WO2009083737A2 - Establishing a connection to a network device - Google Patents


Publication number: WO2009083737A2
Authority: WO (WIPO, PCT)
Prior art keywords: connection, network, establish, protocol, access
Application number: PCT/GB2008/051230
Other languages: French (fr)
Other versions: WO2009083737A3 (en)
Inventors: Alistair Massarella, Thomas Playford
Original assignee: Crfs Limited

Classifications

All classifications fall under H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication, except the last, which falls under H04W Wireless communication networks.

    • H04L12/5691 Access to open networks; Ingress point selection, e.g. ISP selection (H04L12/00 Data switching networks > H04L12/54 Store-and-forward switching systems > H04L12/56 Packet switching systems)
    • H04L12/5692 Selection among different networks
    • H04L41/08 Configuration management of networks or network elements (H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L47/70 Admission control; Resource allocation (H04L47/00 Traffic control in data switching networks)
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general (H04L63/00 Network architectures or network communication protocols for network security)
    • H04L69/18 Multiprotocol handlers, e.g. single devices capable of handling multiple protocols (H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
    • H04W48/18 Selecting a network or a communication service (H04W48/00 Access restriction; Network selection; Access point selection)

Definitions

  • the present invention relates to a device for and a method of establishing a connection to a network device.
  • the Internet is an interconnected system of networks connecting computers around the world.
  • a computer can access the Internet via a local area network, such as a wireless local area network (WLAN).
  • a user attaches their device to a network, for example via an Ethernet link to a router or wireless link to an access point, and configures their device, for example by assigning an Internet address.
  • the computer establishes a connection to the server for requesting a web page.
  • Configuring the computer usually requires prior knowledge of the network and/or information about the network so as to register the device. This can limit the ability of computers to be "dropped" into any network environment. Also, it can take a considerable amount of time to configure several computers.
  • US-A-6012088 describes an automatic configuration process to handle the task of configuring an Internet access device at a customer site.
  • the customer enters a registration identification number and a telephone number onto the device, which initially connects to the Internet over a standard analogue telephone line in order to download configuration data.
  • although this process can help facilitate setting up the device, it has several disadvantages.
  • the process uses a specific type of connectivity to set up the device, namely a dial-up service, which may not always be available.
  • the present invention seeks to provide a method of and device for establishing a connection to a network device.
  • a device configured to attempt, in a predefined order and until a connection is established, to establish a connection to any one of a predetermined set of network devices using any one of a plurality of predetermined connection protocols via any one of a plurality of predetermined access networks including at least one access network about which the device has no prior network access information, the device configured to attempt to establish the connection via the access network before another access network.
  • the device may comprise controlling means configured to attempt, in a predefined order and until a connection is established, to establish a connection to any one of a predetermined set of network devices using any one of a plurality of predetermined connection protocols via any one of a plurality of predetermined access networks.
  • the device may comprise memory, at least one processor and a plurality of network interfaces, wherein the memory may be configured to store the predefined order in which connections should be attempted, the predetermined set of network devices, the plurality of predetermined connection protocols and the plurality of predetermined access networks, and the at least one processor may be configured to attempt to establish the connection using a network interface and to determine when the connection is established.
  • the device may be further configured to send a request to establish a connection to a network device using a connection protocol via an access network, determine whether a response is received from the network device indicating that the requested connection is establishable, in dependence on such a response being received, establish the requested connection and, in dependence on such a response not being received, abort the attempt to establish the connection to the network device using the connection protocol via the access network.
  • the connection may provide a channel for data transfer between the device and the network device.
  • the connection may be a tunnelled connection.
  • the connection may be a secure connection.
  • connection protocol may comprise information relating to a data link layer, a network layer, a transport layer, a session layer, a presentation layer and/or an application layer of a protocol stack. At least one of the plurality of predetermined connection protocols may specify a name of the network device. At least one of the plurality of predetermined connection protocols may specify an Internet protocol address of the network device.
  • the device may be further configured, according to the connection protocol, to send authentication information to the network device for authenticating the device.
  • the authentication information may comprise information identifying a public key and the private key corresponding to the public key may be a password-free private key.
  • the device may be further configured, according to the connection protocol, to receive authentication information from the network device for authenticating the network device.
  • the connection protocol may comprise a Secure Shell protocol.
  • At least one of the plurality of predetermined access networks may comprise a wireless local area network. At least one of the plurality of predetermined access networks may comprise a wired network. At least one of the plurality of predetermined access networks may comprise a mobile telecommunications system.
  • the device may be further configured to transmit sensor data to the network device using the connection.
  • the device may be further configured to receive control information from the network device using the connection.
  • the device may be configured to attempt to establish a connection to the network devices using one connection protocol and one access network, and, in response to failing to establish a connection to any of the network devices, to attempt to establish a connection to the network devices using another connection protocol and/or access network.
  • the device may be configured to attempt to establish a connection after the device is powered on or after a previously established connection is lost.
  • a system comprising at least one device and a network device cluster comprising at least one connection managing network device and at least one application network device.
  • the network device cluster may further comprise a round-robin name server.
  • the connection protocol of at least one of the at least one device may comprise an Internet protocol address of a network device and instructions instructing the device to establish a new connection to a different Internet protocol address of a different network device may be sent to the device using the connection.
  • a method of operating a device comprising attempting, in a predefined order and until a connection is established, to establish a connection to any one of a predetermined set of network devices using any one of a plurality of predetermined connection protocols via any one of a plurality of predetermined access networks including at least one access network about which the device has no prior network access information, and attempting to establish the connection via the access network before another access network.
  • the method may comprise sending a request to establish a connection to a network device using a connection protocol via an access network, determining whether a response is received from the network device indicating that the requested connection is establishable, in dependence on such a response being received, establishing the requested connection, and, in dependence on such a response not being received, aborting the attempt to establish the connection to the network device using the connection protocol via the access network.
  • the method may comprise establishing a tunnelled connection.
  • the method may comprise establishing a secure connection.
  • the method may further comprise specifying a name of the network device.
  • the method may further comprise specifying an Internet protocol address of the network device.
  • the method may further comprise sending authentication information to the network device for authenticating the device.
  • the method may further comprise receiving authentication information from the network device for authenticating the network device.
  • the method may further comprise connecting using a Secure Shell protocol.
  • the method may comprise attempting to establish a connection to the network devices using one connection protocol and one access network, and, in response to failing to establish a connection to any of the network devices, attempting to establish a connection to the network devices using another connection protocol and/or access network.
  • a computer program comprising instructions which, when executed by a processor, perform the method.
  • a computer-readable medium storing the computer program.
  • Figure 1 shows a system including nodes attempting to establish connections to application servers in accordance with the present invention
  • Figure 2 is a block diagram of a node in accordance with the present invention
  • Figure 3 is a flowchart illustrating a method by which a node attempts to establish a connection to a server in accordance with the present invention
  • Figure 4 illustrates a list of the order in which connections are attempted
  • Figure 5 illustrates a tunnelled connection between a node and a server
  • Figure 6 is a sequence flow diagram illustrating a method by which a node establishes a connection to a server using a Secure Shell protocol in accordance with the present invention.
  • a system 1 of devices 2 (hereinafter referred to as "nodes") connected to a cluster 3 of network devices via interconnected networks 4, 5, 6, 7 is shown.
  • the system 1 is a spectral monitoring system in which nodes 2 gather data about spectral power density across a range of frequencies, for example 1 Hz to 1 THz or part(s) thereof, using a sufficiently high sample rate to be able to provide detailed information about temporal events.
  • the nodes 2 process the raw spectral power data to reduce the amount of data for transmission and transmit the data to the cluster 3 so as to allow a position- and/or time-dependent map of frequency usage to be prepared. Such a map may be helpful for frequency planning and for regulatory purposes.
  • the nodes 2 may take the form of other types of sensing devices measuring, for example, air pollution, temperature, humidity and so forth.
  • the system 1 may be a distributed computing or communication system and the nodes 2 may take the form of computing devices.
  • the system 1 may also be used for environmental monitoring, civic and police monitoring, scientific surveying and security CCTV, for example.
  • a node 2 attempts to establish a connection to the cluster 3 regardless of the environment in which it finds itself so as to transmit and/or receive data, such as sensor data.
  • the nodes 2 may be deployed in an environment in which they may have access to one or more different access networks, for example an Ethernet network, a wireless access network or a mobile telecommunications system.
  • the set of networks may be topologically diverse, each network may be unreliable, and at least one of the networks may be a network about which the node 2 has no prior network access information.
  • Such a network may be referred to as "hostile" or "restrictive".
  • the nodes 2 can autonomously and automatically establish a connection to the cluster 3 regardless of the environment, resulting in no, or minimal, set-up requirements and more reliable communications.
  • the nodes 2 can be plugged into an Ethernet port or other form of wired port, or attempt some form of wireless access, and will attempt to establish a connection, thus facilitating establishment of a scaleable network of nodes 2, the number of which can run to tens or hundreds of thousands or millions. For example, a city may be provided with tens or hundreds of nodes.
  • establishing the connection may also involve authenticating both the node 2 and cluster 3, and the data transfer channel may also be encrypted, so that the connection is a secure connection and information cannot be intercepted by or falsely provided by third parties.
  • various access networks 5, 6, 7, each interconnected to the Internet 4, are shown, including a General Packet Radio Service (GPRS) access network 5, a wireless local area network 6, and a wired network 7.
  • a digital subscriber line access multiplexer 8 connected to the Internet 4 is also shown.
  • the system 1 may be differently configured and may include other forms of access network and other interconnecting networks.
  • the system 1 need not include one or more of the illustrated networks 4, 5, 6, 7, 8 or may include more access networks of the same or a different type.
  • Other access networks may be based on Bluetooth, Enhanced Data rates for GSM Evolution (EDGE), High-Speed Packet Access (HSPA) or satellite connections (not shown).
  • only one or two nodes 2 are shown connected to each access network 5, 6, 7.
  • the GPRS access network 5 includes a GPRS gateway 9, the wireless local area network 6 includes a WiFi access point 10, and the wired network 7 includes a firewall 11.
  • the access networks 5, 6, 7 need not include the components or elements shown in this example and may include other components, such as additional network infrastructure (not shown).
  • the components of the access networks 5, 6, 7 or any other access network components may restrict network traffic originating from the nodes 2 and/or originating from the Internet 4.
  • the WiFi Access Point 10 may have network address translation functionality.
  • the nodes 2 connected to the wireless local area network 6 may have private Internet protocol (IP) addresses and so may not be addressable from the Internet.
  • the GPRS gateway 9 may only route packets from external devices, such as servers, connected to the Internet 4 if the internal node 2 has previously sent a packet to the external device. Hence, external devices may not be able to initiate connections to internal nodes 2.
  • connection initiation requirements such as this are common and so it may be useful if nodes 2 initiate connections to the server rather than the traditional server-to-client approach.
  • firewall 11 may only allow packets to be transmitted that are directed to a standard Transmission Control Protocol (TCP) port used for web-browsing applications such as port 80.
  • the access network 5, 6, 7 may support quality of service (QoS) and may, for example, only agree on a traffic contract with a node 2 for a connection with a lower rather than a higher priority level.
  • the cluster 3 includes a round-robin Domain Name System (DNS) server 12 connected to the Internet 4 and one or more connection managing servers 13, each of which is connected to both the Internet 4 and to one or more application servers 14.
  • connection managing servers 13₁ and 13₂, each connected to three application servers (14₁, 14₂, 14₃ and 14₄, 14₅, 14₆ respectively), are shown.
  • the cluster 3 may include one or more than two connection managing servers 13, each of which may be connected to one, two or more than three application servers 14.
  • connection managing servers 13 and/or additional application servers 14 could be added to the system.
  • the system 1 is scaleable and the cluster 3 may include redundancy features such as additional connection managing servers 13 and/or application servers 14 that operate as-and-when required.
  • the cluster 3 is configured so that internal changes do not affect how a node 2 may establish a connection.
  • the function of a connection managing server 13 and an application server 14 may also be performed by a single network device.
  • the cluster 3 may be distributed, with components at different physical locations connected via a public network, such as the Internet 4, or a private network.
  • the node 2 need not attempt to establish a connection to a server in a cluster.
  • the server may stand alone.
  • the node 2 may attempt to establish a connection to another node 2.
  • the round-robin DNS server 12 responds to DNS requests to resolve a particular name, e.g., host name, by returning a variable list of one or more of the IP addresses of the connection managing servers 13 such that the "load" (i.e. the network traffic) is balanced between these servers.
  • the round-robin DNS server 12 may return an IP address of a first connection managing server 13₁ in response to a first DNS request, the IP address of a second connection managing server 13₂ in response to a second DNS request, and the IP address of the first connection managing server 13₁ in response to a third DNS request.
  • the cluster 3 does not need to include a round-robin DNS server, or there may be more than one round-robin DNS server.
  • load balancing techniques such as a technique employing a virtual server (not shown), may be used.
  • a second load balancing technique may also be provided for nodes 2 that are not able to connect to a DNS server. The technique may involve a connection managing server 13 instructing a node 2 to reconnect to a different IP address of a different server, with the address being changed for each incoming request.
  • the node 2 includes at least one processor 15, random access memory 16, Flash memory 17, electrically erasable programmable read-only memory (EEPROM) 18, first 19 and second 20 field-programmable gate arrays (FPGAs) and at least two network interfaces.
  • the node 2 includes an Ethernet interface 21, at least one public land mobile network (PLMN) interface 22 and a WiFi interface 23.
  • the at least one PLMN interface 22 may comprise a GPRS interface and/or an EDGE interface and/or an HSPA interface.
  • the node 2 may include sensors or sensing devices, such as an acceleration sensor 24, a magnetic field sensor 25, a temperature sensor 26, a GPS receiver 27, a webcam 28 and a first analogue-to-digital converter (ADC) 29.
  • the processor(s) 15, memory 16, 17, 18, FPGAs 19, 20, interfaces 21, 22, 23 and sensors 24, 25, 26, 27, 28, 29 are operatively connected via general purpose input/output (GPIO) devices 30, 31 and/or USB interface(s) 32 and/or a controller area network (CAN) bus 33 and/or other types of buses.
  • a clock 34 is operatively connected to the processor(s) 15 and the FPGAs 19, 20.
  • the clock 34 is also operatively connected to the GPS receiver 27 for receiving a pulse per second (PPS) timing signal.
  • the first FPGA 19 is also coupled to dedicated random access memory 16₂.
  • a removable storage device 35 may also be connected via the USB interface 32. Electrical power may be supplied via various means including power over Ethernet, a battery or a DC power source, and is conditioned by a power conditioner 36. Nodes 2 may also obtain power from their environment using, for example, a solar cell and may also be programmed to only operate for short periods, such as one or more minutes per day or per week, and to sleep during the intervening periods.
  • components such as one or both of the FPGAs 19, 20 may be omitted, or other components may be added, such as a display or keypad, according to the purpose of the node. It will also be appreciated that some components may be duplicated. For example, there may be more than one temperature sensor 26, one of which is used for external monitoring and one of which is used for internal monitoring. There may also be additional components and/or other, different types of storage, memory, network interfaces, sensors 37, or means for operatively connecting these components (not shown). For example, a programmable interrupt controller may be used instead of the second FPGA, and the GPIO device connected to the second FPGA may be replaced by a serial peripheral interface bus.
  • Nodes 2 intended to form part of the system 1 may be provided with at least one interface to a pervasive access network through which the node has a high chance of establishing a connection.
  • examples of a pervasive access network include a GPRS network and a satellite communication network.
  • Nodes 2 may also be configured so that a local user can connect to the node 2, for example, by connecting a laptop computer directly to the node 2 via Ethernet interface 21 or USB interface 32.
  • the local user can communicate with a node 2 that may not be connected to a server 13, for example, to retrieve stored sensor data or diagnostic information or to transmit control information.
  • the node 2 also includes an antenna 38, operatively connected to a radio-frequency-to-intermediate-frequency converter 39, which, in turn, is operatively connected to an intermediate-frequency-to-baseband converter 40. Both frequency converters 39, 40 are operatively connected to the processor(s) 15 via the FPGAs 19, 20 and GPIO devices 30, 31.
  • the intermediate-frequency-to-baseband converter 40 is operatively connected to a second ADC 41, which, in turn, is operatively connected to the first field-programmable gate array 19.
  • the node 2 may be configured to tune to a required frequency range and obtain data samples which are stored internally, processed to search for required flags and/or to reduce the size of the data, and then transmitted to the cluster 3.
  • EEPROM 18, acceleration sensor 24, magnetic field sensor 25, temperature sensor 26, first ADC 29, other sensor(s) 37 and antennae 38 may be positioned externally in relation to the device housing (not shown).
  • the dotted line in Figure 2 is used to illustrate which devices may operate at radio frequencies (on the left of the dotted line) and which devices may operate at baseband frequencies (on the right of the dotted line).
  • a node 2 may be structured differently for different sensing applications or other purposes.
  • a node will have at least one processor, memory and a plurality of network interfaces.
  • Computer programs CP or firmware for controlling operation of the node 2 are stored in Flash memory 17 or another storage device and loaded into memory 16₁ for execution by the processor(s) 15.
  • Nodes 2 intended to form part of the system 1 need not be configured in the same way.
  • some nodes 2 may have wireless interfaces and some may not.
  • the process is automatically run whenever the node 2 is powered on or whenever a previously established connection to a server is lost (step S301).
  • the node 2 is self-configuring, for example when first installed or when the network environment changes.
  • the node 2 attempts to connect to a first server address, using a first connection protocol and via a first access network. These parameters are taken from a list 43 (Figure 4) of server addresses, a list 44 (Figure 4) of connection protocols and a list 45 (Figure 4) of access networks, each of which may be stored in Flash memory 17 (step S302). These lists are described in more detail later with reference to Figure 4.
  • the node 2 determines whether a connection has been established (step S303). For example, this may include setting a timer (not shown) and determining whether a request "times out" or may involve an error occurring at any stage of the process of establishing a connection.
  • if no connection has been established, the node 2 aborts the attempt and determines whether there is a next server address in the list of server addresses (step S304). If there is a next server address, the node 2 attempts to connect to the next server address (step S305). If there are no more server addresses in the list, the node 2 determines whether there is a next connection protocol in the list of connection protocols (step S306). If there is a next connection protocol in the list, the node attempts to connect to the first server in the list using the next connection protocol in the list (step S307). The process of trying different servers is repeated using each connection protocol (steps S303 to S306).
  • if there are no more connection protocols in the list, the node 2 determines whether there is a next access network in the list of access networks (step S308). If there is a next access network in the list, the node 2 attempts to connect to the first server in the list using the first connection protocol in the list via the next access network in the list (step S309). The process of trying different servers and different connection protocols is repeated using each access network (steps S303 to S308).
  • if the node 2 determines that a connection has been established to a server, it proceeds to communicate with the server (step S310). If no connection is established and there are no more server addresses, connection protocols or access networks in the respective lists, then the process terminates.
  • the list 42 comprises a list 43 of a plurality of access networks 46₁, 46₂, ..., 46_L, a list 44 of a plurality of connection protocols 47₁, 47₂, ..., 47_M and a list 45 of a plurality of server addresses 48₁, 48₂, ..., 48_N.
  • each list item may contain one or more items specifying parameters, options and so forth. For example, each of the plurality of connection protocols 47₁, 47₂, ... may specify the application layer protocol to be used to establish the connection (e.g., SSH) 49₁, various specific options 49₂ such as encryption ciphers, timeout periods and so forth, host authentication information 49₃ such as a list of public host keys, node authentication information 49₄ such as a password-free key pair, and channel parameters 49₅ such as the local port for traffic for forwarding and the remote port and address the traffic should be forwarded to.
  • the list of parameters may vary from that shown in this example and may also depend on the specified application layer protocol.
  • the connection protocol parameters may relate to a data link layer, a network layer, a transport layer, a session layer, a presentation layer and/or an application layer of a protocol stack.
  • Other connection protocol parameters could include: credentials for logging on to a network, IP address assignment information, QoS parameters, web proxy server information and so forth.
  • the node 2 may store, in memory, a private key used for authentication purposes that is not password-protected. Given the security risks posed by unauthorised copying and usage of this key, the private key is preferably stored in areas of the physical memory that are difficult for external devices to access.
  • the predefined order in which the node 2 attempts to establish a connection to a server 13 may be defined in many different ways. For example, attempts to establish a connection to one server may be made using any connection protocol and any access network before attempting to establish a connection to another server.
  • the list 42 may be differently structured and may, for example, take the form of an ordered list of any combinations of predetermined server addresses, predetermined connection protocols and predetermined access networks. For example, each combination of server address, connection protocol and access network may require its own specific set of parameters.
  • the node 2 would simply attempt to establish a connection using the server address, connection protocol and access network specified in the first list item, then, if a connection is not established, the second list item, and so on until a connection is established or there are no more items in the list. Furthermore, the node 2 may randomly select the servers 13 to attempt to connect to so as to provide a further means for network load balancing, for example, when DNS is unavailable and nodes 2 are attempting to connect using IP addresses.
  • nodes 2 may be provided with an interface to allow them to connect to a pervasive access network, such as a GPRS or satellite-based network, through which the node can almost always communicate.
  • the node 2 can also be provided with prior information about the pervasive access network, for example some or all of the parameters and a specific communication protocol, to allow the node 2 to establish a connection. Communication over such an access network may have a high cost and/or a low bandwidth.
  • the node will attempt to establish a connection using other access networks including at least one access network about which the device has no prior network access information, i.e. a hostile network. However, the pervasive access network may be used if the node 2 cannot establish a connection through any of the other access networks.
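As an added illustration (not code from the patent or from Crfs Limited), the following Python simulates the Figure 3 search order over the three lists of Figure 4, places the pervasive access network last as described above, and aborts an attempt when the server's presented host key is not in the protocol's list of trusted host keys (49₃). The access networks, host keys and server addresses are constructed placeholders:

```python
"""Simulation of the Figure 3 connection procedure over the lists of Figure 4.

Added example, not code from the patent. The access networks, host keys and
server addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ConnectionProtocol:
    """One entry of list 44 (Figure 4) carrying parameters 49_1 to 49_4."""
    name: str                           # 49_1: application-layer protocol, e.g. "ssh"
    remote_port: int                    # 49_2: option; TCP port the request is sent to
    trusted_host_keys: Tuple[str, ...]  # 49_3: public host keys the node will accept
    node_key_id: str                    # 49_4: id of the node's password-free key pair (carried, not exercised)


# An access network is modelled as a function (server, port) -> host key string
# presented by the server, or None when the request is blocked or times out,
# i.e. the timer expiry or error of step S303.
AccessNetwork = Callable[[str, int], Optional[str]]


@dataclass(frozen=True)
class Connection:
    network: str
    protocol: str
    server: str


def attempt(net_name: str, net: AccessNetwork, proto: ConnectionProtocol,
            server: str, trace: List[Tuple[str, str, str]]) -> Optional[Connection]:
    """Steps S302/S303: send one request; abort on timeout or on an untrusted host key."""
    trace.append((net_name, proto.name, server))
    presented = net(server, proto.remote_port)
    if presented is None:
        return None                      # blocked or timed out: abort this attempt
    if presented not in proto.trusted_host_keys:
        return None                      # server fails authentication (49_3): abort
    return Connection(net_name, proto.name, server)


def establish(access_networks: List[Tuple[str, AccessNetwork]],
              protocols: List[ConnectionProtocol], servers: List[str],
              trace: Optional[List[Tuple[str, str, str]]] = None) -> Optional[Connection]:
    """Figure 3 order: servers innermost (S304/S305), then protocols (S306/S307),
    then access networks (S308/S309). Returns None when all lists are exhausted."""
    if trace is None:
        trace = []
    for net_name, net in access_networks:        # list of access networks; pervasive last
        for proto in protocols:                  # list of connection protocols
            for server in servers:               # list of server addresses
                conn = attempt(net_name, net, proto, server, trace)
                if conn is not None:
                    return conn                  # step S310
    return None


# --- constructed environment, not from the patent ---
CLUSTER_HOST_KEY = "ssh-ed25519 PLACEHOLDER-CLUSTER-KEY"   # placeholder 49_3 entry
FOREIGN_HOST_KEY = "ssh-ed25519 PLACEHOLDER-FOREIGN-KEY"   # key presented by a non-cluster host


def wired_behind_firewall(server: str, port: int) -> Optional[str]:
    """Like firewall 11: only TCP port 80 passes; the named host reaches a non-cluster device."""
    if port != 80:
        return None
    return FOREIGN_HOST_KEY if server == "cms.cluster.example" else CLUSTER_HOST_KEY


def wlan_without_dns(server: str, port: int) -> Optional[str]:
    """WLAN with no usable DNS: only literal IP addresses can be reached."""
    return CLUSTER_HOST_KEY if server[0].isdigit() else None


def gprs_pervasive(server: str, port: int) -> Optional[str]:
    """Pervasive network: costly but reachable, so it is listed last."""
    return CLUSTER_HOST_KEY


PROTOCOLS = [
    ConnectionProtocol("ssh", 22, (CLUSTER_HOST_KEY,), "node-key-A"),
    ConnectionProtocol("ssh-port80", 80, (CLUSTER_HOST_KEY,), "node-key-A"),
]
SERVERS = ["cms.cluster.example", "203.0.113.10"]
NETWORKS = [("wired", wired_behind_firewall), ("wlan", wlan_without_dns),
            ("gprs", gprs_pervasive)]


def run_demo() -> Tuple[Optional[Connection], List[Tuple[str, str, str]]]:
    """Run the procedure in the constructed environment and return (result, attempt trace)."""
    trace: List[Tuple[str, str, str]] = []
    return establish(NETWORKS, PROTOCOLS, SERVERS, trace), trace


if __name__ == "__main__":
    conn, trace = run_demo()
    for step in trace:
        print("attempt:", step)
    print("established:", conn)
```

In the constructed run the first three attempts are aborted (two blocked at port 22, one rejected because the presented host key is not trusted) and the fourth succeeds over the wired network without ever falling back to the pervasive network.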
  • the node 2 can still reach a server 13, for example, to inform the server 13 of its presence and that it cannot establish a connection via other networks.
  • the node 2 may also provide other information, such as information about its location or status.
  • the server 13 can respond by providing the node 2 with further information to allow the node 2 to establish a connection via another access network.
  • the node 2 may receive a new or updated version of the list 42 via an established connection to a server 13 or via any other means such as a local Ethernet or USB connection, and may be programmed to replace or update the list 42 stored in Flash memory 17 with the new or updated version.
  • the node 2 establishes a tunnelled connection to the application server 14.
  • the node 2 includes a connection client module 50 which communicates with the connection managing server 13 in the cluster 3 in order to establish a tunnelled connection 51 which passes through potentially restrictive access network(s) 5, 6, 7 and the Internet 4.
  • an application client module 52 in the application server 14 can connect to the application server module 53 in the node 2, for example, to request sensor data or to transmit control information.
  • Control information may cause nodes 2 to update computer programs stored in Flash memory 17 related to data processing and/or establishing connections, for example.
  • connection client module 50 at the node 2 (hereinafter referred to as the "client") first attempts to connect to the servers via the wired network 7 which includes the firewall 11, using the Ethernet interface 21 (Figure 2).
  • the client 50 may first attempt to register on the network and obtain a network address. It may, for example, send a Dynamic Host Configuration Protocol (DHCP) message for discovering available DHCP servers, receive one or more messages from DHCP servers each offering a dynamically-assigned IP address, and send a message to one of the DHCP servers requesting an IP address.
  • One or more different methods for obtaining a network address may also be used.
  • the client 50 may attempt to assign its own IP address.
  • the IP address of a first connection managing server 13₁ may be obtained by performing a DNS lookup of the host name retrieved from the list 42 (Figure 4) or the IP address may be retrieved directly from the list 42.
  • the latter method may be required in any network environment in which DNS lookup requests are blocked by the firewall 11 or any other network component, or DNS lookups are not possible for any other reason.
  • the DNS lookup involves communicating with the round-robin DNS server 12 (Figure 1) and/or any other name server.
  • the client 50 sends a connection request 54 directed to the first connection managing server 13₁, which may be a standard TCP synchronisation packet addressed to SSH port 22 (step S601).
  • the connection request 54 is blocked by the firewall 11, for example due to packet filtering rules specifying allowed destination ports, and hence does not reach its destination.
  • the client 50 determines that no response to the connection request is received, for example, after listening for a response for a predetermined timeout period (step S602).
  • the client 50 then makes a second attempt to establish a connection by sending a connection request 55 directed to a second connection managing server 13₂ (step S603).
  • the connection request 55 is also blocked by the firewall 11.
  • the node 2 again determines that no response is received (step S604), and makes a third attempt to establish a connection using the hyper-text transfer protocol (HTTP), which firstly involves sending a connection request 56 to the standard web-server port number 80 of the first connection managing server 13₁ (step S605).
  • the connection request 56 is also blocked by the firewall 11, for example, because the firewall 11 may not allow packets to be directed to particular IP addresses including the IP address of the server.
  • After determining that no response is received (step S606), the client 50 sends a similar connection request 57 directed to the second connection managing server 13₂ (step S607), but this is also blocked by the firewall 11.
  • After determining that no response is received (step S607), the client 50 then attempts to connect to the servers via the GPRS network 5 which includes the GPRS gateway 9.
  • a connection request 58 directed to the first connection managing server 13₁ (step S609) is sent using the GPRS interface 21 (Figure 2), but is not forwarded by the gateway 9 for some reason and the client 50 determines that no response is received (step S610).
  • a connection request that is a standard TCP synchronisation packet is then sent by the client 50 directed to port 22 of the second connection managing server 13₂.
  • the packet reaches the server 13₂, which, in turn, replies with an acknowledgment message indicating that the connection is establishable, and the client 50 then sends a forward acknowledgement message to the server thus completing a standard TCP handshake 59 (step S611).
  • the node 2 determines that a response has been received from the server 13₂ (step S612).
  • the client 50 and the connection managing server 13₂ exchange various messages 60 and perform various actions in order to establish the SSH connection (step S613).
  • the client 50 and the server 13₂ may exchange messages identifying an SSH version and messages for negotiating encryption algorithms, authentication methods and so forth.
  • the server 13₂ may provide authentication information in the form of a public host key to the client 50, which may be checked against a list of authentic host keys held by the client 50 thereby authenticating the server 13₂ to the client 50.
  • a random session key may be generated and used to encrypt all messages exchanged by the client 50 and the server 13₂.
  • the client 50 may send authentication information in the form of a message identifying a public node key to the server 13₂.
  • the server 13₂ may check whether this key is in a list of authorised keys and furthermore that the key is not already in use by another client 50 connected to any of the connection managing servers 13, thereby indicating that a key may have been copied by a third party. In this case, the server may "blacklist" the key and refuse all connections from clients 50 using the blacklisted key.
  • the server 13₂ may encrypt a challenge using the public node key and the client 50 may decrypt the challenge using the password-free private node key.
  • the client 50 declares that a connection is established if all of the steps involved in setting up an SSH connection are successful (step S614).
  • the application server module 53 of the node 2 may then transmit a message to the application server 14₄ of the cluster 3.
  • the client 50 communicates with the connection managing server 13₂ in order to open an SSH channel (step S615).
  • TCP packets 62 sent by the application server module 53 of the node 2 are encapsulated by the client 50 into SSH packets 63 (step S616).
  • Such a process of encapsulation may include encryption of the data.
  • the SSH packets 63 are then sent via the tunnelled connection to the connection managing server 13₂ (step S617), which decapsulates the TCP packets and forwards them to a specified port and a specified address of the application server 14₄ (step S618).
  • TCP packets may similarly be sent by the application server 14₄ to the connection managing server 13₂ and sent, encapsulated in SSH packets, to the client 50 where they are decapsulated (step S619).
  • a connection is established that provides a channel for data transfer between the node 2 and the application server 14.
  • the node 2 is able to transmit sensor data to the application server 14 as-and-when certain predetermined conditions are met.
  • certain data received from the sensors may cause the node 2 to enter an "alarm" state which causes it to communicate with the server 14.
  • the node 2 may listen for requests from the application server 14 requesting sensor data or other information on a periodic basis or in response to a demand from a user.
  • the SSH connection between the client 50 and the server 13 may be established using any specified method. Furthermore, many different types of connections between a client 50 and a connection managing server 13 may be established, including, for example, direct TCP connections, PPP-based tunnels, HTTP TCP tunnels, direct TCP port translation and port 80 remote servers. For example, HTTP TCP tunnels embed a TCP network stream in an HTTP connection, which is particularly useful for nodes 2 in access networks 5, 6, 7 whose only external connection is via an HTTP proxy server.
  • Direct TCP port translation involves establishing an SSH connection to a remote server 13 using a non-standard destination port in order to circumvent simple port-based filtering firewalls.
  • Port 80 remote servers are connection managing server applications that listen on port 80 or port 443 (the standard HTTP and HTTPS port numbers) so that, in principle, the node 2 can connect to these via any access network 5, 6, 7 that allows its clients to browse the web, for example.
  • a custom protocol may be used to establish a connection.
  • the networks may be of any type and need not be based on TCP/IP or utilise IP addresses.
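The server-side node-key admission rule described above (authorised list, "already in use" check across the connection managing servers 13, blacklisting) as an added example; this is not the patent's or CRFS Limited's code, and the shared registry, the decision strings and the key identifiers are assumptions made here.

```python
"""Node-key admission check modelled on the connection managing server
behaviour described for step S613. Added example, not the patent's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class KeyRegistry:
    """State assumed to be shared by all connection managing servers 13.

    Keys are constructed string identifiers; a real deployment would index
    by the public node key's fingerprint (assumption).
    """
    authorised: Set[str]
    in_use: Dict[str, str] = field(default_factory=dict)  # key -> server holding the session
    blacklisted: Set[str] = field(default_factory=set)

    def admit(self, key: str, server: str) -> str:
        """Decide whether a client 50 presenting `key` may connect to `server`.

        Returns "accepted" or a refusal reason. A key that is already in use on
        any server is taken as evidence that it was copied: it is blacklisted and
        the connection is refused.
        """
        if key in self.blacklisted:
            return "refused: key is blacklisted"
        if key not in self.authorised:
            return "refused: key not authorised"
        if key in self.in_use:
            # Second simultaneous use of the same node key: treat as copied.
            self.blacklisted.add(key)
            # Drop the existing session as well, since the description says all
            # connections using a blacklisted key are refused (assumption: the
            # holder of the first session is torn down on the next check).
            self.in_use.pop(key)
            return "refused: key already in use, now blacklisted"
        self.in_use[key] = server
        return "accepted"

    def release(self, key: str) -> None:
        """Called when a client disconnects cleanly; unknown keys are ignored."""
        self.in_use.pop(key, None)


def walkthrough() -> List[str]:
    """Constructed scenario: node A connects, a copy of A's key tries a second
    server, then the genuine A is also locked out; node B cycles normally."""
    reg = KeyRegistry(authorised={"node-key-A", "node-key-B"})
    decisions = [
        reg.admit("node-key-A", "server-13-1"),   # accepted
        reg.admit("node-key-C", "server-13-2"),   # not authorised
        reg.admit("node-key-A", "server-13-2"),   # duplicate use -> blacklisted
        reg.admit("node-key-A", "server-13-1"),   # genuine node now refused too
        reg.admit("node-key-B", "server-13-2"),   # accepted
    ]
    reg.release("node-key-B")
    decisions.append(reg.admit("node-key-B", "server-13-1"))  # accepted after release
    return decisions


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```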


Abstract

A device (2) configured to attempt, in a predefined order and until a connection is established, to establish a connection to any one of a predetermined set of servers (14₁, 14₂, 14₃) using any one of a plurality of predetermined connection protocols via any one of a plurality of predetermined access networks (5, 6, 7, 8) including at least one access network about which the device has no prior network access information. The device is configured to attempt to establish the connection via the access network before another access network.

Description

Establishing a connection to a network device
Field of the Invention
The present invention relates to a device for and a method of establishing a connection to a network device.
Background Art
Networks of devices, such as computers, are well known in the art.
For example, the Internet is an interconnected system of networks connecting computers around the world. A computer can access the Internet via a local area network, such as a wireless local area network (WLAN).
Typically, a user attaches their device to a network, for example via an Ethernet link to a router or wireless link to an access point, and configures their device, for example by assigning an Internet address. Once configured, the user enters a uniform resource locator (URL) of a web server and the computer establishes a connection to the server for requesting a web page.
Configuring the computer usually requires prior knowledge of the network and/or information about the network so as to register the device. This can limit the ability of computers to be "dropped" into any network environment. Also, it can take a considerable amount of time to configure several computers.
US-A-6012088 describes an automatic configuration process to handle the task of configuring an Internet access device at a customer site. The customer enters a registration identification number and a telephone number onto the device, which initially connects to the Internet over a standard analogue telephone line in order to download configuration data. Although this process can help facilitate setting up the device, it has several disadvantages. For example, the process uses a specific type of connectivity to set up the device, namely a dial-up service, which may not always be available. The present invention seeks to provide a method of and device for establishing a connection to a network device.
Summary
According to a first aspect of the present invention, there is provided a device configured to attempt, in a predefined order and until a connection is established, to establish a connection to any one of a predetermined set of network devices using any one of a plurality of predetermined connection protocols via any one of a plurality of predetermined access networks including at least one access network about which the device has no prior network access information, the device configured to attempt to establish the connection via the access network before another access network.
Thus, even if a device is located in an unknown or "hostile" network environment, it can still attempt to establish a connection autonomously and automatically to a network device and so minimise user input.
The device may comprise controlling means configured to attempt, in a predefined order and until a connection is established, to establish a connection to any one of a predetermined set of network devices using any one of a plurality of predetermined connection protocols via any one of a plurality of predetermined access networks.
The device may comprise memory, at least one processor and a plurality of network interfaces, wherein the memory may be configured to store the predefined order in which connections should be attempted, the predetermined set of network devices, the plurality of predetermined connection protocols and the plurality of predetermined access networks, and the at least one processor may be configured to attempt to establish the connection using a network interface and to determine when the connection is established.
The device may be further configured to send a request to establish a connection to a network device using a connection protocol via an access network, determine whether a response is received from the network device indicating that the requested connection is establishable, in dependence on such a response being received, establish the requested connection and, in dependence on such a response not being received, abort the attempt to establish the connection to the network device using the connection protocol via the access network.
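The ordered attempt loop of the first aspect (send a request, listen for a response, abort on silence, move to the next server/protocol/access-network item) as an added example; this is not the patent's or CRFS Limited's code, and the entry fields, the timeouts, the server names and the simulated reachability table are assumptions constructed here. It also shows the preference stated in the description for trying the costly pervasive network (GPRS) last.

```python
"""Ordered connection attempts in the style of list 42 (Figure 4).
Added example, not the patent's code; the network is simulated offline."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Attempt:
    """One list item: access network, connection protocol, server and the
    time to listen for a response before aborting (steps S601/S602)."""
    access_network: str   # e.g. "wired", "wlan", "gprs" (assumed names)
    protocol: str         # e.g. "ssh/22", "http/80" (assumed names)
    server: str           # host name or literal IP; list 42 may hold either
    timeout_s: float


# A transport returns True when an acknowledgement arrives within timeout_s and
# False on silence (request blocked by a firewall or not forwarded by a gateway).
Transport = Callable[[Attempt], bool]


def connect_in_order(attempts: List[Attempt],
                     transport: Transport) -> Tuple[Optional[Attempt], List[Attempt]]:
    """Try each item in order; stop at the first that gets a response.

    Returns (established item or None, the items tried), so a caller can see
    how far down the list the node had to go.
    """
    tried: List[Attempt] = []
    for attempt in attempts:
        tried.append(attempt)
        if transport(attempt):
            return attempt, tried
        # No response within attempt.timeout_s: abort this combination.
    return None, tried


def pervasive_last(attempts: List[Attempt], pervasive: str) -> List[Attempt]:
    """Keep the given order but move items on the pervasive (high-cost,
    low-bandwidth) access network to the end, so it is used only when every
    other access network has failed."""
    others = [a for a in attempts if a.access_network != pervasive]
    last = [a for a in attempts if a.access_network == pervasive]
    return others + last


# Constructed reachability table mirroring the Figure 6 scenario: the wired
# firewall blocks every request and the GPRS gateway only forwards the second
# server. Anything not listed is unreachable.
REACHABLE: Dict[Tuple[str, str, str], bool] = {
    ("gprs", "ssh/22", "srv2.example"): True,
}


def simulated_transport(attempt: Attempt) -> bool:
    return REACHABLE.get((attempt.access_network, attempt.protocol, attempt.server), False)


def figure6_list() -> List[Attempt]:
    """Constructed list 42: two servers, two protocols, two access networks,
    deliberately written with GPRS first so pervasive_last() has work to do."""
    items = []
    for network in ("gprs", "wired"):
        for protocol in ("ssh/22", "http/80"):
            for server in ("srv1.example", "srv2.example"):
                items.append(Attempt(network, protocol, server, 5.0))
    return items


def run_figure6_scenario() -> Tuple[Optional[Attempt], List[Attempt]]:
    ordered = pervasive_last(figure6_list(), "gprs")
    return connect_in_order(ordered, simulated_transport)


if __name__ == "__main__":
    established, tried = run_figure6_scenario()
    for a in tried:
        print(f"{a.access_network:6} {a.protocol:8} {a.server}")
    print("established:", established)
```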
The connection may provide a channel for data transfer between the device and the network device. The connection may be a tunnelled connection. The connection may be a secure connection.
The connection protocol may comprise information relating to a data link layer, a network layer, a transport layer, a session layer, a presentation layer and/or an application layer of a protocol stack. At least one of the plurality of predetermined connection protocols may specify a name of the network device. At least one of the plurality of predetermined connection protocols may specify an Internet protocol address of the network device.
The device may be further configured, according to the connection protocol, to send authentication information to the network device for authenticating the device. The authentication information may comprise information identifying a public key and the private key corresponding to the public key may be a password-free private key. The device may be further configured, according to the connection protocol, to receive authentication information from the network device for authenticating the network device. The connection protocol may comprise a Secure Shell protocol.
At least one of the plurality of predetermined access networks may comprise a wireless local area network. At least one of the plurality of predetermined access networks may comprise a wired network. At least one of the plurality of predetermined access networks may comprise a mobile telecommunications system.
The device may be further configured to transmit sensor data to the network device using the connection. The device may be further configured to receive control information from the network device using the connection.
The device may be configured to attempt to establish a connection to the network devices using one connection protocol and one access network, and, in response to failing to establish a connection to any of the network devices, to attempt to establish a connection to the network devices using another connection protocol and/or access network.
The device may be configured to attempt to establish a connection after the device is powered on or after a previously established connection is lost.
According to a second aspect of the present invention, there is provided a system comprising at least one device and a network device cluster comprising at least one connection managing network device and at least one application network device. The network device cluster may further comprise a round-robin name server. The connection protocol of at least one of the at least one device may comprise an Internet protocol address of a network device and instructions instructing the device to establish a new connection to a different Internet protocol address of a different network device may be sent to the device using the connection.
According to a third aspect of the present invention, there is provided a method of operating a device comprising attempting, in a predefined order and until a connection is established, to establish a connection to any one of a predetermined set of network devices using any one of a plurality of predetermined connection protocols via any one of a plurality of predetermined access networks including at least one access network about which the device has no prior network access information, and attempting to establish the connection via the access network before another access network.
The method may comprise sending a request to establish a connection to a network device using a connection protocol via an access network, determining whether a response is received from the network device indicating that the requested connection is establishable, in dependence on such a response being received, establishing the requested connection, and, in dependence on such a response not being received, aborting the attempt to establish the connection to the network device using the connection protocol via the access network.
The method may comprise establishing a tunnelled connection. The method may comprise establishing a secure connection.
The method may further comprise specifying a name of the network device. The method may further comprise specifying an Internet protocol address of the network device. The method may further comprise sending authentication information to the network device for authenticating the device. The method may further comprise receiving authentication information from the network device for authenticating the network device. The method may further comprise connecting using a Secure Shell protocol.
The method may comprise attempting to establish a connection to the network devices using one connection protocol and one access network, and, in response to failing to establish a connection to any of the network devices, attempting to establish a connection to the network devices using another connection protocol and/or access network.
According to a fourth aspect of the present invention there is provided a computer program comprising program comprising instructions which when executed by a processor perform the method.
According to a fifth aspect of the present invention there is provided a computer-readable medium storing the computer program.
Brief Description of the Drawings
Embodiments of the present invention will now be described, by way of example, with reference to the accompanying drawings, in which:
Figure 1 shows a system including nodes attempting to establish connections to application servers in accordance with the present invention;
Figure 2 is a block diagram of a node in accordance with the present invention;
Figure 3 is a flowchart illustrating a method by which a node attempts to establish a connection to a server in accordance with the present invention;
Figure 4 illustrates a list of the order in which connections are attempted;
Figure 5 illustrates a tunnelled connection between a node and a server; and
Figure 6 is a sequence flow diagram illustrating a method by which a node establishes a connection to a server using a Secure Shell protocol in accordance with the present invention.
Detailed Description of Embodiments
Referring to Figure 1, a system 1 of devices 2 (hereinafter referred to as "nodes") connected to a cluster 3 of network devices via interconnected networks 4, 5, 6, 7 is shown. In this example, the system 1 is a spectral monitoring system in which nodes 2 gather data about spectral power density across a range of frequencies, for example 1 Hz to 1 THz or part(s) thereof, using a sufficiently high sample rate to be able to provide detailed information about temporal events. The nodes 2 process the raw spectral power data to reduce the amount of data for transmission and transmit the data to the cluster 3 so as to allow a position- and/or time-dependent map of frequency usage to be prepared. Such a map may be helpful for frequency planning and for regulatory purposes. The nodes 2 may take the form of other types of sensing devices measuring, for example, air pollution, temperature, humidity and so forth. In some embodiments, the system 1 may be a distributed computing or communication system and the nodes 2 may take the form of computing devices. The system 1 may also be used for environmental monitoring, civic and police monitoring, scientific surveying and security CCTV, for example.
As will be explained in more detail later, once a node 2 is primed, for example, by switching on the node 2 or by providing a trigger signal, it attempts to establish a connection to the cluster 3 regardless of the environment in which it finds itself so as to transmit and/or receive data, such as sensor data. The nodes 2 may be deployed in an environment in which they may have access to one or more different access networks, for example an Ethernet network, a wireless access network or a mobile telecommunications system. The set of networks may be topologically diverse, each network may be unreliable, and at least one of the networks may be a network about which the node 2 has no prior network access information. Such a network, particularly if restrictions for use are put in place, may be referred to as "hostile" or "restrictive". However, the nodes 2 can autonomously and automatically establish a connection to the cluster 3 regardless of the environment, resulting in no, or minimal, set-up requirements and more reliable communications. Thus, the nodes 2 can be plugged into an Ethernet port or other form of wired port, or attempt some form of wireless access, and will attempt to establish a connection, thus facilitating establishment of a scaleable network of nodes 2, the number of which can run to tens or hundreds of thousands or millions. For example, a city may be provided with tens or hundreds of nodes.
Due to the public nature of the networks over which the node 2 and the cluster 3 communicate, establishing the connection may also involve authenticating both the node 2 and cluster 3, and the data transfer channel may also be encrypted, so that the connection is a secure connection and information cannot be intercepted by or falsely provided by third parties.
Referring still to Figure 1, various access networks 5, 6, 7, each interconnected to the Internet 4, are shown, including a General Packet Radio Service (GPRS) access network 5, a wireless local area network 6, and a wired network 7. A digital subscriber line access multiplexer 8 connected to the Internet 4 is also shown. The system 1 may be differently configured and may include other forms of access network and other interconnecting networks. For example, the system 1 need not include one or more of the illustrated networks 4, 5, 6, 7, 8 or may include more access networks of the same or a different type. Other access networks may be based on Bluetooth, Enhanced Data rates for GSM Evolution (EDGE), High-Speed Packet Access (HSPA) or satellite connections (not shown). For clarity, only one or two nodes 2 are shown connected to each access network 5, 6, 7. However, it will be appreciated that any number of nodes 2 may be connected or may be attempting to access each network 5, 6, 7. Furthermore, at least two of the access networks 5, 6, 7 may cover the same geographical area so that nodes 2 may be able to connect to more than one access network. The order in which connections are attempted is described later. The GPRS access network 5 includes a GPRS gateway 9, the wireless local area network 6 includes a WiFi access point 10, and the wired network 6 includes a firewall 11. The access networks 5, 6, 7 need not include the components or elements shown in this example and may include other components, such as additional network infrastructure (not shown).
The components of the access networks 5, 6, 7 or any other access network components may restrict network traffic originating from the nodes 2 and/or originating from the Internet 4.
For example, the WiFi Access Point 10 may have network address translation functionality. Thus, the nodes 2 connected to the wireless local area network 6 may have private Internet protocol (IP) addresses and so may not be addressable from the Internet.
In some cases, the GPRS gateway 9 may only route packets from external devices, such as servers, connected to the Internet 4 if the internal node 2 has previously sent a packet to the external device. Hence, external devices may not be able to initiate connections to internal nodes 2. One way connection initiation requirements such as this are common and so it may be useful if nodes 2 initiate connections to the server rather than the traditional server-to-client approach.
Furthermore, the firewall 11 may only allow packets to be transmitted that are directed to a standard Transmission Control Protocol (TCP) port used for web-browsing applications such as port 80.
In addition, the access network 5, 6, 7 may support quality of service (QoS) and may, for example, only agree on a traffic contract with a node 2 for a connection with a lower rather than a higher priority level.
Other types of traffic restrictions may be imposed by a component of an access network and these restrictions may change with time as-and-when the system 1 is modified.
Referring still to Figure 1, the cluster 3 includes a round-robin Domain Name System (DNS) server 12 connected to the Internet 4 and one or more connection managing servers 13, each of which is connected to both the Internet 4 and to one or more application servers 14. For illustrative purposes, two connection managing servers 13₁, 13₂, each connected to three application servers 14₁, 14₂, 14₃, 14₄, 14₅, 14₆ are shown. The cluster 3 may include one or more than two connection managing servers 13, each of which may be connected to one, two or more than three application servers 14. For example, as the number of nodes 2 in the system 1 increases and/or the volume of data communicated to the cluster 3 increases, additional connection managing servers 13 and/or additional application servers 14 could be added to the system. Hence, the system 1 is scaleable and the cluster 3 may include redundancy features such as additional connection managing servers 13 and/or application servers 14 that operate as-and-when required. However, the cluster 3 is configured so that internal changes do not affect how a node 2 may establish a connection. The function of a connection managing server 13 and an application server 14 may also be performed by a single network device. The cluster 3 may be distributed, with components at different physical locations connected via a public network, such as the Internet 4, or a private network.
The node 2 need not attempt to establish a connection to a server in a cluster. For example, the server may stand alone. Furthermore, the node 2 may attempt to establish a connection to another node 2.
The round-robin DNS server 12 responds to DNS requests to resolve a particular name, e.g., host name, by returning a variable list of one or more of the IP addresses of the connection managing servers 13 such that the "load" (i.e. the network traffic) is balanced between these servers. For example, the round-robin DNS server 12 may return an IP address of a first connection managing server 13₁ in response to a first DNS request, the IP address of a second connection managing server 13₂ in response to a second DNS request, and the IP address of the first connection managing server 13₁ in response to a third DNS request. The cluster 3 does not need to include a round-robin DNS server, or there may be more than one round-robin DNS server. Furthermore, other load balancing techniques, such as a technique employing a virtual server (not shown), may be used. A second load balancing technique may also be provided for nodes 2 that are not able to connect to a DNS server. The technique may involve a connection managing server 13 instructing a node 2 to reconnect to a different IP address of a different server, with the address being changed for each incoming request.
Referring to Figure 2, an RF monitoring node 2 forming or capable of forming part of the spectral monitoring system 1 (Figure 1) will now be described. The node 2 includes at least one processor 15, random access memory 16, Flash memory 17, electrically erasable programmable read-only memory (EEPROM) 18, first 19 and second 20 field-programmable gate arrays (FPGA) and at least two network interfaces. In this example, the node 2 includes an Ethernet interface 21, at least one public land mobile network (PLMN) interface 22 and a WiFi interface 23. The at least one PLMN interface 22 may comprise a GPRS interface and/or an EDGE interface and/or an HSPA interface. Optionally, the node 2 may include sensors or sensing devices, such as an acceleration sensor 24, a magnetic field sensor 25, a temperature sensor 26, a GPS receiver 27, a webcam 28 and a first analogue-to-digital converter (ADC) 29. As shown in Figure 2, the processor(s) 15, memory 16, 17, 18, FPGAs 19, 20, interfaces 21, 22, 23 and sensors 24, 25, 26, 27, 28, 29 are operatively connected via general purpose input/output (GPIO) devices 30, 31 and/or USB interface(s) 32 and/or a controller area network (CAN) bus 33 and/or other types of buses. A clock 34 is operatively connected to the processor(s) 15 and the FPGAs 19, 20. The clock 34 is also operatively connected to the GPS receiver 27 for receiving a pulse per second (PPS) timing signal. The first FPGA 19 is also coupled to dedicated random access memory 16₂. A removable storage device 35 may also be connected via the USB interface 32. Electrical power may be supplied via various means including power over Ethernet, a battery or a DC power source, and is conditioned by a power conditioner 36. Nodes 2 may also obtain power from their environment using, for example, a solar cell and may also be programmed to only operate for short periods, such as one or more minutes per day or per week, and to sleep during the intervening periods.
It will be appreciated that some of the components, such as one or both of the FPGAs 19, 20, may be omitted or other components may be added, such as a display or keypad, according to the purpose of the node. It will also be appreciated that some components may be duplicated. For example, there may be more than one temperature sensor 26, one of which is used for external monitoring and one of which is used for internal monitoring. There may also be additional components and/or other, different types of storage, memory, network interfaces, sensors 37, or means for operatively connecting these components (not shown). For example, a programmable interrupt controller may be used instead of the second FPGA, and the GPIO device connected to the second FPGA may be replaced by a serial peripheral interface bus.
Nodes 2 intended to form part of the system 1 may be provided with at least one interface to a pervasive access network through which the node has a high chance of establishing a connection. Examples of a pervasive access network are a GPRS network and a satellite communication network.
Nodes 2 may also be configured so that a local user can connect to the node 2, for example, by connecting a laptop computer directly to the node 2 via Ethernet interface 21 or USB interface 32. Thus, the local user can communicate with a node 2 that may not be connected to a server 13, for example, to retrieve stored sensor data or diagnostic information or to transmit control information.
The node 2 also includes an antenna 38, operatively connected to a radio-frequency-to-intermediate-frequency converter 39, which, in turn, is operatively connected to an intermediate-frequency-to-baseband converter 40. Both frequency converters 39, 40 are operatively connected to the processor(s) 15 via the FPGAs 19, 20 and GPIO devices 30, 31. The intermediate-frequency-to-baseband converter 40 is operatively connected to a second ADC 41, which, in turn, is operatively connected to the first field-programmable gate array 19. The node 2 may be configured to tune to a required frequency range and obtain data samples which are stored internally, processed to search for required flags and/or to reduce the size of the data, and then transmitted to the cluster 3. In Figure 2, EEPROM 18, acceleration sensor 24, magnetic field sensor 25, temperature sensor 26, first ADC 29, other sensor(s) 37 and antenna 38 may be positioned externally in relation to the device housing (not shown).
The dotted line in Figure 2 is used to illustrate which devices may operate at radio frequencies (on the left of the dotted line) and which devices may operate at baseband frequencies (on the right of the dotted line).
A node 2 may be structured differently for different sensing applications or other purposes. In many cases, a node will have at least one processor, memory and a plurality of network interfaces.
Computer programs CP or firmware for controlling operation of the node 2 are stored in Flash memory 17 or other storage device and loaded into memory 16₁ for execution by the processor(s) 15.
Nodes 2 intended to form part of the system 1 need not be configured in the same way. For example, some nodes 2 may have wireless interfaces and some may not.
Referring to Figure 3, a process by which a node 2 (Figure 1) establishes a connection with a connection managing server 13 (Figure 1) will now be described.
The process is automatically run whenever the node 2 is powered on or whenever a previously established connection to a server is lost (step S301). Thus, the node 2 is self-configuring, for example when first installed or when the network environment changes.
The node 2 attempts to connect to a first server address, using a first connection protocol and via a first access network. These parameters are taken from a list 43 (Figure 4) of server addresses, a list 44 (Figure 4) of connection protocols and a list 45 (Figure 4) of access networks, each of which may be stored in Flash memory 17 (step S302). These lists are described in more detail later with reference to Figure 4. The node 2 determines whether a connection has been established (step S303). For example, this may include setting a timer (not shown) and determining whether a request "times out" or may involve an error occurring at any stage of the process of establishing a connection. If a connection has not been established, the node 2 aborts the attempt and determines whether there is a next server address in the list of server addresses (step S304). If there is a next server address, the node 2 attempts to connect to the next server address (step S305). If there are no more server addresses in the list, the node 2 determines whether there is a next connection protocol in the list of connection protocols (step S306). If there is a next connection protocol in the list, the node attempts to connect to the first connection server in the list using the next connection protocol in the list (step S307). The process of trying different servers is repeated using each connection protocol (steps S303 to S306). If there are no more connection protocols in the list, the node 2 determines whether there is a next access network in the list of access networks (step S308). If there is a next access network in the list, the node 2 attempts to connect to the first connection server in the list using the first connection protocol in the list via the next access network in the list (step S309). The process of trying different servers and using different connection protocols is repeated using each access network (steps S303 to S308).
When the node 2 determines that a connection has been established to a server, it proceeds to communicate with the server (step S310). If no connection is established and there are no more server addresses, connection protocols or access networks in the respective lists, then the process terminates.
Referring to Figure 4, a list 42 used for determining the order in which connections are attempted is shown.
The list 42 comprises a list 43 of a plurality of access networks 46₁, 46₂, ..., 46L, a list 44 of a plurality of connection protocols 47₁, 47₂, ..., 47M and a list 45 of a plurality of server addresses 48₁, 48₂, ..., 48N. Each list item may contain one or more items specifying parameters, options and so forth. For example, each of the plurality of connection protocols 47₁, 47₂, ..., 47M comprises a list of parameters, such as the application layer protocol to be used to establish the connection (e.g., SSH) 49₁, various specific options 49₂ such as encryption ciphers, timeout periods and so forth, host authentication information 49₃ such as a list of public host keys, node authentication information 49₄ such as a password-free key pair, and channel parameters 49₅ such as the local port for traffic for forwarding and the remote port and address to which the traffic should be forwarded. The list of parameters may vary from that shown in this example and may also depend on the specified application layer protocol. For example, the connection protocol parameters may relate to a data link layer, a network layer, a transport layer, a session layer, a presentation layer and/or an application layer of a protocol stack. Other connection protocol parameters (not shown) could include: credentials for logging on to a network, IP address assignment information, QoS parameters, web proxy server information and so forth.
The node 2 (Figure 2) may store, in memory, a private key used for authentication purposes that is not password-protected. Given the security risks posed by unauthorised copying and usage of this key, the private key is preferably stored in areas of the physical memory that are difficult for external devices to access.
The predefined order in which the node 2 attempts to establish a connection to a server 13 (Figure 1) may be defined in many different ways. For example, attempts to establish a connection to one server may be made using any connection protocol and any access network before attempting to establish a connection to another server. Alternatively, the list 42 may be differently structured and may, for example, be an ordered list of combinations of predetermined server addresses, predetermined connection protocols and predetermined access networks. For example, each combination of server address, connection protocol and access network may require its own specific set of parameters. In this case, the node 2 would simply attempt to establish a connection using the server address, connection protocol and access network specified in the first list item, then, if a connection is not established, the second list item, and so on until a connection is established or there are no more items in the list. Furthermore, the node 2 may randomly select the servers 13 to attempt to connect to so as to provide a further means for network load balancing, for example, when DNS is unavailable and nodes 2 are attempting to connect using IP addresses.
As mentioned earlier, nodes 2 may be provided with an interface to allow them to connect to a pervasive access network, such as a GPRS or satellite-based network, through which the node can almost always communicate. The node 2 can also be provided with prior information about the pervasive access network, for example some or all of the parameters and a specific communication protocol, to allow the node 2 to establish a connection. Communication over such an access network may have a high cost and/or a low bandwidth. The node will attempt to establish a connection using other access networks including at least one access network about which the device has no prior network access information, i.e. a hostile network. However, the pervasive access network may be used if the node 2 cannot establish a connection through any of the other access networks. Thus, the node 2 can still reach a server 13, for example, to inform the server 13 of its presence and that it cannot establish a connection via other networks. The node 2 may also provide other information, such as information about its location or status. The server 13 can respond by providing the node 2 with further information to allow the node 2 to establish a connection via another access network.
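The attempt order of Figure 3 over the three lists of Figure 4, with pervasive access networks ordered last as described above, is modelled in the following added example. It is not the patent's own code: the names ConnectionProtocol, AccessNetwork, ConnectionList, establish, tcp_probe and needs_dns are illustrative, the server addresses are constructed documentation-range values, and the figure6_scenario() reachability is a constructed stand-in for the firewall and gateway behaviour described later with reference to Figure 6. The needs_dns() helper covers the choice, also described later, between a host name that must be resolved and an IP address taken directly from the list when DNS is unavailable.

```python
# Added example, not the patent's own code: models the connection-attempt order of
# Figure 3 over the three lists of Figure 4. ConnectionProtocol, AccessNetwork,
# ConnectionList, establish, tcp_probe and needs_dns are illustrative names.
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class ConnectionProtocol:
    """One entry of list 44: application-layer protocol plus its options."""
    name: str                                # e.g. "ssh" or "http"
    port: int                                # remote port the connection request targets
    timeout_s: float = 5.0                   # wait this long for a response before aborting
    trusted_host_keys: Tuple[str, ...] = ()  # host authentication information


@dataclass(frozen=True)
class AccessNetwork:
    """One entry of list 45. A pervasive network (GPRS, satellite) is tried last."""
    name: str
    pervasive: bool = False
    source_address: Optional[Tuple[str, int]] = None  # local address of this interface


@dataclass
class ConnectionList:
    """List 42: access networks, connection protocols and server addresses."""
    access_networks: List[AccessNetwork]
    protocols: List[ConnectionProtocol]
    servers: List[str]

    def ordered_attempts(self) -> Iterator[Tuple[AccessNetwork, ConnectionProtocol, str]]:
        # Outer loop: access network; middle: protocol; inner: server address
        # (steps S302 to S309). Pervasive networks move to the end; sorted() is
        # stable, so the configured order is otherwise preserved.
        for network in sorted(self.access_networks, key=lambda n: n.pervasive):
            for protocol in self.protocols:
                for server in self.servers:
                    yield network, protocol, server


def needs_dns(server: str) -> bool:
    """True if the list entry is a host name that must be resolved (DNS may be blocked)."""
    try:
        ipaddress.ip_address(server)
        return False
    except ValueError:
        return True


TryConnect = Callable[[AccessNetwork, ConnectionProtocol, str], bool]


def tcp_probe(network: AccessNetwork, protocol: ConnectionProtocol, server: str) -> bool:
    """Real connection request: TCP handshake to server:port with a timeout (step S303)."""
    try:
        with socket.create_connection((server, protocol.port), timeout=protocol.timeout_s,
                                      source_address=network.source_address):
            return True
    except OSError:  # timeout, refused, unreachable or filtered: the attempt is aborted
        return False


def establish(conn_list: ConnectionList, try_connect: TryConnect):
    """Walk the ordered attempts and stop at the first success (step S310).

    Returns (winning triple or None, log of every attempt) so the node can report
    which paths were blocked once it finally reaches a server.
    """
    log = []
    for network, protocol, server in conn_list.ordered_attempts():
        ok = try_connect(network, protocol, server)
        log.append((network.name, protocol.name, server, ok))
        if ok:
            return (network, protocol, server), log
    return None, log


def figure6_scenario():
    """Constructed reachability matching the Figure 6 narrative (no real sockets)."""
    wired = AccessNetwork("wired", pervasive=False)
    gprs = AccessNetwork("gprs", pervasive=True)
    ssh = ConnectionProtocol("ssh", 22)
    http = ConnectionProtocol("http", 80)
    servers = ["198.51.100.1", "198.51.100.2"]  # constructed documentation addresses
    # GPRS is listed first on purpose: ordered_attempts() still tries it last.
    conn_list = ConnectionList([gprs, wired], [ssh, http], servers)

    def simulated(network, protocol, server):
        # The wired network's firewall drops everything; the GPRS gateway only
        # forwards traffic to the second server's SSH port.
        return network.name == "gprs" and protocol.name == "ssh" and server == servers[1]

    return establish(conn_list, simulated)
```

Replacing the simulated callable with tcp_probe turns the same loop into a real probe; the attempt log is the piece a defender wants kept, because a node that reaches a server only via the costly pervasive network should report which of the cheaper paths were blocked.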
The node 2 may receive a new or updated version of the list 42 via an established connection to a server 13 or via any other means such as a local Ethernet or USB connection, and may be programmed to replace or update the list 42 stored in Flash memory 17 with the new or updated version.
Referring to Figure 5, the node 2 establishes a tunnelled connection to the application server 14. The node 2 includes a connection client module 50 which communicates with the connection managing server 13 in the cluster 3 in order to establish a tunnelled connection 51 which passes through potentially restrictive access network(s) 5, 6, 7 and the Internet 4. Once the tunnelled connection is established, an application client module 52 in the application server 14 can connect to the application server module 53 in the node 2, for example, to request sensor data or to transmit control information. Control information may cause nodes 2 to update computer programs stored in Flash memory 17 related to data processing and/or establishing connections, for example.
Referring also to Figure 6, a method of connecting a node 2 (Figure 1) to a server 13 using a Secure Shell protocol will now be described.
In this example, the connection client module 50 at the node 2 (hereinafter referred to as the "client") first attempts to connect to the servers via the wired network 7 which includes the firewall 11, using the Ethernet interface 21 (Figure 2).
The client 50 may first attempt to register on the network and obtain a network address. It may, for example, send a Dynamic Host Configuration Protocol (DHCP) message for discovering available DHCP servers, receive one or more messages from DHCP servers each offering a dynamically-assigned IP address, and send a message to one of the DHCP server requesting an IP address. One or more different methods for obtaining a network address may also be used. For example, the client 50 may attempt to assign its own IP address.
The IP address of a first connection managing server 13₁ may be obtained by performing a DNS lookup of the host name retrieved from the list 42 (Figure 4) or the IP address may be retrieved directly from the list 42. The latter method may be required in any network environment in which DNS lookup requests are blocked by the firewall 11 or any other network component, or DNS lookups are not possible for any other reason. The DNS lookup involves communicating with the round-robin DNS server 12 (Figure 1) and/or any other name server.
The client 50 sends a connection request 54 directed to the first connection managing server 13₁, which may be a standard TCP synchronisation packet addressed to SSH port 22 (step S601). The connection request 54 is blocked by the firewall 11, for example due to packet filtering rules specifying allowed destination ports, and hence does not reach its destination. The client 50 determines that no response to the connection request is received, for example, after listening for a response for a predetermined timeout period (step S602). The client 50 then makes a second attempt to establish a connection by sending a connection request 55 directed to a second connection managing server 13₂ (step S603). The connection request 55 is also blocked by the firewall 11.
The node 2 again determines that no response is received (step S604), and makes a third attempt to establish a connection using the hyper-text transfer protocol (HTTP), which firstly involves sending a connection request 56 to the standard web-server port number 80 of the first connection managing server 13₁ (step S605). The connection request 56 is also blocked by the firewall 11, for example, because the firewall 11 may not allow packets to be directed to particular IP addresses including the IP address of the server. After determining that no response is received (step S606), the client 50 sends a similar connection request 57 directed to the second connection managing server 13₂ (step S607), but this is also blocked by the firewall 11.
After determining that no response is received (step S607), the client 50 then attempts to connect to the servers via the GPRS network 5 which includes the GPRS gateway 9. A connection request 58 directed to the first connection managing server 13₁ (step S609) is sent using the GPRS interface 21 (Figure 2), but is not forwarded by the gateway 9 for some reason and the client 50 determines that no response is received (step S610).
A connection request that is a standard TCP synchronisation packet is then sent by the client 50 directed to port 22 of the second connection managing server 13₂. In this case the packet reaches the server 13₂, which, in turn, replies with an acknowledgment message indicating that the connection is establishable, and the client 50 then sends a forward acknowledgement message to the server thus completing a standard TCP handshake 59 (step S611).
The node 2 determines that a response has been received from the server 13₂ (step S612). The client 50 and the connection managing server 13₂ exchange various messages 60 and perform various actions in order to establish the SSH connection (step S613). For example, the client 50 and the server 13₂ may exchange messages identifying an SSH version and messages for negotiating encryption algorithms, authentication methods and so forth. The server 13₂ may provide authentication information in the form of a public host key to the client 50, which may be checked against a list of authentic host keys held by the client 50 thereby authenticating the server 13₂ to the client 50. A random session key may be generated and used to encrypt all messages exchanged by the client 50 and the server 13₂. The client 50 may send authentication information in the form of a message identifying a public node key to the server 13₂. The server 13₂ may check whether this key is in a list of authorised keys and furthermore that the key is not already in use by another client 50 connected to any of the connection managing servers 13, thereby indicating that a key may have been copied by a third party. In this case, the server may "blacklist" the key and refuse all connections from clients 50 using the blacklisted key. In order to authenticate the client 50, the server 13₂ may encrypt a challenge using the public node key and the client 50 may decrypt the challenge using the password-free private node key.
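The two key checks of step S613, the client's host-key check against its list of authentic host keys and the cluster-wide "key already in use" check that leads to blacklisting, are shown in the following added example. It is not the patent's or the applicant's code: KeyRegistry, authenticate, release and verify_host_key are illustrative names, keys are represented by constructed fingerprint strings, and the registry being shared by all connection managing servers of the cluster is an assumption about how "any of the connection managing servers 13" would see the same state.

```python
# Added example, not the patent's own code: the node-key and host-key checks
# described for step S613. KeyRegistry, authenticate, release and verify_host_key
# are illustrative names; keys are represented by their fingerprints (constructed).
import hmac
from dataclasses import dataclass, field
from typing import Dict, Set, Iterable


@dataclass
class AuthResult:
    accepted: bool
    reason: str


@dataclass
class KeyRegistry:
    """State assumed to be shared by all connection managing servers 13 of the cluster.

    A node key presented while a session using it is already open on any server of
    the cluster is taken as evidence that the password-free private key was copied,
    and the key is blacklisted.
    """
    authorised: Set[str]
    in_use: Dict[str, str] = field(default_factory=dict)  # key -> server holding the session
    blacklist: Set[str] = field(default_factory=set)

    def authenticate(self, node_key: str, server_id: str) -> AuthResult:
        if node_key in self.blacklist:
            return AuthResult(False, "key blacklisted")
        if node_key not in self.authorised:
            return AuthResult(False, "key not in authorised list")
        holder = self.in_use.get(node_key)
        if holder is not None:
            # Second concurrent use: blacklist the key and forget the registered
            # session, since the key can no longer be trusted (the server holding
            # that session is assumed to close it).
            self.blacklist.add(node_key)
            del self.in_use[node_key]
            return AuthResult(False, f"key already in use on {holder}; blacklisted")
        self.in_use[node_key] = server_id
        return AuthResult(True, f"session registered on {server_id}")

    def release(self, node_key: str) -> None:
        """Called when a node's connection closes, so a clean reconnect after a lost
        connection is not mistaken for a copied key."""
        self.in_use.pop(node_key, None)


def verify_host_key(presented: str, trusted_host_keys: Iterable[str]) -> bool:
    """Client side: accept the server only if its host key is in the node's list 49₃.

    Constant-time comparison avoids leaking how much of a trusted key matched."""
    return any(hmac.compare_digest(presented, k) for k in trusted_host_keys)
```

The release() path matters in practice: a node whose previous connection dropped without the server noticing still has a session registered, so without an explicit release (or a keepalive-driven expiry) its legitimate reconnect would be treated as a copied key and the node would lock itself out.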
The client 50 declares that a connection is established if all of the steps involved in setting up an SSH connection are successful (step S614). The application server module 53 of the node 2 may then transmit a message to the application server 14 of the cluster 3. The client 50 communicates with the connection managing server 13₂ in order to open an SSH channel (step S615). TCP packets 62 sent by the application server module 53 of the node 2 are encapsulated by the client 50 into SSH packets 63 (step S616). Such a process of encapsulation may include encryption of the data. The SSH packets 63 are then sent via the tunnelled connection to the connection managing server 13₂ (step S617), which decapsulates the TCP packets and forwards them to a specified port and a specified address of the application server 14 (step S618). TCP packets may similarly be sent by the application server 14 to the connection managing server 13₂ and sent, encapsulated in SSH packets, to the client 50 where they are decapsulated (step S619). Thus, a connection is established that provides a channel for data transfer between the node 2 and the application server 14. For example, the node 2 is able to transmit sensor data to the application server 14 as-and-when certain predetermined conditions are met. For example, certain data received from the sensors may cause the node 2 to enter an "alarm" state which causes it to communicate with the server 14. Alternatively, the node 2 may listen for requests from the application server 14 requesting sensor data or other information on a periodic basis or in response to a demand from a user.
The SSH connection between the client 50 and the server 13 may be established using any specified method. Furthermore, many different types of connections between a client 50 and a connection managing server 13 may be established, including, for example, direct TCP connections, PPP-based tunnels, HTTP TCP tunnels, direct TCP port translation and port 80 remote servers. For example, HTTP TCP tunnels embed a TCP network stream in an HTTP connection, which is particularly useful for nodes 2 in access networks 5, 6, 7 whose only external connection is via an HTTP proxy server. Direct TCP port translation involves establishing an SSH connection to a remote server 13 using a non-standard destination port in order to circumvent simple port-based filtering firewalls. Port 80 remote servers are connection managing server applications that listen on port 80 or port 443 (the standard HTTP and HTTPS port numbers) so that, in principle, the node 2 can connect to these via any access network 5, 6, 7 that allows its clients to browse the web, for example. A custom protocol may be used to establish a connection.
It will be appreciated that many other modifications may be made to the embodiments hereinbefore described.
For example, the networks may be of any type and need not be based on TCP/IP or utilise IP addresses.

Claims

1. A device configured to attempt, in a predefined order and until a connection is established, to establish a connection to any one of a predetermined set of network devices using any one of a plurality of predetermined connection protocols via any one of a plurality of predetermined access networks including at least one access network about which the device has no prior network access information, the device configured to attempt to establish the connection via the access network before another access network.
2. A device according to claim 1, comprising controlling means configured to attempt, in a predefined order and until a connection is established, to establish a connection to any one of a predetermined set of network devices using any one of a plurality of predetermined connection protocols via any one of a plurality of predetermined access networks.
3. A device according to claim 1 or 2, comprising: memory; at least one processor; and a plurality of network interfaces; wherein the memory is configured to store the predefined order in which connections should be attempted, the predetermined set of network devices, the plurality of predetermined connection protocols and the plurality of predetermined access networks, and the at least one processor is configured to attempt to establish the connection using a network interface and to determine when the connection is established.
4. A device according to any preceding claim, further configured to send a request to establish a connection to a network device using a connection protocol via an access network, determine whether a response is received from the network device indicating that the requested connection is establishable, in dependence on such a response being received, establish the requested connection and, in dependence on such a response not being received, abort the attempt to establish the connection to the network device using the connection protocol via the access network.
5. A device according to any preceding claim, wherein the connection provides a channel for data transfer between the device and the network device.
6. A device according to any preceding claim, wherein the connection is a tunnelled connection.
7. A device according to any preceding claim, wherein the connection is a secure connection.
8. A device according to any preceding claim, wherein the connection protocol comprises information relating to a data link layer, a network layer, a transport layer, a session layer, a presentation layer and/or an application layer of a protocol stack.
9. A device according to any preceding claim, wherein at least one of the plurality of predetermined connection protocols specifies a name of the network device.
10. A device according to any preceding claim, wherein at least one of the plurality of predetermined connection protocols specifies an Internet protocol address of the network device.
11. A device according to any preceding claim, further configured, according to the connection protocol, to send authentication information to the network device for authenticating the device.
12. A device according to the preceding claim, wherein the authentication information comprises information identifying a public key and wherein the private key corresponding to the public key is a password-free private key.
13. A device according to any preceding claim, further configured, according to the connection protocol, to receive authentication information from the network device for authenticating the network device.
14. A device according to any preceding claim, wherein the connection protocol comprises a Secure Shell protocol.
15. A device according to any preceding claim, wherein at least one of the plurality of predetermined access networks comprises a wireless local area network.
16. A device according to any preceding claim, wherein at least one of the plurality of predetermined access networks comprises a wired network.
17. A device according to any preceding claim, wherein at least one of the plurality of predetermined access networks comprises a mobile telecommunications system.
18. A device according to any preceding claim, further configured to transmit sensor data to the network device using the connection.
19. A device according to any preceding claim, further configured to receive control information from the network device using the connection.
20. A device according to any preceding claim, configured to attempt to establish a connection to the network devices using one connection protocol and one access network, and, in response to failing to establish a connection to any of the network devices, to attempt to establish a connection to the network devices using another connection protocol and/or access network.
21. A device according to any preceding claim, configured to attempt to establish a connection after the device is powered on or after a previously established connection is lost.
22. A system comprising: at least one device according to any preceding claim; a cluster comprising: at least one connection managing server; and at least one application server.
23. A system according to claim 22, wherein the cluster further comprises a round-robin name server.
24. A system according to claim 22 or 23, wherein the connection protocol of at least one of the at least one device comprises an Internet protocol address of a server and instructions instructing the device to establish a new connection to a different Internet protocol address of a different server are sent to the device using the connection.
25. A method of operating a device, the method comprising: attempting, in a predefined order and until a connection is established, to establish a connection to any one of a predetermined set of network devices using any one of a plurality of predetermined connection protocols via any one of a plurality of predetermined access networks including at least one access network about which the device has no prior network access information, and attempting to establish the connection via the access network before another access network.
26. A method according to claim 25, comprising: sending a request to establish a connection to a network device using a connection protocol via an access network; determining whether a response is received from the network device indicating that the requested connection is establishable; in dependence on such a response being received, establishing the requested connection; and, in dependence on such a response not being received, aborting the attempt to establish the connection to the network device using the connection protocol via the access network.
27. A method according to any one of claims 25 to 26, comprising: establishing a tunnelled connection.
28. A method according to any one of claims 25 to 27, comprising: establishing a secure connection.
29. A method according to any one of claims 25 to 28, further comprising: specifying a name of the network device.
30. A method according to any one of claims 25 to 29, further comprising: specifying an Internet protocol address of the network device.
31. A method according to any one of claims 25 to 30, further comprising: sending authentication information to the network device for authenticating the device.
32. A method according to any one of claims 25 to 31, further comprising: receiving authentication information from the network device for authenticating the network device.
33. A method according to any one of claims 25 to 32, further comprising: connecting using a Secure Shell protocol.
34. A method according to any one of claims 25 to 33, comprising: attempting to establish a connection to the network devices using one connection protocol and one access network; and, in response to failing to establish a connection to any of the network devices, attempting to establish a connection to the network devices using another connection protocol and/or access network.
35. A computer program comprising instructions which, when executed by a processor, perform a method according to any one of claims 25 to 34.
36. A computer-readable medium storing a computer program according to claim 35.
PCT/GB2008/051230 2008-01-03 2008-12-29 Establishing a connection to a network device WO2009083737A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0800070A GB2456148B (en) 2008-01-03 2008-01-03 Establishing a connection to a network device
GB0800070.5 2008-01-03

Publications (2)

Publication Number Publication Date
WO2009083737A2 true WO2009083737A2 (en) 2009-07-09
WO2009083737A3 WO2009083737A3 (en) 2009-08-27

Family

ID=39111096

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2008/051230 WO2009083737A2 (en) 2008-01-03 2008-12-29 Establishing a connection to a network device

Country Status (2)

Country Link
GB (1) GB2456148B (en)
WO (1) WO2009083737A2 (en)


Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08868423; Country of ref document: EP; Kind code of ref document: A2)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08868423; Country of ref document: EP; Kind code of ref document: A2)