Method for the routing and control of packet data traffic in a communication system

US 7,809,003 B2
Filed: 02/16/2007
Issued: 10/05/2010
Est. Priority Date: 02/16/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A method, comprising:

initiating an establishment of a security association between a client node and a first gateway node, where initiating comprises at least one authentication message communicated between the client node and the first gateway node indicating a name of an access point;

obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;

authenticating the user with the authentication data and establishing the security association;

providing said at least one user identity and an indication of said access point to a second gateway node;

obtaining for the user an authorization pertaining to said access point and an address allocated from said access point;

providing said address to said client node from said first gateway node;

receiving a packet from said client node, said packet comprising said address as a source address;

allowing said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and

routing, by the first gateway node, said packet toward a destination node based on at least said destination address.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method, which comprising initiating the establishment of a security association between a client node and a gateway node. User data is obtained from an authentication server and the user is authenticated. Authorization is obtained for the user for certain network services from a separate authorization node. An authorized address is provided to the client node. The authorization is checked by the gateway node for the allowing outbound packets to specific destinations.

28 Citations

View as Search Results

35 Claims

1. A method, comprising:
- initiating an establishment of a security association between a client node and a first gateway node, where initiating comprises at least one authentication message communicated between the client node and the first gateway node indicating a name of an access point;
  
  obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;
  
  authenticating the user with the authentication data and establishing the security association;
  
  providing said at least one user identity and an indication of said access point to a second gateway node;
  
  obtaining for the user an authorization pertaining to said access point and an address allocated from said access point;
  
  providing said address to said client node from said first gateway node;
  
  receiving a packet from said client node, said packet comprising said address as a source address;
  
  allowing said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
  
  routing, by the first gateway node, said packet toward a destination node based on at least said destination address.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1,wherein said packet comprises session initiation protocol signaling in order to establish a session between said client node and said destination node via the first gateway node.
  - 3. The method according to claim 2, the method further comprising:
    - providing an indication of said session to said a control node;
      
      receiving, at said first gateway node, a release request message from said control node; and
      
      in response to said release request message, deleting said security association in said first gateway node.
  - 4. The method according to claim 1, wherein said second gateway node is a gateway general packet radio service support node.
  - 5. The method according to claim 1, wherein said user is a mobile subscriber.
  - 6. The method according to claim 1, wherein said first gateway node is a virtual private network gateway.
  - 7. The method according to claim 1, wherein said at least one user identity comprises at least one of a mobile subscriber integrated services digital network number, an international mobile subscriber identity, a session initiation protocol uniform resource identifier, an electronic mail address and a logical name.

8. A method, comprising:
- initiating an establishment of a security association between a client node and a first gateway node, where initiating comprises at least one authentication message communicated between the client node and the first gateway node indicating a name of an access point;
  
  obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;
  
  authenticating the user with the authentication data and establishing the security association;
  
  providing said at least one user identity and an indication of said access point to a control node;
  
  obtaining for the user an authorization pertaining to said access point from said control node;
  
  obtaining an address allocated from said access point for said client node by said first gateway node;
  
  providing said address to said client node from said first gateway node;
  
  receiving a packet from said client node, said packet comprising said address as a source address;
  
  allowing said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
  
  routing, by said first gateway device, said packet toward a destination node based on at least said destination address.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method according to claim 8, wherein said packet comprises session initiation protocol signaling in order to establish a session between the client node and the destination node via the first gateway node.
  - 14. The method according to claim 8, wherein said second gateway node is a gateway general packet radio service support node.
  - 15. The method according to claim 8, wherein said user is a mobile subscriber.
  - 16. The method according to claim 8, wherein said first gateway node is a virtual private network gateway.
  - 17. The method according to claim 8, wherein said at least one user identity comprises at least one of a mobile subscriber integrated services digital network number, an international mobile subscriber identity, a session initiation protocol uniform resource identifier, an electronic mail address and a logical name.

9. A method, comprising:
- initiating an establishment of a security association between a client node and a first gateway node, where initiating comprises at least one authentication message communicated between the client node and the first gateway node indicating a name of an access point;
  
  obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;
  
  authenticating the user with the authentication data and establishing the security association;
  
  requesting a creation of a packet data protocol context from a second gateway node;
  
  creating a packet data protocol context in said second gateway node;
  
  determining session control node information in said second gateway node;
  
  providing said session control node information in at least one protocol configuration option of said packet data protocol context to said first gateway node;
  
  providing said session control node information to said client node in a configuration payload of a security association related message.
- View Dependent Claims (10, 11, 12)
- - 10. The method according to claim 9, wherein said second gateway node is a Gateway General Packet Radio Service Support Node.
  - 11. The method according to claim 9, wherein the session control node information is used by at least the second gateway node to control a session between the client node and a destination node established via the first gateway node.
  - 12. The method according to claim 9, wherein said at least one user identity comprises at least one of a mobile subscriber integrated services digital network number, an international mobile subscriber identity, a session initiation protocol uniform resource identifier, an electronic mail address and a logical name.

18. A network node, comprising:
- at least one processor; and
  
  at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the network node to at least;
  
  establish a security association with a client node, where establishing comprises at least one authentication message communicated from the client node indicating a name of an access point;
  
  obtain at least one user identity and user authentication data for a user of the client node from an authentication server, to authenticate the user with the authentication data and establish the security association,providing said at least one user identity and an indication of said access point to a gateway node;
  
  provide an address allocated by said access point to said client node;
  
  receive said packet comprising said address as source address;
  
  allow said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
  
  route said packet toward a destination node based on at least said destination address.

19. An apparatus, comprising:
- at least one processor; and
  
  at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the apparatus to at least;
  
  establish a security association with a client node, where the establishing comprises at least one authentication message communicated from the client node indicating a name of an access point;
  
  obtain at least one user identity and user authentication data for a user of the client node from an authentication server;
  
  authenticate the user with the authentication data and establish the security association;
  
  provide said at least one user identity and an indication of said access point to a gateway node;
  
  provide an address allocated from said access point to said client node;
  
  receive a packet comprising said address as source address;
  
  allow said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
  
  route said packet toward a destination node based on at least said address.

20. A network node, comprising:
- at least one processor; and
  
  at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the network node to at least;
  
  obtain an identity of an access point in at least one authentication message during initialization of a security association with a client node;
  
  obtain at least one user identity and user authentication data for a user of the client node from an authentication server;
  
  authenticate the user with the authentication data and establish the security association;
  
  provide said at least one user identity and an indication of said access point to a control node;
  
  obtain for the user authorization pertaining to said access point, an address allocated from said access point for said client node;
  
  provide said address to said client node;
  
  receive a packet from said client node, said packet comprising said address as source address;
  
  allow said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
  
  route said packet toward a destination node based on at least said destination address.

21. An apparatus, comprising:
- at least one processor; and
  
  at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the apparatus to at least;
  
  obtain an identity of an access point in at least one authentication message during initialization of a security association with a client node;
  
  obtain at least one user identity and user authentication data for a user of the client node from an authentication server;
  
  authenticate the user with the authentication data;
  
  provide said at least one user identity and an indication of said access point to a control node;
  
  obtain for the user authorization pertaining to said access point;
  
  obtain an address allocated from said access point for said client node;
  
  provide said address to said client node;
  
  receive a packet from said client node, said packet comprising said address as source address;
  
  allow said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
  
  route said packet toward a destination node based on at least said destination address.

22. A network node, comprising:
- at least one processor; and
  
  at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the network node to at least;
  
  establish a security association with a client node, where establishing comprises at least one authentication message communicated from the client node indicating an identity of an access point;
  
  obtain at least one user identity and user authentication data from an authentication server;
  
  request a creation of a packet data protocol context from a second gateway node, where said request comprises said at least one user identity and an indication of said access point;
  
  authenticate the user with the authentication data;
  
  receive said packet data protocol context, where session control node information is included in at least one protocol configuration option of said packet data protocol context; and
  
  provide said session control node information to said client node in a configuration payload of a security association related message.

23. An apparatus, comprising:
- at least one processor; and
  
  at least one memory storing computer program code, where the at least one memory storing the computer program code is configured, by the at least one processor, to cause the apparatus to at least;
  
  establish a security association with a client node, where establishing comprises at least one authentication message communicated from the client node indicating an identity of an access point;
  
  obtain at least one user identity and user authentication data for a user of the client node from an authentication server;
  
  request a creation of a packet data protocol context from a second gateway node,receive said packet data protocol context, where session control node information is included in at least one protocol configuration option of said packet data protocol context;
  
  authenticate the user with the authentication data; and
  
  provide said session control node information to said client node in a configuration payload of a security association related message.

24. A non-transitory computer readable medium embodying a computer program, the computer program executable by a data processor to perform:
- establishing a security association with a client node, where establishing comprises at least one authentication message communicated from the client node indicating an identity of an access point;
  
  obtaining at least one user identity and user authentication data for a user of the client node from a server;
  
  authenticating the user with the authentication data;
  
  providing said at least one user identity and an indication of said access point to a gateway node;
  
  providing an address allocated from said access point to said client node;
  
  receiving a packet comprising said address as source address;
  
  allowing said packet based on said authorization pertaining to said access point and firewall rules allowing communication by said access point for said source address to a destination address indicated in said packet; and
  
  routing said packet toward a destination node based on at least said destination address.
- View Dependent Claims (25, 26, 27)
- - 25. The computer readable medium according to claim 24, wherein said computer readable medium is a removable memory card.
  - 26. The computer readable medium according to claim 24, wherein said computer readable medium is a removable memory device.
  - 27. The computer readable medium according to claim 24, wherein said computer readable medium is a magnetic disk, a holographic memory or an optical disk.

28. A non-transitory computer readable medium embodying a computer program, the computer program executable by a data processor to perform:
- obtaining an identity of an access point in at least one authentication message communicated during initialization of a security association with a client node;
  
  obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;
  
  authenticating the user with the authentication data and establishing the security association;
  
  providing said at least one user identity and an indication of said access point to a control node;
  
  obtaining for the user authorization pertaining to said access point;
  
  obtaining an address allocated from said access point for said client node;
  
  providing said address to said client node;
  
  receiving a packet from said client node, said packet comprising said address as source address;
  
  allowing said packet based on said authorization pertaining to said at least one access point and firewall rules allowing communication by said at least one access point for said source address to a destination address indicated in said packet; and
  
  routing said packet toward a destination node based on at least said destination address.
- View Dependent Claims (29, 30, 31)
- - 29. The computer readable medium according to claim 28, wherein said computer readable medium is a removable memory card.
  - 30. The computer readable medium according to claim 28, wherein said computer readable medium is a removable memory device.
  - 31. The computer readable medium according to claim 28, wherein said computer readable medium is a magnetic disk, a holographic memory or an optical disk.

32. A non-transitory computer readable medium embodying a computer program, the computer program executable by a data processor to perform:
- establishing a security association with a client node, where establishing comprises at least one authentication message communicated from the client node indicating an identity of an access point;
  
  obtaining at least one user identity and user authentication data for a user of the client node from an authentication server;
  
  requesting a creation of a packet data protocol context from a second gateway node,authenticating the user with the authentication data, where said request comprises said at least one subscriber identity and an indication of said access point;
  
  receiving said packet data protocol context, where session control node information is included in at least one protocol configuration option of said packet data protocol context; and
  
  providing said session control node information to said client node in a configuration payload of an security association related message.
- View Dependent Claims (33, 34, 35)
- - 33. The computer readable medium according to claim 32, wherein said computer readable medium is a removable memory card.
  - 34. The computer readable medium according to claim 32, wherein said computer readable medium is a removable memory device.
  - 35. The computer readable medium according to claim 32, wherein said computer readable medium is a magnetic disk, a holographic memory or an optical disk.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Conversant Wireless Licensing S.à.r.l. (f/k/a Core Wireless Licensing S.a.r.l.) (MOSAID Technologies Inc. (f/k/a Conversant Intellectual Property Management))
Original Assignee
Nokia Corporation
Inventors
Makela, Riku-Ville
Primary Examiner(s)
Shah; Chirag G
Assistant Examiner(s)
NGUYEN, MINH TRANG T

Application Number

US11/707,020
Publication Number

US 20080198861A1
Time in Patent Office

1,327 Days
Field of Search

None
US Class Current

370/401
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/162   at the data link layer

H04L 65/1016   IP multimedia subsystem [IMS]

H04L 65/1104   Session initiation protocol...

H04L 67/14   Session management for real...

H04L 67/142   Managing session states for...

H04L 67/143   Termination or inactivation...

H04L 67/147   Signalling methods or messa...

H04W 12/06   Authentication

H04W 12/72   Subscriber identity

H04W 88/16   Gateway arrangements

Method for the routing and control of packet data traffic in a communication system

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Method for the routing and control of packet data traffic in a communication system

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links