KR100745434B1 - Differentiated connectivity in a pay-per-use public data access system - Google Patents

Abstract

The present invention provides a method and apparatus for providing a hierarchical application service for accessing a network service in a pay-per-use manner in a public access network. Using the personal device 108, a user can access different tiers 103, 104 of the required application services without requiring an association procedure such as a preset step with a service provider of the wireless access system 111. can do. This on-demand access is obtained by providing various personal identifiers, such as credit card numbers or use loyalty identifiers. Service provision also allows a user to modify, improve or degrade the currently set tier of application services during the user's connection to the access network via the personal device. The network level execution mechanism at the access point inside the access network allows access to only the application services within the application service tier they paid for and denies access to services not within that tier.

Description

A network access method and apparatus, and a recording medium {DIFFERENTIATED CONNECTIVITY IN A PAY-PER-USE PUBLIC DATA ACCESS SYSTEM}

preference

This application claims priority to Provisional Application No. 60 / 363,327, filed Mar. 8, 2002, with the same name in the United States.

The present invention relates to the field of computer network connection. The present invention relates in particular to Internet access through a publicly accessible networking infrastructure.

The present invention relates to a mechanism that enables users to access packet-based networking services provided by a service provider in public places such as airports, hotels, malls, etc. using their personal devices such as notebook computers and PDAs. . Such public access service providers may provide a variety of wired or wireless technologies that allow people to connect their own devices to the network and related services. With the advent of new wireless technology standard schemes for wireless and local area networks (LANs and PANs) (wireless LANs and wireless PANs), more and more public services of the type contemplated by the present invention are being provided. For example, public wireless access may be provided through wireless PAN technology such as wireless LAN technology or Bluetooth wireless technology based on the IEEE 802.11 family of standards.

Typically, packet-based data service provision requires the user to pre-register, such as subscribe, to a data service provider such as an Internet Service Provider (ISP) first, thereby establishing a long-term "payment" relationship with that provider. This is accomplished in an offline manner and a provider-to-subscriber relationship is established and activated before the user can gain access to these public services. This subscriber relationship includes the provision of a user profile that specifies the scope of authorized services that an individual user can access. ISPs typically provide local or toll free numbers that allow access to the same ISP at additional incremental costs (in addition to subscription fees) from a number of topographically distant locations. However, in the case of access to data services via wireless public provisioning systems, this mechanism has a serious problem. In other words, if a user accesses a public access infrastructure operated by a provider other than the one that has already established a subscription with him, their access is denied until they also establish a subscription with this new provider. These constraints ideally do not meet the premise of a public access infrastructure that always wants to serve as many users as possible.

In addition, current approaches for public access to network services, which typically use wireless technology, define a single tier of services. For example, a typical service is simple access to the WWW (World Wide Web). These service provisions do not take into account scenarios in which a user may access certain premium services on demand via his device. There is no mechanism that allows a user to select such premium services on-the-fly at any time without requiring a predetermined relationship to these services. If this service provisioning scheme has multiple tiers (or service groups), the user must select the necessary tiers in advance. In addition, the selected service tier remains unchanged for the duration of the user's access to the services provided by the service provider. In other words, the current way of providing services through the public access infrastructure does not provide different and dynamically adjustable (or on demand) service tiers to the user. In addition, this service provision method needs a mechanism for dynamically adjusting the payment policy for the user based on the selected service set.

A possible solution for providing the required tiered service is to install specific code in the client device (ie, the user's device). This particular code affects the communication protocol stack and requires the use of a new specific protocol. All packets generated by these client devices need to be modified using this additional specific code. Of course, in order to be able to read these modified packets, network elements within this network must implement the complementary part of the new specific protocol. An advantage is that this change in the protocol stack is not required. This approach eliminates the need for the client device to modify all and each transport it performs without the need for new protocols to be implemented by the client device, and for devices in the network to modify their communication protocol stack to understand the newly designed protocol. To avoid this, the existing [TCP / IP] standard method should be available.

Finally, there are other ways of using public wireless services. For example, one system proposes to facilitate access to public services by modifying all data packets sent by this device using specific software embedded on the personal device.

There is a need for a system that does not require any modification to the personal device to access the wireless network and does not require any modification to the data packets sent by this device to achieve various accesses. The previously described system depends on the specific features of the operating platform (server version or client version thereof). This operatively assumes communication and computational uniformity for devices participating in supporting the network. It is advantageous to have a system that can be used on unmodified devices and communication protocols, the communication protocols being non-uniformly calculated and communicated by devices using established and open communication standard schemes, such as the TCP / IP Internet Protocol Set. It is already supported by most personal (IP capable) devices that can be used in the environment and run on different types of operating systems. These personal devices must be built on a software and hardware platform that is independent of the software and hardware platform so that the network can support the devices with which they interact for its configuration. With regard to billing, the aforementioned systems are unable to perform dynamic reassignment of billing policies in the middle of an ongoing session.

Summary of the Invention

Thus, in one aspect of the invention, providers of public network services may provide different application service tiers to users of these application services. Users use their own personal devices, and no specific modifications are made to the personal devices to accommodate the spirit of the present invention, thereby negotiating the necessary tiers of application services, and at each use and when in use. Dynamic adjustment is possible.

Another aspect of the present invention is an execution mechanism that can be used in a communication infrastructure that supports such a public service provision. This execution mechanism can be applied at the edge of an infrastructure such as a wireless access point or an element within the infrastructure such as a router device. This execution mechanism allows individual users to access only those application services that exist within the selected application service tier, and denies access to all application services that do not exist within that tier. In some embodiments, this execution mechanism includes a means of informing users when users attempt to access a particular application service that is not within their currently selected tier and a new application service if necessary using the user's device again. The means for renegotiating the newly requested application service tier on the fly is further enhanced.

Another aspect of the present invention has the same purposes as described above, but as with devices and software operating at a protocol layer higher than the protocol layer used in the communication infrastructure, such as for example routers and wireless access points, An execution mechanism that can be used outside of the communication element. In this execution mechanism, a filter server is used across the communication infrastructure to limit, for example, web traffic from the user to reach only the web service belonging to the tier of application service selected by the user.

Other aspects of the present invention provide a variety of information, such as credit card information, frequent flier information, temporary identification information such as hotel room numbers, and the like, without requiring a predetermined subscription with a service provider that provides data. "On-the-spot" payment method allows users to pay for their use of dynamically selected selectable tiered application services provided in public using their own devices. Access on a pay-per-use basis.                 

In another aspect of the present invention, a payment policy is used that bills a user for services they have selected and accessed using their device. In general, this payment policy is based on a variety of criteria, including the degree of user activity that is considered in terms of the amount of traffic delivered to / from the user, or the length of time (session period) for which the selected application service tier is provided. In addition, the billing policy changes dynamically between sessions, allowing the user to update or modify his service tier and payment policy.

Other aspects and better understanding of the invention will be realized by reference to the following detailed description of the invention.

These and other aspects, features and advantages of the present invention will become apparent upon consideration of the following detailed description of the invention in conjunction with the accompanying drawings.

1 illustrates an architecture of a system that provides wireless network access in accordance with operations performed by a user and provides a required tier of application services;

2 shows three major functional steps in accordance with the present invention that allow an individual user to specify and obtain access to an authenticated application service ((a) a registration that allows a user to specify their choice among available application services). (B) a control notification that causes a particular executing device to know the appropriate access profile for a particular user; and (c) ensuring that individual packets, connections or sessions associated with a particular user's device always correspond to an authorized application service. An exemplary diagram of an implementation step for a suitable network device to police them,

3 shows the steps taken by a registration-related entity (especially a user device and a registration server) during the user's registration process, while demonstrating the user's credentials on the network side and allowing the user's selection from the available tiers of application services. Drawing showing a mechanism for

4 illustrates an example of the steps involved in the actual execution process, which mechanism checks the packet to verify that the particular packet conforms to the currently authorized application service for that particular user and for any accounting purposes. Include any necessary updates,

5 illustrates the steps involved in a process that allows individual users to dynamically change their selected tier of application services;

6 shows a process that allows a user to terminate their current session (deregistration), where such de-registration frees any resources that the network has assisted for a particular user. ) And users (especially when they are billed based on their session duration) to ensure that they are billed correctly for their own activities,

7 is a diagram of another example embodiment of managing and terminating a session without the user having to act explicitly for termination;                 

8 is a diagram of an embodiment of the steps that a registration server follows to determine how to proceed when the registration server receives a cookie;

9 illustrates an example of the exact mechanism of access control (ie, execution), enumerating a particular destination, protocol and combination thereof and illustrating the execution mechanism using tables in a router that individual users may or may not have access to. By way of example, the implementation of the access control framework of FIG. 9 can be applied to execution mechanisms occurring at different layers and possibly service level entities,

FIG. 10 is a diagram of a similar example of FIG. 9 for the case where access control is performed via a wireless access point or a Web proxy.

The present invention provides a method, apparatus and system for allowing a user to select from among a number of tiers of application services that can be used on a public network access infrastructure. The present invention allows a user to access differentiated tiers of application services even without having a previously signed subscription relationship with the service provider corresponding to that service. In addition, the present invention allows users to dynamically select and reselect desired tiers of application services without the involvement of a service provider operator. In some embodiments, this change results in a suitable change to the billing mechanism.

In the present invention, a service is defined as a destination end-point such as a corporate web page, a corporate server application, a corporate Lotus Notes mail server, or the like. This application level specification for services contrasts with the communication bandwidth allowed for communication across the Internet, for example 56 Kbps or 128 Kbps, regardless of what the destination of the communication is.

In various embodiments of the present invention, users use their own personal data devices, such as notebook computers or PDAs. Users can temporarily use other computing devices, such as kiosks. However, for the purposes of the present invention, these other devices are not intended to incorporate any additional set of software or hardware components that are unique and uniquely enabled for these devices to operate in accordance with the spirit of the present invention. It is assumed to operate as if it were a user's own "routine" computing device without need. The service provision considered for the embodiment of the present invention is based on the ubiquitous IP-based Internet technology, and the access technology is a wireless local operating in a non-proprietary radio frequency band such as IEEE 802.11b wireless LAN or Bluetooth wireless PAN. Based on communication technology. Apparently, those skilled in the art may implement other embodiments of the present invention within the spirit and scope of the present invention. For example, they may use other access technologies, such as infrared or Ethernet, or use a dynamic payment configuration based on usage as a way for subscription-based consumers, so that the tier of premium application services does not fall within their default defalut subscription profile. Can be accessed from time to time.

1 illustrates the architecture of a system that provides wireless network access to mobile users and their devices in a wireless hot-spot in a public place such as an airport. This figure also highlights the steps that need to be executed by the user to obtain the required tier of application services. This access network 101 comprises a router (eg, 106,107) and a wireless access point (WiAP) (eg, 110,111). The user device or user terminal 108 is connected to this access network and connected to the access point 110 via a wireless connection 109. In addition to network layer entities such as access points and routers, the access network also provides network support services such as Dynamic Host Configuration Protocol (DHCP) server 102, Domain Name Service (DNS) server 113, and Web proxies (e.g., 112,117). Include. These DHCP entities and DNS entities are common elements in most IP based networks known to those skilled in the art and provide various configuration information and query-resolution support to IP based user terminals. Web proxies are used to manage access to web servers from user terminals. In one embodiment of the invention, the access network includes a registration server 114 which is used to interactively establish the tier of application services required by the individual user.

As an example of possible tiers that are differentiated between tiers of application services, FIG. 1 shows two application service tiers, a gold service 103 and a silver service 104. Each application service tier is defined by one or more service groups. In this embodiment, the silver service tier 104 includes access to the general Internet 105 in FIG. The gold service tier includes a service for providing video clips to a user terminal in addition to all services included in the silver service tier. These tiers of application services may be static, ie the silver application service tier always contains the same set of application services therein (at least not frequently updated). On the other hand, the allocation of application services into the tier is dynamic, where the application services allocated into the tier can vary according to various criteria. In some embodiments, services are added or excluded based on a combination of criteria such as application quality considerations, admission control enforcement, time of day, and providing different billing models to application services at different times.

After user terminal 108 enters this system and establishes a wireless link with the access point, the terminal executes the DHCP protocol to obtain an IP address for the user terminal. This step is shown as item 116 in FIG. After this step, the user terminal uses a standard web browser and contacts the registration server 114 using the standard HTTP protocol. The registration server provides, among other things, a web-based list and associated claims on user terminals in various tiers of available application services. Allocating services into tiers can be static or dynamic based on other considerations, such as whether the service is currently available, promotions, and so on. At this point, the user enters an identifier, such as a credit card number or frequent flyer number, enters the required tier of application services into the browser and sends this information to the registration server. These steps are collectively shown as item 115 in FIG. After a suitable attestation step, the identifier provided by the user is also used to finally bill the user for the requested application service tier. Upon receiving and verifying the identifier, the registration server issues a control notification to the appropriate executing device informing that the corresponding user can access the corresponding application service within his / her selected service tier. The executing device executes a series of controls in response to this information to regulate the traffic of the user inside the access network. This step is shown as item 117 in FIG. In another implementation, the execution device may be a router 106, an access point 110, or a web proxy 117. The control mechanism includes placing a traffic filter at the appropriate execution device. Different illustrative embodiments of this control and execution mechanism are described later.

Figure 2 illustrates the following three functional steps used in the present invention that allow an individual user to specify and obtain access to an authorized application service.

(a) a registration step of allowing a user to specify his or her choice among available application services,

(b) a control notification step of informing the particular executing device of the appropriate access profile for the particular user;

(c) An act of causing a suitable network device to police individual packets, connections or sessions associated with a particular user's device at any time to correspond with an authorized application service.

As such, FIG. 2 highlights the steps of the present invention to provide user terminal access to various tiers of application services. In particular, the user terminal 108 first performs a registration step 201 with the registration authority 202. During registration, among other things, the user terminal is identified by a unique identifier. This identifier must be unique for the duration of the associated session, ie until the user terminal terminates the connection of the access network 101 and the application service is available therethrough. Since the access network can be controlled, configured and / or reconfigured on-the-fly based on application service selection by the user, the access network 101 of FIG. Is considered as a controllable infrastructure. This identifier may be a fixed identifier, such as a media access control (MAC) address of the communication hardware subsystem used by the user terminal, or a temporary identifier such as an IP address assigned to the user terminal by a DHCP server, or a web browser operating on the user terminal. It may be a web cookie provided to the application. By using an identifier that does not directly follow a network interface (eg, MAC address) or certain configuration parameters (eg, IP address) provided by the access network infrastructure, the registration mechanism allows the user terminal even when the network connection is changed ( This allows for example to maintain a connection with a registration server even when a new network interface is plugged in or DHCP configures a new IP address. In this case, the user terminal shares some of the responsibility of informing the registration server of any change in the device or any change in network specific configuration parameters.

The registration authority 202 records not only the identifier but also the tier of the application service requested by the user of the terminal. Knowing this, the registrar regulates the state of the communications network to accommodate new users and their chosen application service tier. This stateful operation in principle includes sending this association information between the device's identifier and the tiers of application services to some or all nodes of the controllable access infrastructure via control signal notification 203. As an example, a registrar (so-called registration server) may (a) pass the MAC address of the user terminal along with the tier of application services to the access point and LAN switch, or (b) the IP address of the user terminal with the tier of application services. Provide a network router, (c) pass a web cookie / IP address to a web proxy located within the network with the tier of application services, or (d) allow an application specific server to allow or deny traffic from a particular user terminal. Using this information, the appropriate network node blocks or accepts traffic from the user terminal to the service 205 and / or traffic from the service 205 to the user terminal.

3 shows an illustration of the individual steps in the initial interaction between the user terminal and the system. This may include obtaining the IP address 116, contacting the registration server to select the required tier of the application service 115, and updating control status 117 and 203, such as updating the status of the general control infrastructure. Include. Embodiments of the present invention use standard DHCP protocol to configure individual user terminals. After the user terminal enters the system, the physical layer of his network connection is activated and his system software is notified. As such, the user terminal broadcasts a DHCP request on the system network (item 1 in step 301). This request is processed by the machine running the DHCP server 102 which sends back a response to the user terminal (item 2 in steps 108 and 301). The DHCP response includes the IP address assigned to the user terminal by the system, the address of the default node that delivers the message (gateway IP address), and the IP address of the machine running the DNS server.

Certain embodiments of the present invention have client configuration software modified from its default operation (302). For example, when using the DHCP protocol, system-specific options are added to the DHCP protocol, which can be done according to existing standard methods of adding options within DHCP, and the DHCP server and client software can also create and interpret new options individually. Is extended to help. The system specific DHCP option includes the address of the registration server. After processing the DHCP response, the extended DHCP client software uses this address to launch a browser directed to the registration server (304). The foregoing embodiment of the present invention represents one exemplary embodiment of automatically configuring a user terminal without explicit user intervention using extended DHCP client and server software. In another embodiment of the present invention, no extension is performed to the DHCP protocol or DHCP client and server software (302). After the DHCP response is processed and the network connection is established, the browser is started manually on the user terminal and the browser is directed to the registration server. The identification portion of the registration server is a user via an out-of-band mechanism, such as visual notification 303, which may be available as a URL from a set of bookmarks in the browser or may be printed or displayed prominently in a public place. It may be provided to. While DHCP is the most common mechanism for initial configuration of user terminals, other configuration protocols can be used effectively. For example, the next generation Internet Protocol IPv6 allows nodes to automatically configure themselves without the need for any help from a DHCP server. Also, using techniques such as destination redirection, the web request from the client device to the destination web can be sent to any desired location, such as a registration server, independently of the location the browser user wants to go on the Internet. Redirection can be set. The invention is equally applicable to other means of initial user terminal configuration.

As part of the user interaction with the registration server, the user selects the selected tier of application services and provides payment related information (305). This information is sent (306) to the appropriate and logically clear node for verification through the registration server / agency. If the user-provided information is proved to be correct (307), the registration is considered successful. In this case, the accounting process for this user session is initiated and the appropriate information is relayed to the general control infrastructure element via a control notification message. If this information is invalid (307), the user is given another opportunity to register with the system.

Once the user selection of a particular application service tier has been successfully confirmed by the system, the user will initiate a transfer to application services within that tier. FIG. 4 illustrates the following steps within an example process by the universal access controllable infrastructure (204 in FIG. 2) during this communication. After receiving a packet (a request packet or any other transmission from the device) (401), the packet is examined to determine its origin, ie the user terminal and the application service tier to which it belongs (402). The mechanism by which this packet is associated with a particular user terminal and / or application service tier depends on the exact elements within the controllable access infrastructure in which this execution is executed. This is described in the case of a router in FIG. 9 and in the case of a wireless access point of a web proxy in FIG. If the application service follows the tier of services associated with the packet origin (403), the packet proceeds to the next step (404), if necessary, the accounting information associated with the original user terminal is updated (405) and in this case a particular application service. The billing policy for requires so to be. If the application service is not followed (403), the packet is dropped or appropriate measures are taken (406). In either case, the infrastructure element begins to process the next packet. If this compliance test fails (403), the system looks for another countermeasure.

In some embodiments, the executing node redirects the packet and / or generates a failure notification to the registration server. If a packet that fails the compliance test responds to a web-based request, the registration server responds to the user terminal using the HTTP protocol to notify that the user has attempted access in violation of the user's current tier of the application service. This web-based application gives the user the option to renegotiate the tier of application services so that subsequent access attempts by the user are not denied.

Depending on the information provided by the user at the time of registration and the capabilities of the system, other countermeasure actions will send an “out of band” notification to the user. The latter case is preferred if the user is not currently using a web browser application or does not include any specialized application to which a message can be sent by the system. Out of band notifications may include sending a message to a pager, such as an interactive personal e-mail device such as a wireless personal device, sending a phone call to a cellular phone, sending a short message service (SMS) message, and the like. Include.

Describes a process that allows a user to renegotiate or change the tier of application services during an ongoing connection with a public access network. As already explained, this may be used if a user finds that a particular requested application service is currently outside of the user's current tier selection. Alternatively, a user may find the need to temporarily switch to a different tier of application services at some point. For example, a user may suddenly find the need to access premium application services that are not included within the first selected application service tier. Application service profiles are sometimes created and classified to indicate a user's desired selection of an application service tier under certain conditions or when certain characteristics are satisfied, such as location characteristics. The service profile of the user facilitates the selection of the application service tier.

Although embodiments of the present invention described herein refer to user selection of service selection, it is within the scope of the present invention to use a service profile to facilitate user tier selection. 5 illustrates the steps involved in changing the tier of application services associated with a user terminal. The user terminal contacts the registration server by directing the browser to the registration server (501), requests the change of the current tier of application services (502), and provides all the necessary information (503) (similar to 305). ). If this information is valid (504), the change is allowed and the status of the access control element in the general-purpose infrastructure is updated (505) and the status of the accounting element therein is updated (506). Since the user terminal already has an existing connection to the access network (and thus has a unique identifier), the process 503 for providing the necessary information is not described in detail as in the first process 305 in FIG. . For example, the user does not have to provide personal information (eg credit card number) again, but instead the software on the user's terminal can provide the user specific identifier directly to the registration server (eg using a web cookie), thereby allowing the server to Facilitates associating a request for a change in an application service tier with an existing user-network connection.

Although the procedure of updating the service described in FIG. 5 represents one embodiment of the present invention, other things are possible within the spirit of the present invention. For example, one skilled in the art can achieve similar results by pointing the user to the requested application service and having the service provider respond with an appropriate registration page for the tier of application services that include the requested application service. The latter approach does not require the user to explicitly contact the registration server for the upgrade. However, this approach can achieve the same end result as the embodiment shown in FIG.

Since support for dynamically defined application services is an element of the present invention, a mechanism must be specified to cause these service connections to terminate. For example, this de-registration mechanism is used for accurate billing in scenarios in which a user is billed based on the duration of the user-network connection. This mechanism can be used by the user to check current usage and billing information prior to making a decision about termination or duration of the connection. Figure 6 illustrates the stage of potentially final interaction between a user terminal and a public access network when the user terminal effectively terminates all sessions and ends access to various network services. In the illustrated embodiment, the user terminal points the browser to the registration server (601) and requests the termination of its session using the standard HTTP protocol (602). As part of this request, the user terminal includes a user specific unique identifier set during the registration process (see 201 of FIG. 2) (602). The registration server then retrieves appropriate usage statistics from the associated execution device (603) and provides the appropriate usage information to the user terminal (604). Based on this usage information, the user decides whether to continue or stop using the publicly available service infrastructure (605). If the user decides to continue using, the termination process is stopped and the user resumes his or her normal network access. This mechanism provides the user with a means of simply verifying their activity history and associated billing history. However, if the user decides to terminate the current connection (605), the registration server takes the necessary action to remove the information associated with the user's presence in the public access network. The registration server first issues 606 a suitable control notification message to the executing device to disable other access by the user terminal. Successful execution of this control message effectively removes unnecessary access control information in the execution device. It also serves to prevent any subsequent unauthorized access attempts. After sending this notification, the registration server completes the process of removing active user specific information (such as a unique identifier associated with the user's current session) from its internal table and billing the user appropriately (607). In addition to notifying the access control device, the registration server also notifies 608 the DHCP server so that the DHCP server can update its own table and release resources as appropriate.

7 illustrates another example embodiment of managing and terminating a session without the user having to explicitly operate for termination. In this embodiment, so-called web technology is used to follow the presence of user terminal 108 in the system. FIG. 7 repeats the relevant portion of FIG. 1 with adding a session database 702 that maintains a record 703 of terminals in the system. In particular, after assigning 116 an IP address to the user terminal by DHCP server 102, the server informs registration server 114 that the new IP address has been assigned to the user terminal (701). In one embodiment, the registration enters this IP address into a "standby" pool of IP addresses. This IP address will be removed from the standby pool when the user accesses the registration server to register for a new service and continue or update the existing service. In another embodiment, the registration server associates this IP address with the record 703 in the user session database 702. In any case, the registration server is notified of the new IP address assignment.

This new IP address assignment is provided to the latest user terminal or terminal with an ongoing session. The latter case can occur for a variety of reasons, such as temporary link 109 failure, rebooting the user device, changing the wireless access point due to movement, for example, adjusting the access technology from wireless LAN to wired Ethernet or Bluetooth wireless technology. The user device may obtain a newer IP address that is different than previously used. However, the user may still have chosen a valid payment policy. For example, the user requested a 30 minute period and communication interruptions occurred between 7 and 10 minutes in this period. In this case, the latest IP address cannot be completely associated with the new session but can be used to update session information for an existing session.

In the embodiment shown in Figures 7 and 8, this is accomplished using web cookies. A web cookie is a small amount of information sent by a web server to a web browser interacting with the server. The web browser stores the cookie locally in a user terminal operating the browser. This cookie is uploaded by the browser whenever the web browser revisits the web server. This is used to track user visits to specific web sites. In this case, when the user terminal revisits the registration server after reassigning a new IP address to the server, the cookie is again provided to the registration server and the registration server uses this cookie to record sessions for this user terminal. Search) and update him accordingly.

In another embodiment, the transfer of the new IP address from the DHCP server to the registration server is omitted. This ensures that session data for newly initiated or ongoing sessions are processed only by the registration server. This is because apart from the cookie, a web server, such as a registration server, can retrieve a large amount of information related to the user terminal, including its IP address. However, the IP address transfer at 701 or similar address transfer in the opposite direction is used to prove that the IP address used by the user device is a valid IP address assigned by the DHCP server.

8 illustrates an embodiment of the steps the registration server follows to determine how to proceed if the registration server receives cookies. When a cookie is associated with an active / in progress session, that cookie is said to be valid. A number of events 807 contribute to invalidating cookies. For example, a DHCP server may invalidate an IP address. This occurs when the "lease" time associated with the IP address assigned by the DHCP server expires before the user terminal requests to renew the lease. In the embodiment of FIG. 7, the DHCP server communicates this information by sending a " IP address removal " message 704. The granularity of a DHCP lease indicates how accurate a pay-while-I-am-on billing policy is. For example, given a lease in increments of two minutes, The user who chooses to pay on the basis will be charged for using the system for 2 minutes or 4 minutes or 6 minutes. Also, if the user chooses to pay for 30 minutes of blocks and 30 minutes has elapsed, the session will be invalidated. In the session record 703 in FIG. 7, the latter is calculated from the session record entry (paymentSlectionTime) describing the selection time of the payment policy and / or the time covered by the selected payment policy (paymentDuration) or other related data stored in the session record. Can be. The time to choose payment is closely related to the time at which the service tier is selected, but this is generally not a requirement. Various time intervals may be associated with a grace period to account for the possibility that the user has been temporarily separated. This grace period is advantageously adjusted by the DHCP server so that the DHCP server does not assign the removed IP address to the new user terminal, but the registration server has not yet updated its session record.

Momentary disconnection can occur for other reasons, such as user movement and temporary link failures, user device reboots, changes in the wireless access point due to movement, or coordination of access technology from wireless LAN to wired Ethernet or Bluetooth wireless technology. Through the use of cookies, which are used as session identifiers that can be terminated and persisted, the user can continue to access the selected tier of services without having to re-register with the registration server. By using a cookie that is sent each time the user terminal accesses the registration server, the registration server can recover any session information that it needs to ignore the connection interruption caused by various reasons. This capability is often referred to as service roaming.

9 is a more detailed diagram of how access control is performed using a router in the access network 101 of FIG. 1 or the equivalent controllable infrastructure 204 of FIG. In FIG. 9, it is assumed that the user terminal 901 is assigned an IP address 10.0.0.1 using the DHCP protocol. In other embodiments, subsequent IP addresses may be different. The service provider also defines two application service tiers, gold and silver application service tiers, which allow users to access devices with IP addresses 10.1.1.2 and 10.1.2.2, respectively. (Generalization for multiple application service tiers, each with multiple lists of IP addresses and / or port numbers, is straightforward to those skilled in the art.) The client then passes through the wireless access point 902 to the registration authority 903. ) To specify its requested tier of application services. The registrar 903 provides 904 a web page list of all available tiers of application services and related claims. The user then selects between two tiers 909 (silver and gold) of the application service and sends this selection back to the registration server (along with other personal credentials) (905). Grouping services into various application service tiers is incremental in that selecting the gold service tier, for example, can also enable access to all services within the silver service tier.

Let's assume that the user terminal has chosen the silver service tier. One of the nodes on which the access control mechanism may be executed is the router 906. As shown in FIG. 9, this router-based access control scheme is accomplished by sending a set of filtering rules to the router based on the IP address of the user terminal and its requested application service tier 907. After receiving this filtering rule, the router stores it in its local routing table 908. In FIG. 9, this routing table indicates that IP address 10.0.0.1 (the IP address of the user terminal of interest) can access the application service provided on TCP port 80 on destination address 10.1.2.2. This corresponds to a web server for silver services, so that user terminals associated with IP address 10.0.0.1 can only access silver services.

Execution mechanisms may also be performed at other nodes within an access network infrastructure, such as a wireless access point, or at a web proxy. These alternatives are shown in FIG. 10 and assume that the user terminal has the IP address 10.0.0.1 as before. In addition, assume that the hardware (MAC) address of the wireless device associated with the user terminal is "MAC_ADDR_1". First, as shown on the left side of the figure, the registration authority 1002 sends a set of filtering rules 1003, 1004 to one or more wireless access points (WiAP) 1005, 1006. Because the wireless access point distinguishes terminals by MAC address, the filtering table 1007 in the wireless access point 1005 typically refers to the MAC address of the user terminal (“MAC_ADDR_1” in this example) and the destination IP address and / or permit. Contains the port number of a set of possible destination nodes. This figure illustratively shows that the user terminal has selected the application service silver tier 1008 (destination address 10.1.2.2).

The right side of FIG. 10 shows that access control is performed by placing a filter on the web proxy 1009. In this case, registrar 1002 passes the appropriate set of filtering rules 1010 to the web proxy. The web proxy then updates the corresponding information in its filtering table 1011. This is actually an application layer filtering mechanism because the web proxy only intercepts traffic from user terminals that are web based. In this case, the user terminal is uniquely identified by a network layer identifier such as an IP address (10.0.0.1 in this example) or an application layer identifier such as a set of web cookies.

10 shows a case where the filtering table 1011 identifies a user terminal by its set of allowed destinations via its IP address (10.0.0.1) and URL set. In this particular example, assume that the user has selected a silver service associated with the URL http://10.1.2.2/silver.html URL is a standard way of naming, finding, and searching objects on the web.

Embodiments of the invention mentioned herein relate to controlling access to selected application services using access points, routers, and web proxies. Those skilled in the art may use other network traffic control elements within the spirit of the invention.

The embodiments of the present invention proposed so far have been based on the assumption that a public access infrastructure uses a wireless LAN to allow a user to connect to a network through a wireless interface. However, the principles and methods disclosed herein may be applied to other wired and wireless access technologies. Those skilled in the art can readily develop additional embodiments of the present invention for other access technologies using, for example, wired IEEE 802.3 Ethernet technology instead of IEEE 802.11 wireless LAN technology without departing from the spirit of the invention.

The invention can be realized in hardware, software or a combination of hardware and software. The visualization tool according to the invention can be realized in a centralized manner within one computer system or in a distributed manner in which different elements are distributed over several interconnected computer systems. Any kind of computer system or other device is suitable as long as it can perform the methods and / or functions disclosed herein. A typical combination of hardware and software may be a general purpose computer system having a computer program capable of controlling the computer system to perform the methods disclosed herein when loaded and executed. In addition, the present invention includes all features that enable implementation of the methods disclosed herein and may be embedded within a computer program product that is loaded into a computer system and capable of executing the methods.

A computer program means or computer program in this context is a set of instructions that causes a system having an information processing capability to perform a particular function immediately after or after conversion into another language, code or notation and / or reproduction in a different material form. And any expression in any language, code, or notation.

Accordingly, the present invention encompasses an article of manufacture comprising a computer usable medium having computer readable program code means embodied therein for carrying out the functions described above. Computer readable program code means in the article of manufacture comprises computer readable program code means for causing a computer to perform the steps of the method of the present invention. Likewise, the present invention may be embodied as a computer program product having a computer usable medium having computer readable program code means implemented therein for performing the above-described functions. Computer readable program code means in the computer program product includes computer readable program code means for causing a computer to perform one or more functions of the present invention. The invention may also be embodied as a machine readable program storage device that implements a program of instructions executable to carry out method steps that invoke one or more functions of the invention.

The foregoing has outlined some of the more relevant objects and embodiments of the present invention. The present invention can be used for many applications. Although the specification has been written for specific configurations only, the timing indications and methods, intents and concepts of the invention may be applied to other devices and applications. It will be understood by those skilled in the art that modifications and variations to the disclosed embodiments can be made within the spirit and scope of the invention. Thus, the described embodiments need to be construed as merely illustrative of the more salient features and applications of the present invention. Other advantageous results may be realized by applying the disclosed invention in different ways or by modifying the invention in a manner known to those skilled in the art.

Claims (38)

A method of allowing a user to access a specific group of application services on a networked device using a standard set of communication protocols. Providing a plurality of application service groups accessible to the device, at least one of the application services in each group being used by the device; Causing the user to select the particular application service group from the plurality of groups; Dynamically and automatically configuring the network based on the specific application service group to allow the device to access the specific application service group through the network. Way. The method of claim 1, Subsequently causing the user to select another application service group from the plurality of groups; Dynamically and automatically configuring the network based on the subsequent selection result to allow the device to access the other application service group through the network. Way. delete delete The method of claim 1, The providing step includes retrieving the list of application service groups from local data. Way. Claim 6 was abandoned when the registration fee was paid. The method of claim 1, The providing step includes retrieving the list of application service groups over the network from a group of devices remote from the device. Way. delete delete delete Claim 10 was abandoned upon payment of a setup registration fee. The method of claim 1, The providing step includes dynamically generating at least one of the plurality of application service groups from a list of possible applications. Way. Claim 11 was abandoned upon payment of a setup registration fee. The method of claim 1, The providing step further includes mapping the plurality of application service groups to at least one network identifier. Way. delete The method of claim 1, The automatic configuration step includes setting up a traffic filtering rule in the network, The traffic filtering rule associates the device with the specific application service group. Way. delete delete delete delete delete The method of claim 1, Prohibiting access to another application service group; Way. delete delete delete delete Enabling a user device connected to a network—the user device uses a standard set of communication protocols, the network comprising at least one network configuration service, at least one service management application service, at least one network traffic control element, At least two application service groups accessible to the user device, the at least one network configuration service configures the user device, and the at least one service management application service is a list of the at least two application service groups Providing to the user device ━, Causing a user of the user device to select at least one of the at least two application service groups; Dynamically and automatically configuring said at least one network traffic control element to enable access to said at least one group only; Way. Providing the user device with a list of a plurality of application service groups in response to a user device connected to a network; Sending an identifier set to the device indicating a selection of a particular group of the plurality of application service groups; Dynamically configuring the network by at least one network traffic control element using the identifier to enable communication between the device and the particular application service group over the network. Way. Setting permission to access the device, Causing the device to select access from a plurality of available application service groups to a selected application service, wherein the device uses a standard set of communication protocols and is connected to a network; Associating the access permission for the device with at least one identifier such that the device accesses the selected application service from at least one of the plurality of available application service groups; Roaming the device using the at least one identifier and accessing the selected application service using the set access permission; Way. delete A server that allows a user to access a particular group of application services on a networked device using a standard set of communication protocols, The server, A listing module for providing a list of a plurality of application service groups accessible to the device—at least one of the application services in each group may be used by the device; An enabling module for allowing the user to select the particular application service group from the plurality of groups; A configuration module for dynamically configuring the network based on the specific application service group to allow the device to access the specific application service group over the network; Device. delete Method according to any one of claims 1, 2, 5, 6, 10, 11, 13, 19, 24, 25 or 26. A computer-readable recording medium in which a program for performing each step of the recording is recorded. delete delete delete delete delete delete delete delete

Images