Controlling devices on an internal network from an external network

US 20050240758A1
Filed: 03/31/2004
Published: 10/27/2005
Est. Priority Date: 03/31/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for an intermediary selectively coupling an external network and an internal network to dynamically generate filter rules to facilitate establishing an end to end secure session connection between a first device on the internal network and a second device of the external network, the method comprising:

receiving a secure session establishment request by the second device on the external network to establish a secure communication session with the first device on the internal network;

forwarding the secure session establishment request to the first device;

monitoring the internal network for an approval or disapproval acknowledgement by the first device for the secure session establishment request; and

if an approval authentication acknowledgement is monitored, then configuring a first filter rule of the intermediary to allow communication between the first and second devices through the intermediary.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the invention are illustrated, discussed and claimed. In some embodiments, disclosed are techniques for facilitating a control point on an external network to interact with a UPnP device on an internal network to which access is blocked by a gateway, firewall or other such device. In particular, various embodiments disclose how the UPnP Security protocol may be utilized by such an external control point to allow the control point to remotely send actions to, query the state of, and/or otherwise securely access desired internal network UPnP devices.

Citations

37 Claims

1. A method for an intermediary selectively coupling an external network and an internal network to dynamically generate filter rules to facilitate establishing an end to end secure session connection between a first device on the internal network and a second device of the external network, the method comprising:
- receiving a secure session establishment request by the second device on the external network to establish a secure communication session with the first device on the internal network;
  
  forwarding the secure session establishment request to the first device;
  
  monitoring the internal network for an approval or disapproval acknowledgement by the first device for the secure session establishment request; and
  
  if an approval authentication acknowledgement is monitored, then configuring a first filter rule of the intermediary to allow communication between the first and second devices through the intermediary.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - determining a presence advertisement for the first device has been received before forwarding the secure session establishment request to the first device.
  - 3. The method of claim 2 wherein the presence advertisement is delivered in accordance with the UPnP Simple Service Discovery Protocol (SSDP).
  - 4. The method of claim 1, further comprising:
    - receiving network traffic from the second device corresponding to the second device requesting a UPnP Device Description Document from the first device.
  - 5. The method of claim 1, further comprising:
    - receiving a service request from the second device for the first device, the service request having an associated communication port for performing the service;
      
      determining the service request identifies a service advertised by the first device in a device description document; and
      
      configuring a second filter rule to allow communication between the first device and the second device using the associated communication port.
  - 6. The method of claim 1, further comprising:
    - providing the second device with an indicia for use by the second device in establishing a communication link to the first device.
  - 7. The method of claim 6, wherein the indicia is a selected one of a globally routable Internet Protocol (IP) address, or an internal network address non-routable on the external network.
  - 8. The method of claim 1, wherein communication within the internal network is in accord with an IPv6 compatible Internet Protocol (IP).
  - 9. The method of claim 1, further comprising:
    - retrieving an Access Control List (ACL) from the first device, the ACL including an identification of devices authorized to establish communication sessions; and
      
      determining based at least in part on the ACL the second device is authorized to establish the secure communication session with the first device before forwarding the secure session establishment request to the first device.
  - 10. The method of claim 1, further comprising:
    - receiving network traffic from the second device corresponding to a previous secure communication session established when the second device was previously on the internal network; and
      
      responding to said network traffic with an error such that the second device attempts to re-establish a secure communication session from the external network.
  - 11. The method of claim 1, further comprising:
    - establishing the end to end secure session connection between the first device on the internal network and the second device of the external network in a single end to end secure session connection between said first and second devices.

12. A method for communicating with a device by way of an intermediary selectively coupling an external network and an internal network, comprising:
- receiving a presence advertisement for the device;
  
  storing a network address associated with the first device;
  
  determining services offered by the device; and
  
  while on the external network, issuing a secure communication initiation request to the device via the intermediary.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the intermediary is configured to:
    - forward the request to the device;
      
      monitor for an approval or disapproval authentication acknowledgement to the request; and
      
      configure a filter of the intermediary to allow communication with the device if an approval authentication acknowledgement is received.
  - 14. The method of claim 13, wherein the intermediary is further configured to configure the filter to block communication with the device is a disapproval authentication acknowledgement is received.
  - 15. The method of claim 12 wherein the presence advertisement is received while on the internal network.
  - 16. The method of claim 12, wherein while on the internal network, the method further comprising requesting a description of services offered by the device.
  - 17. The method of claim 16, wherein the description of services is requested from the intermediary.
  - 18. The method of claim 12, wherein while on the external network, the method further comprising requesting a description of services offered by the device.
  - 19. The method of claim 18, wherein the description of services is requested from the intermediary.
  - 20. The method of claim 12, further comprising:
    - receiving an approval authentication acknowledgement to the request; and
      
      responsive to the approval, requesting a service of the device.
  - 21. The method of claim 12, wherein the network address associated with the first device is a globally unique network address having an address portion identifying the intermediary.
  - 22. The method of claim 12, wherein a traveling control point performs the method for communicating with the device.

23. A system of devices communicatively coupled with an internal network and an external network via a gateway, comprising:
- a first device, communicatively coupled to the internal network, offering services;
  
  a second device selectively coupled with the internal and external networks, the second device seeking a service of the first device, wherein when requesting the service, said requesting includes sending a secure communication initiation request to the first device to facilitate establishing a secure communication session with the first device; and
  
  an intermediary selectively communicatively coupling the first and second devices, wherein the intermediary is configured to receive a secure communication initiation request from the second device over the external network and forward the request to the first device.
- View Dependent Claims (24, 25, 26)
- - 24. The system of claim 23, wherein the intermediary is further configured to monitor the first device for an approval or disapproval authentication acknowledgement for the request, and to configure a filter of the intermediary controlling communication over the first network from the first device based at least in part on a monitored authentication acknowledgement.
  - 25. The system of claim 23, wherein the first device communicates with the second device in accord with the UPnP Security Protocol.
  - 26. The system of claim 23, wherein the secure communication initiation request corresponds to a UPnP Set Session Key (SSK) request.

27. An article comprising a machine-accessible media having associated data for an intermediary selectively coupling an external network and an internal network to dynamically generate filter rules to facilitate establishing an end to end secure session connection between a first device on the internal network and a second device of the external network, wherein the data, when accessed, results in the intermediary performing:
- receiving a secure session establishment request by a second device on the external network to establish a secure communication session with a first device on the internal network;
  
  forwarding the secure session establishment request to the first device;
  
  monitoring the internal network for an approval or disapproval acknowledgement by the first device for the secure session establishment request; and
  
  if an approval authentication acknowledgement is monitored, then configuring a first filter rule of the intermediary to allow communication between the first and second devices through the intermediary.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The article of claim 27, wherein the data further includes data, which when accessed, results in the intermediary performing:
    - determining a presence advertisement for the first device has been received before forwarding the secure session establishment request to the first device.
  - 29. The article of claim 27, wherein the data further includes data, which when accessed, results in the intermediary performing:
    - receiving a service request from the second device for the first device, the service request having an associated communication port for performing the service;
      
      determining the service request identifies a service advertised by the first device in a device description document; and
      
      configuring a second filter rule to allow communication between the first device and the second device using the associated communication port.
  - 30. The article of claim 27, wherein the data further includes data, which when accessed, results in the intermediary performing:
    - providing the second device with an indicia for use by the second device in establishing a communication link to the first device.
  - 31. The article of claim 27, wherein the data further includes data, which when accessed, results in the intermediary performing:
    - retrieving an Access Control List (ACL) from the first device, the ACL including an identification of devices authorized to establish communication sessions; and
      
      determining based at least in part on the ACL the second device is authorized to establish the secure communication session with the first device before forwarding the secure session establishment request to the first device.

32. An article comprising a machine-accessible media having associated data for communicating with a device by way of an intermediary selectively coupling an external network and an internal network, wherein the data, when accessed, results in a machine performing:
- receiving a presence advertisement for the device;
  
  storing a network address associated with the first device;
  
  determining services offered by the device; and
  
  while on the external network, issuing a secure communication initiation request to the device via the intermediary.
- View Dependent Claims (33, 34, 35)
- - 33. The article of claim 32, wherein the data further includes data, which when accessed by the machine, results in the machine performing:
    - receiving the presence advertisement while on the internal network.
  - 34. The article of claim 32, wherein the data further includes data, which when accessed by the machine, results in the machine performing, while on the internal network, requesting a description of services offered by the device.
  - 35. The article of claim 32, wherein the data further includes data, which when accessed by the machine, results in the machine performing, while on the external network, requesting a description of services offered by the device.

36. Machine-accessible information for an intermediary selectively coupling an external network and an internal network embodied in a propagated signal which, when accessed, results in the intermediary performing:
- receiving a secure session establishment request by a second device on the external network to establish a secure communication session with a first device on the internal network;
  
  forwarding the secure session establishment request to the first device;
  
  monitoring the internal network for an approval or disapproval acknowledgement by the first device for the secure session establishment request; and
  
  if an approval authentication acknowledgement is monitored, then configuring a first filter rule of the intermediary to allow communication between the first and second devices through the intermediary.
- View Dependent Claims (37)
- - 37. The propagated signal of claim 36, wherein the machine-accessible information further includes information, which when accessed, results in the intermediary performing:
    - receiving a service request from the second device for the first device, the service request having an associated communication port for performing the service;
      
      determining the service request identifies a service advertised by the first device in a device description document; and
      
      configuring a second filter rule to allow communication between the first device and the second device using the associated communication port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Lord, Christopher J., Warrier, Ulhas, Garg, Ajay

Application Number

US10/815,396
Publication Number

US 20050240758A1
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 63/0263 Rule management

H04L 63/101 Access control lists [ACL]

Controlling devices on an internal network from an external network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling devices on an internal network from an external network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links