The invention will be explained in greater detail by reference to exemplary embodiments shown in the drawings, in which:
For the purpose of teaching of the invention, embodiments of the invention are described in the sequel. It will be apparent to the person skilled in the art that other alternative and equivalent embodiments of the invention can be conceived and reduced to practice without departing from the true spirit of the invention, the scope of the invention being only limited by the claims as finally granted.
In
In a typical operation in a prior art system, the host controls the log on to the network, e.g. by switching on the access point. When the host logs on to the network, an authorization request with log on information is sent to the authorization server (43). Typically the authorization request is sent by the access point (21, 22, 23, 24), but this may also be done by the user client (10). The authorization server processes the request and, when successful, selects the appropriate tunnel (41) for the user traffic and sends a positive response to the access point (or client), including the IP address assigned by the IP address assignment server (such as DHCP). The selection of the tunnel is based on the log on information and/or other host related information in the user profile database (42). Another operation in prior art systems may involve a combination of the network operator authorization server (43) and an authorization server in the service provider platform (54). In this case the network provider authorization server (43) forwards the authorization request to the authorization server in the service provider platform. The authorization server in the service provider platform processes the request and responds to the network authorization server (43). When the response is positive, a tunnel (41) will be assigned to the user traffic by the authorization server (43) and a positive response is sent to the user. From that moment all user traffic will be transported via the tunnel (41). The user traffic includes host traffic and guest traffic.
The core network ‘delivers’ the user traffic to the Service Provider Platform (50). The Service Provider Platform provides access to the internet (60), but other services can also be provided via the Service Provider network (51) by servers (52, 53). Some of these other services may require additional user authorization at application level. This authorization is performed by an authorization server (54) and user database (55) in the Service Provider network.
In the embodiment as shown in
The separation of guest traffic and host traffic is based on the MAC address of the user client. Separation based on this hardware related information provides a high level of security. The guest traffic can be clearly isolated in the host network, which improves security and can be beneficial for e.g. system, identity and content protection for the host and other guests.
The separation of traffic is based on a list of host users in the access point. The list contains identification information of host client devices that are allowed to access the access point as host user. A client device is classified as a host user when its identification information corresponds with identification information stored in the host user list.
Identification information can be hardware related, such as a MAC address or serial number. The identification information can also be protocol related, such as an IP address.
The host user list can be managed at the access point by the access point owner/operator via a management interface. This management interface can be implemented as an addition to known “client access control” interfaces for access points. Management of the host user list can also be performed remotely via the communication network. This mode of operation allows remote management of the host user list by either the access point owner/operator or a third party such as a hotspot service provider.
Remote management of the host user list in an access point for shared internet access allows host user access to an access point by users other than the access point owner/operator only, e.g. for all registered users of a hotspot service provider. In this case the identification information of client devices, which devices may also be supplied to the users by the hotspot service provider, is entered remotely into the host user list at the access point. After remote entry of the identification information, the corresponding client devices will be detectable as host client devices by the access point, on the basis of the updated host user list.
Because the separation is realized in the host network, the traffic of hosts and guests can be separated through the end-to-end communication path towards the service provider. This is the preferred mode of operation of the system according to the invention. However, other separation points for guest traffic and host traffic can be conceived and reduced to practice, such as:
before entering the access network (3);
in the core network, before entering the tunnel (2);
at the interface between the core network and the Service Provider platform (1).
As an alternative to separation based on a MAC address, separation of guest traffic and host traffic can also be based on other layer 2 protocol information, or on layer 3 protocol information, such as one or more elements of the 5-tuple in the IP packet header. A person skilled in the art will appreciate that various implementations for the separation of guest traffic and host traffic are possible, for which the exemplary embodiment disclosed by the current invention is meant as an example, the shared result of the various implementations being that guest traffic and host traffic can be handled separately in the service provider platform.
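The following is an added worked example, not code from the patent, of the access-point classification described in the passages on the host user list (identification by MAC address, with the list managed locally or updated remotely) and in the alternative just given (matching on elements of the IP 5-tuple). The class and function names, the update message format and the sample devices are assumptions of this example; the patent specifies only the behaviour.

```python
"""Host/guest classification at the access point (added example, not the patent's own code).

A client device whose identification information matches an entry of the host user
list is a host user; every other client device is a guest. Entries may be hardware
related (a MAC address) or layer 3 related (a rule over IP 5-tuple fields).
"""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Packet:
    """Fields of a client frame/packet that the classifier looks at (constructed shape)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str        # 'tcp' or 'udp'
    src_port: int
    dst_port: int


def canonical_mac(mac: str) -> str:
    """Normalize 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:..' to 'aa:bb:cc:dd:ee:ff'.
    Comparing canonical forms avoids missing a listed device because of separator style."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def _match(name: str, wanted, actual) -> bool:
    # IP fields may be given as a single address or a prefix; other fields match exactly.
    if name in ("src_ip", "dst_ip"):
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    return wanted == actual


class HostUserList:
    """The access point's list of host client devices (assumed in-memory representation)."""

    TUPLE_FIELDS = {"src_ip", "dst_ip", "proto", "src_port", "dst_port"}

    def __init__(self):
        self._macs: set[str] = set()          # hardware related identification
        self._tuple_rules: list[dict] = []    # layer 3 related identification

    # --- management interface: local, or remote via the communication network ---
    def add_mac(self, mac: str) -> None:
        self._macs.add(canonical_mac(mac))

    def remove_mac(self, mac: str) -> None:
        self._macs.discard(canonical_mac(mac))

    def add_tuple_rule(self, **fields) -> None:
        """A rule matches when every given 5-tuple field matches, e.g. src_ip='192.168.1.0/24'."""
        unknown = set(fields) - self.TUPLE_FIELDS
        if unknown:
            raise ValueError(f"unknown 5-tuple fields: {sorted(unknown)}")
        self._tuple_rules.append(fields)

    def apply_remote_update(self, update: dict) -> None:
        """Apply an update pushed by the owner/operator or a hotspot service provider.
        Message format {"add": [macs], "remove": [macs]} is an assumption of this example."""
        for mac in update.get("remove", []):
            self.remove_mac(mac)
        for mac in update.get("add", []):
            self.add_mac(mac)

    # --- classification ---
    def classify(self, pkt: Packet) -> str:
        """Return 'host' when the packet's identification matches the list, else 'guest'."""
        if canonical_mac(pkt.src_mac) in self._macs:
            return "host"
        for rule in self._tuple_rules:
            if all(_match(name, rule[name], getattr(pkt, name)) for name in rule):
                return "host"
        return "guest"


def separate(hul: HostUserList, packets) -> dict[str, list[Packet]]:
    """Split a packet stream into the host and guest flows the access point forwards separately."""
    out: dict[str, list[Packet]] = {"host": [], "guest": []}
    for pkt in packets:
        out[hul.classify(pkt)].append(pkt)
    return out


# Constructed sample: the owner's laptop is listed by MAC, a visiting phone is not.
SAMPLE_LIST = HostUserList()
SAMPLE_LIST.add_mac("00-11-22-33-44-55")
SAMPLE = [
    Packet("00:11:22:33:44:55", "192.168.1.10", "203.0.113.5", "tcp", 50000, 443),
    Packet("66:77:88:99:aa:bb", "192.168.1.20", "203.0.113.5", "tcp", 50001, 80),
]

if __name__ == "__main__":
    for kind, pkts in separate(SAMPLE_LIST, SAMPLE).items():
        print(kind, [p.src_mac for p in pkts])
```

The MAC path is the patent's preferred mode; the tuple rules show the layer 3 alternative in the same allow-list form, so the two kinds of identification information can coexist in one list and one classifier.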
On the event of network log on, for example when the access point is switched on, the authorization server (43) assigns different tunnels for host traffic and guest traffic through the core network. In the embodiment shown in
A person skilled in the art will appreciate that transportation of traffic through the core network by means of a tunnel can be implemented using various techniques like e.g. GRE tunneling, MPLS, Virtual Channel and/or VPN, these various techniques sharing the aspect that for an aggregated number of users from various user locations, a fixed communication path to the service provider platform is provided for these users only.
The completion of the network log on includes the sending of the host IP address to the access point, which is maintained by the access point in order to route host traffic. The host IP address is assigned by the network provider, via authorization server 43, or by an IP address assignment from the service provider, involving an authorization and IP address assignment server outside the walled garden, such as authorization server 54.
IP address assignment for guest traffic always involves the authorization server (57) in the walled garden. When a guest logs in, the access point sends an authorization request to the authorization server (57) in the walled garden, or sends an authorization request to the network authorization server (43) which forwards the request to the authorization server in the walled garden (57). The authorization server (57) returns a temporarily unique IP address to the guest, which is retrieved from an IP address assignment server in the walled garden, and all traffic related to the assigned IP address is redirected to the authorization server.
Arriving at the service provider platform, host traffic is granted access to the servers (52, 53) and internet (60) on arrival. Guest traffic is however initially limited to the walled garden, i.e. the authorization server. The walled garden is an isolated part of the service provider platform and comprises servers and databases for guest user authentication and administration of guest traffic and guest sessions. The guest traffic is only allowed escape from the walled garden, i.e. access to the servers (52, 53) and internet, after successful authorization.
The administration of guest traffic is separated from the administration of host traffic. This is beneficial for post-session investigation in case of e.g. malicious use or abuse of a shared internet connection. The administration of guest traffic comprises guest user information, the assigned temporarily unique IP address, start time and end time of guest sessions and other user details.
The IP address assigned to the guest traffic is a temporarily unique IP address. The temporarily unique IP address can be a public IP address or a private IP address. In the latter case network address translation is performed when guest traffic is sent to or received from the internet. The temporarily unique IP address is assigned to specific guest traffic and the related guest user for a time period, which is configured in the administration server and/or the IP address assignment server. The time period can vary from the session time (i.e. the time the guest is logged on to shared internet access, which ends when the guest logs off) to a maximum limit (e.g. 12 hours or 3 days). This is beneficial for post-event analysis, e.g. after an event of internet abuse (such as fraud or illegal content transport). To this end the service provider is able to trace guest user information related to guest traffic at any time in the past by means of the administration servers and databases in the walled garden.
Specific guest traffic at a specific time in the past can be related to a specific guest user. This provides means to relate malicious internet use or internet abuse to specific guests and also offers the opportunity to isolate malicious internet use or internet abuse by guests from normal usage of the shared internet connection by the host. This can be most helpful for a number of reasons, such as:
lawful interception: the service provider is able to intercept traffic of specific guests;
isolation of sources of spam and viruses;
bandwidth usage, fair use policy monitoring;
illegal content traffic isolation;
separate billing of guest traffic.
For this purpose, the IP addresses (or IP numbers) assigned to guest traffic are also maintained separately from the IP numbers assigned to host traffic.
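The following is an added worked example, not code from the patent, of the walled-garden side of the scheme described in the preceding passages: guest IP numbers drawn from a pool kept apart from host IP numbers, a temporarily unique IP address that stays bound to its guest for a configured period (the session at minimum, a maximum limit such as 12 hours beyond the session start), guest traffic redirected to the authorization server until the guest has authorized, and a lookup that relates an IP address at a time in the past to a specific guest. The class and method names, the in-memory store, the exact hold-period rule and the sample timeline are assumptions of this example.

```python
"""Guest session administration in the walled garden (added example, not the patent's own code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class GuestSession:
    guest_id: str
    ip: str
    start: datetime
    end: Optional[datetime] = None      # None while the guest is still logged on
    authorized: bool = False


class WalledGarden:
    """Authorization and administration servers for guest traffic (in-memory stand-in)."""

    def __init__(self, guest_pool: str, host_pool: str, hold: timedelta):
        self.guest_net = ip_network(guest_pool)
        self.host_net = ip_network(host_pool)
        if self.guest_net.overlaps(self.host_net):
            raise ValueError("guest and host IP numbers must be kept separate")
        self.hold = hold                                   # configured period, e.g. 12 h or 3 days
        self._free = [str(a) for a in self.guest_net.hosts()]
        self._active: dict[str, GuestSession] = {}         # ip -> session currently holding it
        self._history: list[GuestSession] = []             # every session, kept for tracing

    def _release_at(self, s: GuestSession) -> Optional[datetime]:
        """Assumed rule: an address is bound for the whole session and at least `hold` after its start."""
        if s.end is None:
            return None
        return max(s.end, s.start + self.hold)

    def _reclaim(self, now: datetime) -> None:
        """Return addresses whose binding period has elapsed to the free pool."""
        for ip, s in list(self._active.items()):
            rel = self._release_at(s)
            if rel is not None and now >= rel:
                del self._active[ip]
                self._free.append(ip)

    def logon(self, guest_id: str, now: datetime) -> str:
        """Assign a temporarily unique IP address; the guest is not yet authorized."""
        self._reclaim(now)
        if not self._free:
            raise RuntimeError("guest IP pool exhausted")
        ip = self._free.pop(0)
        s = GuestSession(guest_id, ip, now)
        self._active[ip] = s
        self._history.append(s)
        return ip

    def authorize(self, ip: str, credentials_ok: bool) -> bool:
        """Outcome of the welcome/authorization page for the guest behind `ip`."""
        s = self._active.get(ip)
        if s is None or s.end is not None:
            return False
        s.authorized = s.authorized or credentials_ok
        return s.authorized

    def logoff(self, ip: str, now: datetime) -> None:
        s = self._active.get(ip)
        if s is not None and s.end is None:
            s.end = now

    def decide(self, src_ip: str, now: datetime) -> str:
        """Forwarding decision at the service provider platform for one source address."""
        addr = ip_address(src_ip)
        if addr in self.host_net:
            return "forward"                  # host traffic: servers and internet on arrival
        if addr in self.guest_net:
            s = self._active.get(src_ip)
            if s is not None and s.end is None:
                return "forward" if s.authorized else "redirect-to-authorization"
        return "drop"                         # not logged on, or address not ours

    def trace(self, ip: str, at: datetime) -> Optional[str]:
        """Which guest was bound to `ip` at time `at`? Answered from the full history."""
        for s in self._history:
            if s.ip != ip or at < s.start:
                continue
            rel = self._release_at(s)
            if rel is None or at < rel:
                return s.guest_id
        return None


T0 = datetime(2006, 5, 15, 9, 0)   # constructed timeline


def run_sample() -> dict:
    """Constructed scenario: a /30 guest pool (two addresses), 12-hour hold, three guests."""
    wg = WalledGarden("10.0.0.0/30", "10.0.1.0/24", hold=timedelta(hours=12))
    ip_alice = wg.logon("alice", T0)
    before = wg.decide(ip_alice, T0 + timedelta(minutes=1))   # not yet authorized
    wg.authorize(ip_alice, credentials_ok=True)
    after = wg.decide(ip_alice, T0 + timedelta(minutes=2))    # escaped the walled garden
    wg.logoff(ip_alice, T0 + timedelta(hours=1))
    ip_bob = wg.logon("bob", T0 + timedelta(hours=2))         # alice's address still held
    who_then = wg.trace(ip_alice, T0 + timedelta(hours=5))    # still attributable to alice
    ip_carol = wg.logon("carol", T0 + timedelta(hours=13))    # hold elapsed: address reused
    return {"before": before, "after": after, "ip_alice": ip_alice, "ip_bob": ip_bob,
            "ip_carol": ip_carol, "who_then": who_then,
            "who_at_13h": wg.trace(ip_alice, T0 + timedelta(hours=13)),
            "host": wg.decide("10.0.1.7", T0)}


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, v)
```

Keeping the history separate from the active table is what makes the retrospective lookup work after a session has ended, and the non-overlap check at construction enforces the separate IP numbering the passage calls for.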
As a result of application of separated administration of guest traffic and host traffic, the isolation of problems will be extensively improved, largely decreasing or even eliminating the situation that a host needs to be disconnected by the service provider, e.g. as a result of illegal content transport. This will improve the service to both hosts and other guest users.
Another advantage is that new, innovative billing methods can be applied, such as a kick-back fee for the host, based on the guest traffic originating from the access point owned by the host.
Authorization of guests by the authorization server in the walled garden is accessible via a welcome page or authorization page, to which guest traffic is redirected after IP address assignment. As indicated in the flowchart in
After successful authorization, a dynamic DNS registration is performed, based on the guest user information in the databases. This allows the guest to operate a web server that will be addressable from the internet after successful log in by the guest.
Number | Date | Country | Kind |
---|---|---|---|
06010038.5 | May 2006 | EP | regional |