WO2012163428A1 - Multiple cpu architecture platform network firewall - Google Patents

Info

Publication number
WO2012163428A1
Authority
WO
WIPO (PCT)
Prior art keywords
data packet
processor
incoming data
application processor
packet
Prior art date
Application number
PCT/EP2011/059166
Other languages
French (fr)
Inventor
Liang YUAN
Jacob Lerenius
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Priority to EP11725399.7A (patent EP2705640B1)
Priority to PCT/EP2011/059166 (patent WO2012163428A1)
Priority to CN201180068333.2A (patent CN103384992B)
Publication of WO2012163428A1
Priority to US14/094,012 (patent US9525663B2)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/26 Power supply means, e.g. regulation thereof
    • G06F1/32 Means for saving power
    • G06F1/3203 Power management, i.e. event-based initiation of a power-saving mode
    • G06F1/3206 Monitoring of events, devices or parameters that trigger a change in power modality
    • G06F1/3209 Monitoring remote activity, e.g. over telephone lines or network connections
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/26 Power supply means, e.g. regulation thereof
    • G06F1/32 Means for saving power
    • G06F1/3203 Power management, i.e. event-based initiation of a power-saving mode
    • G06F1/3234 Power saving characterised by the action undertaken
    • G06F1/3287 Power saving characterised by the action undertaken by switching off individual functional units in the computer system
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/26 Power supply means, e.g. regulation thereof
    • G06F1/32 Means for saving power
    • G06F1/3203 Power management, i.e. event-based initiation of a power-saving mode
    • G06F1/3234 Power saving characterised by the action undertaken
    • G06F1/3293 Power saving characterised by the action undertaken by switching to a less power-consuming processor, e.g. sub-CPU
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/088 Access security using filters or firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02 Terminal devices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Definitions

  • In the active mode, application processors typically require more power to operate than communication processors. However, when the user of the device is not actively using the device, the application processor is generally not needed. Thus, the application processor can be shut down or placed in a sleep or idle mode to conserve power. In the event that incoming push data is received, the application processor can be powered up to receive and process the incoming data. This type of traffic is typically processed through a firewall in the application processor of the device. In the case of unwanted data, this can require unnecessary operation of the application processor and undesirable power consumption, even without the user's knowledge or benefit.
  • the exemplary embodiments overcome one or more of the above or other disadvantages known in the art.
  • the system includes a communication processor and an application processor communicatively coupled to the communication processor.
  • the communication processor is configured to detect a receipt of an incoming data packet, initially process at least a portion of the incoming data packet in the communication processor to determine if the incoming packet satisfies a first set of pre-determined criteria, and automatically enable a transfer of the incoming data packet to the application processor depending upon an outcome of the initial processing of the incoming data packet.
  • the disclosed embodiments are directed to a method.
  • the method includes detecting a receipt of an incoming data packet in a multi-processor communication device, the multi-processor device including at least a communication processor and an application processor, initially processing at least a portion of the incoming data packet in the communication processor to determine if the incoming packet satisfies a first set of pre-determined criteria, and enabling a transfer of the incoming data packet to the application processor depending upon an outcome of the initial processing.
  • FIG. 1 is a block diagram of an exemplary communication system incorporating aspects of the disclosed embodiments.
  • FIG. 2 is a block diagram of an exemplary user equipment incorporating aspects of the disclosed embodiments.
  • FIG. 3 is a flow chart illustrating an exemplary process incorporating aspects of the disclosed embodiments.
  • FIGs. 4A-4C represent exemplary current profiles for a communication processor and application processor in a system incorporating aspects of the disclosed embodiments.
  • Fig. 5 is a block diagram of an exemplary device that can be used to practice aspects of the disclosed embodiments.
  • the communication system 100 generally includes a core communication network or system 102 that is configured to be in communication with an information and data network 104, such as the Internet, and a user equipment or device 106.
  • the network 102 is a wireless communication system, such as a cellular telephone network, wireless local area network or Wi-Fi network, for example.
  • a data connection 108 is configured to enable communication between the core network 102 and the user equipment 106.
  • the user equipment or device 106 can comprise a wireless or Wi-Fi enabled device, such as a mobile communication device, cellular communication device.
  • Examples of such devices can include, but are not limited to, personal computing devices, notebooks and notepads, smartphones, cellular telephones, video game consoles, or digital audio and video players.
  • the network 102 can be configured to be coupled to, and in communication with, any number of user equipment devices 106, at substantially the same time.
  • the aspects of the disclosed embodiments are generally directed to minimizing power consumption in such user equipment 106 even when the data connection 108 is persistently active.
  • a mirrored network policy that includes a firewall stored on the communication processor 120.
  • Fig. 2 illustrates one embodiment of the network policy structure of the communication processor 120 and the application processor 130.
  • unwanted network traffic can be filtered at an early stage of the processing without the need for the application processor 130 to be woken or activated to handle the data. If the application processor 130 remains in an inactive or idle state, a significant amount of power is conserved. The time spent handling the data is also significantly reduced.
  • the filtering on the communication processor 120 is done by introducing a network stack and a transport stack containing a firewall 202 as is shown in Fig. 2.
  • the firewall 202 implemented on the communication processor 120 can include packet filtering, port filtering and/or packet content filtering.
  • the firewall 202 generally comprises a firewall rules management module 204, a network stack module 206 and a packet filter module 208.
  • the network stack module 206 generally comprises a transmission control protocol module 210, a user datagram protocol module 212 and an Internet protocol module 214, as those are generally understood in the art.
  • the packet filter module 208 generally includes a transmission control protocol filter module 216, a user datagram protocol filter module 218 and an Internet protocol filter module 220.
  • the application processor 130 includes a firewall rules client module 230 and a network stack module 232.
  • the network stack module 232 which can also be referred to as an Internet protocol suite, includes a transmission control protocol module 234, a user datagram protocol module 236 and an Internet protocol module 238, as those are generally understood in the art.
  • the communication processor 120 can also include a packet service network interface module 222, a data link layer module 224 and a WCDMA/GPRS/CDMA module 226.
  • a shared memory 228 can be used to transfer information and data to and between the communication processor 120 and the application processor 130.
  • the communication processor 120 may communicate with the application processor 130 using any suitable interface, including for example, a universal serial bus or other proprietary interface.
  • the application processor 130 can include a virtual network interface 240 to facilitate the exchange and transfer of the information and data.
  • Fig. 3 is a flowchart illustrating an exemplary process flow incorporating aspects of the disclosed embodiments.
  • the communication processor 120 detects and/or receives 302 an incoming network packet, also referred to herein as a "packet."
  • a packet can include a formatted unit or block of data carried by a packet mode computer network.
  • the term packets, as used herein, will also include datagrams, as applicable.
  • the communication processor 120 is configured to process 304 at least a portion of the incoming packet according to a first pre-determined criteria.
  • a determination 306 is made as to whether the packet satisfies the first pre-determined criteria.
  • the pre-determined criteria can include for example, general firewall processing such as extracting source/destination IP addresses, port and protocol information of the incoming packet or if the packet passes certain packet filter rules.
  • the packet filter rules can be established in any suitable manner.
  • the communication processor 120 can automatically enable the incoming data packet to be forwarded 310 to the application processor 130 for processing 312.
  • the communication processor 120 is configured to be able to process the incoming data packet without waking, or changing a state of the application processor 130.
  • the packet can be processed 320 in the packet filter and/or network protocol stack of the communication processor. If the first criteria is satisfied a determination 308 is made as to whether or not a state of the application processor is active or inactive. In one embodiment, the firewall 202 on the communication processor 120 will determine 308 if a state or status of the application processor 130 is active or idle. In alternate embodiments, any suitable process can be used to determine 308 the state of the application processor 130, including for example, monitoring a status indicator of the application processor 130. In the active state, the application processor 130 is powered on and is processing, or is ready to process data, which in this example could be the received packet.
  • the packet is forwarded 310 to the application processor 130 for processing.
  • the packet is forwarded 310 from the communication processor 120, or a memory location associated with the communication processor 120, to the application processor 130.
  • the communication processor 120 communicates with the application processor 130 via the shared memory 228.
  • the firewall 202 in the communication processor 120 processes 314 the received packet according to a second set of predetermined criteria.
  • the packet is processed 314 in the packet filter 208 of the firewall 202 of the communication processor 120.
  • the processing 314 of the packet by the packet filter 208 can include processing the packet according to rules set in the TCP Firewall Filter 216, UDP Firewall Filter 218 and IP firewall filter 220.
  • the packet filter 208 extracts the source/destination IP addresses, the source/destination port and protocol information associated with the packet, and uses this information to process the packet according to the firewall rules.
  • a determination 316 is made as to whether the packet passes the IP Firewall Rules, as can be defined in the Firewall Rules Management module 204. If the packet fails to pass the IP Firewall Rules, which rules can be set or established by the application processor 130, the packet is determined 316 to be an unsolicited packet. The unsolicited packet will then be handled 320 by the network protocol stack 206 on the communication processor 120, without waking the application processor 130, in a manner as will generally be understood.
  • If the packet passes the IP Firewall Rules, the packet is determined 316 to be a solicited packet. In the case of the application processor 130 being in the inactive or sleep state, the state of the application processor is enabled to be changed 318 to an active state. The packet is then forwarded 310 to the application processor 130. The processor 130 then processes 312 the packet according to the rules established in the firewall rules client 230 and the TCP/UDP/IP protocol stack 234-238. In one embodiment, a virtual network interface 240 communicates with the memory 228 for enabling communication and the transfer of data and information between the communication processor 120 and the application processor 130.
  • the virtual network interface 240 can comprise a modem network interface emulated as an Ethernet network interface communicatively coupled between the shared memory device 228 and the application processor device 130.
  • any suitable interface can be utilized to enable communication and the transfer of data and information to and between the communication processor 120 and the application processor 130.
  • the Firewall Rules Management module 204 can be used to establish and implement rules as established by the application processor 130. For example, to create firewall rules, in one embodiment, when an application being executed by the application processor 130 establishes a network or data connection, or listens on a port, the Firewall Rules Client module 230 will send a data connection request that includes the port number and the protocol type to the Firewall Rules Management module 204 on the communication processor 120. The Firewall Rules Management module 204 will create a firewall rule(s), and apply the new rule(s).
  • the rules for the firewall can be configured by the application processor 130, changed by the application processor 130 at run time, set by either the application processor 130 or communication processor 120 at boot time, hard coded in executable, or provided in a file or table for lookup.
  • the file or table for lookup could be provided in the user equipment 106 or be set by an external party, such as an operator, for example.
  • the Firewall Rules Client 230 will send a request that includes the port number and protocol type to the Firewall Rules Management module 204.
  • the Firewall Rules Management module 204 removes the related firewall rule(s) and applies the new rule(s).
  • Figs. 4A-4C are graphs illustrating power consumption performance in a system incorporating aspects of the disclosed embodiments.
  • the current profile line 410 corresponds to the power consumption of the firewall on the communication processor 120 during 15 ping requests from the Internet 110.
  • the current profile line 420 illustrates the power consumption of the device 106.
  • Fig. 4C compares the current profile of a device 106 incorporating an application processor 130 of the disclosed embodiments, as represented by line 440, versus a device that is not using such an application processor, as represented by line 430.
  • the power consumption is decreased by approximately 36 mA RMS during the time of receiving the packets. During this time, the application processor 130 is not active.
  • the user equipment 106 may be capable of operating in accordance with any of a number of communication protocols.
  • these protocols can include, but are not limited to, second generation (2G) communication protocols IS-136, time division multiple access (TDMA), global system for mobile communication (GSM), IS-95 code division multiple access (CDMA), third generation (3G) communication protocols, such as Universal Mobile Telecommunications System (UMTS), CDMA2000, wideband CDMA (WCDMA), time division-synchronous CDMA (TD-SCDMA), 3.9 generation (3.9G) wireless communication protocols, such as Evolved Universal Terrestrial Radio Access Network (E-UTRAN) or wireless communication projects, such as long term evolution (LTE) or fourth generation (4G) communication protocols.
  • the user equipment 106 may be capable of operating in accordance with a non-cellular communication protocol or environment.
  • the user equipment 106 may be capable of communication in a wireless local area network (WLAN).
  • the user equipment 106 may also be configured to communicate in accordance with techniques such as radio frequency (RF), infrared (IrDA), or any of a number of WLAN techniques.
  • the user equipment 106 may communicate using one or more of the following WLAN techniques: IEEE 802.11, e.g., 802.11a, 802.11b, 802.11g or 802.11n.
  • the user equipment 106 may also communicate using a world interoperability for microwave access (WiMAX) technique, such as IEEE 802.16, and/or a wireless personal area network (WPAN) technique, such as IEEE 802.15, BlueTooth (BT), or ultra wideband (UWB).
  • the communications protocols described above may use signals.
  • the signals may comprise signaling information in accordance with the air interface standard of the applicable cellular system, user speech, received data, user generated data, and/or the like.
  • the user equipment 106 may be capable of operating with one or more air interface standards, communication protocols, modulation types, or access types.
  • TCP transport layer protocols
  • other transport layer protocols that can be handled by the firewall 202 implemented on the communication processor 120 can include, but are not limited to ATP, CUDP, DCCP, PCP, IL, NBF, SCTP, SPX, SST, UDP Lite, ⁇ , or other network protocols where TCP and UDP are the most common protocols that generate the problems solved by the disclosed embodiments.
  • Fig. 5 illustrates a block diagram of a user equipment 106 comprising an electronic device 500 that can be used to implement aspects of the disclosed embodiments.
  • the device 500 includes at least one antenna 502 in communication with a transmitter 504 and a receiver 506.
  • the electronic device 500 may further comprise a processing device(s) or processor(s) 508, or other processing component.
  • instead of a single processor for handling all functions of the electronic device 500, the processor 508 comprises a multi-core processor that allows each individual core to provide specific processing functions, including communication and application specific functions.
  • the processor 508 comprises the communication processor 120 and application processor 130 illustrated in Figs. 2 and 3.
  • the processor 508 may provide at least one signal to the transmitter 504 and may receive at least one signal from the receiver 506 in a suitable fashion.
  • the processor 508 may include one or more devices configured to execute instructions.
  • the execution of computer readable program code (e.g., groups of computer-executable instructions stored in a memory) by the processor 508 may cause the device 500 to perform the processes generally described herein including, for example, method steps that may result in data, events or other output activities.
  • the processor 508 may be a dedicated (e.g., monolithic) microprocessor device, or may be part of a composite device such as an ASIC, gate array, multi-chip module (MCM), etc.
  • the processor 508 may be electronically coupled to other functional components in the device 500 via a wired or wireless bus.
  • processor 508 may access memory 512 in order to obtain stored information (e.g., program code, data, etc.) for use during processing.
  • the memory 512 may generally include removable or imbedded memories that operate in a static or dynamic mode. Further, memory 512 may include read only memories (ROM), random access memories (RAM), and rewritable memories such as Flash, EPROM, etc.
  • Computer readable program code may include any interpreted or compiled computer language including computer-executable instructions.
  • the electronic device 500 may also comprise one or more memory devices 512, which can be part of the electronic device 500 or remotely coupled to the electronic device 500 and processor 508.
  • the electronic device 500 can include one or more interfaces 510 that may also be coupled to various components in the electronic device 500. These interfaces 510 may allow for inter-apparatus communication (e.g., a software or protocol interface), apparatus-to-apparatus communication (e.g., a wired or wireless communication interface) and even apparatus to user communication (e.g., a user interface). These interfaces 510 generally allow components within electronic device 500, other apparatuses and users, to interact with the electronic device 500.
  • interfaces 510 may communicate machine-readable data, such as electronic, magnetic or optical signals embodied on a computer readable medium, or may translate the actions of users into activity that may be understood by the electronic device 500 (e.g., typing on a keyboard 516, speaking into the microphone 520 of a cellular handset or touching an icon on a touch screen display or device 518). Interfaces 510 may further allow processor 508 and/or memory 512 to interact with other modules 514.
  • other modules 514 may comprise one or more components supporting more specialized functionality provided by the electronic device 500, including for example, the firewall rule management, network stack and packet filtering functionality.
  • the electronic device 500 may also comprise a user interface comprising one or more input or output devices, such as a conventional earphone or speaker 522, a ringer 524, a microphone 520, and a display 518.
  • the one or more output devices of the user interface may be coupled to the processor 508.
  • the electronic device 500 may also comprise a power source 526, such as a battery, for powering various circuits to operate the electronic device 500.
  • the processor 508 of the electronic device 500 may comprise circuitry for implementing audio feature, logic features, and/or the like.
  • the processor 508 may comprise one or more digital signal processor devices, microprocessor devices, digital to analog converters, or other support circuits.
  • the control and signal processing features of the processor 508 as generally referred to herein may be allocated between devices, such as the communication processor 120 and application processor 130 devices described above, according to their respective capabilities.
  • the processor 508 may also comprise an internal voice coder and/or an internal data modem.
  • the processor 508 may comprise features to operate one or more software programs and execute the processes generally described herein.
  • the processor 508 may be capable of operating a software program for connectivity, such as a conventional Internet browser.
  • the connectivity program may allow the electronic device 500 to transmit and receive Internet content, such as location-based content, or other web page content.
  • the electronic device 500 may use a wireless application protocol (WAP), hypertext transfer protocol (HTTP), file transfer protocol (FTP), or other such similar data transfer protocols to transmit and/or receive the Internet content.
  • the aspects of the disclosed embodiments reduce power consumption in a communication device by providing a mirrored network policy that is stored on the communication processor of a device that includes an application processor and a communications processor.
  • a firewall is implemented on the communication processor that uses rules from the application processor, or another separate processor, where the firewall includes packet filtering, port filtering and/or packet content filtering.
  • the application processor is typically idled or inactive when not used. Unwanted data traffic can be filtered at an early stage without the need for the communication processor to wake the application processor to handle the data.
  • the filtering is carried out by introducing a network stack and a transport stack containing a firewall on the communication processor portion of the device. Since the application processor does not need to awaken to handle this data, a significant amount of power is conserved, and the time spent handling the data traffic or request is also significantly reduced, which also improves total performance.
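
The Fig. 3 decision flow and the port/protocol rule registration described in the list above, sketched in C as an added example; this is not code from the patent or from the assignee. The function names, the fixed-size rule table, and the choice of "parses as an unfragmented IPv4 TCP/UDP packet" as the first criteria are assumptions, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict {
    V_HANDLE_ON_CP,     /* step 320: CP network stack handles it, AP stays asleep */
    V_FORWARD,          /* step 310: AP already active, forward directly */
    V_WAKE_AND_FORWARD  /* steps 318 then 310: solicited packet, wake AP */
};

struct rule { uint8_t proto; uint16_t port; int used; };
struct flow { uint8_t proto; uint32_t src, dst; uint16_t sport, dport; };

#define MAX_RULES 16
static struct rule rules[MAX_RULES];  /* hypothetical mirrored rule table on the CP */

static int rule_find(uint8_t proto, uint16_t port) {
    for (int i = 0; i < MAX_RULES; i++)
        if (rules[i].used && rules[i].proto == proto && rules[i].port == port)
            return i;
    return -1;
}

/* Rules client request: an application on the AP connected or listens on a port. */
int rule_add(uint8_t proto, uint16_t port) {
    if (rule_find(proto, port) >= 0) return 0;
    for (int i = 0; i < MAX_RULES; i++)
        if (!rules[i].used) {
            rules[i].proto = proto; rules[i].port = port; rules[i].used = 1;
            return 0;
        }
    return -1;  /* table full: fail closed, traffic to this port stays unsolicited */
}

/* Rules client request: the connection or listening port was closed. */
int rule_remove(uint8_t proto, uint16_t port) {
    int i = rule_find(proto, port);
    if (i < 0) return -1;
    rules[i].used = 0;
    return 0;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Assumed first criteria: extract addresses, ports and protocol, rejecting
 * anything too short, inconsistent or fragmented. Checksums are not verified. */
int parse_ipv4(const uint8_t *p, size_t len, struct flow *f) {
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    size_t total = ((size_t)p[2] << 8) | p[3];
    if (ihl < 20 || total > len || total < ihl + 4) return -1;
    if ((p[6] & 0x3f) || p[7]) return -1;    /* MF set or offset != 0: no reliable ports */
    if (p[9] != 6 && p[9] != 17) return -1;  /* only TCP (6) and UDP (17) carry ports here */
    f->proto = p[9];
    f->src = be32(p + 12);
    f->dst = be32(p + 16);
    f->sport = (uint16_t)((p[ihl] << 8) | p[ihl + 1]);
    f->dport = (uint16_t)((p[ihl + 2] << 8) | p[ihl + 3]);
    return 0;
}

/* Decision made on the communication processor for one incoming packet. */
enum verdict cp_decide(const uint8_t *pkt, size_t len, int ap_active) {
    struct flow f;
    if (parse_ipv4(pkt, len, &f) != 0) return V_HANDLE_ON_CP;  /* 306 fails */
    if (ap_active) return V_FORWARD;                           /* 308 -> 310 */
    if (rule_find(f.proto, f.dport) < 0) return V_HANDLE_ON_CP; /* 316: unsolicited */
    return V_WAKE_AND_FORWARD;                                 /* 316: solicited */
}

/* Constructed sample input: 20-byte IPv4 header plus 8 bytes of TCP/UDP header. */
size_t make_packet(uint8_t *buf, uint8_t proto, uint16_t dport) {
    memset(buf, 0, 28);
    buf[0] = 0x45; buf[3] = 28; buf[8] = 64; buf[9] = proto;
    buf[12] = 198; buf[13] = 51; buf[14] = 100; buf[15] = 7;  /* src 198.51.100.7 */
    buf[16] = 10; buf[19] = 2;                                /* dst 10.0.0.2 */
    buf[20] = 0xc0; buf[21] = 0x01;                           /* src port 49153 */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return 28;
}

int main(void) {
    uint8_t b[28];
    rule_add(6, 993);  /* hypothetical: a mail client on the AP opened TCP 993 */
    size_t n = make_packet(b, 6, 993);
    printf("TCP 993, AP asleep: verdict %d\n", cp_decide(b, n, 0));
    n = make_packet(b, 6, 23);
    printf("TCP 23,  AP asleep: verdict %d\n", cp_decide(b, n, 0));
    return 0;
}
```

Note that, as in the flow described above, a packet arriving while the application processor is already active is forwarded without consulting the mirrored rules, so the firewall rules client and stack on the application processor remain the filter for that case.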

Abstract

A system includes a communication processor and an application processor communicatively coupled to the communication processor. The communication processor is configured to detect a receipt of an incoming data packet, initially process at least a portion of the incoming data packet in the communication processor to determine if the incoming packet satisfies a first set of pre-determined criteria and automatically enable a transfer of the incoming data packet to the application processor depending upon an outcome of the initial processing of the incoming data packet.

Description

MULTIPLE CPU ARCHITECTURE PLATFORM NETWORK FIREWALL
BACKGROUND
[0001] The present disclosure generally relates to communication devices, and more particularly to a firewall implemented on a communication processor of a multiprocessor communication device to control power consumption in communication devices.
[0002] In a traditional communication network, such as a mobile communication network, data channel or connection requests would generally be initiated by the client device or handset, also referred to herein as a mobile terminal or device. The active use of a data connection by the device generally consumes power which, in a battery operated mobile device, is an operational factor and concern. Network traffic over the Internet to a mobile device generally involves the processing of the packets that comprise an Internet protocol ("IP") stack, also referred to as a "network" protocol stack.
[0003] In a multi-processor system or device, certain communication related operations, such as monitoring control indicators for incoming calls, can be handled by a processing unit or device that is commonly referred to as a baseband or communication processor. Complex operations, such as those required for implementing certain functions and application of a device such as a smart phone, can be handled by general purpose microprocessors, generally referred to as application processors. The application processor can be used to implement functions such as, but not limited to, media playback functions, email display functions, word processing and web browsing functions. The information processing of the IP packets is typically executed in the application processor of the multi-processor device.
[0004] IP packets are received on the communication processor side of the mobile device. The packets are forwarded from the communication processor to the application processor for processing and, in some cases, depending on the particular communication protocol of the packet, a response or acknowledgment must be sent back to the network from the application processor via the communication processor. For example, when a packet arrives from the network, such as an incoming mail notification, the communication processor will wake the application processor to process the incoming packet. In the case of unwanted data packets, the response from the application processor can be simply a termination of the IP connection or another action not necessarily needing the attention from the application processor. The processing of the unwanted data by the application processor consumes a significant amount of power, which is a concern with these battery operated mobile devices.
[0005] In the past, to conserve battery life of the device, when the data connection was not needed or not active, the connection would be shut down. This minimized the need for the application processor to receive and process unwanted data packets. While turning off the data connection will reduce the processing and associated energy consumption, merely turning off the IP connection is becoming a less desirable option, because by turning off the IP or data connection, many programs will not function properly. For example, with advanced communication services such as push email, a persistent or always active data connection between the device and the Internet is required. The mobile device must be able to persistently receive packets of data from those services in order to notify the mobile device of the existence of new electronic mail messages. The need for push network traffic means that some mobile terminals, most typically smart phones, must continually monitor and receive data traffic related to certain communication related operations, which requires an open data connection. Since the connection is always open by default, numerous amounts of traffic can be received and processed by the mobile device, including unwanted or undesirable traffic.
[0006] In the active mode, application processors typically require more power to operate than communication processors. However, when the user of the device is not actively using the device, the application processor is generally not needed. Thus, the application processor can be shut down or placed in a sleep or idle mode to conserve power. In the event that incoming push data is received, the application processor can be powered up to receive and process the incoming data. This type of traffic is typically processed through a firewall in the application processor of the device. In the case of unwanted data, this can require unnecessary operation of the application processor and undesirable power consumption, even without the user's knowledge or benefit.
[0007] It would be advantageous to minimize device battery consumption in a communication device even when the data connection is persistently active or enabled. It would also be advantageous to minimize use of the application processor in a multi-processor device for providing push network services.
[0008] Accordingly, it would be desirable to provide a system that addresses at least some of the problems identified.
BRIEF DESCRIPTION OF THE EMBODIMENTS
[0009] As described herein, the exemplary embodiments overcome one or more of the above or other disadvantages known in the art.
[0010] One aspect of the exemplary embodiments relates to a system. In one embodiment, the system includes a communication processor and an application processor communicatively coupled to the communication processor. The communication processor is configured to detect a receipt of an incoming data packet, initially process at least a portion of the incoming data packet in the communication processor to determine if the incoming packet satisfies a first set of pre-determined criteria, and automatically enable a transfer of the incoming data packet to the application processor depending upon an outcome of the initial processing of the incoming data packet.
[0011] In another aspect, the disclosed embodiments are directed to a method. In one embodiment, the method includes detecting a receipt of an incoming data packet in a multi-processor communication device, the multi-processor device including at least a communication processor and an application processor, initially processing at least a portion of the incoming data packet in the communication processor to determine if the incoming packet satisfies a first set of pre-determined criteria, and enabling a transfer of the incoming data packet to the application processor depending upon an outcome of the initial processing.
[0012] These and other aspects and advantages of the exemplary embodiments will become apparent from the following detailed description considered in conjunction with the accompanying drawings. It is to be understood, however, that the drawings are designed solely for purposes of illustration and not as a definition of the limits of the invention, for which reference should be made to the appended claims. Moreover, the drawings are not necessarily drawn to scale and that, unless otherwise indicated, they are merely intended to conceptually illustrate the structures and procedures described herein. In addition, any suitable size, shape or type of elements or materials could be used.
BRIEF DESCRIPTION OF THE DRAWINGS
In the drawings:
[0013] Fig. 1 is a block diagram of an exemplary communication system incorporating aspects of the disclosed embodiments.
[0014] Fig. 2 is a block diagram of an exemplary user equipment incorporating aspects of the disclosed embodiments.
[0015] Fig. 3 is a flow chart illustrating an exemplary process incorporating aspects of the disclosed embodiments.
[0016] Figs. 4A-4C represent exemplary current profiles for a communication processor and application processor in a system incorporating aspects of the disclosed embodiments.
[0017] Fig. 5 is a block diagram of an exemplary device that can be used to practice aspects of the disclosed embodiments.
DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS
[0018] Referring to Fig. 1, an exemplary communication system incorporating aspects of the disclosed embodiments is generally designated by reference numeral 100. As shown in Fig. 1, the communication system 100 generally includes a core communication network or system 102 that is configured to be in communication with an information and data network 104, such as the Internet, and a user equipment or device 106. In one embodiment, the network 102 is a wireless communication system, such as a cellular telephone network, wireless local area network or Wi-Fi network, for example. A data connection 108, as is further described herein, is configured to enable communication between the core network 102 and the user equipment 106. The user equipment or device 106 can comprise a wireless or Wi-Fi enabled device, such as a mobile communication device or cellular communication device. Examples of such devices can include, but are not limited to, personal computing devices, notebooks and notepads, smartphones, cellular telephones, video game consoles, or digital audio and video players. Although the exemplary embodiments will be described herein with respect to a single user equipment 106, it will be understood that in alternate embodiments, the network 102 can be configured to be coupled to, and in communication with, any number of user equipment devices 106, at substantially the same time. The aspects of the disclosed embodiments are generally directed to minimizing power consumption in such user equipment 106 even when the data connection 108 is persistently active.
[0019] The aspects of the disclosed embodiments provide a mirrored network policy that includes a firewall stored on the communication processor 120. Fig. 2 illustrates one embodiment of the network policy structure of the communication processor 120 and the application processor 130. By providing a mirrored network policy on the communication processor 120, unwanted network traffic can be filtered at an early stage of the processing without the need for the application processor 130 to be woken or activated to handle the data. If the application processor 130 remains in an inactive or idle state, a significant amount of power is conserved. The time spent handling the data is also significantly reduced.
[0020] The filtering on the communication processor 120 is done by introducing a network stack and a transport stack containing a firewall 202 as is shown in Fig. 2. The firewall 202 implemented on the communication processor 120 can include packet filtering, port filtering and/or packet content filtering. In one embodiment, the firewall 202 generally comprises a firewall rules management module 204, a network stack module 206 and a packet filter module 208. The network stack module 206 generally comprises a transmission control protocol module 210, a user datagram protocol module 212 and an Internet protocol module 214, as those are generally understood in the art. The packet filter module 208 generally includes a transmission control protocol filter module 216, a user datagram protocol filter module 218 and an Internet protocol filter module 220.
[0021] The application processor 130 includes a firewall rules client module 230 and a network stack module 232. The network stack module 232, which can also be referred to as an Internet protocol suite, includes a transmission control protocol module 234, a user datagram protocol module 236 and an Internet protocol module 238, as those are generally understood in the art.
[0022] In one embodiment, the communication processor 120 can also include a packet service network interface module 222, a data link layer module 224 and a WCDMA/GPRS/CDMA module 226. A shared memory 228 can be used to transfer information and data to and between the communication processor 120 and the application processor 130. In alternate embodiments the communication processor 120 may communicate with the application processor 130 using any suitable interface, including for example, a universal serial bus or other proprietary interface.
[0023] In one embodiment, the application processor 130 can include a virtual network interface 240 to facilitate the exchange and transfer of the information and data.
[0024] The aspects of the disclosed embodiments generally provide two basic services in the communication processor 120, including packet filtering and firewall rules management. Fig. 3 is a flowchart illustrating an exemplary process flow incorporating aspects of the disclosed embodiments. Referring to Figs. 2 and 3, the communication processor 120 detects and/or receives 302 an incoming network packet, also referred to herein as a "packet." As will be generally understood, a packet can include a formatted unit or block of data carried by a packet mode computer network. The term "packets" as is used herein will also include datagrams, as is applicable. In one embodiment, the communication processor 120 is configured to process 304 at least a portion of the incoming packet according to a first pre-determined criteria. A determination 306 is made as to whether the packet satisfies the first pre-determined criteria. In one embodiment, the pre-determined criteria can include for example, general firewall processing such as extracting source/destination IP addresses, port and protocol information of the incoming packet or if the packet passes certain packet filter rules. The packet filter rules can be established in any suitable manner. Depending on the outcome of this determination, the communication processor 120 can automatically enable the incoming data packet to be forwarded 310 to the application processor 130 for processing 312. The communication processor 120 is configured to be able to process the incoming data packet without waking, or changing a state of the application processor 130.
[0025] In one embodiment, if the first criteria is not satisfied, the packet can be processed 320 in the packet filter and/or network protocol stack of the communication processor. If the first criteria is satisfied a determination 308 is made as to whether or not a state of the application processor is active or inactive. In one embodiment, the firewall 202 on the communication processor 120 will determine 308 if a state or status of the application processor 130 is active or idle. In alternate embodiments, any suitable process can be used to determine 308 the state of the application processor 130, including for example, monitoring a status indicator of the application processor 130. In the active state, the application processor 130 is powered on and is processing, or is ready to process data, which in this example could be the received packet. If the state of the application processor 130 is determined to be active, the packet is forwarded 310 to the application processor 130 for processing. In one embodiment, the packet is forwarded 310 from the communication processor 120, or a memory location associated with the communication processor 120, to the application processor 130. In one embodiment, as is shown in Fig. 2, the communication processor 120 communicates with the application processor 130 via the shared memory 228.
[0026] If the state of the application processor 130 is determined 308 to be inactive or idle, in one embodiment, the firewall 202 in the communication processor 120 processes 314 the received packet according to a second set of predetermined criteria. In one embodiment, the packet is processed 314 in the packet filter 208 of the firewall 202 of the communication processor 120. The processing 314 of the packet by the packet filter 208 can include processing the packet according to rules set in the TCP Firewall Filter 216, UDP Firewall Filter 218 and IP firewall filter 220. For example, in one embodiment, the packet filter 208 extracts the source/destination IP addresses, the source/destination port and protocol information associated with the packet, and uses this information to process the packet according to the firewall rules.
[0027] A determination 316 is made as to whether the packet passes the IP Firewall Rules, as can be defined in the Firewall Rules Management module 204. If the packet fails to pass the IP Firewall Rules, which rules can be set or established by the application processor 130, the packet is determined 316 to be an unsolicited packet. The unsolicited packet will then be handled 320 by the network protocol stack 206 on the communication processor 120, without waking the application processor 130, in a manner as will generally be understood.
[0028] If the packet passes the IP Firewall Rules, the packet is determined 316 to be a solicited packet. In the case of the application processor 130 being in the inactive or sleep state, the state of the application processor is enabled to be changed 318 to an active state. The packet is then forwarded 310 to the application processor 130. The processor 130 then processes 312 the packet according to the rules established in the firewall rules client 230 and the TCP/UDP/IP protocol stack 234-238. In one embodiment, a virtual network interface 240 communicates with the memory 228 for enabling communication and the transfer of data and information between the communication processor 120 and the application processor 130. The virtual network interface 240 can comprise a modem network interface emulated as an Ethernet network interface communicatively coupled between the shared memory device 228 and the application processor device 130. In alternate embodiments, any suitable interface can be utilized to enable communication and the transfer of data and information to and between the communication processor 120 and the application processor 130.
[0029] The Firewall Rules Management module 204 can be used to establish and implement rules as established by the application processor 130. For example, to create firewall rules, in one embodiment, when an application being executed by the application processor 130 establishes a network or data connection, or listens on a port, the Firewall Rules Client module 230 will send a data connection request that includes the port number and the protocol type to the Firewall Rules Management module 204 on the communication processor 120. The Firewall Rules Management module 204 will create a firewall rule(s), and apply the new rule(s). In one embodiment, the rules for the firewall can be configured by the application processor 130, changed by the application processor 130 at run time, set by either the application processor 130 or communication processor 120 at boot time, hard coded in executable, or provided in a file or table for lookup. The file or table for lookup could be provided in the user equipment 106 or be set by an external party, such as an operator, for example.
[0030] In order to remove a firewall rule(s), if an application is not listening to a port, or the connection is closed, the Firewall Rules Client 230 will send a request that includes the port number and protocol type to the Firewall Rules Management module 204. The Firewall Rules Management module 204 removes the related firewall rule(s) and applies the new rule(s).
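The decision flow of Fig. 3 and the rule add/remove requests of paragraphs [0024] to [0030], written out as an added C example that is not code from the patent. The function names, the fixed-size rule table, matching on destination port, and treating "well-formed, unfragmented IPv4 TCP/UDP with readable ports" as the first criteria are assumptions; the sample packet is constructed.

```c
/* Added illustration of the Fig. 3 flow; not from the patent. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_TCP 6
#define PROTO_UDP 17
#define MAX_RULES 16   /* assumed table size */
enum verdict { HANDLE_ON_CP, FORWARD_TO_AP, WAKE_AND_FORWARD };
struct fw_rule  { bool used; uint8_t proto; uint16_t port; };
struct firewall { struct fw_rule rules[MAX_RULES]; };
struct pkt_info { uint8_t proto; uint16_t sport, dport; };

static struct fw_rule *fw_find(struct firewall *fw, uint8_t proto, uint16_t port)
{
    for (size_t i = 0; i < MAX_RULES; i++)
        if (fw->rules[i].used && fw->rules[i].proto == proto && fw->rules[i].port == port)
            return &fw->rules[i];
    return NULL;
}

/* Rules client request: an application opened a connection or listens on a port. */
bool fw_add_rule(struct firewall *fw, uint8_t proto, uint16_t port)
{
    struct fw_rule *r = fw_find(fw, proto, port);      /* adding twice is a no-op */
    for (size_t i = 0; !r && i < MAX_RULES; i++)
        if (!fw->rules[i].used)
            r = &fw->rules[i];
    if (r)
        *r = (struct fw_rule){ true, proto, port };
    return r != NULL;                                  /* false: table is full */
}

/* Rules client request: the port was closed, so stop waking the AP for it. */
bool fw_remove_rule(struct firewall *fw, uint8_t proto, uint16_t port)
{
    struct fw_rule *r = fw_find(fw, proto, port);
    if (r)
        r->used = false;
    return r != NULL;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Steps 304/306 (assumed first criteria): protocol and ports must be extractable. */
bool fw_extract(const uint8_t *buf, size_t len, struct pkt_info *out)
{
    if (len < 20 || (buf[0] >> 4) != 4)
        return false;                                  /* too short or not IPv4 */
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    size_t total = rd16(buf + 2);
    if (ihl < 20 || total < ihl + 4 || total > len)
        return false;                                  /* bad header or truncated */
    if ((rd16(buf + 6) & 0x1fff) || (buf[9] != PROTO_TCP && buf[9] != PROTO_UDP))
        return false;                                  /* later fragment or other protocol */
    out->proto = buf[9];
    out->sport = rd16(buf + ihl);
    out->dport = rd16(buf + ihl + 2);
    return true;
}

/* Runs on the communication processor (CP); ap_active is the state read in step 308. */
enum verdict fw_classify(struct firewall *fw, const uint8_t *buf, size_t len, bool ap_active)
{
    struct pkt_info pi;
    if (!fw_extract(buf, len, &pi))
        return HANDLE_ON_CP;                           /* 306 fails -> 320 */
    if (ap_active)
        return FORWARD_TO_AP;                          /* 308 active -> 310 */
    if (!fw_find(fw, pi.proto, pi.dport))
        return HANDLE_ON_CP;                           /* 316 unsolicited -> 320 */
    return WAKE_AND_FORWARD;                           /* 316 solicited -> 318, 310 */
}

/* Constructed sample: 20-byte IPv4 header plus 8 transport bytes, checksums left zero. */
size_t make_packet(uint8_t buf[28], uint8_t proto, uint16_t dport)
{
    static const uint8_t tmpl[28] = {
        0x45, 0, 0, 28, 0, 0, 0, 0, 64, 0, 0, 0, 192, 0, 2, 1, 198, 51, 100, 7,
        0xc0, 0x00, 0, 0, 0, 8, 0, 0 };
    memcpy(buf, tmpl, sizeof tmpl);
    buf[9] = proto;
    buf[22] = (uint8_t)(dport >> 8);
    buf[23] = (uint8_t)(dport & 0xff);
    return sizeof tmpl;
}

int main(void)
{
    struct firewall fw = {0};
    uint8_t pkt[28];
    size_t n = make_packet(pkt, PROTO_UDP, 5228);
    fw_add_rule(&fw, PROTO_UDP, 5228);
    printf("AP idle: %d, AP active: %d\n", fw_classify(&fw, pkt, n, false), fw_classify(&fw, pkt, n, true));
    return 0;
}
```

With the application processor active, the rule table is not consulted and the application processor's own firewall rules client 230 decides; the table only gates the wake-up, so a rule that is never removed keeps an otherwise unused port able to wake the device.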
[0031] Figs. 4A-4C are graphs illustrating power consumption performance in a system incorporating aspects of the disclosed embodiments. In Fig. 4A, the current profile line 410 corresponds to the power consumption of the firewall on the communication processor 120 during 15 ping requests from the Internet 110. In Fig. 4B, the current profile line 420 illustrates the power consumption of the device 106. Fig. 4C compares the current profile of a device 106 incorporating an application processor 130 of the disclosed embodiments, as represented by line 440, versus a device that is not using such an application processor, as represented by line 430. As is shown in this example, the power consumption is decreased by approximately 36 mA RMS during the time of receiving the packets. During this time, the application processor 130 is not active.
[0032] Referring again to Fig. 1, in one embodiment, the user equipment 106 may be capable of operating in accordance with any of a number of communication protocols. Examples of these protocols can include, but are not limited to, second generation (2G) communication protocols IS-136, time division multiple access (TDMA), global system for mobile communication (GSM), IS-95 code division multiple access (CDMA), third generation (3G) communication protocols, such as Universal Mobile Telecommunications System (UMTS), CDMA2000, wideband CDMA (WCDMA), time division-synchronous CDMA (TD-SCDMA), 3.9 generation (3.9G) wireless communication protocols, such as Evolved Universal Terrestrial Radio Access Network (E-UTRAN) or wireless communication projects, such as long term evolution (LTE) or fourth generation (4G) communication protocols. The aspects of the disclosed embodiments are not intended to be limited by the particular communication protocol used.
[0033] In one embodiment, the user equipment 106 may be capable of operating in accordance with a non-cellular communication protocol or environment. For example, the user equipment 106 may be capable of communication in a wireless local area network (WLAN). The user equipment 106 may also be configured to communicate in accordance with techniques, such as radio frequency (RF), infrared (IrDA), or any of a number of WLAN techniques. For example, the user equipment 106 may communicate using one or more of the following WLAN techniques: IEEE 802.11, e.g., 802.11a, 802.11b, 802.11g or 802.11n. The user equipment 106 may also communicate via a world interoperability for microwave access (WiMAX) technique, such as IEEE 802.16, and/or a wireless personal area network (WPAN) technique, such as IEEE 802.15, BlueTooth (BT), or ultra wideband (UWB).
[0034] It should be understood that the communications protocols described above may use signals. The signals may comprise signaling information in accordance with the air interface standard of the applicable cellular system, user speech, received data, user generated data, and/or the like. In one embodiment, the user equipment 106 may be capable of operating with one or more air interface standards, communication protocols, modulation types, or access types.
[0035] Although the aspects of the disclosed embodiments are generally described with respect to TCP, UDP and IP layer protocols, other transport layer protocols that can be handled by the firewall 202 implemented on the communication processor 120 can include, but are not limited to ATP, CUDP, DCCP, PCP, IL, NBF, SCTP, SPX, SST, UDP Lite, μTP, or other network protocols where TCP and UDP are the most common protocols that generate the problems solved by the disclosed embodiments.
[0036] Fig. 5 illustrates a block diagram of a user equipment 106 comprising an electronic device 500 that can be used to implement aspects of the disclosed embodiments. In this exemplary embodiment, the device 500 includes at least one antenna 502 in communication with a transmitter 504 and a receiver 506. The electronic device 500 may further comprise a processing device(s) or processor(s) 508, or other processing component. In one embodiment, instead of a single processor for handling all functions of the electronic device 500, the processor 508 comprises a multi-core processor that allows each individual core to provide specific processing functions, including communication and application specific functions. In one embodiment, the processor 508 comprises the communication processor 120 and application processor 130 illustrated in Figs. 2 and 3.
[0037] The processor 508 may provide at least one signal to the transmitter 504 and may receive at least one signal from the receiver 506 in a suitable fashion. The processor 508 may include one or more devices configured to execute instructions. In at least one embodiment, the execution of computer readable program code (e.g., groups of computer-executable instructions stored in a memory) by processor 508 may cause the device 500 to perform the processes generally described herein including, for example, method steps that may result in data, events or other output activities. The processor 508 may be a dedicated (e.g., monolithic) microprocessor device, or may be part of a composite device such as an ASIC, gate array, multi-chip module (MCM), etc.
[0038] The processor 508 may be electronically coupled to other functional components in the device 500 via a wired or wireless bus. For example, processor 508 may access memory 512 in order to obtain stored information (e.g., program code, data, etc.) for use during processing. The memory 512 may generally include removable or imbedded memories that operate in a static or dynamic mode. Further, memory 512 may include read only memories (ROM), random access memories (RAM), and rewritable memories such as Flash, EPROM, etc. Computer readable program code may include any interpreted or compiled computer language including computer-executable instructions. The electronic device 500 may also comprise one or more memory devices 512, which can be part of the electronic device 500 or remotely coupled to the electronic device 500 and processor 508.
[0039] The electronic device 500 can include one or more interfaces 510 that may also be coupled to various components in the electronic device 500. These interfaces 510 may allow for inter-apparatus communication (e.g., a software or protocol interface), apparatus-to-apparatus communication (e.g., a wired or wireless communication interface) and even apparatus to user communication (e.g., a user interface). These interfaces 510 generally allow components within electronic device 500, other apparatuses and users, to interact with the electronic device 500. Further, interfaces 510 may communicate machine-readable data, such as electronic, magnetic or optical signals embodied on a computer readable medium, or may translate the actions of users into activity that may be understood by the electronic device 500 (e.g., typing on a keyboard 516, speaking into the microphone 520 of a cellular handset or touching an icon on a touch screen display or device 518). Interfaces 510 may further allow processor 508 and/or memory 512 to interact with other modules 514. For example, other modules 514 may comprise one or more components supporting more specialized functionality provided by the electronic device 500, including for example, the firewall rule management, network stack and packet filtering functionality.
[0040] In an embodiment, the electronic device 500 may also comprise a user interface comprising one or more input or output devices, such as a conventional earphone or speaker 522, a ringer 524, a microphone 520, and a display 518. In one embodiment, the one or more output devices of the user interface may be coupled to the processor 508.
[0041] In an embodiment, the electronic device 500 may also comprise a power source 526, such as a battery, for powering various circuits to operate the electronic device 500.
[0042] The processor 508 of the electronic device 500 may comprise circuitry for implementing audio features, logic features, and/or the like. For example, the processor 508 may comprise one or more digital signal processor devices, microprocessor devices, digital to analog converters, or other support circuits. The control and signal processing features of the processor 508 as generally referred to herein may be allocated between devices, such as the communication processor 120 and application processor 130 devices described above, according to their respective capabilities. Further, the processor 508 may also comprise an internal voice coder and/or an internal data modem. Further still, the processor 508 may comprise features to operate one or more software programs and execute the processes generally described herein. For example, the processor 508 may be capable of operating a software program for connectivity, such as a conventional Internet browser. Further, the connectivity program may allow the electronic device 500 to transmit and receive Internet content, such as location-based content, or other web page content. In an embodiment, the electronic device 500 may use a wireless application protocol (WAP), hypertext transfer protocol (HTTP), file transfer protocol (FTP), or other such similar data transfer protocols to transmit and/or receive the Internet content.
[0043] The aspects of the disclosed embodiments reduce power consumption in a communication device by providing a mirrored network policy that is stored on the communication processor of a device that includes an application processor and a communications processor. A firewall is implemented on the communication processor that uses rules from the application processor, or another separate processor, where the firewall includes packet filtering, port filtering and/or packet content filtering. To minimize energy consumption, the application processor is typically idled or inactive when not used. Unwanted data traffic can be filtered at an early stage without the need for the communication processor to wake the application processor to handle the data. The filtering is carried out by introducing a network stack and a transport stack containing a firewall on the communication processor portion of the device. Since the application processor does not need to awaken to handle this data, a significant amount of power is conserved, and the time spent handling the data traffic or request is also significantly reduced, which also improves total performance.
[0044] Thus, while there have been shown and described and pointed out fundamental novel features of the invention as applied to the exemplary embodiments thereof, it will be understood that various omissions and substitutions and changes in the form and details of devices illustrated, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those elements and/or method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that structures and/or elements and/or method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.

Claims

What is claimed is:
1. A system comprising:
a communication processor; and
an application processor communicatively coupled to the communication processor;
wherein the communication processor is configured to:
detect a receipt of an incoming data packet;
initially process at least a portion of the incoming data packet in the communication processor to determine if the incoming packet satisfies a first set of pre-determined criteria; and
automatically enable a transfer of the incoming data packet to the application processor depending upon an outcome of the initial processing of the incoming data packet.
2. The system according to claim 1, wherein enabling a transfer of the incoming data packet to the application processor comprises the communication processor determining a state of the application processor and processing the incoming data packet in the communication processor according to a second set of predetermined criteria without changing a state of the application processor.
3. The system according to claim 2, wherein the communication processor is configured to determine if the incoming data packet is a solicited or unsolicited data packet from the second set of predetermined criteria, and if the incoming data packet is an unsolicited data packet, process the incoming data packet in the communication processor without transferring the data packet to the application processor.
4. The system according to claim 3, wherein if the incoming data packet is a solicited data packet and the state of the application processor is inactive, the communication processor is configured to enable a change in state of the application processor to active, and enable a forwarding of the incoming data packet to the application processor for processing.
5. The system according to claim 3, wherein if the incoming data packet is a solicited data packet and the state of the application processor is active, the communication processor is configured to enable a transfer of the incoming data packet to the application processor for processing.
6. The system according to claim 5 wherein when it is determined that the incoming data packet is a solicited packet and that the state of the application processor is inactive, the communication processor is configured to enable an activation of the application processor and automatically enable a transfer of the incoming data packet to the application processor for processing.
7. The system of claim 1 wherein the communication processor comprises a firewall including a packet filter module configured to determine if the incoming data packet satisfies a first set of pre-determined criteria and enable a transfer of the incoming data packet to the application processor for processing upon satisfaction of the first set of pre-determined criteria.
8. The system of claim 7 wherein the packet filter module comprises a transmission control protocol filter module, a user datagram protocol filter module and an Internet protocol filter module.
9. The system of claim 7 wherein the communication processor comprises a network protocol stack module configured to receive and process the incoming data packet from the packet filter module without a change of state of the application processor to active when the first set of pre-determined criteria is not satisfied.
10. The system of claim 9 wherein the network protocol stack comprises a TCP/UDP/IP stack module.
11. The system of claim 1 further comprising a firewall in the communication processor, the firewall configured to automatically process the incoming data packet when the state of the application processor is inactive.
12. The system of claim 11 wherein the firewall comprises a packet filter module.
13. The system of claim 1 further comprising a data connection coupled to the communication processor, the data connection being in a persistently active state.
14. The system of claim 1 wherein the system comprises a mobile communication device.
15. A method comprising:
detecting a receipt of an incoming data packet in a multi-processor communication device, the multi-processor device including at least a communication processor and an application processor;
initially processing at least a portion of the incoming data packet in the communication processor to determine if the incoming packet satisfies a first set of pre-determined criteria; and
enabling a transfer of the incoming data packet to the application processor depending upon an outcome of the initial processing.
16. The method of claim 15, wherein enabling a transfer of the incoming data packet to the application processor comprises:
determining a state of an application processor; and
processing the incoming data packet in the communication processor without changing a state of the application processor.
17. The method of claim 16, wherein processing the incoming data packet in the communication processor comprises determining if the incoming data packet is an unsolicited packet or a solicited packet.
18. The method of claim 17 comprising, if the incoming data packet is an unsolicited packet, processing the incoming data packet in the communication processor without enabling the transfer of the incoming data packet to the application processor.
19. The method of claim 17 comprising, if the incoming data packet is a solicited packet, automatically enabling a transfer of the incoming data packet to the application processor if the state of the application processor is active.
20. The method of claim 19, comprising if the state of the application processor is inactive, automatically enabling a change of state of the application processor to active and enabling a transfer of the incoming data packet to the application processor.
21. The method of claim 15, wherein the processing of the incoming data packet in the communication processor comprises automatically enabling a processing of the data packet by a network protocol stack module in the communication processor if the first set of pre-determined criteria is not satisfied.
22. The method of claim 15 further comprising automatically enabling a change of state of the application processor to an active state when the data packet is transferred to the application processor.
23. The method of claim 15 wherein determining if the incoming data packet satisfies a first set of pre-determined criteria comprises processing the data packet in a packet filter module of the communication processor.
24. The method of claim 23 wherein determining if the incoming data packet satisfies a first set of pre-determined criteria includes processing the data packet in a transmission control protocol filter module, a user datagram protocol filter module or an Internet protocol filter module of the packet filter module.
25. The method of claim 15 wherein the network protocol stack of the communication processor comprises a transmission control protocol stack module, a user datagram protocol stack module and an Internet protocol stack module.
26. The method of claim 15 further comprising automatically enabling an inactive state of the application processor when a data connection for receiving incoming data packets is persistently active.
27. The method of claim 15 wherein the initial processing of at least a portion of the incoming data packet in the communication processor is implemented in a firewall in the communication processor.
28. The method of claim 27, wherein the firewall includes packet filtering, port filtering and packet-content filtering.
29. The method of claim 27, wherein rules for the firewall are configured by the application processor, changed by the application processor at run-time, set by either the communication processor or the application processor at boot time, hard coded in executable code, or provided in a file or table for look-up.
30. A computer program product comprising computer readable program code means for executing the method according to claim 15.
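The decision flow of claims 15 to 21, sketched in C as an added example that is not code from the patent or from the applicant. All names are hypothetical, and two rules are assumptions the claims leave open: the first criteria are taken to be "protocol is TCP or UDP", and a packet counts as solicited when it matches a flow the application processor opened earlier.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum ap_state { AP_INACTIVE, AP_ACTIVE };
enum verdict  { CP_STACK, CP_UNSOLICITED, FORWARDED, WOKE_AND_FORWARDED };

struct pkt  { uint8_t proto; uint32_t src_ip; uint16_t src_port, dst_port; };
struct flow { uint8_t proto; uint32_t peer_ip; uint16_t peer_port, local_port; };

struct cp {                      /* communication-processor firewall state */
    enum ap_state ap;            /* last known application-processor state */
    unsigned wakeups;            /* times the firewall woke the AP */
    struct flow flows[8];        /* assumed: flows the AP itself opened */
    size_t n_flows;
};

/* Record an outbound connection so that its replies count as solicited. */
bool cp_record_outbound(struct cp *cp, struct flow f) {
    if (cp->n_flows == sizeof cp->flows / sizeof cp->flows[0]) return false;
    cp->flows[cp->n_flows++] = f;
    return true;
}

/* First criteria (assumed rule): only TCP (6) and UDP (17) may go further. */
static bool passes_filter(const struct pkt *p) {
    return p->proto == 6 || p->proto == 17;
}

/* Second criteria (assumed rule): exact match against a recorded flow. */
static bool is_solicited(const struct cp *cp, const struct pkt *p) {
    for (size_t i = 0; i < cp->n_flows; i++) {
        const struct flow *f = &cp->flows[i];
        if (f->proto == p->proto && f->peer_ip == p->src_ip &&
            f->peer_port == p->src_port && f->local_port == p->dst_port)
            return true;
    }
    return false;
}

/* Decide on the communication processor; wake the AP only as a last step. */
enum verdict cp_handle(struct cp *cp, const struct pkt *p) {
    if (!passes_filter(p)) return CP_STACK;          /* AP state untouched */
    if (!is_solicited(cp, p)) return CP_UNSOLICITED; /* AP state untouched */
    if (cp->ap == AP_ACTIVE) return FORWARDED;
    cp->ap = AP_ACTIVE;                              /* inactive -> active */
    cp->wakeups++;
    return WOKE_AND_FORWARDED;
}
```

The wakeups counter is the value to watch in testing: unsolicited traffic, however much of it arrives, should leave it unchanged.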
PCT/EP2011/059166 2011-06-02 2011-06-02 Multiple cpu architecture platform network firewall WO2012163428A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP11725399.7A EP2705640B1 (en) 2011-06-02 2011-06-02 Multiple cpu architecture platform network firewall
PCT/EP2011/059166 WO2012163428A1 (en) 2011-06-02 2011-06-02 Multiple cpu architecture platform network firewall
CN201180068333.2A CN103384992B (en) 2011-06-02 2011-06-02 Multiple cpu architecture platform network firewall
US14/094,012 US9525663B2 (en) 2011-06-02 2013-12-02 Multiple CPU architecture platform network firewall

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2011/059166 WO2012163428A1 (en) 2011-06-02 2011-06-02 Multiple cpu architecture platform network firewall

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/094,012 Continuation US9525663B2 (en) 2011-06-02 2013-12-02 Multiple CPU architecture platform network firewall

Publications (1)

Publication Number Publication Date
WO2012163428A1 (en) 2012-12-06

Family

ID=44627027

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2011/059166 WO2012163428A1 (en) 2011-06-02 2011-06-02 Multiple cpu architecture platform network firewall

Country Status (4)

Country Link
US (1) US9525663B2 (en)
EP (1) EP2705640B1 (en)
CN (1) CN103384992B (en)
WO (1) WO2012163428A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104469901A (en) * 2013-09-17 2015-03-25 华为终端有限公司 Method and device for data processing
EP2988191A1 (en) * 2014-08-21 2016-02-24 Samsung Electronics Co., Ltd. Method and electronic device for reducing current consumption by the electronic device
KR20160078464A (en) * 2013-12-27 2016-07-04 인텔 코포레이션 Electronic device having two processors to process data
WO2024058861A1 (en) * 2022-09-13 2024-03-21 Qualcomm Incorporated Modem processor firewall operations

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140181172A1 (en) * 2012-12-20 2014-06-26 Brent J. Elliott Offloading tethering-related communication processing
EP3531676B1 (en) * 2014-11-20 2021-04-28 Huawei Technologies Co., Ltd. Task processing apparatus, intelligent device, task processing method, and baseband processor
WO2016094291A1 (en) 2014-12-08 2016-06-16 Umbra Technologies Ltd. System and method for content retrieval from remote network regions
WO2016093579A1 (en) * 2014-12-09 2016-06-16 Samsung Electronics Co., Ltd. Method and apparatus for controlling multiple processors to reduce current consumption
JP2018508067A (en) 2015-01-06 2018-03-22 アンブラ テクノロジーズ リミテッドUmbra Technologies Ltd. System and method for neutral application programming interface
EP3251301A4 (en) 2015-01-28 2018-10-10 Umbra Technologies Ltd. System and method for a global virtual network
JP2018515974A (en) 2015-04-07 2018-06-14 アンブラ テクノロジーズ リミテッドUmbra Technologies Ltd. System and method for providing virtual interfaces and advanced smart routing in a global virtual network (GVN)
US10321395B2 (en) * 2015-04-10 2019-06-11 Huawei Technologies Co., Ltd. Data packet processing method and related device
WO2016198961A2 (en) 2015-06-11 2016-12-15 Umbra Technologies Ltd. System and method for network tapestry multiprotocol integration
US11360945B2 (en) 2015-12-11 2022-06-14 Umbra Technologies Ltd. System and method for information slingshot over a network tapestry and granularity of a tick
CN109416680B (en) 2016-04-26 2023-02-17 安博科技有限公司 Sling routing logic and load balancing
WO2018119923A1 (en) * 2016-12-29 2018-07-05 华为技术有限公司 Communication method and mobile terminal
US11409351B2 (en) * 2019-08-22 2022-08-09 Hughes Network Systems, Llc Smart filtering of frames to improve low-power time
CN112752329B (en) 2019-10-30 2022-12-13 北京小米移动软件有限公司 Event notification method, device, mobile terminal and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999035557A2 (en) * 1998-01-07 1999-07-15 Microsoft Corporation System and method for receiving wireless information on a mobile device
EP1317115A2 (en) * 2001-11-29 2003-06-04 Stonesoft Corporation A firewall for filtering tunneled data packets
US20100056209A1 (en) * 2008-09-01 2010-03-04 Lenovo (Beijing) Limited Mobile terminal and method for switching states thereof

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3007494A4 (en) * 2013-09-17 2016-07-13 Huawei Device Co Ltd Data processing method and device
CN104469901B (en) * 2013-09-17 2018-09-07 华为终端(东莞)有限公司 The method and device of data processing
US9838509B2 (en) 2013-09-17 2017-12-05 Huawei Device Co., Ltd. Data processing method and apparatus
CN104469901A (en) * 2013-09-17 2015-03-25 华为终端有限公司 Method and device for data processing
EP3087498A4 (en) * 2013-12-27 2017-08-09 Intel Corporation Electronic device having two processors to process data
KR20160078464A (en) * 2013-12-27 2016-07-04 인텔 코포레이션 Electronic device having two processors to process data
KR101974514B1 (en) * 2013-12-27 2019-05-02 인텔 코포레이션 Electronic device having two processors to process data
US10721684B2 (en) 2013-12-27 2020-07-21 Intel Corporation Electronic device having two processors to process data
US9703353B2 (en) 2014-08-21 2017-07-11 Samsung Electronics Co., Ltd Method and electronic device for reducing current consumption by the electronic device
KR20160023235A (en) * 2014-08-21 2016-03-03 삼성전자주식회사 Processing Method for periodic event and Electronic device supporting the same
EP2988191A1 (en) * 2014-08-21 2016-02-24 Samsung Electronics Co., Ltd. Method and electronic device for reducing current consumption by the electronic device
KR102137097B1 (en) 2014-08-21 2020-07-23 삼성전자주식회사 Processing Method for periodic event and Electronic device supporting the same
WO2024058861A1 (en) * 2022-09-13 2024-03-21 Qualcomm Incorporated Modem processor firewall operations

Also Published As

Publication number Publication date
US9525663B2 (en) 2016-12-20
CN103384992B (en) 2015-11-25
EP2705640B1 (en) 2019-02-20
EP2705640A1 (en) 2014-03-12
CN103384992A (en) 2013-11-06
US20140090047A1 (en) 2014-03-27

Similar Documents

Publication Publication Date Title
US9525663B2 (en) Multiple CPU architecture platform network firewall
US9265003B2 (en) Apparatus and methods for reducing power consumption and/or radio frequency interference in a mobile computing device
JP7430642B2 (en) Information reporting methods, terminals and network equipment
US9338135B2 (en) Device, system and method of maintaining connectivity over a virtual private network (VPN)
US7936708B2 (en) Device, system, and method of wireless network selection and handover
US8359071B2 (en) Power management techniques for a universal serial bus
US7962921B2 (en) Apparatus and methods using intelligent wake mechanisms
US9451551B2 (en) Controlling a power state of a cellular packet data subsystem in a portable electronic device
EP1804426A1 (en) Multi-mode mobile communication terminal and method for reducing power consumption thereof
JP2012518233A (en) Wake-up trigger to support multiple user interfaces, environments, and / or virtual machines
US8140087B2 (en) Techniques for always on always connected operation of mobile platforms using network interface cards
EP2625924A1 (en) Techniques to control a shared antenna architecture for multiple co-located radio modules
CN107182113B (en) Networking control method and device of multi-mode mobile terminal and mobile terminal
CN112584471B (en) Energy-saving signal receiving method, energy-saving signal sending method, terminal and network equipment
CN111343682A (en) Network switching method, device, storage medium and terminal
JP2023502946A (en) Secondary cell dormancy instruction processing method, terminal and network device
WO2019011231A1 (en) Method for reducing sar value of mobile terminal, storage medium and mobile terminal
WO2019029625A1 (en) Lte frequency band switching device and method, and mobile terminal
CN109739571A (en) Application program launching method, mobile terminal and computer readable storage medium
US9549372B2 (en) Adjusting radio dormancies in electronic devices based on receipt of unsolicited incoming packets
CN107295618A (en) Multimode terminal communication means, multimode terminal and computer-readable recording medium
US10015314B2 (en) Call collision processing method for terminal device, and terminal device
US20140198698A1 (en) System and Method for Filtering Broadcast Messages Received Over a Wireless Local Area Network
CN106445692B (en) Network service control method and device
WO2013184748A1 (en) Performing packet filtering and adjusting radio dormancies based on unsolicited incoming packets to electronic devices

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11725399

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2011725399

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: DE