This application relates to U.S. Provisional Patent Application Ser. No. 61/428,620, filed Dec. 30, 2010 and entitled SECURE TUNNELING PLATFORM SYSTEM AND METHOD, and to U.S. Provisional Patent Application Ser. No. 61/559,460, filed Nov. 14, 2011, and entitled SECURE TUNNELING PLATFORM SYSTEM AND METHOD, the entire contents of each of which are incorporated herein by reference.
1. Field
The present application relates, generally, to network bandwidth sharing and, more particularly, to identifying users thereof.
2. Description of the Related Art
Sharing bandwidth, such as via Wi-Fi, is a practical solution that has benefits such as described in commonly assigned U.S. Pat. No. 7,924,780. Users who access communication networks, such as the Internet, via Wi-Fi often share a public Internet protocol (“IP”) address. For example, a respective Internet Service Provider (“ISP”) provides Internet access via one or a limited number of IP addresses. The Internet bandwidth is made available via a Wi-Fi access point. User A operates an IPOD TOUCH, and locates and accesses the Wi-Fi service to access a web page on the Internet. User B operates a laptop computer and locates the same Wi-Fi service to access a different web page on the Internet. The devices operated by User A and User B share the single public IP address provided by the ISP. In this example, it is impossible to determine which user (User A or User B) accessed which Internet web page because both users shared the same public IP address.
In the above example, two users operate different computing devices and access two different web pages at the same time. Unfortunately, the ISP can only detect the one IP address that is shared by and accessed by both users. Therefore, the respective users cannot be identified.
A system and method are disclosed that include storing address information representing respective endpoints on one or more networks. A first computing device is provided a first network address, which is associated with a second network address. A secure pathway is established over a network between the first computing device and at least one processor, and a pathway network address is provided for the secure pathway. A first communication session via the secure pathway is provided between the first user computing device and the at least one processor, and electronic authentication information is received from the first computing device for access to at least one other computing device. The authentication information is sent to an authenticating device, and, when confirmed, the first user computing device is authorized to access the other computing device(s). Each of the pathway network address, the first respective network address, the second network address, and the at least one other computing device is stored in the one or more databases.
For the purpose of illustrating the invention, there is shown in the drawings several forms, which are presently preferred, it being understood, however, that the invention is not limited to the precise arrangements and instrumentalities shown. The features and advantages of the present invention will become apparent from the following description of the invention that refers to the accompanying drawings, in which:
A system and method are provided for identifying respective users that access a communication network via Wi-Fi or other sharing of bandwidth, even when both users share the bandwidth, substantially simultaneously. The system and method in accordance with the teachings herein further provide identification and disclosure of respective users that use bandwidth provided via Wi-Fi service, including bandwidth that is provided on a single or a limited number of shared public IP addresses.
In an embodiment, one or more disclosure services are provided to identify a user who is accessing the Internet, given the public IP address and port that has been assigned to the connection. In addition to the systems and methods set forth and described in commonly assigned U.S. Pat. No. 7,924,780 and U.S. Pat. No. 7,995,993, the entire contents of each of which are hereby incorporated by reference, users who register with an information processor to share bandwidth and be entitled to access other registered users' bandwidth at no additional charge are assigned unique respective user names. As described herein, accounting logs may be kept that represent sessions and connections (network address translation (“NAT”)), for example, for disclosure purposes. For example, accounting is provided for “PPP” sessions (which may be generated by Remote Authentication Dial In User Service (“RADIUS”) servers), “captive portal” sessions (which may be generated by RADIUS servers) and for NAT translation accounting (generated by an L2TP Network Server (“LNS”), which may be a computer, router, or other suitable device).
The present application includes a network tunneling platform that provides a device, such as a router, computer or other suitable hardware, that is configured to provide user identification over a communication network, even when the user's computing device is behind one or multiple NAT services. As shown and described in commonly assigned U.S. Pat. No. 7,924,780, registered user identification information is received and stored in one or more databases. Registered network users are subscribers and, therefore, can be identified unequivocally. For example, users are authenticated by providing a username and password, and may be authorized to share other users' network bandwidth at no additional cost, or for a small fee, depending upon the user's authenticated status. The teachings herein provide for relating the user's connection IP address and TCP/UDP port with the user's authentication information (e.g., user name and password) in order to identify the user.
The user identification capability provided in accordance with the teachings herein supports compliance with the security policies and legal requirements of even the strictest measures implemented by an Internet service provider.
In an embodiment, user identification information is provided via a PPP session that is carried in a layer 2 tunneling protocol (“L2TP”) tunnel. Each user session is established via an L2TP tunnel, which provides an independent Internet protocol (“IP”) address to each PPP tunnel and, accordingly, to each user. User credentials and the respective session IP address are logged by, for example, a RADIUS server that may also support authentication and accounting processes.
The tunneling embodiments in accordance with the teachings herein also support environments that have a limited number of available IP addresses. Public IP address conservation may be provided by assigning a private IP address to each respective user. In this embodiment, respective private IP addresses are translated, for example, via one or more network address translation (“NAT”) servers, to one or more public IP addresses before network traffic reaches the Internet. In an embodiment, multiple private IP addresses are NATed to a single public IP address (also called public address translation (“PAT”) or NAT overload). Thus, a feature is provided that translates one IP address into another. In an embodiment, PAT is used to translate private IP addresses into public ones. By providing a NAT accounting log, unequivocal user identification can be provided.
Although many of the examples herein relate to IP conservation, the teachings herein support alternative embodiments, for example, including those that do not provide or otherwise support NAT translation. In order to support a limited or otherwise reduced number of IP addresses, a less complex and expensive embodiment is supported by simply assigning independent public IP addresses to users connected at any given time, instead of translating private IP addresses via NAT and sharing one or more public IP addresses.
In addition, the infrastructure in an embodiment provides substantial redundancy, for example, of datacenter and communication providers. This supports significant availability and substantial scalability, for example, to support hundreds of thousands of concurrent users by adding network equipment that, for example, terminates the tunnels at configured routers. In the case of a lower number of concurrent users, the system is adjustable to scale appropriately in terms of functionality and cost.
In an embodiment, the present application employs the extensible authentication protocol (“EAP”), an authentication framework that is frequently used in wireless networks and point-to-point connections. EAP is widely used, for example, in IEEE 802.11 (Wi-Fi), and the WPA and WPA2 standards have adopted IEEE 802.1X with multiple EAP types as authentication mechanisms. When used as an authentication protocol, EAP is usable on the captive portal, and is suitable when used with WPA and/or WPA2. For example, LEAP (Lightweight EAP), EAP-TLS, EAP-TTLS, EAP-FAST, EAP-SIM and EAP-AKA are applicable in association with one or more credentials and/or processes. In an embodiment, 802.1X involves a supplicant (e.g., a mobile computing device such as a smartphone, PDA or the like), an authenticator (e.g., a configured router) and a server. 802.1X is used to transport EAP messages via EAP over LAN (“EAPOL”) from a supplicant to an authenticator, and thereafter via RADIUS/Diameter from the authenticator to the server.
In at least one known system, such as employed by the systems and methods described in commonly assigned U.S. Pat. No. 7,924,780 and U.S. Pat. No. 7,995,993, three actors are employed: a supplicant, an authenticator and a server. In such embodiment(s), a universal access method (“UAM”) is used to transport password authentication protocol (“PAP”) messages. Thereafter, HTTPS may be used for transporting data from the supplicant to a UAM server, HTTP is used from the supplicant to the authenticator, and RADIUS is used from the authenticator to the server.
In accordance with an embodiment of the present application that employs tunneling, three actors are similarly employed: a supplicant, an authenticator and a server that may include a plurality of elements. In one embodiment, for example, EAP messages are transferred from EAPOL to PPP and then to RADIUS. In an alternative embodiment, a tunneling “on demand” architecture is employed, which eliminates the step of converting EAPOL to PPP, and which may be easier for manufacturers to implement. In the alternative embodiment, a proxy RADIUS (that may be modified to trigger the PPP authentication) is employed, or a modified EAP daemon may be applied. Each of these two embodiments is discussed in greater detail below, in connection with
Referring now to the drawing figures, in which like reference numerals represent like elements,
Continuing with reference to
Communication network 106 is preferably a global public communication network such as the Internet, but can also be a wide area network (WAN), local area network (LAN), an intranet or other network that enables computing devices and peripheral devices to communicate.
In a preferred embodiment, information processor(s) 102 and computing devices 104 are equipped with web browser software, such as MICROSOFT INTERNET EXPLORER, MOZILLA FIREFOX, APPLE SAFARI or the like. Information processor 102 and computing devices 104 are coupled to communication network 106 using any known data communication networking technology.
The various components illustrated in
The nature of the present application is such that one skilled in the art of writing computer executable code (i.e., software) can implement the functions described herein using one or more of a combination of popular computer programming languages and developing environments including, but not limited to, C, C++, Visual Basic, JAVA, HTML, XML, ACTIVE SERVER PAGES, JAVA server pages, servlets, MYSQL and PHP.
Although the present application is described by way of example herein and in terms of a web-based system using web browsers and a web site server (e.g., information processor 102), system 100 is not limited to such a configuration. It is contemplated that system 100 is arranged such that information processor 102 and/or computing devices 104 communicate and output data using any known communication method, for example, using a non-Internet browser WINDOWS viewer coupled with a local area network protocol such as the Internet Packet Exchange (IPX), dial-up, third-party, private network or a value added network (VAN).
It is further contemplated that any suitable operating system can be used on information processor 102 and/or computing device 104, for example, DOS, WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS NT, WINDOWS 2000, WINDOWS ME, WINDOWS CE, WINDOWS POCKET PC, WINDOWS XP, WINDOWS VISTA, WINDOWS 7, MAC OS, UNIX, LINUX, PALM OS, POCKET PC, BLACKBERRY, ANDROID, IOS and any other suitable operating system.
At step 5, the user tries to connect, using the HTTP protocol, to a web server which is not whitelisted (prior authentication is required). At step 6, configured router 302 (illustrated as “Fonera”) redirects the user to the captive portal (web server 320) using the HTTP protocol. This occurs in an embodiment where web authentication is used. At steps 7 and 8, user device 306 requests the captive portal via the HTTPS protocol, and web server 320 sends it, including a login form. At step 9, user device 306 sends credentials, preferably via the password authentication protocol (“PAP”), to web server 320, which checks the credentials with a local or remote database or system (step 10), and may use any suitable protocol that is defined between the two systems. Another HTTPS redirect is built, for example, with a one time password that user device 306 uses later to establish the tunnel.
Once the user credentials have been validated, the tunnel establishment process begins. User device 306 sends the received one time password to configured router 302 via the HTTP protocol (step 12). Configured router 302, thereafter, starts an L2TP layer 2 tunnel (step 13) and a PPP session (step 14) on top of it using the one time password, with the LNS server(s) 308. The LNS server(s) 308 converts the authentication request into a RADIUS communication with a Proxy RADIUS 304 (step 15), which forwards the credentials to a final RADIUS server 316 (step 16), which validates the one time password. The communication between 304 and 316, in this embodiment, preferably occurs through a secure VPN tunnel in order to protect the authentication credentials when exchanged through the Internet. Moreover, DCRs 312 and 314 are used for providing this VPN.
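The handoff in steps 9 to 16, in which the web server issues a one time password after checking the PAP credentials and the final RADIUS server later accepts that password when the PPP authentication is forwarded by the LNS and proxy, is modelled below. This is an added example and not code from the application; the subscriber table, the salt, the 60-second OTP lifetime and the in-memory OTP store are all assumed or constructed, and the functions `portal_login` and `radius_authenticate` are hypothetical names for the two ends of the exchange.

```python
"""One-time password handoff from captive-portal login to PPP/RADIUS tunnel authentication.

Added example, not code from the patent application.  It models steps 9 to 16
above: the web server verifies the subscriber's PAP credentials and issues a
one-time password (OTP); the final RADIUS server later redeems that OTP when the
LNS forwards the PPP authentication.  The subscriber table, salt and OTP
lifetime are assumed/constructed values; the OTP store is an in-memory dict.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

OTP_LIFETIME_S = 60                      # assumed: OTP must be redeemed within 60 s
_SALT = b"constructed-salt"              # a real deployment uses a per-user random salt


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# constructed subscriber database: username -> PBKDF2 hash of the password
USERS: Dict[str, bytes] = {"alice": _pw_hash("correct horse", _SALT)}


class OtpStore:
    """Shared by the web server (issues OTPs) and the RADIUS server (redeems them).
    Only a hash of each OTP is kept, so a leaked store cannot be replayed."""

    def __init__(self) -> None:
        self._otps: Dict[bytes, dict] = {}   # sha256(otp) -> {user, issued, used}

    def issue(self, username: str, now: float) -> str:
        otp = secrets.token_urlsafe(24)
        key = hashlib.sha256(otp.encode()).digest()
        self._otps[key] = {"user": username, "issued": now, "used": False}
        return otp

    def redeem(self, username: str, otp: str, now: float) -> bool:
        rec = self._otps.get(hashlib.sha256(otp.encode()).digest())
        if rec is None or rec["used"] or rec["user"] != username:
            return False                 # unknown, already spent, or bound to another user
        if now - rec["issued"] > OTP_LIFETIME_S:
            return False                 # stale: the redirect was not followed in time
        rec["used"] = True               # single use: a replayed PPP login is refused
        return True


def portal_login(store: OtpStore, username: str, password: str, now: float) -> Optional[str]:
    """Steps 9-10: check the PAP credentials; on success return the OTP carried in the redirect."""
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, _pw_hash(password, _SALT)):
        return None
    return store.issue(username, now)


def radius_authenticate(store: OtpStore, username: str, otp: str, now: float) -> bool:
    """Step 16: the final RADIUS server validates the PPP credentials relayed by the LNS and proxy."""
    return store.redeem(username, otp, now)
```

The store binds each one time password to the username that earned it, keeps only its hash, and marks it spent on first redemption, so a password captured from the router-to-LNS leg cannot be redeemed a second time and cannot be redeemed at all once its lifetime has passed.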
Continuing now with reference to
At this point in the process, the user is already authenticated and can freely connect to the Internet using the established tunnel. At step 24, configured router 302 has received a positive authentication confirmation from LNS server 308 (see step 19), and rules (including NAT or PAT, when appropriate) are enforced to put the traffic of user device 306 into the recently established PPP session. From this point forward, the user is authenticated and can freely navigate to any server on the Internet, although all traffic is routed through the tunnel.
Continuing with reference to
Thus, and as described in connection with the above example embodiment, the teachings herein provide for a user connection flow that includes access to white-listed and non-white-listed domains, and user authentication and authorization, including web server authentication, tunnel authorization and captive portal authorization.
In an embodiment, an integration of at least three session accountings is included. One is a PPP session accounting that is generated by one or more RADIUS servers 110. A second is a captive portal session accounting that is generated by RADIUS server(s) 110. A third is a NAT accounting that is provided by LNS server 108. The PPP session accounting may include at least a user's session start time, stop time and the IP address of the respective LNS where the PPP session terminates. The PPP session accounting may also include the IP address assigned to customer premises equipment (“CPE”) 307, such as a router device provided to a user by the user's Internet service provider (“ISP”); this address appears as the tunnel's IP source at the LNS, because CPE 307 is translating (NAT) the configured router's wide area network (“WAN”) IP address. In an embodiment, CPE 307 includes a router and/or internet access point for Internet connectivity. Other information included in the PPP session accounting is the private IP address assigned to the configured router by the LNS for the PPP session, the user's username, the type of accounting packet and the FON unique session identifier, which may be the same for a captive portal session.
In an embodiment, a captive portal manages user authorization and accounting at configured router 302. The captive portal session accounting preferably includes one or more of: the user's session start time, the session stop time, the user's username, the user's device type (smartphone, etc.) and media access control (“MAC”) address, the MAC address of the user's CPE 307, the IP address of the user's computing device (smartphone, etc.) as assigned by the configured router via DHCP, and a unique session identifier (the same as described above for the PPP session).
The NAT translation session accounting is generated by LNS server 108 and includes one or more of: the translation creation time, the translation deletion time, the type of accounting (e.g., NAT creation or NAT deletion), the layer 4 communication protocol (UDP or TCP), the PPP session IP address (internal address) and port, the LNS public IP address used for the translation and port, and the Internet IP address that the user is reaching and port.
Thus, in accordance with the respective session accountings, user tracking and identification is provided. For example, the user's public IP address, TCP or UDP port, and a timeframe are known in advance. Using that information, the present application locates the private IP address that is assigned to the PPP session. This relates to a single PPP session provided the time frame is appropriately narrow (e.g., given a 24-hour time frame, there may be several PPP sessions which have shared the same private IP address at different times). Moreover, using the PPP session IP address, the PPP session accounting for that IP address can be determined, and the user's username and CPE 307 address can be determined.
Moreover, in case further information is required (e.g., the user device's MAC address), the Unique-Session-ID can be obtained and the captive portal user session that has the same Unique-Session-ID can be located. The user device's MAC address and the configured router's MAC address can, therefore, be identified.
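The three-step lookup described above (public IP and port at a given time, to the NAT record, to the PPP session that held that private address at that time, to the captive portal session with the same Unique-Session-ID) is carried out below on constructed sample accounting data. This is an added example, not code from the application or from any LNS or RADIUS product: the record layouts follow the fields listed in the three accountings, but the key=value NAT log line format, the `identify` function and every address, username, MAC and session id are assumptions. The sample data deliberately reuses one private address for two subscribers at different times, which is the ambiguity the text warns about for a wide time frame.

```python
"""Correlate NAT, PPP-session and captive-portal accounting to identify a subscriber.

Added example, not code from the patent application.  Record fields follow the
three accountings described above; the NAT log lines (a constructed key=value
format, not a real LNS format) and all addresses, names and ids are sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

ts = datetime.fromisoformat          # "2012-01-05T09:10:00" -> datetime

def addr(s: str):
    ip, port = s.rsplit(":", 1)
    return ip, int(port)

@dataclass
class NatRecord:                 # generated by the LNS per translation
    created: datetime
    deleted: Optional[datetime]  # None: translation still open
    proto: str
    private_ip: str              # PPP session (internal) address
    private_port: int
    public_ip: str               # LNS public address used for the translation
    public_port: int
    dst_ip: str                  # Internet address the user reached
    dst_port: int

@dataclass
class PppSession:                # RADIUS accounting for the PPP session
    start: datetime
    stop: Optional[datetime]     # None: session still open
    lns_ip: str
    cpe_ip: str                  # tunnel source, i.e. the CPE's WAN address
    private_ip: str              # address the LNS assigned to the session
    username: str
    session_id: str              # unique id shared with the captive-portal record

@dataclass
class PortalSession:             # RADIUS accounting for the captive-portal session
    start: datetime
    stop: Optional[datetime]
    username: str
    device_mac: str
    cpe_mac: str
    device_ip: str               # assigned by the configured router via DHCP
    session_id: str

def parse_nat_line(line: str) -> NatRecord:
    """Parse 'created=.. deleted=.. proto=TCP src=ip:port pub=ip:port dst=ip:port'."""
    kv: Dict[str, str] = dict(f.split("=", 1) for f in line.split())
    (pip, pport), (gip, gport), (dip, dport) = addr(kv["src"]), addr(kv["pub"]), addr(kv["dst"])
    deleted = ts(kv["deleted"]) if kv.get("deleted") else None
    return NatRecord(ts(kv["created"]), deleted, kv["proto"], pip, pport, gip, gport, dip, dport)

def active(start: datetime, stop: Optional[datetime], at: datetime) -> bool:
    """Open records (no stop/deletion time yet) count as active."""
    return start <= at and (stop is None or at <= stop)

def identify(public_ip: str, public_port: int, at: datetime, nat: List[NatRecord],
             ppp: List[PppSession], portal: List[PortalSession]) -> List[dict]:
    """Walk NAT record -> PPP session -> captive-portal session for one instant.
    The time check is repeated at the PPP step because the LNS reuses private
    addresses; every consistent chain is returned, so an empty list means 'no
    record' and more than one entry means the query was ambiguous."""
    found = []
    for n in nat:
        if (n.public_ip, n.public_port) != (public_ip, public_port) or not active(n.created, n.deleted, at):
            continue
        for p in ppp:
            if p.private_ip != n.private_ip or not active(p.start, p.stop, at):
                continue
            hit = {"username": p.username, "cpe_ip": p.cpe_ip, "session_id": p.session_id,
                   "destination": f"{n.dst_ip}:{n.dst_port}", "device_mac": None, "cpe_mac": None}
            for c in portal:                       # Unique-Session-ID links the two accountings
                if c.session_id == p.session_id:
                    hit["device_mac"], hit["cpe_mac"] = c.device_mac, c.cpe_mac
            found.append(hit)
    return found

# Constructed sample data: private 10.0.0.5 is handed to alice, then reused for bob.
NAT_LOG = [parse_nat_line(l) for l in (
    "created=2012-01-05T09:10:00 deleted=2012-01-05T09:12:00 proto=TCP "
    "src=10.0.0.5:40001 pub=203.0.113.10:20001 dst=198.51.100.7:443",
    "created=2012-01-05T11:30:00 deleted=2012-01-05T11:31:00 proto=TCP "
    "src=10.0.0.5:40001 pub=203.0.113.10:20001 dst=198.51.100.9:80",
)]
PPP_LOG = [
    PppSession(ts("2012-01-05T08:00:00"), ts("2012-01-05T10:00:00"), "203.0.113.10",
               "192.0.2.20", "10.0.0.5", "alice", "sid-0001"),
    PppSession(ts("2012-01-05T11:00:00"), None, "203.0.113.10",
               "192.0.2.21", "10.0.0.5", "bob", "sid-0002"),
]
PORTAL_LOG = [
    PortalSession(ts("2012-01-05T07:59:00"), ts("2012-01-05T10:00:00"), "alice",
                  "02:00:00:aa:aa:01", "02:00:00:cc:cc:01", "192.168.1.10", "sid-0001"),
    PortalSession(ts("2012-01-05T10:59:00"), None, "bob",
                  "02:00:00:bb:bb:02", "02:00:00:cc:cc:02", "192.168.1.11", "sid-0002"),
]
```

Calling `identify("203.0.113.10", 20001, ts("2012-01-05T11:30:20"), NAT_LOG, PPP_LOG, PORTAL_LOG)` returns bob's username, CPE address and MAC addresses, while the same public address and port at 09:11 resolve to alice, because the time check is applied to both the NAT record and the PPP session rather than to the address alone; a query at 10:30, when no translation is open, returns an empty list rather than a guess.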
The teachings herein provide for a “live platform” that includes a modular design in order to facilitate scalability and redundancy. In an embodiment, an LNS sub-platform terminates the L2TP PPP tunnels that are originated at configured routers 302. The LNS sub-platform may also assign a private IP address to each user session, translate private IP addresses into public ones, generate NAT accounting and forward it to an external syslog server, authenticate user sessions using the RADIUS protocol and generate session accounting using the RADIUS protocol.
An information technology (“IT”) services sub-platform may also be provided, including one or more configured routers/firewalls that may provide encrypted tunnels (GRE/IPsec) with the platform for secured RADIUS authentication and other transactions. The IT services platform may also implement one or more firewall capabilities in order to protect the servers installed at the datacenters. The IT services platform may also include a RADIUS proxy server that, in an embodiment, concentrates RADIUS authentication and accounting, and forwards information relating thereto to the RADIUS server 110 that is maintained or managed by the provider or proprietor of the system and method in accordance with the teachings herein, and which may be located anywhere in the world. Further, a monitoring server may be included that is configured to check the health status of the network and server devices, and to forward the information to a centralized monitor platform, which may be maintained or managed by the provider or proprietor of the system and method in accordance with the teachings herein. Moreover, a disclosure server may be included that stores the information required for a disclosure action (RADIUS logs, NAT accounting, etc.), and that provides a secured web interface for data extraction.
In addition to the LNS sub-platform, border switches are provided that are configured to aggregate traffic from the LNS and IT services sub-platforms, to provide IP connectivity with the ISP aggregation platform, and to provide inter-datacenter connectivity for redundancy purposes.
In an alternative embodiment, PPPoE technology may be substituted for PPP and L2TP. Moreover, a single customer premises equipment (“CPE”) device from an ISP may be substituted for the combination of a second router device (e.g., configured router 302) and a CPE. This embodiment is more efficient and less costly, for example, due to a reduction in equipment.
Continuing with reference to the example IP address assignments illustrated in
Thus, and as illustrated in
In an embodiment, data are encapsulated in one format and transmitted from one device, such as computing device 104 that is a smartphone, to another device that removes the EAP capsule, encapsulates the authentication information using another protocol, for example PPP, and transmits it to a further device, for example RADIUS server 110. Once RADIUS server 110 receives the PPP encapsulated credentials, it authenticates the user using the authentication credentials (or does not authenticate, due to improper credentials or another reason) and transmits a reply via PPP. The reply via PPP is received, opened and encapsulated back into EAP before being transmitted back to computing device 104.
Thus, and as illustrated in
Thus and in connection with
Continuing with reference to
Therefore, and in accordance with the teachings herein, a system and method are provided for identifying respective users that access a communication network via Wi-Fi or other shared bandwidth. Individual users of Wi-Fi service via shared public IP address(es) can be identified and disclosed, for example, to civil authorities.
Although the present invention is described and shown in relation to particular embodiments thereof, many other variations and modifications and other uses will become apparent to those skilled in the art. Thus, various embodiments and variations are shown and described herein, and it is preferred, therefore, that the present invention not be limited by the specific disclosure herein.
Number | Name | Date | Kind |
---|---|---|---|
6184710 | Mendel | Feb 2001 | B1 |
6298383 | Gutman et al. | Oct 2001 | B1 |
6430619 | Sitaraman et al. | Aug 2002 | B1 |
6795700 | Karaoguz et al. | Sep 2004 | B2 |
6842770 | Serlet et al. | Jan 2005 | B1 |
6934530 | Engelhart | Aug 2005 | B2 |
6950628 | Meier et al. | Sep 2005 | B1 |
6957069 | Shah et al. | Oct 2005 | B2 |
6957086 | Bahl et al. | Oct 2005 | B2 |
6961575 | Stanforth | Nov 2005 | B2 |
7251827 | Guo et al. | Jul 2007 | B1 |
7263076 | Leibovitz | Aug 2007 | B1 |
7296078 | Sanchez Herrero et al. | Nov 2007 | B2 |
7302229 | Riddles | Nov 2007 | B2 |
7568218 | Garg et al. | Jul 2009 | B2 |
7924780 | Waisman-Diamond | Apr 2011 | B2 |
7995993 | Waisman-Diamond | Aug 2011 | B1 |
8091116 | Kutt et al. | Jan 2012 | B2 |
8179840 | O'Neill | May 2012 | B2 |
8213934 | Tsirtsis et al. | Jul 2012 | B2 |
8266266 | Short et al. | Sep 2012 | B2 |
8319835 | Azuma et al. | Nov 2012 | B2 |
8332923 | Oba et al. | Dec 2012 | B2 |
20010053683 | Murayama et al. | Dec 2001 | A1 |
20020035617 | Lynch et al. | Mar 2002 | A1 |
20020075844 | Hagen | Jun 2002 | A1 |
20020138635 | Redlich et al. | Sep 2002 | A1 |
20030051041 | Kalavade et al. | Mar 2003 | A1 |
20040052223 | Karaoguz et al. | Mar 2004 | A1 |
20040122959 | Lortz | Jun 2004 | A1 |
20040133687 | Yamaguchi et al. | Jul 2004 | A1 |
20040141617 | Volpano | Jul 2004 | A1 |
20050021781 | Sunder et al. | Jan 2005 | A1 |
20050050352 | Narayanaswami et al. | Mar 2005 | A1 |
20050096048 | Clare et al. | May 2005 | A1 |
20050177515 | Kalavade et al. | Aug 2005 | A1 |
20050204037 | Levy | Sep 2005 | A1 |
20050220106 | Raverdy et al. | Oct 2005 | A1 |
20050223086 | Raverdy et al. | Oct 2005 | A1 |
20050232242 | Karaoguz et al. | Oct 2005 | A1 |
20050232283 | Moyer et al. | Oct 2005 | A1 |
20050233740 | Jiang | Oct 2005 | A1 |
20050250448 | Knauerhase et al. | Nov 2005 | A1 |
20050260972 | Karaoguz et al. | Nov 2005 | A1 |
20060041931 | Boxall et al. | Feb 2006 | A1 |
20060223527 | Lee et al. | Oct 2006 | A1 |
20060239254 | Short et al. | Oct 2006 | A1 |
20070008885 | Bonner | Jan 2007 | A1 |
20070087756 | Hoffberg | Apr 2007 | A1 |
20070094401 | Gagne et al. | Apr 2007 | A1 |
20070226320 | Hager et al. | Sep 2007 | A1 |
20070254624 | Le Creff et al. | Nov 2007 | A1 |
20080059445 | De Bellis | Mar 2008 | A1 |
20090172798 | Upp | Jul 2009 | A1 |
20090279492 | Montemurro et al. | Nov 2009 | A1 |
20100017525 | Albert et al. | Jan 2010 | A1 |
20100106572 | van Hoff et al. | Apr 2010 | A1 |
20100235895 | Grassley et al. | Sep 2010 | A1 |
20100263022 | Wynn et al. | Oct 2010 | A1 |
20110047603 | Gordon et al. | Feb 2011 | A1 |
20110088003 | Swink et al. | Apr 2011 | A1 |
20110154454 | Frelechoux | Jun 2011 | A1 |
20110255459 | Gupta et al. | Oct 2011 | A1 |
20120054840 | Gupta et al. | Mar 2012 | A1 |
20120149334 | Zhang et al. | Jun 2012 | A1 |
20120158979 | Lee et al. | Jun 2012 | A1 |
Number | Date | Country |
---|---|---|
101399671 | Apr 2009 | CN |
1 104 133 | May 2001 | EP |
1 241 903 | Sep 2002 | EP |
1 357 720 | Oct 2003 | EP |
1 411 676 | Apr 2004 | EP |
1 550 264 | Jul 2005 | EP |
1 643 719 | Apr 2006 | EP |
2 051 473 | Apr 2009 | EP |
2440193 | Jan 2008 | GB |
2007-049503 | Feb 2007 | JP |
2007-281919 | Oct 2007 | JP |
WO 03047294 | Jun 2003 | WO |
WO 2007093216 | Aug 2007 | WO |
WO 2008040697 | Apr 2008 | WO |
WO 2009114976 | Sep 2009 | WO |
WO 2010019084 | Feb 2010 | WO |
WO 2012119450 | Sep 2012 | WO |
Entry |
---|
International Search Report and Written Opinion dated Feb. 1, 2013. |
A. Perez-Mendez et al. “GSS-EAP pre-authentication for Kerberos.” ABFAB, Mar. 2012, Accessed Oct. 10, 2013, <http://tools.ietf.org/pdf/draft-perez-abfab-eap-gss-preauth-01.pdf>. |
HighBeam Research, “Locals Surf Wi-Fi Wave: Businesses Give Away Web Access to Entice Paying Customers”, HighBeam Research, copyright 2005, 4 pages. |
http://www.pbs.org/newshour/bb/cyberspace/July-dec05/philadelphia_11-22.html, 6 pages. Nov. 22, 2005. |
http://www.bwianews.com/, 27 pages. Dec. 1, 2005. |
http://www.cnn.com/2003/TECH/internet/12/11/sprj.ws.Wi-Fi.city.ap/, 2 pages. |
“Air Marshal version 2.0—Captive Portal System—Wireless Hotspots Wired Networks Device Authentication.” IEA Software, Inc. Feb. 13, 2013. <http://www.iea-software.com/products/airmarshall.cfm>. |
“Air Marshal—Authentication Gateway Version 2.0.40 Users Guide”, IEA Software, Inc. |
“Cellular Data Offload and Extending Wi-Fi Coverage with Devicescape Easy WiFi Case Study”, Devicescape Software, Inc., Oct. 2010. |
Notice of Reasons for Rejection dated Jun. 5 2012 in corresponding Japanese Patent Application No. 2011-102216 (with English language translation). |
International Search Report and Written Opinion dated Mar. 6, 2012 in corresponding International Application No. PCT/EP2011/074318. |
Number | Date | Country |
---|---|---|
20120204241 A1 | Aug 2012 | US |
Number | Date | Country |
---|---|---|
61428620 | Dec 2010 | US |
61559460 | Nov 2011 | US |