Access control of mobile equipment to an IP communication network with dynamic modification of the access policies
1 Assignment
0 Petitions
Abstract
Access equipment (EA) to a communication network (N), equipped with a radio-communication interface (IR) capable of transmitting packets to mobile hosts (H1, H2, H3) located in a geographical zone (Z) linked to the interface, negotiation means intended to set up an exchange of data packets with a host of this zone, requesting access to the network, and transmission means to allow a data flow between one or multiple remote equipments (ED) situated in the communication network and the hosts recorded on the list of authorized mobile hosts, wherein the transmission means do not transmit any data packets to or from hosts not recorded on the list. This equipment is characterized by the fact that the negotiation means comprise control means intended to authenticate the host on the basis of the exchange of data packets and to modify the list in function of this authentication.
31 Citations
8 Claims
- 1. ) Access equipment (EA) to a communication network (N), equipped with a radio-communication interface (IR) capable of exchanging data packets with mobile hosts (H1, H2, H3) located in a geographical zone (Z) linked to the relevant interface (IR), negotiation means (MN) intended to set up an exchange of data packets (RA, NS, NA) with a mobile host in the relevant geographical zone requesting access to said communication network, and transmission means (MT) to transmit data packets forming a data flow (F), between one or more remote equipments (ED) located in said communication network and the mobile hosts recorded in a list of authorized mobile hosts (ACL) stored in said access equipment, wherein said transmission means do not transmit any data packet to or from mobile hosts not recorded on said list of authorized mobile hosts, characterized by the fact that these negotiation means are capable of receiving from said mobile host a solicitation message (NS) containing a digital signature obtained by means of a private key associated to a public key, an IP address of the mobile host generated with the public key and a certificate digitally signed by at least one certificate authorizer, the certificate including the public key and a holder name of the public and private key pair, said negotiation means comprising control means (MC) capable of verifying the digital signature of the certificate authorizer, and then verifying the digital signature and the IP address of the mobile host with the public key received in the certificate, in order to authenticate the mobile host, the control means (MC) being capable of modifying the list of authorized mobile hosts in function of the authentication.
- 8. ) Process for controlling the access of mobile hosts (H1, H2, H3) to a communication network (N) via access equipment (EA) equipped with a radio-communication interface (IR) capable of exchanging data packets with one of said mobile hosts when the latter is located in a geographical zone (Z) linked to said access equipment (EA), said process comprising a data packet exchange step (RA, NS, NA) between said access equipment and said mobile hosts and a transmission step consisting in transmitting data packets forming data flows (F) via said access equipment between one or multiple remote equipments (ED) located in said communication network and said mobile hosts if and only if the latter have been previously recorded on a list of authorized mobile hosts (ACL) stored in said access equipment, characterized by the fact that, prior to said transmission step the access equipment receives from a mobile host requesting access to the communication network a solicitation message (NS) containing a digital signature obtained by means of a private key associated to a public key, an IP address generated with the public key and a certificate digitally signed by at least one certificate authorizer, the certificate including the public key and a holder name of the public and private key pair, proceeds with the authentication of said mobile host soliciting access to the communication network, by verifying the digital signature and the IP address with the help of the public key received in the certificate, and modifies said list of authorized mobile hosts in function of this authentication.
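The control flow that claims 1 and 8 describe (the access equipment checks the certificate authorizer's signature on the certificate, then checks that the host's IP address was generated from the certified public key, then checks the host's own signature on the solicitation, and only then records the host on the ACL that the transmission means consult) is shown below as an added, stand-alone Python example; it is not code from the patent or its assignee. Everything beyond the claim text is an assumption made for the example: RSA signatures over SHA-256 digests with demo keys built from Mersenne primes so that only the standard library is needed (those keys are trivially factorable and exist purely to exercise the verification logic), JSON as the message and certificate encoding, and an address derivation that places 64 bits of SHA-256(public key) under the `fe80::/64` prefix, since the claims do not specify how the address is generated from the key. The names `AccessEquipment`, `build_ns`, `issue_certificate` and `address_from_key` are invented here.

```python
import hashlib
import ipaddress
import json

# Demo key material: Mersenne primes, so the example runs with no third-party
# library. Such moduli are trivially factorable and only serve to exercise
# the verification flow; they stand in for real RSA/ECDSA keys (assumption).
M89, M127, M521, M607, M1279 = (2**k - 1 for k in (89, 127, 521, 607, 1279))


def rsa_keypair(p, q, e=65537):
    """Textbook RSA keypair: returns ((n, e), (n, d)). Requires gcd(e, phi) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_sign(priv, data: bytes) -> int:
    """Signature = SHA-256(data) ** d mod n (no padding; demo only)."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def rsa_verify(pub, data: bytes, sig: int) -> bool:
    """Recover the digest with the public exponent and compare with SHA-256(data)."""
    n, e = pub
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return 0 < sig < n and pow(sig, e, n) == digest


def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def address_from_key(pub) -> str:
    """Assumed derivation: fe80::/64 prefix plus 64 bits of SHA-256(public key)."""
    n, e = pub
    iid = int.from_bytes(hashlib.sha256(canonical([n, e])).digest()[:8], "big")
    return str(ipaddress.IPv6Address((0xfe80 << 112) | iid))


def issue_certificate(ca_priv, holder: str, host_pub) -> dict:
    """Certificate authorizer binds a holder name to the host's public key."""
    body = {"holder": holder, "n": host_pub[0], "e": host_pub[1]}
    return {"body": body, "ca_sig": rsa_sign(ca_priv, canonical(body))}


def build_ns(host_priv, host_pub, cert: dict) -> dict:
    """Mobile host side: the solicitation (NS) carries address, certificate and signature.
    The signature covers the address and the certificate body, binding them together."""
    src = address_from_key(host_pub)
    sig = rsa_sign(host_priv, canonical({"src": src, "cert": cert["body"]}))
    return {"src": src, "cert": cert, "sig": sig}


class AccessEquipment:
    """Models EA: control means (MC) that verify an NS and maintain the ACL,
    and transmission means (MT) that consult the ACL for every flow."""

    def __init__(self, ca_pub):
        self.ca_pub = ca_pub   # trusted certificate authorizer key
        self.acl = set()       # authorized mobile host addresses

    def handle_ns(self, ns: dict) -> bool:
        body = ns["cert"]["body"]
        host_pub = (body["n"], body["e"])
        ok = (
            # 1. certificate authorizer's signature over the certificate
            rsa_verify(self.ca_pub, canonical(body), ns["cert"]["ca_sig"])
            # 2. the claimed IP address must be the one generated from the certified key
            and address_from_key(host_pub) == ns["src"]
            # 3. the host proves possession of the matching private key
            and rsa_verify(host_pub, canonical({"src": ns["src"], "cert": body}), ns["sig"])
        )
        if ok:
            self.acl.add(ns["src"])  # list modified only after full authentication
        return ok

    def forward(self, mobile_addr: str) -> bool:
        """MT: a packet to or from a mobile host passes only if that host is on the ACL."""
        return mobile_addr in self.acl


def run_scenarios() -> dict:
    """Constructed scenarios: one genuine host and three failing solicitations."""
    ca_pub, ca_priv = rsa_keypair(M607, M89)
    host_pub, host_priv = rsa_keypair(M521, M127)
    ea = AccessEquipment(ca_pub)
    cert = issue_certificate(ca_priv, "host-1", host_pub)
    genuine = build_ns(host_priv, host_pub, cert)
    results = {"genuine": ea.handle_ns(genuine), "flow_after_auth": ea.forward(genuine["src"])}
    # address not derived from the certified key
    results["spoofed_address"] = ea.handle_ns(dict(genuine, src="fe80::1"))
    results["unauthorized_flow"] = ea.forward("fe80::1")
    # certificate issued by an authorizer the equipment does not trust
    _, other_ca_priv = rsa_keypair(M1279, M127)
    other_cert = issue_certificate(other_ca_priv, "host-1", host_pub)
    results["unknown_ca"] = ea.handle_ns(build_ns(host_priv, host_pub, other_cert))
    # valid certificate and address, but a corrupted host signature
    results["forged_signature"] = ea.handle_ns(dict(genuine, sig=genuine["sig"] ^ 1))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The order of the three checks matters for a defender: the cheap certificate check runs first so that a solicitation from an unknown authorizer is rejected before any work is done with the host's key, and the address check sits between the two signature checks so that a valid certificate cannot be replayed behind an address it does not own. The ACL is only ever extended on success here; a failed solicitation leaves it untouched, so a spoofed solicitation naming an already authorized address cannot be used to evict that host.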