Method for the routing and control of packet data traffic in a communication system

US 20080198861A1
Filed: 02/16/2007
Published: 08/21/2008
Est. Priority Date: 02/16/2007
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

initiating the establishment of a security association between a client node and a first gateway node;

obtaining at least one user identity and user authentication data from an authentication server;

authenticating the user with the authentication data;

providing said at least one user identity to a second gateway node;

obtaining for the user authorization pertaining to at least one access point in said second gateway node;

providing said authorization pertaining to said at least one access point and an address for said client node to said first gateway node;

providing said address to said client node from said first gateway node;

transmitting a packet from said client node to said first gateway node, said packet comprising said address as source address;

allowing said packet based on said authorization pertaining to said at least one access point; and

routing said packet to a destination node in said first gateway node based on at least said address.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method, which comprising initiating the establishment of a security association between a client node and a gateway node. User data is obtained from an authentication server and the user is au-thenticated. Authorization is obtained for the user for certain network services from a separate authorization node. An authorized address is provided to the client node. The authorization is checked by the gateway node for the allowing outbound packets to specific destinations.

37 Citations

View as Search Results

38 Claims

1. A method, comprising:
- initiating the establishment of a security association between a client node and a first gateway node;
  
  obtaining at least one user identity and user authentication data from an authentication server;
  
  authenticating the user with the authentication data;
  
  providing said at least one user identity to a second gateway node;
  
  obtaining for the user authorization pertaining to at least one access point in said second gateway node;
  
  providing said authorization pertaining to said at least one access point and an address for said client node to said first gateway node;
  
  providing said address to said client node from said first gateway node;
  
  transmitting a packet from said client node to said first gateway node, said packet comprising said address as source address;
  
  allowing said packet based on said authorization pertaining to said at least one access point; and
  
  routing said packet to a destination node in said first gateway node based on at least said address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 10, 20)
- - 2. The method according to claim 1, the method further comprising:
    - providing said at least one user identity to a control node from said second gateway node;
      
      determining in said control node said authorization pertaining to said at least one access point with said at least one user identity; and
      
      indicating said authorization to said second gateway node.
  - 3. The method according to claim 2, the method further comprising:
    - adding a session signaling message pertaining to a session to said packet;
      
      providing an indication of said session to said control node;
      
      detecting a session release condition for said session in said control node;
      
      sending a release request message from said control node to said first gateway node; and
      
      deleting a second security association in said first gateway node.
  - 4. The method according to claim 1, wherein said second gateway node is a Gateway General Packet Radio Service Support Node.
  - 5. The method according to claim 1, wherein said user is a mobile subscriber.
  - 6. The method according to claim 1, wherein said first gateway node is a Virtual Private Network gateway.
  - 7. The method according to claim 1, wherein said at least one user identity comprises at least one of a Mobile Subscriber Integrated Services Digital Network number, an International Mobile Subscriber Identity, a Session Initiation Protocol Uniform Resource Identifier, an electronic mail address and a logical name.
  - 10. The method according to claim 1, wherein said second gateway node is a Gateway General Packet Radio Service Support Node.
  - 20. The method according to claim 1, wherein said second gateway node is a Gateway General Packet Radio Service Support Node.

8. A method, comprising:
- initiating the establishment of a security association between a client node and a first gateway node;
  
  obtaining at least one user identity and user authentication data from an authentication server;
  
  authenticating the user with the authentication data;
  
  providing said at least one user identity to a control node;
  
  obtaining for the user authorization pertaining to at least one access point to said first gateway node from said control node;
  
  obtaining an address for said client node in said first gateway node;
  
  providing said address to said client node from said first gateway node;
  
  transmitting a packet from said client node to said first gateway node, said packet comprising said address as source address;
  
  allowing said packet based on said authorization pertaining to said at least one access point; and
  
  routing said packet to a destination node in said first gateway node based on at least said address.

9. A method, comprising:
- initiating the establishment of a security association between a client node and a first gateway node;
  
  obtaining at least one user identity and user authentication data from an authentication server;
  
  authenticating the user with the authentication data;
  
  requesting the creation of a packet data protocol context from a second gateway node;
  
  creating a packet data protocol context in said second gateway node;
  
  determining session control node information in said second gateway node;
  
  providing said session control node information in at least one protocol configuration option to said first gateway node;
  
  providing said session control node information to said client node in a configuration payload of a security association related message.

11. A communication system, comprising:
- a client node configured to initiate the establishment of a security association with a first gateway node, to transmit a packet to said first gateway node, said packet comprising an address as source address;
  
  a first gateway node configured to establish a security association with said client node, to obtain at least one user identity and user authentication data from an authentication server, to authenticate the user with the authentication data, to providing said at least one user identity to a second gateway node, to provide said address to said client node from said first gateway node, to receive said packet comprising said address as source address, to allow said packet based on said authorization pertaining to said at least one access point and to route said packet to a destination node based on at least said address; and
  
  a second gateway node configured to obtain for the user an authorization pertaining to at least one access point and to provide said authorization pertaining to said at least one access point and an address for said client node to said first gateway node.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The communication system according to claim 11, the communication system further comprising:
    - said second gateway node configured to provide said at least one user identity to a control node;
      
      said control node configured to determine said authorization pertaining to said at least one access point with said at least one user identity and to indicate said authorization to said second gateway node.
  - 13. The communication system according to claim 12, the communication system further comprising:
    - said client node configured to add a session signaling message pertaining to a session to said packet;
      
      a session control node configured to provide an indication of said session to said control node;
      
      said control node configured to detect a session release condition for said session, to send a release request message to said first gateway node; and
      
      said first gateway node configured to delete a second security association.
  - 14. The communication system according to claim 11, wherein said second gateway node is a Gateway General Packet Radio Service Support Node.
  - 15. The communication system according to claim 11, wherein said user is a mobile subscriber.
  - 16. The communication system according to claim 11, wherein said first gateway node is a Virtual Private Network gateway.
  - 17. The communication system according to claim 11, wherein said at least one user identity comprises at least one of a Mobile Subscriber Integrated Services Digital Network number, an International Mobile Subscriber Identity, a Session Initiation Protocol Uniform Resource Identifier, an electronic mail address and a logical name.

18. A communication system comprising:
- a client node configured to initiate the establishment of a security association towards a first gateway node; and
  
  a first gateway node configured to obtaining at least one user identity and user authentication data from an authentication server, to authenticate the user with the authentication data, to provide said at least one user identity to a control node, to obtain for the user authorization pertaining to at least one access point, to obtain an address for said client node, to providing said address to said client node, to receive a packet from said client node, said packet comprising said address as source address, to allowing said packet based on said authorization pertaining to said at least one access point and to route said packet to a destination node in said first gateway node based on at least said address.

19. A communication system, comprising:
- a client node configured to initiate the establishment of a security association to a first gateway node;
  
  said first gateway node configured to obtain at least one user identity and user authentication data from an authentication server, to request the creation of a packet data protocol context from a second gateway node, to authenticate the user with the authentication data and to providing said session control node information to said client node in a configuration payload of a security association related message; and
  
  said second gateway node configured to create a packet data protocol context in said second gateway node, to determine session control node information in said second gateway node, to providing said session control node information in at least one protocol configuration option to said first gateway node.

21. A network node, comprising:
- a security entity configured to establish a security association with a client node, to obtain at least one user identity and user authentication data from an authentication server, to authenticate the user with the authentication data, to providing said at least one user identity to a gateway node, to provide an address to said client node;
  
  a communication entity configured to receive said packet comprising said address as source address;
  
  a filtering entity configured to allow said packet based on said authorization pertaining to said at least one access point; and
  
  a router entity configured to route said packet to a destination node based on at least said address.

22. A network node, comprising:
- means for establishing a security association with a client node;
  
  means for obtaining at least one user identity and user authentication data from an authentication server;
  
  means for authenticating the user with the authentication data;
  
  means for providing said at least one user identity to a gateway node;
  
  means for to providing an address to said client node;
  
  means for receiving a packet comprising said address as source address;
  
  means for allowing said packet based on said authorization pertaining to said at least one access point; and
  
  means for routing said packet to a destination node based on at least said address.

23. A network node, comprising:
- a security entity configured to obtain at least one user identity and user authentication data from an authentication server, to authenticate the user with the authentication data, to provide said at least one user identity to a control node, to obtain for the user authorization pertaining to at least one access point, to obtain an address for said client node, to providing said address to said client node;
  
  a communication entity configured to receive a packet from said client node, said packet comprising said address as source address;
  
  a filtering entity configured to allow said packet based on said authorization pertaining to said at least one access point; and
  
  a routing entity configured to route said packet to a destination node based on at least said address.

24. A network node, comprising:
- means for obtaining at least one user identity and user authentication data from an authentication server;
  
  means for authenticating the user with the authentication data;
  
  means for providing said at least one user identity to a control node;
  
  means for obtaining for the user authorization pertaining to at least one access point;
  
  means for obtaining an address for said client node;
  
  means for providing said address to said client node;
  
  means for receiving a packet from said client node, said packet comprising said address as source address;
  
  means for allowing said packet based on said authorization pertaining to said at least one access point; and
  
  means for routing said packet to a destination node based on at least said address.

25. A network node, comprising:
- a security entity configured to establish a security association with a client node, to obtain at least one user identity and user authentication data from an authentication server, to request the creation of a packet data protocol context from a second gateway node, to authenticate the user with the authentication data and to providing said session control node information to said client node in a configuration payload of a security association related message.

26. A network node, comprising:
- means for establishing a security association with a client node;
  
  means for obtaining at least one user identity and user authentication data from an authentication server;
  
  means for requesting the creation of a packet data protocol context from a second gateway node, means for authenticating the user with the authentication data; and
  
  means for providing said session control node information to said client node in a configuration payload of a security association related message.

27. A computer program embodied on a computer readable medium, when executed on a data-processing system, the computer program being configured to perform:
- establishing a security association with a client node;
  
  obtaining at least one user identity and user authentication data from a server;
  
  authenticating the user with the authentication data;
  
  providing said at least one user identity to a gateway node;
  
  providing an address to said client node;
  
  receiving a packet comprising said address as source address;
  
  allowing said packet based on said authorization pertaining to said at least one access point; and
  
  routing said packet to a destination node based on at least said address.
- View Dependent Claims (28, 29, 30)
- - 28. The computer program according to claim 27, wherein said computer readable medium is a removable memory card.
  - 29. The computer program according to claim 27, wherein said computer readable medium is a removable memory device.
  - 30. The computer program according to claim 27, wherein said computer readable medium is a magnetic disk, a holographic memory or an optical disk.

31. A computer program embodied on a computer readable medium, when executed on a data-processing system, the computer program being configured to perform:
- obtaining at least one user identity and user authentication data from an authentication server;
  
  authenticating the user with the authentication data;
  
  providing said at least one user identity to a control node;
  
  obtaining for the user authorization pertaining to at least one access point;
  
  obtaining an address for said client node;
  
  providing said address to said client node;
  
  receiving a packet from said client node, said packet comprising said address as source address;
  
  allowing said packet based on said authorization pertaining to said at least one access point; and
  
  routing said packet to a destination node based on at least said address.
- View Dependent Claims (32, 33, 34)
- - 32. The computer program according to claim 31, wherein said computer readable medium is a removable memory card.
  - 33. The computer program according to claim 31, wherein said computer readable medium is a removable memory device.
  - 34. The computer program according to claim 31, wherein said computer readable medium is a magnetic disk, a holographic memory or an optical disk.

35. A computer program embodied on a computer readable medium, when executed on a data-processing system, the computer program being configured to perform:
- establishing a security association with a client node;
  
  obtaining at least one user identity and user authentication data from an authentication server;
  
  requesting the creation of a packet data protocol context from a second gateway node,authenticating the user with the authentication data; and
  
  providing said session control node information to said client node in a configuration payload of an security association related message.
- View Dependent Claims (36, 37, 38)
- - 36. The computer program according to claim 35, wherein said computer readable medium is a removable memory card.
  - 37. The computer program according to claim 35, wherein said computer readable medium is a removable memory device.
  - 38. The computer program according to claim 35, wherein said computer readable medium is a magnetic disk, a holographic memory or an optical disk.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Conversant Wireless Licensing S.à.r.l. (f/k/a Core Wireless Licensing S.a.r.l.) (MOSAID Technologies Inc. (f/k/a Conversant Intellectual Property Management))
Original Assignee
Nokia Corporation
Inventors
Makela, Riku-Ville

Granted Patent

US 7,809,003 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/162   at the data link layer

H04L 65/1016   IP multimedia subsystem [IMS]

H04L 65/1104   Session initiation protocol...

H04L 67/14   Session management for real...

H04L 67/142   Managing session states for...

H04L 67/143   Termination or inactivation...

H04L 67/147   Signalling methods or messa...

H04W 12/06   Authentication

H04W 12/72   Subscriber identity

H04W 88/16   Gateway arrangements

Method for the routing and control of packet data traffic in a communication system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

37 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Method for the routing and control of packet data traffic in a communication system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links