This invention relates generally to electronic communication over a network, and more particularly to establishing service for a subscriber having a generic customer premises equipment (CPE) device or apparatus where access information for a configuration server is not initially contained within the CPE.
Subscriber provisioning involves the allocation of network resources and the configuration of network equipment to establish services for the first time. When configuration information is not initially contained within a customer premises equipment (CPE) apparatus, the information may be loaded into the CPE apparatus during manufacture so that once the CPE apparatus is connected to the network the CPE will retrieve this stored information and access a configuration server. Alternatively, a user may enter the access information manually, or by accessing a service provider web-portal.
From a business perspective, customers who require a large number of CPE devices configured to set up service from a particular service provider can justify the increased cost of requesting that the CPE devices be configured at the factory to include the information used for configuring with that service provider. At the other end of the continuum, customers who require a relatively small number of CPE devices configured to set up service can configure their CPE devices individually, since the scale of the configuration operation is small enough to justify spending the resources, including time and manpower, needed to configure a small number of CPE devices. However, the intermediate-scale deployment of generic CPE can be problematic. Accordingly, there is a need in the art for a configuring apparatus and method for use with intermediate-sized deployments where, for each CPE device, the service provider information is not initially specified.
Embodiments of the present invention and their advantages are best understood by referring to the detailed description that follows. It should be appreciated that like reference numerals are used to identify like elements illustrated in the figures.
In reference to
First cluster 102 includes a first user terminal 120, a first service terminal 122, a first customer premises equipment (CPE) 124, and a first modem 126. First user terminal 120 can be a personal computer running a web-browser application, for example, in order to permit access for a user to the Internet 104. First service terminal 122 can be either an ordinary telephone conforming to use with the plain old telephone service (POTS) having the traditional analog inputs and outputs, or service terminal 122 can be an internet-ready telephone where information is sent and received by service terminal 122 as packets to and from the network, as described above in reference to the Internet 104.
When service terminal 122 is an ordinary POTS telephone device, a terminal adapter (as shown in
First cluster 102 directly connects to the Internet 104 through a communications channel such as twisted-pair phone lines, a coaxial cable, or an optical link. Modem 126 provides the signaling necessary for first cluster 102 to connect to and communicate with a corresponding modem (not shown) typically belonging to an Internet Service Provider (ISP). Modem 126, which can also be termed a gateway modem or gateway router, may include a digital subscriber line (DSL) or cable modem in series with a router for direct connection to the Internet 104. It is understood that each modem connects directly to another modem, which may have a subsequent connection through a router to another network and to other network devices, so that Internet 104 includes a plurality of hierarchical interconnection networks.
CPE 124 can be a local network router such as those manufactured by LINKSYS (R) of Irvine, Calif., USA. CPE 124 can directly connect to modem 126, usually through a digital communications channel like a fixed wire network cable or a wireless connection. The term CPE is widely used and can refer to any communications equipment present at a customer site. Although both modem 126 and router 124 are typically installed at the customer site, for the purposes of this disclosure, the term CPE will be directed toward a router 124, or similar device, that may be connected directly to a modem 126, or else connected indirectly to modem 126 through another intermediate router 124 in a hierarchical manner. CPE 124, as a router, is typically a device that forwards data packets along networks based on their network addresses, and efficiently manages the information flow to and from modem 126.
Routers are typically installed at the juncture between at least two separate networks, at a place where the networks connect, in order to allow communication, or message packet passing, between the separate networks. More than one router can be connected to modem 126 if the modem is also a gateway, incorporating both modem and router functions, but each cluster is shown with only one router for simplicity. Networks can be hierarchical where one router connects to another like branches in a tree and the terminal devices, or user terminals, can be considered as leaves on the tree.
If the scope of a particular network is relatively wide, it can be arbitrarily considered as a Wide Area Network (WAN). In contrast, the relatively narrow scope of the connectivity between first user terminal 120, first service terminal 122, and first CPE 124 can be considered as a local area network (LAN). Although shown with two network devices, the LAN of first cluster 102 may contain more terminal devices, or may include another router for connection to another network. Routers such as CPE 124 are often connected between a WAN and a LAN.
Similar to first cluster 102, second cluster 106 includes a second user terminal 130, a second service terminal 132, a second customer premises equipment (CPE) 134, and a second modem 136. Second cluster 106 directly connects to ISP 108 through a communications channel such as twisted-pair phone lines, a coaxial cable, or an optical link. Modem 136 provides the signaling necessary for second cluster 106 to connect to and communicate with a corresponding modem (not shown) within ISP 108, which then connects hierarchically to the Internet 104. In this manner, a data connection by message passing can be formed between devices on first cluster 102 and devices on second cluster 106. Similar to first DHCP server 140, a second DHCP server 142 can be used to supply an IP address for second CPE 134 and other network devices. In this example, second DHCP server 142 is located within ISP 108. Although only two clusters (102, 106) are shown, this number is not limiting.
Message packets on a switched packet network such as the Internet 104 are sent, routed, and received based on network addresses. In order to establish communication with a device or node on the network, each device must have a unique address. A first dynamic host configuration protocol (DHCP) server 140 is shown connected to Internet 104 and simplifies network management by dynamically assigning an internet protocol (IP) address when a network device is added to the network, thus avoiding the need for a manual allocation for this task. In some systems, the IP address can be dynamically changed while the network device is connected. In contrast, a static IP address does not change. Some network devices support a mixture of both dynamic and static IP addressing.
In some applications, first DHCP server 140 can be used to assign an IP address to first CPE 124. In a hierarchical manner, first CPE 124 can assign an IP address to any network device connected on the LAN of first cluster 102. Alternatively, modem 126 may be a gateway router that includes a DHCP server, or CPE 124 may be connected to an intermediate router (not shown) that provides DHCP services. In the present configuration, first DHCP server 140 provides an IP address to first CPE 124 in first cluster 102. Internet 104 is a broad, hierarchical interconnection network embracing various technologies spanning both the analog and digital domains. A network address translator (NAT) may be used in a hierarchical router or gateway in order to re-map the local network addresses so that all the network addresses are unique in a hierarchical manner.
According to the Internet Engineering Task Force (IETF) as reflected in their publication RFC3261, a session initiation protocol (SIP) proxy server 144 is shown as connected to Internet 104 and is used to create, modify, and terminate sessions that allow participants to agree on a set of compatible media types and establish connections for Internet telephone calls, multimedia distribution, and multimedia conferences, for example. In a voice over internet protocol (VOIP) application, SIP proxy server 144 routes requests to a user's current location, authenticates and authorizes users for services, implements provider call-routing policies, and provides features to users. The SIP also provides a registration function that allows users to upload their current locations for use by proxy servers. SIP runs on top of several different transport protocols such as the internet protocol (IP).
When initiating an internet telephone call for VoIP communications, for example, first service terminal 122 can initiate a call to second service terminal 132 by first contacting proxy server 144 and requesting a latency-controlled connection for a voice session with second service terminal 132. In a traditional data transfer arrangement over Internet 104, latency is not usually an issue since the data from the source is divided into discrete packets that are sent individually and then reassembled at the destination. In this manner, once the data package is reassembled, it does not matter that packets were delayed, nor does it matter that some packets may have been received out of order, as long as the packets are reassembled into their initial order and none are missing. However, in a voice connection, undue latency can cause communication difficulties. To avoid this problem, a priority circuit having a lower latency is typically established between the two ends of the VoIP connection, that is, between CPE (124, 134). In a priority case, if a voice packet and a data packet are both received by the same router, the voice packet is given priority in order to avoid introducing latency to the voice packet delivery and reassembly.
Prior to initiating an internet telephone call using a service terminal (122, 132), the CPE must be configured for service with the respective service provider (SP) through a process called provisioning where service is established with a service provider (SP). In an example including a voice service provider (VSP), a provisioned subscriber is a voice service customer whose order for voice service has been processed, and may include the assignment of a particular CPE device and a VoIP telephone number. In other cases, the particular CPE device is not yet configured, but the VoIP telephone number is associated with user data that may be associated with particular CPE information in a configuration database.
A default server 148 contains redirection information to establish service for a previously un-configured or generic CPE device. For example, when first CPE 124 is initially connected to an active network, CPE 124 can search a predetermined configuration server address memory location to determine if pre-configuration information is present. If pre-configuration information is not present, CPE 124 can search a predetermined default server address memory location to determine if an address is present identifying a default server which can provide the configuration server address for use in configuration. CPE 124 can use the default server address to access default server 148 in order to give identifying information and receive corresponding configuration server information. For example, CPE 124 can retrieve the default server address and access the default server over the hierarchical network by sending one or more messages to default server 148. These messages can include CPE 124 identifying information such as a serial number, media access control (MAC) address, manufacturer name, model number, user name, and user account information.
Default server 148 includes a database where the CPE identifying information is used to identify the network address of a configuration server which CPE 124 can access in order to obtain configuration information for use in establishing service with a service provider. Alternatively, the information database may be located at a remote location to default server 148, yet is accessible so that default server 148 provides the configuration server 146 address to CPE 124. As described, CPE 124 can be connected through the Internet 104 in order to access default server 148 in an on-net configuration flow. Similarly, second CPE 134 can be connected through ISP network 108 in order to access default server 148 in an off-net configuration flow.
Processing unit 206 can be a suitably programmed microprocessor or microcomputer. Memory unit 208 stores and retrieves information under the control of processing unit 206. Memory unit 208 can be any device that is enabled to store and retrieve information including information such as a service provider (SP) configuration server address 220, a default server address 222, SP configuration data 224, a CPE encryption certificate 226, and one or more server encryption certificates 228. Typically, memory unit 208 can be implemented as a random access memory (RAM), a read only memory (ROM), a magnetic recording and reproducing device, or an electrically alterable storage and retrieval device such as an electrically erasable programmable ROM (EEPROM).
SP server address 220 and default server address 222 can be stored as a uniform resource locator (URL) for use on the world wide web (WWW). In this case, the URL is broadcast to a name server (not shown) that will resolve the URL to an internet protocol (IP) address. Processing unit 206 retrieves a server address (220, 222) from memory unit 208 and passes that information to WAN communications unit 202 in order to access the selected server (146, 148). Terminal adapter 210 can be implemented as a part of CPE (124, 134) or can be a stand-alone network device having a data connection to CPE (124, 134). In one embodiment, terminal adapter 210 converts analog telephone signals to digital packets in a broadcasting mode and converts digital packets to analog telephone signals in a receiving mode in order to provide network access for an otherwise non-accessible service terminal (122, 132). Various types of terminal adapters may be used to interface with other user devices. For example, a different type of terminal adapter 210 may be used to interface with a camera, a video monitor, or a hand-held device in order to provide network connectivity to these devices. In this manner, terminal adapter 210 is the final, or terminal, element on the network.
Since protecting customer information and configuration details is desirable to avoid unnecessarily exposing individuals to identity theft and networks from compromise, network security is important. Hence, it is desirable to establish a secure connection, or encrypted communication channel, prior to the exchange of sensitive information over an unsecured network such as Internet 104. One way to accomplish this is to establish a transport layer security (TLS) channel between two devices prior to exchanging sensitive information.
The transport layer security framework is specified according to an Internet Engineering Task Force (IETF) TLS Working Group document RFC2246 which specifies the transport layer security protocol. The transport layer refers to the middle layer of a networking framework called the open system interconnection (OSI) model and provides for transparent transfer of data between end systems or hosts. The transport layer of OSI is responsible for end-to-end error recovery and flow control to ensure complete data transfer. In establishing a traditional TLS connection, a secure connection is formed by passing encrypted information messages that are decrypted by each entity in order to mutually authenticate each entity to the other entity. Ordinary mutual authentication is typically not specific to a particular device or server, but merely verifies that each entity is in possession of a valid, encrypted certificate. Essentially, the traditional form of mutual authentication only verifies that each entity belongs to a group of approved entities, and unique information that identifies a particular CPE 124 is not used.
Once the above mutual authentication is completed, the entities traditionally proceed to set up encryption, to establish a secure connection by changing the cipher specification. This takes time which limits server availability, and can result in needlessly transferring information between the entities in the event that either entity is later deemed to be invalid due to more detailed considerations. For example, even if the traditionally authenticated CPE device is in possession of a valid, generic certificate issued by the CPE manufacturer, the CPE device may not be assigned to a valid user or listed in an approved database of valid CPE devices.
Processing unit 206 retrieves default server address 222 and passes it to WAN communications unit 202 for connecting 310 to default server 148. In this context, connecting includes sending and receiving information between CPE 124 and default server 148 over the network. Once connected to default server 148, flow 300 continues with CPE 124 acquiring 312 a network address for configuration server 146. If CPE 124 found a configuration server address in memory unit 208, or if CPE 124 has received a configuration server address from default server 148, flow 300 continues with CPE 124 connecting 314 to configuration server 146. Flow 300 continues with CPE 124 acquiring 316 the subscriber configuration data from configuration server 146, which can then be stored in memory unit 208 in the location denoted as SP configuration data 224. Once the configuration data is received, flow 300 continues with CPE 124 loading 318 the acquired subscriber configuration data in order to set up the internal state of CPE 124. The internal state regarding configuration may be one of In-service (IS) or Not-in-service (NIS), where NIS refers to a device that is not properly configured for voice. Finally, once CPE 124 has received and loaded the configuration data, flow 300 concludes with CPE 124 restarting 318 using the subscriber configuration data to establish service with the service provider.
In reference to
During this negotiation between CPE 124 and the DHCP server 140, CPE 124 broadcasts a DHCPDISCOVER message in which CPE 124 asserts a MAC address to the active network in order to locate available servers. DHCP server 140 receives the DHCPDISCOVER message and responds to the broadcast by asserting a DHCPOFFER message to CPE 124 including parameters of a proposed network address. CPE 124 responds to the DHCPOFFER by sending a DHCPREQUEST message requesting the offered parameters from DHCP server 140 and implicitly declining offers from all other servers that may have responded to the DHCPDISCOVER message. There are several options available to a network device during this negotiation allowing for some vendor-specific customizations. For example, according to IETF publication RFC2132, a DHCPREQUEST may be offered with or without vendor specific information in a series of data fields identified as DHCP option-60.
If the intended service provider (SP) network address is set 404, the DHCPREQUEST will be asserted 406 without option-60. According to IETF RFC2132, the dynamic host configuration protocol (DHCP) provides a framework for passing configuration information to hosts on a Transfer Control Protocol/Internet Protocol (TCP/IP) network. Specifically, DHCP option-60 carries a vendor class identifier, which DHCP clients use to optionally identify the vendor type and configuration of the client. DHCP server 140 then responds by asserting a DHCPACK message including the committed network address, concluding the operation of connecting CPE 124 to the network, as well as a network address for configuration server 146 in an option-43 vendor class field. Once the CPE network address is set, the CPE can then set up 408 a transport layer security (TLS) connection between CPE 124 and configuration server 146 in order to acquire the configuration data and initialize using it.
Once initialized, the CPE will detect whether service is established 410 with the service provider. If so, the subscriber service is established 412 and provisioning flow 400 has terminated normally. However, if service is not established 410, the CPE applies a retry procedure 414 in order to attempt to establish the service. This retry procedure 414 is intended to let the CPE become properly registered once a network connectivity issue is resolved; it does not address wrong configuration parameters or hardware/firmware problems. If the retry procedure 414 is not successful, an error condition 416 is assumed and the CPE enters an idle state 418-1. In an idle state (418-1, -2, and -3), CPE 124 will remain inactive until an external intervention such as a reset or a manually initiated reconfiguration. The service status can be reflected by an indicator such as the status of a ready light, an icon or graphical symbol on a display, or some other indication that conveys the status of the CPE to a user. Alternatively, a service availability indication may be asserted to another device on the LAN of first cluster 102, including an indicator on the first service terminal 122.
If, after CPE 124 is connected to the active network, it detects that the SP network address is not set 404, the DHCPREQUEST will be asserted 420 with option-60, an optional field for carrying vendor specific information whose definition is vendor specific. DHCP server 140 detects 422 receipt of a DHCPREQUEST having option-60 and, if configured with a vendor-defined network address, responds by asserting a DHCPACK message with option-43 providing the committed network address for configuration server 146, concluding the operation of connecting CPE 124 to the network. DHCP option-60 is used by the client to identify the vendor. If the DHCP server is set up (provisioned) to respond with vendor specific information, the DHCP server includes that information in DHCP option-43 of its response to the DHCP client. In this case, the specific information is a VSP URL. Since many DHCP servers may reply to a DHCPDISCOVER message, a CPE whose SP network address is initially not set would only send a DHCPREQUEST to those DHCP servers that were capable of responding with a configuration server network address.
Prior to this invention, if a DHCPREQUEST was asserted with option-60 and DHCP server 140 was not configured with an SP-defined configuration server address, the server would not respond with a configuration server network address, and the CPE would enter idle state 418-2, since there would be no way to reconcile the DHCPREQUEST option-60 data with a configuration server address if the vendor information, DHCP option-43, was not known. Likewise, if no DHCP server responded appropriately to the DHCPREQUEST bearing option-60, the CPE would enter idle state 418-2. Once the network address for configuration server 146 is received, CPE 124 can then set up 424 a transport layer security (TLS) connection between CPE 124 and configuration server 146 in order to acquire the configuration data and initialize CPE 124 using it. Once initialized, CPE 124 will detect whether service is established 426 with the service provider. If so, the subscriber service is established 412 and provisioning flow 400 has terminated normally. However, if service is not established 426, the CPE applies a retry procedure 428 in order to attempt to establish the service. If retry procedure 428 is not successful, an error condition 430 is assumed and the CPE enters idle state 418-3.
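The option-60/option-43 exchange described above, as an added example that is not part of the patent text: the CPE includes a vendor class identifier (option 60) in its DHCPREQUEST only when no SP address is stored, and the DHCP server answers with the configuration server URL in option 43 only when it has been provisioned for that vendor class. The TLV encoding follows RFC 2132; option 43 is treated as a plain URL string, as the text describes, rather than as encapsulated sub-options. The vendor class string, the URL and the server's vendor table are constructed for the example.

```python
import struct

# RFC 2132 option codes used in the exchange
OPT_MESSAGE_TYPE = 53    # 1 = DISCOVER, 2 = OFFER, 3 = REQUEST, 5 = ACK
OPT_VENDOR_INFO = 43     # vendor specific information (server -> client)
OPT_VENDOR_CLASS = 60    # vendor class identifier (client -> server)
OPT_PAD, OPT_END = 0, 255

DHCPREQUEST, DHCPACK = b"\x03", b"\x05"


def encode_options(options):
    """Serialise (code, value) pairs as RFC 2132 TLVs and terminate with END."""
    out = bytearray()
    for code, value in options:
        if not 1 <= len(value) <= 255:
            raise ValueError("option %d must carry 1..255 bytes" % code)
        out += struct.pack("!BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(blob):
    """Parse TLVs into {code: value}. PAD is skipped, END stops parsing, and a
    length that runs past the buffer is rejected instead of silently truncated."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d declares %d bytes, %d present"
                             % (code, length, len(value)))
        opts[code] = value
        i += 2 + length
    return opts


def build_request(sp_address_set, vendor_class):
    """CPE side: the DHCPREQUEST carries option 60 only when no SP address is
    stored (step 420); when the address is already set it is omitted (step 406)."""
    options = [(OPT_MESSAGE_TYPE, DHCPREQUEST)]
    if not sp_address_set:
        options.append((OPT_VENDOR_CLASS, vendor_class))
    return encode_options(options)


def build_ack(request, vendor_table):
    """Server side: answer with option 43 only when the request's option 60
    names a vendor class the server was provisioned for (step 422)."""
    req = parse_options(request)
    if req.get(OPT_MESSAGE_TYPE) != DHCPREQUEST:
        raise ValueError("not a DHCPREQUEST")
    options = [(OPT_MESSAGE_TYPE, DHCPACK)]
    vendor = req.get(OPT_VENDOR_CLASS)
    if vendor is not None and vendor in vendor_table:
        options.append((OPT_VENDOR_INFO, vendor_table[vendor]))
    return encode_options(options)


def config_server_from_ack(ack):
    """CPE side: the configuration server URL from option 43, or None, which
    the flow treats as idle state 418-2. Only a TLS endpoint is accepted because
    the configuration exchange runs over TLS (a hardening choice made in this
    example, not something the text states)."""
    value = parse_options(ack).get(OPT_VENDOR_INFO)
    if value is None:
        return None
    try:
        url = value.decode("ascii")
    except UnicodeDecodeError:
        return None
    return url if url.startswith("https://") else None


# Constructed sample data: one vendor class the DHCP server has been provisioned for.
VENDOR_TABLE = {b"VSP-EXAMPLE-CPE": b"https://config.vsp.example.invalid/cpe"}

if __name__ == "__main__":
    req = build_request(sp_address_set=False, vendor_class=b"VSP-EXAMPLE-CPE")
    print(config_server_from_ack(build_ack(req, VENDOR_TABLE)))
```

A DHCPREQUEST without option 60, an unknown vendor class, or an option 43 value that is not an `https://` URL all yield `None`, which is the point at which the flow goes idle rather than connecting to an unverified server.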
Following the sending 704 of the server hello message, default server 148 sends 706 a grant VSP server certificate message granting the initialization server VSP certificate and requesting the CPE 124 client certificate. The VSP certificate is already encrypted using the default server 148 private key. CPE 124 decrypts the VSP server certificate with the initialization server public key and checks the identity of the organization that issued the VSP certificate. If the VSP certificate issuer is not approved, the TLS procedure is abandoned.
The VSP certificate issuer may not be approved if the issuer is not an approved vendor or if an authentication problem prevents the authentication process from completing normally. However, if the VSP certificate issuer is approved, CPE 124 encrypts the CPE certificate and user defined data using the CPE private key and sends them in a client certificate message 708. At this point, default server 148 authenticates the CPE certificate by decrypting it using the CPE public key and verifying that the issuer is approved.
If the issuer is not approved, the TLS procedure is abandoned. However, if the issuer is approved, default server 148 proceeds to matching the decrypted CPE data with the CPE data records previously stored in a CPE database. If there is a match found in the CPE database, default server 148 determines if the particular service provider (SP) service has been approved for this CPE unit. If SP service has not been approved, the TLS procedure is abandoned. However, if the SP service has been approved, the TLS procedure continues to set up the session encryption using a change cipher specification protocol. Message 706 and message 708 correspond to mutually authenticating 604 both SP and CPE certificates. Once the cipher specification is changed, corresponding to setting up encryption 606, the TLS connection is established providing security for the exchange of information with default server 148.
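The authorization gates of messages 706 and 708, as an added example that is not part of the patent text: the CPE abandons the handshake when the VSP certificate issuer is unknown, and the default server abandons it, in the order the text gives (issuer approved, CPE record match, SP service approved), before the cipher specification is changed. Certificates are reduced to the issuer and subject fields the gates inspect; the `Certificate` and `CpeRecord` types, the CPE database and the issuer names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Certificate:
    """Only the fields the gates inspect: who issued it and which entity it names."""
    issuer: str
    subject: str          # for a CPE certificate, the unit's serial number


@dataclass(frozen=True)
class CpeRecord:
    """One row of the CPE database held by or reachable from default server 148."""
    serial: str
    mac: str
    approved_services: FrozenSet[str]   # SP names this unit may be provisioned for


def client_gate(vsp_cert: Certificate, approved_vsp_issuers: Set[str]) -> Tuple[bool, str]:
    """CPE side, after message 706: abandon unless the VSP certificate issuer is approved."""
    if vsp_cert.issuer not in approved_vsp_issuers:
        return False, "VSP certificate issuer %r not approved" % vsp_cert.issuer
    return True, "VSP certificate issuer approved"


def server_gate(cpe_cert: Certificate, user_data: Dict[str, str],
                cpe_db: Dict[str, CpeRecord], approved_cpe_issuers: Set[str],
                requested_sp: str) -> Tuple[bool, str]:
    """Default server side, after message 708. Each check fails closed, so a
    generic manufacturer certificate alone never reaches session setup."""
    if cpe_cert.issuer not in approved_cpe_issuers:
        return False, "CPE certificate issuer %r not approved" % cpe_cert.issuer
    record = cpe_db.get(cpe_cert.subject)
    if record is None or record.mac.lower() != user_data.get("mac", "").lower():
        return False, "no CPE record matches the certificate subject and user data"
    if requested_sp not in record.approved_services:
        return False, "SP %r not approved for CPE %s" % (requested_sp, record.serial)
    return True, "CPE %s approved for %s" % (record.serial, requested_sp)


def run_handshake(vsp_cert: Certificate, cpe_cert: Certificate, user_data: Dict[str, str],
                  cpe_db: Dict[str, CpeRecord], approved_vsp_issuers: Set[str],
                  approved_cpe_issuers: Set[str], requested_sp: str) -> List[str]:
    """Return the handshake steps reached. 'change_cipher_spec' (606) appears
    only when both gates pass; an early abandon costs neither side session setup."""
    steps = ["client_hello", "server_hello", "grant_vsp_certificate"]
    ok, why = client_gate(vsp_cert, approved_vsp_issuers)
    steps.append("client_check: " + why)
    if not ok:
        steps.append("abandoned")
        return steps
    steps.append("client_certificate")
    ok, why = server_gate(cpe_cert, user_data, cpe_db, approved_cpe_issuers, requested_sp)
    steps.append("server_check: " + why)
    if not ok:
        steps.append("abandoned")
        return steps
    steps += ["change_cipher_spec", "established"]
    return steps


# Constructed sample data for the example.
CPE_DB = {"SN-0001": CpeRecord("SN-0001", "00:11:22:33:44:55", frozenset({"ExampleVoice"}))}
VSP_CERT = Certificate(issuer="Example VSP Root CA", subject="default-server")
CPE_CERT = Certificate(issuer="Example CPE Maker CA", subject="SN-0001")

if __name__ == "__main__":
    for step in run_handshake(VSP_CERT, CPE_CERT, {"mac": "00:11:22:33:44:55"}, CPE_DB,
                              {"Example VSP Root CA"}, {"Example CPE Maker CA"}, "ExampleVoice"):
        print(step)
```

The ordering matters for the point made in the text: the record match and SP approval run on the already authenticated certificate, but before any session keys are derived, so a device holding a valid but unassigned manufacturer certificate is rejected at the same cost as one with an unknown issuer.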
Once CPE 124 receives the configuration server network address response message 1008, CPE 124 extracts the configuration server network address 1006 and sends a configuration data request message 1010 to configuration server 146 at the configuration server network address 1006. The configuration data request message 1010 includes a predetermined portion of the CPE identifying data 1002 so that configuration server 146 may locate the appropriate configuration data 1012 for CPE 124. Similar to default server 148, configuration server 146 may retain the configuration data 1012 in a local database or may have access to one or more remote databases containing the appropriate information. Configuration server 146 retrieves the stored configuration data 1012 from the appropriate database and responds to CPE 124 with a configuration data response message 1014 including configuration data 1012 for the appropriate configuration server 146. As described, CPE 124 distributes appropriate portions of configuration data 1012 and initializes CPE 124 to establish service with a service provider. To protect sensitive information, all message content may be encrypted or sent through a transport layer security
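Flow 300 and the message exchange just described, as an added example that is not part of the patent text: the CPE reads the stored configuration server address, falls back to the default server (which maps CPE identifying data to a configuration server address, message 1008), then requests and loads the subscriber configuration (messages 1010 and 1014), ending in the IS or NIS state. A retry wrapper repeats only transient failures, matching the retry procedure's purpose. The in-process `DefaultServer` and `ConfigurationServer` classes stand in for the TLS connections, and the addresses, identity fields, records and required configuration keys are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class MemoryUnit:
    """The memory unit 208 locations the flow reads and writes."""
    config_server_address: Optional[str] = None   # SP configuration server address 220
    default_server_address: Optional[str] = None  # default server address 222
    sp_configuration: Optional[dict] = None       # SP configuration data 224


class DefaultServer:
    """Maps CPE identifying data to a configuration server address (response 1008)."""
    def __init__(self, records: Dict[Tuple[str, str], str]):
        self._records = records   # (mac, model) -> configuration server address

    def config_server_for(self, identity: Dict[str, str]) -> Optional[str]:
        return self._records.get((identity["mac"].lower(), identity["model"]))


class ConfigurationServer:
    """Returns subscriber configuration data (response 1014) for a known CPE."""
    def __init__(self, configs: Dict[str, dict]):
        self._configs = configs   # mac -> configuration data

    def configuration_for(self, identity: Dict[str, str]) -> Optional[dict]:
        return self._configs.get(identity["mac"].lower())


# Assumed minimum content of a usable voice configuration (not specified by the text).
REQUIRED_KEYS = frozenset({"sip_proxy", "sip_user", "phone_number"})


def provision(memory: MemoryUnit, identity: Dict[str, str], network: Dict[str, object]) -> Tuple[str, str]:
    """Run flow 300 against `network` (address -> reachable server object).
    Returns (state, detail) with state 'IS' (in service) or 'NIS'."""
    if memory.config_server_address is None:
        if memory.default_server_address is None:
            return "NIS", "no configuration or default server address stored"
        default = network.get(memory.default_server_address)      # connecting 310
        if default is None:
            return "NIS", "default server unreachable"
        address = default.config_server_for(identity)             # acquiring 312
        if address is None:
            return "NIS", "default server has no record for this CPE"
        memory.config_server_address = address
    server = network.get(memory.config_server_address)            # connecting 314
    if server is None:
        return "NIS", "configuration server unreachable"
    data = server.configuration_for(identity)                     # acquiring 316
    if data is None:
        return "NIS", "no subscriber configuration for this CPE"
    missing = REQUIRED_KEYS - set(data)
    if missing:
        return "NIS", "configuration incomplete, missing " + ", ".join(sorted(missing))
    memory.sp_configuration = dict(data)                          # loading 318
    return "IS", "configured for " + data["sip_proxy"]


def provision_with_retry(memory: MemoryUnit, identity: Dict[str, str],
                         network: Dict[str, object], attempts: int = 3) -> Tuple[str, str]:
    """Retry procedure 414/428: repeat only connectivity failures; a missing
    record or a bad configuration goes to the idle state at once."""
    state, detail = "NIS", "no attempt made"
    for _ in range(attempts):
        state, detail = provision(memory, identity, network)
        if state == "IS" or "unreachable" not in detail:
            return state, detail
    return "NIS", "idle after %d attempts: %s" % (attempts, detail)


# Constructed sample data for the example.
IDENTITY = {"mac": "00:11:22:33:44:55", "model": "GW-1"}
NETWORK = {
    "default.example.invalid": DefaultServer({("00:11:22:33:44:55", "GW-1"): "config.vsp.example.invalid"}),
    "config.vsp.example.invalid": ConfigurationServer({"00:11:22:33:44:55": {
        "sip_proxy": "sip.vsp.example.invalid", "sip_user": "1001", "phone_number": "+15555550100"}}),
}

if __name__ == "__main__":
    memory = MemoryUnit(default_server_address="default.example.invalid")
    print(provision_with_retry(memory, IDENTITY, NETWORK))
```

After a successful run the learned configuration server address is left in the memory unit, so the next boot skips the default server, which is the behaviour the text describes for a CPE that already holds a configuration server address.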
Although the invention has been described with respect to particular embodiments, this description is only an example of the invention's application and should not be taken as a limitation. Consequently, the scope of the invention is set forth in the following claims.