WO2003094441A1 - An arrangement and a method for directing geographically dispersed units - Google Patents


Info

Publication number
WO2003094441A1
Authority
WO
WIPO (PCT)
Prior art keywords
units
arrangement
communication system
service platform
direct
Prior art date
Application number
PCT/SE2003/000716
Other languages
French (fr)
Inventor
Nils-Göran MAGNUSSON
Niclas Klack
Stefan Johansson
Urban Modig
Original Assignee
Telia Ab (Publ)
Application filed by Telia Ab (Publ)
Priority to EP03723586A (EP1504568A1)
Priority to AU2003230515A1
Publication of WO2003094441A1
Priority to NO20044376L

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/0272 Virtual private networks (under H04L 63/00 Network architectures or network communication protocols for network security; H04L 63/02 ... for separating internal from external traffic, e.g. firewalls)
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] (under H04L 12/00 Data switching networks)
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L 12/46 Interconnection of networks)
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords (under H04L 63/08 ... for authentication of entities)

Definitions

  • Figure 1 is a block diagram that shows a first embodiment of the arrangement according to the present invention,
  • Figure 2 shows a logical description of the architecture comprising the arrangement shown in Figure 1,
  • Figure 3 shows a more detailed diagram of the network architecture shown in
  • Figure 4 shows a flow chart of a method in a wired communication system for directing, by means of an arrangement, geographically dispersed units to the correct resource on a service platform according to the present invention,
  • Figure 5 shows a schematic diagram of some computer software products according to the present invention.
  • Figure 1 shows a block diagram of a first embodiment of an arrangement (10) according to the present invention.
  • The arrangement (10) connects to n geographically dispersed units (14₁, ..., 14ₙ) via a wired communication system (12).
  • The wired communication system (12) is shown only schematically in Figure 1.
  • The arrangement (10) comprises a group server (16) and an IP access node (18) connected to the group server (16), through which the communication system (12) is connected to the said units (14₁, ..., 14ₙ).
  • The various units (14₁, ..., 14ₙ) can, for example, be located in different apartments with different households.
  • The IP access node (18) comprises information about the said units (14₁, ..., 14ₙ), which information is regularly collected by the group server (16).
  • When the group server (16) receives a request for resources from a unit 14ₓ, where 1 ≤ x ≤ n, it directs the unit 14ₓ to the correct service platform arranged on the group server (16) based on the request for resources and based on the said information.
  • In another embodiment (not shown in the drawing) of the arrangement (10), the group server (16) is part of the IP access node (18). This arrangement (10) otherwise functions in the same manner as the arrangement (10) shown in Figure 1.
  • The group server (16) comprises a server (22) comprising said service platforms, and a device (20) connected to the server (22) that manages the requests for resources received from the units (14₁, ..., 14ₙ).
  • The block diagram shown in Figure 1 mainly concerns the logical architecture.
  • The household, for example, is not connected to the IP access node (18) by a separate cable in the physical architecture.
  • Figure 1 does, however, show how the household will experience the situation. This is also true of the three different cables that connect the IP access node (18) to the group server (16): these are three different cables from the point of view of the household, but only one cable in the physical architecture.
  • The IP access node (18) consists of an authorisation system and a router (see also Figure 2). All information about the households (VLAN), users (ACCOUNT), units (MAC addresses) and IP addresses is located here.
  • Table 1 gives an example of the information that is stored in the IP access node (18). There are four different accounts in this table, each of them having a different IP address, MAC address and VLAN character string.
  • Table 1 shows, for example, that a user from VLAN 1 (unit 14₁) has logged on to the account Stefan@mandeln.
  • The unit on which the user has logged in (probably his or her PC) has the MAC address 00-A0-C9-E8-5F-64, and it was given the IP address 131.131.131.10.
  • This request will then be sent to the IP address 192.168.30.31, which means that it will be identified against the table "Account/IP address".
  • The server (22) in the group server (16) will identify all incoming requests on the IP address 192.168.30.31 using the table "Account/IP address".
  • The architecture shown in Figure 1 is not exclusively for use in apartments; a house or a shop is also possible. Each apartment has been assigned a unique VLAN number. This number is used to verify from which of the apartments the traffic is generated. It is also used to label traffic that will be sent to a particular household.
  • This table will be used if the requests are sent to the IP number 192.168.30.31.
  • The different "User Accounts" and "Directed to Platform IP"s will be configured statically. Only the IP address for the account will be dynamic, since users will not receive the same IP address when they log in.
  • Table 2 shows an example of the table "Account/IP address".
  • The user account Stefan@mandeln with IP address 131.131.131.10 will, in this case, be directed to the platform 192.168.10.1.
  • This table will be used if the requests are sent to the IP number 192.168.30.32.
  • The different "MAC addresses" and "Directed to Platform IP"s will be static. Only the "IP address" will be dynamic, since users will not always receive the same IP address when they log in.
  • Table 3 shows that the MAC address 00-A0-C9-E8-5F-64 with the IP address 131.131.131.10 will be directed to the platform of apartment 1 (unit 14₁).
  • This table will be used if the requests are sent to the IP number 192.168.30.33. Everything in this table will be statically configured, since it has been predetermined which platform a household and its subnet are allowed to access. As long as the request arrives with the correct VLAN character string and source IP, direction of this request within this VLAN is possible.
  • Table 4 shows that only VLAN1 will be directed to the platform for apartment 1.
  • A domain name server is located in the IP access node (18), see Figure 2, that will translate a name to an IP address and vice versa. This will make it possible for users to use names instead of IP numbers when they select the identification of their requests.
  • The installed platforms are shown in Table 5. Each user has access to his or her own home, his or her personal area and the common area.
  • Example 1: PC logging in from the home.
  • Example 2: PC logging in from the home.
  • Example 3: PC logging in from the home. User Niclas logs into the account Niclas@mandeln and his PC receives the IP address 131.131.131.20.
  • The present invention uses information that is present in the IP access node (18). Examples of such information are given in Table 1. This information is used to create tables, which form the basis for directing platform requests to the correct platform.
  • The invention makes possible the following:
  • Figure 2 shows a logical description of the architecture of the arrangement (10) shown in Figure 1. Similar components in Figure 1 and in Figure 2 have been given the same reference numbers.
  • The IP access node (18) comprises an authorisation system in order to determine whether a unit 14₁, ..., 14ₙ is authorised, and a router (24) connected to the authorisation system.
  • The authorisation system comprises an AAA server (26) connected to the said router (24), and a database (28), comprising the identities of the units 14₁, ..., 14ₙ, connected to the AAA server (26). ("AAA" is an abbreviation of "Authentication, Authorisation and Accounting services", a system used by a service provider to manage these functions related to customers.)
  • The IP access node (18) further comprises a policy server (30) that is connected to the database (28) and the said router (24) and that configures said router (24) in accordance with a policy for the specified account.
  • A VLAN is used to prevent unauthorised communication between households. In Figure 2 it is a local network, a LAN (Ethernet), to a block of flats and two houses connected with ADSL.
  • Figure 3 shows a more detailed diagram of the network architecture shown in
  • Figure 4 shows a flow diagram for a method in a wired communication system in order to direct, by means of an arrangement (see, for example, Figure 1), geographically dispersed units to the correct resource on a service platform according to the present invention.
  • The method commences at block (70).
  • The method then continues, at block (72), with the step: the reception of a token IP address by the unit 14ₓ, where 1 ≤ x ≤ n, when it is connected.
  • The method then continues, at block (74), with the step: the presentation of an account and a password related to the unit 14ₓ.
  • The method then continues, at block (76), with the question: "Is the unit 14ₓ authorised?"
  • If the answer to this question is negative, the unit 14ₓ is denied access to the platforms, and the steps according to blocks (72)-(76) may be repeated for a fresh attempt.
  • If the answer is positive, on the other hand, the method continues with block (78) with the step: the regular collection by a group server (16) that is part of the arrangement (10) of information concerning the units (14₁, ..., 14ₙ) from an IP access node (18) that is connected via the communication system (12) to the units 14₁, ..., 14ₙ.
  • The method then continues, at block (80), with the step: the reception by the group server (16) of a request for resources from a unit 14ₓ.
  • The method then continues, at block (82), with the step: the direction by the group server (16), based on the request for resources and based on said information, of the unit 14ₓ to the correct service platform arranged on the group server (16).
  • The method is then terminated at block (84).
  • The step of presenting a password related to the unit 14ₓ is carried out through the IP access node (18) automatically identifying and authorising the unit 14ₓ when it is connected, through the identities of the units 14₁, ..., 14ₙ having been recorded in a database (28) that is part of the IP access node (18).
  • This can be used when there are no persons in the vicinity and the unit, for example an IP telephone adapter, cannot itself carry out the authorisation process.
  • In another embodiment, this process takes place through a user of the unit 14ₓ inputting said account and said password.
  • The method also comprises the step: the reception by the unit 14ₓ of a usable IP address.
  • The method also comprises the step: the regular synchronisation of the information between the group server (16) and the IP access node (18).
  • The IP access node (18) comprises a router (24) and a policy server (30) connected to the said router (24), whereby the method also comprises the step: the configuration by the policy server (30) of said router (24) in accordance with the policy for the specified account.
  • Figure 5 shows a schematic diagram of some computer software products according to the present invention.
  • Figure 5 shows n digital computers 100₁, ..., 100ₙ, and n different computer software products 102₁, ..., 102ₙ, that can be loaded directly into the internal memory of the said computers 100₁, ..., 100ₙ.
  • Each of the products 102₁, ..., 102ₙ comprises sections of software code for carrying out some or all of the steps according to Figure 4 when the product or products 102₁, ..., 102ₙ is or are run on the computers 100₁, ..., 100ₙ.
  • The computer software products 102₁, ..., 102ₙ can be in the form of, for example, diskettes, RAM disks, magnetic tape, optomagnetic disks, or some other suitable products.

Abstract

The present invention concerns an arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, …, 14ₙ) to the correct resource on a service platform. The arrangement (10) comprises a group server (16) and an IP access node (18) connected to the group server (16) that is connected via the communication system (12) to the units (14₁, …, 14ₙ), whereby the IP access node (18) comprises information about the units (14₁, …, 14ₙ), which information is collected regularly by the group server (16), whereby the group server (16), based on a request for resources received from a unit (14ₓ), and based on the said information, directs the unit (14ₓ) to the correct service platform arranged on the group server (16).

Description

AN ARRANGEMENT AND A METHOD FOR DIRECTING GEOGRAPHICALLY DISPERSED UNITS
The present invention concerns, according to a first aspect, an arrangement for a wired communication system for directing geographically dispersed units to the correct resource on a service platform.
The present invention concerns, according to a second aspect, a method for a wired communication system for directing by means of an arrangement geographically dispersed units to the correct resource on a service platform.
The present invention concerns, according to a third aspect, at least one computer software product for directing geographically dispersed units to the correct resource on a service platform.
Background of the Invention
A problem of verification arises when different units attempt to gain access to a group server. A secure method for identifying these units is required, and a method of guiding the authorised units to the service platform on the group server to which they have access.
A user or a unit must currently log in in order to communicate with the group server. The user or unit making the request for access must have a public IP address.
Until now, virtual subnetworks have been used to verify units in the home. This technology is based upon each home possessing one subnetwork, from which the units in the home obtain their addresses. This subnetwork is subsequently connected to a VLAN (a virtual local network) and identification of the units in the home can be carried out using the identification that the VLAN has. This results in only authorised units having access to their allocated sections of the group server. A serious disadvantage of this solution is that this means of verification involves a direct dependence on the network structure being constructed in this way.
The document WO-01/31843-A2 describes a connection method with authentication and access control together with the management of debiting/accounting. The user or unit that seeks to be connected is termed "the source" in the document. Several attributes are used in order to identify the source, such as MAC address, user name, userid, password, VLAN-tag and location. If a user has been identified as a source, different users can have different authorisations, even though they use the same computer. If a computer has been identified as a source, authorisation that is associated with the MAC address is given. Authentication and access control of the source are carried out with the aid of "source profiles" that are stored in a database in a gateway. The source profile also contains information about an account. Once a source has passed authentication and access control, redirection to a special portal page may be carried out.
The document WO-A2-01/31886 is related to the document WO-A2-01/31843 and describes redirection to a special portal page based on a number of attributes. The connection procedure with authentication and access control is managed by a gateway.
The document WO-A2-01/31808 is related to the documents described above and demonstrates identification based on location or MAC address.
The document WO-A1-01/76294 demonstrates a method and a system for creating individual service platforms. A service platform is created for each so-called "client structure" that has at least one user. One user can be connected to several client structures. The user can give varying authorisation to his or her own client structure to other users. A local gateway detects the installation of a local node and informs the access supplier, which presents different services for the new node. Local nodes can, for example, communicate using LonWorks.
The document US-6,075,776 describes a control system for VLANs. A "VLAN management server" and a "remote access server" are connected to a VLAN. Both of these have a table that indicates the location of terminals. The table makes it possible for the terminals to connect to the home network, independently of the particular network in which they are located. The terminals are identified by their MAC address.
None of the solutions described above demonstrates a flexible solution to the problem of verifying platform access in a secure manner.
Summary of the Invention
It is an object of the present invention to solve the problems described above. According to the invention, according to a first aspect, an arrangement is achieved for a wired communication system in order to direct geographically dispersed units to the correct resource on a service platform. The arrangement comprises a group server and an IP access node connected to the group server to which said units are connected via the communication system. The IP access node comprises information about said units, which information is collected regularly by the server. The group server directs the unit to the correct service platform, arranged on the group server, based on a request for resources received from the unit and based on said information. A very flexible solution to the problem of verifying platform access in a secure manner is achieved by this arrangement.
According to a second embodiment of the present invention, an arrangement is achieved for a wired communication system for the direction of geographically dispersed units to the correct resource on a service platform. The arrangement comprises an IP access node, which is connected via the communication system to said units, and a group server that is included in the IP access node. The IP access node comprises information about said units, which information is collected regularly by the group server. The group server directs the unit to the correct service platform arranged on said group server based on a request for resources received from the unit and based on said information. A very flexible solution to the problem of verifying platform access in a secure manner is achieved by this arrangement.
One advantage is achieved in this context if the group server comprises a server comprising said service platforms, and a device connected to the server that manages the requests for resources received from the units.
One advantage is achieved in this context if the arrangement further comprises a memory in which said information is stored in the form of tables.
One advantage is achieved in this context if the tables comprise information about which combination of VLAN/IP number, MAC address/IP number and user account/IP number has access to which platform.
One advantage is achieved in this context if the units are constituted by terminals, users or equipment, or by a combination of these. One advantage is achieved in this context if said information is regularly synchronised between the group server and the IP access node.
One advantage is achieved in this context if the IP access node comprises an authorisation system in order to determine whether a unit is authorised, and a router that is connected to the authorisation system.
One advantage is achieved in this context if the authorisation system comprises an AAA server connected to the said router and a database, connected to the AAA server, comprising the identities of the units.
One advantage is achieved in this context if the IP access node furthermore comprises a policy server connected to the database and to said router, which policy server configures said router in accordance with the policy for a specified account.
According to the present invention, according to a second aspect, a method is achieved for a wired communication system in order to direct, by means of an arrangement, geographically dispersed units to the correct resource on a service platform. The method comprises the following steps:
- the reception by a unit of an IP token address, when the unit is connected,
- the presentation of an account and a password related to the unit,
- the decision whether the unit is authorised,
- the regular collection by a group server that is part of the arrangement of information about the units from an IP access node that is connected to the said units via the communication system,
- the reception by the group server of a request for resources from the unit, and
- the direction by the group server, based on the request for resources and based on the said information, of the unit to the correct service platform arranged on the group server.
A very flexible solution to the problem of verifying platform access in a secure manner is achieved by this method.
One advantage is achieved in this context if the step of presenting an account and a password related to the unit is carried out through the IP access node automatically identifying and authorising the unit when it is connected through the identity of the unit having been recorded in a database that is part of the IP access node.
According to a second embodiment, an advantage is achieved if the step of presenting an account and a password related to the unit is carried out through the input of the said account and password by the user of the unit.
One advantage is achieved in this context if the said information is stored in the form of tables in a memory that is part of the arrangement.
One advantage is achieved in this context if the tables comprise information about which combination of VLAN/IP number, MAC address/IP number and user account/IP number has access to which platform.
One advantage is achieved in this context if the method furthermore comprises the step:
- reception by the unit of a usable IP address.
One advantage is achieved in this context if the units are constituted by terminals, users or equipment, or by a combination of these.
One advantage is achieved in this context if the method furthermore comprises the step:
- regular synchronisation of the said information between the group server and the IP access node.
One advantage is achieved in this context if the IP access node comprises a router and a policy server connected to the said router, whereby the method furthermore comprises the step:
- the configuration by the policy server of the said router according to the policy for the specified account.
According to the present invention, according to a third aspect, at least one computer software product is achieved that can be directly loaded into the internal memory of at least one digital computer. The computer software product or products comprise or comprises sections of program code for carrying out the steps according to the method when at least one of the said products is run on at least one said computer. A very flexible solution to the problem of verifying platform access in a secure manner is achieved by this at least one computer software product.
It should be pointed out that where the terms "comprises"/"comprising" are used in this application, they are to be understood to specify the presence of the said features, steps or components, but they do not exclude the presence of one or more other features, steps, components, or groups of these.
Embodiments of the invention will now be described with reference to the attached drawings, where:
Brief Description of the Drawings
Figure 1 is a block diagram that shows a first embodiment of the arrangement according to the present invention,
Figure 2 shows a logical description of the architecture comprising the arrangement shown in Figure 1 ,
Figure 3 shows a more detailed diagram of the network architecture shown in Figure 2,
Figure 4 shows a flow chart of a method in a wired communication system for directing, by means of an arrangement, geographically dispersed units to the correct resource on a service platform according to the present invention, and
Figure 5 shows a schematic diagram of some computer software products according to the present invention.
Detailed Description of Embodiments
Figure 1 shows a block diagram of a first embodiment of an arrangement (10) according to the present invention. As Figure 1 makes clear, the arrangement (10) connects to n geographically dispersed units (14₁, ..., 14n) via a wired communication system (12). The wired communication system (12) is shown only schematically in Figure 1. The arrangement (10) comprises a group server (16) and an IP access node (18) connected to the group server (16), through which the communication system (12) is connected to the said units (14₁, ..., 14n). The various units (14₁, ..., 14n) can, for example, be located in different apartments with different households. The IP access node (18) comprises information about the said units (14₁, ..., 14n), which information is regularly collected by the group server (16). When the group server (16) receives a request for resources from a unit 14x, where 1 < x < n, it directs the unit 14x to the correct service platform arranged on the group server (16), based on the request for resources and based on the said information. In another embodiment (not shown in the drawing) of the arrangement (10) the group server (16) is part of the IP access node (18). This arrangement (10) functions otherwise in the same manner as the arrangement (10) shown in Figure 1. As Figure 1 also makes clear, the group server (16) comprises a server (22) comprising said service platforms, and a device (20) connected to the server (22) that manages the requests for resources received from the units (14₁, ..., 14n).
The block diagram shown in Figure 1 really concerns mainly the logical architecture. The household, for example, is not connected to the IP access node (18) by a separate cable in the physical architecture. However, Figure 1 does show how the household will experience the situation. This is also true of the three different cables that connect the IP access node (18) to the group server (16). These are three different cables from the point of view of the household, but only one cable in the physical architecture.
The IP access node (18) consists of an authorisation system and a router (see also Figure 2). All information about the households (VLAN), users (ACCOUNT), units (MAC addresses) and IP addresses is located here.
Table 1 gives an example of the information that is stored in the IP access node (18). There are four different accounts in this table, each of them having a different IP address, MAC address and VLAN character string.
Table 1.
Table 1 shows, for example, that a user from VLAN 1 (unit 14₁) has logged on to the account Stefan@mandeln. The unit that the user has logged in on (probably his or her PC) has the MAC address 00-A0-C9-E8-5F-64, and it was given the following IP address: 131.131.131.10.
When the user desires access to any one of the platforms, he or she can choose to be identified by account/IP address, MAC address/IP address or by VLAN/IP address. This is achieved by choosing one of these three URLs (Uniform Resource Locators).
www.myhome.telia.com <--> 192.168.30.31 (account/IP address)
www.myportal.telia.com <--> 192.168.30.32 (MAC address/IP address)
www.mydevice.telia.com <--> 192.168.30.33 (VLAN/IP address)
If the user types "www.myhome.telia.com" into his or her web browser, this request will then be sent to the IP address 192.168.30.31. This means that this request will be identified against the table "Account/IP address". The server (22) in the group server (16) will identify all incoming requests on the IP address 192.168.30.31 using the table "Account/IP address".
If the user chooses 192.168.30.32, this request will be mapped against the table "MAC address/IP address". The final choice "www.mydevice.telia.com" will be executed against the table: "VLAN/IP address".
The architecture shown in Figure 1 is not exclusively for use in apartments, and a house or a shop is also possible. Each apartment has been assigned a unique VLAN number. This number is used to verify from which of the apartments the traffic is generated. It is also used to label traffic that will be sent to a particular household.
All accounts will each receive their IP address from the same subnet, which in Figure 1 is 131.131.131.10-200.
The different direction tables are described below.
Account/IP address
This table will be used if the requests are sent to the IP number 192.168.30.31. The different "User Accounts" and "Directed to Platform IP"s will be configured statically. It is only the IP address for this account that will be dynamic, since users will not receive the same IP address when they log in.
Table 2.
Table 2 shows an example of the table "Account/IP address". The user account Stefan@mandeln with IP address 131.131.131.10 will, in this case, be directed to the platform 192.168.10.1.
Unit/IP address
This table will be used if the requests are sent to the IP number 192.168.30.32. The different "MAC addresses" and "Directed to Platform IP"s will be static. It is only the "IP address" that will be dynamic, since users will not always receive the same IP address when they log in.
Table 3.
Table 3 shows that the MAC address 00-A0-C9-E8-5F-64 and the IP address 131.131.131.10 will be directed to the platform of apartment 1 (unit 14₁).
Household/IP address
This table will be used if the requests are sent to the IP number 192.168.30.33. Everything in this table will be statically configured, since it has been predetermined which platform a household and its subnet are allowed to access. As long as the request arrives with the correct VLAN character string and source IP, direction of this request is possible within this VLAN.
Table 4.
Table 4 shows that only VLAN1 will be directed to the platform for apartment 1.
Several platforms have been installed on the group server (16). Each one of these platforms has only one owner. There are three households in this example, and one of these households has two accounts. The two other households have only one account each.
The following platforms have been configured on the group server (16), see Table 5.
Table 5.
A domain name server (DNS) is located in the IP access node (18), see Figure 2, that will translate a name to an IP address and vice versa. This will make it possible for users to use names instead of IP numbers when they select the identification of their requests.
www.myhome.telia.com <--> 192.168.30.31
www.myportal.telia.com <--> 192.168.30.32
www.mydevice.telia.com <--> 192.168.30.33
Some illustrative examples are given below:
Apartment 1
User: Stefan
Account: Stefan@mandeln
MAC address of the PC: 00-A0-C9-E8-5F-64
VLAN: 1
IP address: 131.131.131.10
Apartment 2
User: Niclas
Account: Niclas@mandeln
MAC address of the PC: 00-A0-C9-E8-5F-65
VLAN: 2
IP address: 131.131.131.20
The installed platforms are shown in Table 5. Each user has access to his or her own home, his or her personal area and the common area.
Example 1: PC logging in from the home.
User Stefan logs into the account Stefan@mandeln and his PC receives the IP address 131.131.131.10.
He desires access to his apartment platform and thus he uses the URL: http://myhome.telia.com in his web browser. The router in the IP access node (18) will send this request to the server (22) in the group server (16), where the request will be checked against the table "VLAN/IP address". This table (Table 4) will direct the request to the platform of apartment 1, since this request is labelled with VLAN ID 1 and it has the IP address 131.131.131.10.
Example 2: PC logging in from the home.
User Stefan logs into the account Stefan@mandeln and his PC receives the IP address 131.131.131.10.
He desires access to his unit platform and thus he uses the URL: http://mydevice.telia.com in his web browser. The router in the IP access node (18) will send this request to the server (22) in the group server (16), where the request will be checked against the table "Unit/IP address". This table (Table 3) will direct the request to the platform of 00-A0-C9-E8-5F-64, since this request has this MAC address and it has the IP address 131.131.131.10.
Example 3: PC logging in from the home.
User Niclas logs into the account Niclas@mandeln and his PC receives the IP address 131.131.131.20.
He desires access to the platform of his account and thus he uses the URL: http://myportal.telia.com in his web browser. The router in the IP access node (18) will send this request to the server (22) in the group server (16), where the request will be checked against the table "Account/IP address". This table (Table 2) will direct the request to Niclas' platform, since this request has the IP number 131.131.131.20.
The present invention uses information that is present in the IP access node (18). Examples of such information are given in Table 1. This information is used to create tables, whereby these tables will form the base for directing platform requests to the correct platform. The invention makes possible the following:
- a method for households to obtain access to the various platforms.
- a method for the operator to ensure that only authorised requests will be directed to a certain platform.
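Added example, not part of the patent: the three direction tables of the description and the lookup the server (22) performs on them, in Python. It follows the destination-address mapping of Tables 2 to 4 (192.168.30.31 for Account/IP, .32 for Unit/IP, .33 for Household/IP); the GroupServer class, the Request fields and every platform address except 192.168.10.1 are assumptions, and it also shows what happens to a request whose VLAN label does not match the row for its source IP, which the text covers only by saying the request must arrive with the correct VLAN character string.

```python
"""Direction tables of the group server, modelled on Tables 1 to 4 (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Destination addresses that select a direction table (from the description).
ACCOUNT_TABLE_IP = "192.168.30.31"    # Account/IP address table (Table 2)
UNIT_TABLE_IP = "192.168.30.32"       # Unit/IP address table, keyed on MAC (Table 3)
HOUSEHOLD_TABLE_IP = "192.168.30.33"  # Household/IP address table, keyed on VLAN (Table 4)


@dataclass(frozen=True)
class AccessRecord:
    """One row of the information held in the IP access node (Table 1)."""
    vlan: int
    account: str
    mac: str
    ip: str


@dataclass(frozen=True)
class Request:
    """A platform request as the server (22) sees it (assumed fields): the address
    it was sent to, the source address, the VLAN label added by the access
    network, and the source MAC address."""
    dst_ip: str
    src_ip: str
    vlan: int
    mac: str


class GroupServer:
    """Rebuilds Tables 2 to 4 from the collected Table 1 rows plus the static
    owner-to-platform configuration, and directs requests against them."""

    def __init__(self, account_platform: Dict[str, str],
                 mac_platform: Dict[str, str], vlan_platform: Dict[int, str]) -> None:
        # Static columns: which account / MAC address / VLAN owns which platform.
        self.account_platform = account_platform
        self.mac_platform = mac_platform
        self.vlan_platform = vlan_platform
        # Dynamic columns (the IP addresses), rebuilt at every collection.
        self.account_table: Dict[str, Tuple[str, str]] = {}    # ip -> (account, platform)
        self.unit_table: Dict[Tuple[str, str], str] = {}       # (mac, ip) -> platform
        self.household_table: Dict[Tuple[int, str], str] = {}  # (vlan, ip) -> platform

    def collect(self, records: Iterable[AccessRecord]) -> None:
        """The regular collection/synchronisation step. Only the IP address column
        changes between logins, so the tables are simply rebuilt from fresh rows."""
        self.account_table.clear()
        self.unit_table.clear()
        self.household_table.clear()
        for r in records:
            if r.account in self.account_platform:
                self.account_table[r.ip] = (r.account, self.account_platform[r.account])
            if r.mac in self.mac_platform:
                self.unit_table[(r.mac, r.ip)] = self.mac_platform[r.mac]
            if r.vlan in self.vlan_platform:
                self.household_table[(r.vlan, r.ip)] = self.vlan_platform[r.vlan]

    def direct(self, req: Request) -> Optional[str]:
        """Return the platform IP the request is directed to, or None when no row
        matches, i.e. the request is not authorised for any platform."""
        if req.dst_ip == ACCOUNT_TABLE_IP:
            entry = self.account_table.get(req.src_ip)
            return entry[1] if entry else None
        if req.dst_ip == UNIT_TABLE_IP:
            # MAC address and IP address must both belong to the same row.
            return self.unit_table.get((req.mac, req.src_ip))
        if req.dst_ip == HOUSEHOLD_TABLE_IP:
            # VLAN label and source IP must both belong to the same row, so a
            # request carrying another household's VLAN label is not directed.
            return self.household_table.get((req.vlan, req.src_ip))
        return None  # not one of the three direction addresses


# Constructed sample data following the illustrative examples in the description.
# Only 192.168.10.1 (Stefan@mandeln, Table 2) is from the text; the other platform
# addresses are placeholders, since Table 5 is an image in the original.
STATIC_ACCOUNT_PLATFORMS = {"Stefan@mandeln": "192.168.10.1",
                            "Niclas@mandeln": "192.168.10.2"}
STATIC_MAC_PLATFORMS = {"00-A0-C9-E8-5F-64": "192.168.20.1",
                        "00-A0-C9-E8-5F-65": "192.168.20.2"}
STATIC_VLAN_PLATFORMS = {1: "192.168.40.1", 2: "192.168.40.2"}
COLLECTED_RECORDS = [
    AccessRecord(1, "Stefan@mandeln", "00-A0-C9-E8-5F-64", "131.131.131.10"),
    AccessRecord(2, "Niclas@mandeln", "00-A0-C9-E8-5F-65", "131.131.131.20"),
]


def build_server() -> GroupServer:
    """A group server that has just collected the sample rows above."""
    srv = GroupServer(STATIC_ACCOUNT_PLATFORMS, STATIC_MAC_PLATFORMS, STATIC_VLAN_PLATFORMS)
    srv.collect(COLLECTED_RECORDS)
    return srv
```

Calling build_server().direct(Request(HOUSEHOLD_TABLE_IP, "131.131.131.10", 1, "00-A0-C9-E8-5F-64")) reproduces Example 1; the same request labelled VLAN 2 returns None.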
Figure 2 shows a logical description of the architecture of the arrangement (10) shown in Figure 1. Similar components in Figure 1 and in Figure 2 have been given the same reference numbers. Figure 2 makes it clear that the IP access node (18) comprises an authorisation system in order to determine whether a unit 14₁, ..., 14n is authorised, and a router (24) connected to the authorisation system. The authorisation system comprises an AAA server (26) ("AAA" is an abbreviation of "Authentication, Authorisation and Accounting services". This is a system used by a service provider to manage these functions related to customers.) connected to the said router (24), and a database (28), comprising the identities of the units 14₁, ..., 14n, connected to the AAA server (26). The IP access node (18) further comprises a policy server (30) that is connected to the database (28) and the said router (24) and that configures said router (24) in accordance with a policy for the specified account. An important fact that it is worth pointing out here is that a VLAN is used to prevent unauthorised communication between households. In Figure 2 it is a local network, a LAN (Ethernet), to a block of flats and two houses connected with ADSL.
Figure 3 shows a more detailed diagram of the network architecture shown in Figure 2. This drawing has been provided with the same reference numbers as those in Figure 2 for the same components. The reader is referred otherwise to the descriptions of Figure 1 and Figure 2, since the functions shown in Figure 4 are the same.
Figure 4 shows a flow diagram for a method in a wired communication system in order to direct, by means of an arrangement (see, for example, Figure 1), geographically dispersed units to the correct resource on a service platform according to the present invention. The method commences at block (70). The method then continues, at block (72), with the step: the reception of a token IP address by the unit 14x, where 1 < x < n, when it is connected. The method then continues, at block (74), with the step: the presentation of an account and a password related to the unit 14x. The method then continues, at block (76), with the question: "Is the unit 14x authorised?". The unit 14x is denied access to the platforms if the answer to this question is negative, and the steps according to the blocks (72)-(76) may be repeated for a fresh attempt. The method continues, on the other hand, if the answer is positive, with the block (78) with the step: the regular collection by a group server (16) that is part of the arrangement (10) of information concerning the units (14₁, ..., 14n) from an IP access node (18) that is connected via the communication system (12) to the units 14₁, ..., 14n. The method then continues, at block (80), with the step: the reception by the group server (16) of a request for resources from a unit 14x. The method then continues, at block (82), with the step: the direction by the group server (16), based on the request for resources and based on said information, of the unit 14x to the correct service platform arranged on the group server (16). The method is then terminated at block (84).
According to one embodiment, the step of presenting a password related to the unit 14x is carried out through the IP access node (18) automatically identifying and authorising the unit 14x when it is connected, through the recording of the identities of the units 14₁, ..., 14n in a database (28) that is part of the IP access node (18). This can be used when there are no persons in the vicinity and the unit, for example an IP telephone adapter, cannot itself achieve the authorisation process.
If a person is available, this process takes place through a user of the unit 14x inputting said account and said password.
According to one preferred embodiment, the method also comprises the step: the reception by the unit 14x of a usable IP address. According to one preferred embodiment, the method also comprises the step: the regular synchronisation of the information between the group server (16) and the IP access node (18).
According to one preferred embodiment, the IP access node (18) comprises a router (24) and a policy server (30) connected to the said router (24), whereby the method also comprises the step: the configuration by the policy server (30) of said router (24) in accordance with the policy for the specified account.
Figure 5 shows a schematic diagram of some computer software products according to the present invention. Figure 5 shows n digital computers 100₁, ..., 100n, and n different computer software products 102₁, ..., 102n, that can be loaded directly into the internal memory of the said computers 100₁, ..., 100n. Each of 102₁, ..., 102n comprises sections of software code for carrying out some or all of the steps according to Figure 4 when the product or products 102₁, ..., 102n is or are run on the computers 100₁, ..., 100n. The computer software products 102₁, ..., 102n can be in the form of, for example, diskettes, RAM disks, magnetic tape, optomagnetic disks, or some other suitable products.
The invention is not limited to the embodiments described above. It will be apparent that many different modifications are possible within the scope of the attached claims.

Claims

1. An arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform, characterised in that the arrangement (10) comprises a group server (16), an IP access node (18) connected to the group server (16) and that is connected via the communication system (12) to the said units (14₁, ..., 14n), whereby the IP access node (18) comprises information about the said units (14₁, ..., 14n), which information is collected regularly by the group server (16), whereby the group server (16), based on a request for resources received from a unit (14x), and based on the said information, directs the unit (14x) to the correct service platform, arranged on the said group server (16).
2. An arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform, characterised in that the arrangement (10) comprises an IP access node (18) that is connected via the communication system (12) to the said units (14₁, ..., 14n) and to a group server (16) that is part of the IP access node (18), whereby the IP access node (18) comprises information about the said units (14₁, ..., 14n), which information is collected regularly by the group server (16), whereby the group server (16) based on a request for resources received from a unit (14x), and based on the said information, directs the unit (14x) to the correct service platform arranged on the said group server (16).
3. An arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to claim 1 or 2, characterised in that the group server (16) comprises a server (22) comprising said service platforms and a device (20) connected to the server (22) that manages the requests for resources received from the units (14₁, ..., 14n).
4. An arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to any one of claims 1-3, characterised in that the arrangement (10) also comprises memory in which the said information is stored in tables.
5. An arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to claim 4, characterised in that the tables comprise information about which combination of VLAN/IP number and MAC address/IP number has access to which platform.
6. An arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to any one of claims 1-5, characterised in that the units (14₁, ..., 14n) are constituted by terminals, users or equipment, or by a combination of these.
7. An arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to any one of claims 1-6, characterised in that the said information is regularly synchronised between the group server (16) and the IP access node (18).
8. An arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to any one of claims 1-7, characterised in that the IP access node (18) comprises an authorisation system in order to determine whether a unit (14₁, ..., 14n) is authorised, and a router (24) connected to the authorisation system.
9. An arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to claim 8, characterised in that the authorisation system comprises an AAA server (26) connected to said router (24) and a database (28) comprising the identities of the units (14₁, ..., 14n), connected to the AAA server (26).
10. An arrangement (10) for a wired communication system (12) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to claim 9, characterised in that the IP access node (18) furthermore comprises a policy server (30) that is connected to the database (28) and to the said router (24), and that configures the said router (24) in accordance with a policy for the specified account.
11. A method for a wired communication system (12) in order, by means of an arrangement (10), to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform, which method comprises the steps:
- the reception by a unit (14x), where 1 < x < n, of an IP token address when the unit is connected;
- the presentation of an account and a password related to the unit (14x);
- the determination of whether the unit (14x) is authorised;
- the regular collection by a group server (16) that is part of the arrangement (10) of information about the units (14₁, ..., 14n) from an IP access node (18) that is connected to the said units (14₁, ..., 14n) via the communication system (12);
- the reception by the group server (16) of a request for resources from the unit (14x); and
- the direction by the group server (16), based on the request for resources and based on the said information, of the unit (14x) to the correct service platform arranged on the group server (16).
12. A method for a wired communication system (12) in order by means of an arrangement (10) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to claim 11, characterised in that the step of presenting an account and a password related to the unit (14x) is carried out by the IP access node (18) automatically identifying and authorising the unit (14x) when it is connected, through the recording of the identities of the units (14₁, ..., 14n) in a database (28) that is part of the IP access node (18).
13. A method for a wired communication system (12) in order by means of an arrangement (10) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to claim 11, characterised in that the step of presenting an account and a password related to the unit (14x) is carried out by the user inputting the said account and password.
14. A method for a wired communication system (12) in order by means of an arrangement (10) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to any one of claims 11-13, characterised in that the said information is stored in the form of tables in memory that is part of the arrangement (10).
15. A method for a wired communication system (12) in order by means of an arrangement (10) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to claim 14, characterised in that the tables comprise information about which combination of VLAN/IP number and MAC address/IP number has access to which platform.
16. A method for a wired communication system (12) in order by means of an arrangement (10) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to any one of claims 11-15, characterised in that the method also comprises the step:
- the reception by the unit (14x) of a usable IP address.
17. A method for a wired communication system (12) in order by means of an arrangement (10) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to any one of claims 11-16, characterised in that the units (14₁, ..., 14n) are constituted by terminals, users, equipment or a combination of these.
18. A method for a wired communication system (12) in order by means of an arrangement (10) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to any one of claims 11-17, characterised in that the method also comprises the step:
- the regular synchronisation of the said information between the group server (16) and the IP access node (18).
19. A method for a wired communication system (12) in order by means of an arrangement (10) to direct geographically dispersed units (14₁, ..., 14n) to the correct resource on a service platform according to any one of claims 11-18, characterised in that the IP access node (18) comprises a router (24) and a policy server (30) connected to said router (24), whereby the method also comprises the step:
- the configuration by the policy server (30) of said router (24) in accordance with the policy for the specified account.
20. At least one computer software product (102₁, ..., 102n) that can be directly loaded into the internal memory of at least one digital computer (100₁, ..., 100n) comprising sections of software code for carrying out the steps according to claim 11 when the said at least one products (102₁, ..., 102n) is/are run on said at least one computer (100₁, ..., 100n).
PCT/SE2003/000716 2002-05-06 2003-05-02 An arrangement and a method for directing geographically dispersed units WO2003094441A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP03723586A EP1504568A1 (en) 2002-05-06 2003-05-02 An arrangement and a method for directing geographically dispersed units
AU2003230515A AU2003230515A1 (en) 2002-05-06 2003-05-02 An arrangement and a method for directing geographically dispersed units
NO20044376A NO20044376L (en) 2002-05-06 2004-10-15 Device and method for managing geographically distributed units

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE0201362-1 2002-05-06
SE0201362A SE524173C2 (en) 2002-05-06 2002-05-06 Device and method for routing units to the correct resource on a service platform

Publications (1)

Publication Number Publication Date
WO2003094441A1 true WO2003094441A1 (en) 2003-11-13
