WO2004012413A1 - Authorised communication initiated by a server in the presence of a network address translator (NAT) or firewalls - Google Patents

Authorised communication initiated by a server in the presence of a network address translator (NAT) or firewalls

Info

Publication number
WO2004012413A1
Authority
WO
WIPO (PCT)
Prior art date
Application number
PCT/GB2003/003184
Other languages
English (en)
Inventor
Paul Austin
Kenneth Tindell
Original Assignee
Livedevices Limited
Priority claimed from GB0217592A
Application filed by Livedevices Limited
Priority to AU2003251342A1
Priority to JP2005505568A (published as JP2005535269A)
Priority to EP03771157A (published as EP1532793A1)
Publication of WO2004012413A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/2854 Wide area networks, e.g. public data networks
    • H04L 12/2856 Access arrangements, e.g. Internet access
    • H04L 12/2858 Access network architectures
    • H04L 12/2859 Point-to-point connection between the data network and the subscribers
    • H04L 12/2869 Operational details of access network equipments
    • H04L 12/2898 Subscriber equipments
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H04L 61/256 NAT traversal
    • H04L 61/2567 NAT traversal for reachability, e.g. inquiring the address of a correspondent behind a NAT server
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L 63/12 Applying verification of the received information
    • H04M TELEPHONIC COMMUNICATION
    • H04M 7/00 Arrangements for interconnection between switching centres
    • H04M 7/006 Networks other than PSTN/ISDN providing telephone service, e.g. Voice over Internet Protocol (VoIP), including next generation networks with a packet-switched transport layer

Definitions

  • the present invention relates to methods and software for using asynchronous messaging systems, for example including (but not limited to) Global System for Mobile communication Short Message Service (GSM SMS), European Radio Message System (ERMES), or UDP sent over a Virtual Private Network, to allow Internet connected servers to initiate Internet communication with clients without the clients being subject to unsolicited network traffic or needing an always-on Internet connection.
  • GSM SMS Global System for Mobile communication Short Message Service
  • ERMES European Radio Message System
  • UDP sent over a Virtual Private Network
  • the present application uses the terms "host", "client" and "server" to refer to systems that communicate using the Internet.
  • the Internet is generally defined as a collection of data communication networks that use the TCP/IP suite of protocols, and is the communication infrastructure used by applications such as the World Wide Web ("the Web"), electronic mail ("e-mail") and File Transfer Protocol ("FTP").
  • a host is any system that can communicate using the Internet. Examples of hosts include, but are not limited to, computers, automotive systems, consumer electronic products, metering equipment and other embedded systems that contain microcontrollers or microprocessors.
  • a server is a host that offers a service that is accessed by communication over the Internet.
  • a server will typically, but not always, have an always-on Internet connection as discussed in more detail hereinbelow.
  • a client is a host that accesses the services of a server by communication over the Internet. Any individual host may be a client for some services and a server for others. In other words, a host may be a client and a server at the same time.
  • At present hosts can be connected to the Internet in two ways. The first is dial-up: this is where a host contains some device, such as a modem, that can, at the host's instigation, create a physical network connection (a means of carrying digital signals) to some similar device owned by an Internet Service Provider (ISP).
  • ISP Internet Service Provider
  • This ISP-owned device, such as another modem, is attached to a special kind of host, usually called a router, which is permanently connected to the Internet backbone (this being the permanently connected communications network that carries IP packets between ISPs).
  • the host and the router then run the TCP/IP protocol suite over their physical network connection.
  • the router forwards the host's IP packets to and from the rest of the Internet.
  • Dial-up connection is used for three principal reasons. Firstly, at present most physical network connections between a host and an ISP make use of a circuit switched infrastructure provided by a telephone company. This circuit switched infrastructure, which may be wired (telephone lines), fibre optic or wireless, was originally designed for voice telephony, and for two devices to be connected resources must be allocated to the connection for the duration of the connection. Consequently, the telephone companies usually charge for the duration of the connection rather than the amount of data that passes along it (in the same way they would for a voice call). For reasons of cost, therefore, a client usually only maintains a physical network connection to an ISP when it wishes to communicate with servers on the Internet.
  • Internet at any one time. This means that an ISP can support many more hosts with the same number of in-coming telephone lines and modems using temporary dial-up connections than if hosts were always connected to the ISP's routers. Dial-up therefore allows the ISP to charge less for its services.
  • a physical network connection must be established between the client and its ISP, as above. If the client is initiating the communication then it is straightforward for the client to establish this physical connection. Client initiated connection is the typical usage mode for dial-up connections. For example, when a Web browser is started on a PC, the PC will create a dial-up connection to an ISP.
  • If a server wishes to initiate communication with a client then the situation is more complicated. It would, in principle, be possible for an ISP to establish a physical network connection to a client when the ISP receives IP packets for the client from a server. This is not in general done because of charging issues.
  • When a client initiates communication and establishes a physical network connection to an ISP, it is clear that the client should pay for the connection. If a server wishes to communicate with the client then it is much harder to decide who should pay for the connection. If the communication relates to a service that the client wants then it would be correct for the ISP to pass on the connection charges to the client.
  • NAT Network Address Translation
  • an IP address is a 32 binary digit number.
  • the use of the binary digits within IP addresses is structured to reflect network topology and real-world organisations. As a consequence not all of the 2^32 possible IP addresses can be used and there are not enough public IP addresses for every host to have its own. ISPs overcome this problem using NAT.
  • When a host wishes to communicate with a host external to the ISP's own network, the ISP's router that forwards the internal host's IP packets onto the Internet backbone will replace the private source address in the IP packets with its own public IP address. The router will also remember that the internal host has sent IP packets to the external host. When the external host replies, it will send its IP packets to the ISP's router, since the IP packets it receives contain the router's public IP address as their source address. The ISP's router will realise that the IP packets are a reply to the internal host and will forward the packets to the internal host.
  • Hosts external to the ISP cannot directly communicate with hosts on the ISP's internal network because those hosts on the internal network do not have public IP addresses. Hosts external to the ISP can only communicate with the ISP's routers. NAT only works if a host (usually a client) internal to the ISP sends the first IP packets (for example, opening a TCP connection) of a communication so that a router can "learn" to translate between the host's private IP address and the router's public IP address (see Figure 1).
  • Firewalls are the second problem related to server initiated Internet communication.
  • a firewall is a device that restricts what IP packets are allowed to enter and leave an organisation's internal TCP/IP network.
  • a firewall will be configured to allow communication between a host in the organisation's internal network and a host external to the organisation's network if the first IP packets of the communication are sent by the internal host. This configuration is used to stop unsolicited IP packets being sent to hosts within the organisation.
  • IPv6 (RFC 2460; "Internet Protocol, Version 6 (IPv6)"; S. Deering, R. Hinden; December 1998)
  • Other new network technology such as GPRS and ADSL
  • NAT or firewalls for reasons including stopping malicious external hosts from sending unsolicited and unwanted IP packets to hosts inside the organisation. This is especially important with technologies like GPRS where hosts may have to pay for IP packets that they receive. Therefore, even in the presence of IPv6 and new network technologies that provide always-on connections, the problems of server initiated Internet communication identified above still exist.
  • VoIP Voice-over-Internet Protocol
  • PSTN Public Switched Telephone Network
  • the second device then connects to the Internet and establishes communication with the first device by transmitting an identifier known to the first device.
  • All of these prior art references rely on some form of non-Internet signalling to provoke a VoIP phone that is not normally connected to the Internet to dial in to the Internet through an ISP.
  • These VoIP systems take no account of the problems involved in communicating through NAT routers or firewalls or the like. Indeed, VoIP systems generally use H.323 or similar protocols that require firewalls to be at least partially disabled or opened, or extremely sophisticated proxies.
  • a method of initiating Internet communication between a client device and a server device, the client and server devices being separated from each other by a firewall or a Network Address Translation (NAT) router, wherein the server device is adapted to cause a message to be delivered to the client device by way of a communications protocol other than the Internet, thus bypassing the firewall or NAT router, and the client device, upon receipt of the message, initiates an Internet or the like connection to the server device through the firewall or NAT router.
  • a client device adapted to establish an Internet connection with a server device upon receipt of a message transmission which is initially triggered by the server, the message being received by the client by way of a communications protocol other than the Internet, wherein the client and server devices are separated from each other by a firewall or a Network Address Translation (NAT) router, and wherein the client device initiates the Internet or the like connection to the server device through the firewall or NAT router.
  • a server device adapted to cause a message to be transmitted to a client device by way of a communications protocol other than the Internet, wherein the client and server devices are separated from each other by a firewall or a Network Address Translation (NAT) router, and wherein the client device, upon receipt of the message, then initiates the Internet or the like connection to the server device through the firewall or NAT router.
  • a system comprising at least a client device and a server device, the client and server devices being separated from each other by a firewall or a Network Address Translation (NAT) router, wherein the server device is adapted to cause a message to be transmitted to the client device by way of a communications protocol other than the Internet, and wherein the client device is adapted, upon receipt of the message, to initiate an Internet or the like connection to the server device through the firewall or NAT router.
  • an authorisation portal device adapted, upon receipt of a signal from a predetermined server device, to transmit a message to a predetermined client device by way of a communications protocol other than the Internet, the client and server devices being separated from each other by a firewall or a Network Address Translation (NAT) router, wherein the client device initiates the Internet or the like connection to the server device through the firewall or NAT router upon receipt of the message.
  • Embodiments of the present invention may use an asynchronous messaging system such as, but not limited to, GSM SMS, the European Radio Message System (ERMES), RDS (Radio Data System), long wave (LW) radio or other modulated radio frequency (RF) signals, Trafficmaster® or UDP sent over a Virtual Private Network as the communications protocol other than the Internet.
  • the messaging system allows server initiated Internet communication for clients that have dial-up connections and/or that are subject to NAT or a firewall - that is, it simulates an always-on connection that is not subject to NAT or a firewall.
  • a key feature is that it is the client device that initiates the Internet or the like connection (e.g.
  • the message may be transmitted by an "authorisation portal" to signal to a client when the client is not currently connected to the Internet or the client cannot be sent an IP packet by a host external to the client's organisation.
  • An authorisation portal is a device (for example, but not limited to, a computer or a network router) that has permission to signal a client to establish a connection to the Internet.
  • An authorisation portal may signal to a client at any time by sending a message to the client using, for example, an asynchronous messaging system as defined hereinbefore.
  • the authorisation portal may send SMS messages by using, amongst other methods, a GSM modem or an SMS Service Centre.
  • the client may receive SMS messages by using, amongst other methods, a GSM modem.
  • a means for a client to determine that a message sent using an asynchronous message system has been sent by a trusted authorisation portal is provided.
  • When the authorisation portal sends a signal to the client it sends to the client an asynchronous messaging system message that may include, but is not limited to, an identity of the client, an identity of the portal and a non-repeating value (for example a date and/or time, a value generated by a hardware counter or clock, a random number, a nonce or the like).
  • the authorisation portal may attach a digital signature of the message to a main body of the message.
  • On receiving the message, the client may check that the client identity contained in the message is its own, that the authorisation portal identity contained in the message identifies an authorisation portal that it trusts, that it has not seen the non-repeating value before, and that the digital signature attached to the message is correct. If any of these checks fail, the message may be discarded.
  • a digital signature can be generated by a first party applying a special mathematical function to the data to be signed.
  • the output of the function is the signature.
  • the function is such that by examining the data and the signature a second party can be certain that the data has not been changed since the signature was generated and that the first party, and only the first party, generated the signature.
  • Many different digital signature functions are possible.
  • the present invention does not rely on any particular function. Two alternatives are presented here as examples. Any other function with the properties just described could also be used.
  • Example 1 A one-way-function with a shared secret
  • some data called a "shared secret", whose value is known only to the client and the trusted authorisation portal, is stored by the client in a memory device contained in or attached to the client and by the authorisation portal in a memory device contained in or attached to the authorisation portal.
  • the authorisation portal generates a digital signature by applying a one-way-function to the message and the shared secret. For example, where F is the one-way-function, S is the shared secret and M is the message, the signature will be F(M,S).
  • the client regenerates the signature by applying the same one-way-function to the message and its copy of the shared secret. If the signature that the client generates does not match the signature attached to the message then the message is discarded.
  • a one-way-function is a mathematical function that takes an input X and produces an output Y.
  • One-way-functions have the property that the input X cannot be derived from the output Y. Since the shared secret, which is known only to the client and the authorisation portal, is included in the input to the one-way-function, only the client and authorisation portal can generate the signature by means other than guessing.
  • a one-way-function that has many possible output values is used to help prevent an attacker guessing the signature for a message that it has created. Since the input of the one-way-function cannot be derived from the output, an attacker cannot deduce the shared secret if the attacker captures a message and its signature.
  • Suitable one-way-functions include, but are not limited to, MD5 (Message Digest 5 algorithm), SHA-1 (US Secure Hash Algorithm 1), HMAC-MD5 (Keyed-Hashing for Message Authentication MD5) or HMAC-SHA (Keyed-Hashing for Message Authentication SHA-1).
  • MD5 Message Digest 5 algorithm
  • SHA-1 US Secure Hash Algorithm 1
  • HMAC-MD5 Keyed-Hashing for Message Authentication MD5
  • HMAC-SHA Keyed-Hashing for Message Authentication SHA-1
  • Some data called a "private key", whose value is known only to the trusted authorisation portal, is stored by the authorisation portal in a memory device contained in or attached to the authorisation portal.
  • some data called a "public key" that is related to the private key in a special way, is stored by the client in a memory device contained in or attached to the client.
  • the authorisation portal generates a digital signature by first applying a compression function to the message and then encrypting the output of the compression function using a public-key encryption algorithm keyed with the private key.
  • On receiving the message, the client decrypts the signature using the corresponding public-key decryption algorithm keyed with the public key. The client then applies the same compression function to its copy of the message and checks that the output of the compression function is the same as the decrypted signature. If the output of the compression function is not the same as the decrypted signature then the message is discarded.
  • Public-key cryptography uses an encryption algorithm and a decryption algorithm and two related keys called the private key and the public key.
  • the algorithms and keys are such that some data encrypted with the private key can only be decrypted with the public key. Likewise, some data encrypted with the public key can only be decrypted with the private key.
  • Suitable public-key encryption schemes include, but are not limited to, RSA (Rivest-Shamir-Adleman).
  • a compression function is a mathematical function that takes an input X and produces an output Y.
  • Compression functions have the property that Y usually requires fewer binary digits to represent than X, but that it is very difficult to predict Y from X other than by applying the function to X.
  • Suitable compression functions include, but are not limited to, MD5 and SHA-1.
  • Embodiments of the present invention allow the client to ensure that an asynchronous messaging system message was sent to it by an authorisation portal that it trusts and that the message has not been changed after it was sent.
  • the presence of the nonrepeating value allows the client to detect and discard old messages that the client has previously received. Such messages may have been replayed accidentally by an authorisation portal or deliberately by an attacker.
  • Suitable non-repeating values include, but are not limited to, a date and/or time, a value generated by a hardware counter or clock, a random number, a nonce or the like.
  • Embodiments of the present invention may provide a means for a trusted authorisation portal to signal to a client that the client should establish TCP/IP communication with a particular server, if necessary establishing a dial-up connection to the Internet first.
  • TCP/IP communication is used to mean any communication mechanism that uses the TCP/IP protocol suite. This includes, but is not limited to, TCP and UDP packet exchanges.
  • An authorisation portal may signal to the client to establish TCP/IP communication with the particular server.
  • the asynchronous message used to send the signal includes, explicitly or implicitly, the identity of the particular server.
  • On receipt of the message the client performs a check to ensure that the message was sent by a trusted authorisation portal. If the message was sent by a trusted authorisation portal then the client may respond as follows: 1. If the client does not already have a connection to the Internet it establishes a dial-up connection to its ISP.
  • 2. The client establishes TCP/IP communication with the server identified explicitly or implicitly by the message. Since the TCP/IP communication is established by the client, that is, the first IP packet(s) is (are) sent by the client, the TCP/IP communication will operate correctly when the client's ISP is using Network Address Translation (NAT) or the organisation containing the client is using a firewall. (TCP/IP communication is established by means including, but not limited to, opening a TCP connection or sending a UDP packet.)
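  • The signed message of Example 1 (signature F(M,S) over the message and a shared secret), the client's four checks and its two-step response, as an added worked example in Python; this is not code from the patent or from Livedevices. HMAC-SHA-256 stands in for the HMAC-SHA-1 the text lists, and the client identifier, portal identity, server name and secret are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this example; none come from the patent.
SHARED_SECRET = b"example-shared-secret-provisioned-in-device-memory"
CLIENT_ID = "VEHICLE-AB12CDE"          # hypothetical client identifier (e.g. a vehicle registration)
PORTAL_ID = "portal.example"           # hypothetical authorisation portal identity
SERVER = "telematics.example:443"      # hypothetical server the client should contact
FIELD_SEP = "|"


def sign(body: str, secret: bytes) -> str:
    """F(M, S): a keyed one-way function (HMAC-SHA-256) over the message body."""
    return hmac.new(secret, body.encode("utf-8"), hashlib.sha256).hexdigest()


def build_message(client_id: str, portal_id: str, server: str, nonce: str,
                  secret: bytes) -> str:
    """Portal side: body = client|portal|nonce|server, signature appended as a fifth field."""
    fields = [client_id, portal_id, nonce, server]
    if any(FIELD_SEP in f for f in fields):
        raise ValueError("field must not contain the separator")
    body = FIELD_SEP.join(fields)
    return body + FIELD_SEP + sign(body, secret)


class Client:
    """Client side: verify the asynchronous message, then decide what to do."""

    def __init__(self, client_id: str, secret: bytes, trusted_portals):
        self.client_id = client_id
        self.secret = secret
        self.trusted_portals = set(trusted_portals)
        self.seen_nonces = set()   # non-repeating values already accepted (replay cache)

    def verify(self, text: str):
        """Return (ok, reason, server).

        The signature is checked before anything is recorded, so an unsigned or
        forged message cannot pollute the replay cache; the nonce is only
        remembered once every other check has passed.
        """
        parts = text.split(FIELD_SEP)
        if len(parts) != 5:
            return False, "malformed", None
        client_id, portal_id, nonce, server, sig = parts
        body = FIELD_SEP.join(parts[:4])
        expected = sign(body, self.secret).encode("ascii")
        if not hmac.compare_digest(expected, sig.encode("utf-8")):
            return False, "bad signature", None
        if client_id != self.client_id:
            return False, "not addressed to this client", None
        if portal_id not in self.trusted_portals:
            return False, "untrusted portal", None
        if nonce in self.seen_nonces:
            return False, "replay", None
        self.seen_nonces.add(nonce)
        return True, "ok", server

    def handle(self, text: str, connected: bool = False):
        """Return the actions the client takes; no sockets are opened in this example."""
        ok, reason, server = self.verify(text)
        if not ok:
            return ["discard: " + reason]
        actions = []
        if not connected:
            actions.append("dial-up ISP")        # step 1: obtain an Internet connection
        actions.append("connect " + server)      # step 2: the client sends the first packet,
        return actions                           # so NAT and the firewall see outbound traffic


if __name__ == "__main__":
    client = Client(CLIENT_ID, SHARED_SECRET, [PORTAL_ID])
    msg = build_message(CLIENT_ID, PORTAL_ID, SERVER, secrets.token_hex(8), SHARED_SECRET)
    print(msg)
    print(client.handle(msg))            # ['dial-up ISP', 'connect telematics.example:443']
    print(client.handle(msg))            # ['discard: replay']
```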
  • Embodiments of the present invention may provide a means for a trusted server to send a request to a trusted authorisation portal in such a way that the authorisation portal can be sure of the server's identity.
  • the server may use a secure Internet communications protocol such as, but not limited to, SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to communicate with the authorisation portal.
  • SSL Secure Sockets Layer
  • TLS Transport Layer Security
  • Such secure Internet protocols use means such as, but not limited to, "digital certificates" to prove the identity of the authorisation portal to the server. Examples of digital certificates include, but are not limited to, X.509 (directory authorisation framework) certificates.
  • the server may then use a means such as, but not limited to, its own digital certificate or secret password to prove its identity to the authorisation portal. Once the server and portal are sure of each other's identity, the authorisation portal will accept requests from the server sent over the secure Internet communication protocol.
  • Some embodiments of the present invention may, by some means including, but not limited to, manual configuration, allow an owner (i.e. a human or machine entity that is authorised to manage the activities of a client) of a client to inform an authorisation portal trusted by the client that a particular server is permitted to signal to the client as hereinbefore described.
  • the authorisation portal will only signal to the client in response to a request from the particular server if the owner of the client has so informed the authorisation portal.
  • control information may be included in an asynchronous message sent by an authorisation portal to a client.
  • This control information includes, but is not limited to, the priority with which the client should act on the message and the reason why the server wishes to communicate with the client (see Figure 3).
  • the control information may alternatively or additionally include one or more commands in addition to a simple instruction to establish an Internet connection.
  • the control information may instruct the client to establish an Internet connection with the server and automatically to transfer predetermined data such as a status report or a data log or the like.
  • a server can initiate Internet communication with a client even if the client does not have an always-on Internet connection, or the client is subject to Network Address Translation (NAT), or the client is part of an organisation that uses a firewall to stop hosts that are external to the organisation from sending unsolicited IP packets to hosts that are within the organisation.
  • server initiated Internet communication is possible in the presence of NAT, embodiments of the present invention allow server initiated Internet communication without clients needing public IP addresses.
  • server initiated Internet communication is possible in 4) above without the need for clients to have public IP addresses
  • embodiments of the present invention allow server initiated Internet communication without the need to adopt IPv6 (Internet Protocol version 6) to overcome the shortage of IPv4 (Internet Protocol version 4) addresses.
  • FIGURE 1 shows a conventional client-server architecture with dial-up Internet connections
  • FIGURE 2 shows a conventional client-server architecture implementing a firewall
  • FIGURE 3 shows a client-server architecture embodying the present invention
  • FIGURE 4 illustrates trust relationships between an end user, an embedded device, a server and an authorisation portal in accordance with an embodiment of the present invention.
  • Figure 1 shows a conventional architecture comprising two client devices 1, 2 (each of which may, for example, be an embedded device) that are each connectable to an ISP 3 by way of dial-up connections 4, 4'.
  • the ISP 3 uses NAT, which means that each client 1, 2 has a private IP address known to and used by only the ISP 3 dedicated to the clients 1, 2.
  • the ISP 3 has a public IP address that enables it to communicate directly with other servers 6 or the like over the public Internet backbone 5, in this example by way of always-on connections 7, 8. Where a client 2, for example, needs to communicate with the remote server 6, it must first establish a dial-up connection 4' to the ISP 3.
  • the client 2 then transmits at least one IP packet including its private IP address and the public IP address of the remote server 6, the IP packet being sent initially to the ISP 3.
  • the ISP 3 notes the private IP address of the client 2 that sent the IP packet and translates this by way of NAT into its own public IP address before relaying the IP packet to the remote server 6 by way of the Internet backbone 5.
  • a response from the remote server 6 may then be sent over the Internet backbone 5 to the client 2 by way of a response IP packet addressed to the public IP address of the ISP 3.
  • the ISP 3, by using NAT, is able to determine from data included in the response IP packet that the IP packet is intended for the client 2, and will translate the public IP address information in the response IP packet to the private IP address of the client 2 before relaying the response IP packet over the dial-up connection 4'. It will be appreciated that it is not possible in this conventional architecture for a remote server 6 to initiate communication with a particular client 1, 2, since the private IP addresses of the clients 1, 2 are not known to the remote server 6.
  • Figure 2 shows an alternative conventional architecture comprising clients 10, 11, 12 and 13 which are connected together as part of a private TCP/IP network 14 (for example a LAN or WAN operated by a particular company or organisation).
  • The private TCP/IP network 14 is provided with a firewall device 15 through which it may communicate with the outside world by way of the Internet backbone 5.
  • In this example the firewall 15 is also configured as an ISP, although the firewall 15 may alternatively connect to the Internet backbone by way of a separate or remote ISP 3 as shown in Figure 1.
  • A remote server 6 is provided with an always-on connection 8, as in Figure 1.
  • The firewall 15 is configured so as to allow communication between a client 10 internal to the private TCP/IP network 14 and the remote server 6 only if the first IP packets of the communication are sent by the internal client 10, thereby preventing unsolicited IP packets from outside being delivered to a client 10 within the private network 14.
  • Figure 3 shows an architecture in accordance with an embodiment of the present invention.
  • A client device 20 may communicate over the Internet backbone 5 with a remote server 6 by way of a NAT router and/or a firewall 21.
  • The client 20 may have a dial-up or always-on connection 22 to the NAT router/firewall 21, which in turn has a dial-up or always-on connection 23 to the Internet backbone 5.
  • The server 6 is provided with an always-on connection 8 to the Internet backbone 5.
  • Also provided is an authorisation portal 24 having an always-on connection 25 to the Internet backbone 5.
  • When the remote server 6 wishes to establish communication with the client 20, it sends an "initiate communication" signal to the authorisation portal 24 by way of the Internet backbone 5.
  • The "initiate communication" signal generally includes information identifying the particular client 20 that is to establish communication with the server 6.
  • The client 20 has some form of unique identifier, and the authorisation portal 24 keeps a database mapping the identifiers of the various clients 20 to whatever address is needed for an appropriate asynchronous messaging protocol 26.
  • The type of client 20 identifier may be whatever is most suited to the application. For example, where the clients 20 are embedded devices in motor vehicles and the asynchronous messaging protocol 26 is GSM SMS, an appropriate client identifier could be the registration number or Vehicle Identification Number (VIN) of each motor vehicle.
  • The messaging address may then be the telephone number of a GSM modem located in the motor vehicle and associated with the embedded client 20.
  • The server 6 may then send a message along the lines of "I want to communicate with the embedded client in the motor vehicle with registration number X123 ABC" to the authorisation portal 24 by way of the Internet backbone 5.
  • The authorisation portal 24 looks up registration number "X123 ABC" in its database to find a telephone number (e.g. "07776 123 456") for the GSM modem associated with the embedded client 20 in the motor vehicle in question.
  • The authorisation portal 24 then sends an SMS message to the GSM modem with number "07776 123 456" associated with the client 20 by way of the asynchronous messaging protocol 26.
  • The client 20 receives the message from the authorisation portal 24, checks that the message has come via a predetermined authorisation portal 24 trusted by the client 20 (and optionally that the message originated from a remote server 6 also trusted by the client 20 and/or the authorisation portal 24), and then acts on the message, for example by establishing TCP/IP communication with the remote server 6 by way of the NAT router/firewall 21 and the Internet backbone 5. It is important to appreciate that, in this example, it is not necessary for the server 6 to know either the messaging address or the private IP address of the client 20; indeed, NAT effectively prevents the server 6 from ever learning the private IP address of a client 20.
  • Figure 4 illustrates the various trust relationships required in embodiments of the present invention.
  • An end user 30 owns and implicitly trusts a client device 20, and also trusts applications running on a predetermined remote server 6.
  • The client 20 in turn trusts a predetermined authorisation portal 24, as does the remote server 6.
  • When the server 6 wishes to communicate with the client 20, it must first establish mutual authentication with the authorisation portal 24, followed by transmission to the authorisation portal 24 (by way of the Internet backbone 5) of a client "wake-up request".
  • The authorisation portal 24 then sends an asynchronous notification message to the client 20, the message containing a cryptographic digital signature or the like that allows the client 20 to authenticate the authorisation portal 24 and/or the remote server 6.
  • The client 20 is then able to establish a connection to the remote server 6 by way of the Internet backbone 5.
  • the preferred features of the invention are applicable to all aspects of the invention and may be used in any possible combination.
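
The wake-up flow of Figures 3 and 4 (server 6 authenticates to portal 24, portal looks up the client's messaging address and sends an authenticated SMS, client 20 verifies it and dials out) as an added worked example. This is illustrative code written for this page, not code from the patent or from Livedevices. It assumes HMAC-SHA256 under pre-shared keys in place of the patent's "cryptographic digital signature or the like", a constructed pipe-separated SMS format, constructed keys, and an assumed server endpoint (server6.example.net:443); the registration number and GSM number are the ones in the text.

```python
"""Toy model of the authorisation-portal wake-up flow: server -> portal -> SMS -> client -> server.

Constructed example. Keys, message format and the server endpoint are assumptions,
not taken from the patent.
"""
import base64
import hashlib
import hmac
import json
import secrets

SMS_MAX_LEN = 160  # single-part GSM SMS; the wake-up must fit in one message


def _mac(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag as unpadded url-safe base64 (43 characters, no '|')."""
    return base64.urlsafe_b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode().rstrip("=")


class Server:
    """Remote server 6. Holds a secret shared with the portal (assumed to be provisioned out of band)."""

    def __init__(self, name: str, endpoint: str, portal_key: bytes):
        self.name, self.endpoint, self.portal_key = name, endpoint, portal_key

    def wake_up_request(self, client_id: str) -> tuple[str, str]:
        """Build the 'initiate communication' message and a MAC that authenticates it to the portal."""
        body = {"server": self.name, "client": client_id,
                "endpoint": self.endpoint, "nonce": secrets.token_hex(6)}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return payload, _mac(self.portal_key, payload.encode())


class AuthorisationPortal:
    """Authorisation portal 24: authenticates servers, maps client identifiers to GSM numbers, signs wake-ups."""

    def __init__(self, registry: dict, server_keys: dict, client_keys: dict):
        self.registry, self.server_keys, self.client_keys = registry, server_keys, client_keys

    def handle_wake_up(self, payload: str, tag: str, now: int) -> tuple[str, str]:
        body = json.loads(payload)
        key = self.server_keys.get(body.get("server"))
        # Authenticate the requesting server before consulting the client database.
        if key is None or not hmac.compare_digest(_mac(key, payload.encode()), tag):
            raise PermissionError("wake-up request is not from a trusted server")
        client_id = body["client"]
        number = self.registry[client_id]  # KeyError for an unknown client identifier
        # The SMS carries the server name and endpoint, a timestamp for freshness, the
        # server's nonce for replay detection, and a MAC under the per-client key.
        msg = f"WAKE|{body['server']}|{body['endpoint']}|{now}|{body['nonce']}"
        sms = f"{msg}|{_mac(self.client_keys[client_id], msg.encode())}"
        if len(sms) > SMS_MAX_LEN:
            raise ValueError("wake-up does not fit in one SMS")
        return number, sms


class Client:
    """Embedded client 20. Trusts one portal key and a fixed list of server names."""

    def __init__(self, portal_key: bytes, trusted_servers: set, max_age: int = 300):
        self.portal_key, self.trusted_servers, self.max_age = portal_key, trusted_servers, max_age
        self.seen_nonces: set = set()

    def on_sms(self, sms: str, now: int):
        """Return the endpoint to dial out to, or None if the message must be ignored.

        The originating GSM number is deliberately not consulted: sender IDs are spoofable,
        so the MAC under the portal key is the only evidence that the portal sent this.
        """
        msg, _, tag = sms.rpartition("|")
        if not hmac.compare_digest(_mac(self.portal_key, msg.encode()), tag):
            return None  # not from our portal, or tampered in transit
        fields = msg.split("|")
        if len(fields) != 5 or fields[0] != "WAKE":
            return None
        _, server, endpoint, ts, nonce = fields
        if abs(now - int(ts)) > self.max_age or nonce in self.seen_nonces:
            return None  # stale or replayed
        if server not in self.trusted_servers:
            return None  # the portal is trusted, but this server is not
        self.seen_nonces.add(nonce)
        # A real client would now open an outbound TCP/TLS connection through the NAT
        # router/firewall 21; outbound is the only direction NAT and the firewall allow.
        return endpoint


def run_flow(now: int = 1_700_000_000):
    """Wire the three parties together with constructed keys and run one wake-up."""
    server_key = b"constructed-secret-server6-portal24"
    client_key = b"constructed-secret-client20-portal24"
    server = Server("server6", "server6.example.net:443", server_key)
    portal = AuthorisationPortal(
        registry={"X123 ABC": "07776 123 456"},  # registration number -> GSM modem number
        server_keys={"server6": server_key},
        client_keys={"X123 ABC": client_key},
    )
    client = Client(client_key, trusted_servers={"server6"})
    payload, tag = server.wake_up_request("X123 ABC")
    number, sms = portal.handle_wake_up(payload, tag, now)
    return number, sms, client, client.on_sms(sms, now)


if __name__ == "__main__":
    number, sms, _, endpoint = run_flow()
    print(f"SMS to {number}: {sms}")
    print("client dials out to", endpoint)
```

The design follows the trust relationships of Figure 4: the portal authenticates the server before it touches the identifier-to-number database, and the client accepts a wake-up only from its pre-configured portal and only for a server on its own trust list. The SMS is a trigger, not a channel: it carries no secrets, and confidentiality and server authentication for the actual session still belong to the outbound TLS connection the client opens afterwards.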

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a method and system for enabling authorised, server-initiated Internet communication between a client device and a server device by means of an authorisation portal. When the server wishes to initiate Internet communication with a particular client, it sends an Internet message to the authorisation portal. The authorisation portal then forwards the message to the client device by way of a non-Internet communication protocol, for example SMS. On receiving the message, the client establishes an Internet connection to the server. A server can thus initiate Internet communication with a client despite the presence of NAT, firewalls or the like that would otherwise prevent server-initiated communication.
PCT/GB2003/003184 2002-07-30 2003-07-28 Authorised server-initiated communication in the presence of a network address translator (NAT) or firewalls WO2004012413A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU2003251342A AU2003251342A1 (en) 2002-07-30 2003-07-28 Served initiated authorised communication in the presence of network address translator (nat) or firewalls
JP2005505568A JP2005535269A (ja) 2002-07-30 2003-07-28 Communication initiation method, system, authorisation portal, client device and server device
EP03771157A EP1532793A1 (fr) 2002-07-30 2003-07-28 Authorised server-initiated communication in the presence of a network address translator (NAT) or firewalls

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
GB0217592A GB2391436B (en) 2002-07-30 2002-07-30 Server initiated internet communication
GB0217592.5 2002-07-30
US10/214,378 2002-08-06
US10/214,378 US20040024882A1 (en) 2002-07-30 2002-08-06 Enabling authorised-server initiated internet communication in the presence of network address translation (NAT) and firewalls

Publications (1)

Publication Number Publication Date
WO2004012413A1 true WO2004012413A1 (fr) 2004-02-05

Family

ID=31189612

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2003/003184 WO2004012413A1 (fr) 2002-07-30 2003-07-28 Authorised server-initiated communication in the presence of a network address translator (NAT) or firewalls

Country Status (4)

Country Link
EP (1) EP1532793A1 (fr)
JP (1) JP2005535269A (fr)
AU (1) AU2003251342A1 (fr)
WO (1) WO2004012413A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1894384A2 (fr) * 2005-06-23 2008-03-05 Nokia Corporation System, terminal, method and computer program product for establishing a transport-level connection with a server located behind a network address translator and/or a firewall
CN1707997B (zh) * 2004-06-11 2010-04-21 宏碁股份有限公司 Client-server architecture using the HTTPS protocol, and method thereof
WO2011120864A1 (fr) 2010-03-30 2011-10-06 Schneider Electric Industries Sas Method and system for communication between a piece of equipment and a server

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7656870B2 (en) * 2004-06-29 2010-02-02 Damaka, Inc. System and method for peer-to-peer hybrid communications
JP4859930B2 (ja) * 2006-10-24 2012-01-25 パイオニア株式会社 Communication system, communication method, communication program and recording medium
BR112018007055A2 (pt) * 2015-10-13 2018-10-23 Sony Corporation Information processing device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999012365A1 (fr) * 1997-08-29 1999-03-11 Telia Ab (Publ) Communication system comprising means for transmitting Internet addresses via a short message service
EP1128627A1 (fr) * 2000-02-21 2001-08-29 International Business Machines Corporation Apparatus and method for establishing communications in a computer network
EP1161055A2 (fr) * 2000-02-29 2001-12-05 International Business Machines Corporation Method and system for associating devices to secure commercial transactions performed over the Internet
US20020129165A1 (en) * 2001-03-12 2002-09-12 Dingsor Andrew D. Network address translation and port mapping

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1707997B (zh) * 2004-06-11 2010-04-21 宏碁股份有限公司 Client-server architecture using the HTTPS protocol, and method thereof
EP1894384A2 (fr) * 2005-06-23 2008-03-05 Nokia Corporation System, terminal, method and computer program product for establishing a transport-level connection with a server located behind a network address translator and/or a firewall
EP1894384A4 (fr) * 2005-06-23 2012-10-10 Nokia Corp System, terminal, method and computer program product for establishing a transport-level connection with a server located behind a network address translator and/or a firewall
WO2011120864A1 (fr) 2010-03-30 2011-10-06 Schneider Electric Industries Sas Method and system for communication between a piece of equipment and a server
FR2958484A1 (fr) * 2010-03-30 2011-10-07 Idkaya Sarl Method and system for communication between a piece of equipment and a server

Also Published As

Publication number Publication date
EP1532793A1 (fr) 2005-05-25
AU2003251342A1 (en) 2004-02-16
JP2005535269A (ja) 2005-11-17

Similar Documents

Publication Publication Date Title
Kaufman et al. Internet key exchange protocol version 2 (IKEv2)
US20040024882A1 (en) Enabling authorised-server initiated internet communication in the presence of network address translation (NAT) and firewalls
Calhoun et al. Diameter base protocol
Patel et al. Securing L2TP using IPsec
US7949785B2 (en) Secure virtual community network system
US8364772B1 (en) System, device and method for dynamically securing instant messages
US7680878B2 (en) Apparatus, method and computer software products for controlling a home terminal
JP3343064B2 (ja) Pseudo network adapter for capturing, encapsulating and encrypting frames
US20040249973A1 (en) Group agent
US20040249974A1 (en) Secure virtual address realm
US20060072569A1 (en) Network address translation protocol for transmission control protocol connections
US20070271453A1 (en) Identity based flow control of IP traffic
Geneiatakis et al. SIP Security Mechanisms: A state-of-the-art review
EP1036460A2 (fr) Procede d'authentification de paquets en presence de traductions d'adresses reseau et de conversions de protocole
JP4394701B2 (ja) Method and apparatus for hiding network topology
US20070036110A1 (en) Access control of mobile equipment to an IP communication network with dynamic modification of the access policies
Nowaczewski et al. Securing Future Internet and 5G using Customer Edge Switching using DNSCrypt and DNSSEC.
Aboba et al. Securing block storage protocols over ip
US20040243837A1 (en) Process and communication equipment for encrypting e-mail traffic between mail domains of the internet
Richardson et al. Opportunistic encryption using the internet key exchange (ike)
Eronen et al. IKEv2 clarifications and implementation guidelines
WO2004012413A1 (fr) Authorised server-initiated communication in the presence of a network address translator (NAT) or firewalls
JP2007334753A (ja) Access management system and method
JP4003634B2 (ja) Information processing apparatus
US7237263B1 (en) Remote management of properties, such as properties for establishing a virtual private network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
REEP Request for entry into the european phase

Ref document number: 2003771157

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2003771157

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2005505568

Country of ref document: JP

WWP Wipo information: published in national office

Ref document number: 2003771157

Country of ref document: EP