JP2003512763A - Secure Internet-compatible two-way communication system and user interface - Google Patents

Abstract

(57) [Summary] A system including a modem confirms authentication of a user command and, in response to the confirmation of the user command (410, 415), restricts bridge communication between the first port and the second port. By prohibiting Internet access (425, 430), unauthorized Internet access is prevented. The system uses a plurality of communication protocol layers to maintain communication with a remote device on a first link via a first port during periods when bridged communication is prohibited. The system also blocks Internet access by inhibiting Internet access by the first communication protocol layer of the plurality of protocol layers (425,430). The system maintains communication with the remote device at another second communication protocol layer of the plurality of protocol layers during a period in which communication of the first protocol layer is prohibited.

Description

Detailed Description of the Invention

The present invention is directed to interactive interactive communications such as cable modems, computers, TVs, VCRs, set top boxes, or their associated peripherals.
System and user interface suitable for use in i-directional communication).

Home entertainment systems are increasingly becoming multiple sources.
And with multiple destination communication, both personal computer and television functions (PC / TV functions) are being included. Such systems include satellite or terrestrial sources, high-definition television (HDTV) broadcasts, multipoint microwave distribution systems (MMDS).
Data, including broadcast and digital video broadcast (DVB), can be received. Such a system may also use a cable modem, for example, over a broadcast or coaxial link (eg, a cable TV line), or ADSL (Async).
hronous Digital Subscriber Line) or ISDN (Integrated Service Digita)
l Network) You can also use a compatible modem to provide high-speed Internet access over a telephone line link. Home entertainment systems include local sources such as digital video disc (DVD), CDROM, VHS, and digital VHS (DVHS®) type players, PCs, set-top boxes, and many other sources. Can also communicate with.

A home entertainment system that supports Internet compatible bi-directional communication using cable modems and other types of modems should be able to provide security and operational flexibility. Specifically, it provides a secure user interface to prevent unauthorized Internet access and assists complex user interactive tasks, while providing a simple command interface suitable for the general public. It is desired to provide. Further, in configuring home entertainment communication features to manage and access elements and peripherals of the home entertainment system, and to support Internet applications, and Internet domain names (eg, Universal Resource Locator, URL It is desirable to provide user flexibility in assigning). Such applications include, for example, video receivers, audio receivers, VCRs, DVDs, PCs, printers, scanners, copiers, telephones, operated in stand-alone mode or in a domestic (or other) intranet. Accompanied by equipment including fax machines and household appliances. These problems and the problems derived therefrom are addressed by the system according to the present invention.

Systems that include a modem locally generate a WEB page as a user interface, which allows the user to lock the modem and prevent unauthorized Internet access. Modems (two-way communication devices such as cable modem ADSL and other types of modems) use multiple protocol layers when communicating over communication links. This system verifies the user command authorization (va
Then, in response to the confirmed user command, the internet access is blocked by prohibiting the internet access by limiting the bridging communication between the first port and the second port. The system uses multiple communication protocol layers to maintain communication with a remote device on a first link via a first port during periods when bridge communication is prohibited.

As another feature, the system blocks internet access by prohibiting internet access of a first communication protocol layer in multiple protocol layers. The system maintains communication with a remote device at another second communication protocol layer of the plurality of protocol layers during periods when communication at the first protocol layer is prohibited.

FIG. 1 shows a modem's Internet communication function.
By providing the user with the ability to lock and unlock
1 illustrates a cable modem system that advantageously blocks unauthorized Internet access. This cable modem system is a domain name snoop server (DNSS).
) Is also incorporated, which makes it easier to request domain name resolution (Domain Name resol
The ution request is intercepted, and the domain name is translated into the corresponding Internet compatible WEB page address. To support these and other features, the modem advantageously uses different standardized browser applications to generate WEB page-based graphical user interfaces for display to the user on a PC. . These modem features prevent unauthorized Internet access, provide user flexibility in assigning Internet domain names, and use a simple command interface suitable for the general public to provide home (or other) intranet systems. Addresses the problem of managing and accessing the elements and peripherals of.

The exemplary embodiment of system 12 shown in FIG. 1 is a cable modem cable communication between a remote CATV headend and a local area network (LAN) device, such as a PC local to the cable modem. mod
em bridging communication). Bi-directional communication between the system 12 and the CATV headend is in a multi-layer protocol format. This multi-layer protocol format is QAM (Quadrature Amplitude Modulation) or QP
It includes a physical layer using SK (Quadrature Phase Shift Keying). This physical layer is DO
CSIS MAC (Media Access Control) Transports MPEG2 (Moving Pictures Expert Group) transport protocol data that conveys data frames. MAC data carries Ethernet data frames or MAC management data,
Ethernet data carries IP layer data. The cable modem also maintains a return communication path to the CATV headend using time division multiplexing of return data according to the Ethernet protocol.

Comprehensive physical layer data sent from the CATV headend to the cable modem is processed for communication to a LAN device connected to the corresponding Ethernet or USB port. Ethernet
(Registered trademark) format or USB format. The cable modem maintains two-way communication with the LAN device and also supports the corresponding Ethernet (Eth
ernet) (registered trademark) protocol or USB protocol to receive data from the device. Bidirectional communication between the system 12 and an Ethernet compatible or USB compatible device (connected to ports 72 and 82 of the system 12) is similar to communication between a CATV headend and the system 12. For this, a multi-layered protocol format is used. This multi-layered protocol format
Is an Ethernet (registered trademark) / USB frame, HTTP (Hyper T
ext Transmission Protocol) and TCP / IP (Transmission Control Prot)
ocol / Internet Protocol) data, and other protocols depending on the application being served.

The cable modem described herein uses an MPEG compatible protocol that complies with the MPEG2 image coding standard, referred to as the “MPEG standard”. This standard is based on the system encoding section.
(ISO / IEC13818-1, June 10, 1994) and video encoding section (ISO / IEC13818-2, 1995).
January 20th) is included. Internet TCP / IP described herein
And Ethernet compatible protocols were approved by the International Telecommunication Union (ITU) in March 1998, and RFC 2669 (Request).
st For Comment Document 2669), multimedia cable network system (MCNS) preparation requirements (prelimi
nary requirements) and DOCSIS 1.0 (Data Over Cable Service Interfa
ce Compatibility 1.0) Provides compatibility with requirements. Further, the discussion of domain name processing in this specification is described in RFC 1591 in March 1994, and RFC in February 1996.
1918, and other documented domain name resolution procedures (Domai
n Name Resolution procedure). RFC documents are available via the Internet and are produced by the Internet Standards Working Committee.

The principles of the present invention can be applied to any two-way communication system and are not limited to cables, ADSL, ISDN, or conventional modems. Also, while the disclosed system is described as processing WEB page data for display, this is merely an example. The term "WEB page" may be generally construed to represent any form of data that can be communicated from an Internet source via the Internet Protocol (IP), such as streamed video or audio data, telephone messages, Computer program, email,
Or it includes any form of packet data, including other communications.

The cable modem (system 12) shown in FIG. 1 communicates with a CATV headend through a bidirectional wideband high speed RF link on line 10, which link
It is typically composed of coaxial cable or hybrid fiber / coaxial cable (HFC). The modem system 12 bidirectionally communicates with a device located at a user site via a local area network (LAN). A general user side local area network is connected to a digital / digital interface through a connector 72.
Includes Intel / Xerox Ethernet (R) compatible network. Other user-side devices communicate via a Universal Serial Bus (USB) compatible network connected via connector 82. Ethernet (E
user devices connected to the thernet) (registered trademark) and USB networks include, for example, personal computers (PCs), network printers, video receivers, audio receivers, VCRs, DVDs, scanners, copiers, telephones, fax machines, And appliances such as home appliances.

In operation, the diplexer 2 of the cable modem system 12 shown in FIG.
0 is the downstream communication (CATV) carried on the cable line 10.
Upstream communication (transmitted from the modem 12 to the CATV headend) from the headend transmitted to the modem 12). Diplexer 20
Separates the upstream data from the downstream data based on the difference between the frequency ranges used by the upstream data (usually 5 to 42 MHz) and the downstream data (usually 92 to 855 MHz). The controller 60 constitutes an element of the cable modem 12 shown in FIG.
At 0, it receives MPEG2 transport data from the CATV headend and converts that data to an Ethernet compatible or USB compatible format for output via ports 72 and 82, respectively.
Similarly, the controller 60 constitutes an element of the cable modem 12 shown in FIG. 1 with ports 72 and 82 providing Ethernet compatible or U
It receives SB compatible data, converts it and sends MPEG2 transport protocol data over the cable line 10 to the CATV headend.
The controller 60 uses the bidirectional data and control signal buses to
Configure the elements of system 12 by setting the control register values of the two elements. Specifically, the controller 60 includes a tuner 15, a SAW filter 25, a differential amplifier 30, and an MCNS (Multimedia Cable Network System) so as to receive a DOCSIS format signal at the RF channel frequency identified in advance. System) interface device 35. Signals in DOCSIS format comprise an MPEG2 transport protocol format that carries Ethernet compatible data frames containing IP data content.

The controller 60 uses an initialization process to determine the RF channel frequency with which the tuner 15 is set for reception. This initialization process repeatedly tunes to successive RF channel frequency candidates until a DOCSIS compliant signal is obtained. Controller 6
0 indicates a candidate channel depending on the success of decoding the received data by the MCNS interface processor 35 and the error rate within the allowable range of the corresponding decoded data.
Recognize DOCSIS compliant signals on the (candidate channel). The controller 6 for various purposes such as adaptively and iteratively adjusting upstream and downstream communication parameters during the initialization process.
0, in cooperation with MCNS interface 35, amplifier 85, and RF transformer 87, also sends data upstream to the CATV headend. This parameter includes, for example, the transmission output level of the cable modem and the timing offset.

During normal operation after initialization, 64QAM (Quadrature Amplitude Modulation) or 256QAM
To modulate the RF carrier with MPEG2 transport protocol data. The MPEG2 transport data includes Ethernet (registered trademark) format data, and the Ethernet (registered trademark) format data represents, for example, an HTML (Hyper Text Markup Language) WEB page requested by the user. Contains data. The MPEG transport data is the diplexer 2
0 to tuner 15 are provided. The tuner 15 down-converts the input signal from the diplexer 20 to a lower frequency band and filters it with the SAW filter 25 to enhance the separation of the signal from the adjacent RF channel. The filtered signal from unit 25 is level shifted and buffered in differential amplifier 30 to provide a signal compatible with MCNS interface processor 35. The down-converted and level-shifted signal from the amplifier 30 is demodulated by the MCNS processor 35. This demodulated data is further trellis-decoded by processor 35 to be mapped into byte aligned data segments, deinterleaved and Reed-Solomon errors corrected. Trellis decryption
(Trellis decoding), deinterleaving, and Reed-Solomon error correction are well known functions, eg Lee and Messerschmi.
Reference text "Digital Communication" by dt (1
Kluwer Academic Boston, Massachusetts, USA, 1988
Press). The processor 35 further converts the MPEG2 format data into an Ethernet (registered trademark) data frame,
It is provided to the processor 60.

The processor 60 parses and filters the Ethernet compatible data received from the unit 35 using a configured filter from the CATV headend. Processor 6
The filtering performed by 0 is the I in the incoming Ethernet frame packet provided by the unit 35.
Match the P data identifier with the IP identifier value preloaded from the CATV headend. This IP identifier value (IP
The identifier value) may be during initialization prior to this, or the configuration operation (configu
ration operation). With this technique, the processor 60 implements a data admission control function, transfers selected data to a local LAN device, and discards other selected data content. This configurable filter system (configurable fil
ter system) is (a) content rating for parents.
content ratings for parental or other blocking control, (b) preset user preferences for targeting advertisements and "push-content", (c) Firewall filtering, (d) identity of source, (e) data search function (dat
a search function), and metadata items (met
It can be used to advantage in filtering data based on a data item. The filtered Ethernet compatible serial data is sent to a PC via an Ethernet interface 65, a filter and isolation transformer 70, and a port 72.
Be communicated to. The interface 65 buffers and coordinates the data from the processor 60 for filtering and conversion in the unit 70 and output to the PC via the port 72.

Similarly, the controller 60 performs conversion and filtering for outputting the IP data (carried in an Ethernet® data frame) from the processor 35 in the USB format via the port 82. To do. US
The B data is buffered by the transceiver 75, filtered by the noise and buffering suppression (EMI / ESD) filter 80, and then output to the USB compatible LAN device connected to the port 82.

The modem system 12 also communicates data, eg from a connected PC, upstream to the CATV headend. To this end, the controller 60 of the system 12 receives Ethernet compatible data from the connected PC via the port 72, the interface 65, and the filter / separation transformer 70, and sends it to the processor 35. provide. Processor 35 modulates the RF carrier with the received Ethernet format data using 16QAM or QPSK (Quadrature Phase Shift Keying).
The resulting modulated data is transmitted to the amplifier 85, for upstream communication.
Through the transformer 87 and the diplexer 20, the signals are time-division multiplexed and placed on the cable line 10. Amplifier 85 outputs the data to the CATV headend at the appropriate power level selected during the initialization process described above. The transformer 87 has a certain degree of fault and noise (when the modem 12 has a fault, or when the modem or a device connected thereto has a noise locally).
noise) separation.

Similarly, modem system 12 also communicates data upstream from devices connected via USB port 82. In one exemplary embodiment, the controller 60 of the system 12 may include a transceiver 75 to the Ethernet (Etherne).
t) (registered trademark) compatible data is received and provided to the processor 35 to perform upstream communication in the above-described manner. To this end, the transceiver 75
The Ethernet (registered trademark) data encapsulated in the SB frame is received from the port 82 via the filter 80, the USB frame data is removed, and the Ethernet (registered trademark) format data is converted to the controller 60.
To provide.

The controller 60 also responds to the on / off and reset switch 90 and performs various functions other than those already described. Specifically, the modem 12 is conveniently instructed by the controller 60. (a) The user locks the modem,
It allows you to block unauthorized Internet access, (b) supports interception of domain name resolution requests and translation of domain names into corresponding Internet-compatible WEB page addresses, (c) home, private Internet, or other Allows you to assign an Internet domain name independently of the public Internet for use with your intranet system,
(D) Generate an interactive HTML WEB page as a graphical user interface. In addition, the controller 60 uses the configuration information provided by the CATV headend to configure the parameters of the modem 12. The controller 60 also directs the system 12 in synchronizing and multiplexing upstream communications onto the cable line 10 and implementing rate limiting in controlling upstream data traffic. In addition, controller 60 bi-directionally filters the received data to provide the selected data to both the CATV headend and the LAN device connected to ports 72 and 82. The controller 60 also maintains a TCP / IP data stack for buffering and data management, and provides data ranging communication (data ra) with the CATV headend.
nging communication) is supported. This ranging communication (ranging communica
initiated by the CATV headend, the continuous but intermittent polling of individual modems to determine status and identify modem or line failures. including.

FIG. 2 illustrates the functionality of the cable modem of FIG. 1 in a network environment including multiple PCs and CATV headends. The functional elements of FIG. 2 shown within system 12 are combined with the remaining elements of system 12 depicted in FIG.
It is performed by the controller 60 (FIG. 1). In FIG. 2, the cable modem 12 provides bidirectional bridge communication between the headend cable service provider 240 and the PCs 220 and 265 connected to the LAN. System 1
At 2, bi-directional bridge communication between different input and output protocols is provided by interface and protocol conversion functions 225 and 235. The bidirectional communication paths provided by the units 225 and 235 are based on the protocol conversion (pro) of the multi-layered protocol structure.
support tocol conversion). As described above in connection with FIG. 1, the protocol layers include, in addition to the USB protocol layer and the QAM or QPSK modulation physical layer, hierarchical MPEG2, Ethernet (registered trademark),
An IP protocol layer is included. Also, the TCP / IP stack 260 uses the WE
B page generator, server and management function 255, and SNMP (Simple Network Management Protocol) communication function 2
For 45, buffer request and response message data. Furthermore, SN
Both the MP communication function 245 and the WEB page manager function 255 use the modem database 250 in responding to commands.

SNMP function 245 receives and interprets SNMP communications from CATV headend 240 and manages the operation of system 12 in response to the communications. Specifically, function 245 configures modem 12 and updates system parameters using configuration information provided by the CATV headend. Function 245 also includes PCs 220, 265, and C.
Parsing messages received from ATV headend 240 and forwarding, resending,
Or set the bidirectional filter of system 12 for discard. Function 245 also supports the headend 240-initiated ranging communication function described above to perform continuous polling of modem 12 to determine modem status and activity.

The Web pate generator function 255 generates an interactive HTML WEB page as illustrated in FIGS. 12 and 13 described later. The generated WEB page includes a graphical user interface that allows technicians to easily perform diagnostic tests on system 12 and its associated networks. Function 255 generates, for example, an HTML WEB page for display on the connected user's PC 220, allowing the technician to directly determine faults and status through that user's PC. The generated WEB page can also be accessed remotely using SNMP or other protocol after performing a password and user ID authentication procedure on the remote PC. The generated WEB page authorizes the user by the ability to lock and unlock the Internet communication capabilities of the modem.
d User) to prevent unauthorized Internet access. The generated WEB page also has a user interface that can display and / or update system parameters and received data such as security alerts, special events (such as advertisements), network traffic statistics or underflow or overflow conditions, and data transfer statistics. Also provide. The WEB page contains diagnostics, billing, status, internal settings (internal c)
onfiguration) and other information to change the modem configuration (modem configur
ation change) is also possible. In another embodiment, the functionality described herein performed by the generated WEB page can be incorporated into the WEB browser page.

The WEB page generated by function 255 also provides an interface that allows a user to assign an internet domain name to the private internet (relative to the public internet). This interface allows, for example, a user to assign an Internet domain name to an element of a home (or other) intranet system. For this purpose, the domain name snoop server (DNSS) 230 that intercepts is, for example, the PC 220.
It supports the interception of domain name resolution requests generated by the PC 220 in response to a user's Internet WEB page request initiated via a browser running at. The DNSS 230 translates the intercepted domain name into a corresponding private interface WEB page address to generate a WE independently of the public Internet for use in a home or other private internet or intranet system.
Allows you to assign a private internet domain name via page B.

FIG. 3 is a flow chart showing a method for converting a domain name into a corresponding Internet compatible WEB page address. This method uses the controller 60 of FIG. 1 (along with the other elements of system 12 of FIGS. 1 and 2) via a WEB page generated for use in a home or other private intranet system. Allows you to assign a private internet domain name. Following the start of step 300, the PC 220 (FIG. 2) proceeds to step 303 (FIG. 3), where the user's W
In response to the EB page request, send a domain name resolution request to system 12 (FIG. 2). The PC 220 browser submits the domain name request according to standard Internet resolution protocols. This protocol is, for example, RFC1035,15
91, 1816, and subsequent RFCs related to these documents and earlier RFCs, such as RFCs (Request For Comment) available on the Internet.
) Detailed in the document.

Internet Domain Name Resolution request
st) is the domain name server used to resolve the domain name into an IP address (
DNS). Request is one or more D's from a resolver to get the full IP address of a particular machine or device.
Submitted to NS. For example, when the user uses the WEB browser to enter RCA. Suppose you typed com. It will then be sent to DNS, which will send it to IP address 15
Can be converted to 7.254.235.215. WEB browser is this I
Contact the WEB server using the P address and retrieve the WEB page information. Note that this example is extremely simplistic. In practice, several DNSs that are organized hierarchically are referred to as referrals or recursion.
) Process, and many other processes involved, including caching and age factor processing.

The domain name resolution request is passed from the PC 220 to the system 12 to transfer the domain name entered by the user and translate it into the corresponding IP address of the requested WEB page source. At step 305, an intercepting domain name database (unit 250 in FIG. 2) is provided for use by system 12. The intercepting domain name database associates the IP address with the domain name of the home LAN (private intranet) intranet device. Also, this database is a WE generated by the system 12.
It is obtained from the domain name and IP address information that the user locally assigns via the B-page interface. Alternatively, the intercepting domain name database is located at the remote Internet location.
, From the CATV headend to DHCP (Dynamic Host Configuration Pr
It can also be downloaded using otocol). In another embodiment, the intercepting domain name database may be downloaded from a local internet location, eg local storage, or the database may be pre-stored in system 12.

In step 310, the snoop server (DNSS) of system 12 (FIG. 2) is
) 230 examines the domain name resolution request message from PC 220 to determine if the delivered domain name matches the name in database 250. If the delivered domain name matches the name in the database 250 (FIG. 2), then in step 315 the system 12 (the controller 6 in FIG.
Intercept the domain name resolution request from the PC 220 (FIG. 2) (instruction 0). If there is such a name match, the system 12 at step 317 prohibits further communication of the domain name resolution message to the public internet domain name server. In step 320, the snoop server (DNSS) 230 uses the database 250 to convert the intercepted domain name into an IP compatible address, and in step 323, returns the IP address to the request source (PC 220 in this example). In addition, in step 325, the system 12 translates the domain name and IP address and the history of requests.
Domain Name and IP address translations and requests) database 25
0 for monitoring and, for example, parental control
, Collate and compile that information for other purposes, including firewall filtering, or for accumulating user favorite data as a background operation. The edited information is the W generated by the unit 255 continuously or at the user's request via the WEB page.
Enable to display on EB page. The process of FIG. 3 ends at step 330.

In another embodiment, step 317 is not performed and system 12 also communicates the domain name resolution message received from PC 220 to the public Internet domain name server. In this case, system 12 can receive two IP address translations in response. That is, the conversion from the DNSS 230 and the conversion from the remote public domain name server. The IP addresses received may or may not be the same, resulting in potential address conflicts and race conditio.
n) may occur. To prevent problems due to such race conditions, system 12 is programmed to select the first received IP address response. Typically, the first response received is from the local DNSS 230. Alternatively, the system 12 may be otherwise conditioned, for example, the system 12 may be conditioned to prioritize responses from particular sources, such as from a remote server.

By the function of the intercepting domain name server and the process of FIG. 3,
A means is provided for a user to easily and quickly assign, add, or change an Internet domain name for use on the private Internet, for example to accommodate the addition of devices to the private Internet. This allows
The user has the flexibility to manage and change the configuration of home (or other) intranet system elements and peripherals, for example, via a WEB page running in a standardized browser. Users do not have to impact the public Internet, and do not incur the hassle and time-consuming burden of registering domain name assignments and changes with public Internet gateways and service providers (ISPs), and private Internet domains. Name assignment can be advantageously managed. In addition, a user requesting a WEB page generated within the private internet can
There is no need to know the complex IP address of the page. Instead, the user can access the WEB page by submitting a locally assigned private internet domain name, and the intercepting domain name server recognizing that it matches the WEB page of the request. it can.

By the function of the intercepting domain name server and the process of FIG. 3,
The following are advantageously possible: (A) Dynamically allocate the IP address of a WEB page generated by the system 12 or the IP address of another information source or device on the private Internet for security or other purposes.
(B) Assigning an alias (or user-customizable) domain name and IP address to the information source, and the system 12 (or DNS server) is addressed directly to it, for example. Intercept non-DNS requests and allow them to respond.
Then, (c) the domain name is replaced with the locally assigned substitute name. Thus, the system 12 can communicate to devices on a LAN or subnet with a locally assigned private internet domain name or IP address that identifies the device as being on that particular LAN or subnet. The domain name or IP address is, as explained above,
It can be assigned via a WEB page generated by the unit 255, or by downloading the data locally or remotely to the database 250 (FIG. 2). This allows the user to access the WEB page generated by the unit 255 of the system 12, for example, on the LAN.
There is no need to adjust the IP address or netmask of the above PC.

FIG. 4 is a flow chart of a method of inhibiting and unlocking Internet access using a cable modem. The user interface is Ethernet (Ether
Net) (registered trademark) is presented to the PC connected to the port 72. This method is shown in FIG.
Controller 60 (along with the other elements of system 12 of FIGS. 1 and 2) is used to securely lock the modem to prevent unauthorized Internet access. This allows one unauthorized user (such as a child) to (u
nattended) is guaranteed not to be able to access the network device. Also, the user is guaranteed that he cannot access his PC while the modem is locked.

Following the initiation of step 400, the communication bridge function of the cable modem 12 is enabled in step 405 of FIG. As described above, this bridge function allows an Ethernet (registered trademark) device such as a PC connected to the port 72 of the system 12 of FIG. 1 to communicate with the cable line 10 according to the specifications of the DOCSIS standard. For connecting to an RF network. According to the DOCSIS standard, modems are stably ranging (ie, maintaining bidirectional communication) with a cable modem termination system (CMTS) while connected. Therefore, removing internet connectivity requires the consumer to physically disconnect the modem from the RF net or remove power to the modem. The method and system described in connection with FIG. 4 uses hardware (ie lock and key) or software (ie username and password) to disable the bridge function of the modem. Providing a locking mechanism. This protects consumer network devices connected to that modem from external traffic and prevents unauthorized users from accessing the Internet through the modem.

Authentication of the user initiating the lock on the modem is accomplished by steps 410 and 41 of FIG.
Check with 5. Specifically, in step 415, the user ID and password input in step 410 are confirmed using the menu illustrated in FIG. This menu and other menus used in the process of FIG. 4 are displayed on a PC connected to port 72 (FIG. 1). If an incorrect password or user ID is entered, use the Incorrect Password Handling menu of FIG. 11 to attempt to specify steps 410 and 415 until control 60 (FIG. 1) declares a successful or unsuccessful confirmation. Repeat over and over.

The password of the modem is changed using the password change menu illustrated in FIG. This menu can be activated via icons 505 and 605 in the exemplary WEB page generated by the modems of FIGS. 5 and 6, respectively. The password change menu of FIG. 10 prompts the user to enter the original password and the new password twice (to confirm the new password). A typical password can be, for example, up to 10 letters, numbers, and any combination of characters other than alphanumeric characters. The password can be initially set when the modem 12 is initialized using the menu of FIG. 10 or a similar menu. Alternatively, if the password is lost, the headend can also reset the password using a software mechanism, MIB (Management Information Base that contains software procedures that allow remote management). A default password (eg, "letmeout") detailed in the user manual can be used to invoke the procedure that causes the headend to reset the password. In such a system, if the password is lost or forgotten, a private MIB made available in the modem allows a management station operated from the cable headend or a network operations center controlled by the internet service provider to The password can be reset to default again. To this end, the SNMP manager at the headend or network operations center may be required to reset either the user's password or user ID, or both the password and user ID.
Command B. To invoke this procedure, the user calls the cable operator or network operations center and provides the default password as the authentication for the request to reset the password on his modem. Alternatively,
Modem 12 is not in lock mode, modem 12 is connected to PC and CAT
Assuming that bridge communication between V headends is permitted, the modem 12
The default password can be communicated to the headend via the and the MIB-based procedure for resetting the password can be invoked directly.

If the confirmation is successful in step 415, the user requests the display of the WEB page in step 420. The requested WEB page acts as the user interface,
Have the user lock the modem and prevent Internet access communications. In step 425, the user initiates locking and unlocking of the modem's Internet access communication with icons 500 and 700 on the WEB page of FIGS. 5 and 7, respectively. Alternatively, the user initiates unlocking and locking of Internet access communications by checkboxes 600 and 800 on the WEB page of FIGS. 6 and 8, respectively. In step 425, the user initiates a modem lock using the WEB page icon 500 of FIG. 5 or a checkbox (such as, for example, the WEB page icon 800 of FIG. 8). In another embodiment, the functionality described herein can be activated and inactivated using user interface menus and WEB pages different than those depicted in FIGS. 5-12.

In step 430, the Internet access communication of the modem 12 is disabled and a WEB page showing this disabled status is displayed in a manner as illustrated by icons 500 and 800 of FIGS. 5 and 8, respectively. . Modem 12 disables Internet access by advantageously prohibiting bridged communication of IP data between the CATV headend and LAN devices connected to ports 72 and 82. When locked, the client device (
Any attempt to access the Internet from a WEB browser on, for example, the PC 220 in FIG. 2) is restricted to accessing content cached on that PC itself or to WEB pages generated internally by the modem 12. It While the modem is locked, no traffic is passed from the customer's home network or PC (and private internet) to the RF side of the network and to the headend and public internet. The modem's bridging function is disabled.

In this locked state, the modem 12 maintains multi-layer protocol communication with the CATV headend to support the DOCSIS standard ranging process and to the modem 12 database (unit 250 in FIG. 2). SNMP (
Access by a simple network management protocol defined in RFC1157 is supported. Ranging communication pro
cess) is initiated by the CATV headend, for which DOCS
It is described in the IS Radio Frequency Interface Specification. Ranging communication message
The (ranging communication message) includes a periodic ranging maintenance message carried in the MAC (Media Access Control) layer of the OSI (Open Systems Interconnection) network model.
For database communication, SNMP that uses a user datagram protocol (UDP) that operates in IP of the session layer of the OSI model is used. During lock mode, modem 12 also maintains multi-layer protocol communication with a PC (eg, PC 220 of FIG. 2 connected to an Ethernet port).
It provides a WEB page-based user interface (as illustrated in FIGS. 5-8) and allows the user to unlock and relock the modem as needed.

The modem 12 uses the filter mechanism to connect to the CATV headend and connect LAN.
Internet access is disabled by advantageously prohibiting bridged communication of IP data between devices. In this embodiment, bidirectional communication of IP layer data is prohibited. However, in another embodiment, a filter mechanism may be used to pass data between the CATV headend and the attached LAN device at one or more specific protocol layers while inhibiting communication at other protocol layers. it can. Further, bidirectional filtering can be used to pass a particular protocol layer in one direction, such as from the headend to the LAN device, while passing one or more other layers from the LAN device to the headend. Alternatively, all bridge communication may be prohibited. The filter is implemented as a configurable filter to direct data between a CATV and a connected LAN device to one or more of (a) content, (b) protocol type, and (c) data source or destination. It can be used for bidirectional filtering based on Content filtering can be performed based on metadata, other content, or items derived from the content for a variety of specific purposes, including those described above in connection with FIG.

The filter may be implemented in a manner similar to the DOCSIS cable device MIB specified in RFC 2669, which defines the docsdevFilterIPDirection object and the docsDevFilterIpDaddr object, or may be implemented using other filter mechanisms. By mainly using a filter that uses these two objects, the user's WEB browser (
For example, all traffic from the WEB browser on PC 220 shown in FIG. 2) to the headend to the Internet or selected traffic can be restricted. Initializing the lock causes the modem to filter the data traffic and have a destination address (corresponding to the IP of the cable modem termination system at the headend) matching the IP address of the gateway (eg P
Restrict all inbound traffic from the browser (C220). Alternatively, configure such a filter based on the docsdevFilterIPDirection object and the docsDevFilterIpProtocol (or based on another mechanism) to restrict all selected content passed in either direction through the selected protocol or modem. Good. This ensures increased security by allowing the user to block access to the Internet and also from the Internet (via the headend) to the user's PC.

In another embodiment, in step 430 of FIG. 4, the modem 12 inhibits communication to the CATV headend by the Ethernet communication protocol layer and at the same time to the CATV headend by the MAC protocol layer. Prevent unauthorized Internet access by maintaining communication. M
The AC protocol layer carries management information supporting ranging operations and other modem and network management functions. In addition, the modem 12 at the same time maintains multi-layer protocol communication with the PC (eg, the PC 220 of FIG. 2 connected to the Ethernet port of the modem 12) to enable W
Provide an EB page-based user interface (as illustrated in FIGS. 5-8) to allow the user to unlock and relock the modem as needed.

Next, the process of FIG. 4 will be described. If the unauthorized user attempts to surf the web at step 445, for example, locking the modem at step 430, it is all blocked, so that this branch of the process of FIG. 4 ends at step 450. Alternatively, at steps 440, 455, and 460, the authorized user can unlock the modem. In this case, when the user attempts to unlock the modem in step 440, a password prompt menu (eg, the menu of FIG. 9) is displayed in response. The user is, for example, the WEB of FIG.
The modem can be unlocked by activating an unlock button 700 on the page or by checking the "Web Access" checkbox 800 in FIG. Following the password entry in step 455, upon confirmation of the correct password in step 460, the modem is unlocked in step 470 to support bridge communication and provide the user with Internet access. This branch of FIG. 4 ends at step 475. Upon identifying an invalid password in step 460, in step 465
The user is notified that the entered password is invalid through the menu illustrated in FIG. Through this menu, the user can retry the password verification, which begins at step 440, or abort the attempt to unlock the modem, at step 465. If the user aborts the unlock attempt at step 465, the process returns to step 430 to display the WEB page.

In another embodiment, user authentication for locking and unlocking the modem to provide Internet access can be done in another manner without the need for a password or user ID entry. An access card mechanism may be provided in modem 12 for use, for example, in authentication based on digital signatures, other authentication, or verification of entitlement data. Similarly, the modem 12 can support different access devices such as a physical key to establish user authentication or an electronic key.

FIGS. 12 and 13 show WEB pages generated by the cable modem of FIG. This WEB page allows, for example, a technician to advantageously determine and adjust a particular internal modem configuration. This web page includes (a) configuring modem 12; (b) requesting display of system parameters; (c) selecting service billing options; and (d) assigning Internet addresses. , Interactive functions including one or more of: This WEB page uses password protected access similar to the scheme described above in connection with blocking unauthorized Internet access. Therefore, even if an unauthorized user learns the URL address of a specific WEB page, the WEB page is password protected. This WEB page also displays certain diagnostic information to the technician, which allows the technician to view internal status (eg, items 910-920 in FIG. 13).
) To access and set configurations is no longer necessary to rely on LED displays or special diagnostic equipment. In addition, such a WEB page allows a technician to use the customer's PC to access and configure the modem 12 (FIG. 1), providing the technician with a PC or laptop, for example. The costs associated with doing so can be eliminated. The technician can, for example, set the power level of the return channel (item 913 in FIG. 12). The information obtained on this WEB page includes unique information about the customer's network configuration. Specifically, for example, the number of PCs connected to the network, the speed of Ethernet (registered trademark) (
100 Mb or 10 Mb), and the MAC address of modem 12 (items 900 and 902 in FIG. 13). Similarly, the displayed WEB page is (a
) IP address of the WEB page, (b) File Transfer Protocol (FTP)
Other address information can be displayed, such as the address and (c) email address. The WEB page also provides other customer network information, including details about traffic volume and collisions on the network. This is convenient because it eliminates the need for personalized diagnostic equipment and software.

Modem 12 also generates a browser alert box for certain network events that the user may wish to be notified of. Further, the browser displays special HTML information during the retrieval of the WEB page data. During this time, the modem 12 sends information to the user regarding the particular event occurring on the network. Such events include unauthorized access to the user's LAN network, LAN network traffic overflow, and the amount of data transferred through modem 12. The modem 12 also allows the cable internet service provider to limit data transfer by setting a quota, and the user can also see the amount of data transferred. This alert box also allows the user to see statistics for certain types of access including WEB page fetching, DNS requests, FTP (File Transfer Protocol), file transfers, email messages, and so on. In another embodiment, such events and information associated therewith are not limited to display in a browser alert box, but instead respond to a request to retrieve information on demand from the modem 12.
You can also see it on the WEB page generated by. The information item described above in connection with FIGS. 12 and 13 is, for example, the area of FIG. 12 and FIG.
a) It may be displayed on 905 and 907 or may be presented in another display format.

In addition, the command line (item 911) of FIGS. 12 and 13 can be used to enter a domain name or IP address and assign it to the (locally connected) peripheral of the modem 12. it can. The command line 911 also
It can also be used to associate an input domain name with its corresponding IP address, and vice versa, which requires updating the database in modem 12. Peripherals can have (a) devices on the intranet, (b) devices on the domestic home network, and (c) devices on the private internet. Similarly, command line 911 provides a data input line to allow a user to enter data for setting data traffic filters in modem 12. Such a traffic filter would be (
a) Content rating by parents or for other blocking controls, (b
) Filtering data based on preset user preferences, (c) firewall filtering, (d) source or destination identification, (e) data search capabilities, to target ads and "push content" to serve. Can be used for Alternatively, on the WEB page of FIGS. 12 and 13,
For example, the menus displayed in the areas 905 and 907 can be used, and specifically, it supports the input, assignment, and association of the domain name and the corresponding IP address. Similarly, the unique menus presented in areas 905 and 907 are used to activate and deactivate the data traffic filter.
g), and can also be used for configuring.

The modem 12 also functions as a browser proxy agent for web page surfing. This increases the browser's WEB surfing speed, especially if multiple browsers (ie, multiple PCs on the customer's LAN network) are active at the same time. The modem 12 fetches in advance a WEB page associated with the WEB page that the user is browsing at that time and forward-caches it. This eliminates the delays caused by remote WEB sites and Internet infrastructure, thus increasing the speed of surfing the Internet. Furthermore, by setting the internal filter described earlier in connection with FIG.
The modem 12 is used as a firewall to eliminate unwanted traffic that can cause confusion and protects a user's net system at home or business from outside intrusion and destruction.

The architecture of the system of FIGS. 1 and 2 is not exclusive. It is possible to obtain different architectures and achieve the same objectives in accordance with the principles of the invention. Further, the functionality of the elements of modem 12 of FIGS. 1 and 2 and the process steps of FIGS. 3 and 4 may be implemented in whole or in part by programmed instructions of controller 60. Also, the principles of the present invention can be applied to any two-way communication system with any multi-layer protocol and are not limited to DOCSIS compatible modems or any other type of modem.

[Brief description of drawings]

[Figure 1]   1 illustrates a cable modem system according to the present invention.

FIG. 2 illustrates the functionality of a cable modem in a network environment with multiple PCs and a cable TV system headend according to the present invention.

FIG. 3 is a flow chart illustrating a method of converting a domain name into a corresponding Internet compatible WEB page address according to the present invention.

FIG. 4 is a flow chart illustrating a method for inhibiting and unlocking internet access using a cable modem according to the present invention.

5 is a WEB page generated by the cable modem of FIG. 1 representing an example of a user interface menu that provides the ability to lock and unlock the Internet in accordance with the present invention.

FIG. 6 is a WEB page generated by the cable modem of FIG. 1 representing an example of a user interface menu that provides the ability to lock and unlock the Internet in accordance with the present invention.

FIG. 7 is a WEB page generated by the cable modem of FIG. 1 representing an example of a user interface menu that provides the ability to lock and unlock the Internet in accordance with the present invention.

8 is a WEB page generated by the cable modem of FIG. 1 representing an example of a user interface menu that provides the ability to lock and unlock the Internet in accordance with the present invention.

9 is a user interface menu generated by the cable modem of FIG. 1 illustrating the entry of passwords and user IDs used to manage Internet access in accordance with the present invention.

FIG. 10 is a user interface menu generated by the cable modem of FIG. 1 illustrating the entry of passwords and user IDs used to manage Internet access in accordance with the present invention.

FIG. 11 is a user interface menu generated by the cable modem of FIG. 1, illustrating the entry of passwords and user IDs used to manage Internet access in accordance with the present invention.

FIG. 12 is a WEB page generated by the cable modem of FIG. 1 according to the present invention.

FIG. 13 is a WEB page generated by the cable modem of FIG. 1 according to the present invention.

─────────────────────────────────────────────────── ─── Continued front page    (81) Designated countries EP (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, I T, LU, MC, NL, PT, SE), OA (BF, BJ , CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG), AP (GH, GM, K E, LS, MW, MZ, SD, SL, SZ, TZ, UG , ZW), EA (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, C A, CH, CN, CR, CU, CZ, DE, DK, DM , DZ, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, K E, KG, KP, KR, KZ, LC, LK, LR, LS , LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, S D, SE, SG, SI, SK, SL, TJ, TM, TR , TT, TZ, UA, UG, US, UZ, VN, YU, ZA, ZW F-term (reference) 5C064 BA01 BB02 BC06 BC18 BC23                       BD02 BD08                 5K030 GA15 HA08 HD03 HD09 LD20                 5K033 BA01 BA07 CB08 CB09 DB18

Claims (22)

[Claims] 1. A first communication link using a first plurality of communication protocol layers over a first port and a second port using a second plurality of communication protocol layers over a second port. A method of blocking internet access in a device that performs two-way communication on a second link, the method comprising: confirming authentication of a user command; and responding to the confirmed user command, the first port and the first port. Prohibiting internet access communication by limiting bridge communication between two ports; using the first plurality of communication protocol layers during a period in which the bridge communication is prohibited; Maintaining communication with a remote device on the first link via the. 2. The prohibiting step comprises filtering data communicated from the first port to the second port using a first filtering criterion, and from the second port to the first port. Filtering the communicated data using a second filtering criterion that is different from the first filtering criterion. 3. The method of claim 1, wherein the prohibiting step comprises the step of filtering data communicated between the first port and the second port. 4. The prohibiting step includes: (a) grading content by a guardian or for other blocking controls; (b)
Based on at least one of preset user preferences, (c) firewall filtering, (d) source or destination identification, and (e) data search capabilities for targeting advertising and "push content" 4. The method of claim 3, comprising the step of: 5. The prohibiting step filters data based on at least one of (a) IP address, (b) protocol type, (c) data identifier, and (d) source or destination identifier. The method of claim 3, comprising the steps :. 6. The prohibiting step comprises:   Configuring a filter to perform said filtering step   The method of claim 3, comprising: 7. The method of claim 1, comprising unlocking the forbidden Internet access communication in response to a confirmed user command. 8. The method of claim 1, wherein the prohibiting step comprises the step of blocking communication of all data between the first port and the second port. 9. The first plurality of communication protocol layers are (a) a QAM layer, (a)
b) MPEG (Moving Pictures Expert Group) transport protocol layer, (
c) MAC (Media Access Control) layer, (d) Ethernet layer, and (e
2.) The method of claim 1 including a DOCSIS compatible layer including at least two of the IP layers. 10. The two-way communication device is at least one of: (a) a modem, (b) a telephone, and (c) a processing device, and maintaining communication with the remote device comprises: (I) password processing, (
ii) Supporting at least one of the polling of the interactive device from a remote source. 11. The confirmation step includes: (a) password, (b) user I
D, (c) PIN, (d) security code, (e) access code, and (f) using at least one of a physical key to verify authentication of the user command. The method according to claim 1, wherein 12. A method of blocking internet access in a device for bidirectional communication on a first communication link via a first port using a plurality of communication protocol layers, the method comprising: authenticating a user command. Confirming, in response to the confirmed user command, using the first communication protocol layer of the plurality of protocol layers to prohibit Internet access communication, and the communication of the first protocol layer Maintaining communication with a remote device at another second communication protocol layer of the plurality of protocol layers during a prohibited period. 13. The first plurality of communication protocol layers includes a DOCSIS compatible layer, and the prohibiting step includes (a) a physical layer, (b) an MPEG (Moving Pictures Expert Group) transport protocol layer, and (c). ) MAC (Media Access Control) layer, (d) Etern
13. The method of claim 12, including the step of disallowing communication in at least one of the t layer and (e) IP layer. 14. The method according to claim 12, further comprising the step of unlocking the forbidden Internet access in the first communication protocol layer of the plurality of protocol layers in response to the confirmed user command. The method described. 15. The prohibiting step comprises: (a) grading content by a guardian or for other blocking controls; (b)
At least one of preset user preferences, (c) firewall filtering, (d) source or destination identification, and (e) data retrieval capabilities for targeting advertising and "push content". 13. The method of claim 12 including the step of filtering the data based on. 16. The two-way communication device is at least one of: (a) a modem, (b) a telephone, and (c) a processing device, and maintaining communication with the remote device comprises: 13. The method of claim 12, supporting (i) password handling and / or (ii) polling of the interactive device from a remote source. 17. The confirmation step comprises: (a) password, (b) user I
Confirming the authentication of the user command using at least one of D, (c) PIN, (d) security code, (e) access code, and (f) physical key. 13. The method of claim 12 characterized. 18. A second plurality of communication protocol layers on a first communication link using a first plurality of communication protocol layers and a second plurality of communication protocol layers.
A method of blocking Internet access in a device that performs two-way communication on a second link via a port, the method comprising: verifying the authentication of a user command; and responding to the confirmed user command, Unlocking the forbidden bridge communication between the first port and the second port; and using the first plurality of communication protocol layers during a period during which the bridge communication is prohibited, Maintaining communication with a remote device on the first link via a port. 19. The method of claim 18, further comprising the step of unlocking the forbidden Internet access communication in the first communication protocol layer of the plurality of protocol layers in response to the confirmed user command. The method described. 20. Maintaining the communication, (i) password processing, and (i)
19. The method of claim 18, i) supporting at least one of polling the interactive device from a remote source. 21. The password processing includes: (i) enabling password input to release the prohibition and enabling Internet access of the first communication protocol layer; and (ii) password change by a remote source. 21. The method of claim 20, comprising at least one of enabling 22. The method of claim 20, wherein the polling comprises interrogating the interactive communication system by a remote source to determine the status of the interactive communication system.