Method for the routing and control of packet data traffic in a communication system
First Claim
1. A method, comprising:
initiating an establishment of a security association between a client node and a first gateway node, where initiating comprises at least one authentication message communicated between the client node and the first gateway node indicating a name of an access point;
obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;
authenticating the user with the authentication data and establishing the security association;
providing said at least one user identity and an indication of said access point to a second gateway node;
obtaining for the user an authorization pertaining to said access point and an address allocated from said access point;
providing said address to said client node from said first gateway node;
receiving a packet from said client node, said packet comprising said address as a source address;
allowing said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
routing, by the first gateway node, said packet toward a destination node based on at least said destination address.
Abstract
The invention relates to a method which comprises initiating the establishment of a security association between a client node and a gateway node. User data is obtained from an authentication server and the user is authenticated. Authorization for certain network services is obtained for the user from a separate authorization node. An authorized address is provided to the client node. The gateway node checks the authorization before allowing outbound packets to specific destinations.
35 Claims
1. A method, comprising the steps set out above under First Claim.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method, comprising:
initiating an establishment of a security association between a client node and a first gateway node, where initiating comprises at least one authentication message communicated between the client node and the first gateway node indicating a name of an access point;
obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;
authenticating the user with the authentication data and establishing the security association;
providing said at least one user identity and an indication of said access point to a control node;
obtaining for the user an authorization pertaining to said access point from said control node;
obtaining an address allocated from said access point for said client node by said first gateway node;
providing said address to said client node from said first gateway node;
receiving a packet from said client node, said packet comprising said address as a source address;
allowing said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
routing, by said first gateway device, said packet toward a destination node based on at least said destination address.
Dependent claims: 13, 14, 15, 16, 17.
9. A method, comprising:
initiating an establishment of a security association between a client node and a first gateway node, where initiating comprises at least one authentication message communicated between the client node and the first gateway node indicating a name of an access point;
obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;
authenticating the user with the authentication data and establishing the security association;
requesting a creation of a packet data protocol context from a second gateway node;
creating a packet data protocol context in said second gateway node;
determining session control node information in said second gateway node;
providing said session control node information in at least one protocol configuration option of said packet data protocol context to said first gateway node;
providing said session control node information to said client node in a configuration payload of a security association related message.
Dependent claims: 10, 11, 12.
18. A network node, comprising:
at least one processor; and
at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the network node to at least:
establish a security association with a client node, where establishing comprises at least one authentication message communicated from the client node indicating a name of an access point;
obtain at least one user identity and user authentication data for a user of the client node from an authentication server, to authenticate the user with the authentication data and establish the security association, providing said at least one user identity and an indication of said access point to a gateway node;
provide an address allocated by said access point to said client node;
receive said packet comprising said address as source address;
allow said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
route said packet toward a destination node based on at least said destination address.
19. An apparatus, comprising:
at least one processor; and
at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the apparatus to at least:
establish a security association with a client node, where the establishing comprises at least one authentication message communicated from the client node indicating a name of an access point;
obtain at least one user identity and user authentication data for a user of the client node from an authentication server;
authenticate the user with the authentication data and establish the security association;
provide said at least one user identity and an indication of said access point to a gateway node;
provide an address allocated from said access point to said client node;
receive a packet comprising said address as source address;
allow said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
route said packet toward a destination node based on at least said address.
20. A network node, comprising:
at least one processor; and
at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the network node to at least:
obtain an identity of an access point in at least one authentication message during initialization of a security association with a client node;
obtain at least one user identity and user authentication data for a user of the client node from an authentication server;
authenticate the user with the authentication data and establish the security association;
provide said at least one user identity and an indication of said access point to a control node;
obtain for the user authorization pertaining to said access point, an address allocated from said access point for said client node;
provide said address to said client node;
receive a packet from said client node, said packet comprising said address as source address;
allow said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
route said packet toward a destination node based on at least said destination address.
21. An apparatus, comprising:
at least one processor; and
at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the apparatus to at least:
obtain an identity of an access point in at least one authentication message during initialization of a security association with a client node;
obtain at least one user identity and user authentication data for a user of the client node from an authentication server;
authenticate the user with the authentication data;
provide said at least one user identity and an indication of said access point to a control node;
obtain for the user authorization pertaining to said access point;
obtain an address allocated from said access point for said client node;
provide said address to said client node;
receive a packet from said client node, said packet comprising said address as source address;
allow said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
route said packet toward a destination node based on at least said destination address.
22. A network node, comprising:
at least one processor; and
at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the network node to at least:
establish a security association with a client node, where establishing comprises at least one authentication message communicated from the client node indicating an identity of an access point;
obtain at least one user identity and user authentication data from an authentication server;
request a creation of a packet data protocol context from a second gateway node, where said request comprises said at least one user identity and an indication of said access point;
authenticate the user with the authentication data;
receive said packet data protocol context, where session control node information is included in at least one protocol configuration option of said packet data protocol context; and
provide said session control node information to said client node in a configuration payload of a security association related message.
23. An apparatus, comprising:
at least one processor; and
at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the apparatus to at least:
establish a security association with a client node, where establishing comprises at least one authentication message communicated from the client node indicating an identity of an access point;
obtain at least one user identity and user authentication data for a user of the client node from an authentication server;
request a creation of a packet data protocol context from a second gateway node, receive said packet data protocol context, where session control node information is included in at least one protocol configuration option of said packet data protocol context;
authenticate the user with the authentication data; and
provide said session control node information to said client node in a configuration payload of a security association related message.
24. A non-transitory computer readable medium embodying a computer program, the computer program executable by a data processor to perform:
establishing a security association with a client node, where establishing comprises at least one authentication message communicated from the client node indicating an identity of an access point;
obtaining at least one user identity and user authentication data for a user of the client node from a server;
authenticating the user with the authentication data;
providing said at least one user identity and an indication of said access point to a gateway node;
providing an address allocated from said access point to said client node;
receiving a packet comprising said address as source address;
allowing said packet based on said authorization pertaining to said access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
routing said packet toward a destination node based on at least said destination address.
Dependent claims: 25, 26, 27.
28. A non-transitory computer readable medium embodying a computer program, the computer program executable by a data processor to perform:
obtaining an identity of an access point in at least one authentication message communicated during initialization of a security association with a client node;
obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;
authenticating the user with the authentication data and establishing the security association;
providing said at least one user identity and an indication of said access point to a control node;
obtaining for the user authorization pertaining to said access point;
obtaining an address allocated from said access point for said client node;
providing said address to said client node;
receiving a packet from said client node, said packet comprising said address as source address;
allowing said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said at least one access point for said source address to a destination address indicated in said packet; and
routing said packet toward a destination node based on at least said destination address.
Dependent claims: 29, 30, 31.
32. A non-transitory computer readable medium embodying a computer program, the computer program executable by a data processor to perform:
establishing a security association with a client node, where establishing comprises at least one authentication message communicated from the client node indicating an identity of an access point;
obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;
requesting a creation of a packet data protocol context from a second gateway node, authenticating the user with the authentication data, where said request comprises said at least one subscriber identity and an indication of said access point;
receiving said packet data protocol context, where session control node information is included in at least one protocol configuration option of said packet data protocol context; and
providing said session control node information to said client node in a configuration payload of a security association related message.
Dependent claims: 33, 34, 35.
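The per-packet check that claims 1, 8, 18 to 21, 24 and 28 assign to the first gateway node, as an added Python example that is not part of the patent or any product implementing it: each client's security association is bound to the user identity, the access point name sent in the authentication message, the authorization returned for that access point and the address allocated from it, and a packet is routed only if its source is that allocated address, the user is authorized for the access point, and an access-point firewall rule covers the source-to-destination pair. The rule table, user names, SA identifiers and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

IPNet = ipaddress.IPv4Network

@dataclass(frozen=True)
class Authorization:
    """What the second gateway / control node returned for one user and one access point."""
    user_id: str
    apn: str                        # access point name carried in the authentication message
    address: ipaddress.IPv4Address  # address allocated from that access point
    authorized: bool                # whether the user may use that access point

@dataclass
class Gateway:
    # Per-access-point firewall rules as (source network, destination network) pairs (constructed).
    apn_rules: dict[str, list[tuple[IPNet, IPNet]]]
    # Security associations that completed authentication: SA id -> authorization.
    sessions: dict[str, Authorization] = field(default_factory=dict)

    def bind(self, sa_id: str, auth: Authorization) -> None:
        self.sessions[sa_id] = auth

    def admit(self, sa_id: str, src: str, dst: str) -> tuple[bool, str]:
        """Decide whether a packet received over SA `sa_id` may be routed toward `dst`."""
        auth = self.sessions.get(sa_id)
        if auth is None:
            return False, "no security association"
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip != auth.address:
            return False, "source address not the one allocated to this client"
        if not auth.authorized:
            return False, f"user {auth.user_id} not authorized for {auth.apn}"
        for src_net, dst_net in self.apn_rules.get(auth.apn, []):
            if src_ip in src_net and dst_ip in dst_net:
                return True, f"route toward {dst_ip} via {auth.apn}"
        return False, f"no rule in {auth.apn} allows {src_ip} -> {dst_ip}"

def demo() -> list[tuple[bool, str]]:
    # Constructed scenario: one authorized and one unauthorized user on the same access point.
    gw = Gateway(apn_rules={"corp.example": [(IPNet("10.20.0.0/16"), IPNet("10.100.0.0/16"))]})
    gw.bind("sa-1", Authorization("alice", "corp.example", ipaddress.ip_address("10.20.0.5"), True))
    gw.bind("sa-2", Authorization("bob", "corp.example", ipaddress.ip_address("10.20.0.9"), False))
    return [
        gw.admit("sa-1", "10.20.0.5", "10.100.1.1"),  # allowed and routed
        gw.admit("sa-1", "10.20.0.5", "8.8.8.8"),     # destination not covered by the APN rules
        gw.admit("sa-1", "10.20.0.7", "10.100.1.1"),  # source is not the allocated address
        gw.admit("sa-2", "10.20.0.9", "10.100.1.1"),  # user not authorized for the APN
        gw.admit("sa-9", "10.20.0.5", "10.100.1.1"),  # no security association
    ]
```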