WO2013072046A1 - Secure tunneling platform system and method - Google Patents

Secure tunneling platform system and method Download PDF

Info

Publication number
WO2013072046A1
WO2013072046A1 PCT/EP2012/004730 EP2012004730W WO2013072046A1 WO 2013072046 A1 WO2013072046 A1 WO 2013072046A1 EP 2012004730 W EP2012004730 W EP 2012004730W WO 2013072046 A1 WO2013072046 A1 WO 2013072046A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
authorization
request
tunneling
address
Prior art date
Application number
PCT/EP2012/004730
Other languages
English (en)
French (fr)
Inventor
Martin Varsavsky Waisman-Diamond
Gonzalo Julian Becares Fernandez
Xabier Iurgi ARGINZONIZ CEBREIRO
Juan Manuel Munoz Castro
Pablo Martin Medrano
Original Assignee
FON Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by FON Technology filed Critical FON Technology
Priority to EP12790424.1A priority Critical patent/EP2781071A1/en
Priority to JP2014540359A priority patent/JP5982706B2/ja
Publication of WO2013072046A1 publication Critical patent/WO2013072046A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/2854Wide area networks, e.g. public data networks
    • H04L12/2856Access arrangements, e.g. Internet access
    • H04L12/2858Access network architectures
    • H04L12/2859Point-to-point connection between the data network and the subscribers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies

Definitions

  • the present application relates, generally, to network bandwidth sharing and, more particular, to secure tunneling and to identifying users.
  • Sharing bandwidth is a practical solution that has benefits such as described in commonly assigned U.S. Patent 7,924,780 issued April 12, 201 1 , the entire contents of which is incorporated herein by reference.
  • IP public internet protocol
  • ISP Internet Service Provider
  • the Internet bandwidth is made available via a Wi-Fi access point.
  • User A operates an IPOD
  • a device, a computer-readable medium, a system, a method, and means for implementing the method are disclosed for providing a virtual tunnel over the Internet for communications of the user using a user device, such as a handheld wireless device or a smart phone or other wireless or wired device or the like and for unambiguously identifying the user.
  • a system and method are provided for identifying respective users that access a communication network via Wi-Fi or other sharing of bandwidth, even when both users share the bandwidth, simultaneously.
  • the system and method in accordance with the teachings herein further provide identification and disclosure of respective users that use bandwidth provided via Wi-Fi service, including bandwidth that is provided on a single or a limited number of shared public IP addresses.
  • a method includes sending by user via the user's device a request for authentication and remotely web server authenticating the user's credentials, and if successful, sending an HTTP redirect request to the user's browser on the user device, including sending a random one time password hash for authorizing the user.
  • the user's browser then sends the authorization request to the configured router's captive portal via HTTP, including the password or password hash and tunnel authorization provided by the configured router communicating with the user's device at the user's premises establishing an L2TP tunnel to a primary system layer 2 tunneling protocol network server at the Internet Service Provider data center, the configured router sending a PPP authorization request to the LNS over the established L2TP tunnel, the request including the password, the LNS sending authorization radius request to a remote central data center away from the premises of the ISP data center, the remote data center confirming the authorization and the LNS router accepting the PPP tunnel and assigning a private IP address to the PPP session for the user.
  • HTTP including the password or password hash and tunnel authorization provided by the configured router communicating with the user's device at the user's premises establishing an L2TP tunnel to a primary system layer 2 tunneling protocol network server at the Internet Service Provider data center
  • the configured router sending a PPP authorization request to the LNS over the established L2TP tunnel, the request including the password,
  • the internet access for authenticating the user proceeds by the user sending a request through the internet through the configured router at the user's premises and encapsulating the request in the PPP tunnel previously established.
  • the LNS performs a translation of the private IP address and port into a public IP address, for example using a Port Address Translation.
  • a PAT log can be stored at a different server or at a same server, for example, at a disclosure server, and the LNS forwards the request of the internet, receives a reply, reversing the IP translation and the LNS responding to the configured router through the PPP tunnel so that the reply may be forwarded to the user's device.
  • the present application includes a network tunneling platform which provides a router that is configured to provide user identification over a communication network, even when a user the user's computing device is behind one or multiple NAT services.
  • Registered user identification information is received and stored in one or more databases.
  • network users are subscribers and, therefore, can be identified unequivocally.
  • users are authenticated by providing a username and password, and may be authorized to share other user's network bandwidth at no additional cost, or for a small fee, depending upon the user's authenticated status.
  • the teachings herein provide for relating the user's connection IP address and TCP/UDP port with the user's authentication information (e.g., user name and password) in order to identify the user.
  • Users identification capability provided in accordance with the teachings herein provides compliance with the security policies and legal requirements of even the strictest Internet service provider.
  • L2TP layer 2 tunneling protocol
  • IP internet protocol
  • RADIUS Remote Authentication Dial In User Service
  • the tunneling solution in accordance with the teachings herein also provides an environment that has limited IP addresses available.
  • Public IP address conservation may be provided by assigning private IP addresses to each user.
  • the respective private IP addresses is translated, for example, via one or more network addresses translation ("NAT") servers, to one or more public IP addresses before network traffic reaches the Internet.
  • NAT network addresses translation
  • multiple private IP addresses are NATed with a single public IP address (also called PAT or NAT overload). By providing a NAT accounting log, unequivocal user identification is provided.
  • the infrastructure in an embodiment provides substantial availability as a function of redundancy for, for example, datacenter and communication providers. Substantial scalability is also supported, for example, to support hundreds off thousands of concurrent users by adding network equipment that, for example, terminates the tunnels with Configured routers. In case of a lower number of concurrent users, the system is adjustable, as well as platform costs, to scale appropriately in terms of functionality and cost.
  • a Configured router in accordance with the teachings herein sends a RADIUS request to the System's RADIUS proxy server, and obtains configuration profile information therefrom, including for example white-listed domains, welcome page uniform resource locator ("URL"), L2TP server (“LNS”) details, or the like.
  • the system's RADIUS proxy sends the configuration profile to the Configured router.
  • HTTP hypertext transport protocol
  • the Configured router forwards the request to the user, which translates the traffic via NAT with the router's public IP address and will forward it to the Internet.
  • the HTTP response is sent to the user's browser.
  • Configured router's captive portal intercepts the request and sends to the user's browser a HTTP redirect, for example to a hypertext markup language (“HTML”) Welcome Page.
  • the user's browser requests the Welcome Page and a secured (“HTTPS”) Welcome Page is provided to the user.
  • HTTPS hypertext markup language
  • a user inserts his/her credentials (e.g., Username and Password) at the Welcome Page.
  • One or more web servers perform an authentication process by accessing the user's credentials in the system's database. If the authentication is successful, the web server sends a HTTP redirect request to the user's web browser software application, which includes a random one time password hash that is used during the authorization phase.
  • the user's browser sends an authorization request to the Configured router's captive portal, via HTTP, and includes the one time password.
  • the Configured router establishes a L2TP tunnel to its primary system LNS, in the case, for example, a tunnel has not already been established by a previous connection). If the connection to the primary LNS fails, the Configured router preferably attempts to connect to a secondary LNS. The Configured router sends a PPP authorization request to the LNS over the L2TP tunnel, and may include the One time password. In response, the LNS transmits an authorization RADIUS request to the system RADIUS proxy at, for example, an ISP.
  • the ISP is a partner with a provider or proprietor of the system and method in accordance with the teachings herein.
  • the RADIUS proxy at the ISP forwards the authorization request to a RADIUS server provided or otherwise managed by a provider or proprietor of the system and method in accordance with the teachings herein, which may be located anywhere in the world, via an encrypted virtual private network ("VPN"), established between the DCR routers.
  • VPN virtual private network
  • the RADIUS proxy provide by the System sends back an access-accept to the RADIUS proxy at the ISP, via the encrypted VPN.
  • the RADIUS proxy at the ISP forwards the access-accept packet to the LNS, which accepts the PPP tunnel and assigns a private IP address to the PPP session.
  • the Configured router transmits a RADIUS authorization request to the RADIUS proxy at the ISP, including the One time password, described above.
  • the RADIUS request is forwarded to the a RADIUS proxy server provided or otherwise managed by provider or proprietor of the system and method in accordance with the teachings herein.
  • the request is expected to be accepted, since the credentials are preferably the same as credentials used to authorize the PPP tunnel, described above.
  • Access-accept packet(s) are sent to the System RADIUS proxy, which may be located anywhere in the world, and then transmitted to the Configured router.
  • the access-accept packets preferably include the user's network profile.
  • the Configured router provides Internet access for the respective user, which may include a static network address translation ("NAT") between the private IP address assigned to the PPP session by the LNS, and the private IP address assigned to the user's device by the Configured router via the dynamic host control protocol ("DHCP").
  • NAT static network address translation
  • DHCP dynamic host control protocol
  • the user sends a request to the Internet through the Configured router.
  • the request is encapsulated in the PPP tunnel that is described above.
  • the LNS performs a port address translation ("PAT") for the request, and translates the private IP address and port in the request into a public IP address (which may be on a different port).
  • PAT log is stored at the disclosure server.
  • the request is forwarded over the Internet to a respective server, such as a HTTP server, and a response is transmitted therefrom, over the Internet and for another PAT process.
  • the IP (and port) translation is effectively reversed, and the LNS transmits the response to the Configured router through the PPP tunnel.
  • the Configured router forwards the response to the user's software application.
  • the teachings herein provide for a user connection flow that includes access to white- listed and non-white-listed domains, and user authentication and authorization, including web server authentication, tunnel authorization and captive portal authorization.
  • an integration of at least three session accountings are included.
  • One is a PPP session accounting that is by one or more RADIUS servers managed or maintained by a proprietor of the teachings herein.
  • a second is a captive portal session accounting that is generated by the System's RADIUS server(s) as well.
  • a third is a NAT accounting, that is provided by LNS router.
  • the PPP session accounting may include at least a user's session start time, stop time and the respective LNS's IP address where the PPP session finishes.
  • the PPP session accounting may also include the CPE IP address which is the tunnel IP source for the LNS, because of the CPE is translating (NAT) Configured router wide area network (“WAN”) IP address.
  • Other information included in the PPP session accounting is the private IP address assigned to the Configured router by the LNS for the PPP session, the user's username, the type of accounting packet and the FON unique session identifier (same for the Captive Portal session).
  • a captive portal manages user authorization and accounting at the Configured router.
  • the captive portal sessions accounting preferably includes one or more of: the user's session start time, the session stop time, the user's username, the user's device type (Smart Phone, etc) and media access control ("MAC") address, the user's CPE MAC address, the user's computing device (Smart Phone, etc) IP address, assigned by the Configured router via DHCP and a unique session identifier (same as described above in connection with the for the PPP session).
  • MAC media access control
  • the NAT translation sessions accounting is generated by the LNS router and includes one or more of: the translation creation time, the translation deleting time, the type of accounting (e.g., NAT Creation or NAT Deletion), the layer 4 communication protocol (UDP or TCP), the PPP session IP address (internal address) and the port, the LNS public IP address used for the translation and the port, and the Internet IP address that the user is reaching, and the port.
  • the type of accounting e.g., NAT Creation or NAT Deletion
  • UDP or TCP layer 4 communication protocol
  • PPP session IP address internal address
  • the user tracking and identification is provided.
  • the user's public IP address, TCP or UDP port, and a time frames are known in advance.
  • the teachings herein locate the private IP address that is assigned to the PPP session, which relates to a single PPP session, provided the time frame is appropriate (i.e. given a 24h time frame, there may be several PPP sessions which have shared the same private IP address at different times).
  • the PPP session accounting for that IP address can be determined, and the user's username and CPE address can be determined.
  • the Unique-Session-ID can be obtained and the Captive Portal's user session which has the same Unique-Session-ID can be located.
  • the user device's MAC address and the Configured router's MAC address can, therefore, be identified.
  • an LNS sub-platform terminates the L2TP PPP tunnels that are originated at the Configured routers.
  • the LNS sub-platform may also assign a private IP addresses to the users' sessions, translate private IP addresses into public ones, generate NAT accounting and forward it to an external Syslog, authenticate users' sessions by using RADIUS protocol and generate sessions accounting by using RADIUS protocol.
  • An information technology (“IT”) services sub-platform may also be provided including one or more configured router/firewall that may provides encrypted tunnels (Gre/IPSec) with the System's platform for secured RADIUS authentication and other transactions.
  • the IT services platform may also implement one or more firewall capabilities in order to protect the servers installed at the datacenters.
  • the IT services platform may also include a RADIUS proxy server that, in an embodiment concentrates RADIUS authentication and accounting, and forwards information relating thereto to the SYSTEM RADIUS proxy that is maintained or managed by provider or proprietor of the system and method in accordance with the teachings herein, and which may be located anywhere in the world.
  • a monitoring server may be included that is configured to check the health status of the network and server devices, and to forward the information to a centralized monitor platform, which may be maintained or managed by provider or proprietor of the system and method in accordance with the teachings herein.
  • a disclosure server may be included that stores information required for a disclosure action (RADIUS logs, NAT accounting, etc), and that provides a secured web interface for data extraction.
  • the platform described herein is configured to aggregate traffic from the LNS and IT Services sub-platform, as well as to provide IP connectivity with the ISP aggregation platform, and to provide inter-datacenter connectivity for redundancy purposes.
  • Appendix A For example, PPPoE technology is substituted for PPP and L2TP.
  • a single customer provided equipment from an ISP (e.g., "CPE") device is substituted for a combination of a second router device (e.g., a "Fonera” device) and a "CPE.”
  • This embodiment is more efficient and less costly, for example, due to a reduction in equipment.
  • a system and method are provided for identifying respective users that access a communication network via Wi-Fi or other shared bandwidth. Individual users of Wi-Fi service via shared public IP address(es) can be identified and disclosed, for example, to civil authorities.
  • FIG. 1 is an example of an overview of a user connection flow diagram and major structures of a system according to an aspect of the disclosure.
  • Fig. 2 is an example of a layer 2 tunneling protocol according to an aspect of the disclosure.
  • Fig. 3 is an example of a layer 2 tunneling protocol tunnel and a PPP session illustration according to an aspect of the disclosure.
  • Fig. 4 is an example of a live platform map representing IP connections and system modules at data centers according to an aspect of the disclosure.
  • FIG. 5 is an example of a layer 2 live platform map showing link connections between the system platform and the ISP data center according to an aspect of the disclosure.
  • Fig. 6 illustrates an example of structures of data center modules of the system according to an aspect of the disclosure.
  • Fig. 7 illustrates an example of the equipment distribution within racks at two data centers according to an aspect of the disclosure.
  • Fig. 8 illustrates an example of IP connections for out of band supervision network in the ISP data center and a central data center according to an aspect of the disclosure.
  • Fig. 9 is an example of a layer 2 OBSN platform map representing an example of link connections at the system's out of band supervision network platform at an ISP and interconnections with the ISP platform, according to an aspect of the disclosure.
  • Figs. l OA-C is a flow chart illustrating an example of a process flow according to an aspect of the disclosure.
  • Fig. 1 1 is a schematic illustration of an illustrative example of an EAP with tunneling approach, according to an aspect of the disclosure.
  • FIG. 12 is a schematic illustration of another example of an EAP with tunneling approach, including tunneling on demand, according to an aspect of the disclosure.
  • FIG. 13 is a schematic illustration of an illustrative example of a tunneling approach in which the server consists of three elements, according to an aspect of the present disclosure.
  • Fig. 14 is an example of the Supplicant, Authenticator and Server model using EAP messaging and EAPOL communication from Supplicant to Authenticator.
  • Fig. 15 is a schematic illustration of an example of tunneling in which the server has two elements, and UAM is used to transport PAP messages, according to an aspect of the disclosure.
  • Fig. 16 is a schematic illustration of an example of EAP without tunneling in a server with two elements, according to an aspect of the disclosure.
  • Fig. 17 is a schematic illustration of a user management diagram according to an aspect of the disclosure.
  • Fig. 18 is a diagram illustrating an example of the system using a PPPoE technology approach according to an aspect of the disclosure.
  • a configured router 22 such as a wireless router, may be positioned in a user's home or office so as to provide access to a user's device, such as a smart phone, laptop, desktop or other type of handheld device 21. While described herein as a wireless router 22, it will be understood that a wired connection may also be provided. Further, more than one such user device 21 may share the same connection to the internet via wireless router 22. Similarly, more than one. device may share the connection through ISP router 24, indicated in Fig. 1 as ISP Router CPE (Customer Premises Equipment), which also may be provided at the user's premises 20.
  • ISP Router CPE Customer Premises Equipment
  • Configured router 22 sends a RADIUS request to the system's radius PROXY server, which may be located at an ISP (Internet Service Provider). While described herein as a RADIUS proxy, it would be understood that other types of authentication of the user may also be provided and that other types of servers can also fulfill this function.
  • This transmission of the router for the profile request is illustrated in Fig. 10A, step SI .
  • the system RADIUS proxy 35 at the ISP sends a configuration profile to the configured router 22, as shown in step 2 of Fig. 10 and in communication arrow 2 in Fig. 1 .
  • the user is now free to transmit HTTP requests to white-listed domains and configured router 22 will transmit such requests to ISP router 24, which NATs the request with its own public IP address and forwards it to the internet.
  • the server at the ISP has sent to the configured router 22 information such as a list of white-listed domains which may be acceptable without further security measures, a welcome page URL, and details for the layer 2 tunneling protocol network server 31.
  • requests from configured router 22 for white-listed domains will be responded to, as illustrated in communication arrow 4 in Fig. 1.
  • configured router 22 transmits an HTTP request for a non-white-listed domain as illustrated in communication arrow 5
  • the configured router's captive portal intercepts this request of the user's browser using the captive portal service, and transmits to the user's browser an HTTP redirect to the welcome page, as illustrated in communication arrow 6.
  • the user's browser requests the welcome page, and the HTTPs welcome page is shown to the user as indicated by communication arrow 8.
  • the user can insert his or her credentials, such as user name and password, for example issued by the user's ISP or as otherwise provided to the user, entered on the welcome page, as indicated by communication arrow 9.
  • the welcome page may be sent by web server 41 located at a location different from the ISP's data center 30, for example the web server 31 may be located at a central data center 40 that provides services to support identification of the user and tunneling as described herein. It may be located anywhere in the world, or in the alternative, it and/or the other equipment illustrated in Fig. 1 as being a part of data center 40 may be located at the ISP's premises.
  • FIG. 1 illustrates a web server 41 , user database 43 and proxy RADIUS 45, as well as VCR 40 as being located at the central data center 40.
  • the user's welcome page is shown in Fig. 1 as being transmitted from web servers 41 located at the central location 40.
  • the user can enter her credentials, as discussed above, and these credentials can be forwarded to web servers 41 , which then processes the credentials to authenticate the user by accessing a database, such as user database 43, as illustrated in communication arrow 10 and as illustrated in step 3 of Fig. 10A.
  • web server 41 authenticates the user, if the
  • a password or a one time password hash as shown in Fig. 10A, and as illustrated in communication arrow 1 1 in Fig. 1 .
  • the web servers 41 redirect the HTTP request to the user's browser 21.
  • user's browser sends an authorization request to the configured router's captive portal via HTTP (or using another protocol), and the request includes the one time password received from web server 41 .
  • the configured router's captive portal will receive the authorization request, which includes the one time password received from web server 41 , as illustrated in step S5 of Fig. 10A.
  • step 6 configured router 22 establishes the L2TP tunnel with LNS 31 at the ISP data center, in case this has not already been established by a previous connection. This communication is illustrated by communication arrow 13 in Fig. 1. If connection to the primary LNS fails, configured router 22 attempts to connect to its secondary LNS. Configured router 22 sends a PPP (Point-to-Point protocol) session authorization request to the LNS over the L2TP tunnel that has been established, as described at S7 of Fig. 1 0A and as illustrated in Fig. 1 as communication arrow 14. This authorization request includes a one time password received from the user device.
  • PPP Point-to-Point protocol
  • LNS 31 will then attempt to send an authorization RADIUS request to the system RADIUS proxy 35, which may be located at the ISP data center 30. This is shown as communication arrow 15 in Fig. 1 and described as step S8 in Fig. 10A.
  • system RADIUS proxy 35 forwards the request to the SYSTEM RADIUS at the central database 40 via encrypted VPM (virtual private network) established between DC routers located at the ISP data center 30 and at the central data center 40. This is illustrated in step 9 in Fig. 10A and as communication arrow 16 in Fig. 1.
  • the determination is made whether to authorize based on the password received in the request, as illustrated in step S 10 of Fig. 10A, and if an affirmative decision is made, the system RADIUS proxy 45 at central data center 40 signals RADIUS proxy at the ISP of the axis-accept, and this is forwarded to LNS 31 , as illustrated in Fig. 1 by
  • LNS 31 accepts the PPP tunnel in response to the access-accept message received from the RADIUS proxy 35 and assigns a private IP address to the PPP session for user device 21 , as indicated by communication arrow 19 in Fig. 1 and as illustrated in step S I 3 of Fig. 10B.
  • a captive portal authorization will now be described with reference to communication arrows 20-24 illustrated in Fig. 1 configured router 22 sends a request for RADIUS authorization request to the RADIUS proxy 35 at the ISP data center 30, the request including the one time password received earlier, as shown in communication arrow 20 in Fig. 1. This is described as SI 4 in Fig. 10B.
  • the radius request is forwarded by RADIUS proxy 35 to the system RADIUS proxy 45 at the central data center. This request should always be accepted since the credentials sent, including the password, are the same as the PPP authorization credentials.
  • the access-accept packet is sent back from proxy RADIUS 45 to proxy RADIUS 35 at the ISP as illustrated in communication arrow 22 of Fig.
  • configured router 22 configures the internet access for user device 21 , and this configuration includes providing a static NAT between the private IP address assigned to the PPP session for user device 21 by LNS 31 and the private IP address assigned to user device 21 by configured router 22 via DHCP.
  • Access is provided to the internet for authenticated users as described below.
  • user sends a request for accessing a target on the internet via configured router 22, as indicated by communication arrow 25 in Fig. 1 as shown in step 19 of Fig. 10B.
  • the request may be encapsulated in the PPP tunnel earlier established, as indicated by communication arrow 26 in Fig. 1 and as described in step 20 in Fig. 10B.
  • LNS 31 performs a PAT (Port Address Translation) for the internet request from the user, thus translating the request's private IP address and port into a public IP address (which also may be on a port different from the private IP address), as indicated by communication arrow 27 in Fig.
  • PAT Port Address Translation
  • a PAT log will be stored at disclosure server 33 at the ISP, as indicated in communication arrow 28 in Fig. 1 , and as described in step S22 in Fig. 10B.
  • the request is forwarded to the internet by LNS 31 , as indicated by communication arrow 29 in Fig. 1 and as shown in step S23 in Fig. 10B.
  • LNS 31 receives a response from the internet responsive to the internet request, and LNS 31 proceeds through the PAT process, as shown by communication arrow 30 and as indicated in steps S24 and S25 in Fig. 10B.
  • the IP translation is reversed and the LNS now again has the private IP address of user device 21 .
  • LNS 31 transmits a response to the internet request to configured router 22 through the PPP tunnel, as indicated in S40 in Fig. I OC.
  • the configured router 22 then forwards the response to the user device 21.
  • a live communication platform with a modular design to facilitate scalability of the system and to provide redundancy of solution.
  • the live platform can include LNS sub-platform that terminates the L2TP and PPP tunnels originated at configured router 22.
  • a layer 3 live platform map is illustrated in Fig. 4.
  • Fig. 4 represents IP connections in system cabinets at the ISP data center and a central data center.
  • Fig. 5 illustrates a layer 2 live platform map.
  • Fig. 5 illustrates link
  • LNS sub-platform could provide functions such as terminating the L2TP and PPP tunnels originate at the configured router 22, as earlier mentioned, and in addition the LNS sub-platform can assign a private address for the user's sessions, translate the private IP address into public IP addresses, generate NAT accounting and forward such NAT results to an external system log, authenticate the user's sessions using, for example, a RADIUS protocol, and can generate sessions accounting using the RADIUS protocol.
  • an IT service's sub-platform can provide a router/firewall to provide encrypted tunnels (Gre/IPSec) with the central data center for secured RADIUS authentication and other transactions, and can implement firewall capabilities so as to protect the servers installed at the data centers.
  • the IT service's sub-platform can also provide the RADIUS proxy server that concentrates a radius authentication and accounting and forwards the results to the system RADIUS proxy at the central data center.
  • the IT service's sub-platform can work as monitoring server to check the health status of the network and server devices and can forward the information to the centralized monitor platform at the central data center.
  • a border switches can aggregate traffic from the LNS and IT service's sub-platform, provide IP connectivity with the ISP data center and a platform of the ISP as a whole, and provide inter-data center connectivity so as to provide redundancy.
  • the LNS sub- platform can have a number of LNS routers so that tunnel sessions and NAT services are distributed among all the LNS routers. Thus, network traffic congestion and single points of network failure can be avoided thus allowing scaling by addition of LNS routers.
  • IT services can be provided by a server farm, such as an HP DL 380, for multiple purposes, including monitoring, RADIUS proxy and disclosure services that can grow by adding additional servers.
  • the IT services router can include a modular router (for example, CISCO 3945), that can either be upgraded with additional hardware or with a secondary router.
  • Border switches can include core switches, for example CISCO 3750E with stackWISE PLUS technology that permits aggregating up to nine switches with 64 gigabytes backbone. Redundancy can be provided by the LNS sub-platform because each LNS is independent of the others and can be spread over two or more
  • the configured router 22 can dynamically configure the primary LNS 31 at the ISP as well as a secondary LNS at a second data center.
  • the user is reconnected to a secondary or tertiary LNS.
  • LNS fail over according to which LNS platforms can be dimensioned with extra capacity to ensure service even when maximum usage scenario in the event multiple LNS fail.
  • An IT services router and servers are duplicated in data centers so that all LNS routers can reach both IT services platforms locally or through the inter-data center link, for example if the RADIUS proxy fails, the LNS routers can connect to the secondary RADIUS proxy.
  • the border switches are configured in a cluster in each data center so that in the event that the master switch fails in one data center, a slave switch or more than one slave switch at the same data center becomes the master without service interruption. In this way, all LNS routers and the IP services router have redundant connections to the master and slave switches.
  • a switched PDU will have rack power bar that can perform remote power on/off the network operation center will be supported to respond to possible issues, for example, for instance the system may need to report a power outage and appropriate action may be required.
  • Engineers equipped for the task should be available in case urgent physical action is necessary, for example, in a case of power outage or in case a wire is not properly connected to one or more structures or devices or equipment as described herein.
  • the communication for the live network could typically require 2 x 10 Gbps Internet links for user traffic on each data center (for a total of 4 x 10 Gbps total).
  • the interface type for example LR or SR or the like could typically be provided and each link can be connected to a different router for redundancy purposes.
  • Out of band supervision for the network can be provided as I X fast internet link for remote management purposes (2X 100 Mbps) and these links could be connected to different routers than the others for the live network connections for redundancy purposes.
  • An internet-data center private network can include IX fast Ethernet private link between both racks located at each data center. This may be thought of as a critical link so that diverse protection can be implemented for multiple paths (again for redundancy purposes). If diverse protection is unfeasible, a second link can be implemented.
  • Out of band supervision for the network can include secured and reliable remote administration capabilities, including an IPSec tunnels established from the OBSN router's central data centers to the system OBSN routers at the ISP data center,
  • the connection from the data center at the central data center to the equipment at the ISP data centers can be fully encrypted and the traffic for the OBSN is separate from the user's traffic with virtual routing forwarding (VRF) for instance.
  • VRF virtual routing forwarding
  • Access to each piece of equipment can be secured remotely by SSH or by Console to assure that the equipment is available and reachable even when there is a connectivity problem or requires remote access to implement a boot sequence.
  • the OBSN network is located at the DCR routers which have a 24 port Fast Ethernet card with VLAN configuration capabilities. Each piece of equipment (routers, servers, PDU, etc) is connected to this network for remote administration purposes.
  • VRF virtual routing forwarding
  • DCR routers can have OBSN Vlan directly connected, and routes to reach the other datacenter OBSN Vlan through the Border Switches may be provided. Its default route can be the local OSR.
  • Border Switches can have routes to reach the local OBSN Vlan at the DCR, routes to reach the other datacenter OBSN Vlan through the point to point link, and a default route with the local OSR.
  • a Configured router's firmware can be modified to connect to this platform and check that the L2TP over PPP tunnel is not filtered with different ISPs at the country where the ISP is located.
  • An OpenNMS platform can be deployed to monitor the network equipment using the SNMP protocol.
  • a Zabbix platform can be deployed to monitor the servers and services (RADIUS proxy, etc) by using local agents.
  • Secondary monitoring platform can be configured on the central data center platform in order to check that the primary monitoring platform at the partner's datacenter is working properly; the communications between SYSTEM platform at the partner's datacenter and Madrid works properly; and alerts are escalated by email/SMS to the SYSTEM administrators Blackberry devices.
  • Remote monitoring platform can use the OBSN to reach the SYSTEM equipment at the partner's datacenter.
  • Mobile client applications can be provided on iOS and android devices, as well as other types of phones and handheld and portable devices.
  • An Apache web server may be used running on LINUX. However, it will be understood that other systems may also be used.
  • the present methods, functions, systems, computer-readable medium product, or the like may be implemented using hardware, software, firmware or a combination of the foregoing, and may be implemented in one or more computer systems or other processing systems, such that no human operation may be necessary. That is, the methods and functions can be performed entirely automatically through machine operations, but need not be entirely performed by machines. Similarly, the systems and computer-readable media may be implemented entirely automatically through machine operations but need not be so.
  • a computer system may include one or more processors in one or more units for performing the system according to the present disclosure and these computers or processors may be located in a cloud or may be provided in a local enterprise setting or off premises at a third party contractor. Similarly, the information stored may be stored in a cloud or may be stored locally or remotely.
  • the computer system or systems for interacting with a user can include a GUI (Graphical User
  • a computer system for implementing the foregoing methods, functions, systems and computer-readable storage medium may include a memory, preferably a random access memory, and may include a secondary memory.
  • the database may be part of the same machine or may be located off site, and may be implemented as a floppy disk drive, magnetic tape drive, an optical disk drive, removable storage drive, a combination of the foregoing or any type of recording medium.
  • Examples of a memory or a computer- readable storage medium product include a removable memory chip, such as an erasable programmable read-only memory (EPROM), a programmable read-only memory
  • the communication interface may include a wired or wireless interface communicating over TCP/IP paradigm or other types of protocols, and may communicate via a wire, cable, fire optics, a telephone line, a cellular link, a radio frequency link, such as WI-FI or Bluetooth, a LAN, a WAN, VPN, the world wide web or other such communication channels and networks, or via a combination of the foregoing,
  • public IP addresses are conserved in order to reduce the number of public IP addresses that are necessary for the system.
  • an IP conservation solution could be provided.
  • a distributed NAT with an each LNS 31 could thus be implemented. Accordingly, performance could be improved since all user traffic passing through the NAT (for example within 7200 CISCO ROUTER) and the NAT accounting has to be generated by the NAT router.
  • IP addressing approach for the live platform or for other communication scenarios is described below.
  • PPP sessions can be assigned a private IP address in the range 10.128.0.0/9.
  • a private/18 pool can be assigned to each LNS for the user's PPP tunnels.
  • Each LNS has a public/26 pool to NAT the PPP sessions.
  • the public IP addresses are also required for platform configuration. In this way, a total of perhaps a public/22 network is required for each data center, for the NAT pools, platform configurations and for future service growth.
  • IP addressing for the OBSN platform can be implemented, for example, by configuring private IP addresses at the OBSN platform to achieve enhanced security and IP conservation.
  • a significantly scalable solution can be provided if the tunnel and NAT solution provided by the LNS router is in the distributed model.
  • Two border switches can be included for each data center so as to aggregate at least 14 LNS routers.
  • Each LNS router can support, for example 10,000 user sessions, and each have 1 .8 Gbps of throughput and 2 Gbps of memory RAM so that a peak concurrency for each user can be 100 bps of throughput and 100 AT translations on average.
  • additional equipment may be necessary for the NAT log storage.
  • Fig. 14 illustrates a supplicant, an authenticator and an authentication server.
  • EAP Extensible Authentication Protocol
  • a tunneling "on demand" architecture is employed, which eliminates a step of converting EAPOL to PPP, and that may be easier for manufacturers to implement.
  • a proxy RADIUS that may be modified to trigger the PPP authentication
  • a modified EAP daemon may be applied.
  • the present application employs regards the extensible authentication protocol (“EAP”), an authentication framework that is frequently used in wireless networks and Point-to-Point connections.
  • EAP is widely used, for example, in IEEE 802.1 1 (Wi-Fi), and WPA and WPA2 standards have adopted IEEE 802. I X with multiple EAP types for authentication mechanisms.
  • EAP is usable on the captive portal, and is suitable when used with WPA and/or WPA2.
  • LEAP Lightweight - EAP
  • EAP-TLS EAP-TTLS
  • EAP-FAST EAP-FAST
  • EAP-SIM EAP-A A
  • IX involves a supplicant (e.g., a mobile computing device such as a smartphone, PDA or the like), an authenticator (e.g., a configured router) and a server. 802. I X is used to transport EAP messages via EAP over Lan (“EAPOL”) from a supplicant to an authenticator, and thereafter via RADIUS/Diameter from authenticator to the server.
  • a supplicant e.g., a mobile computing device such as a smartphone, PDA or the like
  • an authenticator e.g., a configured router
  • server e.g. 802.
  • I X is used to transport EAP messages via EAP over Lan (“EAPOL”) from a supplicant to an authenticator, and thereafter via RADIUS/Diameter from authenticator to the server.
  • EAPOL EAP over Lan
  • a universal access method (“UAM") is used to transport password authentication protocol (“PAP") messages.
  • PAP password authentication protocol
  • HTTPs may be used for transporting data from supplicant to a UAM Server
  • HTTP is used from supplicant to authenticator
  • RADIUS is used from Authenticator to Server.
  • Figs. 1 1 -13 illustrate by way of illustrative example embodiments according to an aspect of the present disclosure.
  • EAP may be used for transmitting credentials, such as for user authentication.
  • EAP is not usable transmitting credential information from a mobile computing device, such as a smartphone, to an authenticating server, such as RADIUS server 1 10.
  • data are encapsulated in one format and transmitted from one device, such as computing device 104 that is a smartphone, and then transmitted to another device that removes the EAP capsule, and encapsulates the authentication information using another protocol, for example, PPP, and transmit that to another device, for example RADIUS server 1 10.
  • PPP another protocol
  • RADIUS server 1 10 receives the PPP encapsulated credentials
  • RADIUS server 1 10 authenticates the user using the authentication credentials (or does not authenticate due to improper credentials or other reason)
  • RADIUS server 1 10 transmits a reply via PPP.
  • the reply via PPP is received, opened and encapsulated back into EAP, before being transmitted back to computing device 104.
  • FIG. 1 1 illustrates an example hardware arrangement 1 100, in addition to data transmissions and respective communication protocols employed therewith.
  • authentication happens in one phase.
  • the user using handset 104 tries to associate using 802. l x (EAPOL) and sends EAP messages encapsulated in this protocol (step S I 102).
  • Configured router 302 transforms the EAP messages from EAPOL to PPP and sends them to the LNS (step S I 104).
  • LNS server 108 transforms the EAP messages from its PPP capsule to a RADIUS capsule and forwards them to the RADIUS server 1 10 (step SI 106).
  • configured router 302 receives credential information in the EAPOL capsule, removes the EAPOL capsule and encapsulates the credential information into PPP and transmits it to LNS server 108.
  • LNS server 108 receives the PPP packet and forwards the EAP credential information via the RADIUS protocol to RADIUS server 1 10.
  • the successful authentication implies that a PPP/L2TP tunnel has been established between the router 302 and the LNS server 108.
  • the tunnel is specific to the user handset 104 and all the traffic to and from this device will be routed through the tunnel until the session stops.
  • Fig. 12 illustrates an example hardware arrangement 1200, in addition to data transmissions and respective communication protocols employed therewith.
  • the tunnel establishment happens in two phases. Phase one regards user authentication.
  • the user tries to associate a signal using 802.1 x (EAPOL) and sends EAP messages encapsulated in this protocol (step SI 202).
  • Configured router 302 transforms the EAP messages from the EAPOL capsule and puts them in a RADIUS format and sends them directly to the RADIUS server 1 10 (step SI 204).
  • RADIUS server 1 10 optionally sends back a one time password to configured router 302, which uses it to establish a L2TP/PPP tunnel with the LNS 108 which will then be used to route the user's traffic (step S I 206).
  • user device 104 has the user credentials (not shown) and starts an association with the configured router 302 using the 802. l x (EAPOL) protocol.
  • EAP is used to transmit the messages that authenticate the user.
  • the EAP messages may be different, depending on the type of EAP that is used (EAP-SIM, EAP-AKA, EAP-TTLS or other suitable type).
  • Configured router 302 takes the EAP messages encapsulated in the 802. l x (EAPOL) and encapsulates them in a RADIUS packet that is sent to the RADIUS server for user authentication.
  • RADIUS server 1 10 replies with new EAP messages (as known in the art, this process may occur more than once until the credentials are considered as validated) to LNS server 108 within a RADIUS encapsulation.
  • an (optional) one time password may be sent to configured router 302.
  • configured router 302 builds a L2TP/PPP packet with the received one time password and establishes a PPP session to LNS server 108 (e.g., via a suitable authentication protocol, be it PAP, CHAP, EAP) (step S I 208).
  • a suitable authentication protocol be it PAP, CHAP, EAP
  • configured router 302 forwards the EAP messages from RADIUS server 1 10 to the client device 104 and allows the association. Thereafter, traffic is forwarded to the Internet, using the tunnel, provided it was established.
  • Fig. 13 illustrates an example hardware arrangement 1300, in addition to data transmissions and respective communication protocols employed therewith.
  • the embodiment illustrated in Fig. 13 is a simplified view of that shown and described above, with reference to Fig. 3.
  • Fig. 15 illustrates an embodiment of the Supplicant, Authenticator and Server, the Server comprising two elements using a universal access method to transport the PAP messages without the need for tunneling.
  • HTTPs can be used from Supplicant to the UAM server, an HTTP can be used from Supplicant to authenticator, while Radius can be used from authenticator to server.
  • Fig. 6 illustrates the EAP without tunneling using UAM to transport PAP messages, in which HTTP is used from Supplicant to authenticator, while Radius is used from authenticator to server.
  • Fig. 17 is a user management diagram.
  • Fig. 18 illustrates the use of PPPoE technology which may be used instead of the PPP and the L2TP.
  • a single customer provided piece of equipment from the ISP for example a CPE device
  • a second router device for example, the Fonera device and the CPE.
  • a more efficient and possibly less costly solution can be provided, for example, because of a reduction in a number of pieces of a equipment needed.
  • LNS L2TP Network Server
  • Network equipments that terminates the tunnels with Configured routers.
  • ISP Router Customer Premises Equipment. Provides broadband access to the Configured router.
  • Configured router Autoconfiguration Communication between the Configured Requests router and SYSTEM Platform in order to let the Configured router get its configuration data (IP address, tunnel parameters, etc.).
  • RADIUS Proxy Servers Provide the authentication and accounting for users requests, and Configured routers auto configuration requests Monitoring Servers Responsible of the systems and networks equipment health checks
  • Disclosure Servers Provides a web interface to securely disclose the relevant user information when it is required by a Legal Enforcement Agency.
  • Billing Server Farm Supports all the billing logical processes, and the authorization users requests
  • UCS Server Farm Provides the heartbeat between Configured routers and SYSTEM Platform, and upgrade them if necessary
  • NAT/PAT/Overload Feature that translates an IP address into another.
  • the SYSTEM platform uses PAT to translate private IP addresses into public ones.
  • EAP Extensible Authentication Protocol an authentication framework frequently used in wireless networks and point-to-point connections.
  • WPA Wi-Fi Protective Access a security and certification protocol for Wi-Fi connections.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
PCT/EP2012/004730 2011-11-14 2012-11-14 Secure tunneling platform system and method WO2013072046A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP12790424.1A EP2781071A1 (en) 2011-11-14 2012-11-14 Secure tunneling platform system and method
JP2014540359A JP5982706B2 (ja) 2011-11-14 2012-11-14 セキュアトンネリング・プラットフォームシステムならびに方法

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201161559460P 2011-11-14 2011-11-14
US61/559,460 2011-11-14

Publications (1)

Publication Number Publication Date
WO2013072046A1 true WO2013072046A1 (en) 2013-05-23

Family

ID=47221299

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2012/004730 WO2013072046A1 (en) 2011-11-14 2012-11-14 Secure tunneling platform system and method

Country Status (3)

Country Link
EP (1) EP2781071A1 (ja)
JP (1) JP5982706B2 (ja)
WO (1) WO2013072046A1 (ja)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2016525247A (ja) * 2013-07-03 2016-08-22 フェイスブック,インク. ネイティブ・アプリケーション・ホットスポット
CN110178345A (zh) * 2016-05-31 2019-08-27 交互数字Ce专利控股公司 用于提供备用链路的方法和设备

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1104133A1 (en) * 1999-11-29 2001-05-30 BRITISH TELECOMMUNICATIONS public limited company Network access arrangement
US6430619B1 (en) * 1999-05-06 2002-08-06 Cisco Technology, Inc. Virtual private data network session count limitation
EP1411676A1 (en) * 2002-10-17 2004-04-21 Alcatel Method, network access server, client and computer software product for dynamic definition of layer 2 tunneling connections
WO2010019084A1 (en) * 2008-08-15 2010-02-18 Telefonaktiebolaget L M Ericsson (Publ) Lawful interception of nat/ pat
US7924780B2 (en) 2006-04-12 2011-04-12 Fon Wireless Limited System and method for linking existing Wi-Fi access points into a single unified network

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001273258A (ja) * 2000-03-23 2001-10-05 Nippon Telegr & Teleph Corp <Ntt> ユーザ認証システム
JP2001285354A (ja) * 2000-03-30 2001-10-12 Hitachi Ltd 通信路設定方法
JP3856223B2 (ja) * 2002-08-12 2006-12-13 Kddi株式会社 ユーザ認証方法およびプログラムならびにデータ通信端末
JP4401302B2 (ja) * 2005-01-20 2010-01-20 株式会社情報技研 通信管理システム、通信管理方法、及び通信管理プログラム
JP2007102777A (ja) * 2005-10-04 2007-04-19 Forval Technology Inc ユーザ認証システムおよびその方法
JP4960738B2 (ja) * 2007-03-28 2012-06-27 株式会社野村総合研究所 認証システム、認証方法および認証プログラム
US8335490B2 (en) * 2007-08-24 2012-12-18 Futurewei Technologies, Inc. Roaming Wi-Fi access in fixed network architectures
US8996716B2 (en) * 2008-11-17 2015-03-31 Qualcomm Incorporated Remote access to local network via security gateway
US8943552B2 (en) * 2009-04-24 2015-01-27 Blackberry Limited Methods and apparatus to discover authentication information in a wireless networking environment

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6430619B1 (en) * 1999-05-06 2002-08-06 Cisco Technology, Inc. Virtual private data network session count limitation
EP1104133A1 (en) * 1999-11-29 2001-05-30 BRITISH TELECOMMUNICATIONS public limited company Network access arrangement
EP1411676A1 (en) * 2002-10-17 2004-04-21 Alcatel Method, network access server, client and computer software product for dynamic definition of layer 2 tunneling connections
US7924780B2 (en) 2006-04-12 2011-04-12 Fon Wireless Limited System and method for linking existing Wi-Fi access points into a single unified network
WO2010019084A1 (en) * 2008-08-15 2010-02-18 Telefonaktiebolaget L M Ericsson (Publ) Lawful interception of nat/ pat

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP2781071A1

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2016525247A (ja) * 2013-07-03 2016-08-22 フェイスブック,インク. ネイティブ・アプリケーション・ホットスポット
US9590884B2 (en) 2013-07-03 2017-03-07 Facebook, Inc. Native application hotspot
CN110178345A (zh) * 2016-05-31 2019-08-27 交互数字Ce专利控股公司 用于提供备用链路的方法和设备
EP3465994A4 (en) * 2016-05-31 2019-12-25 InterDigital CE Patent Holdings METHOD AND DEVICE FOR PROVIDING A BACKUP CONNECTION
US10855624B2 (en) 2016-05-31 2020-12-01 Interdigital Ce Patent Holdings Method and device for providing a backup link
CN110178345B (zh) * 2016-05-31 2021-06-29 交互数字Ce专利控股公司 用于提供备用链路的方法和设备

Also Published As

Publication number Publication date
JP2015502694A (ja) 2015-01-22
JP5982706B2 (ja) 2016-08-31
EP2781071A1 (en) 2014-09-24

Similar Documents

Publication Publication Date Title
US9015855B2 (en) Secure tunneling platform system and method
CN107534651B (zh) 用于传送会话标识符的方法及设备
EP2725829B1 (en) Common control protocol for wired and wireless nodes
EP2590368B1 (en) Method, equipment and network system for terminal communicating with ip multimedia subsystem(ims) core network server by traversing private network
US7389534B1 (en) Method and apparatus for establishing virtual private network tunnels in a wireless network
US8117639B2 (en) System and method for providing access control
US20170180428A1 (en) Policy-based configuration of internet protocol security for a virtual private network
US7849499B2 (en) Enterprise wireless local area network (LAN) guest access
EP3432523A1 (en) Method and system for connecting virtual private network by terminal, and related device
EP2606663A1 (en) A system and method for wi-fi roaming
WO2012024204A2 (en) A system and method for maintaining a communication session
US8611358B2 (en) Mobile network traffic management
CN113824791B (zh) 一种访问控制方法、装置、设备及可读存储介质
US20130283050A1 (en) Wireless client authentication and assignment
EP3811590A1 (en) System and method for creating a secure hybrid overlay network
US20150074768A1 (en) Method and system for operating a wireless access point for providing access to a network
WO2012130041A1 (zh) 网络资源共享的实现方法和系统
JP5982706B2 (ja) セキュアトンネリング・プラットフォームシステムならびに方法
JP5947763B2 (ja) 通信システム、通信方法、および、通信プログラム
JP5864453B2 (ja) 通信サービス提供システムおよびその方法
US11496337B2 (en) Openroaming based remote worker
Jonsson Security and cooperation considerations for Skekraft. net's wireless network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12790424

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2014540359

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2012790424

Country of ref document: EP