Communication system and method for providing a mobile communications service

US 8,688,077 B2
Filed: 08/29/2005
Issued: 04/01/2014
Est. Priority Date: 09/30/2004
Status: Active Grant

First Claim

Patent Images

1. A communication system for providing a mobile telecommunication service, comprising:

a communication network configured to transmit messages based upon an Internet protocol;

a mobile computer;

an access network for the mobile computer in which messages are transferred using a multicast process;

a network connection computer that connects the access network to the communication network;

a plurality of access points in the access network, each access point having at least one respective access point connection computer configured to establish a communication connection with the mobile computer; and

an authentication verification computer for establishing and managing trusted relationships between a plurality of communication elements;

wherein the network connection computer and the access point connection computer are each configured to execute a packet filtering method for security-related protection of the communication system when receiving and transmitting messages;

the packet filtering method executed by the access point connection computers comprising;

determining a source address of a message, andrejecting the message if that message has at least one access point connection rejection characteristic, the at least one access point connection rejection characteristic being at least one of a source address identifying a non-mobile communication element that originates from a wireless link, message information that indicates the message arrives at an upstream interface and originates from a wireless link, and the message is an advertisement message from an access point that arrives at an input-side interface and originates from a wireless link;

the packet filtering method executed by the network connection computer comprising;

determining a source address of a message, andrejecting the message if that message has at least one network connection rejection characteristic, the at least one network connection rejection characteristic being at least one of the source address of the message indicates the message is from a mobile computer, the source address of the message indicates that the message is from the access network, the source address of the message indicates the message is a MOMBASA-internal message, the message conforms to the Internet Group Management Protocol, and the message conforms to the Independent Multicast-Sparse Mode protocol; and

wherein the network connection computer and the authentication verification computer are configured to execute an overload control method by providing a communication protocol for the communication elements in order to prevent a malfunction of the communication elements as a result of an attack.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a communication system and a method for providing a mobile telecommunication service. A communication network transmits messages on the basis of at least one internet protocol. A network connection computer connects an access network for mobile computers and the communication network. The access network is equipped with several access points comprising corresponding access point connection computers, which are configured to create a communication connection between variable access points and the mobile computers. An authorization verification computer establishes and manages trusted relationships between several communication elements. The network connection computer and the access point connection computer are configured to execute packet filtering during the receipt and transmission of messages for the secure protection of the communication system.

20 Citations

View as Search Results

17 Claims

1. A communication system for providing a mobile telecommunication service, comprising:
- a communication network configured to transmit messages based upon an Internet protocol;
  
  a mobile computer;
  
  an access network for the mobile computer in which messages are transferred using a multicast process;
  
  a network connection computer that connects the access network to the communication network;
  
  a plurality of access points in the access network, each access point having at least one respective access point connection computer configured to establish a communication connection with the mobile computer; and
  
  an authentication verification computer for establishing and managing trusted relationships between a plurality of communication elements;
  
  wherein the network connection computer and the access point connection computer are each configured to execute a packet filtering method for security-related protection of the communication system when receiving and transmitting messages;
  
  the packet filtering method executed by the access point connection computers comprising;
  
  determining a source address of a message, andrejecting the message if that message has at least one access point connection rejection characteristic, the at least one access point connection rejection characteristic being at least one of a source address identifying a non-mobile communication element that originates from a wireless link, message information that indicates the message arrives at an upstream interface and originates from a wireless link, and the message is an advertisement message from an access point that arrives at an input-side interface and originates from a wireless link;
  
  the packet filtering method executed by the network connection computer comprising;
  
  determining a source address of a message, andrejecting the message if that message has at least one network connection rejection characteristic, the at least one network connection rejection characteristic being at least one of the source address of the message indicates the message is from a mobile computer, the source address of the message indicates that the message is from the access network, the source address of the message indicates the message is a MOMBASA-internal message, the message conforms to the Internet Group Management Protocol, and the message conforms to the Independent Multicast-Sparse Mode protocol; and
  
  wherein the network connection computer and the authentication verification computer are configured to execute an overload control method by providing a communication protocol for the communication elements in order to prevent a malfunction of the communication elements as a result of an attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The communication system as claimed in claim 1, wherein the packet filtering method executed by the network connection computer and the packet filtering method executed by the access point connection computers are also configured to repel a predetermined class of attacks which use deliberately changed source addresses.
  - 3. The communication system as claimed in claim 2, wherein the packet filtering method executed by the network connection computer and the packet filtering method executed by the access point connection computers are also configured to protect an internal message exchange within the access network from external attacks.
  - 4. The communication system as claimed in claim 1, wherein the authentication verification computer is configured to establish and manage at least one permanent trusted relationship:
    - between each of the access point connection computers and the authentication verification computer, orbetween the network connection computer and the authentication verification computer, orbetween the network connection computer and each of the access point connection computers, orbetween communication elements in a network area which are configured to receive a uniform paging service.
  - 5. The communication system as claimed in claim 1, wherein the authentication verification computer establishes and manages a permanent trusted relationship between the authentication verification computer and the mobile computer.
  - 6. The communication system as claimed in claim 1, wherein during an initial registration of the mobile computer, the authentication verification computer establishes and manages a temporary trusted relationship between the mobile computer and at least one of the communication elements.
  - 7. The communication system as claimed in claim 1, wherein the authentication verification computer is configured to execute an overload control method according to a token bucket method.

8. A method for providing a mobile telecommunication service via a communication network configured to transmit messages based upon an Internet protocol, comprising:
- transmitting a message via a multicast process within an access network for mobile computers;
  
  connecting a plurality of access points in the access network to the communication network via a network connection computer, each access point having or being connected to an access point connection computer;
  
  establishing a communication connection between the access network and a mobile computer to communicate with the access points;
  
  establishing and managing trusted relationships between a plurality of communication elements of the communication network via the authentication verification computer;
  
  executing at least one packet filtering method for security protection of the communication network at boundaries of the access network when receiving and transmitting messages via at least one of the network connection computer and at least one of the access point connection computers;
  
  the at least one packet filtering method comprising at least one of a packet filtering method executed by the network connection computer and a packet filtering method executed by at least one of the access point connection computers;
  
  the packet filtering method executed by the network connection computer comprising;
  
  determining a source address of a message, andrejecting the message if that message has at least one network connection rejection characteristic, the at least one network connection rejection characteristic being at least one of the source address of the message indicates that the message is from a mobile computer, the source address of the message indicates the message is from the access network, the source address of the message indicates the message is a MOMBASA-internal message, the message conforms to the Internet Group Management Protocol, and the message conforms to the Independent Multicast-Sparse Mode protocol; and
  
  the packet filtering method executed by at least one of the access point connection computers comprising;
  
  determining a source address of a message, andrejecting the message if that message has at least one access point connection rejection characteristic, the at least one access point connection rejection characteristic being at least one of the source address identifying a non-mobile communication element that originates from a wireless link, message information that indicates the message arrives at an upstream interface and originates from a wireless link, and the message is an advertisement message from an access point that arrives at an input-side interface and originates from a wireless link; and
  
  executing an overload control via the network connection computer and the authentication verification computer via a communication protocol for communication elements of the communication network in order to prevent malfunction of one of the communication elements as a result of an attack.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The method as claimed in claim 8, wherein the at least one packet filtering method is also comprised of a packet filtering method configured for repelling a predetermined class of attacks using deliberately changed source addresses is executed.
  - 10. The method as claimed in claim 9, wherein the at least one packet filtering method is also executed for protection of an internal message exchange within the access network from external attacks.
  - 11. The method as claimed in claim 8, wherein a distribution of keys to adjacent communication elements of an access point of the access network provides for a further access point to execute local authentication of a mobile computer while automatically tracking an existing useful data connection.
  - 12. The method as claimed in claim 8, wherein the overload control is executed during an initial registration process of the mobile computer or while executing or updating paging services.
  - 13. The method as claimed in claim 8, wherein the overload control is implemented by a Linux net filter architecture.
  - 14. The method as claimed in claim 8, wherein the overload control is executed on a plurality of levels.
  - 15. The method as claimed in claim 8, wherein the overload control is executed decentrally on a level of geographical cells.
  - 16. The method as claimed in claim 8, wherein the overload control is executed centrally on a level of the total network load.
  - 17. The method as claimed in claim 8, wherein the overload control is executed according to a token bucket method.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unify GmbH & Co. KG (Atos SE)
Original Assignee
Unify GmbH & Co. KG (Atos SE)
Inventors
Fartmann, Alfons, Schafer, Gunter, Totzke, Jurgen, Westerhoff, Lars
Primary Examiner(s)
SAMS, MATTHEW C

Application Number

US11/547,815
Publication Number

US 20070287422A1
Time in Patent Office

3,137 Days
Field of Search

455/411, 455/403
US Class Current

455/411
CPC Class Codes

H04L 12/185   with management of multicas...

H04L 12/1886   with traffic restrictions f...

H04L 12/189   in combination with wireles...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/14   for detecting or protecting...

H04W 12/122   Counter-measures against at...

H04W 12/125   Protection against power ex...

H04W 12/126   Anti-theft arrangements, e....

H04W 4/06   Selective distribution of b...

H04W 80/04   Network layer protocols, e....

Communication system and method for providing a mobile communications service

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Communication system and method for providing a mobile communications service

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links