MXPA99006494A - Secure access method, and associated apparatus, for accessing a private data communication network - Google Patents

Secure access method, and associated apparatus, for accessing a private data communication network

Publication number
MXPA99006494A
Authority
MX
Mexico
Application number
MXPA/A/1999/006494A
Other languages
Spanish (es)
Inventor
Nordman Mikael
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)

Abstract

A method (152), and associated apparatus (10), for accessing a private IP network (14) with a wireless host (32) by way of a wireless access network (52). Once authenticated and permitted access to the private IP network (14), the wireless host (32) becomes a virtual host of the private IP network (14). A wireless host identifier (WHI) is used to identify the wireless host (32). Permission to communicate by way of wireless access network (52) is confirmed by an authentication procedure (162). The WHI is thereafter provided to the private IP network (14). If the WHI is of a selected value, permission to access the private IP network (14) is granted. An IP address used to address data to the wireless host (32) is allocated by the private IP network (14) once access to the private IP network (14) is granted.

Description

SECURE ACCESS METHOD, AND ASSOCIATED APPARATUS, FOR ACCESSING A PRIVATE DATA COMMUNICATION NETWORK

The present invention relates generally to communications between a host and a device located in a network. More particularly, the present invention relates to a method, and associated apparatus, for permitting a wireless host to access a private data communication network, such as a private IP network. In an embodiment in which the private data communication network is formed of a private IP network, the private IP network is connected to a wireless access network formed of the network infrastructure of a radio communication system, such as, for example, a cellular communication system. Once the wireless host is permitted access to the private IP network, an IP address is allocated to the wireless host by the private IP network. Information accessed in the private IP network is addressed to the wireless host using the IP address allocated by the private IP network. A request by the wireless host to access the private IP network is first transmitted to the wireless access network. An authentication procedure is carried out to confirm that the wireless host is permitted to communicate through the wireless access network. If the wireless host is authenticated, a wireless host identity (WHI) identifying the wireless host is sent to the private IP network. The wireless host is permitted access to the private IP network if the wireless host identity identifies a wireless host that is entitled to access the private IP network. The private IP network then allocates an IP address to the wireless host. The IP address is used to address data to the wireless host. A simple and efficient way by which a private IP, or other data communication, network can be accessed is thereby provided. A wireless host identity is used to identify the wireless host both in the wireless access network and in the private IP network.
When the wireless host identity is stored in the wireless access network, it does not have to be sent to the wireless access network infrastructure over the air interface. And if the wireless host is permitted access to the private IP network, the wireless host is allocated an IP address by the private IP network. The IP address can be allocated dynamically to the wireless host, so a separate IP address does not have to be permanently assigned to the wireless host.

BACKGROUND OF THE INVENTION

Advances in communication technology have permitted significant improvements in the manner in which data can be communicated between a sending station and a receiving station. For example, in radio communications, advances in digital communication techniques have permitted the introduction and popularization of new types of communication systems. Cellular communication systems employing digital communication technologies, for instance, have been installed in many areas and are widely used. Advances in communication technology have also facilitated the decentralization of computer systems. Processing devices can be positioned at separate locations and connected together through network connections. Network connections between distributed processing devices, and the communications between them, have led, for example, to the emergence and wide availability of IP networks, such as the Internet. Other private data communication networks have been formed in a similar manner. Advances in communication technology have also permitted the integration of radio communication systems and networked devices. For example, a terminal device such as a portable computer can be connected by a radio link to the network infrastructure of a radio communication system and, in turn, through a network connection, to a network device connected to the Internet.
The terminal device forms a wireless host relative to the network device connected to the Internet, since no physical link, such as a wireline, is formed to the terminal device. A private IP network is formed of a group of network devices connected together through network connections, but to which network access is limited. Increasing numbers of private IP networks are being created, and access to them by wireless hosts is increasingly in demand. Increasing numbers of other data communication networks are likewise being created, and access to them by wireless hosts is likewise increasingly in demand. Because of the limited-access nature of a private network, there is a need to ensure that the wireless host is authorized to access the private network and, if it is so authorized, there is a corresponding need to ensure that the wireless host receives an appropriate level of access to the private network; that is, the wireless host should be treated as a virtual host, given the same level of access to the private network as a host physically connected to that network. Because the connection between a wireless host and a network device of a private data communication network includes a radio link, the wireless host must be identified by an address so that data can be communicated to it. In some existing communication systems in which a wireless host can communicate with a network device, the address of the wireless host is allocated dynamically. That is, for example, in an embodiment in which the private data communication network is formed of a private IP network, instead of assigning a permanent IP address to the wireless host, a temporary IP address is allocated to the host when data is to be communicated to it. Dynamic IP address allocation, as in IPv6, is an example of an allocation method by which IP addresses are dynamically allocated to wireless hosts.
In such a method, to provide a fixed identity for the wireless host, a DNS (Domain Name System) name is assigned. A DNS name is a symbolic name provided for wireless hosts and other devices connected to an IP network.
One way in which a wireless host can access a private IP network is by a dial-up connection from the wireless host to the private IP network. Once the switched connection is formed, the wireless host identifies itself with a password.
Another way in which a wireless host can sometimes access a private IP network is through an authenticated tunnel. The wireless host is connected to the private IP network through the authenticated tunnel, and the wireless host is authenticated in the private IP network with an identity and a password. Such a tunneling method is sometimes referred to as "layer 2 tunneling". The PPTP system developed by Microsoft Corporation, the L2F system developed by Cisco Systems, and the L2TP system developed by the IETF are related PPP tunneling methods. The existing ways in which a wireless host obtains access to a private IP, or other data communication, network require significant amounts of protocol overhead. As in any bandwidth-limited communication system, that protocol overhead consumes bandwidth. When the wireless host accesses the private network through the network infrastructure of a cellular communication system, portions of the network infrastructure function as a wireless access network. When, for example, the private data communication network forms a private IP network, two IP addresses are required to permit communication between the wireless host and the private IP network. A first IP address is required in the wireless access network formed of the portion of the network infrastructure, and a second IP address is required in the private IP network. The wireless host must therefore belong to two networks, that is, the IP access network and the private IP network. As a result, two IP addresses must be allocated to the wireless host. If DNS is used in both networks, DNS names must also be assigned in both networks. The layer 2 tunneling method requires the formation of a protocol stack having three additional layers: the PPP layer, a layer 2 tunneling layer, and a basic IP layer. The protocol overhead resulting from these additional protocol layers consumes bandwidth.
Such a requirement is generally undesirable in a bandwidth-limited system. Some wireless hosts can also communicate data packets through circuit-switched connections as well as packet-switched connections. A GSM (Global System for Mobile Communications) communication system is an example of a cellular communication system that permits wireless hosts operable therein to communicate packet data by means of both packet-switched and circuit-switched connections. It would be helpful to provide a way in which the wireless host can access a private IP, or other data communication, network using the same access procedure regardless of the type of data to be communicated between them. In conventional ways of providing a wireless host with access to, for example, a private IP network, dial-up connections are made directly to the private IP network. Such a connection can be made, for example, to a remote access server of the private IP network. The telephone charges associated with the dial-up connection can be significant. For example, long-distance charges may be incurred in forming the dial-up connection if an inter-LATA or similar switched connection is required between the network infrastructure of the cellular communication system and the private IP network. It would clearly be desirable for the wireless host to access a wireless access network as close as possible to the location at which the wireless host is positioned, and then to use IP transport between the wireless access network and the private IP network. A way in which a wireless host could be permitted access to a private data communication network to communicate packet data therewith would therefore be of benefit. It is in light of this background information related to access by a wireless host to a private IP network that the significant improvements of the present invention have evolved.
SUMMARY OF THE INVENTION

The present invention advantageously provides a method, and associated apparatus, for permitting a wireless host to access a private data communication network, such as a private IP network. The present invention also advantageously provides a method, and associated apparatus, for dynamically allocating a temporary address to the wireless host once access to the private network is granted. The dynamically allocated address is used to address data to be communicated to the wireless host. In one aspect of the present invention, the wireless host is coupled over an air interface to the network infrastructure of a PLMN (Public Land Mobile Network), such as a GSM network. The PLMN is in turn connected to a private IP network. The network infrastructure thus forms a wireless access network. When the wireless host requests access to the private IP network, communications are first authenticated in the wireless access network formed of the network infrastructure of the PLMN. An authentication procedure is carried out to confirm that communications are permitted through the wireless access network. If the authentication procedure confirms that such communications are permitted, a wireless host identity (WHI), previously stored in the wireless access network and identifying the wireless host, is sent to the private IP network. The private IP network permits access to the wireless host if the wireless host identity provided corresponds to the identity of a wireless host that is authorized to access the private IP network. An IP address is allocated to the wireless host by the private IP network. This IP address is used to address data communicated to the wireless host. The IP address can be a dynamically allocated address, used during a selected period to temporarily identify the wireless host. Accordingly, the wireless host does not have to have a separate IP identity in order to access the wireless access network.
Instead, a wireless host identity stored in the wireless access network formed of the PLMN infrastructure is used to identify the wireless host in the private IP network. The wireless host identity may be provided, for example, as subscription data in the wireless access network. The wireless host identity is selected, for example, by the operator of the private IP network, and is provided to the network infrastructure of the PLMN and stored there in accordance with an agreement between the operator of the private IP network and the operator of the PLMN. Once access to the private IP network is granted, an IP address for the wireless host is provided by the private IP network and not by the PLMN. The wireless host thereby becomes a virtual host of the private IP network, ensuring that the user and host environment of the private IP network, including its security and conventions, applies to the wireless host as well. IP tunneling is used between the PLMN and the private IP network. The IP tunnel can be secured either by means of an authentication procedure or by arranging secure transmission through agreements between the operators of the PLMN and the private IP network. The tunnel authentication keys may be stored together with the WHI in the HLR, on the SIM card, or in the wireless host, in order to provide secure transmission of the wireless host identity as well as other data. The tunneling, however, does not extend over the air interface. Instead, transmission protocols specific to the air interface are used to communicate datagrams between the wireless host and the network infrastructure of the PLMN. In these and other aspects, therefore, a secure access method, and an associated apparatus for implementing the method, provides access to a private data communication network by a remote communication station.
Once access is provided, data is communicated between the private data communication network and the remote communication station. The private data communication network is connected to the network infrastructure of a radio communication system. A remote communication station identity is stored in the network infrastructure of the radio communication system. A registration request is generated by the remote communication station to request registration of the remote communication station for access to the network infrastructure so as to permit data communication. The registration request is detected in the network infrastructure. The remote communication station is authenticated to confirm that it is authorized to communicate through the network infrastructure. If the remote communication station is authenticated, a network access request is sent to the private data communication network, in which the remote communication station is identified by the remote communication station identity. In response to the network access request, a determination is made as to whether the remote communication station is entitled to access the private data communication network. And the remote communication station is permitted access to the private data communication network if it is determined to be so entitled. Once permission to access the private data communication network has been granted, an address, such as a temporary address, can be allocated to the wireless host. A more complete appreciation of the present invention and its scope can be obtained from the accompanying drawings, which are briefly summarized below, from the following detailed description of the presently preferred embodiments of the invention, and from the appended claims.
BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 illustrates a functional block diagram of a communication system in which an embodiment of the present invention can operate. Figure 2 illustrates a functional, logical block diagram showing the routing of data communicated between a wireless host and a private IP network. Figure 3 illustrates a functional block diagram of a private IP network including an embodiment of the present invention for allocating an address by which data is addressed to a wireless host. Figure 4 illustrates a logical flow diagram listing the method steps of one embodiment of the present invention.

DETAILED DESCRIPTION

Referring first to Figure 1, a communication system, shown generally at 10, permits data communication between a remote communication station 12 and a private IP network 14. The private IP network 14 here forms a private intranet to which access is selectively permitted. When the remote communication station 12 is entitled to access the private IP network 14, data can be communicated between them. In one embodiment, packet data is communicated between the remote communication station 12 and the private IP network 14. While a private IP network is illustrated in the exemplary embodiment shown in the figure, in other embodiments access to other types of private data communication networks can be effected in an analogous manner through operation of an embodiment of the present invention. Therefore, while the following description is made with respect to the private IP network 14, it will be understood that the present invention may also operate to permit access to other data communication networks. In the exemplary embodiment illustrated in the figure, the communication system 10 is formed of a GSM (Global System for Mobile Communications) cellular communication system, the network infrastructure of which forms a wireless access network to which the private IP network 14 is connected.
In other embodiments, the communication system 10 is alternatively formed of another structure. The remote communication station 12 includes a radio transceiver, here a GSM mobile terminal 16. The mobile terminal 16 includes a SIM (Subscriber Identity Module) card 18, inserted in the mobile terminal 16 or otherwise connected to it, as indicated here by the lines 22. The SIM card 18 includes a storage location 24 for storing authentication information, in conventional manner. The SIM card further includes a storage location 26 for storing the address of the private IP network 14. In one embodiment of the present invention, the SIM card further includes a storage location 28 for storing a WHI (wireless host identity). Other subscriber data may additionally be stored in other storage locations of the SIM card 18. The mobile terminal 16 is connected to a wireless host 32, here by the lines 34. The wireless host 32, in one embodiment, forms a portable computer capable of receiving data communicated to it by a network device of the private IP network 14. The wireless host 32 may alternatively be connected to the mobile terminal 16 by a non-contact coupler, for example an infrared coupler. In one embodiment of the present invention, the wireless host includes storage locations 36, 38 and 42 for storing data analogous to that stored in the storage locations 24, 26 and 28. That is, in such an embodiment, the authentication information, the address of the private IP network 14, and the value of the WHI are stored in the storage locations 36-42, respectively. In the exemplary embodiment illustrated in the figure, this information is stored redundantly in the storage locations of both the SIM card 18 and the wireless host 32. In other embodiments, the authentication information is stored in only one of the storage locations 24 or 36. The network infrastructure of the communication system 10 forms a wireless access network connected to the private IP network 14 through a backbone network 46.
The wireless access network formed of the network infrastructure of the GSM system is shown here to include a BTS (base transceiver station) 52. The BTS 52 is operable to generate downlink signals and to receive uplink signals 56 over an air interface formed of radio links between the remote communication station 12 and the BTS 52. In the embodiment in which portions of the communication system 10 are formed of a GSM communication system structure, that structure, as well as the air interface formed between the remote communication station 12 and the BTS 52, is defined by the GSM system specification standards. Groups of BTSs, of which a single BTS 52 is shown in the figure, are connected by lines 58 to a BSC (base station controller) 62. The BSC 62 is operable, inter alia, to control the operation of the BTSs connected to it. The BSC 62 is also coupled, here by the lines 64, to an MSC/VLR (Mobile Switching Center/Visitor Location Register) 66. The MSC/VLR 66 is operable in conventional manner to form appropriate connections so as to form a communication path between the BSC 62 and the PSTN (Public Switched Telephone Network) 68 through the lines 72. The MSC/VLR 66 is also connected, through lines 74, to an HLR (Home Location Register) 76. The HLR 76 includes an authentication center (not separately illustrated) in which, inter alia, an IMSI (International Mobile Subscriber Identity) and a pseudo-random number value are stored. These values are used during the authentication procedures that confirm the authenticity of the remote communication station. In one embodiment of the present invention, a WHI value associated with the wireless host 32 is also stored in the HLR 76. And in another embodiment of the present invention, an address associated with the private IP network 14 is also stored in the HLR 76. Both the BSC 62 and the HLR 76 are additionally connected to an SGSN (Serving GPRS Support Node) 82.
The BSC 62 is connected to the SGSN 82 by the lines 84. And the HLR 76 is connected to the SGSN 82 through the lines 86. The SGSN 82 is additionally coupled to the backbone network 46 through the lines 88. In this manner, the SGSN 82 is connected to the private IP network 14. The private IP network 14 here forms a HIPN (Home IP Network), illustrated here to include a GGSN (Gateway GPRS Support Node) 92 and an access-controlled IP network structure 94. Additional details of the HIPN forming the private IP network 14 are described below with respect to Figure 3. The network structure 94 is additionally connected to further IP networks, such as, for example, the IP network 96. The backbone network 46 is further illustrated as connected through a GGSN 96 to another IP network forming another HIPN, here the HIPN 102, through an Internet connection 104. And the backbone network 46 is also connected to a further private IP network forming a further HIPN 106 through an Internet connection 108. These additional HIPNs 96, 102 and 106 are exemplary and are shown to illustrate ways in which private IP networks can be connected to a wireless access network such as the GSM network infrastructure illustrated in the figure. During operation, when an operator of the wireless host 32 wishes to access the private IP network 14, appropriate commands are generated at the wireless host to initiate a request to access the private IP network 14. Signals indicative of the request are provided to the mobile terminal 16, and the mobile terminal generates a request over the air interface as an uplink signal 56 communicated to the BTS 52. In a GSM communication system, an attach procedure is initiated. The BTS 52 forwards the request through the BSC 62 to the MSC/VLR 66. The IMSI and pseudo-random number values are retrieved from the HLR 76 and an authentication procedure is carried out.
While details of the authentication procedure performed in a GSM communication system can be found in the GSM system specification standards, in general the authentication procedure authenticates, that is, confirms, that the mobile terminal 16 is authorized to communicate through the network infrastructure forming the wireless access network. Once the authentication procedure has been successfully completed, that is, once it has been confirmed that the mobile terminal 16 is an authentic terminal authorized to communicate through the wireless access network formed of the network infrastructure, the value of the WHI associated with the wireless host is sent to the private IP network 14. In one embodiment, in which the WHI is stored in the HLR 76, the stored value is provided over the lines 86 to the SGSN 82 and through the backbone network 46 to the private IP network 14. The WHI stored in the HLR is sent to the SGSN 82 if the authentication procedure confirms the authenticity of the mobile terminal 16. Accordingly, the value of the WHI is authenticated by the authentication procedure performed by the wireless access network. Storage of the WHI in the HLR 76, or elsewhere in the wireless access network, requires an agreement between the operator of the private IP network 14 and the operator of the wireless access network for secure storage of the WHI value in the wireless access network. A separate IP address or DNS (Domain Name System) name is provided only in the private IP network 14, and nowhere else. Accordingly, because the IP address and the DNS name are provided in the private IP network, the wireless host 32, when entitled to access the private IP network, becomes a virtual host of the network 14. The user and host environment of the network 14, including its network protection security, also applies to the wireless host 32. Access by the wireless host 32 to other networks, such as the HIPNs 96, 102 and 106, can be effected analogously.
In one embodiment, authenticated IP tunneling can also be carried out between the SGSN 82 and the GGSN 92 across the backbone network 46 in order to ensure secure transmission of the WHI and other data between the private IP network 14 and the wireless access network formed of the network infrastructure. Such authenticated tunneling is carried out because the backbone network 46 may be shared by many different operators and the security of the backbone cannot be assured. For example, if access to the HIPN 106 is desired, the data is routed through the public Internet 108. Authenticated IP tunneling is carried out to authenticate the traffic, that is, the data communication, between the SGSN 82 and the GGSN 92. Authentication of the traffic routed across the backbone ensures the validity of the WHI value when the value is received at the GGSN 92. When, instead, access to the HIPN 102 is required, the Internet transmission 104 is similarly authenticated by an authentication procedure. In one embodiment, the GGSN 92 includes an access control mechanism to ensure that only desired WHI values can access the private IP network. A list of desired WHIs is stored in the access control mechanism of the GGSN 92. And a WHI authentication procedure may additionally be carried out in order to further increase the level of security and minimize the possibility of erroneous access to the private IP network as a result of WHI administration errors. While not separately illustrated in Figure 1, the SGSN 82 and the GGSN 92 are protected by firewalls positioned toward the backbone network 46. Within the private IP network 14, standard HIPN security procedures, such as firewalls and passwords, are used. Accordingly, the wireless host 32, once permitted access to the private IP network, is provided with the same environment and security level as all other hosts directly connected to the network 14.
Figure 2 illustrates the logical arrangement of portions of the communication system 10 illustrated in Figure 1. Again, during operation of an embodiment of the present invention, a wireless host, here the wireless host 32, can directly access the private IP network, again illustrated here as forming a HIPN 14. When the wireless host 32 is to access the private IP network 14, the mobile terminal 16 generates an attach request to attach to the wireless access network formed of the network infrastructure of the GSM system. The attach procedure is carried out with the SGSN 82 when packet-switched connections are used. And the attach procedure is carried out with the MSC/VLR 66 when circuit-switched connections are used. During the attach procedure, the IMSI, the WHI, and other associated subscriber data values are downloaded from the HLR 76 to the MSC/VLR 66 and the SGSN 82, as appropriate. Other relevant subscriber data includes the address of the private IP network 14. Additional private IP network addresses, such as those of the HIPNs 96, 102 and 106 (illustrated in Figure 1), can also be downloaded to permit alternative access, or a second choice, to an alternate IP network. The HIPN address identifying the private IP network 14 is, in one embodiment, the address of the GGSN, such as the GGSN 92, of the private IP network 14. The mobile terminal 16 then generates an "activate PDP context request" to the SGSN 82, or an access to the MSC/VLR 66, as appropriate. Access to the MSC/VLR 66 is effected, for example, by placing a call originating at the mobile terminal. Alternatively, additional protocol standardization on the air interface can be carried out to indicate explicitly that the MSC/VLR is to be accessed. In the activation request to the SGSN 82, or in the access to the MSC/VLR 66, an indication that the HIPN is to be accessed is additionally provided to the SGSN or MSC/VLR, as appropriate: for example, that the private IP network identified by the HIPN address stored in the HLR is the private IP network to be accessed, or a default address can be used to identify the private IP network to be accessed. The SGSN 82 or the MSC/VLR 66, as appropriate, analyzes the IMSI value provided to it and determines the address of the private IP network, by default if the address is not otherwise provided. The SGSN 82 or the MSC/VLR 66, as appropriate, generates a "create PDP context" command that is sent through the backbone network 46 to the GGSN 92 when access to the private IP network 14 is required, or to another GGSN when access to another network is required. The "create PDP context" command includes the WHI of the wireless host, and this value is used as the host identity in the HIPN forming the private IP network 14. Figure 2 further shows a wireless host 112 that can be connected to another WAR (wireless access router) 114 through a radio link. And the WAR 114 is connected to the backbone network 46. The wireless host 112 is exemplary of another device which can be permitted access to the network 14. Figure 3 illustrates a logical model of the private IP network 14, formed of the HIPN illustrated previously in Figures 1 and 2. The HIPN formed of the network 14 provides services and a user environment including the following: a DHCP (Dynamic Host Configuration Protocol) service, a DNS (Domain Name System) service, a news service, a mail service, a login service, an NTP service, a WWW (World Wide Web) service, other application servers, a connection to the Internet, connections to intranets, a connection to a backbone network, and firewalls at each interface at which connection is made with another network. Access to a private IP network by the wireless host 32 provides a vertical service and access to the home organization of a mobile terminal.
In such a scenario, the private IP network is part of the private network of a service provider. A public IP network provides public Internet services. On the contrary, if there was access to a public IP network, the public IP network is located in an Internet service provider either in a PLMN (public land mobile network) address or well visited, provided by your operator or a dedicated Internet service provider. With reference to Figure 3, the HIPN forming the private network of IP14 is again shown connected to the structure network 46. A WHR (wireless guest router) 124, which also functions as protection, is connected to the network of structure 46. The WHR 124 is formed of a router that has special support to selectively allow a wireless guest, as for example the wireless guest 32, becomes a virtual guest of the network. The network 14 includes other routers, here the routers 126 and 128, which are connected to an Internet 132 and an Intranet 134, respectively. The routers 124-128 are connected through a local area network (LAN) 138 to which a DHCP device (dynamic guest configuration profile) 142 and a DNS device (domain name service) 144 are also connected. In addition, other optional application servers of which the server 146 is representative are also illustrated in the figure, also connected to the LAN 138. And, wireless hosts 148, directly coupled to the IP14 private network are additionally presented in the figure in FIG. connection to the LAN 138. The DHCP 142 can operate to assign addresses to wireless hosts such as the wireless guest 32. A value of WHI is used as the wireless guest address in the DHCP 142. The DNS 144 can be operated to store names of wireless guests such as the wireless guest 32. The value of the WHI is used as the primary name in the DNS 144, and other secondary names they can also be stored in combination with the WHI. By way of example, DNS names include, for example, WH124450123456789a org. country; MSISDN467051234567a org. 
Country; and myhostoa org. country The value of the WHI can be used profitably because said value is a secure identity provided to a wireless network that identifies the wireless subscription employed in the wireless guest. By storing the value of the WHI as subscriber data in the HLR 76 (illustrated in Figure 1) the value of the WHI is stored with an appropriate level of security. When the wireless guest who has access to the GSM network is authenticated before receiving authorization to use the stored WHI, a separate connection is not required to access the private IP14 network. The transmission between the IP14 private network and the wireless access router 124 must be secure. To ensure the security of the transmission, the wireless guest router 124 and the wireless access router that forms a part of the GSM, the wireless access network stores the address and information and authentication as to the respective routers between which communication is allowed. Such measures ensure that a WHI arriving at the wireless guest router 124 is secure and correct. If necessary, the transmission between the routers can be coded and provide a higher level of data reliability and confidentiality. Optionally, the authentication procedure in the WHR 124 may be associated with the WHI thus protecting the IP network against errors in the administration of the WHIs. The WHI and an authentication key may also be received from the wireless guest 32, and authentication procedures may be further carried out on the private IP network before granting permission to the wireless guest 32 for access to the private IP network. Attempts to access without a valid WHI are rejected by the GGSN. And, valid WHIs must be preconfigured in the WHR 124 as well as the DHCP 142 and DNS 144. The DHCP 142 updates the DNS 144 with the assigned IP address used to direct data to communicate to the wireless guest. While the IP14 private network illustrated in FIG. 
3 shows only a single LAN 138, the network can, on the contrary, be implemented on several physical LANs or implemented on a single platform without a physical LAN. When WHRs analogous to WHR 124 are present in several physical locations each WHR is considered as a subnet (SHIPN) of the HIPN that forms the private IP network. In an arrangement of this type, each SHIPN may communicate with another SHIPN through a structure network. Figure 4 illustrates the method generally presented at 152, of one embodiment of the present invention. Method 152 provides a secure access method for accessing a private IP network by a remote communication station. First, and as indicated in block 154, a remote communication station identity is stored in the network infrastructure forming a wireless access network of a radio communication system. The remote communication station identity is stored together with authentication data associated with the remote communication station. Then, and as indicated in block 156, a request is generated by the remote communication station to request access to the network infrastructure in order to allow data communication there. The request is detected, in accordance with that indicated with block 158, in the network infrastructure. The remote communication station is authenticated, in accordance with that indicated by block 162 to confirm the authorization of the remote station to communicate through the network infrastructure. Then, an IP network access request is sent to the private IP network, as indicated in block 164. Then, as indicated in block 166, it is determined whether the remote communication station is authorized to access the private IP network. And, the station Remote communication can access the private IP network and it is determined that the remote communication station has the right to access the network. 
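As an added illustration, not code from the patent or from Ericsson, the following Python simulation walks through the access flow of Figure 4 using the Figure 3 components: authentication in the wireless access network, forwarding of the stored WHI in a "create PDP context" request to the private IP network, the WHR's check of the WHI against its preconfigured list, DHCP allocation of a temporary address, and the DNS update. All class and function names, the HMAC challenge-response standing in for GSM authentication, the trusted-router check standing in for the stored inter-router authentication information, and the sample IMSI, WHI and address values are constructed assumptions.

```python
"""Simulation of the WHI-based private IP network access flow (added example,
not the patent's own code). Names, the HMAC challenge/response used in place of
the GSM authentication algorithm, and all sample values are constructed."""
import hashlib
import hmac
import ipaddress
import os

# Constructed HLR subscriber data: IMSI -> (authentication key Ki, WHI, HIPN address).
# The WHI value is modelled on the DNS name example given in the description.
HLR = {
    "240011234567890": {"ki": b"\x01" * 16, "whi": "WH124450123456789", "hipn": "10.0.0.1"},
    "240019999999999": {"ki": b"\x02" * 16, "whi": "WH124459999999999", "hipn": "10.0.0.1"},
}


def gsm_style_auth(ki: bytes, challenge: bytes, response: bytes) -> bool:
    """Stand-in for the GSM challenge/response: the station proves knowledge of Ki."""
    expected = hmac.new(ki, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


class PrivateIPNetwork:
    """WHR (with firewall role), DHCP and DNS of the HIPN, as in Figure 3."""

    def __init__(self, trusted_routers, valid_whis, pool):
        self.trusted_routers = set(trusted_routers)  # access routers allowed to reach the WHR
        self.valid_whis = set(valid_whis)            # WHIs preconfigured in WHR, DHCP and DNS
        self.pool = list(ipaddress.ip_network(pool).hosts())
        self.dhcp = {}   # WHI -> assigned (temporary) IP address
        self.dns = {}    # primary name (the WHI) -> IP address, kept in step by DHCP

    def create_pdp_context(self, from_router: str, whi: str):
        """Handle the 'create PDP context' request carrying the WHI (blocks 164-166)."""
        if from_router not in self.trusted_routers:
            return None, "untrusted access router"       # inter-router trust check
        if whi not in self.valid_whis:
            return None, "WHI not entitled to access"     # rejected without a valid WHI
        if whi not in self.dhcp:                          # first access: allocate an address
            self.dhcp[whi] = str(self.pool.pop(0))
            self.dns[whi] = self.dhcp[whi]                # DHCP updates DNS with the address
        return self.dhcp[whi], "access granted"


class WirelessAccessNetwork:
    """SGSN side: attach, authenticate the subscriber, then forward the WHI to the HIPN."""

    def __init__(self, router_addr: str, hipn: PrivateIPNetwork):
        self.router_addr = router_addr
        self.hipn = hipn

    def attach_and_access(self, imsi: str, ki_on_sim: bytes):
        """Blocks 154-162: look up subscriber data, authenticate, then request access."""
        sub = HLR.get(imsi)                 # subscriber data downloaded from the HLR
        if sub is None:
            return None, "unknown subscriber"
        challenge = os.urandom(16)
        # The response would be computed on the SIM; simulated here with the SIM's key.
        response = hmac.new(ki_on_sim, challenge, hashlib.sha256).digest()
        if not gsm_style_auth(sub["ki"], challenge, response):
            return None, "authentication failed"
        # Only an authenticated station gets its stored WHI forwarded to the HIPN.
        return self.hipn.create_pdp_context(self.router_addr, sub["whi"])
```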
During the operation of one embodiment of the present invention, a wireless guest is allowed to become a virtual guest of a private IP network. A wireless guest identity (WHI) is used in a guest identifier of the private IP network. The wireless guest only requires to authenticate in the private IP network when there is no contract for secure storage between the operators of the wireless access network and the private IP network, in terms of security, for example, identification information. An authentication procedure confirms the authenticity of the structure that transmits the access request. A bandwidth required at the air interface to generate the request to access the private IP network is also beneficially reduced when transferring IP packets at the air interface as only specific protocols for air interface are used. to transmit IP packets in the air interface. The above descriptions are preferred examples for implementing the invention, and the scope of the present invention is not necessarily limited to this description. The scope of the present invention is defined in the following claims.

Claims (1)

CLAIMS

1. In a method for communicating data between a private data communication network and a remote communication station, the private data communication network being connected to the network infrastructure of a radio communication system of which the remote communication station forms part, an improvement of a secure access method for accessing the private data communication network by the remote communication station, said method comprising the steps of: storing a remote communication station identity identifying the remote communication station in a storage location; generating a request from the remote communication station to access the network infrastructure to allow data communication; detecting in the network infrastructure the request generated during said generating step; authenticating the remote communication station to confirm the authorization of the remote communication station to communicate through the network infrastructure; sending a network access request to the private data communication network if the remote communication station is authenticated during said authenticating step, the remote communication station being identified by the remote communication station identity stored during said storing step; determining, in response to the network access request sent during said sending step, whether the remote communication station is entitled to access the private data communication network; and allowing the remote communication station to access the private data communication network if it is determined, during said determining step, that the remote communication station is entitled to access the private data communication network.

2. In a method for communicating data between a private IP (Internet Protocol) network and a remote communication station, the private IP network being connected to the network infrastructure of a radio communication system of which the remote communication station forms part, an improvement of a secure access method for accessing the private IP network by the remote communication station, said method comprising the steps of: storing a remote communication station identity identifying the remote communication station in a storage location; generating a request from the remote communication station to access the network infrastructure in order to allow data communication; detecting in the network infrastructure the request generated during said generating step; authenticating the remote communication station in order to confirm the authorization of the remote communication station to communicate by means of the network infrastructure; sending an IP network access request to the private IP network if the remote communication station is authenticated during said authenticating step, the remote communication station being identified by the remote communication station identity stored during said storing step; determining, in response to the IP network access request sent during said sending step, whether the remote communication station is entitled to access the private IP network; and allowing the remote communication station to access the private IP network if it is determined, during said determining step, that the remote communication station is entitled to access the private IP network.

3. The method of claim 2, wherein the storage location in which the remote communication station identity is stored during said storing step is located in the network infrastructure of the radio communication system, the remote communication station identity being stored together with authentication data associated with the remote communication station.

4. The method of claim 2, wherein the remote communication station comprises a wireless host connected to a radio transceiver, the radio transceiver being operable to communicate with the network infrastructure, and wherein said storing step comprises storing a wireless host identity, the wireless host identity being associated with the wireless host.

5. The method of claim 4, wherein the storage location in which the wireless host identity is stored during said storing step is positioned in the wireless host.

6. The method of claim 4, wherein the wireless host identity is stored in the radio transceiver.

7. The method of claim 6, wherein the radio transceiver comprises a cellular mobile terminal operable in a cellular communication system, the cellular mobile terminal having a memory card, and wherein the wireless host identity is stored in the memory card.

8. The method of claim 2, wherein the radio communication system comprises a cellular communication system, and wherein said step of generating the request comprises generating an attach request, the attach request requesting attachment, by means of a radio link, of the radio transceiver to the network infrastructure of the cellular communication system by means of an air interface formed therein.

9. The method of claim 2, wherein the radio communication system comprises a cellular communication system, wherein the data communicated between the remote communication station and the private IP network comprises packet data, and wherein the request generated during said generating step is provided to a router that routes packet data.

10. The method of claim 9, wherein the cellular communication system comprises a GSM communication system and wherein the router to which the request is provided comprises an SGSN (serving GPRS support node).

11. The method of claim 2, wherein the radio communication system comprises a cellular communication system, wherein the data communicated between the remote communication station and the private IP network comprises packet-switched data, and wherein the request generated during said generating step is provided to a router through a circuit-switched connection.

12. The method of claim 11, wherein the cellular communication system comprises a GSM communication system and wherein the router to which the request is provided comprises an MSC/VLR (mobile switching center/visitor location register).

13. The method of claim 12, wherein said storing step further comprises the step of storing a private IP network identity identifying the private IP network with which the data is communicated with the remote communication station.

14. The method of claim 13, wherein the IP network access request sent during said sending step is sent to the IP network identified by the private IP network identity stored during said step of storing the private IP network identity.

15. The method of claim 2, wherein said generating step further comprises generating a wireless-host-provided IP network identity, the wireless-host-provided IP network identity identifying the private IP network with which the data is to be communicated with the remote communication station.

16. The method of claim 15, wherein the IP network access request sent during said sending step is sent to the private IP network identified by the wireless-host-provided IP network identity generated during said generating step.

17. The method of claim 2, wherein the remote communication station has a default IP network identity associated therewith and wherein the IP network access request sent during said sending step is sent to the private IP network identified by the default IP network identity.

18. The method of claim 2, further comprising the step of authenticating an access request to the private IP network.

19. The method of claim 2, wherein said determining step comprises the steps of: storing in the private IP network a list of remote communication station identities identifying remote communication stations that are entitled to access the private IP network; and comparing the remote communication station identity associated with the IP network access request sent during said sending step with the remote communication station identities stored in the list.

20. The method of claim 19, comprising the additional step of assigning an address to the remote communication station in the private IP network if the remote communication station is entitled to access it, the address being assigned to the remote communication station to direct data communicated by the private IP network to the remote communication station.

21. The method of claim 20, wherein the address assigned during said assigning step comprises a temporary address, the temporary address identifying the remote communication station during a selected period.

22. In a radio communication system having a wireless access network, a private data communication network connected to the wireless access network, and a remote communication station selectively operable to communicate data with the private data communication network by means of the wireless access network, an improvement of apparatus for selectively allowing access to the private data communication network by the remote communication station, said apparatus comprising: a storage element for storing a remote communication station identity identifying the remote communication station; a detector connected to the wireless access network infrastructure, said detector for detecting a request from the remote communication station requesting access to the wireless access network to allow data communication; an authenticator connected to the wireless access network, said authenticator for confirming the authorization of the remote communication station to communicate through the wireless access network; a network access requestor connected to said authenticator, said network access requestor being operable in response to an authentication by said authenticator, said network access requestor for generating a request requesting access to the private data communication network by the remote communication station, the remote communication station being identified in the request by the remote communication station identity stored in said storage element; and a determiner positioned in the private IP network, said determiner being operable in response to a request generated by said network access requestor to determine whether access by the remote communication station to the private data communication network is allowed.

23. The apparatus of claim 22, further comprising an address allocator positioned in the private IP network, said address allocator for assigning an address to the remote communication station, the address assigned by said address allocator being used to direct data communicated to the remote communication station by the private IP network.

24. The apparatus of claim 23, wherein said address allocator comprises a dynamic allocator for dynamically assigning a temporary IP address, the temporary IP address being used to direct the data communicated to the remote communication station during a selected period.

25. The apparatus of claim 22, wherein said storage element further stores a private data communication network address identifying the private data communication network.
MXPA/A/1999/006494A 1997-01-17 1999-07-12 Secure access method, and associated apparatus, for accessing a private data communication network MXPA99006494A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US08784152 1997-01-17

Publications (1)

Publication Number Publication Date
MXPA99006494A true MXPA99006494A (en) 2000-01-21
