Method for the routing and control of packet data traffic in a communication system
First Claim
1. A method, comprising:
- initiating the establishment of a security association between a client node and a first gateway node;
- obtaining at least one user identity and user authentication data from an authentication server;
- authenticating the user with the authentication data;
- providing said at least one user identity to a second gateway node;
- obtaining for the user authorization pertaining to at least one access point in said second gateway node;
- providing said authorization pertaining to said at least one access point and an address for said client node to said first gateway node;
- providing said address to said client node from said first gateway node;
- transmitting a packet from said client node to said first gateway node, said packet comprising said address as source address;
- allowing said packet based on said authorization pertaining to said at least one access point; and
- routing said packet to a destination node in said first gateway node based on at least said address.
Abstract
The invention relates to a method which comprises initiating the establishment of a security association between a client node and a gateway node. User data is obtained from an authentication server and the user is authenticated. Authorization is obtained for the user for certain network services from a separate authorization node. An authorized address is provided to the client node. The authorization is checked by the gateway node when allowing outbound packets to specific destinations.
38 Claims
1. A method as set out under First Claim above (dependent claims 2, 3, 4, 5, 6, 7, 10, 20).
8. A method, comprising:
- initiating the establishment of a security association between a client node and a first gateway node;
- obtaining at least one user identity and user authentication data from an authentication server;
- authenticating the user with the authentication data;
- providing said at least one user identity to a control node;
- obtaining for the user authorization pertaining to at least one access point to said first gateway node from said control node;
- obtaining an address for said client node in said first gateway node;
- providing said address to said client node from said first gateway node;
- transmitting a packet from said client node to said first gateway node, said packet comprising said address as source address;
- allowing said packet based on said authorization pertaining to said at least one access point; and
- routing said packet to a destination node in said first gateway node based on at least said address.
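The gateway procedure of claims 1 and 8 (authenticate the user, obtain an authorization for at least one access point, bind the assigned address to that authorization, then allow and route only packets that match it), modelled as an added Python example written for this page; it is not code from the patent. The access-point route table, the authentication server, the subscription data held by the second gateway node, the address pool and the security-association identifiers are all constructed assumptions, and since the claims do not say how the first gateway node turns an access point into reachable destinations, a prefix table stands in for that mapping.

```python
"""Model of the first gateway node in claims 1 and 8.  Added example for
this page, not the patent's own code; all tables and addresses below are
constructed assumptions."""
import ipaddress
from dataclasses import dataclass

# Constructed: destination prefixes reachable through each access point.
ACCESS_POINT_ROUTES = {
    "internet": [ipaddress.ip_network("0.0.0.0/0")],
    "ims": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed authentication server: identity -> authentication data.
AUTH_SERVER = {"alice@example.invalid": "secret-a",
               "bob@example.invalid": "secret-b"}

# Constructed subscription data held by the second gateway node:
# identity -> access points the user is authorized for.
SUBSCRIPTIONS = {"alice@example.invalid": {"internet"},
                 "bob@example.invalid": {"ims"}}


@dataclass(frozen=True)
class Authorization:
    address: ipaddress.IPv4Address   # address handed to the client node
    access_points: frozenset         # access points the user may use


class SecondGateway:
    """Obtains the authorization and allocates the client address."""
    def __init__(self, pool):
        self._pool = [ipaddress.ip_address(a) for a in pool]

    def authorize(self, identity):
        access_points = SUBSCRIPTIONS.get(identity, set())
        if not access_points or not self._pool:
            return None
        return Authorization(self._pool.pop(0), frozenset(access_points))


class FirstGateway:
    """Terminates the security association, authenticates, filters, routes."""
    def __init__(self, second_gateway):
        self._second = second_gateway
        self._bindings = {}  # security association id -> Authorization

    def establish(self, sa_id, identity, auth_data):
        """Returns the address handed to the client, or None if refused."""
        if AUTH_SERVER.get(identity) != auth_data:
            return None  # authentication failed: no address is assigned
        auth = self._second.authorize(identity)
        if auth is None:
            return None  # nothing authorized: no address bound to the SA
        self._bindings[sa_id] = auth
        return auth.address

    def handle_packet(self, sa_id, src, dst):
        """Filter a packet received over security association sa_id.
        Returns ("forward", access_point) or ("drop", reason)."""
        auth = self._bindings.get(sa_id)
        if auth is None:
            return ("drop", "no authorization bound to this security association")
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src != auth.address:
            # The packet must carry the address handed out over this SA;
            # any other source is not routed.
            return ("drop", "source address does not match assigned address")
        for ap in sorted(auth.access_points):
            if any(dst in net for net in ACCESS_POINT_ROUTES[ap]):
                return ("forward", ap)
        return ("drop", "destination not reachable via an authorized access point")


def run_flow():
    """Constructed walk-through of the procedure; returns the outcomes."""
    gw = FirstGateway(SecondGateway(["10.0.0.10", "10.0.0.11"]))
    return {
        "alice_addr": str(gw.establish("sa-1", "alice@example.invalid", "secret-a")),
        "bob_addr": str(gw.establish("sa-2", "bob@example.invalid", "secret-b")),
        "bad_auth": gw.establish("sa-3", "bob@example.invalid", "wrong"),
        "alice_web": gw.handle_packet("sa-1", "10.0.0.10", "203.0.113.5"),
        "bob_ims": gw.handle_packet("sa-2", "10.0.0.11", "198.51.100.7"),
        "bob_web": gw.handle_packet("sa-2", "10.0.0.11", "203.0.113.5"),
        "spoof": gw.handle_packet("sa-2", "10.0.0.10", "203.0.113.5"),
        "unbound": gw.handle_packet("sa-3", "10.0.0.12", "203.0.113.5"),
    }
```

The filter is keyed by the security association rather than by source address alone, so a client cannot borrow another client's assigned address over its own tunnel, and a session that never completed authentication or authorization has no binding and therefore forwards nothing.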
9. A method, comprising:
- initiating the establishment of a security association between a client node and a first gateway node;
- obtaining at least one user identity and user authentication data from an authentication server;
- authenticating the user with the authentication data;
- requesting the creation of a packet data protocol context from a second gateway node;
- creating a packet data protocol context in said second gateway node;
- determining session control node information in said second gateway node;
- providing said session control node information in at least one protocol configuration option to said first gateway node;
- providing said session control node information to said client node in a configuration payload of a security association related message.
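The relay in claim 9 (the second gateway node places session control node information in a protocol configuration option when it creates the packet data protocol context, and the first gateway node hands that information to the client in the configuration payload of a security association message), as an added Python example written for this page, not the patent's own code. It assumes the session control node information is a P-CSCF address, which the claims do not say; the container layout follows 3GPP TS 24.008 and the configuration attribute types follow RFC 7296 and RFC 7651 as I know them, and the addresses are constructed.

```python
"""Relay of session control node information from a PCO container into an
IKEv2-style configuration reply.  Added example for this page; the choice
of P-CSCF addresses as the information being relayed is an assumption."""
import ipaddress
import struct

# PCO container identifiers (3GPP TS 24.008, network-to-client direction)
PCO_P_CSCF_IPV6 = 0x0001
PCO_P_CSCF_IPV4 = 0x000C
PCO_HEADER = bytes([0x80])  # extension bit set, configuration protocol PPP

# Configuration attribute types (RFC 7296; P-CSCF types from RFC 7651)
CFG_INTERNAL_IP4_ADDRESS = 1
CFG_P_CSCF_IP4_ADDRESS = 20
CFG_P_CSCF_IP6_ADDRESS = 21


def second_gateway_create_pdp_context(p_cscf_addresses):
    """Second gateway node: determine the session control node information
    and encode it as PCO containers returned with the created context."""
    pco = bytearray(PCO_HEADER)
    for addr in p_cscf_addresses:
        ip = ipaddress.ip_address(addr)
        cid = PCO_P_CSCF_IPV4 if ip.version == 4 else PCO_P_CSCF_IPV6
        pco += struct.pack("!HB", cid, len(ip.packed)) + ip.packed
    return bytes(pco)


def parse_pco(pco):
    """Return the (container id, contents) pairs of a PCO, rejecting a
    truncated container instead of reading past the end of the buffer."""
    if not pco or pco[0] & 0x80 == 0:
        raise ValueError("PCO extension bit not set")
    containers, pos = [], 1
    while pos < len(pco):
        if pos + 3 > len(pco):
            raise ValueError("truncated container header")
        cid, length = struct.unpack_from("!HB", pco, pos)
        pos += 3
        if pos + length > len(pco):
            raise ValueError("container length exceeds PCO")
        containers.append((cid, pco[pos:pos + length]))
        pos += length
    return containers


def pco_is_well_formed(pco):
    """True if the PCO parses; used to show the truncation check."""
    try:
        parse_pco(pco)
        return True
    except ValueError:
        return False


def first_gateway_build_cfg_reply(client_address, pco):
    """First gateway node: copy only the P-CSCF containers from the PCO into
    configuration attributes, alongside the client's assigned address."""
    attrs = [(CFG_INTERNAL_IP4_ADDRESS, ipaddress.ip_address(client_address).packed)]
    for cid, value in parse_pco(pco):
        if cid == PCO_P_CSCF_IPV4 and len(value) == 4:
            attrs.append((CFG_P_CSCF_IP4_ADDRESS, value))
        elif cid == PCO_P_CSCF_IPV6 and len(value) == 16:
            attrs.append((CFG_P_CSCF_IP6_ADDRESS, value))
        # any other container is not forwarded to the client
    return b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)


def client_parse_cfg_reply(payload):
    """Client node: decode the configuration attributes it understands."""
    out, pos = {}, 0
    while pos < len(payload):
        atype, length = struct.unpack_from("!HH", payload, pos)
        atype &= 0x7FFF  # clear the reserved bit
        pos += 4
        value = payload[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated attribute")
        pos += length
        if atype in (CFG_INTERNAL_IP4_ADDRESS, CFG_P_CSCF_IP4_ADDRESS,
                     CFG_P_CSCF_IP6_ADDRESS):
            out.setdefault(atype, []).append(str(ipaddress.ip_address(value)))
    return out


def relay_demo():
    """Constructed end-to-end relay: second gateway -> first gateway -> client."""
    pco = second_gateway_create_pdp_context(["198.51.100.7", "2001:db8::7"])
    return client_parse_cfg_reply(first_gateway_build_cfg_reply("10.0.0.10", pco))
```

The first gateway node only copies containers whose identifier and length it expects; everything else in the PCO stays on the network side, which keeps the client-facing configuration payload limited to the information the claim says is to be relayed.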
11. A communication system, comprising:
- a client node configured to initiate the establishment of a security association with a first gateway node, to transmit a packet to said first gateway node, said packet comprising an address as source address;
- a first gateway node configured to establish a security association with said client node, to obtain at least one user identity and user authentication data from an authentication server, to authenticate the user with the authentication data, to provide said at least one user identity to a second gateway node, to provide said address to said client node from said first gateway node, to receive said packet comprising said address as source address, to allow said packet based on said authorization pertaining to said at least one access point and to route said packet to a destination node based on at least said address; and
- a second gateway node configured to obtain for the user an authorization pertaining to at least one access point and to provide said authorization pertaining to said at least one access point and an address for said client node to said first gateway node.
Dependent claims: 12, 13, 14, 15, 16, 17.
18. A communication system, comprising:
- a client node configured to initiate the establishment of a security association towards a first gateway node; and
- a first gateway node configured to obtain at least one user identity and user authentication data from an authentication server, to authenticate the user with the authentication data, to provide said at least one user identity to a control node, to obtain for the user authorization pertaining to at least one access point, to obtain an address for said client node, to provide said address to said client node, to receive a packet from said client node, said packet comprising said address as source address, to allow said packet based on said authorization pertaining to said at least one access point and to route said packet to a destination node in said first gateway node based on at least said address.
19. A communication system, comprising:
- a client node configured to initiate the establishment of a security association to a first gateway node;
- said first gateway node configured to obtain at least one user identity and user authentication data from an authentication server, to request the creation of a packet data protocol context from a second gateway node, to authenticate the user with the authentication data and to provide said session control node information to said client node in a configuration payload of a security association related message; and
- said second gateway node configured to create a packet data protocol context in said second gateway node, to determine session control node information in said second gateway node, and to provide said session control node information in at least one protocol configuration option to said first gateway node.
21. A network node, comprising:
- a security entity configured to establish a security association with a client node, to obtain at least one user identity and user authentication data from an authentication server, to authenticate the user with the authentication data, to provide said at least one user identity to a gateway node, to provide an address to said client node;
- a communication entity configured to receive said packet comprising said address as source address;
- a filtering entity configured to allow said packet based on said authorization pertaining to said at least one access point; and
- a router entity configured to route said packet to a destination node based on at least said address.
22. A network node, comprising:
- means for establishing a security association with a client node;
- means for obtaining at least one user identity and user authentication data from an authentication server;
- means for authenticating the user with the authentication data;
- means for providing said at least one user identity to a gateway node;
- means for providing an address to said client node;
- means for receiving a packet comprising said address as source address;
- means for allowing said packet based on said authorization pertaining to said at least one access point; and
- means for routing said packet to a destination node based on at least said address.
23. A network node, comprising:
- a security entity configured to obtain at least one user identity and user authentication data from an authentication server, to authenticate the user with the authentication data, to provide said at least one user identity to a control node, to obtain for the user authorization pertaining to at least one access point, to obtain an address for said client node, to provide said address to said client node;
- a communication entity configured to receive a packet from said client node, said packet comprising said address as source address;
- a filtering entity configured to allow said packet based on said authorization pertaining to said at least one access point; and
- a routing entity configured to route said packet to a destination node based on at least said address.
24. A network node, comprising:
- means for obtaining at least one user identity and user authentication data from an authentication server;
- means for authenticating the user with the authentication data;
- means for providing said at least one user identity to a control node;
- means for obtaining for the user authorization pertaining to at least one access point;
- means for obtaining an address for said client node;
- means for providing said address to said client node;
- means for receiving a packet from said client node, said packet comprising said address as source address;
- means for allowing said packet based on said authorization pertaining to said at least one access point; and
- means for routing said packet to a destination node based on at least said address.
25. A network node, comprising:
- a security entity configured to establish a security association with a client node, to obtain at least one user identity and user authentication data from an authentication server, to request the creation of a packet data protocol context from a second gateway node, to authenticate the user with the authentication data and to provide said session control node information to said client node in a configuration payload of a security association related message.
26. A network node, comprising:
- means for establishing a security association with a client node;
- means for obtaining at least one user identity and user authentication data from an authentication server;
- means for requesting the creation of a packet data protocol context from a second gateway node;
- means for authenticating the user with the authentication data; and
- means for providing said session control node information to said client node in a configuration payload of a security association related message.
27. A computer program embodied on a computer readable medium, when executed on a data-processing system, the computer program being configured to perform:
- establishing a security association with a client node;
- obtaining at least one user identity and user authentication data from a server;
- authenticating the user with the authentication data;
- providing said at least one user identity to a gateway node;
- providing an address to said client node;
- receiving a packet comprising said address as source address;
- allowing said packet based on said authorization pertaining to said at least one access point; and
- routing said packet to a destination node based on at least said address.
Dependent claims: 28, 29, 30.
31. A computer program embodied on a computer readable medium, when executed on a data-processing system, the computer program being configured to perform:
- obtaining at least one user identity and user authentication data from an authentication server;
- authenticating the user with the authentication data;
- providing said at least one user identity to a control node;
- obtaining for the user authorization pertaining to at least one access point;
- obtaining an address for said client node;
- providing said address to said client node;
- receiving a packet from said client node, said packet comprising said address as source address;
- allowing said packet based on said authorization pertaining to said at least one access point; and
- routing said packet to a destination node based on at least said address.
Dependent claims: 32, 33, 34.
35. A computer program embodied on a computer readable medium, when executed on a data-processing system, the computer program being configured to perform:
- establishing a security association with a client node;
- obtaining at least one user identity and user authentication data from an authentication server;
- requesting the creation of a packet data protocol context from a second gateway node;
- authenticating the user with the authentication data; and
- providing said session control node information to said client node in a configuration payload of a security association related message.
Dependent claims: 36, 37, 38.