JP2005520250A - Differentiating connectivity in pay-per-use public data access systems - Google Patents

Abstract

A method and apparatus for providing layered application services for access to a network on a pay-per-use basis in a public access network.
Using a personal device, a user accesses different application service layers on demand without requiring prior association, such as a subscription with a wireless access system service provider. Can do. Such on-demand access is obtained by providing various personal identifiers, such as credit card numbers or identification of people who frequently fly. In addition, service offerings allow users to modify, enhance, or degrade currently established application service layers via personal devices during the lifetime of the user's association with the access network. You can do it. A network-level constraint mechanism at an access point in the access network ensures that the user has access only to application services in the application service layer that pay for it, and service services not included in that layer. Access is denied.

Description

Priority This application claims priority from US patent application Ser. No. 60 / 363,327, filed Mar. 8, 2002, having the same name as the present application.

  The present invention is directed to the field of computer network connectivity. The present invention specifically relates to Internet access via a publicly accessible network infrastructure.

  The present invention is provided by a service provider where a user uses his personal device such as a notebook computer and a personal digital assistant (PDA) at a public location such as an airport, shopping center or hotel. It relates to mechanisms by which packet-based networking services are accessed. Such public access service providers offer a variety of wired and wireless technologies that allow people to connect their personal devices to the network and related services. With the advent of new wireless technology standards for local area networks and personal area networks (wireless LAN and wireless PAN, respectively), we have a number of public service offerings of the type specifically considered in the present invention. Witnessing a sudden increase in For example, public wireless access can be provided via wireless PAN technology such as wireless LAN technology based on the IEEE 802.11 family of standards or Bluetooth wireless technology.

  Typically, packet-based data service offerings are pre-registered, eg, subscribed to a data service provider, such as an Internet Service Provider (ISP), thereby providing a long-term “payment” relationship with the provider. Need to establish. Such a process is usually accomplished in an off-line manner, and a provider-subscriber relationship is established and activated before the user gains access to such public services. Such subscriber relationships include the definition of user profiles that specify the range of services that individual users are allowed to access. An ISP typically provides a local or toll-free phone number that allows access to that ISP at an additional incremental cost (in addition to subscription fees) from a number of geographically separated locations become. However, for access to data services via wireless public offerings, this mechanism has serious disadvantages, i.e., to a public access infrastructure operated by a different provider than the one the user has already established a subscription with. When approaching, the user is denied access unless he also subscribes to this new provider. Such limitations override the assumption of a public access infrastructure that ideally serves (and earns) as many users as possible.

  Furthermore, current methods of public access to network services, usually using wireless technology, define a single service layer. For example, a typical service is simply access to the World Wide Web (or simply “Web”). Such a definition of service does not consider a scenario in which a user can access certain premium services on demand via the user's own device. There is no mechanism that allows a user to select one or more such premium services at any time, without requiring a pre-established relationship to such premium services. Even if the service offering has multiple tiers (or groups of services), the user must select the desired service tier in advance. Furthermore, the selected service layer remains unchanged for the duration that the user accesses the service provided by the service provider. In other words, current service offerings over public access infrastructure do not provide users with a different dynamically tunable (or on-demand) service layer. Such service offerings also require a mechanism for dynamically selecting a payment policy for the user based on the selected set of services. Furthermore, it should be done in order to achieve the above offerings in real time.

  A possible solution in providing layered services on demand is to install special code on the client (ie user) device. This special code affects the communication protocol stack and requires the use of a new specific protocol. All packets generated by these client devices need to be modified using this extra special code. Of course, network elements inside this network need to implement the complementary part of the new special protocol in order to be able to read these modified packets. It would be advantageous to have a method that does not require this change in the protocol stack. The method does not require a new protocol to be implemented by the client device, does not require the client device to modify every transmission it makes, and the devices in the network It should be possible to use existing [TCP / IP] standards so that it is not necessary to modify the communication protocol stack to understand.

The last point is shown as an alternative approach to deploying public wireless services. For example, some systems use specialized software implemented on these devices to facilitate access to public services by modifying all data packets sent by personal devices. Proposed.
US Patent Application 60/363327

  It would be advantageous to have a system that does not require changes on personal devices to access a wireless network and that does not require modification to the data packets transmitted by these devices to achieve the various is there. The previously described system relies on specific features of the operating platform (either the server or its client version). This leads to the premise of operation of device communication and computing homogeneity involved in supporting the network. By devices that use established open communication standards, such as the TCP / IP suite of Internet protocols, already supported by an overwhelming majority of personal (IP-enabled) devices that run on different types of operating systems, It is better to have a system applicable to unmodified devices and communication protocols that can be applied in non-homogeneous computing and communication environments. The personal device must be built on a software and hardware platform that is independent of the network support device software and hardware platform with which the personal device interacts with its configuration. With respect to billing, the aforementioned system does not allow dynamic reassignment of billing policies in the middle of an ongoing session.

  Accordingly, one aspect of the present invention allows public network service providers to provide different application service layers to users of application services. The user may use his / her own personal modifications that have not been specially modified to address the teachings of the present invention in order to negotiate and dynamically adjust for the desired application service layer on a usage-by-use basis. -Use the device.

  Another aspect of the present invention is a constraint mechanism applicable in a communication infrastructure that supports such public service offerings. This constraint mechanism is applicable to elements inside the infrastructure, such as router devices, or elements at the edge of the infrastructure, such as wireless access points. The constraint mechanism ensures that an individual user can only access application services within the application service layer selected by the user, and denies access to all application services not included in that layer. In some embodiments, the constraint mechanism further includes means for alerting the user when attempting to access a particular application service that is not included in the currently selected tier, and also allows a user with its own device. Augmented by means to renegotiate the new desired application service on the fly to allow access to the new application service when desired.

  Another aspect of the invention is applicable beyond infrastructure communication elements (eg, routers, wireless access points, etc.), such as devices and software that operate at higher protocol layers than those used in the communication infrastructure. It is a restriction mechanism having the same purpose as described above. With such a constraint mechanism, the filter server is used on the communication infrastructure, for example to ensure that web traffic from users reaches only web services belonging to the selected application service layer. Can be limited.

  Another aspect of the present invention does not require a prior subscription with a data offering service provider, and is temporary such as credit card information, frequent flyer information, hotel room numbers, etc. Dynamically selectable layered application services that users can use in their devices and provided in public places using various means of “on the spot” payments such as identity information Can be accessed on a "pay-per-use" basis.

  An additional aspect of the present invention uses a payment policy in which the user selects using their device and charges the user for the services accessed. In general, these payment policies are based on various criteria, including the amount of traffic transferred to or from the user, or the degree of user activity with respect to the duration (session time) that the selected application service layer was provided. based on. In addition, billing policies can be changed dynamically during a session to allow users to upgrade or modify their service tier and payment policies.

  Other aspects and better understanding of the invention can be realized by reference to the detailed description.

  The above and other objects, features and advantages of the present invention will become apparent upon further study of the following detailed description of the invention in conjunction with the drawings.

  The present invention provides a method, apparatus, and system that allow a user to select between multiple layers of application services that are enabled over a public network access infrastructure. With the present invention, users can gain access to different application service layers even when they do not have a pre-prepared subscriber relationship with the corresponding service provider. The present invention allows a user to dynamically select and reselect a desired application service layer automatically without the intervention of a service provider operator. In some embodiments, such changes also result in suitable changes to the billing (or billing) mechanism.

  In the present invention, a service is defined as a destination endpoint, such as a company web page, an enterprise server application, an enterprise LotusNotes mail server. This application-level definition of service is in contrast to network-level services such as the communication bandwidth allowed for communication over the Internet, such as 56 Kbps or 128 Kbps, regardless of what the communication destination is It is.

  In various embodiments of the invention, a user can use his or her own personal data device, such as a notebook computer or a personal digital assistant (PDA). Users can also temporarily use other computing devices, such as kiosks. However, for purposes of the present invention, these other devices are here uniquely and exclusively capable of operating in accordance with the teachings of the present invention and allowing the user to benefit from the present invention. Assume that it behaves as if it were the user's own “daily life” computing device without the need to incorporate additional sets of software or hardware components into those devices. The service offering considered in the embodiments of the present invention is based on ubiquitous IP-based Internet technology, and the access technology is wireless local communication that operates in an unlicensed radio frequency band such as IEEE 802.11b wireless LAN or Bluetooth wireless PAN. Based on technology. Obviously, those skilled in the art will be able to implement other embodiments of the invention without departing from the spirit and concept of the invention. For example, alternative access technologies such as infrared or Ethernet can be used, or dynamic pay as a way for subscription-based customers to occasionally access premium application service layers that are not included in the default subscription profile.・ Per-use method can be used.

  FIG. 1 illustrates the architecture of a system that provides wireless network access to mobile users and their devices in wireless hotspots in public areas such as airports. This figure also highlights the steps that the user needs to perform to obtain the desired application service layer. Access network 101 includes routers (eg, 106, 107) and wireless access points (WiAP) (eg, 110, 111). A user device or user terminal (108) is connected to this access network via a wireless connection 109 to an access point (110 in FIG. 1). In addition to network layer entities such as access points and routers, the access network includes a DHCP (Dynamic Host Configuration Protocol) server 102, a DNS (Domain Name Service) server 113, and a web proxy (eg, 112, 117). ) And other network support services. DHCP entities and DNS entities are common elements of most IP-based networks known to those skilled in the art and provide various configuration information and query resolution support for IP-based user terminals. A web proxy is used to manage access from a user terminal to a web server. In an embodiment of the present invention, the access network includes a registration server 114 that is used to interactively establish the application service layer desired by individual users.

  As examples of possible layers that distinguish the application server layers, FIG. 1 shows two application service layers, Gold 103 and Silver 105. Each layer of application services is defined by a collection (or group) of one or more services. In this example, the silver service layer 104 includes access to the general Internet 105 of FIG. The gold service layer can include all services included in the silver service layer, as well as services that provide video clips to the user terminal. These layers of application services can exist statically, i.e., for example, a silver application service layer always includes (or at least occasionally updates) the same set of application services therein. )be able to. On the other hand, the allocation of application services within a tier can be dynamic, in which case the application services “assigned” to the tier can be changed based on various criteria. In some embodiments, services may be added based on a combination of criteria such as the quality of application service considerations, forced admission control, time of day, and application of different billing models to application services at different times. It can be reduced.

  After the user terminal 108 enters such a system and establishes a wireless link with the access point, the user terminal 108 executes the DHCP protocol to obtain the IP address of the user terminal. This step is shown as item 116 in FIG. Following this step, the user terminal contacts the registration server 114 using a standard web browser and using the standard HTTP protocol. The registration server provides, among other things, a web-based listing for user terminals of the various layers of available application services and their associated charges. The assignment of services to tiers can be static or dynamic based on the current availability of services, promotions and other considerations. At this point, the user enters an identifier, such as a credit card number, the number of a person who frequently uses an airplane, and a desired application service layer into the browser, and transmits this information to the registration server. These steps are collectively shown as item 115 in FIG. If correctly verified, the identifier supplied by the user is also used to ultimately charge the user for the desired application service layer. Upon receipt and verification of the identifier, the registration server issues a control notification to the appropriate constraining device to inform that the corresponding user has access to the application services included in the service layer selected by the user. The constraining device reacts to this information by placing a set of controls that regulate user traffic within the access network. This step is shown as item 117 in FIG. In alternative embodiments, the constraining device can be either a router (106), an access point (110), or a web proxy (117). In that case, the control mechanism includes placement of a traffic filter with an appropriate constraining device. Different example embodiments of this control and constraint mechanism will be described later.

FIG. 2 illustrates the three functional steps used for the present invention that allow individual users to specify and perform access to permitted application services. The three steps are:
a) registration that allows the user to specify his / her choice from among the available application services;
b) a control notification that allows a specific restricted device to know the appropriate access profile of a specific user;
c) Constraints that allow appropriate network devices to monitor individual packets, connections, or sessions associated with a particular user's device to ensure that they always correspond to authorized application services. It is.

  Thus, FIG. 2 highlights the steps of the present invention that provide a user terminal with access to various layers of application services. Specifically, the user terminal 108 first performs registration 201 with the registration authority 202. During registration, among other things, the user terminal is identified by a unique identifier. This identifier must be unique during the duration of the associated session, that is, until the user terminal terminates its association with the access network (101) and application services available through it. Since the access network can be controlled, configured and reconfigured on-the-fly based on the application service layer selection by the user, the access network (101) of FIG. Also identified as This identifier is a fixed one such as a medium access (MAC) address of a communication hardware subsystem used by the user terminal, a temporary one such as an IP address assigned to the user terminal by a DHCP server, or a user terminal Can be a web cookie supplied to a web browser application running on. By using this registration mechanism by using an identifier that is not directly based on either a network interface (eg, MAC address) or a specific configuration parameter (eg, IP address) supplied by the access network infrastructure, The user terminal will be able to maintain an association with the registration server even if the network connectivity changes (eg, a new network interface is inserted, DHCP configures a new IP address, etc.). In this case, the user terminals can share part of the responsibility to inform the registration server about changes in the device or network specific configuration parameters.

The registration authority 202 records this identifier and the application service layer requested by the user of the terminal. With this knowledge, the registration authority can condition the communication network to deal with the new user and the application service layer selected by the user. The conditioning operation passes information via control signaling 203 to some or all nodes of the controllable access infrastructure, mainly based on this binding information between the device identifier and the application service layer. Including that. As an example, a registration authority (also referred to as a registration server) can:
a) pass the MAC address of the user terminal along with the application service layer to the access point and the LAN switch,
b) Pass the IP address of the user terminal together with the application service layer to the network router,
c) pass the web cookie / IP address of the user terminal along with the application service layer to a web proxy located on the network,
d) Inform the application specific server to accept or reject traffic from a particular user terminal. Using this information, the appropriate network node blocks or passes traffic 206 between the user terminal and these services 205.

  FIG. 3 shows an example of the individual steps of the initial interaction between the user terminal and the system. This includes control of results such as obtaining IP addresses (116), contacting the registration server and selecting the desired application service layer (115), and updating the state of the generic control infrastructure (117 and 203) A notification is included. Embodiments of the present invention configure individual user terminals using the standard DHCP protocol. After the user terminal enters the system, the physical layer of the network connection is activated and the system software is notified. As a result, the user terminal broadcasts a DHCP request on the system network (item 1 in 301). This request is processed by the machine executing the DHCP server 102, which sends a response back to the user terminal (item 2 of 108 and 301). The DHCP response includes the IP address assigned to the user terminal by the system, the IP address of the default node that relays the message (gateway IP address), and the IP address of the machine running the DNS server.

  Certain embodiments of the invention have 302 client configuration software modified from the default behavior. For example, when using the DHCP protocol, system-specific options are added to the DHCP protocol, which can be done in accordance with existing standards that add options to DHCP, and the DHCP server and client software each have new options. Is extended to generate and interpret. The system specific DHCP option includes the address of the registration server. In processing the DHCP response, the extended DHCP client software uses this address to launch 304 a browser directed to the registration server. This embodiment of the present invention represents one example embodiment of automatic configuration of a user terminal using extended DHCP client and server software without explicit user intervention. In another embodiment of the invention, no extensions are made 302 to the DHCP protocol or DHCP client and server software. After the DHCP response is processed and the network connection is configured, the browser is manually activated at the user terminal and directed to the registration server. Registration server identification can be made available as a URL from a set of browser bookmarks, or to the user via an out-of-band mechanism such as a visual notification that is printed or displayed prominently in public places. 303 can be provided. DHCP is the most common mechanism for initial configuration of user terminals, but alternative configuration protocols can be used effectively as well. For example, IPv6, the next generation Internet protocol, allows a node to automatically configure itself without assistance from a DHCP server. It also uses techniques such as destination redirection to redirect web requests from the client device to the destination web to any destination location, for example, a registration server, regardless of the Internet location where the browser user is trying to go. can do. The present invention is equally applicable to such alternative means of initial user terminal configuration.

  As part of the user interaction with the registration server, the user selects the desired application service layer and provides 305 payment-related information. This information is sent 306 by the registration server / institution to the appropriate, logically separate verification node. If the user-supplied information is verified as correct 307, the registration is considered successful. In this case, the accounting process for this user session is initiated and the appropriate information is relayed 308 to the general control infrastructure element via a control notification message. If the information is invalid 307, the user is generally given 310 another opportunity to register with the system.

  If the selection by a user of a particular application service layer is successfully confirmed by the system, the user can be expected to start sending to that layer's application service. FIG. 4 illustrates the steps that the elements of the universal access controllable infrastructure 204 of FIG. 2 follow in an example process during such communication. After receiving the packet (request packet or other transmission from the device) 401, the packet is examined to determine 402 its origin, ie, the user terminal and the application service layer to which it belongs. The mechanism for associating a packet with a particular user terminal and / or application service layer depends on the exact elements of the controllable access infrastructure in which this constraint is enforced. This is illustrated in FIG. 9 for the router and in FIG. 10 for the wireless access point or web proxy. 403 if the application service follows the service layer associated with the origin of the packet, the packet is forwarded 404 to the next hop, and if required if it is required by the billing policy of the specific application service Accounting information related to the originating user terminal is updated 405. If the application service does not follow 403, the packet is discarded or appropriate modification steps are taken 406. In either case, the infrastructure element starts processing the next packet. If the certification test fails, 403, the system may take alternative corrective action.

  In some embodiments, the constraining node redirects the packet, generates a failure notification to the registration server, or both. If the packet that failed the certification test corresponds to a web-based request, the registration server uses the HTTP protocol to notify that the user has attempted access that violates the user's current application service layer. It is possible to respond to the user terminal. This web-based notification can give the user the option to renegotiate the application services layer so that subsequent access attempts by the user are not denied.

  Depending on the information provided by the user at registration and the functioning of the system, sending an “out of band” notification to the user can be another corrective action. The latter may be desirable when the user is not currently using a web browser application or when the system does not include specialized applications that can send messages. The out-of-band notification may be a pager or interactive personal email device, such as sending a message to a wireless personal device, a phone call to a mobile phone, an SMS (Short Message Service) message, etc. .

  The process by which the user renegotiates or changes the application service layer during an ongoing association with the public access network will now be described. As already mentioned, this can be used when the user discovers that a particular desired application service is currently outside the user's current tier selection. Alternatively, the user may find it necessary to temporarily switch to a different application service layer at some point. For example, a user may suddenly notice the need to access premium application services that are not included in the originally selected application service tier. An application service profile is created and stored under certain conditions or when certain properties are satisfied, for example based on location properties, sometimes for the user to point to a preferred choice of application service layer Please note that. The user service profile can facilitate application service layer selection.

  Although the embodiments of the invention described herein refer to user selection for service selection, the use of service profiles to facilitate user tier selection is not within the spirit of the invention. FIG. 5 shows the steps involved in changing the application service layer associated with the user terminal. The user terminal contacts the registration server 501 by pointing the browser to the registration server, requests 502 to change the current application service layer, and supplies all necessary information 503 (same as 305). If the information is valid 504, the change is accepted and the comprehensive infrastructure access control status 505 and accounting 506 elements are updated. Since the user terminal already has an existing association with the access network (and thus a unique identifier), the process 503 for supplying the necessary information is not as detailed as the original process 305 in FIG. For example, the user does not need to re-supply personal information (eg credit card number) and the user terminal software can supply the user-specific identifier directly to the registration server (eg using web cookies) This helps the server to relate this application service layer change request to an existing user-network association.

  The procedure for upgrading the service described in FIG. 5 represents one embodiment of the present invention, but other procedures that do not depart from the spirit of the present invention are possible. For example, those skilled in the art will achieve similar results by pointing the user to the desired application service and the service provider responding with an appropriate registration page in the application service layer that contains the requested application service. can do. This latter approach does not require the user to explicitly contact the registration server for upgrade. However, this approach achieves the same end result as the embodiment shown in FIG.

  Since support for dynamically defined application services is an element of the present invention, a mechanism by which such service associations can be terminated must be specified. For example, such deregistration mechanisms are useful for accurate billing in scenarios where users are charged based on user-network related durations. Such a mechanism can also be used to check current usage and billing information before the user makes a decision regarding the continuation or termination of the association. FIG. 6 shows the (potentially) last interaction step of the user terminal with the public access network when the user terminal effectively closes all sessions and terminates access to various network services. Indicates. In the illustrated embodiment, the user terminal points 601 to the registration server and requests 602 to terminate the session using standard HTTP protocol. As part of this request, the user terminal may include 602 a user-specific unique identifier established during the registration process (see 201 in FIG. 2). The registration server retrieves 603 appropriate usage statistics from the associated restricted device and provides 604 appropriate usage statistics to the user terminal. Based on this usage information, the user decides 605 either to confirm the end of the association or to continue using the publicly available service infrastructure. If the user decides to continue, the termination process is postponed and the user resumes normal network access. This mechanism gives the user a simple means of verifying the activity history and associated charges. However, if the user decides to end the current association 605, the registration server takes the steps necessary to remove information related to the presence of the user in the public access network. The registration server first issues 606 an appropriate control notification message to the restricted device to disable further access by the user terminal. By successful execution of such a control message, unnecessary access control information of the restricted device is effectively removed. The message also serves as a protection mechanism against subsequent unauthorized access attempts. After sending this notification, the registration server also removes the active user specific information (such as a unique identifier associated with the user's current session) from its internal table and completes the process of properly charging the user 607. In addition to notifying the access control device, the registration server also informs the DHCP server 608 so that the DHCP server can update its own table and release resources appropriately.

  FIG. 7 illustrates another example embodiment of session management and termination that does not require the user to explicitly work for termination. This embodiment uses a web technology called cookies to track the presence of the user terminal 108 in the system. In FIG. 7, in addition to the relevant parts of FIG. 1, a session database 702 for storing a record 703 of terminals in the system is added. Specifically, following the IP address assignment 116 to the user terminal by the DHCP server 102, the server informs the registration server 114 that a new IP address has been assigned 701 to the user terminal. In one embodiment, registration places this IP address in a “standby” pool of IP addresses. When a user accesses the registration server to register for a new service, continue an existing service, or update an existing service, the IP address is removed from the standby pool. In another embodiment, the registration server associates this IP address with a record 703 in the user session database 702. In any case, the registration server is informed about the new IP address assignment.

  New IP address assignments may actually be given to new user terminals or terminals that may have an ongoing session. The latter is due to various reasons for temporary link 109 failure, user device reboot, wireless access point changes due to movement, eg access technology from wireless LAN to wired Ethernet (R) or Bluetooth wireless technology. It may occur at the time of adjustment. The user device may obtain a new IP address that is different from that previously used. However, the user may have selected a payment policy that is still valid. For example, if a user requests a 30-minute time block and a communication interruption occurs between the seventh and tenth minutes from this time block, the new IP address will be assigned to a completely new session. Must not be associated, but instead must be used to update session information associated with an existing session.

  In the embodiment shown in FIGS. 7 and 8, this is accomplished through the use of web cookies. A web cookie is a small amount of information that a web server sends to a web browser that interacts with the server. Web browsers store cookies on the user terminal that runs the browser. This cookie is uploaded by the browser each time a particular web browser revisits a particular web server. This can be used to track user visits to a particular web site. In the present invention, when a user terminal revisits the registration server after reassignment of a new IP address, a cookie can be supplied to the registration server again, and the registration server uses the cookie to return the user terminal. Session records (if any) can be retrieved and the records updated accordingly.

  In another embodiment, transmission of a new IP address from the DHCP server to the registration server is omitted. This allows session data relating to a newly started session or an ongoing session to be exclusively processed by the registration server. This is possible because the web server can retrieve a large amount of information about the user terminal, including the IP address, separately from the cookie, similar to the registration server. However, sending an IP address at 701 or a similar address in the opposite direction is used to verify that the IP address used by the client device is a valid IP address assigned by the DHCP server. Is.

  FIG. 8 illustrates an embodiment of steps that a registration server follows to determine how to proceed if the registration server receives a cookie. A cookie is said to be valid when associated with an active / in-progress session. Multiple events 807 may contribute to invalidating cookies. For example, the DHCP server may invalidate the IP address. This occurs when the “lease” time associated with the IP address assigned by the DHCP server expires before the user terminal requests a lease renewal. In the embodiment of FIG. 7, the DHCP server communicates this information by sending an “Remove IP Address” message 704. The granularity of DHCP leases shows the accuracy of the pay-while-I-am-on billing policy. For example, if a lease is granted in 2 minute increments, a user who chooses to pay based on the duration of his session is charged for using the system, such as 2 minutes, 4 minutes, 6 minutes, etc. The session is also invalidated if the user chooses to pay for a 30 minute block and 30 minutes have passed. In the session record 703 of FIG. 7, the latter is stored in a session record item describing the payment policy selection time (paymentSelectionTime) and / or the time covered by the selected payment policy (paymentDuration), or both. Can be calculated from other relevant data. The time for payment selection can be very close to the time the service layer is selected, but this is generally not a requirement. Furthermore, various time intervals can be associated with a grace period to take into account the possibility that the user has been temporarily disconnected. This grace period is advantageously coordinated with the DHCP server so that the DHCP server does not assign the already removed IP address to the new user terminal, but the registration server has not yet updated its session record.

  Temporary disruption of connections can be caused by temporary link failures, user device reboots, wireless access point changes due to movement, eg adjustment of access technology from wireless LAN to wired Ethernet technology or Bluetooth wireless technology May occur due to user movement and other reasons. The use of cookies, which are sometimes used as session identifiers that can persist beyond the connection interruption, allows the user to continue to access the selected service layer without having to re-register with the registration server. By using a cookie that is sent each time a user terminal accesses the registration server, the registration server can ignore the connection interruption caused by any number of reasons and restore the necessary session information. This function is often referred to as service roaming.

  FIG. 9 details how the access control is implemented by a router in the access network 101 of FIG. 1 or the equivalent controllable infrastructure 204 of FIG. In FIG. 9, it is assumed that the user terminal 901 is assigned an IP address 10.0.0.1 using the DHCP protocol. In other embodiments, this and the following IP address may be different. In addition, the service provider defines two application service layers, gold and silver, which allow users to access IP addresses 10.1.1.2 and 10.1.2.2 respectively. (Generalization to multiple application service layers, each having multiple lists of IP addresses or port numbers or both, is straightforward to those skilled in the art). The client contacts the registration authority 903 via the wireless access point 902 to specify the desired application service layer. Registration authority 903 provides 904 a web page listing of all available application service tiers and associated fees. The user selects between the two application service layers 909 (gold and silver) and sends the selection back to the registration server 905 (along with other personal certificates). The grouping of services into different application service tiers is incremental and can be made accessible to all services in the silver service tier, for example, by selecting the gold service tier. can do.

  Assume that the user terminal has selected the silver service layer. One node that can implement the access control mechanism is a router 906. As can be seen from FIG. 9, this router-based access control scheme can be achieved by communication 907 to the router a set of filtering rules based on the IP address of the user terminal and the requested application service layer. Upon receipt of these filtering rules, the router stores the rules in the local routing table 908. In FIG. 9, the routing table shows that the IP address 10.0.0.1 (the IP address of the user terminal in question) is an application service provided on the TCP port 80 with the destination address 10.1.2.2. Indicates that access is possible. This corresponds to the Silver Service web server, so that the user terminal associated with the IP address 10.0.0.1 can only access the Silver Service.

  The constraining mechanism can also be performed at an alternative node in the access network infrastructure, such as a wireless access point or web proxy. These alternatives are shown in FIG. 10, which assumes that the user terminal has the IP address 10.0.0.1 as before. Further, assume that the hardware (MAC) address of the wireless device associated with the user terminal is “MAC_ADDR_1”. First, as shown on the left side of the figure, the registration authority 1002 can pass a set of filtering rules 1003, 1004 to one or more wireless access points (WiAP) 1005, 1006. Since the wireless access point distinguishes terminals by MAC address, the filtering table 1007 in the wireless access point (1005 in FIG. 10) usually has the MAC address of the user terminal (in this example, “MAC_ADDR_1”). The destination IP address and / or port number of the set of allowable destination nodes. As before, this figure shows an example when the user terminal selects the silver application service layer 1008 (destination address 10.1.2.2).

  The right side of FIG. 10 shows the case where access control is implemented by placing a filter on the web proxy 1009. In this case, the registration authority 1002 passes the appropriate set of filtering rules 1010 to the web proxy. The web proxy updates the corresponding information in its filtering table 1011. It should be understood that this is actually an application layer filtering mechanism because the web proxy only intercepts web-based traffic from the user terminal. In this case, the user terminal can be uniquely identified by either a network layer identifier such as an IP address (10.0.0.1 in this example) or an application layer identifier such as a set of web cookies. .

  In FIG. 10, the filtering table 1011 may identify a user terminal by an IP address (10.0.0.1) and identify a set of destinations allowed by a URL (Uniform Resource Locator) pair. It is shown. In this particular example, assume that the user selects a silver service, which is associated with the URL http://10.1.2.2/silver.html. A uniform resource locator (URL) is a standard means of naming, finding and searching for objects on the web.

  Embodiments of the present invention have been described herein with respect to the use of access points, routers, and web proxies to control access to selected application services. Those skilled in the art will be able to use alternative network traffic control elements without departing from the spirit of the invention.

  The embodiments of the present invention presented so far are based on the premise that the public access infrastructure allows a user to connect to a network via a wireless interface using a wireless LAN. However, the principles and methods described in the present invention can be applicable to other wireless and wired access technologies. Those skilled in the art will appreciate additional embodiments of the invention for alternative access technologies that use, for example, wired IEEE 802.3 Ethernet technology rather than IEEE 802.11 wireless LAN technology, without departing from the spirit of the invention. It will be easy to develop.

  The present invention can be realized in hardware, software, or a combination of hardware and software. The visualization tool according to the present invention can be implemented in a centralized form within a single computer system or in a distributed form where different elements spread across multiple interconnected computer systems. Any computer system or other apparatus adapted to perform the methods and / or functions described herein is applicable. A typical combination of hardware and software can be a general-purpose computer system and a computer program that controls the computer system to perform the methods described herein when loaded and executed. . The invention may also be implemented in a computer program product that includes all the functionality that enables the methods described herein and that can execute the methods when loaded into a computer system. it can.

  Here, the computer program is intended to cause a system having information processing capabilities to execute a specific function directly or after conversion to another language, code, or notation or after copying in a different material form. Including any representation in any language, code or notation of the instruction set.

  Accordingly, the present invention includes an article of manufacture that includes a computer usable medium having computer readable program code means implemented therein to produce the functions described above. Computer readable program code means in the product includes computer readable program code means for causing a computer to perform the steps of the method of the present invention. Similarly, the present invention may be implemented as a computer program product comprising a computer usable medium having computer readable program code means for generating the functions described above implemented therein. The computer readable program code means of the computer program product includes computer readable program code means for causing a computer to perform one or more functions of the present invention. Furthermore, the present invention is a program storage device that specifically implements a program of instructions executable by a machine to perform method steps that are readable by the machine and perform one or more functions of the present invention. Can be implemented.

  It should be noted that the foregoing outlines some of the more pertinent objects and embodiments of the present invention. The present invention can be used in many applications. Thus, although specific arrangements, timing displays, and methods have been described, the intent and concepts of the present invention are suitable and applicable to other arrangements and applications. It will be apparent to those skilled in the art that modifications can be made to the disclosed embodiments without departing from the spirit and scope of the invention. The described embodiments are to be construed as merely illustrative of some of the more prominent features and applications of the present invention. Other beneficial results can be achieved by applying the disclosed invention in different ways or modifying the invention in a manner known to those skilled in the art.

FIG. 1 illustrates the architecture of an example system that provides wireless network access with operations performed by users and systems to provide a desired application service layer. FIG. 6 shows an example of three main functional steps used in accordance with the present invention to allow an individual user to specify and gain access to an authorized application service. The three steps are: a) registration that allows users to specify their choice among available application services, b) that a particular restricted device knows the appropriate access profile for a particular user Control notification to enable, c) the appropriate network device to ensure that a particular user's device will always support the permitted application services, individual packets, connections associated with such device Or a constraint that allows a session to be managed. FIG. 7 illustrates steps performed by registration-related entities (particularly user devices and registration servers) during a user registration process, verifying a user's certificate and A network-side mechanism that accepts the selection is included. It is a figure which shows the example of the step included in an actual constraint process. This constraint mechanism includes the inspection of a particular packet to verify that the particular packet complies with the currently permitted application services for a particular user, and all necessary updates for accounting purposes. FIG. 5 illustrates steps including processing that allows an individual user to dynamically change a selected application service layer. It is a figure which shows the process which a user complete | finishes the present session (registration cancellation). Such deregistration ensures that the network releases all resources reserved for a particular user, and the user is charged exactly for the user's own activity (especially when the user Useful when you are charged based on the duration of FIG. 6 illustrates another example embodiment of session management and termination that does not require the user to explicitly work for termination. FIG. 6 illustrates an embodiment of steps followed by a registration server to determine how to proceed if a cookie is received. It is a figure which shows the example of the exact mechanism of access control (namely, restrictions). This figure shows an example embodiment of a constraint mechanism through the use of a table in the router that lists specific destinations, protocols, or combinations thereof that individual users can or cannot access. The access control framework of FIG. 9 can also be applied to constraint mechanisms that take place at different layers, possibly at service level entities. FIG. 10 is a view similar to FIG. 9 when access control is performed via a wireless access point or web proxy.

Claims (38)

Enabling a user to use a set of standard communication protocols on a device coupled to a network to access a specific group of application services;
Providing a plurality of groups of application services accessible from the device, wherein at least one application service of each group is usable by the device;
Allowing the user to select the specific group of application services from the plurality of groups;
Dynamically and automatically configuring the network based on the specific group of application services to allow the device to access the specific group of application services via the network. A method comprising and. Allowing the user to make a subsequent selection of another group of application services from the plurality of groups;
Automatically reconfiguring the network based on the subsequent selection to allow the device to access the another group of application services via the network. The method of claim 1.   The method of claim 1, wherein the network uses a standard TCP / IP communication protocol.   The method of claim 1, wherein the set of standard communication protocols includes a standard IEEE 802 communication protocol.   The method of claim 1, wherein the providing comprises retrieving a list of the group of application services from local data.   The method of claim 1, wherein the providing comprises retrieving a list of the group of application services from a group of devices remotely located from the device over the network.   The method of claim 6, wherein the providing is initiated by the group of devices and includes sending an unsolicited message to the device by the group of devices.   The method of claim 7, wherein the content of the unsolicited message depends on at least one property associated with the device.   The method of claim 6, wherein the searching includes using a web browser application coupled to the device and a web server coupled to the network.   The method of claim 1, wherein the providing comprises dynamically creating at least one of the plurality of groups of application services from a list of possible application services.   The method of claim 1, further comprising mapping the plurality of groups of application services to at least one network identifier.   The method of claim 11, wherein the at least one network identifier comprises at least one identifier taken from a group of identifiers including an IP address, a TCP / UDP port number, a protocol identifier, an application identifier, and a combination of the identifiers. .   The automatically configuring includes setting up traffic filtering rules in the network, the traffic filtering rules associating the device with the specific group of application services. Item 2. The method according to Item 1.   The traffic filtering rules are set with at least one network traffic control element from a group of network traffic elements coupled to the network, the group of network traffic control elements comprising a data access point; 14. The method of claim 13, comprising a bridge, switch, hub, router, gateway, proxy server, web server, and any combination thereof.   The traffic filtering rule is based on at least one identifier from a group of identifiers, the group of identifiers being a user of a device, a medium access control (MAC) address of the device, and the plurality of groups of application services. A medium access control (MAC) address, an IP address of the device, an IP address of the plurality of groups of application services, a TCP / UDP port number of the device, a TCP / UDP port number of the plurality of groups of application services, 15. The method of claim 14, comprising a universal resource locator (URL) and any combination of these identifiers.   Further comprising charging a fee for access to at least one of the plurality of groups of application services by the device, wherein the charging is an alternative associated with each group of application services selected by the user The method of claim 2, comprising providing a charging policy. The alternative billing policy is
A time-based charging policy wherein the fee depends on a duration that the network remains configured to allow the device to access the particular group of application services;
A time-based billing policy with a pre-selected length of time;
A time-based charging policy having a length of time that is dynamically reset until the device stops accessing the particular group of application services;
Service subscription rate in minutes, hours, days or months,
As long as the network remains configured to allow access to the specific group of application services by the device, the amount of billing is the application service of the specific group of devices and application services A usage-based billing policy that depends on the amount of traffic passed over the network between
A usage-based billing policy with a pre-selected amount of traffic;
The method of claim 16, wherein the method is based on at least one policy from a group of alternative charging policies including any combination of these.   The charging includes associating the fee with the user of the device, the associating comprising credit card information, frequent flyer information, customer loyalty information, application service subscription information, 17. Providing at least one user identification from a group of user identifications including hotel room information, user ID / password information, personal information embedded in a personal smart card, and a combination of said identifications. The method described in 1.   The method of claim 1, further comprising prohibiting access to another group of application services. Defining said another group of application services as prohibited services;
Allowing the user to select at least one of the prohibited services from the plurality of application services;
Automatically reconfiguring the network based on the specific group of application services to allow the device to access the at least one of the prohibited services via the network The method of claim 19 further comprising:   Further comprising charging a fee for the at least one access of the prohibited service, wherein the fee is adjusted based on a charging policy selected by a user associated with the at least one of the prohibited service. The method of claim 20.   20. The method of claim 19, further comprising sending a notification to at least one of the device and another device to indicate that access to the another group of application services is prohibited.   The method of claim 1, wherein the providing is based on at least one property associated with the device. At least two groups of at least one network configuration service, at least one service management application service, at least one network traffic control element, and application services accessible from a user device using a set of standard protocols Enabling the user device connected to a network comprising:
The at least one network configuration service configures the user device;
The at least one service management application service providing the user device with the listing of the at least two groups of application services;
Allowing a user of the user device to select at least one group from the at least two groups of application services;
Dynamically configuring the at least one network traffic control element to allow access to only the at least one group. Responsive to the connection of the user device to the network, providing the device with a list of multiple groups of application services;
Sending a set of identifiers representing selection of a particular group of application services from the plurality of groups of application services to the device;
Instructs at least one network traffic control element to automatically and dynamically configure the network to enable communication over the network between the device and the particular group of application services Using the identifier to do. Set device permissions,
Using a set of standard protocols, allowing the device coupled to the network to select access to an application service selected from a plurality of groups of available application services;
Associating the access permission of the device with at least one identifier for the device to access the selected application service from at least one of the plurality of groups of application services;
Using the at least one identifier to allow the device to roam and access the selected application service using the established access permissions.   27. The method of claim 26, further comprising maintaining the established access permissions even when network binding conditions are changed. Including a server that allows a user to use a set of standard communication protocols on a device coupled to a network to access a particular group of application services, the server comprising:
A listing module that provides a listing of a plurality of groups of application services accessible from the device, wherein at least one of the application services of each of the groups is usable by the device. When,
An enabling module that allows the user to select the particular group of application services from the plurality of groups;
A configuration module that automatically configures the network dynamically based on the particular group of application services to allow the device to access the particular group of application services over the network. A device including and.   The enabling module allows the user to make a subsequent selection of another group of application services from the plurality of groups, and the configuration module is configured to configure the application services over the network by the device. A billing module that dynamically reconfigures the network dynamically based on the subsequent selection and charges a fee for the access to allow the access to another group; 29. The apparatus of claim 28, based on an alternative charging policy associated with each group.   An article of manufacture comprising computer usable media having computer readable program code means embodied therein for causing automatic and dynamic configuration, wherein the computer readable program code means in the article of manufacture is An article of manufacture comprising computer readable program code means for causing a computer to perform the steps of claim 1.   An article of manufacture comprising computer usable medium having computer readable program code means implemented therein for causing automatic and dynamic configuration, wherein the computer readable program code means in the article of manufacture is 25. An article of manufacture comprising computer readable program code means for causing a computer to perform the steps of claim 24.   An article of manufacture comprising computer usable medium having computer readable program code means implemented therein for causing automatic and dynamic configuration, wherein the computer readable program code means in the article of manufacture is 26. An article of manufacture comprising computer readable program code means for causing a computer to perform the steps of claim 25.   An article of manufacture comprising computer usable media having computer readable program code means implemented therein for providing application service access, wherein the computer readable program code means in the article of manufacture is claimed. An article of manufacture comprising computer readable program code means for causing a computer to perform the steps of paragraph 26.   A computer program product comprising a computer usable medium having computer readable program code means implemented therein for automatic and dynamic configuration, said computer readable program in said computer program product A computer program product, wherein the code means comprises computer readable program code means for causing a computer to perform the functions of claim 28.   A machine readable program storage device that specifically implements a program of instructions executable by the machine to perform automatic and dynamic configuration method steps comprising the steps of claim 1.   25. A machine readable program storage device that specifically implements a program of instructions executable by the machine to perform automatic and dynamic configuration method steps including the steps of claim 24.   A program storage device readable by a machine that specifically implements a program of instructions executable by the machine to perform automatic and dynamic configuration method steps comprising the steps of claim 25.   27. A machine readable program storage device that specifically implements a program of instructions executable by the machine to perform the method steps for causing application service access including the steps of claim 26.

Images