The present invention relates to a communication system and in particular but not exclusively to a communication system having an end user connected to a WLAN and able to obtain services provided by or via a mobile operator domain.
A communication system can be seen as a facility that enables communication between two or more entities such as user equipment and/or other nodes associated with the system. The communication may comprise, for example, communication of voice, data, multimedia and so on.
A communication system typically operates in accordance with a given standard or specification, which sets out what the various elements of the system are permitted to do and how that should be achieved. For example, the standard or specification may define whether the user, or more precisely the user equipment or terminal, is provided with a circuit switched service and/or a packet switched service.
Communication protocols and/or parameters which should be used for the connection may also be defined. In other words, a specific set of rules on which a communication can be based needs to be defined to enable communication by means of a system.
Public wireless local area networks (WLANs) have been proposed. Operators of mobile telephone (or other user equipment) networks generally want to offer WLAN services to their clients, but at least some of these mobile operators do not want to build the WLAN access networks themselves. One proposal is that wireless Internet service providers (WISPs) will build and operate the access zones. The mobile operators will want to provide added services for the WLAN end user as easily as possible from the perspective of the end user.
With the current proposals, authorization for services provided by or via the mobile operator's service infrastructure requires tight end-user traffic control from the WISP operated WLAN access zone. However, the reality of the situation is that the existing WLAN networks are built using equipment that is not able to easily provide this kind of traffic control functionality.
Whilst it may be possible to replace the existing WISP access zone equipment with equipment that can tightly control the end user traffic from the WLAN access zone, the business realities are such that this kind of replacement will not take place in practice.
It is an aim of embodiments of the present invention to address the above described problems.
According to a first aspect of the invention, there is provided a communication system comprising a user equipment, an access network to which said user equipment is attachable and an access controller connected to said access network and a domain, said access controller being arranged to receive a query from said user equipment for a service provided by said domain or a service accessible via said domain, to check if said user equipment is authorized and if so to permit said user equipment to obtain said service from or via said domain.
According to a second aspect of the invention there is provided an access controller for use in a communication system which also comprises a user equipment and an access network to which said user equipment is attachable, said access controller being connectable to said access network and a domain, said access controller being arranged to receive a query from said user equipment for a service provided by said domain or a service accessible via said domain, to check if said user equipment is authorized and if so to permit said user equipment to obtain said service from or via said domain.
According to a third aspect of the invention, there is provided a communication method comprising receiving at an access controller a query from user equipment attached to an access network for a service provided by a domain or a service accessible via said domain, checking if said user equipment is authorized and if so permitting said user equipment to obtain said service from or via said domain.
For a better understanding of the present invention and as to how the same may be carried into effect, reference will now be made by way of example only to the accompanying drawings in which:
Reference will now be made to FIGS. 1 to 4 to describe embodiments of the present invention.
Reference will first be made to
In step S2, access authentication is carried out. This will be described in more detail in relation to
In step S3, the access controller 16 establishes a session for the terminal 10 if the terminal is authorized by the back-end of the AAA-Server.
In step S4, the mobile operator access controller 16 may act as a service control system by itself or it may be a forwarding element towards the mobile operator's service control system. In the latter case the connection to elements handling the service controlling functions is established during the end-user access authentication.
In step S5, the terminal 10 sends a query identifying the service or Internet site (foo.bar in this example) to which the user wishes to be connected. This query is sent to the mobile operator access controller 16.
In step S6, the access controller sends a DNS query to a WISP DNS server 14 (or any other DNS server that represents the Internet Domain Name Space; this phase follows the normal Domain Name System (DNS) procedures). In step S7, the WISP DNS server provides the name of the server back to the mobile operator access controller. In step S8, the mobile operator access controller sends the DNS query to the identified service, that is foo.bar 24. In reply, in step S9, an address corresponding to foo.bar is sent back from the service to the mobile operator access controller 16. This address is sent in step S10 from the mobile operator access controller 16 to the terminal 10. In step S11, there is user traffic between the terminal 10 and the service foo.bar 24.
In step S12, the terminal 10 wishes to access a mobile operator hosted service and sends a DNS query to resolve the IP address for that service (my server.operator.com in the example) to the mobile operator access controller 16. In step S13, the mobile operator access controller 16 checks the end user session. If the terminal 10 has been authorized, then a DNS query is sent in step S14 to the mobile operator DNS server 20. This DNS server may be the access controller itself or a nominated server for this region only. In the example shown in
If the next step is S14, then that will be followed by step S15 where an IP address is provided from the mobile operator DNS server 20 to the mobile operator access controller 16. This address is forwarded by the mobile operator access controller 16 in step S16 to the terminal 10. In step S17, the mobile operator access controller or service control system authorizes user traffic to the mobile operator service.
The service control system is the system that is able to authorize end-users to mobile operator's services.
Reference will now be made to
In
The WISP network including the WISP access controller (the WISP network is reference 12 for simplicity) provides the mobile operator access controller 16 with an IP address for the end user or terminal 10. If the AAA protocol is Radius, the IP address is resolved in the mobile operator access controller 16 from the attribute named Framed-IP-Address in the Access-Request or Accounting-Start message. It should be appreciated that this is also compatible with the authentication defined in the IEEE standard 802.1x, where the IP address is resolved from the Framed-IP-Address in the Accounting-Start message. The resolved IP address is sent by the mobile operator access controller 16 to the authorization arrangement 18. In the embodiment shown in
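As an added example (not part of the patent text), the following Python resolves the end user's IP address from a Radius packet in the way described above: it takes Framed-IP-Address (attribute type 8) from an Access-Request (code 1) or from an Accounting-Request (code 4) whose Acct-Status-Type is Start, and ignores Stop and interim records. The packet builder and the sample packets are constructed for the illustration, with a zeroed authenticator rather than a computed one.

```python
import ipaddress
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2866)
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_ACCT_STATUS_TYPE = 1, 8, 40
ACCT_STATUS_START, ACCT_STATUS_STOP = 1, 2


def parse_radius(packet):
    """Return (code, attributes) for one RADIUS packet, attributes keyed by type."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = {}
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def resolve_end_user_ip(packet):
    """Framed-IP-Address from an Access-Request or an Accounting-Start, else None."""
    code, attrs = parse_radius(packet)
    if code == ACCOUNTING_REQUEST:
        status = attrs.get(ATTR_ACCT_STATUS_TYPE)
        if not status or int.from_bytes(status[0], "big") != ACCT_STATUS_START:
            return None  # Stop and Interim-Update records do not open a session
    elif code != ACCESS_REQUEST:
        return None
    framed = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    if not framed or len(framed[0]) != 4:
        return None
    return str(ipaddress.IPv4Address(framed[0]))


def build_packet(code, attrs):
    """Constructed test packet; the authenticator is zeroed, not computed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples for user "alice" at 10.1.2.3: a Start and a Stop record
ALICE_IP = ipaddress.IPv4Address("10.1.2.3").packed
ACCT_START = build_packet(ACCOUNTING_REQUEST, [(ATTR_USER_NAME, b"alice"),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START)), (ATTR_FRAMED_IP_ADDRESS, ALICE_IP)])
ACCT_STOP = build_packet(ACCOUNTING_REQUEST, [(ATTR_USER_NAME, b"alice"),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_STOP)), (ATTR_FRAMED_IP_ADDRESS, ALICE_IP)])
```

Only the Start record yields a session address; the access controller would key the end user's session on that value for the later DNS checks.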
The profile database may contain subscription information, the user name, passwords, attributes, access gateways associated with the end user or the like.
Reference is now made to
The end user has sent a query. In the example shown, the end user 10 wishes to access a service hosted by the mobile operator. The query therefore takes the form of service.operator.com. This corresponds to request S12 shown in
It should be appreciated that the mobile operator access controller 16 effectively acts as an AAA proxy.
Reference is now made to
The service control system 22 routes the packet to the required operator service 28. It is likely that network address translation (NAT) will take place either in the mobile operator's access controller or in the service control system, so that data packets can be returned to the end user via the same route. The operator services are thus provided via the mobile operator IP domain.
Reference is now made to
a shows the DNS query procedure. The end user sends a query identifying the third party service, which is in this example WWW.CNN.com. This is forwarded via the WISP network 12 to the mobile operator access controller 16. As with the arrangement shown in
The mobile operator access controller 16 resolves the named server for an authorized user to the domain CNN.com. The remaining, unnamed domains would be resolved via the WISP DNS server 14. Where the name server is resolved for an authorized user, the query is then sent to the mobile operator DNS server 20. This replies with information identifying the service, i.e. WWW.CNN.com, and its IP address. This address is sent to the WISP network 12.
b shows the traffic control in this embodiment. The end user sends a data packet to the WISP network 12. The packet sent by the end user identifies the source address of the end user and the destination address corresponding to WWW.CNN.com. The WISP network uses the routing table 13 to route the data packet via the mobile operator access controller 16. The data packet is then sent to the service control system 22. A network address translator is provided either in the access controller 16 or the service control system 22. The service control system automatically authorizes mobile operator users to select services in the CNN.com domain 30. The service control system 22 is part of the mobile operator IP domain. This allows the end user to access services provided by WWW.CNN.com, which may require authorization of the user.
For completeness' sake,
The access controller 16 receives this information and sends it to the WISP network 12.
The traffic flow is shown in
Embodiments of the present invention mean that at the same time the end user is authenticated to get the WLAN access service, the end user is also authorized to the mobile operator's service infrastructure. Effectively, this allows traffic control without actually controlling the traffic itself. Thus, embodiments of the present invention allow the control of end user traffic based on the domain name system. This DNS based traffic control allows the mobile operator to control how to route the end user traffic even in the cases where the actual routers are operated by a third party service provider.
Embodiments of the present invention provide the possibility of controlling end user traffic without requiring new functionality in the WISP access zone equipment. Automatic service authorization may be provided to WLAN subscribers. This is very compatible with the public WLAN business model. The advantage of preferred embodiments of the present invention is that the plain Internet traffic, which has nothing to do with the mobile operator domain, is not forced to go through the operator network and thus does not unnecessarily load the mobile operator's equipment.
Additionally, as the embodiments of the present invention do not require any changes to the WISP architecture nor any new features for the WISP's network elements, this means that embodiments of the invention are backwards compatible.
The mobile operator access controller in embodiments of the present invention thus acts as an AAA proxy and establishes the state for the end users i.e. whether or not the end user is authorized. This end user state may include DNS specific information based on the end user's subscription. When the end user is requesting address information for predefined domains, the access controller participates in the DNS resolution process either by answering from its own database or by sending a DNS referral to the correct DNS server based on the end user status.
Embodiments of the present invention have been described in a WLAN context. However, it should be appreciated that embodiments of the present invention have wider application. For example, embodiments of the present invention can be implemented in an IP based network independent of access method; a WLAN; an xDSL network; an Ethernet; a GPRS network; a 3G network; and a Bluetooth network. Embodiments of the present invention can be implemented where a user is connected to a first access network, which allows the user to be connected to a mobile operator network, where the access network is not part of the mobile operator's network.
Embodiments of the present invention control the end user traffic only if the end user tries to access a server or gateway in the mobile operator operated domain or in predefined other domains. This enables service authorization for the WLAN end user in all existing access zone topologies. Embodiments of the present invention are independent of the access authentication methods. Embodiments of the present invention may support both open system and IEEE 802.1x authentication. This embodiment of the present invention enables all features that the service control system can offer for GTP tunnelled WLAN users.
Embodiments of the present invention enable service authorization for WLAN end users in all existing access zone topologies. Embodiments of the present invention can be generically applied. Access technologies which use Radius or Diameter can be supported. Radius and Diameter are defined in:
The mobile operator DNS server is given as the primary DNS server in the DHCP query phase.
Embodiments of the present invention require the access controller to make use of Radius signalling based end user session awareness. Before the access controller queries the next DNS server, the access controller verifies that the requesting IP address has a valid session and checks end user specific DNS settings. The DNS settings for the WLAN in the user profile are transferred from the application server to the access controller in Radius messages from the AAA server.
In some embodiments of the present invention the operator may have a WLAN specific DNS server or servers where the operator network topology requires it.
The service authorization may rely on the IP address.
The DNS resolution process used in embodiments of the present invention is as follows: The end user sends a query to a first server. The first server may then query a second server. If that second server is unable to provide the required information, the second server may refer the first server to one or more other servers (third and fourth servers). The first server would be the access controller.
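As an added example covering the session check and split resolution of steps S6, S13 and S14 together with the referral process just described (an illustration, not the patent's own implementation), the following Python models the access controller's DNS decision: names outside the predefined domains are referred to the WISP DNS server as normal Internet traffic; names inside them require a valid session keyed by the end user's IP address and matching DNS settings from the user profile, and are then either answered from the controller's own database or referred to the mobile operator DNS server. The server addresses, domain list and session table are constructed values, and refusing queries from addresses without a suitable session is an assumption.

```python
from dataclasses import dataclass, field

WISP_DNS = "198.51.100.53"      # constructed: WISP DNS server (14)
OPERATOR_DNS = "203.0.113.53"   # constructed: mobile operator DNS server (20)
# Domains the access controller takes part in resolving: the operator's own
# plus predefined third-party domains (constructed values).
CONTROLLED_DOMAINS = ("operator.com", "cnn.com")


@dataclass
class Session:
    """End-user state the access controller builds from the AAA exchange."""
    user: str
    authorized_domains: tuple          # DNS settings taken from the user profile
    local_records: dict = field(default_factory=dict)  # controller's own database


def in_domain(name, domain):
    """True when name equals domain or lies below it (case-insensitive)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def dns_decision(sessions, src_ip, qname):
    """How the access controller handles one DNS query from src_ip.

    Returns ("answer", ip) when answered from its own database,
    ("refer", server) when the query goes on to the named DNS server, or
    ("refuse", None) when the requester holds no suitable session.
    """
    if not any(in_domain(qname, d) for d in CONTROLLED_DOMAINS):
        return ("refer", WISP_DNS)   # S6: plain Internet name, normal DNS
    session = sessions.get(src_ip)   # S13: session keyed by Framed-IP-Address
    if session is None or not any(in_domain(qname, d) for d in session.authorized_domains):
        return ("refuse", None)      # assumption: unauthorized queries are refused
    key = qname.rstrip(".").lower()
    if key in session.local_records:
        return ("answer", session.local_records[key])
    return ("refer", OPERATOR_DNS)   # S14: operator DNS server resolves the name


# Constructed session table: alice is authorized for both controlled domains,
# bob only for the operator's own; 10.1.2.9 never completed access authentication.
SESSIONS = {
    "10.1.2.3": Session("alice", ("operator.com", "cnn.com"),
                        {"myserver.operator.com": "203.0.113.10"}),
    "10.1.2.4": Session("bob", ("operator.com",)),
}
```

Plain Internet names never touch the operator domain regardless of session state, which is the load-avoidance property the description claims for the scheme.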
Number | Date | Country | Kind |
---|---|---|---|
0324878.8 | Oct 2003 | GB | national |