
System and Method for Configuration Management Policy Update Delivering

IP.com Disclosure Number: IPCOM000242899D
Original Publication Date: 2015-Aug-27
Included in the Prior Art Database: 2015-Aug-27
Document File: 5 page(s) / 361K

Related People

Aleksandrov, Vasilii: INVENTOR [+3]


- Using an existing IKE connection between the VPN server and the MVPN clients running on the handheld devices to notify clients about policy update.
- New IKE Payload type for pushing notifications from server and transmitting policy revision and delay time.

Acronyms: IKE - The Internet Key Exchange (RFC 2409)

This text was extracted from a Microsoft Word document.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 54% of the total text.

System and Method for Configuration Management Policy Update Delivering

By Vasilii Aleksandrov, Igor Zakharov, Yegor Uttcov

Motorola Solutions



This paper describes a system and method for delivering configuration management policy updates. The method solves the problem of the large time difference between the moment an update becomes available and the moment it is applied when the periodic polling method is used. It also solves the problem of network impact from periodically creating client-server sessions under the polling method, and from keeping many auxiliary connections open under the PUSH notifications method.


The configuration policy allows the VPN client (301) to have its settings updated remotely from the Configuration Management (CM) server (303). Each configuration policy contains a policy revision field and the configuration itself. The common implementation of a VPN's policy update mechanism (300) requires the client to poll the CM server periodically.

The VPN client (301) should periodically send a request (309) to the CM server (303) to learn whether a policy update is available; if it is (311), the client should download the policy itself (312, 313) and apply the update.

This implementation has two major problems:

1. The large time difference between the moment the policy update becomes available on the CM server and the moment it is applied on the client.

2. The network impact of periodically creating client-server sessions.


The solution is to implement server-side notifications that are pushed to the clients over the existing IKE connection (solves problem 2). These notifications are secure because the IKE connection is encrypted.

This connection exists for as long as the client is connected to the server.

Once the client is notified, it may download the update immediately or after some delay defined in the notification, and apply it (solves problem 1).

The notification should contain the policy revision to allow the client to decide if the update is required or not. The notification should also contain the delay time to...
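The client-side decision described above, sketched as an added example that is not part of the original disclosure: the notification carries a policy revision and a delay, and the client compares the revision with its own before scheduling a download. The body layout (two 32-bit fields), integer revisions that only increase, and the delay cap are assumptions; only the 4-byte generic payload header follows ISAKMP (RFC 2408), and the payload type number is not modeled.

```python
import struct

# Assumptions (not from the disclosure): body layout, integer revisions
# that only increase, and the client-side delay cap.
GENERIC_HDR = struct.Struct("!BBH")  # next payload, reserved, payload length (RFC 2408)
BODY = struct.Struct("!II")          # assumed body: policy revision, delay in seconds
MAX_DELAY_S = 3600                   # assumed cap on the delay a notice may request


class MalformedPayload(ValueError):
    """Raised when a notification fails structural validation."""


def build_notification(revision, delay_s, next_payload=0):
    """Server side: encode the notification payload (form before IKE encryption)."""
    body = BODY.pack(revision, delay_s)
    return GENERIC_HDR.pack(next_payload, 0, GENERIC_HDR.size + len(body)) + body


def parse_notification(payload):
    """Client side: validate header and lengths before trusting any field."""
    if len(payload) < GENERIC_HDR.size:
        raise MalformedPayload("shorter than generic payload header")
    _next, reserved, length = GENERIC_HDR.unpack_from(payload)
    if reserved != 0:
        raise MalformedPayload("reserved byte must be zero")
    if length != len(payload) or length != GENERIC_HDR.size + BODY.size:
        raise MalformedPayload("length field does not match payload")
    return BODY.unpack_from(payload, GENERIC_HDR.size)


def decide(current_revision, payload):
    """Return (action, delay_s); download only for a strictly newer revision."""
    revision, delay_s = parse_notification(payload)
    if revision <= current_revision:
        return ("ignore", 0)         # already applied, or a stale or repeated notice
    return ("download", min(delay_s, MAX_DELAY_S))


if __name__ == "__main__":
    note = build_notification(revision=42, delay_s=30)   # constructed sample
    print(decide(41, note))   # client is behind: schedule download
    print(decide(42, note))   # client is current: nothing to do
```
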