AN ARRANGEMENT AND A METHOD FOR DIRECTING GEOGRAPHICALLY DISPERSED UNITS
The present invention concerns, according to a first aspect, an arrangement for a wired communication system for directing geographically dispersed units to the correct resource on a service platform.
The present invention concerns, according to a second aspect, a method for a wired communication system for directing by means of an arrangement geographically dispersed units to the correct resource on a service platform.
The present invention concerns, according to a third aspect, at least one computer software product for directing geographically dispersed units to the correct resource on a service platform.
Background of the Invention
A problem of verification arises when different units attempt to gain access to a group server. A secure method for identifying these units is required, and a method of guiding the authorised units to the service platform on the group server to which they have access.
A user or a unit must currently log in in order to communicate with the group server. The user or unit making the request for access must have a public IP address.
Until now, virtual subnetworks have been used to verify units in the home. This technology is based upon each home possessing one subnetwork, from which the units in the home obtain their addresses. This subnetwork is subsequently connected to a VLAN (a virtual local network) and identification of the units in the home can be carried out using the identification that the VLAN has. This results in only authorised units having access to their allocated sections of the group server. A serious disadvantage of this solution is that this means of verification involves a direct dependence on the network structure being constructed in this way.
The document WO-01/31843-A2 describes a connection method with authentication and access control together with the management of debiting/accounting. The user or unit that seeks to be connected is termed "the source" in the document. Several attributes are used in order to identify the source, such as MAC address, user name, userid, password, VLAN-tag and location. If a user has been identified as a source, different users can have different authorisations, even though they use the same computer. If a computer has been identified as a source, authorisation that is associated with the MAC address is given. Authentication and access control of the source are carried out with the aid of "source profiles" that are stored in a database in a gateway. The source profile also contains information about an account. Once a source has passed authentication and access control, redirection to a special portal page may be carried out.
The document WO-A2-01/31886 is related to the document WO-A2-01/31843 and describes redirection to a special portal page based on a number of attributes. The connection procedure with authentication and access control is managed by a gateway.
The document WO-A2-01/31808 is related to the documents described above and demonstrates identification based on location or MAC address.
The document WO-A1-01/76294 demonstrates a method and a system for creating individual service platforms. A service platform is created for each so-called "client structure" that has at least one user. One user can be connected to several client structures. The user can give varying authorisation to his or her own client structure to other users. A local gateway detects the installation of a local node and informs the access supplier, which presents different services for the new node. Local nodes can, for example, communicate using LonWorks.
The document US-6,075,776 describes a control system for VLANs. A "VLAN management server" and a "remote access server" are connected to a VLAN. Both of these have a table that indicates the location of terminals. The table makes it possible for the terminals to connect to the home network, independently of the particular network in which they are located. The terminals are identified by their MAC address.
None of the solutions described above demonstrates a flexible solution to the problem of verifying platform access in a secure manner.
Summary of the Invention
It is an object of the present invention to solve the problems described above. According to the invention, according to a first aspect, an arrangement is achieved for a wired communication system in order to direct geographically dispersed units to the correct resource on a service platform. The arrangement comprises a group server and an IP access node connected to the group server to which said units are connected via the communication system. The IP access node comprises information about said units, which information is collected regularly by the server. The group server directs the unit to the correct service platform, arranged on the group server, based on a request for resources received from the unit and based on said information. A very flexible solution to the problem of verifying platform access in a secure manner is achieved by this arrangement.
According to a second embodiment of the present invention, an arrangement is achieved for a wired communication system for the direction of geographically dispersed units to the correct resource on a service platform. The arrangement comprises an IP access node, which is connected via the communication system to said units, and a group server that is included in the IP access node. The IP access node comprises information about said units, which information is collected regularly by the group server. The group server directs the unit to the correct service platform arranged on said group server based on a request for resources received from the unit and based on said information. A very flexible solution to the problem of verifying platform access in a secure manner is achieved by this arrangement.
One advantage is achieved in this context if the group server comprises a server comprising said service platforms, and a device connected to the server that manages the requests for resources received from the units.
One advantage is achieved in this context if the arrangement further comprises a memory in which said information is stored in the form of tables.
One advantage is achieved in this context if the tables comprise information about which combination of VLAN/IP number, MAC address/IP number and user account/IP number has access to which platform.
One advantage is achieved in this context if the units are constituted by terminals, users or equipment, or by a combination of these.
One advantage is achieved in this context if said information is regularly synchronised between the group server and the IP access node.
One advantage is achieved in this context if the IP access node comprises an authorisation system in order to determine whether a unit is authorised, and a router that is connected to the authorisation system.
One advantage is achieved in this context if the authorisation system comprises an AAA server connected to the said router and a database, connected to the AAA server, comprising the identities of the units.
One advantage is achieved in this context if the IP access node furthermore comprises a policy server connected to the database and to said router, which policy server configures said router in accordance with the policy for a specified account.
According to the present invention, according to a second aspect, a method is achieved for a wired communication system in order to direct, by means of an arrangement, geographically dispersed units to the correct resource on a service platform. The method comprises the following steps:
- the reception by a unit of an IP token address, when the unit is connected,
- the presentation of an account and a password related to the unit,
- the decision whether the unit is authorised,
- the regular collection by a group server that is part of the arrangement of information about the units from an IP access node that is connected to the said units via the communication system,
- the reception by the group server of a request for resources from the unit, and
- the direction by the group server, based on the request for resources and based on the said information, of the unit to the correct service platform arranged on the group server. A very flexible solution to the problem of verifying platform access in a secure manner is achieved by this method.
One advantage is achieved in this context if the step of presenting an account and a password related to the unit is carried out through the IP access node automatically identifying and authorising the unit when it is connected through the identity of the unit having been recorded in a database that is part of the IP access node.
According to a second embodiment, an advantage is achieved if the step of presenting an account and a password related to the unit is carried out through the input of the said account and password by the user of the unit.
One advantage is achieved in this context if the said information is stored in the form of tables in a memory that is part of the arrangement.
One advantage is achieved in this context if the tables comprise information about which combination of VLAN/IP number, MAC address/IP number and user account/IP number has access to which platform.
One advantage is achieved in this context if the method furthermore comprises the step:
- reception by the unit of a usable IP address.
One advantage is achieved in this context if the units are constituted by terminals, users or equipment, or by a combination of these.
One advantage is achieved in this context if the method furthermore comprises the step:
- regular synchronisation of the said information between the group server and the IP access node.
One advantage is achieved in this context if the IP access node comprises a router and a policy server connected to the said router, whereby the method furthermore comprises the step:
- the configuration by the policy server of the said router according to the policy for the specified account.
According to the present invention, according to a third aspect, at least one computer software product is achieved that can be directly loaded into the internal memory of at least one digital computer. The computer software product or products comprise or comprises sections of program code for carrying out the steps according to the method when at least one of the said products is run on at least one said computer. A very flexible solution to the problem of verifying platform access in a secure manner is achieved by this at least one computer software product.
It should be pointed out that where the terms "comprises"/"comprising" are used in this application, they are to be understood to specify the presence of the said features, steps or components, but they do not exclude the presence of one or more other features, steps, components, or groups of these.
Embodiments of the invention will now be described with reference to the attached drawings, where:
Brief Description of the Drawings
Figure 1 is a block diagram that shows a first embodiment of the arrangement according to the present invention,
Figure 2 shows a logical description of the architecture comprising the arrangement shown in Figure 1,
Figure 3 shows a more detailed diagram of the network architecture shown in Figure 2,
Figure 4 shows a flow chart of a method in a wired communication system for directing, by means of an arrangement, geographically dispersed units to the correct resource on a service platform according to the present invention, and
Figure 5 shows a schematic diagram of some computer software products according to the present invention.
Detailed Description of Embodiments
Figure 1 shows a block diagram of a first embodiment of an arrangement (10) according to the present invention. As Figure 1 makes clear, the arrangement (10) connects to n geographically dispersed units (14₁, ..., 14n) via a wired communication system (12). The wired communication system (12) is shown only schematically in Figure 1. The arrangement (10) comprises a group server (16) and an IP access node (18) connected to the group server (16) through which the communication system (12) is connected to the said units (14₁, ..., 14n). The various units (14₁, ..., 14n) can, for example, be located in different apartments with different households. The IP access node (18) comprises information about the said units (14₁, ..., 14n), which information is regularly collected by the group server (16). When the group server (16) receives a request for resources from a unit 14x, where 1 < x < n, it directs the unit 14x to the correct service platform arranged on the group server (16) based on the request for resources and based on the said information. In another embodiment (not shown in the drawing) of the arrangement (10) the group server (16) is part of the IP access node (18). This arrangement (10) functions otherwise in the same manner as the arrangement (10) shown in Figure 1. As Figure 1 also makes clear, the group server (16) comprises a server (22) comprising said service platforms, and a device (20) connected to the server (22) that manages the requests for resources received from the units (14₁, ..., 14n).
The block diagram shown in Figure 1 really concerns mainly the logical architecture. The household, for example, is not connected to the IP access node (18) by a separate cable in the physical architecture. However, Figure 1 does show how the household will experience the situation. This is also true of the three different cables that connect the IP access node (18) to the group server (16). These are three different cables from the point of view of the household, but only one cable in the physical architecture.
The IP access node (18) consists of an authorisation system and a router (see also Figure 2). All information about the households (VLAN), users (ACCOUNT), units (MAC addresses) and IP addresses is located here.
Table 1 gives an example of the information that is stored in the IP access node (18). There are four different accounts in this table, each of them having a different IP address, MAC address and VLAN character string.
Table 1.
Table 1 shows, for example, that a user from VLAN 1 (unit 14₁) has logged on to the account Stefan@mandeln. The unit that the user has logged in on (probably his or her PC) has the MAC address 00-A0-C9-E8-5F-64, and it was given the following IP address: 131.131.131.10.
When the user desires access to any one of the platforms, he or she can choose to be identified by account/IP address, MAC address/IP address or by VLAN/IP address. This is achieved by choosing one of these three URLs (Uniform Resource Locators).
www.myhome.telia.com <--> 192.168.30.31 (account/IP address)
www.myportal.telia.com <--> 192.168.30.32 (MAC address/IP address)
www.mydevice.telia.com <--> 192.168.30.33 (VLAN/IP address)
If the user types "www.myhome.telia.com" into his or her web browser, this request will then be sent to the IP address 192.168.30.31. This means that this request will be identified against the table "Account/IP address". The server (22) in the group server (16) will identify all incoming requests on the IP address 192.168.30.31 using the table "Account/IP address".
If the user chooses 192.168.30.32, this request will be mapped against the table "MAC address/IP address". The final choice "www.mydevice.telia.com" will be executed against the table: "VLAN/IP address".
The architecture shown in Figure 1 is not exclusively for use in apartments, and a house or a shop is also possible. Each apartment has been assigned a unique VLAN number. This number is used to verify from which of the apartments the traffic is generated. It is also used to label traffic that will be sent to a particular household.
All accounts will each receive their IP address from the same subnet, which in Figure 1 is 131.131.131.10-200.
The different direction tables are described below.
Account/IP address
This table will be used if the requests are sent to the IP number 192.168.30.31. The different "User Accounts" and "Directed to Platform IP"s will be configured statically. It is only the IP address for this account that will be dynamic, since users will not receive the same IP address when they log in.
Table 2.
Table 2 shows an example of the table "Account/IP address". The user account Stefan@mandeln with IP address 131.131.131.10 will, in this case, be directed to the platform 192.168.10.1.
Unit/IP address
This table will be used if the requests are sent to the IP number 192.168.30.32. The different "MAC addresses" and "Directed to Platform IP"s will be static. It is only the "IP address" that will be dynamic, since users will not always receive the same IP address when they log in.
Table 3.
Table 3 shows that the MAC address 00-A0-C9-E8-5F-64 and the IP address 131.131.131.10 will be directed to the platform of apartment 1 (unit 14₁).
Household/IP address
This table will be used if the requests are sent to the IP number 192.168.30.33. Everything in this table will be statically configured, since it has been predetermined which platform a household and its subnet are allowed to access. As long as the request arrives with the correct VLAN character string and source IP, direction of this request is possible within this VLAN.
Table 4.
Table 4 shows that only VLAN1 will be directed to the platform for apartment 1.
Several platforms have been installed on the group server (16). Each one of these platforms has only one owner. There are three households in this example, and one of these households has two accounts. The two other households have only one account each.
The following platforms have been configured on the group server (16), see Table 5.
Table 5.
A domain name server (DNS) is located in the IP access node (18), see Figure 2, that will translate a name to an IP address and vice versa. This will make it possible for users to use names instead of IP numbers when they select the identification of their requests.
www.myhome.telia.com <--> 192.168.30.31
www.myportal.telia.com <--> 192.168.30.32
www.mydevice.telia.com <--> 192.168.30.33
Some illustrative examples are given below:
Apartment 1 User: Stefan
Account: Stefan@mandeln
MAC address of the PC: 00-A0-C9-E8-5F-64
VLAN: 1
IP address: 131.131.131.10
Apartment 2 User: Niclas
Account: Niclas@mandeln
MAC address of the PC: 00-A0-C9-E8-5F-65
VLAN: 2
IP address: 131.131.131.20
The installed platforms are shown in Table 5. Each user has access to his or her own home, his or her personal area and the common area.
Example 1: PC logging in from the home.
User Stefan logs into the account Stefan@mandeln and his PC receives the IP address 131.131.131.10.
He desires access to his apartment platform and thus he uses the URL: http://myhome.telia.com in his web browser. The router in the IP access node (18) will send this request to the server (22) in the group server (16), where the request will be checked against the table "VLAN/IP address". This table (Table 4) will direct the request to the platform of apartment 1, since this request is labelled with VLAN ID 1 and it has the IP address 131.131.131.10.
Example 2: PC logging in from the home.
User Stefan logs into the account Stefan@mandeln and his PC receives the IP address 131.131.131.10.
He desires access to his unit platform and thus he uses the URL: http://mydevice.telia.com in his web browser. The router in the IP access node (18) will send this request to the server (22) in the group server (16), where the request will be checked against the table "Unit/IP address". This table (Table 3) will direct the request to the platform of 00-A0-C9-E8-5F-64, since this request has this MAC address and it has the IP address 131.131.131.10.
Example 3: PC logging in from the home.
User Niclas logs into the account Niclas@mandeln and his PC receives the IP address 131.131.131.20.
He desires access to the platform of his account and thus he uses the URL: http://myportal.telia.com in his web browser. The router in the IP access node (18) will send this request to the server (22) in the group server (16), where the request will be checked against the table "Account/IP address". This table (Table 2) will direct the request to Niclas' platform, since this request has the IP number 131.131.131.20.
The present invention uses information that is present in the IP access node (18). Examples of such information are given in Table 1. This information is used to create tables, whereby these tables will form the base for directing platform requests to the correct platform. The invention makes possible the following:
- a method for households to obtain access to the various platforms.
- a method for the operator to ensure that only authorised requests will be directed to a certain platform.
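The direction logic of the three tables (Account/IP address, Unit/IP address, Household/IP address) and the regular collection of unit information by the group server, written out as an added example; this is constructed model code, not code from the patent. The account names, MAC addresses, VLAN numbers, dispatch addresses and the platform address 192.168.10.1 are the description's values; the class names, the other platform addresses and the allowed subnet 131.131.131.0/24 are assumptions. The example also shows why the regular collection matters: after a unit logs out and its address is handed to another unit, the dynamic IP column of the tables directs that address to the old owner's platform until the next synchronisation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Dispatch addresses of the server (22) and the direction table each one selects.
DISPATCH_TABLE = {
    "192.168.30.31": "account",  # www.myhome.telia.com   (account/IP address)
    "192.168.30.32": "mac",      # www.myportal.telia.com (MAC address/IP address)
    "192.168.30.33": "vlan",     # www.mydevice.telia.com (VLAN/IP address)
}


@dataclass(frozen=True)
class Session:
    """One row of the information held in the IP access node (18), cf. Table 1."""
    account: str
    mac: str
    vlan: int
    ip: str


@dataclass(frozen=True)
class Request:
    """A request for resources as it reaches the server (22)."""
    dst_ip: str                 # the dispatch address the user chose
    src_ip: str                 # IP address the unit currently holds
    vlan: int                   # VLAN tag set by the IP access node
    mac: Optional[str] = None   # MAC address of the unit, if known


class IpAccessNode:
    """Holds the live sessions; only the IP column changes between logins."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, account: str, mac: str, vlan: int, ip: str) -> None:
        self.sessions[account] = Session(account, mac, vlan, ip)

    def logout(self, account: str) -> None:
        self.sessions.pop(account, None)


class GroupServer:
    """Static identity -> platform tables plus the dynamic IP column, which is
    rebuilt from the IP access node by every sync() (the regular collection)."""

    def __init__(self, node: IpAccessNode) -> None:
        self.node = node
        self.platform_of_account: Dict[str, str] = {}    # Table 2, static part
        self.platform_of_mac: Dict[str, str] = {}        # Table 3, static part
        self.household: Dict[int, Tuple[str, str]] = {}  # Table 4: VLAN -> (subnet, platform)
        self.account_of_ip: Dict[str, str] = {}          # Table 2, dynamic part
        self.ip_of_mac: Dict[str, str] = {}              # Table 3, dynamic part

    def sync(self) -> None:
        """Collect the unit information from the IP access node (block 78)."""
        sessions = self.node.sessions.values()
        self.account_of_ip = {s.ip: s.account for s in sessions}
        self.ip_of_mac = {s.mac: s.ip for s in sessions}

    def direct(self, req: Request) -> Optional[str]:
        """Platform IP the request is directed to, or None when no row matches
        (the request is then not passed on to any platform)."""
        table = DISPATCH_TABLE.get(req.dst_ip)
        if table == "account":                           # identified by account/IP
            account = self.account_of_ip.get(req.src_ip)
            return self.platform_of_account.get(account) if account else None
        if table == "mac":                               # identified by MAC/IP
            if req.mac is None or self.ip_of_mac.get(req.mac) != req.src_ip:
                return None
            return self.platform_of_mac.get(req.mac)
        if table == "vlan":                              # identified by VLAN/IP
            entry = self.household.get(req.vlan)
            if entry is None:
                return None
            subnet, platform = entry
            return platform if ip_address(req.src_ip) in ip_network(subnet) else None
        return None                                      # not a dispatch address


def build_example() -> Tuple[IpAccessNode, GroupServer]:
    """Constructed set-up with the two apartments of the description logged in."""
    node = IpAccessNode()
    node.login("Stefan@mandeln", "00-A0-C9-E8-5F-64", 1, "131.131.131.10")
    node.login("Niclas@mandeln", "00-A0-C9-E8-5F-65", 2, "131.131.131.20")
    gs = GroupServer(node)
    gs.platform_of_account["Stefan@mandeln"] = "192.168.10.1"   # value from Table 2
    gs.platform_of_account["Niclas@mandeln"] = "192.168.10.2"   # assumed address
    gs.platform_of_mac["00-A0-C9-E8-5F-64"] = "192.168.10.11"   # assumed: apartment 1 platform
    gs.platform_of_mac["00-A0-C9-E8-5F-65"] = "192.168.10.12"   # assumed: apartment 2 platform
    gs.household[1] = ("131.131.131.0/24", "192.168.10.11")     # assumed subnet; VLAN 1 -> apartment 1
    gs.household[2] = ("131.131.131.0/24", "192.168.10.12")     # VLAN 2 -> apartment 2
    gs.sync()
    return node, gs
```

The MAC table only directs a request when both the MAC address and the current IP address match the collected row, and the household table only when the VLAN tag set by the IP access node and the source address agree with the static configuration, so a request that carries the right address but the wrong tag, or an unknown MAC address, is not forwarded to any platform.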
Figure 2 shows a logical description of the architecture of the arrangement (10) shown in Figure 1. Similar components in Figure 1 and in Figure 2 have been given the same reference numbers. Figure 2 makes it clear that the IP access node (18) comprises an authorisation system in order to determine whether a unit 14₁, ..., 14n is authorised, and a router (24) connected to the authorisation system. The authorisation system comprises an AAA server (26) connected to the said router (24), and a database (28), comprising the identities of the units 14₁, ..., 14n, connected to the AAA server (26). ("AAA" is an abbreviation of "Authentication, Authorisation and Accounting services", a system used by a service provider to manage these functions related to customers.) The IP access node (18) further comprises a policy server (30) that is connected to the database (28) and the said router (24) and that configures said router (24) in accordance with a policy for the specified account. An important fact that it is worth pointing out here is that a VLAN is used to prevent unauthorised communication between households. In Figure 2 it is a local network, a LAN (Ethernet), serving a block of flats and two houses connected with ADSL.
Figure 3 shows a more detailed diagram of the network architecture shown in Figure 2. This drawing has been provided with the same reference numbers as those in Figure 2 for the same components. The reader is referred otherwise to the descriptions of Figure 1 and Figure 2, since the functions shown in Figure 4 are the same.
Figure 4 shows a flow diagram for a method in a wired communication system in order to direct, by means of an arrangement (see, for example, Figure 1), geographically dispersed units to the correct resource on a service platform according to the present invention. The method commences at block (70). The method then continues, at block (72), with the step: the reception of a token IP address by the unit 14x, where 1 < x < n, when it is connected. The method then continues, at block (74), with the step: the presentation of an account and a password related to the unit 14x. The method then continues, at block (76), with the question: "Is the unit 14x authorised?". The unit 14x is denied access to the platforms if the answer to this question is negative, and the steps according to the blocks (72)-(76) may be repeated for a fresh attempt. The method continues, on the other hand, if the answer is positive, with the block (78) with the step: the regular collection by a group server (16) that is part of the arrangement (10) of information concerning the units (14₁, ..., 14n) from an IP access node (18) that is connected via the communication system (12) to the units 14₁, ..., 14n. The method then continues, at block (80), with the step: the reception by the group server (16) of a request for resources from a unit 14x. The method then continues, at block (82), with the step: the direction by the group server (16), based on the request for resources and based on said information, of the unit 14x to the correct service platform arranged on the group server (16). The method is then terminated at block (84).
According to one embodiment, the step of presenting a password related to the unit 14x is carried out through the IP access node (18) automatically identifying and authorising the unit 14x when it is connected, the identities of the units 14₁, ..., 14n having been recorded in a database (28) that is part of the IP access node (18). This can be used when there are no persons in the vicinity and the unit, for example an IP telephone adapter, cannot itself carry out the authorisation process.
If a person is available, this process takes place through a user of the unit 14x inputting said account and said password.
According to one preferred embodiment, the method also comprises the step: the reception by the unit 14x of a usable IP address. According to one preferred embodiment, the method also comprises the step: the regular synchronisation of the information between the group server (16) and the IP access node (18).
According to one preferred embodiment, the IP access node (18) comprises a router (24) and a policy server (30) connected to the said router (24), whereby the method also comprises the step: the configuration by the policy server (30) of said router (24) in accordance with the policy for the specified account.
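The connection steps of Figure 4 as carried out by the IP access node, blocks (72) to (76) together with the usable-address step and the policy server configuring the router, written out as an added example; this is constructed model code, not code from the patent. The MAC address and account of apartment 1 and the address range 131.131.131.10-200 are the description's values; the token address range, the salted PBKDF2 password storage in the AAA server, the policy names, the IP telephone adapter's MAC address and all class and method names are assumptions. It shows both ways of presenting the identity: a unit whose MAC address is recorded in the database is authorised without a person present, while any other unit needs an account and password.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_POOL = [f"10.0.0.{i}" for i in range(2, 254)]          # assumed token address range
USABLE_POOL = [f"131.131.131.{i}" for i in range(10, 201)]   # 131.131.131.10-200 of Figure 1


def _digest(password: str, salt: str) -> str:
    """Assumed credential storage in the AAA server: salted PBKDF2, not clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


@dataclass
class Unit:
    mac: str
    token_ip: Optional[str] = None   # block (72): only good for logging in
    account: Optional[str] = None
    ip: Optional[str] = None         # usable address, set once authorised


class IpAccessNode:
    """Authorisation system (AAA server (26) and database (28)), policy server (30)
    and router (24), reduced to the state each one keeps in this model."""

    def __init__(self) -> None:
        self.database: Dict[str, str] = {}          # (28): MAC -> account of recorded units
        self.aaa: Dict[str, Tuple[str, str]] = {}   # (26): account -> (salt, digest)
        self.policies: Dict[str, str] = {}          # (30): account -> policy name
        self.router: Dict[str, str] = {}            # (24): usable IP -> policy in force
        self.units: List[Unit] = []                 # authorised units, i.e. the live sessions
        self._tokens = iter(TOKEN_POOL)
        self._usable = iter(USABLE_POOL)

    def register_account(self, account: str, password: str, policy: str = "default") -> None:
        salt = secrets.token_hex(8)
        self.aaa[account] = (salt, _digest(password, salt))
        self.policies[account] = policy

    def register_unit(self, mac: str, account: str) -> None:
        """Record a unit identity so it is authorised with no person present."""
        self.database[mac] = account

    def connect(self, mac: str) -> Unit:
        """Block (72): the unit receives a token IP address when connected."""
        return Unit(mac=mac, token_ip=next(self._tokens))

    def present(self, unit: Unit, account: Optional[str] = None,
                password: Optional[str] = None) -> bool:
        """Blocks (74)-(76): present the identity and decide whether it is authorised.
        With no credentials the unit must be recorded in the database under its MAC
        address; otherwise the AAA server checks account and password. On success
        the unit receives a usable IP address and the policy server configures the
        router for the account's policy. On failure nothing changes, so the caller
        may repeat the attempt."""
        if account is None:
            account = self.database.get(unit.mac)
            if account is None:
                return False
        else:
            record = self.aaa.get(account)
            if record is None or password is None:
                return False
            salt, digest = record
            if not hmac.compare_digest(_digest(password, salt), digest):
                return False
        unit.account = account
        unit.ip = next(self._usable)                                   # usable IP address
        self.router[unit.ip] = self.policies.get(account, "default")   # configured by (30)
        self.units.append(unit)
        return True

    def information(self) -> Dict[str, Tuple[str, str]]:
        """What the group server collects regularly: MAC -> (account, usable IP)."""
        return {u.mac: (u.account, u.ip) for u in self.units}
```

The unit keeps only its token address until `present()` succeeds, which is what keeps an unauthorised unit off the platforms: the direction tables of the group server are built from `information()`, and a unit that never obtained a usable address has no row there.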
Figure 5 shows a schematic diagram of some computer software products according to the present invention. Figure 5 shows n digital computers 100₁, ..., 100n, and n different computer software products 102₁, ..., 102n, that can be loaded directly into the internal memory of the said computers 100₁, ..., 100n. Each 102₁, ..., 102n comprises sections of software code for carrying out some or all of the steps according to Figure 4 when the product or products 102₁, ..., 102n is or are run on the computers 100₁, ..., 100n. The computer software products 102₁, ..., 102n can be in the form of, for example, diskettes, RAM disks, magnetic tape, optomagnetic disks, or some other suitable products.
The invention is not limited to the embodiments described above. It will be apparent that many different modifications are possible within the scope of the attached claims.