WO2003077477A1 - A method and system for controlling and filtering traffic in a wireless network - Google Patents


Info

Publication number
WO2003077477A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminals
access point
segment
terminal
packet
Application number
PCT/SE2003/000402
Other languages
French (fr)
Inventor
Martin Leben
Timo Pohjanvuori
Original Assignee
Repeat It Ab
Application filed by Repeat It Ab
Priority to EP03744092A / EP1488575A1
Priority to AU2003215992A / AU2003215992A1
Publication of WO2003077477A1

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L47/00 Traffic control in data switching networks
                    • H04L47/10 Flow control; Congestion control
                        • H04L47/22 Traffic shaping
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
                        • H04L63/0227 Filtering policies
                            • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
                            • H04L63/0263 Rule management
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W28/00 Network traffic management; Network resource management
                    • H04W28/02 Traffic management, e.g. flow control or congestion control
                        • H04W28/06 Optimizing the usage of the radio link, e.g. header compression, information sizing, discarding information
                • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
                    • H04W88/08 Access point devices

Definitions

  • The object of this invention is to reduce or eliminate the problems outlined above.
  • This object and others are obtained by providing a method and system for controlling wireless transmission of data packets between an access point and wireless terminals, wherein a shared communication channel is used for transmissions between the access point and the terminals.
  • The connections between the terminals and the access point are divided into communication segments, wherein each segment is established for at least one terminal and comprises certain communication parameters and rules.
  • Communication segments are established by defining and storing communication parameters and rules for data packets being communicated with terminals belonging to each segment.
  • The defined parameters and rules may thus dictate that specific control functions are performed for the packet, or that the packet is allowed to be re-transmitted without further control.
  • The control functions may involve any of: charging, firewall functionality, routing, bridging, legal interception by forwarding packets to legal authorities, filtering of unauthorised packets and traffic shaping.
  • Each segment may be dynamically established when a connection with a terminal is initiated, or may be more or less permanently established for one or more terminals.
  • A directional antenna may be used by one or more terminals, and link encryption may be used between the access point and one or more terminals, for providing isolation between terminals. Such isolation will make it more difficult for any unauthorised terminal to intercept transmitted packets, and will force transmissions over the access point, thereby enabling control and registration.
  • Fig. 1 is a schematic view of a communication scenario in which the invention may be implemented.
  • Fig. 2 is a schematic illustration of communication protocols in an access point and two terminals.
  • Fig. 3 is a schematic illustration of a data packet being communicated between two terminals.
  • Fig. 4 is a schematic block diagram of an access point.
  • FIG. 1 is a schematic view of an exemplary communication scenario in which the present invention may be implemented.
  • A WLAN 100 comprises a plurality of access points, of which only one access point 102 is shown.
  • The WLAN 100 is connected by means of a communication link 104 to a backbone network 106, which may be the Internet, an intranet, a fixed public or private network, or any combination of such networks.
  • The communication link 104 may be a wireline connection or a wireless connection.
  • Two wireless terminals 108, 110 are currently connected to the access point 102 by means of radio interfaces.
  • The terminals 108, 110 may be mobile phones, laptop computers, personal digital assistants or the like.
  • Routers of private networks may also be used for wireless communication over the access point 102, acting as terminals towards the access point.
  • A shared communication channel is used for communication between the access point 102 and terminals connected thereto.
  • Data packets are communicated between the access point 102 and the terminals 108, 110 according to the IEEE802.11b standard.
  • A communication protocol is implemented having a plurality of stacked layers for handling incoming and outgoing data packets, as is well known in the art.
  • The lowest layer is a "physical layer" for handling radio signals, and the next layer is a "link layer" for handling communication link parameters of the radio interface between a terminal 108, 110 and the access point 102.
  • Further layers are also provided in higher levels, such as those of the well-known IP (Internet Protocol) stack.
  • Such protocols in the communicating parties 102, 108, 110 of Fig. 1 are schematically illustrated in Fig. 2, where 200 denotes a protocol stack in the access point 102, and 202 and 204 denote protocol stacks in the terminals 108 and 110, respectively.
  • Each of the protocol stacks 200, 202, 204 comprises a physical layer 200A, 202A, 204A and a link layer 200B, 202B, 204B, respectively.
  • All connections between terminals and an access point constitute a common "segment" which is terminated in the link layers of the respective terminals and the access point.
  • Each access point comprises a repeating function for re-transmitting packets within the same BSS, as described above.
  • The terminal 108 sends a data packet 300 destined to the terminal 110, by transmitting the packet to a serving access point.
  • Link addresses specified in the packet 300 are read at link layer 200B, as indicated by dashed arrows.
  • The link addresses in the packet 300 include a source address SA of the sending terminal 108, a destination address DA of the destined terminal 110 and an access point address AA.
  • The addresses are MAC (Media Access Control) addresses in this case.
  • The access point 102 recognises that the sending and receiving terminals 108, 110 belong to the same BSS of the access point 102, and according to previous solutions, an automatic repeating function 302 is then activated for re-transmitting the packet.
  • The repeating function 302 thus automatically retransmits packets within the same segment without any further checking or control, which may lead to the drawbacks outlined in the background section of this description.
  • The present invention is intended to avoid such unrestricted and uncontrolled re-transmission of packets, and provides a mechanism which makes it more difficult for any third unauthorised terminal to intercept communicated packets and for terminals to communicate in ad hoc mode.
  • Fig. 4 illustrates a preferred embodiment of the present invention.
  • An access point 400 is shown, in which a radio communication protocol is implemented, including a physical layer 400A and a link layer 400B, schematically indicated by dashed lines.
  • The access point 400 comprises a communication unit 402 for handling radio signals in the physical layer 400A, which may include various radio components, such as an antenna, transceivers, modulators/demodulators, not shown.
  • The communication unit 402 may comprise a so-called radio card or the like.
  • The access point 400 further comprises an interface handler 404 for handling communication interfaces for connected terminals, as logically dealt with in link layer 400B.
  • The interface handler 404 is connected to a control unit 406 which is further connected to an interface unit 408 providing communication with other access points or with a gateway to other networks, such as the backbone network 106 in Fig. 1.
  • The interface unit 408 may preferably be based on the Ethernet standard or any other used LAN (Local Area Network) or WAN (Wide Area Network) standard.
  • The control unit 406 is configured to perform various controlling and/or filtering functions for data packets communicated to or from terminals connected to the access point 400.
  • Controlling and filtering functions may involve charging, firewall functionality, routing, bridging, legal interception by forwarding packets to legal authorities, filtering of unauthorised packets and traffic shaping, as exemplified above.
  • These functions may be performed in one or more higher layers of one or more network protocols being used, which can be implemented in the control unit 406, such as an IP stack.
  • The controlling and/or filtering functions are thus stored in the access point 400 and can be remotely updated.
  • A remote network managing system may be connected to access points in the network for configuring the access points with respect to, e.g., security, alarms, performance and the control functions discussed above.
  • The network managing system may also receive and process traffic records for charging and registration.
  • The interface handler 404 is configured to divide plural current terminal connections into individual or grouped segments. Each segment may be dynamically established when a terminal connection is initiated. Alternatively, a segment may be more or less permanently established for one or more terminals. Establishing a segment includes defining communication parameters including terminal addresses. Rules are also defined, being valid specifically for the segment, which are stored in the control unit 406.
  • If a data packet received from a terminal in one segment is destined to a terminal in another segment of the same access point 400, the packet is forwarded to the control unit 406 for performing the controlling functions based on the parameters and rules defined for the respective segments, which may be defined by a network provider.
  • The network provider may define rules for communication between two specific segments which may relate to charging, traffic filtering etc., as exemplified above.
  • Four wireless terminals T1-T4 are currently connected to the access point 400.
  • Segments S1-S3 have been established for the terminals T1-T4 such that terminal T1 belongs to segment S1, terminal T2 belongs to segment S2, and both terminals T3 and T4 belong to segment S3.
  • A packet arriving from terminal T1 being destined to terminal T2 is first handled at the access point in the communication unit 402 according to the physical layer 400A.
  • The packet is then forwarded to the interface handler 404 which recognises that the packet is to be treated and controlled according to parameters and/or rules defined for segments S1 and S2.
  • The packet may then be transferred to the control unit 406 for executing specific control functions as dictated by the rules.
  • The control may be executed in one or more higher network protocol layers, being implemented in the control unit 406. If the control unit 406 determines that the packet is permitted to be sent to the destined terminal T2, the packet is forwarded back to the communication unit 402 for final transmission to the destined terminal T2.
  • Communication with terminal T2 in segment S2 is treated according to rules defined for segment S2.
  • The next segment S3 is established for a group of two terminals T3 and T4.
  • The terminals T3 and T4 may belong to the same user or household, and the rules defined for segment S3 may permit uncontrolled and unrestricted communication therebetween.
  • A repeating function, not shown, may then be used for data packets communicated between terminals T3 and T4 without any further control.
  • Alternatively, the rules may dictate that specific control functions are executed for traffic within segment S3, for providing isolation between terminals.
  • A network operator may have decided that no data packets at all can be communicated between two segments, e.g., S1 and S3.
  • The interface handler 404 determines whether an incoming data packet includes a destination address within the same segment as the sending terminal, and whether the packet can be re-transmitted without further control in higher protocol layers. Otherwise, the packet is forwarded to the control unit 406 for performing specific control functions accordingly, as described above. In order to make it more difficult for any unauthorised terminal to intercept transmitted packets, measures may be taken to isolate the transmissions. For example, a directional antenna may be used by at least one of the sending and receiving terminals.
  • Directional antennas will also make it more difficult for terminals to use ad hoc mode, and for a terminal to transmit packets to plural terminals simultaneously, which will thus increase the overall security level. Thereby, the transmissions can be controlled and registered by the access point, as described above.
  • Link encryption may be used for packets transmitted between a terminal and the access point, e.g., using one or more encryption keys which are known only by the terminal and the access point. This will also prevent terminals from communicating in ad hoc mode.
  • Transmissions are forced over the access point, thereby enabling control and registration. It is then also possible for the access point to detect any unauthorised data packets, e.g., containing deceiving messages, and to detect any illicit attacks.
  • The functional units 402, 404 and 406 in Fig. 4 are merely logically represented and may be implemented as software in one or more processors anywhere in the access point 400.
  • The interface handler 404 functionality may for example be integrated with the communication unit 402.
  • The interface handler 404 and the control unit 406 can be integrated into one functional unit.
  • The invention has been described in the context of an access point of a WLAN using the IEEE802.11b standard. However, the invention may be used in any access point communicating with plural terminals in any type of network, provided that a shared communication channel is used for communicating data packets between terminals over the access point.
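The forwarding decision described for access point 400, as an added Python simulation that is not part of the patent: the interface handler 404 repeats an intra-segment packet blindly only where that segment's rules permit it, and hands everything else to the control unit 406, which runs the rules stored for the (source segment, destination segment) pair and keeps byte records for charging. Assumptions not in the patent: the labels T1-T4 stand in for MAC addresses, rules are plain callables (a port filter, a token-bucket shaper and a deny-all policy), and a segment pair with no defined rules is denied.

```python
# Added simulation of segment-based forwarding in access point 400 (Fig. 4).
# Not the patent's code. Assumed: T1-T4 stand in for MAC addresses, rules are
# callables, shaping is a token bucket, undefined segment pairs are denied.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    sa: str           # source address (SA), read at the link layer
    da: str           # destination address (DA), read at the link layer
    dport: int = 80   # transport port, seen only by the control unit
    size: int = 1000  # bytes, used for shaping and charging records


# A control function returns None to pass the packet or a short drop reason.
ControlFn = Callable[[Packet, float], Optional[str]]


class TokenBucket:
    """Token bucket limiting the amount of bytes sent between two segments."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst         # bytes/second, max bytes
        self.tokens, self.last = float(burst), 0.0  # current credit, last refill time

    def allow(self, size: int, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def port_filter(allowed: Set[int]) -> ControlFn:
    """Firewall-style filtering by port (cf. class H04L63/0236)."""
    return lambda pkt, now: None if pkt.dport in allowed else "port-filter"


def shaper(bucket: TokenBucket) -> ControlFn:
    """Traffic shaping: drop what exceeds the bucket (cf. class H04L47/22)."""
    return lambda pkt, now: None if bucket.allow(pkt.size, now) else "shaped"


def deny_all() -> ControlFn:
    """Operator policy: no packets at all between the two segments."""
    return lambda pkt, now: "policy"


class AccessPoint:
    def __init__(self) -> None:
        self.segment_of: Dict[str, str] = {}           # terminal -> segment
        self.blind_repeat: Dict[str, bool] = {}        # segment -> uncontrolled intra traffic
        self.rules: Dict[Tuple[str, str], List[ControlFn]] = {}
        self.records: Dict[Tuple[str, str], int] = {}  # bytes forwarded per segment pair

    def define_segment(self, seg: str, blind_repeat: bool = False) -> None:
        self.blind_repeat[seg] = blind_repeat

    def add_terminal(self, terminal: str, seg: str) -> None:
        self.segment_of[terminal] = seg

    def define_rules(self, src: str, dst: str, fns: List[ControlFn]) -> None:
        self.rules[(src, dst)] = fns

    def handle(self, pkt: Packet, now: float = 0.0) -> str:
        """Return what the access point does with pkt (repeat/forward/drop/uplink)."""
        src = self.segment_of.get(pkt.sa)
        if src is None:
            return "drop:unknown-source"  # sender is not a terminal of this BSS
        dst = self.segment_of.get(pkt.da)
        if dst is None:
            return "uplink"               # handed to interface unit 408, out of scope
        # Interface handler 404: same segment and repeat permitted -> blind repeat.
        if src == dst and self.blind_repeat.get(src, False):
            return "repeat"
        # Control unit 406: run the rules stored for this segment pair.
        fns = self.rules.get((src, dst))
        if fns is None:
            return "drop:no-rule"         # assumed default: undefined pairs are denied
        for fn in fns:
            reason = fn(pkt, now)
            if reason:
                return "drop:" + reason
        self.records[(src, dst)] = self.records.get((src, dst), 0) + pkt.size
        return "forward"


def build_fig4_scenario() -> AccessPoint:
    """T1 in S1, T2 in S2, T3 and T4 in S3, with constructed rules."""
    ap = AccessPoint()
    for seg, blind in (("S1", False), ("S2", False), ("S3", True)):
        ap.define_segment(seg, blind)
    for terminal, seg in (("T1", "S1"), ("T2", "S2"), ("T3", "S3"), ("T4", "S3")):
        ap.add_terminal(terminal, seg)
    # S1 -> S2: web ports only, 3000-byte burst then 1000 bytes/s (constructed values).
    ap.define_rules("S1", "S2", [port_filter({80, 443}), shaper(TokenBucket(1000.0, 3000))])
    ap.define_rules("S1", "S3", [deny_all()])  # operator forbids traffic from S1 to S3
    return ap
```

Calling `build_fig4_scenario().handle(Packet("T3", "T4"))` gives `"repeat"`, while a packet from T1 to T2 goes through the port filter and shaper before being forwarded and recorded.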

Abstract

A method and system for controlling wireless transmission of data packets between an access point (102) and wireless terminals (108, 110), using a shared communication channel. Connections between the terminals and the access point are divided into communication segments, wherein each segment is established for at least one terminal and comprises certain communication parameters and rules. Control functions are performed for communicated packets depending on and according to the communication parameters and rules of the respective segments or segment. Traffic between terminals being connected to the same access point can then be controlled and filtered, and traffic shaping can be performed in an access point for a shared channel.

Description

A METHOD AND SYSTEM FOR CONTROLLING AND FILTERING TRAFFIC IN A WIRELESS NETWORK
TECHNICAL FIELD
The present invention relates generally to a method and system for controlling and filtering mobile communication traffic. In particular, data packets communicated between wireless terminals being connected to the same access point can be controlled and filtered.
BACKGROUND OF THE INVENTION AND PRIOR ART
Wide-ranging mobile access networks are often designed as cellular networks including a plurality of base stations being connected together by means of switching nodes such as Base Station Controllers (BSC) and/or Mobile Switching Centres (MSC). Each base station provides radio coverage over an area known as a cell, for communication over radio channels with mobile terminals located in the cell. When setting up radio connections with mobile terminals, standardised communication protocols and radio channels are used, such as those defined for GSM, TDMA, PDC, UMTS, etc., for transmission of speech and/or data over the air interface as well as within the network, thereby providing a certain data rate. Digital circuit-switched radio channels of today, e.g., according to the GSM standard, are primarily designed for communication of encoded speech, providing data rates of less than 10 kbit/s. Such mobile networks are used for providing radio coverage over large areas, often entire countries. A multitude of new mobile services are now developed, which can be employed in particular as new technologies with greater capacity and higher data rates are introduced. Such services are typically available over the Internet and may involve voice, text, images, audio and video files, etc. in various different formats and combinations.
Currently, enhanced wireless access technologies are emerging having far greater data rates, such as WLAN (Wireless Local Area Network). WLAN is designed to provide high speed connections primarily in small hot spot areas, such as airports, hotels and conference venues, providing fast Internet access and other data services to visitors. WLAN may of course also be used in residential and office environments.
The term "WLAN", as commonly used, actually stands for a plurality of high-speed wireless technologies for packet based communication with data rates ranging between 1-50 Mbit/s, depending on transmission conditions and protocols used. Radio channels are often used in freely available frequency bands, such as 2.4 GHz and beyond, requiring no operator licence. However, other access technologies may also be used, such as infrared signalling. A WLAN may comprise one or more stationary radio stations or the like, acting as access points to which wireless terminals having WLAN capabilities may be connected over predefined channels. The wireless terminals may be mobile or stationary and can be used by subscribers at home, in an office, or when visiting other areas. A WLAN access point may be directly connected to an extension of a fixed LAN (Local Area Network) which in turn, through various gateways and/or routers, may provide access to the Internet or an intranet. Internet services are normally delivered from a public telecommunication operator.
One such WLAN standard is the IEEE802.11b, which can be used to provide access to the Internet and other data networks for wireless terminals, using either radio frequency carriers or infrared carriers. The IEEE802.11b standard is similar to the communication standards used in Ethernet data networks with respect to protocol layers, allowing for smooth and uniform communication between WLANs and fixed Ethernet data networks.
Each access point in a WLAN using the IEEE802.11b standard is allocated a channel which is shared by terminals currently being wirelessly connected to that access point. The connected terminals constitute together with the access point a "Basic Service Set" BSS, according to the terminology used in the IEEE802.11b standard.
In order to avoid interference within the BSS, the communicating terminals may be dynamically multiplexed in time over the shared communication channel by using, e.g., a polling procedure or a scheduling function, as are known in the art. If random access type transmissions from terminals interfere by collision, the normal procedure is to simply try again, e.g., after a random delay time. In a WLAN access point, the shared channel is used for transmitting data packets to and from individual terminals, and for broadcast transmissions from the access point to plural terminals simultaneously. However, in the case when a terminal determines itself that it is allowed to use the channel, the terminal can easily occupy the shared channel for long periods of time, thereby denying transmission access to the channel for other terminals as well as for the access point itself.
Terminals connected to the same access point may of course communicate with each other. According to the IEEE802.11b standard, the access point then acts as a repeater by simply re-transmitting data packets from one terminal to another. This repeating function is executed after reading destination and source addresses in a received packet, and it is not necessary to read the remaining packet contents at the access point. If the destination and source addresses are recognised as belonging to the same BSS, the packet is not processed further and is automatically retransmitted.
Since a single shared channel is used for each access point, it is also possible for terminals to communicate signals directly between them, without using the access point as a repeater, which is sometimes referred to as "ad hoc mode". It is however preferable to communicate signals over the access point, since the signals are more reliably received and transmitted by using, e.g., better radio equipment and a higher antenna position.
However, the repeating function allows for all terminals within a BSS to receive any such re-transmitted data packets, which may become a drawback since data traffic addressed to one terminal can be intercepted by any of the other terminals being connected to the same access point. This enables illicit eavesdropping of an unauthorised terminal on traffic intended for another terminal. Addresses of active terminals can thereby also be identified, and deceiving messages can be sent back to the identified terminal for various ill-intended purposes.
The repeating function in previous solutions is "blind", since only destination and source addresses are checked in each data packet before re-transmission, without any further control. Terminals within a BSS can thus communicate with each other over the access point without any restrictions or control being applied. This facilitates exchange of packets which may violate the network operators policy and/or degrade the performance of the network and/or interfere with normal operation of the network.
For example, it is possible for a 'malicious' terminal to impersonate a default gateway, thereby making a "man-in-the-middle" attack. This can be done by sending a specific message including its own address as a faked gateway address, to one or more terminals, for illicitly receiving packets transmitted therefrom. In other words, the attacked terminals will then send their traffic, intended for the real default gateway, to the 'malicious' terminal instead. Thereby, the 'malicious' terminal can read potentially sensitive content in transmitted packets, including secret information such as bank account numbers or passwords. The 'malicious' terminal may then send the packets on to the real default gateway, possibly after modifying the packets as well.
Furthermore, the possibilities for a network operator to register bandwidth consumption and to perform relevant charging are also limited when such blind repetition of packets is used in an access point.
In order to avoid the problems outlined above, it is desirable to be able to control and filter traffic between terminals being connected to the same access point. It is also desirable to be able to perform traffic shaping in an access point for a shared channel. Traffic shaping may include controlling traffic flows, packet scheduling with respect to, e.g., required QoS (Quality of Service) and/or priorities, and limiting the amount of transmitted packets to or from specific terminals. Traffic shaping may also be performed according to pre-defined subscriptions.
Furthermore, it is desirable to provide isolation of transmissions from one terminal to another being connected to the same access point, in order to ensure that the terminals will communicate with each other over the access point, and not in the "ad hoc mode". Thereby, the transmissions can be controlled and registered by the access point as discussed above.
The security level can also be generally increased by increasing the isolation of transmissions from one terminal to another being connected to the same access point, such that interception by any third unauthorised terminal of transmitted data packets is made more difficult. It is also desirable to prevent the transmission of unauthorised data packets between terminals, e.g., containing deceiving messages, and to prevent any illicit attacks.
SUMMARY OF THE INVENTION
The object of this invention is to reduce or eliminate the problems outlined above. This object and others are obtained by providing a method and system for controlling wireless transmission of data packets between an access point and wireless terminals, wherein a shared communication channel is used for transmissions between the access point and the terminals.
The connections between the terminals and the access point are divided into communication segments, wherein each segment is established for at least one terminal and comprises certain communication parameters and rules. When a data packet is received from a first terminal connected to the access point, at least a destination address in the received packet is read. It is then determined whether the packet is destined to a second terminal connected to the same access point. Specific control functions are then performed for the packet, depending on and according to the communication parameters and rules of the respective segments or segment.
Communication segments are established by defining and storing communication parameters and rules for data packets being communicated with terminals belonging to each segment. The defined parameters and rules may thus dictate that specific control functions are performed for the packet, or that the packet is allowed to be re-transmitted without further control. The control functions may involve any of: charging, firewall functionality, routing, bridging, legal interception by forwarding packets to legal authorities, filtering of unauthorised packets and traffic shaping.
Each segment may be dynamically established when a connection with a terminal is initiated, or may be more or less permanently established for one or more terminals. A directional antenna may be used by one or more terminals, and link encryption may be used between the access point and one or more terminals, for providing isolation between terminals. Such isolation will make it more difficult for any unauthorised terminal to intercept transmitted packets, and will force transmissions over the access point, thereby enabling control and registration.
BRIEF DESCRIPTION OF THE DRAWINGS
The present invention will now be described in more detail and with reference to the accompanying drawings, in which:
Fig. 1 is a schematic view of a communication scenario in which the invention may be implemented.
Fig. 2 is a schematic illustration of communication protocols in an access point and two terminals.
Fig. 3 is a schematic illustration of a data packet being communicated between two terminals.
Fig. 4 is a schematic block diagram of an access point.
DESCRIPTION OF PREFERRED EMBODIMENTS
Fig. 1 is a schematic view of an exemplary communication scenario in which the present invention may be implemented. A WLAN 100 comprises a plurality of access points, of which only one access point 102 is shown. The WLAN 100 is connected by means of a communication link 104 to a backbone network 106, which may be the Internet, an intranet, a fixed public or private network, or any combination of such networks. The communication link 104 may be a wireline connection or a wireless connection. In Fig. 1, two wireless terminals 108, 110 are currently connected to the access point 102 by means of radio interfaces. By way of example, the terminals 108, 110 may be mobile phones, laptop computers, personal digital assistants or the like. Routers of private networks may also be used for wireless communication over the access point 102, acting as terminals towards the access point. In general, a shared communication channel is used for communication between the access point 102 and terminals connected thereto. In this example, data packets are communicated between the access point 102 and the terminals 108, 110 according to the IEEE802.11b standard.
In each access point of the WLAN 100 as well as in each communicating terminal, a communication protocol is implemented having a plurality of stacked layers for handling incoming and outgoing data packets, as is well known in the art. The lowest layer is a "physical layer" for handling radio signals, and the next layer is a "link layer" for handling communication link parameters of the radio interface between a terminal 108, 110 and the access point 102. Further layers are also provided in higher levels, such as those of the well-known IP (Internet Protocol) stack. A communicated data packet can be transferred between the layers within each protocol for processing the packet at different levels.
Such protocols in the communicating parties 102, 108, 110 of Fig. 1 are schematically illustrated in Fig. 2, where 200 denotes a protocol stack in the access point 102, and 202 and 204 denote protocol stacks in the terminals 108 and 110, respectively. Each of the protocol stacks 200, 202, 204 comprises a physical layer 200A, 202A, 204A and a link layer 200B, 202B, 204B, respectively. In previous solutions, all connections between terminals and an access point constitute a common "segment" which is terminated in the link layers of the respective terminals and the access point. Thus, the segment belonging to the access point 102 is terminated in link layer 202B of the terminal 108, in link layer 204B of the terminal 110 and in link layer 200B of the access point 102. Such a segment corresponds to the "Basic Service Set" BSS in the IEEE802.11b standard. According to this standard, each access point comprises a repeating function for re-transmitting packets within the same BSS, as described above.
With reference to Fig. 3, the terminal 108 sends a data packet 300 destined to the terminal 110, by transmitting the packet to a serving access point. After being received at the physical layer 200A of the protocol 200 in the access point, link addresses specified in the packet 300 are read at link layer 200B, as indicated by dashed arrows. The link addresses in the packet 300 include a source address SA of the sending terminal 108, a destination address DA of the destined terminal 110 and an access point address AA. The addresses are MAC (Media Access Control) addresses in this case.
By reading these addresses, the access point 102 recognises that the sending and receiving terminals 108, 110 belong to the same BSS of the access point 102, and according to previous solutions, an automatic repeating function 302 is then activated for re-transmitting the packet. The repeating function 302 thus automatically retransmits packets within the same segment without any further checking or control, which may lead to the drawbacks outlined in the background section of this description. The present invention is intended to avoid such unrestricted and uncontrolled re-transmission of packets, and provides a mechanism which makes it more difficult for any third unauthorised terminal to intercept communicated packets and for terminals to communicate in ad hoc mode. The automatic repeating function is thus not used "blindly" and the link layer in each access point is modified to include an interface handler which provides for various control functions, which will be described below with reference to Fig. 4.
Fig. 4 illustrates a preferred embodiment of the present invention. An access point 400 is shown, in which a radio communication protocol is implemented, including a physical layer 400A and a link layer 400B, schematically indicated by dashed lines. The access point 400 comprises a communication unit 402 for handling radio signals in the physical layer 400A, which may include various radio components, such as an antenna, transceivers, modulators/demodulators, not shown. In practice, the communication unit 402 may comprise a so-called radio card or the like.
The access point 400 further comprises an interface handler 404 for handling communication interfaces for connected terminals, as logically dealt with in link layer 400B. The interface handler 404 is connected to a control unit 406 which is further connected to an interface unit 408 providing communication with other access points or with a gateway to other networks, such as the backbone network 106 in Fig. 1. The interface unit 408 may preferably be based on the Ethernet standard or any other used LAN (Local Area Network) or WAN (Wide Area Network) standard.
The control unit 406 is configured to perform various controlling and/or filtering functions for data packets communicated to or from terminals connected to the access point 400. For example, such controlling and filtering functions may involve charging, firewall functionality, routing, bridging, legal interception by forwarding packets to legal authorities, filtering of unauthorised packets and traffic shaping as exemplified above. These functions may be performed in one or more higher layers of one or more network protocols being used, which can be implemented in the control unit 406, such as an IP stack. The controlling and/or filtering functions are thus stored in the access point 400 and can be remotely updated. A remote network managing system, not shown, may be connected to access points in the network for configuring the access points with respect to, e.g., security, alarms, performance and the control functions discussed above. The network managing system may also receive and process traffic records for charging and registration.
The interface handler 404 is configured to divide plural current terminal connections into individual or grouped segments. Each segment may be dynamically established when a terminal connection is initiated. Alternatively, a segment may be more or less permanently established for one or more terminals. Establishing a segment includes defining communication parameters including terminal addresses. Rules are also defined, being valid specifically for the segment, which are stored in the control unit 406.
Thus, when a data packet, received from a terminal in one segment, is destined to a terminal in another segment of the same access point 400, the packet is forwarded to the control unit 406 for performing the controlling functions based on the parameters and rules defined for respective segments, which may be defined by a network provider. For example, the network provider may define rules for communication between two specific segments which may relate to charging, traffic filtering etc., as exemplified above. In Fig. 4, four wireless terminals T1-T4 are currently connected to the access point 400. In this example, segments S1-S3 have been established for the terminals T1-T4 such that terminal T1 belongs to segment S1, terminal T2 belongs to segment S2, and both terminals T3 and T4 belong to segment S3.
Thus, a packet arriving from terminal T1 being destined to terminal T2 is first handled at the access point in the communication unit 402 according to the physical layer 400A. The packet is then forwarded to the interface handler 404 which recognises that the packet is to be treated and controlled according to parameters and/or rules defined for segments S1 and S2. The packet may then be transferred to the control unit 406 for executing specific control functions as dictated by the rules. As mentioned above, the control may be executed in one or more higher network protocol layers, being implemented in the control unit 406. If the control unit 406 determines that the packet is permitted to be sent to the destined terminal T2, the packet is forwarded back to the communication unit 402 for final transmission to the destined terminal T2.
Correspondingly, communication with terminal T2 is treated according to rules defined for segment S2. The next segment S3 is established for a group of two terminals T3 and T4. For example, the terminals T3 and T4 may belong to the same user or household, and the rules defined for segment S3 may permit uncontrolled and unrestricted communication therebetween. A repeating function, not shown, may then be used for data packets communicated between terminals T3 and T4 without any further control. Alternatively, the rules may dictate that specific control functions are executed for traffic within segment S3, for providing isolation between terminals. On the other hand, a network operator may have decided that no data packets at all can be communicated between two segments, e.g., S1 and S3. This may be the case if a user of, e.g., terminal T1 does not trust a user of terminals T3 and T4.
The interface handler 404 thus determines whether an incoming data packet includes a destination address within the same segment as the sending terminal, and whether the packet can be re-transmitted without further control in higher protocol layers. Otherwise, the packet is forwarded to the control unit 406 for performing specific control functions accordingly, as described above.
In order to make it more difficult for any unauthorised terminal to intercept transmitted packets, measures may be taken to isolate the transmissions. For example, a directional antenna may be used by at least one of the sending and receiving terminals. Directional antennas will also make it more difficult for terminals to use ad hoc mode, and for a terminal to transmit packets to plural terminals simultaneously, which will thus increase the overall security level. Thereby, the transmissions can be controlled and registered by the access point, as described above.
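The segment handling described for Fig. 4 (and steps A to D of the method), as an added Python simulation that is not part of the patent or any product: the interface handler reads SA, DA and AA and selects the applicable segment rule, and the control unit applies charging and a simplified per-terminal packet quota as one form of traffic shaping. The MAC addresses, the `packet_quota` field and the rule and result strings are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    REPEAT = "repeat"    # re-transmit at the link layer without further control
    CONTROL = "control"  # hand the packet to the control unit (higher-layer functions)
    DENY = "deny"        # no packets at all may pass


@dataclass(frozen=True)
class Segment:
    name: str
    terminals: frozenset      # MAC addresses registered as parameters of this segment
    intra_action: Action      # rule for packets that stay inside the segment
    packet_quota: int = 0     # hypothetical shaping rule: max packets per terminal, 0 = none


@dataclass(frozen=True)
class Frame:
    sa: str      # source address (sending terminal)
    da: str      # destination address
    aa: str      # access point address
    length: int  # payload size in bytes, feeds the charging record


class AccessPoint:
    def __init__(self, aa, segments, inter_rules):
        self.aa = aa
        self.segments = {s.name: s for s in segments}
        # inter-segment rules are symmetric, so key them by the sorted segment pair
        self.inter_rules = {tuple(sorted(k)): v for k, v in inter_rules.items()}
        self.segment_of = {t: s.name for s in segments for t in s.terminals}
        self.charged_bytes = {s.name: 0 for s in segments}  # per-segment charging record
        self.packets_sent = {}                              # per-terminal counter for shaping

    def interface_handler(self, frame):
        """Steps B and C: read the link addresses and select the rule that applies."""
        if frame.aa != self.aa:
            return Action.DENY, "not addressed to this access point"
        src = self.segment_of.get(frame.sa)
        if src is None:
            # source address matches no segment parameters: unauthorised packet
            return Action.DENY, "source address not registered in any segment"
        dst = self.segment_of.get(frame.da)
        if dst is None:
            # destination is outside the BSS: always goes through the control unit
            return Action.CONTROL, "destination outside BSS"
        if src == dst:
            return self.segments[src].intra_action, "intra-segment rule for " + src
        rule = self.inter_rules.get(tuple(sorted((src, dst))), Action.CONTROL)
        return rule, "inter-segment rule for " + src + "/" + dst

    def control_unit(self, frame):
        """Step D: higher-layer control functions, here charging and simple traffic shaping."""
        src = self.segment_of[frame.sa]
        count = self.packets_sent.get(frame.sa, 0) + 1
        quota = self.segments[src].packet_quota
        if quota and count > quota:
            return False, "traffic shaping: packet quota exceeded"
        self.packets_sent[frame.sa] = count
        self.charged_bytes[src] += frame.length
        return True, "permitted after control"

    def handle(self, frame):
        action, reason = self.interface_handler(frame)
        if action is Action.DENY:
            return "dropped: " + reason
        if action is Action.REPEAT:
            return "repeated: " + reason
        ok, detail = self.control_unit(frame)
        return ("forwarded: " if ok else "dropped: ") + detail


# Constructed addresses for the Fig. 4 scenario: T1 in S1, T2 in S2, T3 and T4 in S3.
AP, T1, T2, T3, T4 = ("02:00:00:00:00:aa", "02:00:00:00:00:01", "02:00:00:00:00:02",
                      "02:00:00:00:00:03", "02:00:00:00:00:04")
ROGUE = "02:00:00:00:00:ff"  # a terminal that never associated with the access point


def build_access_point():
    segments = [
        Segment("S1", frozenset({T1}), Action.CONTROL),
        Segment("S2", frozenset({T2}), Action.CONTROL, packet_quota=2),
        Segment("S3", frozenset({T3, T4}), Action.REPEAT),  # same household: free repeat
    ]
    return AccessPoint(AP, segments, {("S1", "S3"): Action.DENY})  # operator forbids S1 <-> S3


def run_scenario():
    ap = build_access_point()
    results = [
        ap.handle(Frame(T1, T2, AP, 300)),    # S1 -> S2: controlled, then permitted
        ap.handle(Frame(T1, T3, AP, 300)),    # S1 -> S3: denied by the operator rule
        ap.handle(Frame(T3, T4, AP, 300)),    # inside S3: blind repeat is allowed
        ap.handle(Frame(ROGUE, T1, AP, 60)),  # unregistered source address
        ap.handle(Frame(T2, T1, AP, 100)),
        ap.handle(Frame(T2, T1, AP, 100)),
        ap.handle(Frame(T2, T1, AP, 100)),    # third packet from T2 exceeds its quota
    ]
    return results, ap.charged_bytes
```

Packets that stay inside S3 never reach the control unit, so they are neither charged nor counted against a quota, which is exactly the trade-off the text describes for a segment with unrestricted repetition.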
Further, link encryption may be used for packets transmitted between a terminal and the access point, e.g., using one or more encryption keys which are known only by the terminal and the access point. This will also prevent terminals from communicating in ad hoc mode.
By providing isolation between terminals as described above, transmissions are forced over the access point, thereby enabling control and registration. It is then also possible for the access point to detect any unauthorised data packets, e.g., containing deceiving messages, and to detect any illicit attacks.
It should be noted that the functional units 402, 404 and 406 in Fig. 4 are merely logically represented and may be implemented as software in one or more processors anywhere in the access point 400. In an alternative embodiment, the interface handler 404 functionality may for example be integrated with the communication unit 402. In another embodiment, the interface handler 404 and the control unit 406 can be integrated into one functional unit. The invention has been described in the context of an access point of a WLAN using the IEEE802.11b standard. However, the invention may be used in any access point communicating with plural terminals in any type of network, provided that a shared communication channel is used for communicating data packets between terminals over the access point.
While the invention has been described with reference to specific exemplary embodiments, the description is only intended to illustrate the inventive concept and should not be taken as limiting the scope of the invention. Various alternatives, modifications and equivalents may be used without departing from the spirit of the invention, which is defined by the appended claims.

Claims

1. A method of controlling wireless transmission of data packets between an access point and wireless terminals, wherein a shared communication channel is used for transmissions between the access point and the terminals, characterised in that connections between the terminals and the access point are divided into communication segments, wherein each segment is established in the access point for at least one terminal and comprises certain communication parameters and rules, the method comprising the following steps:
A) receiving a data packet from a first terminal connected to the access point,
B) reading at least a destination address in the received packet,
C) determining whether the packet is destined to a second terminal connected to the same access point, and
D) performing specific control functions for the packet depending on and according to the communication parameters and rules of the respective segments or segment.
2. A method according to claim 1, characterised in that the communication segments are established by defining and storing the communication parameters and rules for data packets being communicated with terminals belonging to each segment.
3. A method according to claim 1 or 2, characterised in that a segment is established dynamically for a terminal when a connection is initiated with that terminal.
4. A method according to any of claims 1 - 3, characterised in that a segment is established more or less permanently for one or more terminals.
5. A method according to any of claims 1 - 4, characterised in that the control functions involve any of: charging, firewall functionality, routing, bridging, legal interception by forwarding packets to legal authorities, filtering of unauthorised packets and traffic shaping.
6. A method according to claim 5, characterised by the step of remotely updating the control functions in the access point.
7. A method according to any of claims 1 - 6, characterised in that the first and second terminals belong to different segments.
8. A method according to any of claims 1 - 6, characterised in that a communication segment is established for a group of at least two terminals.
9. A method according to claim 8, characterised in that the first and second terminals belong to said group of the same segment, and that specific control functions are performed in step D) according to communication parameters and rules defined for traffic within that segment for providing isolation between terminals.
10. A method according to claim 8, characterised in that the first and second terminals belong to said group of the same segment, and that the packet is re-transmitted without further control according to rules defined for traffic within that segment.
11. A method according to any of claims 1 - 10, characterised in that a directional antenna is used by one or more terminals for providing isolation between terminals.
12. A method according to any of claims 1 - 11, characterised in that link encryption is used between the access point and one or more terminals for providing isolation between terminals.
13. A method according to any of claims 1 - 9, 11 or 12, characterised in that the control functions are executed in one or more layers of one or more network protocols being used.
14. A system for controlling wireless transmission of data packets, the system comprising an access point and a plurality of wireless terminals, wherein a shared communication channel is used for transmissions between the access point and the terminals, characterised in that the access point comprises:
- means for dividing the connections between the terminals and the access point into communication segments, wherein each segment is established for at least one terminal and comprises certain communication parameters and rules,
- means for receiving a data packet from a first terminal connected to the access point,
- means for reading at least a destination address in the received packet,
- an interface handler for determining whether the packet is destined to a second terminal connected to the same access point, and
- a control unit for performing specific control functions for the packet depending on and according to the communication parameters and rules of the respective segments or segment.
15. A system according to claim 14, characterised in that the access point belongs to a WLAN (Wireless Local Area Network) using the IEEE802.11b standard.
16. A system according to claim 14 or 15, characterised in that one or more of the terminals includes a directional antenna for providing isolation between terminals.
17. A system according to any of claims 14 - 16, characterised by means for using link encryption between the access point and one or more of the terminals for providing isolation between terminals.
PCT/SE2003/000402 2002-03-11 2003-03-11 A method and system for controlling and filtering traffic in a wireless network WO2003077477A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP03744092A EP1488575A1 (en) 2002-03-11 2003-03-11 A method and system for controlling and filtering traffic in a wireless network
AU2003215992A AU2003215992A1 (en) 2002-03-11 2003-03-11 A method and system for controlling and filtering traffic in a wireless network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SE0200717-7 2002-03-11
SE0200717A SE0200717D0 (en) 2002-03-11 2002-03-11 A method and system for controlling and filtering traffic in a wireless network

Publications (1)

Publication Number Publication Date
WO2003077477A1 true WO2003077477A1 (en) 2003-09-18