Abstract:
A method and system for preventing packet loss during handoff of a mobile host between access networks. In accordance with an aspect of the invention, a home agent on a network maintains a FIFO (First In-First Out) buffer for every mobile host that it serves. When a packet destined for a particular mobile host is received at the home agent, it is assigned an incremental sequence number, encapsulated as an IP packet, and forwarded to the mobile host with the sequence number as an identifier. The packet and its sequence number are then retained in the buffer for a period of time after the packet was forwarded. Once hand-off to the new access network is complete, the mobile host sends the home agent the sequence number of the last IP packet it received together with its new care-of IP address. From this sequence number the home agent determines which packets were routed to the previous care-of IP address after the host had left; these are retrieved from the buffer and resent to the new care-of IP address.
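The buffering and resend logic described above, as an added Go example that is not code from the patent: a home agent with one FIFO per mobile host, a per-host sequence counter, a retention window, and the handoff step that resends everything after the last sequence number the host reports. The home and care-of addresses, the two-second retention window and the one-byte payloads are constructed sample values. The binding update is taken on trust here; in a real deployment it must be authenticated, otherwise anyone who can send the home agent a "last received" number and a care-of address can redirect the buffered traffic.

```go
package main

import (
	"fmt"
	"time"
)

// bufferedPacket is a packet already tunnelled to the mobile host, kept so it
// can be resent if the host moves before receiving it.
type bufferedPacket struct {
	Seq     uint32
	Payload []byte
	SentAt  time.Time
}

// Encapsulated is the tunnelled packet as forwarded to a care-of address; the
// sequence number travels with it as the packet's identifier.
type Encapsulated struct {
	Seq     uint32
	CareOf  string
	Payload []byte
}

// hostState is kept per mobile host: current care-of address, next sequence
// number, and the FIFO of forwarded packets (oldest first).
type hostState struct {
	careOf  string
	nextSeq uint32
	fifo    []bufferedPacket
}

// HomeAgent serves many mobile hosts, keyed by home address.
type HomeAgent struct {
	retain time.Duration // how long a forwarded packet stays in the FIFO
	hosts  map[string]*hostState
}

func NewHomeAgent(retain time.Duration) *HomeAgent {
	return &HomeAgent{retain: retain, hosts: map[string]*hostState{}}
}

// Register binds a mobile host's home address to its current care-of address.
func (ha *HomeAgent) Register(home, careOf string) {
	st, ok := ha.hosts[home]
	if !ok {
		st = &hostState{nextSeq: 1}
		ha.hosts[home] = st
	}
	st.careOf = careOf
}

// expire drops packets older than the retention window from the head of the FIFO.
func (ha *HomeAgent) expire(st *hostState, now time.Time) {
	i := 0
	for i < len(st.fifo) && now.Sub(st.fifo[i].SentAt) > ha.retain {
		i++
	}
	st.fifo = st.fifo[i:]
}

// Forward handles a packet arriving for a mobile host: assign the next sequence
// number, encapsulate it to the current care-of address, and keep a copy.
func (ha *HomeAgent) Forward(home string, payload []byte, now time.Time) (Encapsulated, error) {
	st, ok := ha.hosts[home]
	if !ok {
		return Encapsulated{}, fmt.Errorf("no binding for %s", home)
	}
	ha.expire(st, now)
	seq := st.nextSeq
	st.nextSeq++
	st.fifo = append(st.fifo, bufferedPacket{Seq: seq, Payload: payload, SentAt: now})
	return Encapsulated{Seq: seq, CareOf: st.careOf, Payload: payload}, nil
}

// Handoff processes the update the host sends from the new network: the last
// sequence number it received and its new care-of address. Every buffered
// packet with a higher sequence number went to the old address and is resent.
func (ha *HomeAgent) Handoff(home string, lastSeq uint32, newCareOf string, now time.Time) ([]Encapsulated, error) {
	st, ok := ha.hosts[home]
	if !ok {
		return nil, fmt.Errorf("no binding for %s", home)
	}
	if lastSeq >= st.nextSeq { // the host claims a packet that was never sent
		return nil, fmt.Errorf("last-received seq %d ahead of next seq %d", lastSeq, st.nextSeq)
	}
	ha.expire(st, now)
	st.careOf = newCareOf
	var resent []Encapsulated
	for _, p := range st.fifo {
		if p.Seq > lastSeq {
			resent = append(resent, Encapsulated{Seq: p.Seq, CareOf: newCareOf, Payload: p.Payload})
		}
	}
	return resent, nil
}

func main() {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ha := NewHomeAgent(2 * time.Second)
	ha.Register("10.0.0.7", "192.0.2.10") // constructed: home address -> old care-of address
	for _, msg := range []string{"a", "b", "c", "d"} {
		pkt, _ := ha.Forward("10.0.0.7", []byte(msg), t0)
		fmt.Printf("forwarded seq=%d to %s\n", pkt.Seq, pkt.CareOf)
	}
	// The host heard seq 1 and 2 before moving; 3 and 4 went to the old address.
	resent, _ := ha.Handoff("10.0.0.7", 2, "198.51.100.5", t0.Add(time.Second))
	for _, p := range resent {
		fmt.Printf("resent seq=%d to %s payload=%q\n", p.Seq, p.CareOf, p.Payload)
	}
}
```

The retention window is the whole trade-off: too short and packets sent just before the handoff are gone when the update arrives; too long and the home agent holds a copy of every packet for every host it serves, which is memory an attacker can drive up by sending traffic to hosts that never report back.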
Abstract:
An IP-based corporate network architecture and method for providing seamless secure mobile networking across office WLAN, home WLAN, public WLAN, and 2.5G/3G cellular networks for corporate wireless data users. The system includes Internet roaming clients (IRCs), a secure mobility gateway (SMG), optional secure IP access (SIA) gateways, and a virtual single account (VSA) server. The IRC is a special client tool installed on a mobile computer (laptop or PDA) equipped with a WLAN adaptor and a cellular modem. It is responsible for establishing and maintaining a mobile IPsec tunnel between the mobile computer and a corporate intranet. The SMG is a mobile IPsec gateway installed between the corporate intranet and the Internet. It works in conjunction with the IRC to maintain the mobile IPsec tunnel when the mobile computer is connected to the Internet via a home WLAN, a public WLAN, or a cellular network. The SIA gateway is a special IPsec gateway installed between the wired corporate intranet and an office WLAN. It works with the IRC to ensure data security and efficient use of corporate IP addresses when the mobile computer is connected to the office WLAN. The VSA server manages authentication credentials for every corporate user based on a virtual single account concept. The Internet Roaming system can provide secure, always-on office network connectivity for corporate users wherever they are, over the best available wireless network.
Abstract:
A method and apparatus to enable IP networking for mobile hosts without requiring changes to be made to the TCP/IP stack in the operating system installed on the mobile hosts. The apparatus is an "intelligent device" that can be installed on or connected to a mobile host, and may comprise a software-only logical module, physical hardware, or a combination of both. To a mobile host, the intelligent device emulates a network interface such as an Ethernet card or a telephone modem. To an access network, the intelligent device appears just like any regular IP host connected through a physical network interface device. The intelligent device handles all mobile networking functions for the mobile host, and may control multiple different physical network interface devices to enable a connection to the "best" access network available at the mobile user's location.
Abstract:
A network interface driver embodied in a processor readable medium comprising executable program instructions that, when executed by a processor, independently process internetworking protocols between a host computer (or other network access device) and another computer on a remote network. The driver appears to the operating system as a regular network interface driver, but it can support enhanced kernel-level internetworking protocols by using a state machine to generate, drop, and change incoming and outgoing IP packets in a manner transparent to the operating system.
Abstract:
A fast authentication and access control method for authenticating a network access device to a communications network having an access point that communicates with a remote authentication (home AAA) server for the network access device. The method includes the step of receiving, at the access point, an access request carrying an authentication credential from the network access device. The authentication credential includes a security certificate containing a public key for the network access device and an expiration time. The security certificate is signed with a private key of the remote authentication server. The access point validates the authentication credential locally by retrieving the public key of the remote authentication server from a local database and checking the signature and expiration time of the security certificate. If the authentication credential is validated at the access point, the access point grants the network access device conditional access to the network by sending it an access granted message. The access granted message includes a session key encrypted with the public key of the network access device; the session key is stored in a database associated with the access point. The access point then contacts the remote authentication server to check the revocation status of the security certificate. If the access point receives a message from the remote authentication server that the authentication credential for the network access device has been revoked, it suspends network access for that device.
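The exchange in the abstract above, worked through as an added Go example that is not the patent's own code or any vendor implementation. The certificate layout, the choice of RSA-PSS for the AAA signature and RSA-OAEP for wrapping the session key, and the device identifier "laptop-42" are assumptions made for the example; the standard library's crypto/rsa and crypto/x509 packages do the cryptography. The access point checks the certificate with the AAA public key from its local database, hands out a session key at once, and applies the home AAA server's revocation answer afterwards. One check the abstract leaves implicit is included: a device whose session has been suspended is refused on the fast path, otherwise it could re-present the same still-valid certificate and regain conditional access.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"fmt"
	"time"
)

// DeviceCert is the credential: the device's public key and an expiry, signed
// by the home AAA server. The layout is an assumption made for this example.
type DeviceCert struct {
	DeviceID  string
	PubKeyDER []byte // PKIX DER of the device's RSA public key
	Expires   time.Time
	Signature []byte // RSA-PSS by the AAA private key over certDigest
}

// certDigest fixes what the signature covers: identity, key and expiry.
func certDigest(id string, pubDER []byte, exp time.Time) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(exp.Unix()))
	h := sha256.New()
	h.Write([]byte(id))
	h.Write([]byte{0}) // separator between identity and key bytes
	h.Write(pubDER)
	h.Write(ts[:])
	return h.Sum(nil)
}

func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueCert is the enrolment step at the home AAA server (assumed here; the
// abstract only says the certificate is signed with the server's private key).
func IssueCert(aaa *rsa.PrivateKey, id string, devPub *rsa.PublicKey, exp time.Time) (DeviceCert, error) {
	der, err := x509.MarshalPKIXPublicKey(devPub)
	if err != nil {
		return DeviceCert{}, err
	}
	sig, err := rsa.SignPSS(rand.Reader, aaa, crypto.SHA256, certDigest(id, der, exp), nil)
	return DeviceCert{DeviceID: id, PubKeyDER: der, Expires: exp, Signature: sig}, err
}

// AccessPoint keeps the AAA public key in its local database, the session key
// of every admitted device, and which sessions have been suspended.
type AccessPoint struct {
	aaaPub    *rsa.PublicKey
	keys      map[string][]byte
	suspended map[string]bool
}

func NewAccessPoint(aaaPub *rsa.PublicKey) *AccessPoint {
	return &AccessPoint{aaaPub: aaaPub, keys: map[string][]byte{}, suspended: map[string]bool{}}
}

// RequestAccess is the fast path: validate locally and grant conditional access
// at once. It returns the access-granted message, i.e. a fresh session key
// encrypted (RSA-OAEP) to the device's public key.
func (ap *AccessPoint) RequestAccess(c DeviceCert, now time.Time) ([]byte, error) {
	if ap.suspended[c.DeviceID] {
		return nil, fmt.Errorf("%s is suspended after a revocation answer", c.DeviceID)
	}
	if !now.Before(c.Expires) {
		return nil, fmt.Errorf("certificate for %s expired", c.DeviceID)
	}
	digest := certDigest(c.DeviceID, c.PubKeyDER, c.Expires)
	if err := rsa.VerifyPSS(ap.aaaPub, crypto.SHA256, digest, c.Signature, nil); err != nil {
		return nil, fmt.Errorf("AAA signature invalid: %w", err)
	}
	pub, err := x509.ParsePKIXPublicKey(c.PubKeyDER)
	if err != nil {
		return nil, err
	}
	devPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("device key is not RSA")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, key, []byte("session-key"))
	if err != nil {
		return nil, err
	}
	ap.keys[c.DeviceID] = key // the access point's session database
	return enc, nil
}

// ApplyRevocationStatus is the slow path, run once the home AAA server has
// answered the revocation query: a revoked device loses its conditional access.
func (ap *AccessPoint) ApplyRevocationStatus(id string, revoked bool) {
	if _, ok := ap.keys[id]; ok && revoked {
		ap.suspended[id] = true
	}
}

// HasAccess reports whether the device is currently being served.
func (ap *AccessPoint) HasAccess(id string) bool {
	_, ok := ap.keys[id]
	return ok && !ap.suspended[id]
}

// SessionKey returns the key stored for the device (nil if none).
func (ap *AccessPoint) SessionKey(id string) []byte { return ap.keys[id] }

// DeviceUnwrapKey is the device side: recover the session key with its private key.
func DeviceUnwrapKey(dev *rsa.PrivateKey, encryptedKey []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, dev, encryptedKey, []byte("session-key"))
}

func main() {
	aaa, _ := NewKeyPair()
	dev, _ := NewKeyPair()
	now := time.Now()
	cert, _ := IssueCert(aaa, "laptop-42", &dev.PublicKey, now.Add(24*time.Hour))
	ap := NewAccessPoint(&aaa.PublicKey)
	_, err := ap.RequestAccess(cert, now)
	ap.ApplyRevocationStatus("laptop-42", true) // home AAA server answered: revoked
	fmt.Println("granted:", err == nil, "served after revocation:", ap.HasAccess("laptop-42"))
}
```

The window this design accepts is the interval between the access-granted message and the revocation answer, during which a device with a revoked certificate is served. Keep it short (a timeout on the AAA query should default to suspension, not to continued service) and keep certificate lifetimes short, since expiry is the only check that needs no round trip.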
Abstract:
A protocol framework for a Secure IP Access (SIA) method, and supporting components deployed on IP hosts and IP networks. Using this method, an IP host can establish a secure data channel within an IP network over an insecure shared link while requesting an IP address and networking configuration parameters from the IP network. A system administrator can implement strong access control against the attacks an edge IP network may face, such as a denial-of-service attack that exhausts the pool of assignable IP addresses. This is a lightweight, scalable, and backward-compatible solution that can improve the security of public and corporate LANs with open access points such as wireless access points and Ethernet jacks.
Abstract:
A Virtual Single Account (VSA) system and method that provides a mobile user with automatic authentication and connection to a remote network via local access networks with a single password, where the local access networks may be independent of the remote network. A mobile user has a single authentication credential for one VSA that is utilized by a VSA client installed on a mobile computing device. The VSA client automatically authenticates and connects the user's mobile device to the current local access network, and then to the target remote network such as the user's office network. All authentication credentials are encrypted under a key derived from the user's single VSA password. The VSA client derives the key from the submitted VSA password and decrypts all authentication credentials required to connect the mobile device to the current local access network and thereafter to the office network.
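The credential store the VSA client keeps, as an added Go example that is not the patent's code: every per-network secret is sealed in one AES-256-GCM blob under a key derived from the single VSA password, and opening the store with the submitted password yields the credentials for the local access network and the office tunnel. PBKDF2-HMAC-SHA-256 is an assumed choice, since the abstract only says the key is generated from the password; it is written out here so the example needs nothing outside the standard library. The credential names, values and the iteration count are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// DefaultIterations is an assumed PBKDF2 work factor; the abstract names no KDF.
const DefaultIterations = 600_000

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256: for each output block,
// T = U_1 xor U_2 xor ... xor U_c with U_1 = PRF(P, S || INT(i)), U_n = PRF(P, U_{n-1}).
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := 1; len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Vault is the VSA client's encrypted credential store: one AES-256-GCM blob
// holding every per-network credential, plus the public KDF parameters.
type Vault struct {
	Salt       []byte
	Iterations int
	Nonce      []byte
	Ciphertext []byte
}

// aad binds salt and iteration count to the ciphertext as associated data.
func (v Vault) aad() []byte {
	var it [4]byte
	binary.BigEndian.PutUint32(it[:], uint32(v.Iterations))
	return append(append([]byte(nil), v.Salt...), it[:]...)
}

func newGCM(password string, salt []byte, iterations int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts the credential map under a key derived from the single VSA password.
func SealVault(password string, creds map[string]string, iterations int) (Vault, error) {
	plain, err := json.Marshal(creds)
	if err != nil {
		return Vault{}, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Vault{}, err
	}
	gcm, err := newGCM(password, salt, iterations)
	if err != nil {
		return Vault{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Vault{}, err
	}
	v := Vault{Salt: salt, Iterations: iterations, Nonce: nonce}
	v.Ciphertext = gcm.Seal(nil, nonce, plain, v.aad())
	return v, nil
}

// OpenVault re-derives the key from the submitted password and decrypts. A wrong
// password or any tampering fails GCM authentication instead of yielding garbage.
func OpenVault(password string, v Vault) (map[string]string, error) {
	gcm, err := newGCM(password, v.Salt, v.Iterations)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, v.Nonce, v.Ciphertext, v.aad())
	if err != nil {
		return nil, fmt.Errorf("vault did not open: %w", err)
	}
	var creds map[string]string
	if err := json.Unmarshal(plain, &creds); err != nil {
		return nil, err
	}
	return creds, nil
}

func main() {
	// Constructed sample credentials: the office WLAN passphrase and the SMG tunnel secret.
	creds := map[string]string{"wlan:office": "office-wpa-passphrase", "ipsec:smg.example.com": "corp-tunnel-secret"}
	v, err := SealVault("the-one-vsa-password", creds, DefaultIterations)
	if err != nil {
		panic(err)
	}
	got, err := OpenVault("the-one-vsa-password", v)
	fmt.Println("opened:", err == nil, "office WLAN key:", got["wlan:office"])
	_, err = OpenVault("wrong-password", v)
	fmt.Println("wrong password:", err)
}
```

Check the KDF against the PBKDF2-HMAC-SHA-256 vectors in RFC 7914, section 11, before relying on it. Because GCM authenticates the blob, a mistyped password fails cleanly rather than producing plausible-looking garbage that the client would then present to an access network; and because the single password is now the only thing between an attacker holding the device and every network credential, the work factor and the device's own lock screen carry the whole design.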