechanism supports multiple VLANs over the air for associations via a single (potentially virtual) AP (with a unique BSSID) and achieves the desired VLAN data traffic separation over the air preserving VLAN semantics.
Figure 17 illustrates the encryption of the broadcast, multicast and unicast traffic between a wireless station (1701) and an AP (1703). The traffic flows from the wireless station across the wireless network (1702) to the AP (1703) to the wireless controller (1705). The unicast traffic (1711) is encrypted with the pair-wise key (1710) negotiated between the AP and the client and sent in unicast packets (1713, 1714, 1715) to the AP. The broadcast data traffic (1721) is encrypted with the broadcast key for the virtual interface (1720) and sent as packets (1716) across the wireless network(1702). The multicast data (1723) is encrypted with a per group key (1722) and sent across the wireless network (1702). Decryption of the packets occurs on the AP (1703) or the Wireless controller (1705). The un-encryption (decryption) of the packets is based on the type of packet as determined from the packet Layer 2 addressing information. The un- encryption (1706) uses the appropriate key per type of data: Unicast pair-wise key (1710) , Broadcast key (1720), and Multicast (1722).
Routing Intelligence in a WiFi Client when an Enterprise is terminated on WLAN controller and Local Traffic is Terminated at the AP
The embodiment of the RNP in the WiFi VPN chent is sometimes referred to by the acronym "RRP". RRP is synonymous with the use of the RNP in the WiFi VPN virtual client.
In embodiments, an RRP client allows 802.11/802.1 li based security to be applied to providing a wide-area VPN without use additional infrastructure such as IPSec or PPTP. When the RRP client is remotely connected to the Wireless LAN Controller/Switch over a Layer-3 network. One application of such a topology is to a branch office wireless network.
In a branch-office scenario, both traffic destined to local network (e.g. a local printer) and to the remote corporate office share the same 802.11 (802.1 li) based authentication mechanism and policy controlled by the corporate office. In order to segregate and properly protect the data traffic, the RRP client provides a routing function that works as follows: 1. One or more local encryption keys (LEKs) and one or more remote encryption keys (REKs) are derived from the authentication process. Without limitation, multiple LEKs and REKs may be derived each for a combination of local or remote destination and traffic type (Unicast, Broadcast, and Multicast). o In embodiments, Unicast LEK or REK derivation involves the use of one-way hash function over the 802.1 li derived PTK (Pairwise Transient Key) o In embodiments, Broadcast LEK or REK derivation involves use of Unicast LEK or REK to encrypt a random key and passing that key to the chent. o In embodiments, multicast LEK or REK derivation involves the use of Multicast LEK or REK per group to encrypt a random key and passing it to the client. The multicast REK is used to encrypt multicast traffic destined for a group. 2. Traffic is segregated into two portions: Traffic that will be sent to the local network and traffic that is destined for a remote network. 3. All the traffic that is destined to the local network (subnet, vlan etc) uses a local encryption key (LEK) is available to local AP (Access Point). 4. All the traffic that is destined to the remote network (subnet ,vlan etc) uses a remote encryption key (REK) that is not available to the local AP but is available to the WVLAN Switch or Controller at the remote destination.
Figure 18 shows one embodiment of this invention to encrypt local traffic and remote traffic with different keys (LEK, REK). The virtual client running on wireless station (1801) encrypts the locally destined data (1811) with a local encryption key (1810) and sends the data in packets flagged with the "locally" transmitted data (1813 and 1814). The local virtual client (1806) puts the packets (1813 and 1814) through a un-encryptor (1809) with the local key (1810) to decrypt the data. The remote client on WVLAN controller 2 (1808) receives the packets (1822, 1823) across one wireless network (1802), and several wired networks (1804, 1807). Using an un-encryptor (1809) and the REK (1820), the data is unencrypted to restore the original data (1821).
This mechanism allows traffic destined to the remote network to be encrypted without additional overhead or VPN to be implemented on the AP. The AP may disambiguate between traffic destined to the local network from the remote network using a special bit in the 802.11 frame fields (e.g. frame control, a special reserved mac address such as address 4 in the frame). Figure 18 also shows this branch office scenario topology that utilizes the "Routing Intelligence" that keys on the special portion of the 802.11 frame and encrypts the local traffic using a LEK and remote traffic using an REK.
Figure 18a shows a client uses LEK/REK to encrypt data. Figure 18b shows how a client users LEK/REK to decrypt data. Figure 18c shows how local traffic may be passed unencrypted and remote traffic passed encrypted, Figure 18d shows remote encrypted traffic is demuxed from local traffic. Local traffic in Figure 18d is also encrypted prior to forwarding it. Figure 19 shows the special Frame control field and a special MAC address for unicast traffic.
For example, the currently unused 802.11 frame control field values may be used to denote that the frame is encrypted using a REK and that it will be decrypted at the destination. The local AP will simply bridge this frame to the wired network. In order to avoid the potential denial of service attack, an optional special message integrity checksum using LEK may be used or this type of bridging is restricted to RNP protocol PDUs to known destinations.
WiFi VPN in Wireless Mesh Networks
This invention includes methods to support the bridging of 802.11 frames via RNP over Wireless (802.11) network infrastructure until the point where it enters (1) the wired network or a wireless LAN switch or an access controller or (2) another device in the network that has the security state to decrypt the client traffic. This approach avoids hop-by-hop encryption that is specified by the current wireless standards and practice when applied to mesh-based wireless networks.
In an embodiment of this invention, 802.11 frames from a wireless chent station enter a RF/Wireless Mesh-based distribution system at an AP and are bridged and routed to the integration service portal via RF interfaces on other APs in the mesh. The system does not terminate 802.1 li or other encryption on the AP where the station traffic enters the RF mesh, but does so at the point where it enters the wired network. Figure 21 shows one embodiment of this invention. The packets from wireless client (2110) are transmitted are encrypted at access point 1 (2103) and transmitted via RNP to the wireless controller (2109). The pathway from AP-1 to the wireless controller is: • via AP- 1 (2103) across the wired network 1 (2104) to AP-2 (2105), • from AP-2 (2105) across the wireless network (2106) to the AP-3 (2107), and • from AP-3 (2107) across the wired network (2108) to the wireless controller (2108).
Methods for Pairwise Master Key (PMK) Sharing
The Wireless LAN Switch or Controller architecture provides an 802.1 li authenticator component that obtains the PMK based on current standards. This PMK is known only to the authenticator for the current client association between a client and a authentication server. However, if the switch contains an authenticator component for more than one AP, the PMK may be shared among the APs (or 802.11 BSSes) without violating security guarantees. In the context of this invention, the PMK for a given client and the authentication server used by each authenticator may be: • Identical • derived from another PMK for the same client and authentication server, or • combination using implicit or publicly observable information using a one-way cryptographic hash function such as a HMAC-SHA1. This method may be used to avoid the superfluous (re-) authentication to the network while re-associating or roaming to another AP within an ESS or within an authentication domain. One way for the wireless client and the AP to use the above mechanism is to advertise the capability to perform PMK sharing and fast roaming as described here. Such advertisement could use additional 802.11 information elements or additional components (bits) in the capabilities in standard 802.11 informational elements such as 802.1 li RSN an information element. Sharing, such as above, is also possible when roaming between multiple WLAN switches or controllers. It is also possible to share a PMK between a Wireless LAN switch or controller and a traditional fat AP or between fat APs themselves. In one mechanism of sharing, an authenticator for an AP obtains roaming authorization tokens from the authentication server for the APs in its RF neighborhood when the wireless chent first authenticates to the network.
The authenticator may pass the BSSIDs in the Wireless network for the RF neighborhood of the station associating to the authentication server using RADIUS messages. These messages could be the same ones as that which are being used to transport EAP messages from the client.
In order to facilitate enterprise policy enforcement, the authenticator may communicate
ESS identification (e.g. SSID) and security mechanism (e.g. 802. Hi) being requested by the chent station for the association to the authentication server. One mechanism for doing this is to use (potentially new or vendor-specific) RADIUS attributes with this information in the case where AAA service is provided by a RADIUS server.
Figure 22 show an embodiment of this logical interaction of the PMK tokens with the Radius AAA service. Figure 23 shows a normal packet flows for PMK tokens using the Radius EAP packets.
Using the ESS, BSS and Security information in the request, the authentication server
(e.g. RADIUS) may generate and return to authenticator the appropriate authorization tokens. In the case of RADRJS based AAA, the tokens may be returned in the Radius-Accept message used to indicate the success of the client authentication
In another mechanism of sharing, the PMK authorization tokens are generated for APs in the RF neighborhood using public key encryption - by encrypting the PMK or material derived from PMK using the target AP public key - if the Access Points (APs) share public keys or public key certificates or part of a public key infrastructure. In some embodiments, the authorization tokens may be transmitted on a public network or over the air and can only be decrypted by the corresponding AP to obtain the PMK using a shared secret between the AP and the authentication server or the receiving Access Points (APs) own private key when using the public key mechanism. The superfluous re-authentication process and its resultant latency in a roam are thus avoided.
One mechanism of this invention for transferring the PMK or authorization tokens is using the wireless client to transfer the PMK. The tokens may be distributed to the client gratuitously (for example, using a to-be-defined 802.11 management frame or 802. lx frames) or upon request from the client. The chent transfers these tokens to the target AP as part of or prior to the 802.11 re-association procedure. This mechanism preserves the security trust binding of a PMK between the authenticator, the wireless client and the authentication server.
Another mechanism for transferring the PMK or authorization tokens is to use a RNP or other protocol frame addressed to the target AP.
Yet another mechanism for transferring authorization tokens is to provide these tokens securely encapsulated or encrypted in the standard EAP mechanisms used for authentication (e.g. 802.1 li). An authorization token for to which the wireless client is currently associated may optionally be passed using this mechanism validating the 3 -way trust binding between the chent, authenticator and the AAA server.
Remote Network Protocol fRNP
Embodiments of this invention includes methods for encoding PDUs in the Remote Network Protocol (RNP) packets, as well as the packet exchanges and state machines for handling such packet exchanges Such embodiments support multiple sub-protocols by using a "type" field in the RNP protocol. This method allows the number of sub-protocols to be extensible to large numbers of sub-protocols.
Embodiments also allow sub-protocols to further sub-divide into to sub-streams. An embodiment of this invention uses the "primitive" field in the sub-protocol headers to split the sub-protocols.
Enterprise authentication over shared- WISP Infrastructure
In the prior art, when WiFi VPN is deployed at a hotspot, a wireless client connecting to the enterprise is authenticated twice — once by the hotspot provider and once by the authentication server at the enteφrise. Embodiments of the invention allow enteφrise authentication to be used by the hotspot provider, rather than a separate authentication. This allows an enteiprise to share the WISP infrastructure, using, by way of non- limiting example, a subscription based business model, while maintaining control of enteiprise access. Some such embodiments also utilize a single authentication for a given client access. Such embodiments also allow two different clients associating with the same WISP AP to be authenticated at different enteφrises.
In embodiments of this invention, when the WiFi VPN is deployed at a hotspot with a lightweight access point, a late / lazy binding from the client to the wireless LAN Controller/Switch can be made by the WISP AP intercepting the EAPOL start message sent by the client, and returning a EAPOL request identity message. The WISP AP may also send an EAPOL request identity message to the chent gratuitously without waiting for the EAPOL start message.
The wireless client may respond to the request identity message with a EAPOL response identity message which includes a cleartext field with the chent's domain name. As non-limiting examples, this domain name can be (1) a DNS name, (2) the name of the chent's enteφrise that can be looked up against a DNS server or (3) a directory (e.g. LDAP) server to obtain the IP address or DNS address of the wireless LAN Controller/Switch to which the chent will connect. Following the initial exchange, further EAPOL messages are tunneled to the WLAN Controller/Switch using the WiFi VPN (RNP) encapsulation protocol. The authentication is done by the enteφrise authentication server that terminates the EAP protocol within the enteφrise. The WISP AP is directed to allow data traffic flow only if the wireless client is successfully authenticated via the RNP protocol.
Figure 46 shows the network topology applicable to this invention. Figure 47 illustrates the packet flow for the authentication process.
Optionally the WISP AP may forward all client data traffic to their respective enteφrise
WLAN Switch/Controller.
Remote Network Protocol (RNP)
In embodiments of the invention, the RNP protocol runs over the UDP/IP protocol and supports multiple sub-protocols. In one embodiment shown Figure 3 there are 5 sub-protocols: RNP- Radio Control (RNP-RC) - items 311 and 312 in Figure 3, • RNP-Station Management (RNP-SM) - item 313 and 314 in Figure 3, RNP-Data Transfer (RNP-DT) - item 315 and 316 in Figure 3, RNP- Web Portal (RNP-WP) ) - item 317 and 318 in Figure 3, and RNP-Data Forwarding (RNP-DF) - item 319 and 320 in Figure 3. The RNP protocol is extensible to any number of sub-protocols via the RNP header methods that specify the type field (Figure 7 item 704). As Figure 3 shows, the information following the RNP common header (Figure 3 item 304) is the RNP sub-protocol specific header (Figure 3 item 305), followed by the RNP sub-protocol specific data. The sub-protocol header for the RNP-RC sub-protocol contains the following information as shown in Figure 24: • RNP-RC-version (2 bytes) - the version of the RNP-RC sub-protocol (item 2402) • Primitive type - the type of action primitives used to operate the RNP-RC functions (item 2403) » Transaction identifier - If a transaction is initiated by the wireless controller, this field will contain an ID. Responses from the Access Point will contain this identifier to match requests with responses (item 2404) • Content Length - Length of the Message Content (item 2405) • Content - RNP-RC sub-protocol specific data (item 2406)
The RNP-RC protocol method further defines the primitives as the table below. (For the table below, Access Point is abbreviated as AP and Wireless Controller Service Point is abbreviated as SP.
RNP-RC Primitives
Figure imgf000029_0001
A key benefit of this RNP-RC sub-protocol is the discovery, configuration and management of options (managed wireless station options) names and request.
Figures 24 shows an embodiment of the RNP_RC_MSG_CAP ABILITIES packet (2410) and the RNP_RC MSG_ACCEPT packet (2420). Figure 25 shows the RNP_RC_MSG_CONFIGURE packet (2500) and the RNP_RC_MSG_CONF_RESP packet (2510). Figure 26 shows the RNP_RC_MSG_MO_SET packet (2600) and the RNP_RC_MSG_SET_RESP packet (2610). Figure 27 shows the RNP_RC_MSG_MO_GET packet (2700) and
RNP_RC_MSG_MO_GET_RESP (2710). Figure 28 shows the RNP_RC_MSG_TRAP packet (2800), RNP_RC_MSG_MEASUREMENT packet (2810), and the RNP_RC_MSG_NAME_REQUEST packet (2820). Figure 29 shows the
RNP_RC_MSG_CONNECT packet (2900), and the RNP_RC _MSG_LogPacket (2910).
Figure 30 shows a sample protocol exchange for the RNP-RC sub-protocol.
RNT-SM Primitives
Figure imgf000031_0001
Figures 31 through 35 show an packet formats for the RNP-SM sub-protocol sub-streams packets.
RNP DT sub-protocol
The current embodiment of the RNP-DT message does not support sphttmg the RNP-DT sub- protocol into sub-streams RNP DF sub-protocol
The DF-Server is a point that connects the tunnel to a wired network. The DF-Client is a point that interfaces the wireless Access Point (AP) to the tunnel. An embodiment of an DF-Client can be an AP. An embodiment of a DF-Server can be an AP or a standalone appliance. Each of these sub-protocol primitives have a field for a request/response. One end of the connection (DF-Server or DF-Client) sends a "request" message, and the remote end of the connection (DF- Server or DF-Client) sends a "response" message.
Figure imgf000032_0001
RNP-WP sub-protocol
The RNP-WP sub-protocol supports the Web Portal function. The Web Portal functions limits the traffic to information needed to exchange data with a Web Portal to obtain the correct information. The current embodiment of the RNP-WP sub-protocol does not have any sub- protocol primitives.
The benefits of this approach for providing secure layer 2 access to the enterprise network include: • Unified infrastructure. • Enterprises can utilize either lightweight or heavyweight access points. • Extends the layer 2 enterprise network to the home, and public Internet facilities. • Option for simultaneous access to both remote enterprise and local resources such as printers, IP fax services, etc. • Option for access to the Internet only through the enterprise to leverage enterprise-based IDS, firewall, and virus scanning. • Simultaneous co-existence of lightweight and heavyweight access points within the enterprise campus, including seamless mobility between these devices. • Standards based secure layer 2 wired connectivity. • Simpler VoIP to cellular roaming.
The present invention provides a unified infrastructure that allows enterprises to utilize the same wireless LAN switch for both local-campus wireless access as well as remote access. Unlike currently available remote connectivity solutions, separate infrastructures for LAN and WAN connectivity need not be deployed. For the IT staff, this saves both capital and operational expenditures, including a reduction in the amount of technical support required, because a wireless LAN deployment over the enterprise campus will work for remote access as well. For the end user, this means that the behaviors for remote connectivity and local enterprise connectivity will be the same. The unified infrastructure also means that layer 2 networking protocols and services are available for the remote user, thereby providing the full capability of the enteφrise campus network to the remote users. This includes extending any policy-based layer 2 capability that the enterprise may have implemented within its campus to the remote users.
Enterprises can use either lightweight access points (which are more easily managed by the enterprise), heavyweight access points (less expensive and more ubiquitous at public Internet access facilities), or a combination of both. The lightweight access points can be deployed within the campus to give the enteφrise centrahzed control of the local radio environment. For remote users, traditional heavyweight access points can be used in public Internet access settings. Enteφrises may wish to use either heavyweight or lightweight access points for home and branch office applications, depending upon enteφrise needs. Within the enteφrise, a combination of existing heavyweight access points can be augmented with lightweight access points. WiFi VPN can extend the enteiprise network to employees' homes. Employees can open their laptops at home and immediately connect to the enteiprise layer 2 network without the need to invoke special remote VPN client software. Employees may also utilize VoWLAN phones to enable voice communications from the enteiprise to the employees' homes. Still further, employees can initiate voice communications utilizing enteφrise voice infrastructure from the VoWLAN phone.
Like traditional layer 3 VPN solutions, a WiFi VPN for the branch office allows enteiprises to realize significant cost savings by connecting the branches to the enteφrise headquarters via an Internet connection, as opposed to an expensive leased line connection. Unlike traditional VPN solutions, a WiFi VPN operates at layer 2, so employees in branch offices can have access to the same legacy applications available on the enteφrise campus. By extending the enteφrise's existing layer 2 network, the invention also extends pohcy-based layer 2 networking from the enteφrise and simplifies the IP addressing within the branch offices.
When employees are on the road and using a public Internet access facility such as a hotel broadband connection, or a hotspot, they typically must log into the public Internet facility using a browser, and then start their remote VPN client. Instead of this cumbersome process, the present invention allows a public Internet provider to negotiate a billing arrangement with the employees' enteφrise to allow connectivity to the public Internet IP address and UDP port number of the enteφrise's WiFi VPN presence on the Internet. The enteφrise can then signal the successful connection of a WiFi VPN chent to the provider for billing pmposes. This functionality allows two individuals from different enteφrises to simply open their PC lids at a hotspot, and they will each be automatically connected to their coφorate facilities without performing a single keystroke or mouse movement.
One potential problem with layer 2 WiFi VPN enteφrise connectivity occurs if all IP traffic is shunted through the layer 2 WiFi VPN connection. This limitation can be overcome through the use of virtual interface software that has the same operational behavior as existing, conventional VPN software, that takes the form of a WiFi VPN client. IP routing can be configured on the WiFi VPN client in the manner of existing layer 3 VPN clients so that devices reachable locally (such as printers, IP fax machines, etc.) using the physical wireless (or wired) interface are routed locally by the client.
Alternatively, if an enteφrise wishes to prevent the wired or wireless interface from reaching local resources, then the WiFi VPN chent can be used for all traffic by configuring the appropriate IP routing tables on the chent device. This forces all traffic between the client hardware and the enteφrise going out to the Internet to utilize the enteφrise's Internet connection. As a result, enteφrise tools such as IDS, IDP, firewall, and antivirus programs can be applied to remote users. This may be a desirable security model for enteφrises seeking to control the software and agents that actually enter the enteφrise's client hardware devices.
Another advantage of the WiFi VPN client is that it allows simultaneous coexistence between traditional heavyweight access points and hghtweight access points. With a WiFi VPN client in accordance with the present invention, seamless lOaming can be accomplished between heavyweight access points and hghtweight access points, both connected to the same network of WLAN switches. In addition to roaming, all the wireless benefits described in the present invention apply to both heavyweight and lightweight access points.
The present invention is applicable both to wireless and wired LANs. When the virtual interface of the WiFi VPN client is connected to the wired LAN, the wireless LAN switch can serve as a encrypted wired switch to encrypted wired traffic using the same 802. Ix, WPA, and 802.1 li technology that is used to encrypted wireless LAN traffic.
A challenge with VoWLAN is determining how to integrate VoWLAN and cellular voice calls. With a WiFi VPN, the VoWLAN call can be terminated at the enteφrise. One advantage of this mechanism is that any VoWLAN handset can be used at any hotspot, since it will connected back to the enterprise VoIP infrastructure using the WiFi VPN. This means that off-the-shelf VoWLAN handsets can be used with essentially any hotspot for VoWLAN, and that the handset user can be reachable anywhere in the world simply by dialing the enteφrise extension of the handset user. Integration with the cellular network becomes a simple matter of forwai'ding calls from the cellular phone number of the handset to the DID number of the enteφrise, and vice versa if the handset if out of range of a hotspot. This also has the advantage of allowing the same handset with the same cellular phone number to be used as an enteφrise extension with multiple enteφrises in a serial fashion, as in the case of a contractor / temporary employee.
Embodiments of the invention include a Remote Network Protocol (RNP) which has various advantages over existing protocols such as L2TP and GRE. In some embodiments, RNP uses separate UDP port numbers for controlling and monitoring the radio, the station authentication, and the station traffic. This reduces the computational load on the switch of classifying packets according to their contents. It also prevents a station authentication packet from blocking a data packet. The packets can instead be classified in hardware based on their port numbers, which improves performance. The UDP nature of the RNP is also very important since TCP has slow start mechanisms and additional processing overhead that increase computational requirements for the hghtweight access point.
The RNP together with the switch architecture assumes that all time-insensitive 802.11 MAC layer operations will be performed on the WLAN switch, and that time-sensitive 802.11 operations will be performed on the hghtweight access point. This split of 802.11 layer functionality allows the RNP protocol to be latency-tolerant across wide-area networks with varying latency. With the incorrect split, a similar approach cannot operate properly across a wide-area network. For data transfer, the RRP protocol uses low framing overhead to ensure high performance and low computational overhead on the lightweight access point. The low overhead also assists with performance on the WLAN switch.
In an embodiment of this invention, 802.11 frames from a wireless client station enter a RF/Wireless Mesh-based distribution system at an AP and are bridged and routed to the integration service portal via RF interfaces on other APs in the mesh. The system does not teπninate 802.1 li or other encryption on the AP where the station traffic enters the RF mesh. Instead the frames are bridged in the encrypted format via RNP over Wireless (802.11) interface until the point where it enters the wired network or a wireless LAN switch or an access controller or another device in the network that has the security state to decrypt the chent traffic. This approach avoids hop-by-hop encryption that is specified by the current wireless standards and practice.
The approach of the RNP protocol with regard to reliability is also unique compared to L2TP and GRE. With generic protocols, all traffic is treated identically. In order to guarantee delivery of critical 802.11 and 802. Ix authentication and association frames with legacy protocols, all packets must be somehow guaranteed delivery, which can add significant overhead and delay to data frames that do not need guaranteed delivery. If delivery is simply not guaranteed, then successful authentication to the network becomes less reliable, particularly across a wide-area public network such as the Internet in which there is typically a higher packet error rate. With the RNP approach, by contrast, application level delivery guarantees are maintained on the UDP port that transports station authentication information, and station traffic rides on a different UDP port without delivery guarantees for high performance. The RNP approach also is higher performance for authentication traffic, since it authenticates each message rather than implementing a TCP-hke sliding window or piggybacking acknowledgements on top of return frames. Since multiple stations may be connected to the same hghtweight access point, the concept of "streams" is used to demultiplex the different stations connected to a radio. This improves performance, because individual stations can be mapped to streams, and also removes the need to open up a new UDP port for every station connected to the lightweight access point.
The RNP is flexible, because the endpoints can terminate on different devices. For example, if the RNP-SM and RNP-DT originate on the client, the client has the WiFi VPN client software. With RNP-SM, RNP-DT, and RNP-RC originating from an access point, a lightweight access point is used. The termination of the RNP tunnels does not have to be restricted to a single wireless LAN switch. For instance, the RNP-RC may terminate on a different device than the RNP-SM, which may terminate on a different device than the RNP-DT. This would allow, for instance, a wireless LAN switch architecture in which one device is optimized to manage a large number of lightweight access points, another device is optimized to terminate 802. Ix authentication, and another device is optimized to perform data encryption and forwarding.
The WiFi VPN chent solves numerous problems. Without the WiFi VPN, it would ordinarily be necessary to load the RNP protocol into access points wherever WiFi VPN applications are deployed, including at branch offices, remote home office to enteφrise connectivity, and hotspot connectivity. In a practical sense, this hmits the ease of deployment of WiFi VPNs. With the WiFi VPN client, by contrast, deployment is much easier because existing heavyweight access points can be used without modification in the clear text (unencrypted) mode of operation to dehver traffic to the wireless LAN switch. The WiFi VPN client also enables encrypted wired LAN traffic by leveraging 802.11 security technology for wired LANs. Another LAN benefit to the WiFi VPN client is that a wireless station may connect to a network comprising a wireless LAN switch and a mix of heavyweight and lightweight access points. In this network, the movement of wireless stations from access point to access point is handled seamlessly. Other approaches with wireless LAN switches utilize IPSec or other layer 3 VPN termination at the wireless LAN switch and do not permit movement of a wireless station from a heavyweight access point to a lightweight access point.
To support WiFi VPN applications, the wireless LAN switch terminates both user authentication as well as the wireless LAN encryption algorithms. The different alternatives considered before selection of the current design are detailed in exhibit []. Since no commercially available cipher products are available for high speed wireless LAN encryption ciphers such as RC4, a puφose- built FPGA provides application-specific cryptography. Wireless LAN Switch or Controller architecture provides an 802.1 li authenticator component that obtains the PMK based on crurent standards.
The PMK Sharing described in this invention allows the PMK to be shared across wireless network devices, and reduce roaming latency for applications such as Voice-over-IP (over Wireless) while • Preserving the trust binding between the authenticator, wireless client and the authentication server. • Preserving ability and flexibility to control wireless client access to the network. For example, the Authorization token based scheme allows an enteφrise to prohibit roaming to a specific AP.
The WiFi VPN invention allows enteφrises to share the WISP infrastructure. With this invention, a WISP can offer hotspot services, say using a subscription based business model to enteφrises, while allowing them to control access to their networks. At the same time this mechanism also utilizes a single authentication for a given client access wherever the WISP provides its services. Furthermore it also allows different clients to use a single WISP infrastructure everywhere on the internet while securely accessing their respective enteφrises.
From the foregoing, it will be appreciated that specific embodiments of the invention have been described herein for puφoses of illustration, but that various modifications may be made without deviating from the spirit and scope of the invention. Accordingly, the invention is not limited except as by the appended claims.

Claims

CLAIMS 1. A method of facilitating secure communications between an enteφrise network and a user communicating over a wide-area network accessible to the enteφrise network, the method comprising: generating a set of encapsulated packets, generating the set of encapsulated packets further including encapsulating, within a first protocol, data packets originating with the user, wherein the user-originated data packets are encoded in a second protocol, and the second protocol is below the first protocol in a hierarchy of protocols; transmitting the encapsulated packets to the enteφrise network over the wide-area network; receiving the encapsulated packets at the enteφrise network; un-encapsulating the encapsulated packets to retrieve the user-originated data packets encoded in the second protocol; forwarding the user-originated data packets across the enteφrise network via the second protocol.
2. The method of claim 1, wherein the hierarchy of protocols is an ISO hierarchy.
3. The method of claim 1, wherein the first protocol is a layer 3 protocol.
4. The method of claim 3, wherein the second protocol is a layer 2 protocol.
5. The method of claim 4 wherein the user communicates with the wide-area network using a wireless protocol.
6. The method of claim 5 wherein the wireless protocol is WiFi.
7. The method of claim 1 wherein the user communicates over a local area network using a wireless protocol.
8. The method of claim 7 wherein the wireless protocol is WiFi.
9. The method of claim 1 wherein first protocol is a WiFi VPN protocol that rides on top of UDP/IP.
10. The method of claim 1, further comprising: encrypting the encapsulated packets prior to transmitting the encapsulated packets to the enteφrise network.
11. The method of claim 10, further comprising: after receiving the encapsulated packets, decrypting the encapsulated packets.
PCT/US2004/036948 2003-11-04 2004-11-04 Secure, standards-based communications across a wide-area network WO2005045642A2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2006539669A JP2007532043A (en) 2003-11-04 2004-11-04 Secure standard-based communication across wide area networks
EP04810412A EP1692595A2 (en) 2003-11-04 2004-11-04 Secure, standards-based communications across a wide-area network
CA002545272A CA2545272A1 (en) 2003-11-04 2004-11-04 Secure, standards-based communications across a wide-area network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US51699703P 2003-11-04 2003-11-04
US60/516,997 2003-11-04

Publications (2)

Publication Number Publication Date
WO2005045642A2 true WO2005045642A2 (en) 2005-05-19
WO2005045642A3 WO2005045642A3 (en) 2007-04-19

Family

ID=34572905

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2004/036948 WO2005045642A2 (en) 2003-11-04 2004-11-04 Secure, standards-based communications across a wide-area network

Country Status (5)

Country Link
US (1) US20050223111A1 (en)
EP (1) EP1692595A2 (en)
JP (1) JP2007532043A (en)
CA (1) CA2545272A1 (en)
WO (1) WO2005045642A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010503330A (en) * 2006-09-07 2010-01-28 モトローラ・インコーポレイテッド Method and apparatus for establishing a security association between nodes of an ad hoc wireless network
US9531543B2 (en) 2013-03-15 2016-12-27 Qualcomm Incorporated Authentication for relay deployment
WO2018133334A1 (en) * 2017-01-22 2018-07-26 深圳国人通信股份有限公司 L2tp-based wireless access system and interaction method therefor
US10375023B2 (en) 2004-02-20 2019-08-06 Nokia Technologies Oy System, method and computer program product for accessing at least one virtual private network

Families Citing this family (85)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7986937B2 (en) * 2001-12-20 2011-07-26 Microsoft Corporation Public access point
US7120791B2 (en) * 2002-01-25 2006-10-10 Cranite Systems, Inc. Bridged cryptographic VLAN
US7188364B2 (en) 2001-12-20 2007-03-06 Cranite Systems, Inc. Personal virtual bridged local area networks
FR2855697B1 (en) * 2003-05-26 2005-09-23 At & T Corp IPv4-BASED DATA CONVERSION SYSTEM IN IPv6-BASED DATA TO BE TRANSMITTED THROUGH IP-SWITCHED NETWORK
US7639656B2 (en) * 2004-04-28 2009-12-29 Symbol Technologies, Inc. Protocol for communication between access ports and wireless switches
US9232338B1 (en) 2004-09-09 2016-01-05 At&T Intellectual Property Ii, L.P. Server-paid internet access service
JP4074283B2 (en) * 2004-09-28 2008-04-09 株式会社東芝 COMMUNICATION DEVICE, COMMUNICATION SYSTEM, AND COMMUNICATION METHOD
US7734051B2 (en) * 2004-11-30 2010-06-08 Novell, Inc. Key distribution
US20070152076A1 (en) * 2004-12-13 2007-07-05 Chiang Kuo C Monitoring system with a wireless transmitting/receiving module
US20060184651A1 (en) * 2005-02-11 2006-08-17 Srikanthan Tirnumala Architecture for general purpose trusted virtual client and methods therefor
DE112006000618T5 (en) 2005-03-15 2008-02-07 Trapeze Networks, Inc., Pleasanton System and method for distributing keys in a wireless network
US20080195736A1 (en) * 2005-03-16 2008-08-14 Nec Corporation Wireless Network Connection Supporting Apparatus, Connection Supporting System, Connection Supporting Method and Program Using Same
US8126145B1 (en) 2005-05-04 2012-02-28 Marvell International Ltd. Enhanced association for access points
US7746866B2 (en) * 2005-05-13 2010-06-29 Intel Corporation Ordered and duplicate-free delivery of wireless data frames
US7653011B2 (en) * 2005-05-31 2010-01-26 Cisco Technology, Inc. Spanning tree protocol for wireless networks
US7787361B2 (en) * 2005-07-29 2010-08-31 Cisco Technology, Inc. Hybrid distance vector protocol for wireless mesh networks
US7660318B2 (en) * 2005-09-20 2010-02-09 Cisco Technology, Inc. Internetworking support between a LAN and a wireless mesh network
JP4629573B2 (en) * 2005-09-20 2011-02-09 富士通フロンテック株式会社 Wireless system activation and its program
US8638762B2 (en) 2005-10-13 2014-01-28 Trapeze Networks, Inc. System and method for network integrity
WO2007044986A2 (en) 2005-10-13 2007-04-19 Trapeze Networks, Inc. System and method for remote monitoring in a wireless network
US7551619B2 (en) 2005-10-13 2009-06-23 Trapeze Networks, Inc. Identity-based networking
US7573859B2 (en) 2005-10-13 2009-08-11 Trapeze Networks, Inc. System and method for remote monitoring in a wireless network
US7724703B2 (en) 2005-10-13 2010-05-25 Belden, Inc. System and method for wireless network monitoring
US20070106778A1 (en) * 2005-10-27 2007-05-10 Zeldin Paul E Information and status and statistics messaging method and system for inter-process communication
US8250587B2 (en) 2005-10-27 2012-08-21 Trapeze Networks, Inc. Non-persistent and persistent information setting method and system for inter-process communication
US20070110024A1 (en) * 2005-11-14 2007-05-17 Cisco Technology, Inc. System and method for spanning tree cross routes
US20070230470A1 (en) * 2006-03-28 2007-10-04 Redeye Networks, Inc. Virtual collapsed backbone network architecture
US7558266B2 (en) 2006-05-03 2009-07-07 Trapeze Networks, Inc. System and method for restricting network access using forwarding databases
US8966018B2 (en) 2006-05-19 2015-02-24 Trapeze Networks, Inc. Automated network device configuration and network deployment
US8818322B2 (en) 2006-06-09 2014-08-26 Trapeze Networks, Inc. Untethered access point mesh system and method
US9258702B2 (en) 2006-06-09 2016-02-09 Trapeze Networks, Inc. AP-local dynamic switching
US7912982B2 (en) 2006-06-09 2011-03-22 Trapeze Networks, Inc. Wireless routing selection system and method
US9191799B2 (en) 2006-06-09 2015-11-17 Juniper Networks, Inc. Sharing data between wireless switches system and method
US7844298B2 (en) 2006-06-12 2010-11-30 Belden Inc. Tuned directional antennas
US8417868B2 (en) * 2006-06-30 2013-04-09 Intel Corporation Method, apparatus and system for offloading encryption on partitioned platforms
US7724704B2 (en) 2006-07-17 2010-05-25 Beiden Inc. Wireless VLAN system and method
US7793103B2 (en) * 2006-08-15 2010-09-07 Motorola, Inc. Ad-hoc network key management
US7707415B2 (en) * 2006-09-07 2010-04-27 Motorola, Inc. Tunneling security association messages through a mesh network
US7734052B2 (en) * 2006-09-07 2010-06-08 Motorola, Inc. Method and system for secure processing of authentication key material in an ad hoc wireless network
US8340110B2 (en) 2006-09-15 2012-12-25 Trapeze Networks, Inc. Quality of service provisioning for wireless networks
CA2976266C (en) 2006-09-21 2019-10-29 Mark Hanson Wireless device registration, such as automatic registration of a wi-fi enabled device
US8046820B2 (en) * 2006-09-29 2011-10-25 Certes Networks, Inc. Transporting keys between security protocols
US8072952B2 (en) 2006-10-16 2011-12-06 Juniper Networks, Inc. Load balancing
US8332639B2 (en) * 2006-12-11 2012-12-11 Verizon Patent And Licensing Inc. Data encryption over a plurality of MPLS networks
US8161543B2 (en) * 2006-12-22 2012-04-17 Aruba Networks, Inc. VLAN tunneling
US7865713B2 (en) 2006-12-28 2011-01-04 Trapeze Networks, Inc. Application-aware wireless network system and method
US7873061B2 (en) 2006-12-28 2011-01-18 Trapeze Networks, Inc. System and method for aggregation and queuing in a wireless network
US8799648B1 (en) * 2007-08-15 2014-08-05 Meru Networks Wireless network controller certification authority
US8902904B2 (en) 2007-09-07 2014-12-02 Trapeze Networks, Inc. Network assignment based on priority
US8509128B2 (en) 2007-09-18 2013-08-13 Trapeze Networks, Inc. High level instruction convergence function
US8108911B2 (en) * 2007-11-01 2012-01-31 Comcast Cable Holdings, Llc Method and system for directing user between captive and open domains
US8238942B2 (en) 2007-11-21 2012-08-07 Trapeze Networks, Inc. Wireless station location detection
US20090168780A1 (en) * 2007-12-31 2009-07-02 Nortel Networks Limited MPLS P node replacement using a link state protocol controlled ethernet network
US8150357B2 (en) 2008-03-28 2012-04-03 Trapeze Networks, Inc. Smoothing filter for irregular update intervals
EP2277110B1 (en) * 2008-04-14 2018-10-31 Telecom Italia S.p.A. Distributed service framework
US8400990B1 (en) * 2008-04-28 2013-03-19 Dennis Volpano Global service set identifiers
US8474023B2 (en) 2008-05-30 2013-06-25 Juniper Networks, Inc. Proactive credential caching
US8978105B2 (en) 2008-07-25 2015-03-10 Trapeze Networks, Inc. Affirming network relationships and resource access via related networks
US8238298B2 (en) 2008-08-29 2012-08-07 Trapeze Networks, Inc. Picking an optimal channel for an access point in a wireless network
US8271775B2 (en) * 2008-12-17 2012-09-18 Cisco Technology, Inc. Layer two encryption for data center interconnectivity
CN101562813B (en) * 2009-05-12 2012-01-11 中兴通讯股份有限公司 Method for implementing real-time data service, real-time data service system and mobile terminal
US8965380B2 (en) * 2009-08-11 2015-02-24 Cisco Technology, Inc. System and method for providing access in a network environment
US8914520B2 (en) * 2009-11-16 2014-12-16 Cisco Technology, Inc. System and method for providing enterprise integration in a network environment
US8400921B2 (en) * 2010-03-17 2013-03-19 Cisco Technology, Inc. System and method for providing rate control in a network environment
US20110258236A1 (en) * 2010-04-16 2011-10-20 Iyer Pradeep J Secure Hotspot Roaming
US8351354B2 (en) 2010-09-30 2013-01-08 Intel Corporation Privacy control for wireless devices
US8402120B1 (en) * 2010-11-04 2013-03-19 Adtran, Inc. System and method for locating and configuring network device
CN102869012B (en) * 2011-07-05 2018-11-06 横河电机株式会社 Device of wireless local area network access point and system and associated method
US8990892B2 (en) * 2011-07-06 2015-03-24 Cisco Technology, Inc. Adapting extensible authentication protocol for layer 3 mesh networks
JP5891793B2 (en) * 2012-01-05 2016-03-23 村田機械株式会社 Relay server
US9504089B2 (en) * 2012-05-14 2016-11-22 Broadcom Corporation System and method for wireless station bridging
WO2013187709A1 (en) * 2012-06-13 2013-12-19 Samsung Electronics Co., Ltd. Method and system for securing control packets and data packets in a mobile broadband network environment
CN103200172B (en) * 2013-02-19 2018-06-26 中兴通讯股份有限公司 A kind of method and system of 802.1X accesses session keepalive
US10298416B2 (en) * 2013-09-05 2019-05-21 Pismo Labs Technology Limited Method and system for converting a broadcast packet to a unicast packet at an access point
US9413666B2 (en) 2013-10-02 2016-08-09 Cisco Technology, Inc. Reporting radio access network congestion information in a network sharing environment
JP6450257B2 (en) * 2015-05-19 2019-01-09 株式会社Nttドコモ Wireless communication system
US10412088B2 (en) * 2015-11-09 2019-09-10 Silvercar, Inc. Vehicle access systems and methods
US10142886B2 (en) 2016-09-30 2018-11-27 Cisco Technology, Inc. System and method to facilitate group reporting of user equipment congestion information in a network environment
US10785683B2 (en) * 2017-03-30 2020-09-22 Maxlinear, Inc. Native fragmentation in WiFi protected access 2 (WPA2) pass-through virtualization protocol
WO2018182604A1 (en) * 2017-03-30 2018-10-04 Intel Corporation Wifi protected access 2 (wpa2) pass-through virtualization
US11283694B2 (en) * 2017-07-20 2022-03-22 Movius Interactive Corportion System and method providing usage analytics for a mobile device
US20190037613A1 (en) * 2017-07-31 2019-01-31 Qualcomm Incorporated Public wireless internet service (wisp) with authentication supported by mobile network operator (mno)
US10826945B1 (en) * 2019-06-26 2020-11-03 Syniverse Technologies, Llc Apparatuses, methods and systems of network connectivity management for secure access
US11582196B2 (en) 2020-11-02 2023-02-14 Datto, Inc. System for managing and controlling mesh virtual private network and method associated therewith
US20220330024A1 (en) * 2021-04-09 2022-10-13 Saudi Arabian Oil Company Third party remote access point on enterprise network

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6366563B1 (en) * 1999-12-22 2002-04-02 Mci Worldcom, Inc. Method, computer program product, and apparatus for collecting service level agreement statistics in a communication network
US7113996B2 (en) * 2000-07-21 2006-09-26 Sandy Craig Kronenberg Method and system for secured transport and storage of data on a network

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6081524A (en) * 1997-07-03 2000-06-27 At&T Corp. Frame relay switched data service
US6463285B1 (en) * 2000-02-09 2002-10-08 Lucent Technologies Inc. Arrangement for data exchange in a wireless communication system
AU2001240005B2 (en) * 2000-03-03 2005-11-17 Qualcomm Incorporated Method and apparatus for participating in group communication services in an existing communication system
US6856624B2 (en) * 2001-02-21 2005-02-15 Alcatel Temporary unique private address
US6944168B2 (en) * 2001-05-04 2005-09-13 Slt Logic Llc System and method for providing transformation of multi-protocol packets in a data stream
US7126952B2 (en) * 2001-09-28 2006-10-24 Intel Corporation Multiprotocol decapsulation/encapsulation control structure and packet protocol conversion method
CN101715193A (en) * 2002-10-18 2010-05-26 卡耐特无线有限公司 Apparatus and method for extending the coverage area of a licensed wireless communication system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6366563B1 (en) * 1999-12-22 2002-04-02 Mci Worldcom, Inc. Method, computer program product, and apparatus for collecting service level agreement statistics in a communication network
US7113996B2 (en) * 2000-07-21 2006-09-26 Sandy Craig Kronenberg Method and system for secured transport and storage of data on a network

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10375023B2 (en) 2004-02-20 2019-08-06 Nokia Technologies Oy System, method and computer program product for accessing at least one virtual private network
US11258765B2 (en) 2004-02-20 2022-02-22 Nokia Technologies Oy System, method and computer program product for accessing at least one virtual private network
JP2010503330A (en) * 2006-09-07 2010-01-28 モトローラ・インコーポレイテッド Method and apparatus for establishing a security association between nodes of an ad hoc wireless network
US9531543B2 (en) 2013-03-15 2016-12-27 Qualcomm Incorporated Authentication for relay deployment
WO2018133334A1 (en) * 2017-01-22 2018-07-26 深圳国人通信股份有限公司 L2tp-based wireless access system and interaction method therefor

Also Published As

Publication number Publication date
EP1692595A2 (en) 2006-08-23
CA2545272A1 (en) 2005-05-19
JP2007532043A (en) 2007-11-08
US20050223111A1 (en) 2005-10-06
WO2005045642A3 (en) 2007-04-19

Similar Documents

Publication Publication Date Title
US20050223111A1 (en) Secure, standards-based communications across a wide-area network
US7441043B1 (en) System and method to support networking functions for mobile hosts that access multiple networks
EP1378093B1 (en) Authentication and encryption method and apparatus for a wireless local access network
US6970459B1 (en) Mobile virtual network system and method
KR100826736B1 (en) A method of dynamically connecting a client node to a serving network, a method of connecting a client node to multiple internet service providers, and a method of connecting a client node to a serving network
JP3778129B2 (en) Wireless network and authentication method in wireless network
US8335490B2 (en) Roaming Wi-Fi access in fixed network architectures
EP3096497B1 (en) Method, apparatus, and network system for terminal to traverse private network to communicate with server in ims core network
EP3459318B1 (en) Using wlan connectivity of a wireless device
CA2439568C (en) Hybrid network
JP2004312257A (en) Base station, repeating device and communication system
RU2292648C2 (en) System, device, and method designed for sim based authentication and for encryption with wireless local area network access
Li et al. Public access mobility LAN: extending the wireless Internet into the LAN environment
Xenakis et al. Dynamic network-based secure VPN deployment in GPRS
Nishimura A distributed authentication mechanism for sharing an overlay network among multiple organizations
Zhang The solution and management of VPN based IPSec technology
Persaud Core network mobility: Active MPLS
Casole et al. Secure access to corporate resources in a multi-access perspective: needs, problems, and solutions
Sara 2.3 Virtual Private Networking Solutions
Ramezani Coordinated Robust Authentication In Wireless Networks
KIPRUTO TERM PAPER: VPLS SECURITY
Kim et al. Security and handover designs for VoWLAN system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2545272

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 2006539669

Country of ref document: JP

DPEN Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101)
WWE Wipo information: entry into national phase

Ref document number: 1512/KOLNP/2006

Country of ref document: IN

WWE Wipo information: entry into national phase

Ref document number: 2004810412

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 1020067011080

Country of ref document: KR

WWP Wipo information: published in national office

Ref document number: 2004810412

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 2004810412

Country of ref document: EP