Method to configure a DSL connection in which a home IP plug controller is enabled to initialize a communication with a home IP plug

Abstract
A method is described to configure a connection between at least one Home Internet Protocol Plug, HIPP, located at a subscriber side and a Home Internet Protocol Plug Controller, HIPP-C, located in an access network, both connected via a Digital Subscriber Line, DSL, a Digital Subscriber Line Access Multiplexer, DSLAM, and the access network with each other, wherein at least a Network Address Port Translation function, NAPT, and/or at least a Network Address Translation function, NAT, takes place between the HIPP and the HIPP-C, comprising the steps of: acquisition of a HIPP information when a HIPP is going online wherein the HIPP information comprises at least a layer two address of the HIPP, providing said HIPP information to the HIPP-C, configuration of at least the NAT and/or the NAPT functions between the HIPP and the HIPP-C by the HIPP-C considering said HIPP information, in order to receive a connection in which the HIPP-C is enabled to initialize a communication between the HIPP-C and the HIPP, wherein the acquisition of the HIPP information, their providing to the HIPP-C and also the configuration of the NAT and/or NAPT functions by the HIPP-C takes place before the HIPP tries to contact the HIPP-C.
Description
BACKGROUND OF THE INVENTION

The invention is based on a priority application EP 05 290 030.5 which is hereby incorporated by reference.


The invention relates to a method to configure a connection between at least one Home Internet Protocol Plug and a Home Internet Protocol Plug Controller according to the specifying features of claim 1.


It is planned to provide new and better services via Digital Subscriber Line. These services require a communication between an Auto Configuration Server, ACS, located in an access network or in a core network and a Customer Premises Equipment, CPE, on the subscriber side. Both the CPE and the ACS are connected with each other via a Digital Subscriber Line, DSL, a Digital Subscriber Line Access Multiplexer, DSLAM, and the access network. The communication shall allow the ACS to configure and to manage the CPE or any other end-user device that is Internet Protocol, IP, addressable, e.g. a DSL modem. In the following, IP addressable CPEs and other IP addressable end user devices will be subsumed under the term Home IP Plug, HIPP. The ACS and other similar devices will be subsumed under the term Home IP Plug Controller, HIPP-C.


To achieve a worldwide technical standard for providing these services, a standardization body, the DSL Forum Standardization Body, has been constituted for this purpose.


The DSLHome working group, from the DSL Forum standardization body, defines a new protocol, described in the Technical Report 87, TR87, allowing the configuration and management of HIPPs by the HIPP-C. In TR87, it is assumed that the HIPP has an IP address and contacts its HIPP-C.


The connection between the HIPP and the HIPP-C is asymmetric in the sense that, if there is any Network Address Port Translation function, NAPT, or any Network Address Translation function, NAT, between the HIPP and the HIPP-C, or other functions such as firewalls and the like, it is only the HIPP that can take the initiative to initialize a communication between the HIPP and the HIPP-C, because the HIPP has a private IP address and the HIPP-C a public IP address.


Although the opposite, i.e. the HIPP-C initiating the contact with the HIPP, is a known message in the CPE WAN-side Management Protocol according to TR87, it cannot be used in the presence of such a NAPT and/or NAT function. Indeed, the NAPT has no entry translating the port and public IP address into the private IP address of the HIPP, i.e. it is ignorant of a communication in the direction HIPP-C towards HIPP initialized by the HIPP-C. Hereby, the initiative and the control of the HIPP configuration and management remain in the hands of the HIPP, as it is always the HIPP that can initiate the first message and thereby properly configure the NAT entry.


The technical purpose of the invention is to develop a method to configure a connection between a HIPP and a HIPP-C, in which connection a NAT and/or a NAPT function can be arranged between the HIPP and the HIPP-C and in which a communication between the HIPP and the HIPP-C can be initialized by the HIPP-C.


SUMMARY OF THE INVENTION

The invention's technical purpose is fully met by said method to configure a connection between at least one Home Internet Protocol Plug, HIPP, located at a subscriber side and a Home Internet Protocol Plug Controller, HIPP-C, located in an access network, both connected via a Digital Subscriber Line, DSL, a Digital Subscriber Line Access Multiplexer, DSLAM, and the access network with each other, wherein at least a Network Address Port Translation function, NAPT, and/or at least a Network Address Translation function, NAT, takes place between the HIPP and the HIPP-C, which method is characterized by the steps:

    • acquisition of a HIPP information when a HIPP is going online, e.g. by the HIPP-C or by another network device like the DSLAM, in order to configure the NAT and/or the NAPT functions between the HIPP and the HIPP-C by the HIPP-C considering said HIPP information, wherein the HIPP information comprises at least a layer two address of the HIPP
    • providing said HIPP information to the HIPP-C,
    • configuration of at least the NAT and/or the NAPT functions between the HIPP and the HIPP-C by the HIPP-C considering said HIPP information, in order to receive a connection in which the HIPP-C is enabled to initialize a communication between the HIPP-C and the HIPP as long as the HIPP is online,


      wherein the acquisition of the HIPP information, their providing to the HIPP-C and also the configuration of the NAT and/or NAPT functions by the HIPP-C takes place before the HIPP tries to contact the HIPP-C.


This invention allows the HIPP-C to correctly configure the NAT and/or NAPT functions or others in the HIPP/HIPP-C path in a way that full control of the HIPP is given to the HIPP-C. Furthermore the invention allows that even the very first message between the HIPP-C and the HIPP can be initialized by the HIPP-C. Moreover, the same HIPP information used to configure the NAT/NAPT functions between the HIPP and the HIPP-C improves security by allowing a simple mechanism to be inserted to stop Denial of Service, DoS, attacks.


Said method with the specifying features of claim 1 has the advantage over the state of the art that, besides the simple mechanism of the basic idea of allowing the HIPP-C to configure NAT and/or NAPT functions in order to be able later on to contact the HIPP, the mechanism also allows the HIPP-C to set layer three filters against DoS attacks.


In a preferred embodiment of said invention, the connection is configured in a way that both, the HIPP and the HIPP-C can initialize a communication with each other.


In a preferred embodiment of said invention, an initialization of a communication with the HIPP-C is only possible for HIPPs whose HIPP information has been acquired and provided to the HIPP-C. Thereby an admission to initialize a communication between a HIPP and the HIPP-C by the HIPP is only granted e.g. for HIPPs registered at the HIPP-C with their HIPP information. The granting takes place by using the HIPP information that is readily available to the HIPP-C. By this procedure only HIPPs registered at the HIPP-C and directly connected via a DSL line with the same access network in which the HIPP-C is located can initialize a communication with the HIPP-C. Another possibility is that filters are configured by the HIPP-C using the HIPP information, wherein the filters only allow the initialization of a communication by HIPPs whose HIPP information has been used to configure the filters. The HIPP information preferably comprises the Medium Access Control address, MAC address, of the HIPP. By using a registration at the HIPP-C, by using filters, or by an analogous procedure it is possible to defeat a certain kind of Denial of Service attacks on the HIPP-C.


In a preferred embodiment of said invention, at least one filter configured by the HIPP-C in consideration of the HIPP information governs the initialization of a communication by the HIPP with the HIPP-C. Thereby the configuration of the filter considers e.g. the Private IP Address of the HIPP known by the HIPP-C, the DSL line information provided to the HIPP-C by the DSLAM, the MAC address of the HIPP, or a combination of these. Preferably the filter is also configured by the HIPP-C before the HIPP tries to contact the HIPP-C.


In a preferred embodiment of said invention, the filter is a layer three filter.


In another preferred embodiment of said invention, the layer three filter is located in the DSLAM.


In another preferred embodiment of said invention, the layer three filter is located in a layer three network element, e.g. an IP forwarder.


In another preferred embodiment of said invention, the HIPP information provided to the HIPP-C comprises at least the Private Internet Protocol Address of the HIPP. The Private IP Address can be acquired e.g. by snooping.


In another preferred embodiment of said invention, the layer two address of the HIPP comprised in the HIPP information provided to the HIPP-C comprises at least the Medium Access Control address of the HIPP.


In an additional preferred embodiment of said invention, at least the layer two address is provided to the HIPP-C by the DSLAM.


In an additional preferred embodiment of said invention, the HIPP information comprises at least the related DSL line information.


In a particularly preferred embodiment of said invention, at least the DSL line information is provided to the HIPP-C by the DSLAM.




BRIEF DESCRIPTION OF THE DRAWING


FIG. 1 shows a scheme of a topology of a connection between a HIPP and a HIPP-C with NAPT functions and DHCP relays located between the HIPP and the HIPP-C, and



FIG. 2 shows a scheme of the procedure of the method according to the invention.




As shown in FIG. 1, a Home IP Plug 1, HIPP is physically connected with a Home IP Plug Controller 2, HIPP-C via a Digital Subscriber Line 3, DSL, a Digital Subscriber Line Access Multiplexer 4, DSLAM and an access network 5 in which the HIPP-C 2 is located. Between the HIPP 1 and the HIPP-C 2 at least one Network Address Port Translation, NAPT, function 6 is arranged. FIG. 1 shows four different potential places for the NAPT function 6 arranged between the HIPP 1 and the HIPP-C 2. One possible place is within the DSLAM 4, another at an IP Edge 8 of the access network 5, a third within the access network 5 and a fourth within a DSL modem 9 at the subscriber side. There is also at least one Dynamic Host Configuration Protocol Relay 7, DHCP Relay located between the HIPP 1 and the HIPP-C. FIG. 1 also shows possible places for the DHCP Relay 7 between the HIPP 1 and the HIPP-C 2. A first place for the DHCP Relay 7 is within the DSLAM 4, a second within the access network 5, a third at the IP Edge 8 and a fourth within the HIPP-C. Additionally a firewall (not shown) can be arranged between the HIPP 1 and the HIPP-C 2. To enable the HIPP 1 and the HIPP-C 2 to communicate with each other, the physical connection has to be configured.


In the auto-configuration process described in TR46 in DSL Forum, the HIPP 1 gets its IP address, by whatever means: Point to Point Protocol Internet Protocol Control Protocol, PPP IPCP, DHCP, or static IP.


In particular, to enable the HIPP-C 2 to initialize a communication with the HIPP 1 if there is a NAPT function 6 between the HIPP 1 and the HIPP-C 2, the NAPT function 6 has to be configured in a certain way.


The idea according to the invention is that the HIPP-C 2 gets informed that a HIPP 1 is on-line before the HIPP 1 tries to contact the HIPP-C 2. Once the HIPP 1 is on-line, the configuration of layer 1 and layer 2 is available. The DSLAM 4 is the first device that has the information about the layer two address of the HIPP 1, further called HIPP information. Most likely the HIPP information comprises the Medium Access Control address, MAC address, and the related DSL line information also known by the DSLAM 4. The DSLAM 4 then informs the HIPP-C 2 that a new HIPP 1 is on-line, and provides the related HIPP information concerning this HIPP 1 to the HIPP-C 2.


The related HIPP information is acquired by snooping the Private IP address of the HIPP 1 from the actually used IP-address assignment protocol, such as the DHCP or PPP protocols. For DHCP as well as for PPP, a relay agent can execute this snooping. The HIPP information has to be brought to the attention of the HIPP-C 2. This can be done by enabling such an agent to forward this information to the HIPP-C 2 or by including such an agent in the HIPP-C 2. Furthermore, the HIPP-C 2 now has the information needed to correctly configure the potential NAPT functions 6 that lie between the HIPP-C 2 and the HIPP 1. Doing so, the HIPP-C 2 is now able to take full control of the HIPP 1 and to take the initiative to contact it later.


Furthermore the invention improves the security of auto configuration services in which a HIPP-C 2 is managing and configuring at least one HIPP 1. As the HIPP 1 is able to take the initiative to contact the HIPP-C 2, and as in an access network 5 the HIPP-C 2 might have to deal with hundreds of thousands of HIPPs 1, the HIPP-C 2 is vulnerable to Denial of Service, DoS, attacks. A DoS attack is a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. However, according to the state of the art there is no mechanism foreseen to prevent HIPPs 1 from sending messages to the HIPP-C 2, meaning that DoS attacks can be generated against the HIPP-C 2.


According to the invention, with the knowledge of the Private IP address and/or the MAC address and/or the DSL line information of the HIPP 1 comprised in the HIPP information, the HIPP-C 2 is enabled to configure layer three filters in the DSLAM 4 or other network elements and to thereby avoid DoS attacks of the different HIPPs 1.


Layer three filters can either be set in the DSLAM 4 if the capability is there or in a layer three network element, such as an IP forwarder provided with the related layer two information.


By setting layer three filters, only the messages coming from a certain DSL line 3 with the corresponding source MAC address will be allowed to go to the IP address of the HIPP-C 2. All the messages with the destination IP address of the HIPP-C 2, that have a non-matching source MAC address with the corresponding DSL line 3 or layer two information (VP/VC) will be discarded. This prevents at least a certain kind of DoS attacks.




FIG. 2 shows a scheme of the procedure of the method according to the invention. In level I the HIPP is going online and the procedure starts. In the same level I the DSLAM immediately recognizes the HIPP going online. In level II an agent is activated for snooping and acquiring the HIPP information comprising at least the layer two address of the HIPP. It is conceivable that the agent is snooping the HIPP information from the actually used IP-address assignment protocol, such as the DHCP or PPP protocol. For DHCP as well as for PPP, a relay agent can execute this snooping. In level III the HIPP information acquired by the agent is provided to the HIPP-C. After being provided with the HIPP information, in level IV the HIPP-C configures the NAPT and NAT functions between the HIPP and the HIPP-C considering the HIPP information. Parallel to the configuration of the NAPT and NAT functions, the HIPP-C in level IV is also configuring layer three filters between the HIPP and the HIPP-C, also considering the HIPP information. Once both the configuration of the NAPT and NAT functions and the configuration of the layer three filters are finished, the configuration of the connection between the HIPP and the HIPP-C is done in level V. Thereby the acquisition of the HIPP information, its provision to the HIPP-C and also the configuration of the NAPT and NAT functions as well as the configuration of the layer three filters by the HIPP-C take place before the HIPP tries to contact the HIPP-C.


After this, in level VI both the HIPP and the HIPP-C can contact each other, wherein either one can initialize a communication.
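The following is an added illustration of the procedure of FIG. 2 and of the layer three filter described above; it is not code from the patent or from any DSL Forum specification. It models a DHCP relay agent in the DSLAM snooping the HIPP's MAC address and private IP address from a constructed DHCPACK (only the message layout follows RFC 2131), the DSLAM providing that HIPP information to the HIPP-C, and the HIPP-C then installing a NAPT entry and a (DSL line, source MAC) filter before the HIPP makes contact. The IP addresses, the DSL line identifier, the management port 7547 on the HIPP and the `HippController` class are all assumptions made for this example.

```python
"""Model of the HIPP/HIPP-C configuration procedure (added example, not from the patent).
Assumed: addresses, DSL line names, the port numbers and the controller class below."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 option cookie
HIPP_MGMT_PORT = 7547              # assumed management port on the HIPP


@dataclass(frozen=True)
class HippInfo:
    mac: str          # layer two address of the HIPP, known first by the DSLAM
    dsl_line: str     # DSL line / VP-VC identifier, also known by the DSLAM
    private_ip: str   # private IP address snooped from the address assignment


def build_dhcp_ack(mac: bytes, yiaddr: str) -> bytes:
    """Constructed DHCPACK as the relay agent would see it (sample input only)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4),                                   # ciaddr
                      bytes(int(o) for o in yiaddr.split(".")),   # yiaddr
                      bytes(4), bytes(4),                         # siaddr, giaddr
                      mac.ljust(16, b"\0"), bytes(64), bytes(128))
    return hdr + DHCP_MAGIC + bytes([53, 1, 5, 255])               # option 53 = ACK


def snoop_dhcp_ack(msg: bytes) -> Optional[Tuple[str, str]]:
    """Level II: read chaddr and yiaddr out of a DHCPACK; None for anything else."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        return None
    hlen = msg[2]
    mac = ":".join(f"{b:02x}" for b in msg[28:28 + hlen])
    ip = ".".join(str(b) for b in msg[16:20])
    i = 240
    while i + 1 < len(msg) and msg[i] != 255:       # walk options until END
        if msg[i] == 0:                               # PAD option
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        if code == 53 and msg[i + 2] == 5:            # DHCP message type ACK
            return mac, ip
        i += 2 + length
    return None


class HippController:
    """HIPP-C holding the registration, the NAPT entries and the layer three filters."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.registered: Dict[str, HippInfo] = {}                      # key: MAC
        self.napt: Dict[Tuple[str, int], Tuple[str, int]] = {}         # public -> private
        self.filters: Set[Tuple[str, str]] = set()                     # (dsl_line, mac)
        self._next_port = 40000

    def hipp_online(self, info: HippInfo) -> int:
        """Levels III-V: DSLAM provides the HIPP information; the HIPP-C installs a
        NAPT entry and a filter before the HIPP has sent anything. Returns the
        public port the HIPP-C will later use to reach this HIPP."""
        self.registered[info.mac] = info
        port = self._next_port
        self._next_port += 1
        self.napt[(self.public_ip, port)] = (info.private_ip, HIPP_MGMT_PORT)
        self.filters.add((info.dsl_line, info.mac))
        return port

    def napt_inbound(self, public_port: int) -> Optional[Tuple[str, int]]:
        """Level VI: translation used when the HIPP-C initiates the contact."""
        return self.napt.get((self.public_ip, public_port))

    def allowed_to_contact_controller(self, dsl_line: str, src_mac: str, dst_ip: str) -> bool:
        """Layer three filter (e.g. in the DSLAM): frames towards the HIPP-C IP pass
        only if the (DSL line, source MAC) pair matches registered HIPP information."""
        if dst_ip != self.public_ip:
            return True
        return (dsl_line, src_mac) in self.filters


def run_procedure() -> dict:
    """Drive levels I-VI on constructed data and return the observable results."""
    hippc = HippController(public_ip="203.0.113.10")          # assumed HIPP-C address
    mac_str, private_ip = snoop_dhcp_ack(build_dhcp_ack(bytes.fromhex("001122334455"), "10.0.0.12"))
    info = HippInfo(mac=mac_str, dsl_line="dslam4/line3", private_ip=private_ip)
    public_port = hippc.hipp_online(info)
    reach = hippc.allowed_to_contact_controller
    return {
        "napt_target": hippc.napt_inbound(public_port),
        "legit_allowed": reach("dslam4/line3", mac_str, hippc.public_ip),
        "wrong_line_dropped": not reach("dslam4/line9", mac_str, hippc.public_ip),
        "unknown_mac_dropped": not reach("dslam4/line3", "de:ad:be:ef:00:01", hippc.public_ip),
    }


if __name__ == "__main__":
    print(run_procedure())
```

The filter is keyed on the pair the DSLAM can vouch for (its own line identifier plus the MAC it saw on that line), so a frame carrying a registered MAC on a different line is dropped just like one with an unknown MAC; the NAPT entry is what lets the HIPP-C open the first connection without the HIPP having sent anything.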


The invention is commercially applicable particularly in the field of production and operation of Home IP plug controller products and in the field of production and operation of networks providing Home IP Plug Controllers.


List of Reference Numerals

1 Home Internet Protocol Plug, HIPP


2 Home Internet Protocol Plug Controller, HIPP-C


3 Digital Subscriber Line, DSL


4 Digital Subscriber Line Access Multiplexer, DSLAM


5 Access network


6 Network Address Port Translation function, NAPT function


7 Dynamic Host Configuration Protocol Relay, DHCP Relay


8 IP-Edge


9 DSL Modem

Claims
  • 1. Method to configure a connection between at least one Home Internet Protocol Plug, HIPP, located at a subscriber side and a Home Internet Protocol Plug Controller, HIPP-C, located in an access network, both connected via a Digital Subscriber Line, DSL, a Digital Subscriber Line Access Multiplexer, DSLAM, and the access network with each other, wherein at least a Network Address Port Translation function, NAPT, and/or at least a Network Address Translation function, NAT, takes place between the HIPP and the HIPP-C by the steps: acquisition of a HIPP information when a HIPP is going online, wherein the HIPP information comprises at least a layer two address of the HIPP, providing said HIPP information to the HIPP-C, configuration of at least the NAT and/or the NAPT functions between the HIPP and the HIPP-C by the HIPP-C considering said HIPP information, in order to receive a connection in which the HIPP-C is enabled to initialize a communication between the HIPP-C and the HIPP, wherein the acquisition of the HIPP information, their providing to the HIPP-C and also the configuration of the NAT and/or NAPT functions by the HIPP-C takes place before the HIPP tries to contact the HIPP-C.
  • 2. Method according to claim 1, wherein the connection is configured in a way that both, the HIPP and the HIPP-C can initialize a communication with each other.
  • 3. Method according to claim 2, wherein an initialization of a communication with the HIPP-C is only possible for HIPPs whose HIPP information has been acquired and provided to the HIPP-C.
  • 4. Method according to claim 3, wherein at least one filter configured by the HIPP-C in consideration of the HIPP information governs the initialization of a communication by the HIPP with the HIPP-C.
  • 5. Method according to claim 4, wherein the filter is a layer three filter.
  • 6. Method according to claim 5, wherein the layer three filter is located in the DSLAM.
  • 7. Method according to claim 5, wherein the layer three filter is located in a layer three network element.
  • 8. Method according to claim 1, wherein the HIPP information comprises at least the Private Internet Protocol Address of the HIPP.
  • 9. Method according to claim 1, wherein the layer two address of the HIPP comprises at least the Medium Access Control address of the HIPP.
  • 10. Method according to claim 1, wherein at least the layer two address is provided to the HIPP-C by the DSLAM.
  • 11. Method according to claim 1, wherein the HIPP information comprises at least the related DSL line information.
  • 12. Method according to claim 11, wherein at least the DSL line information is provided to the HIPP-C by the DSLAM.
Priority Claims (1)
Number Date Country Kind
05 290 030.5 Jan 2005 EP regional