CN1267414A - Implementation of access service - Google Patents

Publication number
CN1267414A
Authority
CN
China
Prior art keywords
terminal
message
access
network
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN98808149.0A
Other languages
Chinese (zh)
Inventor
菲利普·金兹伯格
简·埃里克·埃克伯格
佩克·莱廷
安特·伊拉·杰西卡
帕特里克·弗莱克特
汤姆·索迪伦格
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Oyj
Original Assignee
Nokia Networks Oy
Priority claimed from FI972980A (FI104667B)
Application filed by Nokia Networks Oy
Publication of CN1267414A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/14 Charging, metering or billing arrangements for data wireline or wireless communications
    • H04L12/141 Indication of costs
    • H04L12/1414 Indication of costs in real-time
    • H04L12/1403 Architecture for metering, charging or billing
    • H04L12/1421 Indication of expected costs
    • H04L12/1425 Charging, metering or billing arrangements for data wireline or wireless communications involving dedicated fields in the data packet for billing purposes
    • H04L12/1428 Invoice generation, e.g. customization, lay-out, database processing, algorithms for calculating the bill or formatting invoices as WWW pages
    • H04L12/1453 Methods or systems for payment or settlement of the charges for data transmission involving significant interaction with the data transmission network
    • H04L12/1464 Methods or systems for payment or settlement of the charges for data transmission involving significant interaction with the data transmission network using a card, such as credit card, prepay card or SIM
    • H04L12/1471 Methods or systems for payment or settlement of the charges for data transmission involving significant interaction with the data transmission network splitting of costs
    • H04L12/1482 Methods or systems for payment or settlement of the charges for data transmission involving significant interaction with the data transmission network involving use of telephony infrastructure for billing for the transport of data, e.g. call detail record [CDR] or intelligent network infrastructure
    • H04L12/1485 Tariff-related aspects
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2801 Broadband local area networks
    • H04L12/2854 Wide area networks, e.g. public data networks
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/2869 Operational details of access network equipments
    • H04L12/287 Remote access server, e.g. BRAS
    • H04L12/2874 Processing of data for distribution to the subscribers
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/167 Adaptation for transition between two IP versions, e.g. between IPv4 and IPv6
    • H04M TELEPHONIC COMMUNICATION
    • H04M15/00 Arrangements for metering, time-control or time indication; Metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
    • H04M15/09 Third party charged communications
    • H04M15/80 Rating or billing plans; Tariff determination aspects
    • H04M15/8033 Rating or billing plans; Tariff determination aspects location-dependent, e.g. business or home
    • H04M2215/00 Metering arrangements; Time controlling arrangements; Time indicating arrangements
    • H04M2215/22 Bandwidth or usage-sensitive billing
    • H04M2215/66 Third party billing, i.e. third party can also be the predetermined telephone line of the caller if he is calling from another telephone set
    • H04M2215/74 Rating aspects, e.g. rating parameters or tariff determination aspects
    • H04M2215/7435 Location dependent, e.g. Business or home


Abstract

The invention relates to the implementation of access service in a telecommunications network comprising an access network, a network providing services, and user-operated terminals (TE1... TE3, PC) connected to the access network. The access service is provided by connecting the user terminal to the network providing the services through interface elements that connect the access network to the network providing the services, and in response to the access service at least one charging record is generated for transmission to the billing means (BS) for billing the access service subscriber for the access service provided. To ensure that reliable and versatile billing can be incorporated into the system in a connectionless network, the start-up of a single access service session is indicated by generating a start-up message for charging purposes at the moment when the user connects to the access network through the terminal, charging records with a digital signature associated with the said access service session are generated and the generated signatures verified. The terminal is given access to the network providing the services, if the said messages are generated in an acceptable manner. The object generating the start-up messages can be modified according to the type of network involved.

Description

Implementation of access service
The present invention relates generally to the implementation of an access service in a telecommunications system, and in particular to implementing charging for the access service. In this context, the term "access service" means a service that gives a network user, for example a telephone network user or a LAN user, access to a network providing services, for example the Internet, or to the part of a network in which those services are provided.
Optical fiber is a natural choice of transmission medium for trunk networks, because trunk connections usually need high transmission capacity, transmission distances are long, and existing cable routes are often available. The situation for subscriber connections (the line between the local exchange and the subscriber) is also changing rapidly, because multimedia services that require high transmission rates may soon become common among individual consumers as well.
However, no significant reduction is in sight in the construction costs of future networks that provide broadband services. On the one hand, it is desirable to lay as much optical fiber as possible in the subscriber network, because it will clearly be needed in the future. On the other hand, the cost of rebuilding the subscriber network is extremely high, and the modernization will take decades. High cost has therefore become the main obstacle to the widespread use of optical fiber in the subscriber network.
For these reasons, more effective steps have been taken to develop the possibility of using the conventional subscriber line (twisted pair) for high-speed data transmission, that is, at rates clearly above the ISDN basic access rate (144 kbit/s). The existing ADSL (Asymmetric Digital Subscriber Line) and HDSL (High bit rate Digital Subscriber Line) technologies open up new possibilities for delivering high-speed data and video to user terminals over telephone lines.
An ADSL transmission connection is asymmetric: the transmission rate from the network to the subscriber is much higher than the rate from the subscriber to the network. ADSL is therefore mainly used for various subscriber services ("on-demand" services). The ADSL transmission rate from the network to the subscriber is of the order of 2 to 6 Mbit/s, and from the subscriber to the network 16 to 640 kbit/s (control channel only).
HDSL transmission technology is used to carry 2 Mbit/s digital signals over twisted-pair cable. HDSL is symmetric: its transmission rate is the same in both directions. A single HDSL transceiver system comprises transceivers that use echo cancellation and are interconnected by a bidirectional transmission path formed by a twisted pair. An HDSL transmission system can comprise one, two or three such transceiver systems in parallel; with two or three parallel pairs, the rate of each parallel transmission connection is below 2 Mbit/s: 784 kbit/s for three parallel pairs and 1168 kbit/s for two parallel pairs. International recommendations define how 2 Mbit/s signals, for example the VC-12 signal of the SDH network or a 2048 kbit/s signal compatible with CCITT G.703/G.704, are transmitted in an HDSL system.
Because the schemes above provide rates of only about 1 to 6 Mbit/s, it has been necessary to look for subscriber line technologies that allow ATM-level rates (10 to 55 Mbit/s). The international standards organization ETSI (European Telecommunications Standards Institute) is drafting a standard for VDSL (Very high data rate Digital Subscriber Line) equipment that allows such rates. VDSL can be used for both symmetric and asymmetric connections.
The techniques above for high-speed data transmission over twisted pair are collectively abbreviated xDSL. Although broadband services cannot yet be delivered to end users over optical fiber, telecom operators can offer these services over existing subscriber lines using these techniques. ADSL is currently the most promising technique for implementing broadband services, so it is used here as an example of a connection technique that offers them.
The ADSL Forum has defined a generic network model for xDSL connections, shown in Fig. 1. The device that connects to the line at the subscriber end is called the ATU-R (ADSL Transmission Unit - Remote), and the device that connects to the line at the network end (at the local exchange) is called the ATU-C (ADSL Transmission Unit - Central). These devices are also called ADSL modems (or ADSL transceivers), and an ADSL link is formed between them. High-speed data from the ADSL connection is coupled onto the subscriber line so that the subscriber can still use conventional narrowband POTS/ISDN services while also having access to the high-speed data connection. The narrowband and broadband services are separated from each other by a PS filter (POTS splitter), which separates the ADSL signal and the narrowband signal in frequency.
The terminals TE at the end user can be of different types, for example a CATV terminal TE1, a PC TE2, or an ISDN telephone TE3. For each terminal the system has a service module SMi (i=1...3), which performs the functions needed to adapt the terminal. Such service modules include set-top boxes, PC interfaces, and LAN routers. The premises distribution network PDN at the subscriber's premises connects the ATU-R to the service modules.
At the network end of the ADSL link, the access node AN forms the concentration point for narrowband and broadband data, where traffic from different service systems, carried over different networks, is brought together. The access node can be located, for example, at the central exchange of a telephone network.
In Fig. 1, the letter A denotes the private part of the network, B the public part of the network, and C the network at the subscriber's premises (in which telephony is naturally located).
One problem with networks of this type is how to charge the end user for access (that is, for use of the subscriber line) to the services offered by service systems, such as Internet services. Charging should preferably be based on time, on the amount of data transferred, or on both. The problem arises mainly because the network may be connectionless. In other words, the network may carry no connection set-up and release messages (such as SETUP and RELEASE), so charging cannot be done in the same way as in the conventional telephone network, where it is based on connection set-up and release events. Second, manufacturers of xDSL modems do not include in their equipment features that would allow charging based on events or on the amount of data transferred. The data needed for charging therefore cannot be obtained by querying the modems.
Note that if the terminal is an ISDN or ATM terminal, each session begins with a SETUP message and ends with a RELEASE message, and in that case event-based charging can be implemented by conventional methods. The problem above therefore affects networks in which the network portion between the terminal and the access node, or at least the link between the terminal TE and the distribution network PDN, is connectionless. More precisely, the transmission path between the terminal and the access node can be built so that the path between the access node and the ATU-R is connection-oriented (for example ATM-based), while the part between the ATU-R and the terminal is connectionless (for example an Ethernet link).
In connectionless systems that support terminal mobility, the problem is likewise how to charge for the end user's access service. This is because protocols that support terminal mobility (for example Mobile IP; IP = Internet Protocol) do not allow network users to be classified by particular criteria, for example by customer and charging.
With fixed terminal equipment, the problem is further complicated when several customers use the same subscriber line, which makes it impossible to distinguish users by line. This happens, for example, when a terminal is placed in public premises, such as a library or bookshop, to give the public access to broadband services. The same problem arises when an employee wants to work from home by setting up a connection to the employer's LAN. In that case it cannot be determined that the bill for the session should go to the employer rather than to the user. More precisely, the system cannot tell when the user is connected as an employee (and the bill should be paid by the employer) and when as a private user (who pays his or her own bill).
Hereafter, the term "user" refers to the person using the terminal, and the term "permit holder" refers to the organization or individual who pays for the service use. The user may also be the permit holder.
The object of the invention is to eliminate the drawbacks above and to provide a scheme for implementing an access service in a connectionless network, using equipment that is as simple as possible while ensuring that reliable and flexible billing can be integrated into the system. A further object of the invention is to provide a scheme that is suitable for networks supporting terminal mobility, and also for cases where the bill must be sent to an address other than the one determined from the subscriber line or the user identified by the terminal's network address.
These objects are achieved by the scheme defined in the independent patent claims.
First, the idea of the invention is that when the user accesses the network, a start-up message is used to indicate the start of an individual session. The entity that generates the start-up message can vary from system to system, and the start-up message can be sent in different ways to the element that handles billing. Second, the idea of the invention is to generate verifiable charging messages in the network; these are associated with the service session initiated by the start-up message and carry a digital signature specific, for example, to the permit holder. Access to the network is allowed (or denied) according to whether the terminal generates these charging records correctly.
One benefit of this scheme is that access rights can be restricted to paying customers, and different users at the same source address can be distinguished for billing purposes. If several users use the same subscriber line, the terminal indicates the permit holder identity associated with the current user, and the signature is verified by comparison with the data of the correct permit holder.
In principle, all the factors relevant to information security are easy to implement in this system: authentication, data integrity, non-repudiation (neither party to a data transfer can later deny having taken part in the transaction) and confidentiality (an eavesdropper cannot decipher any captured data).
An important additional advantage of this system is that, once the customer has gained access to the network providing services, for example the Internet, the customer can at the same time be charged for the services he or she uses. On the terminal display, the customer can see the charging data both for the connection itself and for the services used, and receives all charging data fully itemized on the regular (for example monthly) bill.
The system can also use an existing billing system (for example the one in the telephone network), so no new solutions or investment are needed in this respect.
The invention and its preferred embodiments are described in detail below with reference to the examples of Figs. 2 to 15 of the accompanying drawings, in which:
Fig. 1 illustrates the generic network model defined by the ADSL Forum;
Fig. 2 shows a network environment in which the method proposed by the invention can be used;
Figs. 3a and 3b show a system operating according to the invention in the network environment of Fig. 2;
Figs. 3c and 3d show an alternative to the system of Figs. 3a and 3b;
Fig. 4 shows the dialog box that appears on the terminal display;
Fig. 5 illustrates the messages exchanged between the different system components;
Fig. 6 describes in detail the operation between the access server and the router;
Fig. 7a shows the main window of the terminal display;
Fig. 7b shows the bill to be sent to the customer;
Fig. 7c shows the user's deficit when the accounting server has not received all the required payments;
Fig. 7d shows the user's deficit when the clocks of the accounting server and the terminal have lost synchronization;
Fig. 8 shows the structure and content of a charging record;
Fig. 9a shows the structure of the terminal as a functional block diagram;
Fig. 9b gives a detailed description of the structure of the CDR generator;
Fig. 10 shows the structure of the accounting server as a functional block diagram;
Fig. 11 shows the structure of the access server as a functional block diagram;
Fig. 12 illustrates the messages associated with a preferred additional feature of the system;
Fig. 13 illustrates the messages between the different system components when the network uses the Mobile IP protocol, which allows IP layer-two mobility;
Fig. 14 illustrates the messages between the different system components when the network uses the IPv6 protocol; and
Fig. 15 shows a system according to the invention that supports IP layer-two mobility.
The operating environment of the invention is described in detail below with reference to the example of Fig. 2, which shows the generic network model of Fig. 1 in simplified form. The network is assumed to include an operator that provides Internet service and is therefore called the access service provider. The example shows only one terminal, typically a personal computer PC with a network interface (for example an Ethernet card), connected by a LAN cable LC1 (for example 10BaseT) to an ADSL modem A1, which in turn is connected over an ordinary subscriber line SL to an ADSL modem A2 at the access service provider's premises. Because the twisted pair that serves as the subscriber line terminates at the telephone operator's exchange, modem A2 must be located at the exchange premises to ensure maximum reach.
For this example, the operator providing Internet service is assumed to be the telecom operator as well. However, the telecom operator may provide only telephone service through the POTS splitter, or lease the connection to another service provider that offers the broadband services. Future antitrust legislation may even force telecom operators to adopt this policy unless they can provide broadband services themselves.
In the network of Fig. 2, the network PDN at the end user's premises reduces to a point-to-point connection between the terminal and the access service provider. Modem A2 is connected by a LAN cable LC2 (for example 10BaseT) to the service provider's LAN switch SW. This switch connects the different users to the access service provider's network APN, which is connected to the Internet through a router R1 acting as a gateway. The access network part of the system is denoted N1 in Fig. 2, and the external network providing services is denoted N2. The access network can also be regarded as the part of the network that connects the terminal to the part of the network providing services (so router R1 can also be assumed to be part of the access network).
In this embodiment, Ethernet frames are carried over the ADSL connection, and the modem pair acts as a bridge between the user's LAN segment and the access service provider's LAN segment. In practice, the LAN switch can be, for example, the Centillion 100 made by Bay Networks, USA, or the Catalyst 3000 made by Cisco Systems, USA.
Fig. 3a illustrates how the method according to the invention is applied in the network environment of Fig. 2. The end-user terminal (PC) includes a smart card reader CR, and each customer is issued a personal smart card that identifies the customer (user). In addition, the terminal contains a program library for communicating with the smart card, and software that, while the connection is in progress, generates charging records carrying the user's digital signature at predetermined intervals (for example one minute) and sends them to the network.
The accounting server WD verifies and collects the charging records generated by the terminals, and is connected to the access service provider's network APN. The network may contain several accounting servers, but each terminal has only one dedicated accounting server. The accounting server is equipped with a memory MS, for example tape, that stores all the charging records the accounting server has accepted. The accumulated charging records are sent periodically to the billing system BS, which is preferably the existing billing system of the public switched telephone network PSTN or, for example, a system similar to the existing billing system but located in a broadband network. The network NW1 through which the accounting server is connected to the billing system is shown in the figure only in outline, so NW1 can consist of the public switched telephone network or of a packet or data network. As the number of systems used for charging Internet services grows, a billing system of this kind (located in the Internet) can also be used for this purpose. This possibility is indicated by the dashed line in the figure. The accounting server can also be connected directly to the billing system. Before being transferred to the billing system, the charging records can be stored temporarily in a mass storage device MS1, which serves as intermediate storage; its purpose is described later.
In addition, an access server SL is connected to the access service provider's network. The task of the access server SL is to switch the Internet connection on and off by controlling the router/hub R1, which acts as the link between the access network and the network providing services.
In a preferred embodiment, the system includes a DHCP (Dynamic Host Configuration Protocol) server of a known kind, which dynamically assigns IP addresses to terminals. With dynamic allocation, an address returns to the pool of assignable addresses once the connection ends or the predetermined lease period of the address expires. (DHCP is described in R. Droms, "Dynamic Host Configuration Protocol", RFC 1541, published 27 October 1993.)
The accounting and access servers are preferably located at the access service provider's front end. They need not be physically separate and can be integrated into one unit. If the accounting server is owned by an independent organisation that provides billing services to several access service providers, as is sometimes the case, it can be located on the Internet side of the system. Logically the location of the accounting server does not matter, but in practice the choice is influenced by factors such as the following. First, it is advisable to install the accounting server in the public switched telephone network or close to it, to ensure easy access to the telephone network's existing billing system. For efficiency, the connection between the terminal and the accounting server must be as fast as possible so that any delay is easy to control (which is not always the case if the accounting server is far away in the Internet). Because the client is billed for service use, for example, once a month, and because the system is also designed to provide local service (within a limited geographical area), there is no reason to place the accounting server far from the client.
The POTS splitter (see Fig. 1) is omitted from Figs. 2 and 3a, because the splitter can also be integrated into the ATU.
Fig. 3b shows an alternative system that has a router R2 between the access service provider's network APN and the switch SW; it is otherwise entirely similar to the system of Fig. 3a. In this embodiment, router R2 is controlled by the access server. The access control point can be located in either of the two routers. Router R2 routes traffic from the terminal either to servers located in the access service provider's network or to router R1. Access control points can also be placed in both routers at once. This can be the case, for example, when some services are located in the access network and the rest elsewhere.
Figs. 3c and 3d show two further alternative network configurations. In the case of Fig. 3c, several individual access service providers are connected to a shared router R1, which is connected through a separate access network CAN to the router controlled by the access server. In the case of Fig. 3d, each access service provider has its own router (not shown), so their networks are connected directly to the access network.
According to a preferred embodiment of the invention, the transmission paths between the access server and the access control point, and between the access server and the accounting server, are secure, so that the confidentiality of the transmitted data is ensured. This can be achieved either by using a dedicated transmission medium (a point-to-point connection) between the network elements concerned that other parties physically cannot access, or by using encrypted transmission between these elements. Secure transmission connections prevent unauthorised use of the system.
The operation of the system according to the invention is described in detail below with reference to Figs. 4 to 6. For ease of description, the system is assumed to correspond to Fig. 3a.
Charging can begin when the user inserts his or her smart card into the card reader connected to the terminal. The program residing in the terminal opens a window on the terminal display. This window is called the dialog box, and Fig. 4 shows an example. Using the drop-down lists of the dialog box, the user can select the type of connection required. Connections can be divided into different types, for example by distinguishing connections with full Internet capability from limited connections, such as a permanent connection to an e-mail server that can notify the user of new e-mail messages in real time. The latter kind of service can be considerably cheaper than a connection with full Internet capability (for example, FIM 5 per day). Limited connections of this kind can also be created to services other than an e-mail server, for example a workplace LAN server. The user can also select a preferred operator, or choose between an encrypted and an unencrypted connection, from the menu.
The services selectable from the drop-down list of the dialog box can be stored in the terminal or on the smart card, so that the dialog box can be opened before the terminal sets up a connection to the network. Alternatively, when the user inserts the smart card into the reader, the terminal can first automatically retrieve the latest service list from the access server, the accounting server or another network server. This makes the delay slightly longer, but the user can then always choose from the latest services and can also receive current tariff information. The service selection offered by the dialog box can also be updated automatically during a connection, so that the terminal (or smart card) always holds a record of the services available during the last access session.
The smart card holds a record of the user's profile data, which in this example consists of the user name (in ASCII format), the user identification code, the user's public and private keys, and the user's bill balance. The public key is both readable and usable. The private key, however, is usable only (it cannot be read from the card). Usable means that the key can be used to generate and verify digital signatures, that is, to encrypt and decrypt data. The bill balance is the amount the permit holder has to pay (this amount can be 0 at any time, so it is not the same as the final amount of the actual bill, which means it is for the end user's reference only). In addition, the smart card can store the accounting server's public key, to ensure that messages really originate from the accounting server.
User data such as the name, identifier and private key can be stored in the terminal's memory (on the computer's hard disk or a floppy disk) instead of on the smart card, provided the lower level of data security is acceptable.
Fig. 5 illustrates the communication between the different parts of the system. When the user clicks the connect button of the dialog box, the terminal software sends a service request message Init_Service to the access server SL (Fig. 5). This message contains at least the terminal's current IP address (ClientAddr) and the service type selected from the dialog box menu (Type). The access server verifies the message and sends a start message START to the accounting server WD. The START message contains the user's current IP address (ClientAddr), the address that must be notified when the user stops paying (ServeAddr), the service identifier (ServiceId), the access server identifier (ServerId), and a (temporary) identifier (ConnId) used to associate the different message types exchanged between the servers (START and the messages OK and CANCEL, which are discussed later). The messages Init_Service and START are here called start messages; they indicate the beginning of a single access service session to the access server and the accounting server.
Based on the information received, the accounting server WD generates a charging record (CDR, charging data record) of a particular type. This record contains the contract data relating to the access session, including a contract ID that identifies the active access session. The structure of this charging record is explained later in the description, and that explanation applies to all charging records. The accounting server sends this initial charging message to the terminal (Fig. 5, arrow A). The terminal returns the contract charging record to the accounting server with a digital signature (Fig. 5, arrow B). A digital signature here means a known encryption algorithm based on a key pair, in which encryption is performed with the private key and anyone can decrypt the message with the public key. This does not protect the confidentiality of the message, but it can be used to verify that the message originates from the correct source. The sender therefore cannot later deny having sent the message. When a digital signature is used, it is generally not necessary to encrypt the whole message; only a digest of the message is encrypted, which serves as a kind of checksum. Cryptographically the digest is very secure, and an outsider cannot generate a message with the same digest. The sender's private key is used to encrypt the digest and a timestamp, and together these form the digital signature. There are several known alternative ways of generating a digital signature. However, because the invention does not concern the signing itself, the process is not described in detail here. More detailed information can be found in many books in the field (for example, Schneier, Applied Cryptography, ISBN 0-471-11709-9, Wiley & Sons, 1996).
The terminal can sign the contract CDR (accept the contract) automatically as described above. Alternatively, after receiving the contract CDR from the accounting server, it can show it on the display in a separate contract window that asks the user to confirm acceptance of the access service contract. When the user clicks the accept button of the window, the terminal sends the signed contract CDR to the accounting server.
After receiving the signed contract CDR, the accounting server WD verifies the signature by a known method in order to authenticate the CDR. For this purpose, the accounting server retrieves the user's public key from its customer database (arrow C).
There are several ways to locate the correct public key. In the first, on receiving the contract CDR for signing, the terminal retrieves the client's (user's) name and identifier from the smart card, adds these data to the signed contract CDR, and then sends the contract CDR to the accounting server. The accounting server uses the ID number to retrieve the correct public key from its customer database. In the second scheme, the accounting server checks the client's identity and right of access to the system before generating the contract CDR. When the accounting server receives the START message from the access server, it sends an authentication request (not shown in the figure) to the IP address contained in the START message. In its reply the terminal can include other client-specific information in addition to the client identification code; it then signs the reply and sends the signed reply to the accounting server. The advantage of this scheme is that the accounting server knows the user's identity before it generates the contract and can therefore generate a contract customised for that client (for example, offering different tariffs to different clients). The drawback is that two extra messages are needed, which naturally slows down connection setup. The third scheme is a system in which the terminal inserts the client identification code into the Init_Service message, and the access server forwards the identifier to the accounting server in the START message. In this case both the accounting server and the access server know the client identification code. This may be a drawback if the accounting server and the access server belong to different organisations, but it can be remedied as follows. The client identifier is formed of two parts. The first part identifies the client's origin (that is, the client's dedicated accounting server) and is used to route the START message to the accounting server concerned. The second part is encrypted with the public key of the client's dedicated accounting server, which means that the access server cannot identify it. The client identifier can also be made to differ from one service instance to another, for example by appending to it a character string of standard length that changes with each service instance, for example as a function of time. (The client identifier thus comprises an area code and a signature. The area code is necessary if ADSL users have contracts with different (several) billing service providers.)
The accounting server stores the accepted contract CDR in its billing database for a period of time (arrow D), in case the client later makes a complaint about the service. The accounting server then sends an OK message to the access server, requesting it to give this client access to the network (arrow E). The message contains the identifier (ConnId) described above, used to identify the connection-specific messages, and the contract identifier (ContractId) assigned to the service session. The access server then instructs router R1 to allow the client access to the (Internet) network. This step is indicated by arrow F in Fig. 5 and is described in detail below with reference to Fig. 6.
After this the user has access to the network. The phase in which the user uses the services offered by the network is described in detail below.
If the accounting server does not accept the charging record (for example, because the signature is incorrect), it sends a CANCEL message instead of the OK message. CANCEL contains the same fields as OK, although the contract identifier is not needed because the user has not been given access to the network at this point.
A similar CANCEL is sent (arrow G) if the connection is interrupted when the user stops using the terminal, but because this is a normal disconnection, the contract identifier contained in the message must also be used. CANCEL is therefore structurally the same in both cases but differs in function according to the point in time at which it is received. The access server can disconnect a user for other reasons, for example in an overload situation (if spare capacity must be reserved for important connections, less important connections may need to be terminated). The accounting server can also request the access server to close the connection for some reason, for example in an overload situation or when a specified charging record cannot be retrieved.
The start message from the terminal could also be sent directly to the accounting server. However, when the terminal sends the start message first to the access server, the accounting server interface is the same for all service providers, which allows the accounting server to handle billing for service providers other than the access server as well. If the router can detect traffic from a particular source and notify the access server of it, no start message from the terminal is needed (because the start message can come from the router).
Fig. 6 shows in detail the communication between the access server and the router at the start of a connection (Fig. 5, arrow F). In this example, the connection between the access server and the router is assumed to be a known Telnet connection, because the SNMP protocol (Simple Network Management Protocol) cannot yet be used to update the access list of this router.
The access server SL controls the interface of router R1 through which the user obtains access to the Internet. An access list AL is stored in the router. As shown in Fig. 6, the list can contain five columns: the first shows the IP address (ClientAddr) of a terminal allowed to use the interface, the second the connection identifier (ConnId) mentioned above, the third the contract identifier (ContractId), the fourth the number of packets arriving, and the fifth the number of packets sent. There can be a similar list for each of the two transmission directions of the interface.
When the access server SL receives the OK message from the accounting server, it first sends the router a command that clears the access list. This command is denoted CLEAR_AC. The access server then sends a command that allows all Internet control messages to pass (PERMIT_ICMP). If the accounting server and/or the access server is located on the Internet side of router R1, the access server sends the commands needed to allow all connections to the accounting server and/or the access server (PERMIT_WD and PERMIT_SL). Finally, the access server sends a command that allows access through the interface for a particular terminal. One such command is sent for each ongoing connection (PERMIT_ADDR1...PERMIT_ADDRN). In response to these commands the router updates the access list. The same update is performed for each new connection. In other words, the whole list is first cleared and then rewritten with the new terminal added.
To update the access list, the accounting server sends the addresses of the terminals that are currently paying for access to the network providing the services, or at least any changes relative to the previous access list.
When the user ends the connection, the accounting server sends CANCEL to the access server (Fig. 5, arrow G). The access server then updates the access list as described above, removing this user from the list in the process. This step is indicated by arrow H in Fig. 5.
If connections need to be set up and terminated so quickly that maintaining the list in the manner described above appears too slow, the router can store several update events and include them in the new access list all at once.
In practice, the processing described above can be implemented with, for example, a Cisco model 7000 router with the features of the IOS 11.2 operating system. As mentioned earlier, future routers may include a feature that allows more efficient access list updates in which list entries are modified only when needed.
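The clear-and-rewrite update described above can be sketched as follows. This is an added illustration, not code from the patent: the command strings are the description's symbolic names (CLEAR_AC, PERMIT_ICMP, PERMIT_WD, PERMIT_SL, PERMIT_ADDR) rather than real router syntax, and the class name, the message tuples, the constructed 192.0.2.x addresses and the strict contract-identifier match on CANCEL are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AccessServer:
    """State kept by access server SL (hypothetical model, symbolic commands only)."""
    wd_on_internet_side: bool = False   # accounting server WD lies beyond router R1
    sl_on_internet_side: bool = False   # access server SL lies beyond router R1
    pending: dict = field(default_factory=dict)   # ConnId -> ClientAddr (START sent, no OK yet)
    active: dict = field(default_factory=dict)    # ConnId -> (ClientAddr, ContractId)

    def init_service(self, conn_id, client_addr):
        """Init_Service received: remember the request, but open nothing yet."""
        self.pending[conn_id] = client_addr

    def _apply(self, msg):
        """Apply one OK/CANCEL from the accounting server; True if the list changed."""
        kind, conn_id, contract_id = msg
        if kind == "OK":
            addr = self.pending.pop(conn_id, None)
            if addr is None or contract_id is None:
                return False            # unknown ConnId or no contract: stay closed
            self.active[conn_id] = (addr, contract_id)
            return True
        if kind == "CANCEL":
            if self.pending.pop(conn_id, None) is not None:
                return False            # CANCEL instead of OK: access was never granted
            entry = self.active.get(conn_id)
            if entry is None or entry[1] != contract_id:
                return False            # assumption: a disconnect must name the contract
            del self.active[conn_id]
            return True
        return False

    def rebuild(self):
        """Whole-list rewrite in the order given in the description."""
        cmds = ["CLEAR_AC", "PERMIT_ICMP"]
        if self.wd_on_internet_side:
            cmds.append("PERMIT_WD")
        if self.sl_on_internet_side:
            cmds.append("PERMIT_SL")
        cmds += [f"PERMIT_ADDR {addr}" for addr, _ in self.active.values()]
        return cmds

    def handle(self, *msgs):
        """Process one message, or several stored events, with a single rewrite."""
        changed = [self._apply(m) for m in msgs]
        return self.rebuild() if any(changed) else []


if __name__ == "__main__":
    sl = AccessServer(wd_on_internet_side=True)
    sl.init_service("c1", "192.0.2.10")            # constructed sample address
    print(sl.handle(("OK", "c1", 7001)))
```

Because every update rewrites the whole list from the set of accepted contracts, an OK for an unknown ConnId or a CANCEL that arrives in place of an OK leaves the router untouched.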
Once the connection has been set up, the terminal can use the services offered by the Internet. To keep the connection up, the terminal periodically generates charging records, passes them to the smart card for digital signing, and sends the signed charging records to the accounting server, which stores the accepted charging records in its billing database.
After obtaining access to Internet services through router R1, the user can use his or her service browser (for example a known Web browser) to find suitable services on the Internet and conclude additional contracts with the providers of those services. When the client finds a suitable service, for example a video-on-demand service, he selects it, for example by clicking the appropriate option.
When the client has made a selection, the service provider's server sends the accounting server WD a service identifier, which identifies the film, and the client's identifier. The server can determine the client's identifier, for example, from the source address of the messages received from the client's browser program (for example, the socket address of the TCP connection).
The accounting server WD then starts the process of running this service. First, the accounting server retrieves the parameters corresponding to this service from the service database and then sends the terminal a contract CDR, which contains the charging parameters to be used during the service session and the contract identifier. After receiving this charging record that activates the service, the terminal program opens a window on the terminal display. This window is called the contract window below. Using the information received from the accounting server, the window shows basic data on the parties and the service concerned. The window also shows the contract identifier that identifies this particular service session. The contract thus concerns a single service only, for example viewing the selected film, and this service is entirely separate from the access service. The system therefore charges not only for the access service but for other services at the same time. This charging can depend, for example, on the service content provided.
All currently active contracts are shown in the main window of the terminal (Fig. 7a). Because charging for Internet services on the basis of the content provided is not directly related to the idea of the invention, it is not described in more detail here. The charging procedure is described in detail in PCT patent application PCT/FI97/00685 filed by the same applicant (not yet published when this application was filed).
The accounting server verifies the origin of each charging record with the public key of the client (permit holder) and stores accepted charging records in the billing database. Each CDR sent from the terminal to the accounting server represents a charge for a certain period of access time and contains the contract identifier, which is used to distinguish the services. Because only one system user at a time can use a particular terminal, the signature of the charging records received from a source address remains the same throughout any single access session. All records are accumulated per permit holder and contract identifier. To determine the total bill for each service (for example the access service), the system sums the charged amounts in all charging records associated with the particular contract identifier.
CDRs are sent periodically from the accounting server's billing database to the billing system BS (Fig. 3), which processes them into bills by known methods and sends the bills to clients. Each bill contains a list of services and the charges for all services the client used during the billing period (for example one month). The bill can be delivered as a hard copy by post or sent to the terminal in electronic form. Fig. 7b shows a bill sent to a client. The bill contains the user data and a list of the services used during the billing period. For each service, the bill can specify, for example, the service type, the service provider, the contract identifier under which the service was received, the start time and duration of the service, and the price.
Because the operation of the billing system is known, it is not described in detail here.
For example, the system can use a total of nine types (0 to 8) of charging record (charging message), as follows:
0. Contract: the initial charging record that the accounting server sends (unsigned) to the client (Fig. 5, arrow A). If the client accepts the contract, the terminal signs it and returns it to the accounting server.
1. Payment: during a service session, the client terminal signs charging records of this type and sends them to the accounting server, which verifies them.
2. Last: this CDR is similar to type 1 but contains a statement that it is the last CDR the terminal needs to send during the current service session. When the user terminates the service by pressing the exit button, the terminal first sends a type 1 CDR and then a type 6 CDR. In this way the accounting server can distinguish a user-initiated termination from the normal end of a service (for example, the end of a film). This record type can also be used for one-off charges.
3. Pulse: this CDR type is sent from the accounting server to the terminal. Its purpose is to tell the terminal that it should send a new CDR if the service is to continue. If the terminal does not send a valid CDR within the specified period, the accounting server sends an abort message to the service provider's server.
4. Missing sequence number: the accounting server sends this record to the terminal (during a valid continuous charging contract) to notify it that the accounting server has not received the CDR with a particular sequence number, or that the CDR received was invalid. In this case the terminal can send the CDR again to remedy the situation. This function is, however, optional for both parties. If the terminal does not respond to a CDR of this type, the best option is to ensure that the billing system has no right to charge for the part covered by the missing CDR.
5. Changed contract: this CDR type is sent by the accounting server to the client. It is similar to the type 0 charging record, but the contract identifier in the message is not new; it is the same as the number of the short-term contract currently in use. Such a charging record is sent during a service session to indicate that the charging parameters have changed. The terminal can accept the new contract automatically, for example if the price goes down, and otherwise ask the client whether to accept it.
6. Abort: this CDR type can be sent in either direction to indicate that the contract is terminated. The CDR is signed by its sender.
7. Digital cash: another way of using the billing system is to have the CDRs associated with a particular payment (type 1 or 2) include payment in the form of digital cash. In this case the accounting server does not pass the digital cash to the billing system. Instead, the digital cash is forwarded directly (once a specified, relatively small amount has accumulated) to a bank server or another organisation's network server, which then charges it directly to the client's account. Digital cash can be used together with the centralised billing system BS in the same way as in electronic commerce, or as an alternative to centralised billing.
8. Charging synchronisation: the accounting server sends this record to the terminal (during a valid continuous charging contract) to indicate that the payment CDRs do not cover the per-minute rate of the continuous contract (for example, when the terminal clock runs too slowly). The synchronisation CDR shows how much the client should pay to keep the contract valid.
Fig. 5 illustrates the charging process for a single service. The type of each message is shown at the arrow representing the message. The figure illustrates a case in which the accounting server detects during the service that a particular charging record has been lost.
The interval between two consecutive type 1 CDRs can vary according to the number of processes that need to run simultaneously on the terminal. If the load on the terminal increases greatly and the generation of CDRs lags behind the payment schedule, the charge included in each CDR is correspondingly larger.
In practice, continuous charging involves two time-related problems. First, one or more payment CDRs may be lost because of a fault or error. Second, the terminal clock may run more slowly than the accounting server clock. To eliminate these problems, two thresholds (A and B) are defined. The first threshold (A) is the maximum debt that the user may owe the accounting server while continuing to use the service without paying. The second threshold (B) is the maximum debt that the user may still owe after a payment. Each of the two limits is linked to its own timer value (T_A and T_B).
Figs. 7c and 7d illustrate one solution to these problems. The time axis t represents accounting server time and the time axis t1 terminal time. In both figures time is shown in seconds. The vertical axis in the upper part of each figure shows the debt the user owes the accounting server, and the lower part shows the charging records sent by the accounting server and the terminal. In this example the network delay is assumed to be negligible. In Fig. 7c the clocks run at the same speed, whereas in Fig. 7d the terminal clock is slower than the accounting server clock. At time t1 = 0 the terminal sends the signed contract (CDR-0) to the accounting server, which receives it at time t = 0. From this moment the user's debt D(t) starts to grow. As long as no payment is received, the debt grows linearly with time. The rate of growth (money per unit of time) is defined in the contract. When the accounting server receives a payment CDR (CDR-1), the amount given in that CDR is subtracted from the debt.
After receiving the contract, the accounting server calculates the amount owed at regular intervals (for example, once a second). If D(t) > A, the accounting server sends a type 4 CDR to the terminal. If the accounting server does not receive the overdue payment within time T_A, the contract is terminated. Fig. 7c shows a case in which the payment CDR (CDR-1) sent at time t1 = 120 fails to reach the accounting server. As a result, the debt exceeds threshold A before the next normal payment is made. The accounting server therefore sends a type 4 CDR to the terminal, and the terminal re-sends the payment CDR in response. A maximum period for which the accounting server can operate without receiving a payment CDR can also be defined. If this period is exceeded, the accounting server sends a type 4 CDR.
If the accounting server does not check the amount owed at regular intervals, it must check it each time a normal payment is made. If the terminal clock runs more slowly than the accounting server clock, as in Fig. 7d, then when the amount owed after a payment exceeds threshold B, the accounting server sends the terminal a type 8 CDR (synchronisation), which contains the required payment amount. In response, the terminal sends a signed synchronisation CDR. If the accounting server does not receive the overdue payment within time T_B, the contract is terminated.
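The threshold logic of Figs. 7c and 7d can be followed step by step in the sketch below, which is an added illustration and not code from the patent. The class and function names, the rate of 1 unit per second, the 60-unit payments and the threshold values in the scenarios are constructed; it is also assumed that a type 8 CDR demands the full outstanding debt and that termination is signalled with a type 6 CDR.

```python
from dataclasses import dataclass, field
from typing import Optional

# CDR type numbers as listed in the description
PAYMENT, MISSING_SEQ, ABORT, SYNC = 1, 4, 6, 8


@dataclass
class DebtTracker:
    rate: float        # debt growth per second, fixed in the contract
    limit_a: float     # A: most the user may owe while using the service unpaid
    limit_b: float     # B: most the user may still owe right after a payment
    timer_a: float     # T_A: seconds allowed to settle after a type 4 CDR
    timer_b: float     # T_B: seconds allowed to settle after a type 8 CDR
    debt: float = 0.0
    last: float = 0.0                  # server time of the last accrual (contract at t = 0)
    deadline: Optional[float] = None   # expiry of the outstanding demand, if any
    target: float = 0.0                # debt level that satisfies the outstanding demand
    terminated: bool = False
    sent: list = field(default_factory=list)   # (t, cdr_type, debt at that moment)

    def _accrue(self, now):
        self.debt += self.rate * (now - self.last)
        self.last = now

    def _demand(self, now, cdr_type, target, timer):
        if self.deadline is None:      # only one outstanding demand at a time
            self.deadline, self.target = now + timer, target
            self.sent.append((now, cdr_type, self.debt))

    def tick(self, now):
        """Periodic check of D(t), for example once a second."""
        if self.terminated:
            return
        self._accrue(now)
        if self.deadline is not None and now >= self.deadline:
            self.terminated = True     # assumption: signalled with a type 6 CDR
            self.sent.append((now, ABORT, self.debt))
        elif self.debt > self.limit_a:
            self._demand(now, MISSING_SEQ, self.limit_a, self.timer_a)

    def on_payment(self, now, amount):
        """A verified payment CDR (or signed synchronisation CDR) has arrived."""
        if self.terminated:
            return
        self._accrue(now)
        self.debt -= amount
        if self.deadline is not None and self.debt <= self.target:
            self.deadline = None       # the outstanding demand is satisfied
        if self.debt > self.limit_b:
            self._demand(now, SYNC, self.limit_b, self.timer_b)


def simulate(tracker, payments, until, period_amount, responsive=True):
    """Run second by second; `payments` maps server time -> amount actually received."""
    for now in range(1, until + 1):
        i = len(tracker.sent)
        tracker.tick(now)
        if now in payments:
            tracker.on_payment(now, payments[now])
        # Network delay is negligible, as assumed for Figs. 7c and 7d.
        while responsive and not tracker.terminated and i < len(tracker.sent):
            _, cdr_type, owed = tracker.sent[i]
            if cdr_type == MISSING_SEQ:
                tracker.on_payment(now, period_amount)   # terminal re-sends the lost CDR
            elif cdr_type == SYNC:
                tracker.on_payment(now, owed)            # signed synchronisation CDR
            i += 1
    return tracker


if __name__ == "__main__":
    # Fig. 7c-like run: the payment due at t = 120 never arrives.
    lost = simulate(DebtTracker(1.0, 64, 10, 10, 10), {60: 60, 180: 60, 240: 60}, 240, 60)
    print(lost.sent, lost.debt)
```

With these constructed values, the lost payment is detected at t = 125, five seconds after it was due, and a terminal that ignores the type 4 CDR loses its contract T_A seconds later.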
All required charge informations of system transmit in the protocol message sequence field of (station message recording).Be included in the station message recording field as shown in Figure 8:
Type: indicates the type of the CDR, i.e. which of the aforementioned 8 kinds of station message recording it is.
Length: this field gives the total length of the CDR in bytes, including the type and length fields.
Contract number: this field contains an integer assigned by the accounting server. The number is the same for all CDRs belonging to the same chargeable session.
Sequence number: an integer indicating the order in which CDRs are generated during the chargeable session. The terminal assigns the number 0 to the first CDR, which it returns in response to the contract CDR (type 0), and thereafter increments the number by 1. The field is not specified in CDR types 3, 5, 6 and 7; in type 4 it indicates the sequence number of the lost CDR.
Task identifier: the content of this field indicates the service for which the client is charged. The value of this parameter is based on a contract between the supplier managing the ticket service and the (multimedia) service supplier.
Type of service: the parameter in this field classifies services roughly for statistical purposes, for example Web site, video on demand, file transfer and so on.
Start time: for CDR types 0 and 5, and for types 3, 4 and 6, the parameter in this field shows the current time; for types 1 and 2 it shows the start time of the metering period.
End time: the parameter in this field defines the end of the chargeable session for CDR types 1 and 2. For CDR types 0 and 5, it shows how often the accounting server wishes to receive a payment CDR. The parameter is not defined for the other CDR types.
Identifier: the parameters in this field identify the client, the accounting server and the server. An identifier can be an integer or a network address, but it must be unique within the ticket processing system.
Method of payment: the parameter in this field is defined for CDR types 0, 5, 1 and 2. Methods of payment can be classified, for example, as follows: free, one-time charge (CDR), timed, or externally triggered, i.e. triggered by another process in the terminal. For example, a video playback program in the terminal can trigger the generation of a CDR once a minute. A system in which the accounting server uses the parameter in the method-of-payment field to trigger CDR generation is described below.
Amount: this field shows the amount the client owes (either for the whole session or for the period between two CDRs).
Traffic data: this field contains information that is sent to the terminal by an application external to the terminal and forwarded to the network.
Signature: this field contains the client's digital signature, which is used to authenticate the CDR.
Appendix 1 gives a detailed description of the CDR structure in Abstract Syntax Notation One (ASN.1), a general-purpose description language for data structures used in telecommunications. The appendix also explains the structure of the Init_Service, START, OK and CANCEL messages.
Station message recordings and the messages mentioned can be sent, for example, in the data field of an IP packet; this data field can contain one or more station message recordings.
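The arrears check against threshold A and the byte-oriented record encoding can be modelled together from the accounting server's side. The following is an added example, not code from the patent: the reduced field layout, the HMAC-SHA256 tag standing in for the client's digital signature, the ChargingSession class and all sample values are assumptions.

```python
import hashlib
import hmac
import struct

PAYMENT, MISSING_SEQ = 1, 4   # values from the CDR_cdrType enumeration

# Assumed, reduced layout (not the full Figure 8 record): type (1 octet),
# length (2), contract number (4), sequence number (4), amount (4),
# integers MSB first, followed by a 32-octet authentication tag.
HEADER = struct.Struct(">BHIII")
TAG_LEN = 32


def tag_for(key, body):
    # Stand-in for the client's digital signature (assumption): HMAC-SHA256.
    return hmac.new(key, body, hashlib.sha256).digest()


def encode_cdr(key, cdr_type, contract, seq, amount):
    total = HEADER.size + TAG_LEN   # length counts the type and length fields too
    body = HEADER.pack(cdr_type, total, contract, seq, amount)
    return body + tag_for(key, body)


def decode_cdr(key, raw):
    """Parse and authenticate one CDR; raise ValueError on any defect."""
    if len(raw) != HEADER.size + TAG_LEN:
        raise ValueError("truncated or oversized CDR")
    cdr_type, length, contract, seq, amount = HEADER.unpack_from(raw)
    if length != len(raw):
        raise ValueError("length field does not match record size")
    if not hmac.compare_digest(raw[HEADER.size:], tag_for(key, raw[:HEADER.size])):
        raise ValueError("signature check failed")
    return {"type": cdr_type, "contract": contract, "seq": seq, "amount": amount}


class ChargingSession:
    """Accounting-server state for one contract (hypothetical helper)."""

    def __init__(self, key, contract, tariff, threshold_a, t_a, start=0):
        self.key, self.contract, self.tariff = key, contract, tariff
        self.threshold_a, self.t_a, self.start = threshold_a, t_a, start
        self.paid = 0
        self.seen = set()          # sequence numbers already credited
        self.next_seq = 1          # sequence 0 was the signed contract CDR
        self.demand_at = None      # when the open type 4 CDR was sent
        self.terminated = False

    def owed(self, now):
        """D(t): charges accrued since the start minus verified payments."""
        return (now - self.start) * self.tariff - self.paid

    def receive(self, raw, now):
        cdr = decode_cdr(self.key, raw)
        if self.terminated or cdr["type"] != PAYMENT or cdr["contract"] != self.contract:
            raise ValueError("CDR does not belong to an open contract")
        if cdr["seq"] in self.seen:
            return "duplicate"     # a replayed CDR is never credited twice
        self.seen.add(cdr["seq"])
        self.paid += cdr["amount"]
        while self.next_seq in self.seen:
            self.next_seq += 1
        if self.owed(now) <= self.threshold_a:
            self.demand_at = None
        return "accepted"

    def tick(self, now):
        """Periodic check: None, (MISSING_SEQ, n) to send, or 'terminate'."""
        if self.demand_at is not None and now - self.demand_at > self.t_a:
            self.terminated = True
            return "terminate"
        if self.demand_at is None and self.owed(now) > self.threshold_a:
            self.demand_at = now
            return (MISSING_SEQ, self.next_seq)
        return None


def lost_payment_scenario():
    """Constructed run: tariff 1/s, A = 90, payment CDR 2 (t = 120) is lost."""
    key = b"constructed-demo-key"
    s = ChargingSession(key, contract=7, tariff=1, threshold_a=90, t_a=10)
    events = [s.receive(encode_cdr(key, PAYMENT, 7, 1, 60), now=60)]
    events.append(s.tick(now=150))                 # D = 90, not above A
    events.append(s.tick(now=151))                 # D = 91 > A
    resend = encode_cdr(key, PAYMENT, 7, 2, 60)
    events.append(s.receive(resend, now=152))
    events.append(s.receive(resend, now=153))      # replay of the same CDR
    events.append(s.tick(now=154))
    return events, s.paid
```

A shared-key tag lets the accounting server detect alteration but, unlike the client's signature described above, it cannot prove to a third party which side produced the record.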
Charging works normally when network access and payment are synchronized with each other, i.e. when a paying client can access the network providing the service and a non-paying client cannot. A fault may, for example, cause a situation in which the router denies a paying client access to the network providing the service, or allows access to a non-paying client (one that does not send payment CDRs). To correct this, the access server polls the router and the accounting server. The access server obtains the access list from the router and, from the accounting server, the IP addresses of the clients that are paying for network access at that moment. If a paying client's address is not in the access list, the access server adds the address to the list. If an address in the access list is not in the accounting server's list of paying clients, the access server removes the address from the access list. The system can be configured to let the service supplier set the required polling interval.
Fig. 9 a has provided the operation of terminal (CT) by functional block diagram.For the present invention, most important parts comprises CDR maker CG in this equipment, and it generates the station message recording.That be connected to the CDR maker is security vault SLI, and its memory comprises client's privacy key, and carries out the signature of station message recording.The CDR maker generates CDR, sends it to security vault, utilizes client's privacy key that it is signed in security vault.Security vault returns to the CDR maker with the CDR of signature, and the latter is transmitted to accounting server WD with it.
If use or environmental requirement must exchange encrypt message between terminal and accounting server, then security vault encrypt, signature and signature verification.
Security vault can be based on hardware or based on the scheme of software.But hardware based scheme provides better fail safe.Therefore, security vault or its part can be utilized to comprise for example smart card of client's privacy key, in the above described manner structure.
The terminal also contains the elements that receive the service. These can include, for example, a service player VP, which can be a video player that reproduces the video signal received from the network and can also command the CDR generator to generate a station message recording. The service browser SB, the service player VP and the CDR generator are connected to the network through the terminal's communication pool CL. CL forms the protocol stack according to which the terminal operates. This protocol stack can be, for example, a TCP/IP stack such as Microsoft's Winsock.
The terminal's unlocking logic block SUL sends the start message to the access server when the user inserts the smart card into the card reader.
The terminal can also incorporate a charging counter BC, which the client uses to check the accuracy of the tickets sent by the service supplier. In addition, the terminal can contain various elements for monitoring the quality of service (QoS) of the received information flow. For example, when the quality of service drops to a particular value, the video player can command the source to stop sending information.
Fig. 9 b shows in detail the functional block diagram of CDR maker.Contract logical block CLU1 handles the generation of station message recording according to the information that is stored among the configuration database CDB.It comprises following logic: send the contract information that receives to graphical user interface GUI, and generate the station message recording of the above-mentioned type.This logic comprises the timing element TM that determines elapsed time between two continuous CDR.Contract logical block CLU1 is connected to communication pool and network by external control interface ECI, and is connected to professional player by internal control interface ICI.External control interface is realized the conversion of inside and outside CDR form.The message that the internal control interface is managed business between player and the contract logical block transmits, and finishes necessity conversion between the inside story form of used message format of professional player and equipment.Connection between internal control interface and the professional player (interface A3) can for example realize by communication pool (TCP socket).Configuration database CDB is used to store user's setting (user's hobby), and it also can be in response to the service identification that receives, and storage is to the information of the different business (for example film) of client playing.This database can for example generate by Microsoft Access or Borland Paradox.This configuration database is by administrative unit MM control.Administrative unit, configuration database and contract logical block all are connected to the graphical user interface (GUI) of equipment, and graphical user interface for example can realize by Java small routine or Microsoft Visual Basic programming tool.
If the service player is intended, for example, for video on demand, it can be implemented, for example, by a program designed for a personal computer or for VOD service. One such program is StreamWorks, supplied by Xing Technology Inc., USA.
The management unit and the contract logical block are linked to the security vault through interface A1. The security vault and interface A1 can be implemented, for example, with a SETCOS 3.1 smart card (and smart card reader) produced by Setec Oy, or with an equivalent product based on the international smart card standards. (The International Organization for Standardization, ISO, has defined the following series of smart card specifications: ISO 7816-1 (physical dimensions), ISO 7816-2 (contact positions), ISO 7816-3 (transmission protocols) and ISO 7816-4 (commands and file structure).)
The user can have several different smart cards, each of which opens a particular type of connection. One card can be used, for example, to establish a connection with full Internet functionality, while another card (held by an employee as an authorized holder) is used only for access to the LAN at the workplace.
Figure 10 illustrates the structure of the accounting server WD as a general block diagram. The core of the equipment is the contract logical block CLU2, which has access to the service database SED, the customer database SUD and the billing database BD. The service database contains information on the services offered by the different service suppliers and the parameters for charging for them. The accounting server can also change the charging parameters independently, for example according to the time of day. The customer database contains the customer data (including each client's public key) of the operator that manages the accounting server. Station message recordings received from terminals are stored in the billing database. An encryption unit CM is associated with the contract logical block and verifies the signatures of station message recordings. This unit corresponds to the SL unit of the terminal. The contract logical block receives station message recordings signed by the terminal and passes them to the encryption unit for verification. The contract logical block stores the accepted station message recordings in the billing database. The contract logical block is connected to the network through the communication pool CL, which forms the protocol stack that defines the connection to be set up.
In practice, a contract logical block with the functions described above can be implemented, for example, with tools based on the international System Description Language (SDL) standard, such as the SDT tool produced by Telelogic AB.
The databases of the accounting server can reside in the above-mentioned memory MS (Fig. 3), located in the accounting server. In addition, station message recordings can be stored in a separate mass memory MS1 (Fig. 3), located between the accounting server and the ticket processing system of the network and organized so that the ticket processing system can easily process the information stored in it. Such a separate database allows service suppliers to run different queries on the database in order to develop their services. For example, a service supplier or a client can request, in the middle of a ticket processing cycle, the charging information generated by a particular service (using e-mail or a similar method).
Figure 11 illustrates the structure of the access server SL as a functional block diagram. For external connections the server is equipped with an interface unit IU comprising a router interface unit RIU, an accounting server interface unit WIU and a terminal interface unit TIU. The TIU receives the aforementioned start message Init_Service from the terminal in order to initialize a ticket processing session for the client. The router interface unit monitors the router's access list, and the accounting server interface unit handles communication with the accounting server. The connection logic CLO is a simple state machine that links the different interface units. The connection logic also contains a list of all open connections and two queues: one holds the connections that need to be terminated and the other the connections that need to be set up.
The router control unit RCU contains the router command set; it controls the router by maintaining the aforementioned access list.
The synchronization unit SU synchronizes payment and access rights by comparing, at specific intervals, the router's list of open connections with the addresses of paying clients obtained from the accounting server. Any conflict is corrected, which ensures that no charging error lasts longer than that interval.
The router connection control unit RCC monitors the connection between the access server and the router. Since the connection between the router and the access server is assumed here to be a Telnet connection, the router will break the connection if it stays idle for too long. If the router happens to break the connection, for this reason or because of some other disturbance on the connection, it is the task of the router control unit to reactivate the connection.
If charging is based at least partly on the amount of data transferred, the access server includes a capacity monitoring unit VCU and the billing database BD2 that it uses. In this case the control unit uses the router access list to check the count of packets passing through the router interface and stores the data in billing database BD2, so that the number of packets is stored for each contract identifier together with the IP address the terminal uses for the connection. When billing is required, the data in the access server's billing database and the data in the accounting server's billing database are combined on the basis of the contract identifier. This allows the amount of data transferred to be taken into account in ticket processing.
The above description does not provide an additional user signature for the packet statistics, which means that the user must trust the packet count determined by the system. In all other cases the terminal can verify that charging is correct. A two-stage procedure is used to solve this problem. First, the access server notifies the terminal each time the charged capacity has increased by a particular value (for example 50 Mb). In this way the terminal can monitor the capacity statistics kept by the access server and compare them with its own records. Second, the access server sends each capacity-related CDR to the accounting server, which forwards it to the terminal for signing. This procedure is similar to the signing of the contract described above; it gives the terminal user an opportunity to monitor the charging and makes it difficult for the user to repudiate the ticket. The method is explained in detail below with reference to Figure 12, which illustrates the communication between the different elements.
First, as described above, the system creates a separate "capacity agreement" (arrows 121 to 124) in the form of an externally triggered contract. The access server reads the required packet counts from the router and stores them in billing database BD2. When the packet count reaches a predetermined limit, the access server sends a signed type 3 CDR (pulse) to the accounting server (arrow 126). Before this, however, the access server sends to the terminal's traffic data port a message VM containing information on the amount of data transferred (denoted by the term "traffic data"). The next CDR to be signed therefore includes the capacity information, and the user, or at least the terminal, has an opportunity to verify the capacity before signing the CDR.
On receiving a type 3 CDR from the access server, the accounting server recognizes that the contract is an externally triggered contract and forwards the CDR in question to the terminal (arrow 127). If the user or the terminal accepts the capacity count, the terminal generates a payment CDR, inserts the received data amount information into the traffic data field of this payment CDR and sends the payment CDR to the accounting server (arrow 128). The accounting server forwards this CDR, or the data contained in it, to the access server (arrow 129), which verifies at least the data contained in the traffic data field. Depending on the result of this verification, the access server either terminates the service or allows it to continue. The service provided in this case may be a composite service comprising both time-based and capacity-based contracts.
From the terminal's point of view, the capacity-based charging described above proceeds as follows. The accounting server sends a new contract (arrow 122) in which the value of the method-of-payment parameter indicates externally triggered payment. When payment is required, the terminal receives a type 3 CDR indicating the required payment amount. The terminal either accepts the payment automatically or shows the data on the terminal display and lets the user decide whether to accept the payment transaction. If the payment is accepted, the terminal changes the CDR type to 1 (payment CDR), signs the CDR and sends it to the accounting server (arrow 128).
A payment transaction can also be triggered by some external object, for example by a command sent to the terminal by the accounting server indicating that payment should be made. Such a command is sent to the socket address corresponding to traffic data. Besides the actual command ("pay"), the command message also contains the contract identifier. The terminal then pays. In this case the command only indicates that payment is needed; the actual payment amount is determined by the contract.
As described above, capacity-based charging can be implemented so that the terminal or the user is continuously informed of the accumulated ticket amount. Since every payment must be accepted, repudiating the charge is very difficult. Messages are sent only when payment is needed, so if no traffic flows to or from the terminal, no empty or redundant charging messages are produced. Because this feature is implemented at the application layer, it is not tied to any particular technology. Several capacity-based "taximeters" can exist between the service supplier and the terminal, charging for services on the basis of capacity simultaneously.
Although the example above is based on an ADSL environment, the method of the invention clearly offers the same advantages in any connectionless network that provides access services of this kind, where the services must identify each user of a particular network address, or where the user is not necessarily the subscriber who pays the service fee. The terminal can also be connected to the network providing the services through a wireless connection. The underlying connection type may vary.
It was mentioned earlier that the user's network address (IP address) can differ from one service session to another while remaining unchanged within any single service session. The method of the invention can, however, also be applied when the user moves from one location to another. This can be done with the Mobile IP protocol, a version of the existing IP that supports terminal mobility. (The principles of Mobile IP are explained, for example, in Upkar Varshney's article "Supporting Mobility with Wireless ATM", Internet Watch, January 1997.)
Mobile IP is based on a system in which every mobile host, or mobile node, has a designated agent (the "home agent") that forwards packets to the mobile host's current location. When the mobile host moves from one subnet to another, it registers with the agent serving that subnet (the "external agent"). The external agent carries out a series of checks with the mobile host's home agent, registers the mobile host and sends the registration information to it. Packets addressed to the mobile host are sent to the mobile host's original location (the home agent), from where they are forwarded to the current external agent, which in turn forwards them to the mobile host.
When the above principle is applied to a system according to the invention, each user can have a dedicated (home) accounting server that manages the user's public key and acts as the home agent. The access servers serving the different subnets (i.e. the external agents) indicate to an accounting server when charging should begin. This accounting server retrieves the public key from the user's home accounting server and takes over the charging function. It is important that the user's public key can be transferred securely to the accounting server nearest to the user, so that this accounting server can verify the station message recordings. (If the transfer cannot be made securely, a third party could modify the key in transit and thereby generate charges that end up on the original user's ticket.) For example, the user's public key can be sent to a database located near the accounting server and accessible to it. The nearest accounting server can use the user's dedicated accounting server for identification and then handle the charging. When the service session ends, the CDRs accumulated during the session are sent to the user's dedicated accounting server.
Figure 13 shows the communication between the different parts of a system using Mobile IP. In the figure the home and external agents are shown as physically separate elements, but, as mentioned above, the access server can also act as the external agent and the home accounting server as the home agent. According to Mobile IP, the external agent FA continuously sends broadcast messages called "Agent Advertisement" to its own subnet; these are denoted AA in the figure. When a terminal connects to the subnet, it receives these messages and infers from them whether it is connected to its own home network or to another network. If the terminal detects that it is connected to its own home network, it operates normally without any mobility service. Otherwise the terminal obtains a care-of address in the external network. This address is the address of the point in the network to which the terminal is temporarily attached. The address also forms the termination point of the tunnel leading to the terminal. The terminal generally obtains the care-of address from the broadcast messages sent by the external agent. In response, the terminal sends a registration request RR to its home network through the external agent FA. Among other things, the request contains the care-of address just assigned to the terminal. In response to the request, the home agent updates the terminal's location data in its database and sends a registration reply R_Reply to the terminal through the external agent. The reply contains all the necessary information on how (in what respects) the home agent has accepted the registration request. All messages between the terminal, the external agent and the home agent are standard Mobile IP messages.
The external agent FA then sends the above-mentioned start message, i.e. the charging service request Init_Service, to the access server SL. This message is equivalent to the service request message shown in Figure 5 and indicates the start of a single service session. Among other things, the message contains the terminal's care-of address. From this point on the system operates as shown in Figure 5, except for the termination of charging and the acknowledgement message ACK, both of which are discussed below. The access server checks the received message and forwards the start message START to the accounting server WD. This is followed by contract negotiation between the accounting server and the terminal, the usual outcome of which is that the user gains access to the network.
The termination of charging differs from the fixed-terminal case of Figure 5: in a Mobile IP environment, termination can be effected by the external agent or by the accounting server, depending on which element detects the change first. If the external agent detects that the user has left the network, it sends the termination message CANCEL (1) to the access server. The access server forwards the message to the accounting server and closes the connection in the router. The external agent can detect the user's departure automatically, because Mobile IP requires the terminal to send messages regularly to show that it is still present in the subnet. These "keep-alive" messages are intended only for the home agent, which does not forward them. If, however, the accounting server is the first to detect that the user has left, it sends the termination message CANCEL (2) to the access server, which removes the connection in the router. In all other respects the options for terminating a connection are the same as described earlier.
In the Mobile IP case, the user or terminal thus does not send the start message (as in Figure 5); instead, the operation of the external agent is modified so that it starts charging when a terminal connected to the subnet it serves registers with its own home agent through the external agent.
In addition, the external agent maintains a dedicated charging-start timer, which is started when the service request message is sent to the access server. If no ACK message is received before the timer expires, the external agent sends a new service request to the access server in an attempt to restart charging. The external agent does this for every terminal in its area for which charging has not yet started.
With the procedure described above, the access service supplier can restrict access to its network to those users who can be charged reliably, although Mobile IP itself provides no such feature.
It should be noted that a Mobile IP network does not absolutely require an external agent. If no external agent is used, the network still contains a DHCP server or some other mechanism for assigning temporary addresses. In that case, if the terminal needs to use the mobility service, it must register with its home agent. Depending on the network configuration, the DHCP server or the home agent can then act as the access server.
The description above concerns an access server for Mobile IP connections. If the routing protocol is IPv6, which has no dedicated external agent, the access service must be started in a different way.
When an IPv6 terminal connects to a new network, the default procedure is that the terminal waits for an advertisement message from the router. This message can either authorize the terminal to generate its own address or force the terminal to obtain a temporary address from a DHCP server. After receiving the temporary address, the terminal sends binding updates, which update the routing data held in the network concerning the terminal's (fixed) home address and the associated temporary address. The binding updates are sent to all nodes with which the terminal communicates, and in particular to the terminal's own home agent. Using the binding updates, the nodes update their routing data so that packets addressed to the terminal can be forwarded directly to its temporary address.
Figure 14 gives a simplified illustration of the messages between the different parts when the routing protocol is IPv6. In this case the router may require a new user (terminal) connecting to the network to register with the local DHCP server DHCP_S. In response to the advertisement message it has received, the terminal sends a registration request (REQUEST) to the DHCP server. After assigning a temporary address to the terminal (message ACK), the DHCP server sends the start message Init_Service to the access server SL to start charging. From the point of view of charging and of the access server, the DHCP server takes the role that the external agent has in a Mobile IP network. More precisely, it notifies the access server of a new terminal that has just connected to the network by sending the start message. In all other respects the protocol is similar to the Mobile IP case described above (in which the network contains an external agent).
In this case, the default configuration of the gateway router R1 must allow all terminals connected to the network to reach the access server and the accounting server.
When the terminal moves from one subnet to another (i.e. from one access server to another), a new contract can be negotiated. Depending on what changes in the handover, either the existing contract is renegotiated or the same contract is updated. For example, if the operator changes at the same time, a new contract can always be negotiated. If the operator stays the same but the quality of service offered by the new network differs considerably from that of the previous network, the existing contract can be modified by renegotiation. The party that makes the handover decision should also decide whether to terminate or update the existing contract. In any case, the user is entitled to know which network he or she has accessed and in what form the service is provided.
The network environments shown in Figures 13 and 14 are similar to the examples given in Figs. 3a to 3d, except that the LAN switch is replaced by a wireless (or wired) access network, the ATU-C by an ordinary attachment point, for example an intelligent hub or similar device, and the ATU-R by a terminal interface (card). In addition, if the network is a Mobile IP network, the DHCP server is replaced by an external agent. Figure 15 illustrates the latter network environment using the example of Fig. 3a. Here the external agent is shown as a separate unit, although it can be integrated into the access server. As the figure shows, the local accounting server of the access point is generally different from the dedicated accounting server of a user accessing the network through that access point, but the dedicated accounting server can be connected to the Internet or to the telephone network.
Although the invention has been described above with reference to the examples in the accompanying drawings, it is obviously not limited to these examples but can be varied within the limits set by the appended patent claims. A brief description of some conceivable variations is given below.
For example, the terminal need not send actual charging records; it can send some other (charging-related) message to the accounting server, which can then use it to generate the station message recordings itself. For example, the terminal can send so-called alive messages during the service, after which the accounting server generates a single station message recording in which the duration of the service equals the time elapsed from the acceptance of the contract to the last alive message. Similarly, especially in systems that support terminal mobility, some other network element or entity, for example the access server or the external agent, can assume the terminal's role as the generator of station message recordings. Such an element or entity must have the user's full trust. The role of the terminal can then change, for example, so that the terminal pays a specific lump sum to the element or entity, which keeps the connection open in accordance with the payment received and may request additional payments from the terminal. If the entity representing the terminal generates station message recordings with its own signature, the accounting server must know at all times on whose behalf the entity is signing. Station message recordings can also be generated by an interface element that gives the terminal access to the network providing the services. This can be the case, for example, when a known General Packet Radio Service (GPRS) terminal accesses an IP network through a network element between the GPRS network and that network (in this example a gateway GPRS support node).
Can adopt certain known other method to replace digital signature, be used for guaranteeing that the ticket processing procedure station message recording can not distorted in transmission, and the transmit leg data in the message be correct.Importantly the station message recording can be verified to the present invention.For example, between the network element of network element that generates charging message and inspection charging message, should be secure transmission channel, perhaps charging message should comprise electronic cash.If the use electronic cash does not then need to verify the user, but only by checking the charging message that receives from the user and verifying that with the structural intergrity of the cash of paying form by mails generally by special server, for example the server of bank is realized for this.
The element that links the access network to the network providing the services may comprise any suitable device capable of selectively passing traffic, for example a packet filter or a firewall. A message sent for some other purpose can also serve as the beginning message that indicates the start of a new service session.

-- CDR structure
-- =================
-- In the initial version the encoding is byte-oriented;
-- no tag and length fields are needed. Unless otherwise specified,
-- ENUMERATED is encoded as one octet,
-- INTEGER is encoded as an octet string, MSB first
-- (of length 2, 4 or 8, depending on the maximum value)

CDR_cdrType ::= ENUMERATED {
    Contract (0),      -- initial CDR, WD -> client
    Payment (1),       -- normal payment CDR
    Final (2),         -- as above, the client terminates
    Pulse (3),         -- indicates a new payment
    Missing_seq (4),   -- CDR with a missing sequence number
    Mod_contract (5),  -- control, renegotiation
    Abort (6),         -- terminate the connection; does not include memory
    E_cash (7)         -- CDR supporting electronic cash, type B
}
-- types 0..6 are overloaded onto CDRtypeA,
-- type 7 uses CDRtypeB

CDR_network ::= ENUMERATED { unknown (0), TCP/IP (1), ISDN (2) }

CDR_serviceTypeType ::= ENUMERATED { unknown (0) ... }

CDR_timeType ::= SEQUENCE {
    hundrethOfSec  OCTET STRING (SIZE (1)),
    seconds        OCTET STRING (SIZE (1)),
    minutes        OCTET STRING (SIZE (1)),
    hours          OCTET STRING (SIZE (1)),
    days           OCTET STRING (SIZE (1)),
    year_lo        OCTET STRING (SIZE (1)),
    year_hi        OCTET STRING (SIZE (1))
}

CDR_identifierType ::= SEQUENCE {
    type  ENUMERATED { system_assigned (0), E164_addr (1) ... },
    data  OCTET STRING (SIZE (16))
}

CDR_paymentMethodType ::= ENUMERATED {
    Free (0),      -- free
    one_time (1),  -- one-time payment per agreement
    periodic (2),  -- time-based
    Wd_req (3),    -- payment triggered by a WD message
    Ext_trig (4)   -- payment triggered by an external client application
}

CDR_currencyType ::= ENUMERATED {
    majorType  ENUMERATED { bill (0), E_cash (1) },
    currency   ENUMERATED { FiM (0), USD (1), ... }
}
-- encoded in one byte so that majorType takes the
-- most significant bit and currency bits 0-6

CDR_moneyAmountType ::= SEQUENCE {
    currency  CDR_currencyType,
    value     INTEGER (0..MAX_WORD)
    -- if electronic cash is used, this value defines the
    -- sequence number of the CDR supporting electronic cash
}

CDR_signatureType ::= SEQUENCE {
    present    ENUMERATED { absent (0), present (1) },
    type       ENUMERATED { RSA-with-MD5 (0), DES-with-MD5 (1) },
    signature  OCTET STRING (SIZE (64))
}

CDRformatA ::= SEQUENCE {
    type         CDR_cdrType,
    length       INTEGER (0..MAX_S_WORD),
    contractNr   INTEGER (0..MAX_D_WORD),
    sequenceNr   INTEGER (0..MAX_WORD),
    serviceId    INTEGER (0..MAX_D_WORD),
    serviceType  CDR_serviceTypeType,
    startTime    CDR_timeType,
    endTime      CDR_timeType,
    clientId     CDR_identifierType,
    watchdogId   CDR_identifierType,
    serverId     CDR_identifierType,
    payMethod    CDR_paymentMethodType,
    moneyAm      CDR_moneyAmountType,
    trafficData  OCTET STRING (SIZE (8)),
    signature    CDR_signatureType
}

CDRformatB ::= SEQUENCE {
    type        CDR_cdrType,
    length      INTEGER (0..MAX_S_WORD),
    contractNr  INTEGER (0..MAX_WORD),
    sequenceNr  INTEGER (0..MAX_WORD),
    e_cash      OCTET STRING (SIZE (0..200))
}

Start ::= SEQUENCE {
    MessageType  OCTET STRING (SIZE (1)) DEFAULT (1),
    MessageLen   INTEGER (0..MAX_LEN),
    ClientAddr   NWAddr,
    ServerAddr   NWAddr,
    ServerId     CDR_identifierType,
    ServiceId    INTEGER (0..MAX_D_WORD),
    ConnId       INTEGER (0..MAX_WORD)
}

OK ::= SEQUENCE {
    MessageType  OCTET STRING (SIZE (1)) DEFAULT (2),
    MessageLen   INTEGER (0..MAX_LEN),
    ContractId   INTEGER (0..MAX_D_WORD),
    ConnId       INTEGER (0..MAX_WORD)
}

Cancel ::= SEQUENCE {
    MessageType  OCTET STRING (SIZE (1)) DEFAULT (3),
    MessageLen   INTEGER (0..MAX_LEN),
    ContractId   INTEGER (0..MAX_D_WORD),
    ConnId       INTEGER (0..MAX_WORD)
}
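The CDRformatA layout and the requirement that a charging message be verifiable before it is accepted, as an added example (not code from the patent): a terminal packs a payment record under the byte-oriented rules and an accounting-server check rejects altered, repeated or out-of-sequence records. Assumptions: MAX_S_WORD, MAX_WORD and MAX_D_WORD are taken as 2, 4 and 8 octets, `length` is taken as the whole record, the type code 0x7F and all sample values are constructed, and HMAC-SHA-512 (whose 64-octet tag fits the signature field) is swapped in for the listed RSA-with-MD5 and DES-with-MD5, so it authenticates the sender to a server sharing the key but is not a signature a third party can verify.

```python
import hashlib
import hmac
import struct

# Assumed widths: the listing only says INTEGER is 2, 4 or 8 octets, MSB first.
# Here MAX_S_WORD -> 2 (H), MAX_WORD -> 4 (I), MAX_D_WORD -> 8 (Q).
BODY = struct.Struct(">BHQIQB7s7sB16sB16sB16sBBI8s")  # type .. trafficData
SIG = struct.Struct(">BB64s")                          # present, type, signature
RECORD_LEN = BODY.size + SIG.size                      # 169 octets under these widths
PAYMENT = 1                       # CDR_cdrType value from the listing
SIG_HMAC_STANDIN = 0x7F           # hypothetical type code, not in the listing


def _ident(name):
    """CDR_identifierType data: 16 octets, zero padded (constructed values)."""
    return name.encode().ljust(16, b"\0")


def build_cdr(key, contract, seq, amount, currency=1, e_cash=False):
    """Terminal side: pack one payment record and append the 64-octet tag."""
    money = (0x80 if e_cash else 0) | (currency & 0x7F)  # majorType in the MSB
    body = BODY.pack(
        PAYMENT, RECORD_LEN,          # type, length (assumed: whole record)
        contract, seq,
        42, 0,                        # serviceId, serviceType (constructed)
        bytes(7), bytes(7),           # startTime, endTime left as zero octets
        0, _ident("client-1"), 0, _ident("wd-1"), 0, _ident("server-1"),
        2,                            # payMethod: periodic
        money, amount, bytes(8))      # moneyAm, trafficData
    tag = hmac.new(key, body, hashlib.sha512).digest()
    return body + SIG.pack(1, SIG_HMAC_STANDIN, tag)


class ChargingChecker:
    """Accounting-server side: a record counts only if it verifies."""

    def __init__(self, key, contract):
        self.key = key
        self.contract = contract
        self.next_seq = 0
        self.paid = 0

    def check(self, raw):
        if len(raw) != RECORD_LEN:
            return "reject: bad length"
        body = raw[:BODY.size]
        present, sig_type, tag = SIG.unpack(raw[BODY.size:])
        if present != 1 or sig_type != SIG_HMAC_STANDIN:
            return "reject: unsigned"
        # Authenticate before trusting any field of the body.
        expected = hmac.new(self.key, body, hashlib.sha512).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad signature"
        fields = BODY.unpack(body)
        length, contract, seq, amount = fields[1], fields[2], fields[3], fields[16]
        if length != RECORD_LEN:
            return "reject: length field mismatch"
        if contract != self.contract:
            return "reject: wrong contract"
        if seq < self.next_seq:
            return "reject: replayed sequence number"
        if seq > self.next_seq:
            return "reject: missing sequence number"
        self.next_seq += 1
        self.paid += amount
        return "accept"


def demo():
    key = b"constructed-demo-key"
    wd = ChargingChecker(key, contract=1001)
    first = build_cdr(key, 1001, 0, amount=5)
    second = build_cdr(key, 1001, 1, amount=5)
    tampered = bytearray(second)
    tampered[BODY.size - 9] ^= 0x01      # alter the low octet of moneyAm.value
    results = [
        wd.check(first),
        wd.check(bytes(tampered)),
        wd.check(first),                  # same record sent twice
        wd.check(build_cdr(key, 1001, 3, amount=5)),
        wd.check(second),
    ]
    return results, wd.paid


if __name__ == "__main__":
    print(demo())
```
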

Claims (41)

1. A method for implementing an access service in a telecommunications network, the telecommunications network comprising an access network (N1), a service-providing network (N2) and terminals (TE1...TE3, PC) that are connected to the access network and operated by users, wherein
- a user terminal is connected to the service-providing network through an interface element linking the access network and the service-providing network, whereby the access service is provided,
- in response to the access service, at least one station message recording is generated, and said record is forwarded to a ticket processing unit (BS) so that the permit holder is charged for the access service,
characterized in that, in the data transmission network,
- when the user contacts the access network with the terminal, a beginning message is generated for charging, indicating the beginning of a single service session,
- a verifiable charging message relating to said access service session is generated,
- the generated charging message is verified, and
- the terminal is allowed access to the service-providing network as long as said message has been generated in an acceptable manner.
2. A method according to claim 1, characterized in that the charging message is generated by the terminal.
3. A method according to claim 2, characterized in that the verifiability of the charging message is ensured by including a digital signature specific to the permit holder.
4. A method according to claim 2, characterized in that the verifiability of the charging message is ensured by a secure data transmission channel.
5. A method according to claim 2, characterized in that the terminal is allowed access to the service-providing network as long as said charging messages are received at a predetermined rate and the correctness of the verification associated with each message is established.
6. A method according to claim 2, characterized in that the terminal also sends data on the permit holder associated with the current user of the terminal, said data being used for checking the verification and for allocating the charging messages received from the terminal to the ticket of that permit holder.
7. A method according to claim 2, characterized in that at least one dedicated accounting server (WD) is used in the network, so that each terminal has an accounting server specifically assigned to it, the accounting server receiving the charging messages generated by the terminal.
8. A method according to claim 2, characterized in that, once the terminal has obtained access to the service-providing network, the terminal generates station message recordings at specific intervals, each record carrying the verification specific to the permit holder and each such record representing the charge for a specific period of access time.
9. A method according to claim 7, characterized in that the beginning message contains the terminal's current address, which is to be forwarded to the accounting server.
10. A method according to claim 9, characterized in that a special access server (SL) is used to forward the beginning message from the terminal to the accounting server.
11. A method according to claim 10, characterized in that, in response to the received beginning message, the accounting server sends the terminal a contract message indicating that the user must agree on a contract relating to the access service.
12. A method according to claim 11, characterized in that the terminal returns the contract message with the verification specific to the permit holder, and the accounting server checks this verification and the station message recording and, after finding them correct, initiates the process of connecting the terminal to the service-providing network through the interface element (R1).
13. A method according to claim 6, characterized in that the identity of the permit holder associated with the user using the terminal is indicated in the beginning message.
14. A method according to claim 12, characterized in that the identity of the permit holder associated with the user using the terminal is forwarded to the accounting server in the contract message.
15. A method according to claim 9, characterized in that, in response to the received beginning message, the accounting server requests from the terminal the data defining the identity of the permit holder.
16. A method according to claim 12, characterized in that the accounting server initiates the process by sending a bind command to the access server (SL), this command being used to control the interface element (R1).
17. A method according to claim 16, characterized in that the interface element comprises a router and the access server maintains the router's access list, which contains the addresses of the terminals that may access the service-providing network through this router.
18. A method according to claim 2, characterized in that, in addition to the access service, the terminal generates station message recordings specifically for each service used in the service-providing network.
19. A method according to claim 7, characterized in that the charge information contained in the charging messages is sent from the accounting server to a separate ticket processing system (BS) for generating tickets specific to the permit holder.
20. A method according to claim 19, characterized in that the charge information is sent to a ticket processing system used in the public telephone network.
21. A method according to claim 17, characterized in that the access server compares, at predetermined intervals, the list of paying terminals on the accounting server with the list of paying terminals on the router, and if the list in the router differs from the list of the accounting server, terminals are connected to or disconnected from the service-providing network.
22. A method according to claim 1, characterized in that the connection between the interface element and the terminal is established at least partly as a wired xDSL-type connection.
23. A method according to claim 1, characterized in that the connection between the terminal and the access network is a wireless connection.
24. A method according to claim 1 in a network using mobile IP as the routing and addressing protocol, in which the terminal is assigned a temporary address when it connects to the access network and registers this temporary address by sending a registration request to its home agent through the external agent in the access network, characterized in that the external agent of the access network generates said beginning message in response to the registration.
25. A method according to claim 16 in a network using mobile IP as the routing and addressing protocol, in which the terminal is assigned a temporary address when it connects to the access network and registers this temporary address by sending a registration request to its home agent through the external agent in the access network, characterized in that
the external agent of the access network generates said beginning message in response to the registration, the accounting server acts as the mobile IP home agent, and the access servers act as external agents serving different subnets, said external agents being used to indicate to the dedicated accounting server of each terminal the subnet in which the terminal is located at any given moment.
26. A method according to claim 1, characterized in that, in a network using a routing and addressing protocol that supports terminal mobility, the network comprises at least one server (DHCP_S) that assigns temporary addresses, so that
- when the terminal connects to the access network, it registers itself with the server that assigns addresses, and
- the server that assigns addresses generates said beginning message in response to the registration.
27. A method according to claim 8, characterized in that, if the terminal has obtained access to the service-providing network, the terminal receives a payment request message when the amount of data transferred during the service session exceeds a predetermined limit.
28. A method according to claim 27, characterized in that the terminal receives information on the amount of data corresponding to the payment request message, or information on the amount of payment corresponding to the payment request message.
29. A method according to claim 7, characterized in that, when the accounting server receives from the terminal a charging message indicating a payment, it determines the user's current arrears, and if the arrears still exceed a specific predetermined limit (B) after said payment, the accounting server sends the terminal a message indicating that an additional payment is required from the terminal.
30. A method according to claim 16, characterized in that the accounting server, in response to predetermined events, including the cases where (i) the accounting server does not receive charging messages in an acceptable manner and (ii) the accounting server receives a special termination from the terminal or the accounting server, terminates the connection between the terminal and the service-providing network.
31. A method according to claim 30, characterized in that, in response to a group of predetermined events, the access server is additionally authorized to terminate independently the connection between the terminal and the service-providing network.
32. A system for implementing an access service in a telecommunications network, the telecommunications network comprising an access network (N1), a service-providing network (N2) and terminals (TE1...TE3, PC) that are operated by users and connected to the service-providing network through the access network, said system comprising
- connecting means (SL) for connecting a terminal to the service-providing network through an interface element (RI) linking the access network and the service-providing network, and
- means for generating station message recordings (CDR) in response to the provision of access to the service-providing network,
characterized in that
- the system comprises initiating means for generating a beginning message for charging when the user connects to the access network with the terminal, indicating the beginning of an access service session,
- the system comprises verification means (SLI) for generating verifiable station message recordings, and
- the connecting means (SL), in response to checking means (WD), connect the terminal to the service-providing network when the station message recording has been generated in an acceptable manner.
33. A system according to claim 32, characterized in that the means for generating charging messages are integrated into the terminal.
34. A system according to claim 32, characterized in that it also comprises identification means (CR) for identifying the permit holder associated with the current user of the terminal.
35. A system according to claim 33, characterized in that the identification means (CR) are located in the terminal.
36. A system according to claim 32, characterized in that the checking means comprise at least one separate accounting server (WD), to which a plurality of terminals send charging messages.
37. A system according to claim 32, characterized in that the connecting means comprise a separate server (SL) in the network, said server controlling the router (R1) that serves as the interface element on the basis of messages sent by the accounting server.
38. A system according to claim 36, characterized in that the identification means comprise a smart card reader (CR) connected to the terminal, and the smart card issued to the user contains at least the identifier of the permit holder associated with the user.
39. A system according to claim 32, in which IP packets are transmitted, characterized in that
- the system uses an IP-layer routing and addressing protocol that supports terminal mobility, according to which the terminal registers when it connects to the access network, and
- the service initiating means are responsible for the registration and generate the beginning message in response to the registration.
40. A system according to claim 39 using the mobile IP routing and addressing protocol, wherein the system comprises at least one home agent and at least one external agent, characterized in that the service initiating means are integrated into an external agent in the system.
41. A system according to claim 39, characterized in that the system comprises at least one server (DHCP_S) that assigns addresses and with which the terminal registers, and the service initiating means are located in said server.
CN98808149.0A 1997-07-14 1998-07-14 Implementation of access service Pending CN1267414A (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
FI972980 1997-07-14
FI972980A FI104667B (en) 1997-07-14 1997-07-14 Implementation of access service
FI981031 1998-05-08
FI981031A FI104668B (en) 1997-07-14 1998-05-08 Implementation of the subscription service

Publications (1)

Publication Number Publication Date
CN1267414A true CN1267414A (en) 2000-09-20

Family

ID=26160423

Family Applications (1)

Application Number Title Priority Date Filing Date
CN98808149.0A Pending CN1267414A (en) 1997-07-14 1998-07-14 Implementation of access service

Country Status (7)

Country Link
EP (1) EP1005737A2 (en)
JP (1) JP2001512926A (en)
CN (1) CN1267414A (en)
AU (1) AU741703B2 (en)
FI (1) FI104668B (en)
NO (1) NO20000170L (en)
WO (1) WO1999007108A2 (en)

Also Published As

Publication number Publication date
EP1005737A2 (en) 2000-06-07
AU8443398A (en) 1999-02-22
NO20000170D0 (en) 2000-01-13
WO1999007108A3 (en) 1999-04-29
FI981031A (en) 1999-01-15
FI104668B (en) 2000-04-14
WO1999007108A2 (en) 1999-02-11
FI981031A0 (en) 1998-05-08
NO20000170L (en) 2000-03-13
JP2001512926A (en) 2001-08-28
AU741703B2 (en) 2001-12-06

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication