[go: up one dir, main page]

CN1326065C - Differentiated connectivity in a pay-per-use public data access system - Google Patents

Differentiated connectivity in a pay-per-use public data access system Download PDF

Info

Publication number
CN1326065C
CN1326065C CNB028284941A CN02828494A CN1326065C CN 1326065 C CN1326065 C CN 1326065C CN B028284941 A CNB028284941 A CN B028284941A CN 02828494 A CN02828494 A CN 02828494A CN 1326065 C CN1326065 C CN 1326065C
Authority
CN
China
Prior art keywords
group
application service
network
user
equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB028284941A
Other languages
Chinese (zh)
Other versions
CN1647059A (en
Inventor
A·阿查里雅
C·比斯迪基安
高英培
A·马斯里
M·C·罗苏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Publication of CN1647059A publication Critical patent/CN1647059A/en
Application granted granted Critical
Publication of CN1326065C publication Critical patent/CN1326065C/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00Digital computers in general; Data processing equipment in general
    • G06F15/16Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02Standardisation; Integration
    • H04L41/0246Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols
    • H04L41/0253Exchanging or transporting network management information using the Internet; Embedding network management web servers in network elements; Web-services-based protocols using browsers or web-pages for accessing management information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/51Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/101Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measures for digital rights management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

This invention offers tiered application services for access to network services on a pay-per-use basis in public access networks. Using personal devices (108), the user can access different tiers of application services on demand (103, 104), without the need of any preexisting association, e.g., subscription, with the service provider of the wireless access system (111). Such on-demand access is obtained by providing a variety of personal identifiers, such as a credit card number or frequent flier identification. Moreover, the service offering allows a user through a personal device to modify, enhance or degrade the currently established tier of application services during the lifetime of the user's association with the access network. A network-level enforcement mechanism at access points within the access network ensures user access only to application services within the application service tier that they have paid for, and denies service accesses not within that tier.

Description

按使用付费的公共数据访问系统中的有区分连接Discriminated connectivity in pay-per-use public data access systems

优先权priority

本申请要求提交于2002年3月8日、所分配序列号为60/363,327的、具有相同标题的美国申请的优先权。This application claims priority to US application of the same title, filed March 8, 2002, assigned serial number 60/363,327.

技术领域technical field

本发明涉及计算机网络连接的领域。尤其涉及通过可公开访问的网络基础架构的因特网访问。The present invention relates to the field of computer network connections. In particular, it concerns Internet access through publicly accessible network infrastructures.

背景技术Background technique

本发明涉及一种机制,通过该机制用户可利用他们自己的个人设备,如笔记本计算机和个人数字助理(PAD)访问基于包(packet-based)的网络服务,这些网络服务是由服务提供商在如机场、商场、旅馆等公共场合提供的。这类公共访问服务提供商可提供多种有线或无线技术,通过这些技术人们将他们的个人设备连接到网络和它的相关服务。随着局域网和个域网(personal area network)的新无线技术标准(分别指无线LAN和无线PAN)的出现,我们看到公共服务的提供数量尤其是本发明中所考虑的服务类型的数量正迅速增长,。例如,公共无线访问可通过无线LAN技术,诸如那些基于IEEE 802.11系列标准的技术,或者通过无线PAN技术,诸如蓝牙无线技术来提供。The present invention relates to a mechanism by which users can utilize their own personal devices, such as notebook computers and personal digital assistants (PADs), to access packet-based network services provided by service providers at Such as airports, shopping malls, hotels and other public places. Such public access service providers offer a variety of wired or wireless technologies through which people connect their personal devices to the network and its associated services. With the advent of new wireless technology standards for Local Area Networks and Personal Area Networks (Wireless LAN and Wireless PAN respectively), we are seeing an increase in the number of public services provided, especially the types of services considered in the present invention. Rapid growth,. For example, public wireless access may be provided through wireless LAN technologies, such as those based on the IEEE 802.11 series of standards, or through wireless PAN technologies, such as Bluetooth wireless technology.

典型地,基于包的数据服务提供要求用户首先向数据服务提供商,如因特网服务提供商(ISP)预先注册,如预订,从而与该提供商建立长期的“付费”关系。这一过程通常以离线方式完成,在该用户能访问这一公共服务之前建立和激活该提供商一订户关系。这一订户关系包括用户简档的定义,该定义指定了该个人用户被授权访问的服务范围。ISP一般提供一个当地的或甚至免费的(toll-free)电话号码,其允许从许多地理上遥远的位置以一种额外增加费用(除订购费之外)访问该同一ISP。然而,对于通过无线公共服务去访问数据服务而言,该机制具有严重的缺点:如果用户试图访问由一提供商运营的公共访问基础架构,而该提供商不同于那些他们已与其建立了预订关系的提供商,那么这些用户将被拒绝访问,除非他们也向该新提供商进行预订。这样的限制挫败了公共访问基础架构的前提,其理想地希望总是为尽可能多的用户服务(及向其收费)。Typically, packet-based data service offerings require users to first pre-register, eg, subscribe, with a data service provider, such as an Internet Service Provider (ISP), thereby establishing a long-term "paid" relationship with the provider. This process is usually done offline, establishing and activating the provider-subscriber relationship before the user can access the common service. This subscriber relationship includes the definition of a user profile, which specifies the range of services that the individual user is authorized to access. ISPs typically provide a local or even toll-free phone number that allows access to the same ISP for an additional fee (in addition to the subscription fee) from many geographically remote locations. However, for accessing data services via wireless public services, this mechanism has a serious disadvantage: if users try to access a public access infrastructure operated by a provider different from those with which they have established a subscription relationship provider, those users will be denied access unless they also subscribe to the new provider. Such limitations defeat the premise of a public access infrastructure, which ideally wishes to always serve (and charge for) as many users as possible.

而且,当前对网络服务的公共访问的、通常使用无线技术的方案定义单一的服务等级。例如,一典型的服务是仅仅对万维网(或简单的说,“Web”)的访问。这样的服务定义不考虑这样的情境,其中用户可通过他们自己的设备按要求(on demand)访问某些需额外收费的服务(premium service)。不存在这样的机制,其允许用户在任何时候动态地选择一个或多个这样的额外收费服务,而不需要和这样的服务预先建立关系。即使服务提供确实有多个等级(或服务组),用户将必须提前选择他们所希望的服务等级。而且,在用户访问由该服务提供商提供的服务的期间内,所选择的服务等级保持不变。换言之,当前通过公共访问基础架构的服务提供未提供给用户不同的和可动态(或按要求)调整的服务等级。这样的服务提供也将需要基于用户所选择的服务集来为用户动态调节付费策略的机制。另外,为了实时完成以上所述的提供,应当。Furthermore, current approaches to public access to network services, often using wireless technologies, define a single class of service. For example, a typical service is simply access to the World Wide Web (or simply, "the Web"). Such a service definition does not take into account the situation where users can access certain premium services on demand through their own devices. There is no mechanism that allows a user to dynamically select one or more of these premium services at any time without pre-establishing a relationship with such services. Even if there are indeed multiple levels (or groups of services) of service offerings, users will have to select their desired level of service in advance. Moreover, the selected service level remains unchanged during the period that the user accesses the service provided by the service provider. In other words, current service offerings over public access infrastructures do not provide users with distinct and dynamically (or on-demand) adjustable service levels. Such service provision will also require a mechanism to dynamically adjust the payment policy for the user based on the set of services selected by the user. In addition, in order to complete the provision described above in real time, it should.

在按要求提供分等级服务方面的一种可能的解决方案是通过在客户端(即用户的)设备中安装特殊的代码。这一特殊代码将影响通信协议栈并使新的特定协议的使用成为必需。由这些客户端设备产生的每一个包都需要使用该额外的和特殊的代码来被修改。当然,这些网络里的网络部件必须运行该新特定协议的互补部分以能够读这些修改后的包。具有不需要协议栈中的改变的方法将是有利的。该方法应当能使用现有的TCP/IP标准以免得需要客户端设备执行新协议,免得需要客户端设备必须修改它的每个传输,及免得需要网络中的设备必须修改它们的通信协议栈以懂得新设计的协议。One possible solution in providing graded services on demand is by installing special code in the client (ie user's) device. This special code will affect the communication stack and necessitate the use of new specific protocols. Every packet generated by these client devices needs to be modified with this additional and special code. Of course, network elements in these networks must run complementary parts of the new specific protocol to be able to read these modified packets. It would be advantageous to have a method that does not require changes in the protocol stack. The method should be able to use existing TCP/IP standards without requiring client devices to implement new protocols, without requiring client devices to have to modify each of its transmissions, and without requiring devices in the network to have to modify their communication protocol stacks to Understand the newly designed protocol.

最后一点值得注意的是,存在用于部署公共无线服务的其他可选方案。例如,一个系统提出使用将被嵌入在个人设备上的专用软件,以通过修改每个由这些设备传输的数据包以便利于访问公共服务。A final point worth noting is that there are other options for deploying public wireless services. For example, one system proposes the use of specialized software to be embedded on personal devices to facilitate access to public services by modifying each data packet transmitted by these devices.

具有这样一种系统将是有益的,该系统不要求在用于访问无线网络的个人设备上做任何改变,且不需要在由这些设备传输的数据包上做任何修改,以达到它的各种。前面描述的系统依赖于操作平台(它的服务器或客户机版本)的特定特性。这为参与支持网络的设备建立了通信和计算同质性的运行假设。更好的是具有可应用在未更改的设备和通信协议上的系统,其可被使用已确立的开放通信标准的设备应用于非同质性计算和通信环境中,这些开放通信标准,如TCP/IP因特网协议系列,已经被压倒多数的运行于不同类型的操作系统上的个人(IP使能的)设备所支持。这些个人设备应该被构建在独立于网络支持设备的软件和硬件平台的软件和硬件平台上,其中这些个人设备与该网络支持设备进行交互以进行它的配置。关于记帐,前述系统不允许在正进行会话的中间动态重新指定记帐策略。It would be beneficial to have a system that does not require any changes in the personal devices used to access the wireless network and does not require any modification in the data packets transmitted by these devices in order to achieve its various . The systems described above depend on specific characteristics of the operating platform (either its server or client version). This establishes an operating assumption of communication and computational homogeneity for the devices participating in the supporting network. It would be even better to have a system that works on unchanged devices and communication protocols that can be applied in heterogeneous computing and communication environments by devices using established open communication standards, such as TCP The /IP Internet Protocol family is already supported by an overwhelming majority of personal (IP-enabled) devices running on different types of operating systems. These personal devices should be built on a software and hardware platform independent of that of the network enabled device with which they interact for its configuration. With regard to accounting, the aforementioned systems do not allow dynamic reassignment of accounting policies in the middle of an ongoing session.

发明内容Contents of the invention

因此本发明的一方面在于允许公共网络服务的供应商提供不同等级的应用服务给这些应用服务的用户。用户使用他们自己的个人设备,以便按每次使用以及在一正在进行的使用过程中协商和动态调整他们期望的应用服务等级,对于这些个人设备,没有为适应本发明的教授而作出特殊的修改。Therefore, one aspect of the present invention is to allow providers of public network services to provide different levels of application services to users of these application services. Users use their own personal devices to negotiate and dynamically adjust their desired application service levels on a per-use basis and during an ongoing use session, with no specific modifications made to accommodate the teachings of the present invention .

本发明的另一方面是可应用于支持所述公共服务提供的通信基础架构中的执行机制。该执行机制可应用于该基础架构内部的组件,如路由器设备,或在基础架构边缘的组件,如无线接入点(wireless access point)。该执行机制确保证个人用户只能访问那些在他们已选择的应用服务等级中的应用服务,并拒绝对所有不属于该等级内的应用服务的访问。在一些实施例中,该执行机制还被补充了当用户试图访问不属于当前他们所选等级内的特定应用服务时警告用户的装置,并且补充了这样的装置,通过该装置用户可再次用他们自己的设备动态地重新协商新的所期望的应用服务等级,以便若希望的话用户可以访问新的应用服务。Another aspect of the invention is an enforcement mechanism applicable in a communication infrastructure supporting said common service offering. This enforcement mechanism can be applied to components inside the infrastructure, such as router devices, or to components at the edge of the infrastructure, such as wireless access points. This enforcement mechanism ensures that individual users can only access those application services within their chosen application service level, and denies access to all application services that do not belong to that level. In some embodiments, this enforcement mechanism is supplemented by means to warn users when they attempt to access a particular application service that does not fall within their currently selected level, and by means by which users can reuse their The own device dynamically renegotiates the new desired application service level so that the user can access the new application service if desired.

本发明的又一方面是具有与前述相同的目的的一种执行机制,其可应用于基础架构的通信组件(如路由器和无线接入点)之外,诸如工作在较用于通信基础架构中的那些协议等级更高的协议等级的设备和软件。利用这样的执行机制,过滤服务器可被用于通信基础架构上以将例如来自用户的Web通信流限制为仅到达属于他们已选择的应用服务等级的Web服务。Yet another aspect of the present invention is an implementation mechanism with the same purpose as the foregoing, which can be applied outside of the communication components of the infrastructure (such as routers and wireless access points), such as operating in a communication infrastructure Devices and software with a higher protocol level than those with higher protocol levels. With such an enforcement mechanism, a filter server can be used on the communication infrastructure to restrict the flow of web traffic, eg, from users, to only reach web services belonging to their selected application service class.

本发明的再一方面在于使用户能使用他们自己的设备基于“按使用付费”访问在公共场合提供的动态可选择的分等级应用服务,而使用各种“当场”付款手段,诸如信用卡信息、飞行常客信息、如旅馆房间号的临时标识符信息等等,而不需要向数据供应的服务提供商事先预定。Yet another aspect of the present invention is to enable users to use their own devices to access dynamically selectable tiered application services offered in public on a "pay per use" basis, using various "on the spot" payment means such as credit card information, Frequent flyer information, temporary identifier information such as hotel room numbers, etc., without prior reservation to the data supply service provider.

本发明的其他方面是利用这样的付费策略,即向用户收取与他们使用自己的设备已选择和访问的服务相关的用户的费用。一般而言,这些付费策略基于各种标准,包括以传输到该用户和/或从该用户发送的通信流的数量表示的用户活动程度,或者提供所选等级的应用服务的持续时间(会话时间)。而且,在会话中收费策略可以动态改变,从而允许用户更新或修改他或她的服务等级和付费策略。Other aspects of the invention utilize a payment strategy where users are billed for services they have selected and accessed using their own devices. In general, these payment policies are based on various criteria, including the level of user activity expressed in terms of the number of communication streams transmitted to and/or from the user, or the duration for which a selected level of application service is provided (session time ). Also, charging policies can be changed dynamically during a session, allowing a user to update or modify his or her service level and charging policy.

本发明的其他方面和更好的理解可通过参考详细说明而实现。Other aspects and better understanding of the invention can be realized by referring to the detailed description.

附图说明Description of drawings

结合附图考虑下面对本发明的详细说明,本发明的这些和其他目的、特征和优点将变得是显然的,其中:These and other objects, features and advantages of the invention will become apparent from a consideration of the following detailed description of the invention when taken in conjunction with the accompanying drawings, in which:

图1示出了用于提供无线网络访问的系统的体系结构示例,以及用户和该系统为提供所需等级的应用服务所执行的动作。Figure 1 shows an example of the architecture of a system for providing wireless network access, and the actions performed by the user and the system to provide the required level of application services.

图2示出了根据本发明所使用的允许个人用户去指定和获得对授权的应用服务的访问的3个主要功能步骤。这3个步骤是:Figure 2 illustrates the 3 main functional steps used in accordance with the present invention to allow individual users to specify and gain access to authorized application services. The 3 steps are:

a)注册,其让用户在可获得的应用服务中指定他们的选择,a) registration, which allows users to specify their choices among available application services,

b)控制通知,其让特定的执行设备知道用于特定用户的适当访问简档,以及b) control notifications which let a particular implementing device know the appropriate access profile for a particular user, and

c)执行,其允许适当的网络设备去管制涉及特定用户的设备的各个包、连接或会话,以确保它们总与所授权的应用服务对应。c) Enforcement that allows the appropriate network equipment to police individual packets, connections or sessions involving a particular user's equipment to ensure that they always correspond to authorized application services.

图3示出了与注册相关的实体(尤其是用户设备和注册服务器)在用户的注册过程中所采取的步骤,包括在网络侧验证用户证书(credential)、并接受用户在可用应用服务等级中的选择的机制。Figure 3 shows the steps taken by the registration-related entities (in particular, the user equipment and the registration server) in the user's registration process, including verifying the user's credentials at the network side, and accepting the user in the available application service level mechanism of choice.

图4示出了包括在实际执行过程中步骤的例子,该执行机制包括特定包的检查以验证它符合当前为该特定用户授权的应用服务,以及检查任何为记帐目的的必要更新。Figure 4 shows an example of the steps involved in the actual implementation process, which includes a check of a particular package to verify that it complies with the application services currently authorized for that particular user, and checking for any necessary updates for billing purposes.

图5示出了在各个用户可动态改变他们所选择的应用服务等级的过程中包括的步骤。Figure 5 shows the steps involved in the process by which individual users can dynamically change their selected application service level.

图6示出了用户终止(注销)他们的当前会话的过程。这一注销用于确保网络释放任何已为特定用户保留的资源,且还确保正确向用户为他们自己的动作收取费用(尤其是当以其会话的持续时间为基础向用户收费时)。Figure 6 shows the process by which a user terminates (logs out) their current session. This logout is used to ensure that the network releases any resources that have been reserved for a particular user, and also to ensure that users are correctly charged for their own actions (especially when users are charged based on the duration of their session).

图9示出了访问控制的确切机制(即执行)的例子。它描述了通过使用路由器中的表实现这一执行机制的例子,其中该表列出了各个用户能或不能访问的特定目的地、协议或上述的组合。Figure 9 shows an example of the exact mechanism (ie enforcement) of access control. It describes an example of implementing this enforcement mechanism through the use of tables in routers that list specific destinations, protocols, or combinations of the above that individual users can or cannot access.

图9的访问控制框架还可以应用于出现在不同层以及可能出现在服务级别的实体处的执行机制。The access control framework of Figure 9 can also be applied to enforcement mechanisms occurring at different layers and possibly at service-level entities.

图10显示与图9类似的框架,其用于当通过无线接入点或Web代理执行访问控制时的情况。Figure 10 shows a framework similar to Figure 9 for the case when access control is performed by a wireless access point or a web proxy.

具体实施方式Detailed ways

本发明为提供了用于用户在通过公共网络访问基础架构提供的多个应用服务等级之间进行选择的方法、装置和系统。它允许用户获得对这样不同等级的应用服务的访问,即使他们没有预先提供的与相应的服务提供商的订户关系。它也允许用户自动地动态选择和重新选择他们期望的应用服务等级,而无需服务提供商操作者的介入。在一些实施例中,这样的变化也导致收费(或记帐)机制的适当变化。The present invention provides a method, apparatus and system for a user to select between multiple application service levels offered through a public network access infrastructure. It allows users to gain access to such different levels of application services even if they have no pre-provisioned subscriber relationship with the corresponding service provider. It also allows users to automatically and dynamically select and reselect their desired application service levels without service provider operator intervention. In some embodiments, such changes also result in appropriate changes in charging (or billing) mechanisms.

本发明中,服务被定义为目的端点,诸如:公司的Web页、公司的服务器应用、公司的Lotus Notes邮件服务器等等。服务的这一应用级别定义不同于网络级别的服务,诸如在因特网上进行通信所允许的通信带宽,例如56Kbps或128Kbps,这与通信的目的地是什么无关。In the present invention, a service is defined as a destination endpoint, such as: a company's Web page, a company's server application, a company's Lotus Notes mail server, and the like. This application level of service defines a service different from the network level, such as the communication bandwidth allowed for communication on the Internet, for example 56Kbps or 128Kbps, regardless of what the destination of the communication is.

在本发明的各实施例中,用户可使用他们自己的个人数据设备,如笔记本计算机或个人数字助理(PDA)。用户也可临时使用其他的计算设备,如信息亭(kiosk)等。然而,为本发明的目的,在这里那些其他设备被假定为表现得完全像它们是用户自己的“日常”计算设备一样,而不要求引入到这些设备中任何一组这样的附加的软件或硬件部件,其中这些软件和硬件部件唯一和排他地使这些设备能够根据本发明的教授去操作,并且使它们的用户能够获得本发明教授的好处。考虑用于本发明实施例的服务供给是基于普遍存在的、基于IP的因特网技术;访问技术是基于运作于非授权的无线频带中的无线本地通信技术,诸如IEEE 802.11b无线LAN或蓝牙无线PAN。显然地,本领域的技术人员能实现本发明的其他实施例,而不脱离本发明的精神和概念。例如,他们能用其他可选的访问技术,诸如红外线或以太网,或能使用动态按使用付费的安排作为用于基于预定的客户偶尔访问不属于他们的默认预定简档的等级的额外收费应用服务等级的一种途径。In various embodiments of the present invention, users may use their own personal data devices, such as notebook computers or personal digital assistants (PDAs). Users may also temporarily use other computing devices, such as kiosks and the like. However, for the purposes of the present invention, those other devices are assumed here to behave exactly as if they were the user's own "everyday" computing devices, without requiring the introduction of such additional software or hardware to any set of these devices components, which software and hardware components solely and exclusively enable these devices to operate in accordance with, and enable their users to obtain the benefits of, the teachings of this invention. The service provision contemplated for embodiments of the present invention is based on ubiquitous, IP-based Internet technologies; the access technology is based on wireless local communication technologies operating in unlicensed wireless frequency bands, such as IEEE 802.11b wireless LAN or Bluetooth wireless PAN . Apparently, those skilled in the art can implement other embodiments of the present invention without departing from the spirit and concept of the present invention. For example, they can use other alternative access technologies, such as infrared or Ethernet, or can use a dynamic pay-per-use arrangement as an additional charge for subscription-based customers occasionally accessing levels that are not part of their default subscription profile An approach to service levels.

图1示出了用于向在公共区域如机场中的无线热点(wireless hotspot)处的移动用户和他们的设备提供无线网络访问的系统的体系结构。该图也突出了需要被用户执行以获得期望等级的应用服务的步骤。访问网络101包括路由器(如106、107)和无线接入点(WiAP)(如110、111)。用户设备或用户终端(108),通过到接入点(图1中的110)的无线连接109连接到这一访问网络。除了网络层实体,诸如接入点和路由器之外,访问网络还可包括网络支持服务,诸如DHCP(动态主机配置协议)服务器102、DNS(域名服务)服务器113和Web代理(如112、117)。DHCP和DNS实体是本领域技术人员已知的大多数基于IP的网络中的常见组件,并为基于IP的用户终端提供各种配置信息和查询解析支持。Web代理被用于管理从用户终端到Web服务器的访问。本发明的实施例中,访问网络包括注册服务器114,其被用于交互式地建立个人用户所期望的应用服务等级。Figure 1 shows the architecture of a system for providing wireless network access to mobile users and their devices at wireless hotspots in public areas such as airports. The figure also highlights the steps that need to be performed by the user to obtain the desired level of application service. The access network 101 includes routers (such as 106, 107) and wireless access points (WiAP) (such as 110, 111). A user equipment or user terminal (108), connects to this access network via a wireless connection 109 to an access point (110 in Figure 1). In addition to network layer entities such as access points and routers, the access network may also include network support services such as DHCP (Dynamic Host Configuration Protocol) server 102, DNS (Domain Name Service) server 113 and Web proxies (eg 112, 117) . DHCP and DNS entities are common components in most IP-based networks known to those skilled in the art, and provide various configuration information and query resolution support for IP-based user terminals. Web proxies are used to manage access from user terminals to web servers. In an embodiment of the present invention, the access network includes a registration server 114, which is used to interactively establish the application service levels desired by individual users.

作为在应用服务等级之间进行区分的可能等级的例子,图1示出了两个应用服务等级,金服务103和银服务104。每个应用服务等级由一个或多个服务的集合(组)定义。在该例中,银服务等级104包括对图1中普通因特网105的访问。除了包括所有被包括在银服务等级中的所有服务之外,金服务等级还可能包括向用户终端提供视频剪辑的服务。这些等级的应用服务等级能静态地存在,即,例如银应用服务等级可能一直在其内包括相同一组应用服务(或者至少很少被更新)。另一方面,在各等级中的应用服务的分配可以是动态的,这里被“分配”到一等级里的应用服务可基于各种标准改变。在一些实施例中,基于标准的组合增加或减去服务,诸如基于:应用服务质量考虑;实施访问许可控制;时间;在不同的时间对应用服务使用不同的收费模式等等。As an example of possible levels for differentiating between application service levels, FIG. 1 shows two application service levels, Gold Service 103 and Silver Service 104 . Each application service level is defined by a collection (group) of one or more services. In this example, silver service level 104 includes access to the general Internet 105 in FIG. 1 . In addition to including all services included in the Silver service class, the Gold service class may also include services that provide video clips to user terminals. The application service classes of these levels can exist statically, ie for example the silver application service class may always include the same set of application services within it (or at least be updated rarely). On the other hand, the assignment of application services among classes can be dynamic, where the application services "assigned" into a class can change based on various criteria. In some embodiments, services are added or subtracted based on a combination of criteria, such as based on: application quality of service considerations; enforcing access admission controls; time; using different charging models for application services at different times, and the like.

用户终端108进入这样的系统并和接入点建立无线链路之后,其执行DHCP协议以为该用户终端获得一个IP地址。该步骤在图1中示为项116。在该步骤之后,用户终端使用标准Web浏览器使用标准HTTP协议联系注册服务器114。注册服务器给用户终端提供可获得的各应用服务等级及它们相关收费的基于Web的清单,以及其他信息。对各等级的服务分配可以是静态的,或基于当前的服务可用性、促销或其他因素等等而是动态的。此时,用户将一标识符,如信用卡号或飞行常客号码,以及所期望的应用服务等级输入到浏览器中,并向注册服务器发送这一信息。这些步骤在图1中共同示为项115。一旦经适当的确认,被用户提供的标识符也被用于为期望的应用服务等级最终向用户收费。一旦标识符被接受和确认,注册服务器向适当的执行设备发出一个控制通知,通知执行设备相应用户能访问属于他/她的所选服务等级的那些应用服务。执行设备通过安置一组控制以管制该用户在该访问网络中的通信流来响应该信息。该步骤在图1中示为项117。在不同的实施例中,该执行设备可以是路由器(106)、接入点(110)或Web代理(112)。然后控制机制将在适当执行设备上安置通信流过滤器。这一控制和执行机制的不同实施示例将在后面描述。After a user terminal 108 enters such a system and establishes a wireless link with an access point, it executes the DHCP protocol to obtain an IP address for the user terminal. This step is shown as item 116 in FIG. 1 . After this step, the user terminal uses a standard web browser to contact the registration server 114 using the standard HTTP protocol. The registration server provides the user terminal with a web-based list of available application service levels and their associated charges, as well as other information. The assignment of service to each tier may be static, or dynamic based on current service availability, promotional or other factors, and the like. At this point, the user enters an identifier, such as a credit card number or frequent flyer number, and the desired application service level into the browser, and sends this information to the registration server. These steps are collectively shown as item 115 in FIG. 1 . Once properly validated, the identifier provided by the user is also used to ultimately bill the user for the desired application service level. Once the identifier is accepted and validated, the registration server sends a control notification to the appropriate implementation device, informing the implementation device that the corresponding user can access those application services belonging to his/her selected service class. The enforcement device responds to the information by placing a set of controls to regulate the user's communication flow in the visited network. This step is shown as item 117 in FIG. 1 . In various embodiments, the executing device may be a router (106), an access point (110), or a web proxy (112). The control mechanism will then place traffic filters on the appropriate implementing devices. Different implementation examples of this control and enforcement mechanism will be described later.

图2示出了被用于本发明允许个人用户去指定和获得对经授权的应用服务访问的3个功能步骤。该3个步骤是:Figure 2 illustrates the 3 functional steps used by the present invention to allow individual users to specify and gain access to authorized application services. The 3 steps are:

a)注册,其让用户在可获得的应用服务中指定他们的选择;a) registration, which allows users to specify their choices among available application services;

b)控制通知,其让指定的执行设备知道用于特定用户的适当访问简档,以及b) control notifications, which let designated implementing devices know the appropriate access profile for a particular user, and

c)执行,其允许适当的网络设备去管制与特定用户设备相关的各个包、连接或会话,以确保他们总与经授权的应用服务对应。c) Enforcement that allows appropriate network equipment to police individual packets, connections or sessions related to a particular user equipment to ensure that they always correspond to authorized application services.

因此,图2突出了本发明用于向用户终端提供对各等级应用服务的访问的步骤。具体地,用户终端108首先向注册机构202进行注册201。注册期间,除其他事务外,由唯一的标识符标识用户终端。该标识符在相关会话期间,即直到用户终端结束它与访问网络(101)的关联和通过它能够获得的应用服务时为止,应当是唯一的。因为访问网络能基于其用户的应用服务等级选择动态地被控制、配置和/或重配置,所以图1中的访问网络(101)也被在图2中标识为可控制的基础架构。这一标识符可以是固定的,像用户终端使用的通信硬件子系统的介质访问(MAC)地址,或临时的,如由DHCP服务器分配给用户终端的IP地址,或提供给运行在用户终端上的Web浏览器应用的Web cookie。通过使用不直接基于网络接口(如MAC地址)、或基于由访问网络基础架构提供的特定配置参数(如IP地址)的标识符,注册机构允许用户终端维持它与注册服务器的关联,即使它的网络连接变化(如插上了新网络接口,或DHCP配置了新IP地址)。在这些情形中,用户终端可分担部分责任来将关于它的设备或网络特定配置参数中的变化通知给注册服务器。Figure 2 therefore highlights the steps of the invention for providing access to various levels of application services to user terminals. Specifically, the user terminal 108 first registers 201 with the registration authority 202 . During registration, among other things, the user terminal is identified by a unique identifier. This identifier should be unique during the relevant session, ie until the user terminal ends its association with the visited network (101) and the application services available through it. The access network (101) in FIG. 1 is also identified as a controllable infrastructure in FIG. 2 because the access network can be dynamically controlled, configured and/or reconfigured based on its users' application service level selections. This identifier can be fixed, such as the medium access (MAC) address of the communication hardware subsystem used by the user terminal, or temporary, such as the IP address assigned to the user terminal by the DHCP server, or provided to the user terminal running on the user terminal. Web cookies applied by your web browser. By using identifiers that are not based directly on the network interface (eg, MAC address), or based on specific configuration parameters provided by the accessing network infrastructure (eg, IP address), the registry allows the user terminal to maintain its Network connection changes (such as plugging in a new network interface, or DHCP assigning a new IP address). In these situations, the user terminal may share part of the responsibility to notify the registration server about changes in its device or network specific configuration parameters.

注册机构202将记录这一标识符和用户终端已请求的应用服务等级。利用这些知识,注册机构将调节通信网络以适应该新用户和他/她所选择的应用服务等级。调节动作主要包括在通过制信号203将设备的标识符和应用服务等级之间的绑定信息传递给可控制访问基础架构的一些或全部节点中。作为例子,注册机构(也称注册服务器)可以:The registration authority 202 will record this identifier and the application service level that the user terminal has requested. Using this knowledge, the registry will adjust the communication network to suit the new user and his/her chosen application service level. The adjustment action mainly consists in passing the binding information between the identifier of the device and the service level of the application to some or all nodes of the controllable access infrastructure through the control signal 203 . As an example, a registration authority (also called a registrar) can:

a)将用户终端的MAC地址随同应用服务等级一起传递给接入点和LAN交换机,或者a) passing the MAC address of the user terminal to the access point and the LAN switch together with the application class of service, or

b)将用户终端的IP地址随同应用服务等级一起传递给网络路由器,或者b) passing the IP address of the user terminal to the network router together with the application service level, or

c)将Web cookie/IP地址随同应用服务等级一起传递给网络中的Web代理,或者c) pass the web cookie/IP address along with the application service level to the web proxy in the network, or

d)通知特定于应用的服务器接受或拒绝来自特定用户终端的通信流。d) Informing the application-specific server to accept or reject the communication stream from the specific user terminal.

使用该信息,适当的网络节点将封锁、或放行从用户终端到那些服务205的或从那些服务205到用户终端的通信流206。Using this information, the appropriate network node will block, or pass, traffic 206 from the user terminal to those services 205 or from those services 205 to the user terminal.

图3示出了用户终端和系统的最初交互中的各个步骤的例子。它包括这样的功能,诸如获得一IP地址(116),联系注册服务器和选择期望的应用服务等级(115)的功能,以及由此产生的控制通知,如对普通控制基础架构(117和203)的状态进行更新。本发明的该实施例使用标准DHCP协议用于配置个人用户终端。用户终端进入系统后,它的网络连接的物理层被激活,它的系统软件被通知。结果,用户终端在系统网络上广播DHCP请求(301中的项1)。这一请求被运行DHCP服务器102的机器处理,该机器向用户终端发送回一个响应(108和301中的项2)。该DHCP响应包括由系统分配给该用户终端的IP地址、用于中继消息的默认节点的IP地址(网关IP地址)和运行DSN服务器的机器的IP地址。Figure 3 shows an example of various steps in the initial interaction of the user terminal and the system. It includes functions such as obtaining an IP address (116), contacting the registration server and selecting the desired application service level (115), and the resulting control notifications, such as to the common control infrastructure (117 and 203) status is updated. This embodiment of the invention uses the standard DHCP protocol for configuring individual user terminals. After a user terminal enters the system, the physical layer of its network connection is activated and its system software is notified. As a result, the user terminal broadcasts a DHCP request on the system network (item 1 in 301). This request is processed by the machine running DHCP server 102, which sends a response back to the user terminal (item 2 in 108 and 301). The DHCP response includes the IP address assigned by the system to the user terminal, the IP address of the default node for relaying messages (gateway IP address) and the IP address of the machine running the DSN server.

本发明的一特殊的实施例具有修改了其默认行为的客户机配置软件。例如当使用DHCP协议时,一系统特定的选项被增加到DHCP协议,这可根据用于在DHCP中增加选项的现有标准来完成,并且扩展了DHCP服务器和客户机软件以分别产生和解释该新选项。系统特定的DHCP选项包括注册服务器的地址。在处理DHCP响应时,扩展的DHCP客户机软件使用该地址启动被定向到注册服务器304的浏览器。本发明该上述实施例代表了一个使用扩展的DHCP客户机和服务器软件的无需显在的用户介入的用户终端自动配置的实施例示例。在本发明的另一实施例中,未对DHCP协议或对DHCP客户机和服务器软件实现扩展(302)。在处理了DHCP响应及配置了网络连接之后,在用户终端上手动启动浏览器并且将该浏览器定向到注册服务器。注册服务器的标识可以作为ULR从浏览器的书签集合中获得,或可以通过带外(out-of-band)机制例如可在公共场合突出打印或显示的可视通知(303)提供给用户。尽管DHCP是用于用户终端初始配置的最通用的机制,但是可以一样有效地使用其他的配置协议。例如,下一代因特网协议,IPv6,允许节点自动配置其自身,而无需来自DHCP服务器的任何帮助。而且,运用像目的地重定向的技术,从客户机设备到目的地Web的Web请求可被重定向到任何期望的位置,例如,注册服务器,而独立于在因特网上的浏览器用户想要去的位置。本发明对这种其他可选的初始用户终端配置的手段是同样适用的。A particular embodiment of the invention has the client configuration software with its default behavior modified. For example, when using the DHCP protocol, a system-specific option is added to the DHCP protocol, which can be done according to existing standards for adding options in DHCP, and the DHCP server and client software are extended to generate and interpret the new options. System-specific DHCP options include the address of the registration server. The extended DHCP client software uses this address to launch a browser directed to the registration server 304 when processing the DHCP response. This above-described embodiment of the present invention represents an example embodiment of automatic configuration of user terminals without explicit user intervention using extended DHCP client and server software. In another embodiment of the invention, no extensions are implemented to the DHCP protocol or to the DHCP client and server software (302). After the DHCP response has been processed and the network connection configured, a browser is manually launched on the user terminal and directed to the registration server. The registry server's identification can be obtained as a ULR from the browser's bookmark collection, or can be provided to the user through an out-of-band mechanism such as a visual notice (303) that can be prominently printed or displayed in public. Although DHCP is the most common mechanism for initial configuration of user terminals, other configuration protocols may be used equally effectively. For example, the next generation Internet protocol, IPv6, allows nodes to configure themselves automatically without any help from a DHCP server. Moreover, using techniques like destination redirection, a Web request from a client device to a destination Web can be redirected to any desired location, for example, a registry server, independent of where the browser user wants to go on the Internet. s position. The present invention is equally applicable to such other optional initial user terminal configuration means.

作为用户与注册服务器交互的一部分,用户将接着选择期望的应用服务等级并提供与付费相关的信息(305)。该信息接着被注册服务器/机构发送到适当的、逻辑上分离的节点进行确认(306)。如果用户提供的信息被确认是正确的(307),注册被认为成功。这种情况中,发起用于该用户会话的记帐过程,并且通过控制通知消息将适当的信息中继给普通控制基础架构组件(308)。如果该信息是无效的(307),则一般对用户提供另外的机会去向系统注册(310)。As part of the user's interaction with the registration server, the user will then select a desired application service level and provide payment-related information (305). This information is then sent by the registrar/authority to the appropriate, logically separate node for validation (306). If the information provided by the user is confirmed to be correct (307), the registration is considered successful. In this case, the billing process for the user session is initiated and the appropriate information is relayed to the normal control infrastructure components via control notification messages (308). If the information is invalid (307), the user is typically provided another opportunity to register with the system (310).

一旦系统已成功认可用户的特定应用服务等级选择,则可期望用户发起到该等级的应用服务的传输。图4示出了在一示例过程中,在这样的通信过程中由普通访问可控制基础架构(图2中的204)的一组件所遵从的步骤。在收到包(请求包或任何来自一设备的传输)401之后,检查该包以确定它的来源,即用户终端,以及它所属的应用服务等级402。该包被关联到一个特定用户终端和/或应用服务等级的机制依赖于可控制访问基础架构中实现该执行的确切组件。在图9中针对路由器的情况和在图10中针对无线接入点或Web代理的情况描述了这一点。如果应用服务符合与包来源相关的服务等级403,则将该包转发给下一跳(hop)404,以及,如果必要,在该特定应用服务的收费策略如此要求的情况下,更新与来源用户终端关联的记帐信息405。如果该应用服务不符合403,则或丢弃该包或采取适当的补救步骤406。在上面任一情况中,该基础架构组件开始处理下一个包。如果符合测试失败403,则系统可能希望采取其他可选的补救措施。Once the system has successfully approved the user's selection of a particular application service level, the user may be expected to initiate transfer to that level of application service. Figure 4 illustrates, in an example process, the steps followed by a component of the general access controllable infrastructure (204 in Figure 2) during such a communication. After receiving a packet (request packet or any transmission from a device) 401, the packet is examined to determine its source, ie the user terminal, and the application service class 402 it belongs to. The mechanism by which the package is associated to a particular user terminal and/or application service level depends on the exact components of the controllable access infrastructure that enable this implementation. This is depicted in Figure 9 for the case of a router and in Figure 10 for the case of a wireless access point or web proxy. If the application service complies with the class of service associated with the source of the packet 403, the packet is forwarded to the next hop (hop) 404 and, if necessary, updated with the source user if the billing policy for that particular application service so requires. Accounting information 405 associated with the terminal. If the application service is not compliant 403 then either drop the packet or take appropriate remedial steps 406 . In either case, the infrastructure component starts processing the next package. If the compliance test fails 403, the system may wish to take other optional remedial actions.

在一些实施例中,执行节点重定向包,和/或生成失败通知给注册服务器。如果未能通过符合测试的包相应于一基于Web的请求,则注册服务器接着能使用HTTP协议以一个通知响应用户终端,该通知指出用户试图进行的访问违背用户的当前应用服务等级。该基于Web的通知能提供给用户重新协商应用服务等级的选择,以使随后的用户访问偿试不会被拒绝。In some embodiments, the execution node redirects the packet, and/or generates a failure notification to the registration server. If the packet that fails the compliance test corresponds to a web-based request, the registry server can then respond to the user terminal using the HTTP protocol with a notification that the user attempted an access that violates the user's current application service level. This Web-based notification can provide the user with the option to renegotiate the application's service level so that subsequent user access attempts are not denied.

依赖于由用户在注册时提供的信息以及系统的能力,另一补救动作将是向用户发送“带外”通知。当用户当前未使用Web浏览器应用时或不含有任何系统可向其发送消息的专用应用时,后一情况是期望的。“带外”通知可包括到传呼机、交互式的个人电子邮件设备例如无线个人设备的消息传递,对蜂窝电话的电话呼叫,SMS(短信消息服务)消息等等。Depending on the information provided by the user at registration and the capabilities of the system, another remedial action would be to send an "out-of-band" notification to the user. The latter case is desirable when the user is not currently using a web browser application or does not have any dedicated applications to which the system can send messages. "Out-of-band" notifications may include messaging to pagers, interactive personal email devices such as wireless personal devices, telephone calls to cell phones, SMS (Short Message Message Service) messages, and the like.

接下来描述在与公共访问网络的正进行的关联期间,用户能重新协商或改变他们的应用服务等级的过程。如已解释过的,当用户发现特定的期望的应用服务当前在用户的当前等级选择范围之外时,可使用该过程。或者,在某一时刻,用户也可发现临时切换到不同的应用服务等级的需要。例如,用户可能突然发现访问没有包括在最初选择的应用服务等级之内的额外收费应用服务的需要。注意,有时为用户创建和存储的应用服务简档指出在某些条件下或当特定的属性例如基于位置的属性被满足时,优选的应用服务等级的选择。用户的服务简档能有助于应用服务等级的选择。The process by which users can renegotiate or change their application service levels during an ongoing association with the public access network is described next. As already explained, this process may be used when a user finds that a particular desired application service is currently outside the user's current level of selection. Or, at a certain moment, the user may also find the need to temporarily switch to a different application service level. For example, a user may suddenly discover a need to access a premium application service that is not included in the originally selected application service level. Note that application service profiles are sometimes created and stored for users to indicate selection of preferred application service levels under certain conditions or when specific attributes such as location-based attributes are met. The user's service profile can aid in the selection of the application service level.

虽然此处描述的本发明的实施例提到服务选择的用户选择,但用于便利用户等级选择的服务简档的使用不在本发明的精神之外。图5示出了改变与用户终端关联的应用服务等级的过程中包括的步骤。用户终端通过将浏览器定向到注册服务器来联系注册服务器501,请求改变应用服务当前等级(502),并提供所有必要的信息503(类似于305)。如果该信息是有效的504,则改变被接受,且一般基础架构中的访问控制的状态505和记帐506组件被更新。由于用户终端已经具有现存的与访问网络的关联(并因此具有唯一标识符),所以提供必要信息的过程503可能不象图3中的初始过程305那样详细。例如,用户可能不需要重新提供个人信息(例如,信用卡号);而是用户终端上的软件可以能够直接提供特定于用户的标识符(例如通过使用Web cookie)给注册服务器,从而帮助服务器将这一对应用服务等级的改变请求与现存的用户网络关系联系起来。While embodiments of the invention described herein refer to user selection of service selections, the use of service profiles to facilitate user level selection is not outside the spirit of the invention. Figure 5 shows the steps involved in the process of changing the service level of an application associated with a user terminal. The user terminal contacts the registration server 501 by directing the browser to the registration server, requests to change the application service current level (502), and provides all necessary information 503 (similar to 305). If the information is valid 504, the change is accepted and the state 505 of the access control and accounting 506 components in the general infrastructure are updated. The process 503 of providing the necessary information may not be as detailed as the initial process 305 in FIG. 3 since the user terminal already has an existing association with the visited network (and thus a unique identifier). For example, a user may not need to re-provide personal information (e.g., a credit card number); instead, software on the user's terminal may be able to directly provide a user-specific identifier (e.g., by using a Web cookie) to the registration server, thereby helping the server to A pair of application service level change requests are associated with existing user network relationships.

尽管图5中所述的更新服务的过程代表本发明的一个实施例,但其他的过程也是可能的而不脱离本发明的精神。例如,本领域技术人员可以通过使用户指出期望的应用服务且服务提供商用适当的用于包括所请求的应用服务的应用服务等级的注册页进行响应,得到同样的结果。这后一方案不要求用户去显性地联系注册服务器以进行更新。但是,它实现了与如图5中示出的实施例相同的最终结果。Although the process for updating services described in FIG. 5 represents one embodiment of the present invention, other processes are possible without departing from the spirit of the present invention. For example, one skilled in the art could achieve the same result by having the user indicate a desired application service and the service provider respond with an appropriate registration page for the application service level including the requested application service. This latter scheme does not require the user to explicitly contact the registration server for an update. However, it achieves the same end result as the embodiment shown in FIG. 5 .

由于对动态定义的应用服务的支持是本发明的一个元素,应该指定可终止服务关联的机制。例如,这种注销机制对在基于用户网络关联持续时间对用户收费的情形中的正确记帐是有用的。这样的机制还可被用户用于在作出关于继续或终止关联之前,核对当前的使用和帐单信息。图6示出了当用户终端有效地关闭所有的会话并终止它对各网络服务的访问时在用户终端和公共访问网络的(可能)最终交互中的步骤。在示出的实施例中,用户终端将浏览器定向到注册服务器上601,并使用标准HTTP协议去请求其会话的终止602。作为该请求的一部分,用户终端可能包括在注册进程中建立的特定于用户的唯一标识符,见图2中的201。然后,注册服务器从相关的执行设备中提取出适当的使用统计603,并向用户终端提供该适当的使用信息604。基于该使用信息,用户将接着决定605或是确认他们的关联终止或是继续利用该公共可用的服务基础架构。如果用户决定继续,那么终止进程被挂起,并且用户恢复他的或她的正常网络访问。这个机制提供给用户一个简单地查证他们的活动历史和相关的费用的手段。但是,如果用户决定终止他们的当前关联605,则注册服务器将执行必要步骤以移除与该用户在公共访问网络中的存在相关的信息。注册服务器将首先向执行设备发出适当的控制通知消息606,以禁止该用户终端的任何其他访问。这样的控制消息的成功执行有效地移除了执行设备中的不必要的访问控制信息。它也担当了预防任何后续未授权的访问企图的机制。在发送该通知之后,注册服务器还将从它的内部表中移除活动的特定于用户的信息(诸如与用户的当前会话关联的唯一标识符),并完成对用户适当收费的过程607。除了通知访问控制设备之外,注册服务器还将通知DHCP服务器608,以便DHCP服务器能适当更新它自己的表并释放资源。As support for dynamically defined application services is an element of the present invention, a mechanism by which service associations can be terminated should be specified. For example, this logout mechanism is useful for correct billing in situations where a user is charged based on the duration of the user's network association. Such a mechanism could also be used by the user to check current usage and billing information before making decisions about continuing or terminating the association. Figure 6 shows the steps in the (possible) final interaction of the user terminal and the public access network when the user terminal effectively closes all sessions and terminates its access to various network services. In the illustrated embodiment, the user terminal directs the browser 601 to the registration server and uses the standard HTTP protocol to request termination 602 of its session. As part of this request, the user terminal may include a user-specific unique identifier established during the registration process, see 201 in FIG. 2 . Then, the registration server extracts 603 appropriate usage statistics from the related execution devices, and provides the appropriate usage information 604 to the user terminal. Based on this usage information, the user will then decide 605 to either confirm the termination of their association or continue utilizing the publicly available service infrastructure. If the user decides to continue, the termination process is suspended and the user resumes his or her normal network access. This mechanism provides a means for users to easily verify their activity history and associated charges. However, if the user decides to terminate their current association 605, the registration server will perform the necessary steps to remove information related to the user's presence in the public access network. The registration server will first send an appropriate control notification message 606 to the executing device to prohibit any other access of the user terminal. Successful execution of such control messages effectively removes unnecessary access control information in the executing device. It also acts as a mechanism to prevent any subsequent unauthorized access attempts. After sending this notification, the registration server will also remove active user-specific information from its internal tables, such as the unique identifier associated with the user's current session, and complete the process 607 of charging the user appropriately. In addition to notifying the access control device, the registration server will also notify the DHCP server 608 so that the DHCP server can properly update its own tables and release resources.

图7示出了用于在无须用户显性地行动来进行终止的情况下管理和终止会话的另一示例实施例。在该实施例中,使用被称作cookie的Web技术来跟踪用户终端在系统中的存在。图7重复了图1的有关部分,另外增加了保存系统中的终端的记录703的会话数据库702。具体地,随着由DHCP服务器102向用户终端分配116IP地址,服务器通知701注册服务器114一个新IP地址已被分配给用户终端。在一个实施例中,注册过程将这一IP地址输入到IP地址的一“等待”池中。当用户访问该注册服务器以注册一个新服务、继续或更新现有服务时,该IP地址将从等待池被移除。在另一实施例中,注册服务器将这一IP地址与用户会话数据库702中的记录703相关联。任何情况下,都通知注册服务器新的IP地址分配。Figure 7 illustrates another example embodiment for managing and terminating sessions without explicit user action to terminate. In this embodiment, the presence of the user terminal in the system is tracked using a web technology known as a cookie. FIG. 7 repeats the relevant parts of FIG. 1 , and additionally adds a session database 702 for saving records 703 of terminals in the system. Specifically, following the assignment 116 of an IP address to the user terminal by the DHCP server 102, the server notifies 701 the registration server 114 that a new IP address has been assigned to the user terminal. In one embodiment, the registration process enters this IP address into a "waiting" pool of IP addresses. When a user visits the registration server to register a new service, continue or update an existing service, the IP address will be removed from the waiting pool. In another embodiment, the registration server associates this IP address with a record 703 in the user session database 702 . In any case, the registrar is notified of the new IP address assignment.

新的IP地址分配可以真正被给予全新的用户终端,或者给予可能具有正在进行的会话的终端。后一情况可能发生在出于各种原因的时候,诸如临时链路109失败,用户设备重新启动,由于移动造成的无线接入点的变化,访问技术从例如无线LAN到有线的以太网、到蓝牙无线技术的调整等等。用户设备可获得不同于以前使用的全新的IP地址。然而,用户可能选择仍旧有效的付费策略。例如,用户可能已请求了30分钟的时间块,并且在这一时间块的7到10分钟之间发生了通信中断。在这种情况下,该全新的IP地址不应当被关联系到全新的会话,而是被用于更新与现有会话相关的会话信息。New IP address assignments may indeed be given to completely new user terminals, or to terminals that may have ongoing sessions. The latter situation may occur for various reasons, such as temporary link 109 failure, user equipment reboot, change of wireless access point due to movement, access technology from e.g. wireless LAN to wired Ethernet, to Bluetooth wireless technology adjustments and more. The user equipment can obtain a brand new IP address different from that used before. However, the user may choose a payment policy that is still in effect. For example, a user may have requested a time block of 30 minutes, and a communication outage occurred between 7 and 10 minutes into that time block. In this case, the brand new IP address should not be associated to a brand new session, but used to update the session information related to the existing session.

在显示于图7和图8的实施例中,这是通过使用Web cookie来实现的。Web cookie是Web服务器发送给与该服务器交互的Web浏览器的一小段信息。Web浏览器将cookie本地存储在运行着该浏览器的用户终端中。在每次该特定Web浏览器再访问该特定Web服务器时,该cookie被该浏览器上载。这能用于追踪用户对特定Web站点的访问。在本实施例的情况中,当用户终端在分配给它一个新IP地址之后再访问注册服务器的时候,能再次将该cookie提供给注册服务器,并且注册过程能使用该cookie以提取出用于该用户终端的会话记录(如果存在的话),并相应地更新它。In the embodiment shown in Figures 7 and 8, this is accomplished through the use of Web cookies. A web cookie is a small piece of information that a web server sends to a web browser interacting with that server. Web browsers store cookies locally in the user terminal running the browser. Every time the particular web browser visits the particular web server, the cookie is uploaded by the browser. This can be used to track user visits to specific Web sites. In the case of this embodiment, when the user terminal accesses the registration server after assigning it a new IP address, the cookie can be provided to the registration server again, and the registration process can use the cookie to extract the The user terminal's session record (if it exists), and updates it accordingly.

在又一实施例中,省略了从DHCP服务器到注册服务器的新IP地址的传输。它允许新发起的会话或正进行的会话的会话数据被注册服务器专有地处理。这之所以可能,是因为Web服务器,如注册服务器,除cookie之外,还能提取出大量与用户终端有关的信息,包括其IP地址。然而,701中的IP地址传输,或者相反方向的相似地址,是被用于确认客户机设备所使用的IP地址是由DHCP服务器分配的合法IP地址的方法。In yet another embodiment, the transmission of the new IP address from the DHCP server to the registration server is omitted. It allows session data for newly initiated sessions or ongoing sessions to be handled exclusively by the registrar. This is possible because web servers, such as registration servers, can extract a large amount of information about the user terminal, including its IP address, in addition to cookies. However, the IP address transfer in 701, or a similar address in the opposite direction, is the method used to confirm that the IP address used by the client device is a legitimate IP address assigned by the DHCP server.

图8示出了由注册服务器遵循以决定如果其收到cookie将如何进行的步骤的实施例。如果cookie与活动的/正进行的会话相关联,则称cookie是有效的。为使cookie无效,若干事件807都可能起作用。例如,DHCP服务器可无效一IP地址。这发生在与由DHCP服务器分配的IP地址关联的“租约”时间在用户终端请求续订租约之前期满时。在图7中的实施例中,DHCP服务器通过传输“移除IP地址”消息704而传送这一信息。DHCP租约的粒度规定了“当使用时付费”的记帐策略的精确性能够如何;例如,如果租约是以二分钟递增的方式给出的,那么选择基于她的会话持续时间付费的用户将为使用系统2、或4、或6等分钟被记帐。如果用户已选择以30分钟的时间块付费且30分钟已过去,则会话也可能被无效。在图7中的会话记录703中,后者可以根据描述付费策略的选择时间(paymentSelectionTime)和/或由所选付费策略覆盖的时间(paymentDuration)的会话记录项,或其他存储在该会话记录中的有关数据来计算。选择付费的时间与选择服务等级的时间可能一致的,但这不是一般性的要求。各种时间间隔可进一步地与宽限期关联以考虑用户临时断开连接的可能。这些宽限期有利地与DHCP服务器协调,以便DHCP服务器不将已移除的IP地址分配给新用户终端,如果服务器还没有更新它的会话记录的话。Figure 8 shows an embodiment of the steps followed by a registration server to decide what to do if it receives a cookie. A cookie is said to be valid if it is associated with an active/ongoing session. To invalidate a cookie, several events 807 may work. For example, a DHCP server may invalidate an IP address. This occurs when the "lease" time associated with the IP address assigned by the DHCP server expires before the user terminal requests to renew the lease. In the embodiment in FIG. 7 , the DHCP server communicates this information by transmitting a "Remove IP Address" message 704 . The granularity of a DHCP lease dictates how precise a "pay-as-you-use" billing policy can be; for example, if leases are given in two-minute increments, a user who chooses to pay based on the duration of her session will Minutes are billed using system 2, or 4, or 6 etc. Sessions may also be invalidated if the user has chosen to pay in 30 minute time blocks and 30 minutes have elapsed. In the session record 703 in FIG. 7, the latter may be based on a session record item describing the selection time (paymentSelectionTime) of the payment policy and/or the time (paymentDuration) covered by the selected payment policy, or otherwise stored in the session record related data to calculate. The timing of selecting a payment may coincide with the timing of selecting a class of service, but this is not a general requirement. Various time intervals may further be associated with grace periods to account for the possibility of a user temporarily disconnecting. These grace periods are advantageously coordinated with the DHCP server so that the DHCP server does not assign removed IP addresses to new user terminals if the server has not updated its session records.

由于用户的移动和其他原因,如临时链路失败,用户设备重新启动,由于移动而造成的无线接入点的改变,从例如无线LAN到有线的以太网、到蓝牙无线技术的访问技术的调整等等,可能会发生短暂的连接中断。通过使用cookie,其中cookie有时被用作能持续存在于连接中断之后的会话标识符,用户能继续访问选定等级的服务,而不需要向注册服务器重新注册。使用每当用户终端访问注册服务器时它发送的cookie,注册服务器能恢复它需要的任何会话信息,而不管由许多原因引起的连接中断。这种能力经常称为服务漫游(service roaming)。Due to user movement and other reasons such as temporary link failure, user equipment reboot, change of wireless access point due to movement, adjustment of access technology from e.g. wireless LAN to wired Ethernet, to Bluetooth wireless technology Wait, a brief disconnection may occur. By using cookies, which are sometimes used as session identifiers that persist after connection interruptions, users can continue to access selected levels of service without having to re-register with the registration server. Using the cookies that the user terminal sends to the registration server each time it accesses it, the registration server can restore any session information it needs, regardless of connection interruptions caused by many reasons. This capability is often referred to as service roaming.

图9示出了更多关于怎样通过使用图1中访问网络101或者等效的图2中的可控制基础架构204中的路由器执行访问控制的细节。在图9中,假设使用DHCP协议向用户终端901分配了IP地址10.0.0.1;在其他的实施例中,这一IP地址和随后的IP地址可能是不同的。另外,假设服务提供商已定义了两个应用服务等级,金等级和银等级,其允许用户访问分别具有IP地址10.1.1.2和10.1.2.2的设备。(多个应用服务等级,其中每个等级具有IP地址和/或端口号的多个列表,这种一般化对熟悉本领域的技术人员来讲是简单明了的。)客户机接着通过无线接入点902联系注册机构903,以指定它所期望的应用服务等级。注册机构903提供904所有可获得的应用服务等级和它们相关收费的Web页列表。用户接着在两个应用服务的等级909(金等级和银等级)之间进行选择并向注册服务器发送回905这一选择(随同其他个人证书一起)。将服务分组为各应用服务等级可以是递增式的,就是说,例如选择金服务等级也使得能访问银服务等级中的所有服务。FIG. 9 shows more details on how access control is performed by using routers in the access network 101 of FIG. 1 or equivalently the controllable infrastructure 204 of FIG. 2 . In FIG. 9, it is assumed that the user terminal 901 is assigned an IP address 10.0.0.1 using the DHCP protocol; in other embodiments, this IP address and subsequent IP addresses may be different. Additionally, assume that the service provider has defined two application service levels, Gold and Silver, which allow users to access devices with IP addresses 10.1.1.2 and 10.1.2.2, respectively. (Multiple application service classes, where each class has multiple lists of IP addresses and/or port numbers, this generalization will be straightforward to those skilled in the art.) The client then accesses the Point 902 contacts Registration Authority 903 to specify its desired application service level. The registration authority 903 provides 904 a web page listing all available application service levels and their associated charges. The user then chooses 909 between two levels of application service (Gold and Silver) and sends back 905 this choice (along with other personal credentials) to the registration server. The grouping of services into application service classes may be incremental, that is to say eg selection of the Gold service class also enables access to all services in the Silver service class.

假设用户终端已选择了银服务等级。在其中能执行访问控制机制的节点之一是路由器906。如图9中所示,该基于路由器的访问控制方案可通过将基于用户终端和它所请求的应用服务等级的IP地址的一组过滤规则传送给907路由器而实现。在接收到这些过滤规则后,路由器把它们存储到本地路由表908中。在图9中,路由表显示IP地址10.0.0.1(正讨论的用户终端的IP地址)能访问在目的地址10.1.2.2上的TCP端口80上提供的应用服务。这相应于用于银服务的Web服务器;因此,与IP地址10.0.0.1关联的用户终端仅仅能访问银服务。Assume that the user terminal has selected the silver service class. One of the nodes where access control mechanisms can be implemented is router 906 . As shown in FIG. 9, the router-based access control scheme can be implemented by transmitting 907 a router a set of filtering rules based on the IP address of the user terminal and its requested application service level. After receiving these filtering rules, the router stores them in the local routing table 908 . In Figure 9, the routing table shows that the IP address 10.0.0.1 (the IP address of the user terminal in question) can access the application service provided on TCP port 80 at the destination address 10.1.2.2. This corresponds to the web server for the silver service; therefore, the user terminal associated with the IP address 10.0.0.1 can only access the silver service.

执行机制也可在访问网络基础架构中其他可选节点例如无线接入点或Web代理处执行。图10中示出了这些其他选择,在其中象以前一样假设,用户终端具有IP地址10.0.0.1。此外,假设与该用户终端关联的无线设备的硬件(MAC)地址是“MAC_ADDR_1”。首先,如图左侧所显示的,注册机构1002可将一组过滤规则1003、1004传递给一个或多个无线接入点(WiAP)1005、1006。由于无线接入点通过MAC地址来区分终端,所以无线接入点(图10中的1005)中的过滤表1007通常将包括用户终端的MAC地址(本例子中,即为“MAC_ADDR_1”)和该组允许目的节点的目的IP地址和/或端口号。此外,该图示出了在其中用户终端已选择银等级应用服务1008(目的地址10.1.2.2)的例子。The execution mechanism can also be executed at other optional nodes in the access network infrastructure, such as wireless access points or web proxies. These other options are shown in FIG. 10, in which it is assumed, as before, that the subscriber terminal has the IP address 10.0.0.1. Furthermore, assume that the hardware (MAC) address of the wireless device associated with the user terminal is "MAC_ADDR_1". First, as shown on the left side of the figure, the registration authority 1002 may communicate a set of filtering rules 1003, 1004 to one or more wireless access points (WiAPs) 1005, 1006. Since the wireless access point distinguishes terminals by MAC address, the filter table 1007 in the wireless access point (1005 in FIG. The group allows the destination IP address and/or port number of the destination node. Furthermore, the figure shows an example in which the user terminal has selected the silver level application service 1008 (destination address 10.1.2.2).

图10的右侧显示了当通过在Web代理1009上布置过滤器而执行访问控制时的情形。在这种情形中,注册机构1002将该组适当的过滤规则1010传递给Web代理。Web代理接着更新在它过滤表1011中的相应信息。应当理解,这其实是应用层过滤机制,因为Web代理仅截取来自基于Web的用户终端的通信流。在这种情形中,用户终端可或通过网络层标识符,如IP地址(本例中为10.0.0.1),或通过应用层的标识符,如Web cookie的一集合,而被唯一地标识。The right side of FIG. 10 shows the situation when access control is performed by arranging filters on the Web proxy 1009 . In this case, the Registry 1002 passes the appropriate set of filtering rules 1010 to the Web Proxy. The Web proxy then updates the corresponding information in its filter table 1011. It should be understood that this is actually an application layer filtering mechanism, because the web proxy only intercepts communication streams from web-based user terminals. In this case, the user terminal can be uniquely identified either by a network layer identifier, such as an IP address (10.0.0.1 in this example), or by an application layer identifier, such as a set of Web cookies.

图10示出了当过滤表1011通过用户终端的IP地址(10.0.0.1)识别用户终端,并通过一组URL(统一资源定位符)识别该组允许的目的地的情形。在该特定的例子中,假设用户已选择与URL http://10.1.2.2/sliver.html相关的银等级应用服务。统一资源定位符(URL)是在Web上命名、发现和检索对象的标准途径。FIG. 10 shows a situation when the filter table 1011 identifies a user terminal by its IP address (10.0.0.1), and identifies the set of allowed destinations by a set of URLs (Uniform Resource Locators). In this particular example, assume that the user has selected the silver application service associated with the URL http://10.1.2.2/sliver.html. Uniform Resource Locators (URLs) are the standard way to name, discover, and retrieve objects on the Web.

这里讨论的本发明实施例涉及使用接入点、路由器和Web代理控制对所选应用服务的访问。本领域技术人员可使用其他的网络通信流控制组件而不脱离本发明的本质。Embodiments of the invention discussed herein relate to controlling access to selected application services using access points, routers, and web proxies. Those skilled in the art can use other network communication flow control components without departing from the essence of the present invention.

迄今为止提出的本发明实施例是基于公共访问基础架构使用无线LAN以允许用户通过无线接口连接到网络的假设。然而,本发明中所描述的原理和方法可被应用于其他有线和无线访问技术。本领域的技术人员可以容易地开发本发明的其他实施例以用于其他访问技术,例如,使用有线IEEE802.3以太网技术而不是IEEE802.11无线LAN技术,而未脱离本发明的本质。Embodiments of the invention presented so far are based on the assumption that a public access infrastructure uses a wireless LAN to allow users to connect to the network through a wireless interface. However, the principles and methods described in this invention can be applied to other wired and wireless access technologies. Those skilled in the art can easily develop other embodiments of the present invention for other access technologies, for example, using wired IEEE802.3 Ethernet technology instead of IEEE802.11 wireless LAN technology, without departing from the essence of the present invention.

本发明可以硬件、软件或硬件和软件的结合来实现。根据本发明的可视化工具能以集中式方式在一个计算机系统中实现,或以分布式方式实现,其中不同组件分布在几个互相连接的计算机系统中。任何种类的计算机系统或适合于实现这里描述的方法和/或功能的其他装置都是合适的。硬件和软件的典型结合可以是具有计算机程序的通用计算机系统,当该程序被加载并执行时,其控制该计算机系统以使它执行这里所描述的方法。本发明也能被嵌入到计算机程序产品中,该计算机程序产品包括使能实现这里所描述的方法的所有特征,并且当该计算机程序产品被加载到计算机系统中时能执行这些方法。The present invention can be realized in hardware, software, or a combination of hardware and software. The visualization tool according to the invention can be implemented in a centralized manner in one computer system, or in a distributed manner, where different components are distributed among several interconnected computer systems. Any kind of computer system or other apparatus adapted for carrying out the methods and/or functions described herein is suitable. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The invention can also be embedded in a computer program product which comprises all the features enabling the implementation of the methods described herein and which, when loaded into a computer system, is able to carry out these methods.

本文中的计算机程序手段或计算机程序包括一组指令的以任何语言、代码或符号表示的任何表达,其中该组指令旨在使具有信息处理能力的系统或直接地或在转换成另一种语言、代码或符号,和/或以不同材料形式再现之后执行特定的功能。Computer program means or a computer program in this context includes any expression in any language, code or symbol, of a set of instructions intended to cause a system having information processing capabilities to , codes or symbols, and/or perform specific functions after being reproduced in a different material form.

因此本发明包括包含计算机可用介质的制造物品,其中该计算机可用介质在其中嵌入了用于实现上述功能的计算机可读程序代码手段。在该制造物品中的该计算机可读程序代码手段包括用于使计算机实现本发明的方法的步骤的计算机可读程序代码手段。类似地,本发明还可以实现为包括计算机可用介质的计算机程序产品,其中该计算机可用介质具有嵌入在其中的用于实现上述功能的计算机可读程序代码手段。在该计算机程序产品中的该计算机可读程序代码手段包括用于使计算机实现本发明的一个或多个功能的计算机可读程序代码手段。此外,本发明还可以实现为机器可读的、有形地体现可由该机器执行以实现用于实现本发明的一个或多个功能的方法步骤的指令程序的程序存储装置。The present invention thus includes an article of manufacture comprising a computer-usable medium having embedded therein computer-readable program code means for implementing the functions described above. The computer readable program code means in the article of manufacture comprises computer readable program code means for causing a computer to implement the steps of the method of the present invention. Similarly, the present invention can also be realized as a computer program product comprising a computer-usable medium having embedded therein computer-readable program code means for realizing the functions described above. The computer-readable program code means in the computer program product includes computer-readable program code means for causing a computer to realize one or more functions of the present invention. Furthermore, the present invention can also be implemented as a program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to implement method steps for realizing one or more functions of the present invention.

应注意,前述已经概述了本发明的一些较为相关的目的和实施例。本发明可用于许多应用。因此,尽管该说明是针对特定安排、时间指示和方法而作出的,但本发明的目的和概念可适合和应用于其他结构安排和应用。本领域的技术人员将明白,可实现对所公开的实施例的修改,而不脱离本发明的本质和范围。所描述的实施例应被认为仅是本发明的较显著特征和应用中的某些的示例。通过以不同方式应用所公开的本发明或以本领域技术人员已知的方式修改本发明,可实现其他的有益结果。It should be noted that the foregoing has outlined some of the more relevant objects and embodiments of the invention. The invention can be used in many applications. Thus, although the description has been made with respect to particular arrangements, timing and methods, the objects and concepts of the present invention are adaptable and applicable to other structural arrangements and applications. It will be apparent to those skilled in the art that modifications to the disclosed embodiments can be made without departing from the spirit and scope of the invention. The described embodiments should be considered as merely examples of some of the more salient features and applications of the invention. Other beneficial results can be realized by applying the disclosed invention in a different manner or by modifying the invention in ways known to those skilled in the art.

Claims (29)

1. method comprises: make the user use one group of standard communication protocol to visit one group of specific application service on the equipment of network being connected to, described method comprises:
Provide many described equipment of group addressable application service, at least one the described application service in each described group can be used by described equipment;
Allow described user from described a plurality of groups, to select described one group of specific application service; And
Dynamically automatically described network is configured to allow described equipment by the described one group of specific application service of described access to netwoks based on described one group of specific application service.
2. the method for claim 1 further comprises:
Make described user can from described a plurality of groups, make the selection of another being organized application service subsequently; And
Dynamically automatically described network is reconfigured to allow described equipment by described another group application service of described access to netwoks based on described the selection subsequently.
3. the method for claim 1, wherein this network uses standard tcp/ip communication agreement.
4. the method for claim 1, wherein said one group of standard communication protocol comprises standard IEEE 802 communication protocols.
5. the method for claim 1, wherein this step that provides comprises the tabulation that extracts the application service of described many groups from local data.
6. the method for claim 1, wherein this step that provides comprises by described network from the position away from the tabulations of extracting the application service of described many groups one group of device of described equipment.
7. method as claimed in claim 6, wherein this step that provides is initiated by described one group of device and is comprised by the transmission of described one group of device to the unsolicited message of described equipment.
8. method as claimed in claim 7, the content-dependent of wherein said unsolicited message is in the attribute of at least one and described device association.
9. method as claimed in claim 6, wherein the step of this extraction comprises the Web server that uses the Web browser that is connected to described equipment to use and be connected to described network.
10. the method for claim 1, wherein this step that provides comprises at least one of from the available application service tabulation described many groups of dynamic creation application service.
11. described method as claimed in claim 1 further comprises the application service of described many groups is mapped at least one network identifier.
12. method as claimed in claim 11, wherein said at least one network identifier comprises at least one identifier of taking from a group identifier, and this group identifier comprises: the IP address; The TCP/UDP port numbers; Protocol identifier; Application identifier; With these combination.
13. the method for claim 1, wherein the step of configuration is included in and sets up the communication stream filtering rule in the described network automatically, and wherein said communication stream filtering rule is related with the application service of described equipment and described particular group.
14. method as claimed in claim 13, wherein said communication stream filtering rule is set at from one group of at least one network traffic flow Control Component that is connected to described network of network communication stream Control Component, and a described group network communication stream Control Component comprises: the data access point; Bridge; Switch; Hub; Router; Gateway; Acting server; The combination of Web server and any of these.
15. method as claimed in claim 14, wherein said communication stream filtering rule are based at least one identifier from a group identifier, a described group identifier comprises: the user of equipment; Described equipment medium accessing to control address; Described many group application service Media Access Control address; Described IP address of equipment; Described many group application service IP address; Described equipment TCP/UDP port numbers; Described many group application service TCP/UDP port numbers; URL(uniform resource locator); Combination with any of these.
16. method as claimed in claim 2 further comprises: at least one the visit charge of described equipment to the application service of described many groups, wherein Shou Fei step comprises provides and by the related optional charging policy of every group of application service of user's selection.
17. method as claimed in claim 16, wherein said optional charging policy is based at least one strategy from one group of optional charging policy, and this is organized optional charging policy and comprises:
Time-based charging policy, wherein expense depends on described network maintenance configuration so that described equipment can be visited the duration of the application service of described particular group;
Time-based charging policy with time quantum of selecting in advance;
Time-based charging policy, it has dynamically to reset puts the time quantum that stops to visit the application service of described particular group up to described equipment;
Per minute, hour, day or every month service order expense;
Based on the charging policy of using, the quantity of wherein charging depends at described network and keeps configuration so that described equipment can be visited under the situation of application service of described particular group, by the communication flows between the application service of described network in the application service of described equipment and described particular group;
Based on the charging policy of using, it has the communication flows of selecting in advance; And the combination of any of these.
18. method as claimed in claim 16, wherein the step of this charge comprises that the user with expense and described equipment associates, and the step that provides from least one user ID of one group of user ID is provided in described associated steps, described one group of user ID comprises: credit card information; Flight regular guest information; Customer loyalty information; The application service ordering information; Hotel information; User ID/password information; Be embedded in personal information in the individual smart card and these combination.
19. the method for claim 1 further comprises: the application service of another group of disable access.
20. method as claimed in claim 19 further comprises:
The application service of described another group of definition is the service of forbidding;
Allow described user from described a plurality of application services, to select at least one described service of forbidding; And
Dynamically the application service based on described particular group automatically is configured to allow described equipment by described at least one the described service forbidden of described access to netwoks described network.
21. method as claimed in claim 20 further is included as the visit charge to described at least one described service of forbidding, wherein expense is conditioned based on the charging policy that is relevant to described at least one described service of forbidding that the user selects.
22. method as claimed in claim 19 comprises that further be forbidden with indication to the described visit that another organizes application service at least one described equipment and another equipment dispatch order.
23. the method for claim 1, wherein this step that provides is based at least one attribute with described device association.
24. a method comprises:
Make subscriber equipment be connected to network, described subscriber equipment uses one group of standard agreement, and described network contains: at least one network configuration service; At least one Service Management application service; At least one network traffic flow Control Component; At least two groups can be by the application service of described user equipment access;
Described at least one network configuration service is configured described subscriber equipment;
Described at least one Service Management application service offers a tabulation of the described at least two group application services of described subscriber equipment;
Allow the user of described subscriber equipment from described at least two group application services, to select at least one group; And
Dynamically described at least one network traffic flow Control Component is disposed automatically so that only can be described at least one group of application service visit.
25. a method comprises:
Provide a tabulation of many groups application service to be connected to network to subscriber equipment to respond described equipment;
Send to described equipment one group identifier, the representative of this group identifier from the application service of described many groups to the selection of specific one group of application service; And
Use described identifier to indicate at least one network traffic flow Control Component and automatically and dynamically dispose described network so as to make described equipment and described specific one group of application service between can communicate by described network.
26. a method comprises:
For equipment is provided with access permission,
Allow described choice of equipment that application service selected from many groups of obtainable application services is conducted interviews, described equipment uses one group of standard agreement and is connected to network;
The described access permission that will be used for described equipment so that described device access related with at least one identifier is from least one group described selected application services of described many groups application service; And
Use described at least one identifier so that the described described application service of having selected of access permission visit of having set up can be roamed and use to described equipment.
27. method as claimed in claim 26 also keeps the described access permission that has been provided with even further comprise when the network connection state changes.
28. a device comprises:
One server, it allows user to use and is being connected to one group of standard communication protocol on the equipment of network to visit one group of specific application service, and described server comprises:
One list block, be used to provide many groups can be by a tabulation of the application service of described device access, the described application service of at least one in described every group can be used by described equipment;
One enable module, it makes described user select described specific one group of application service from the application service of described many groups; And
One configuration module, it dynamically automatically is configured to allow described equipment by described network described visit to be carried out in described specific one group of application service described network based on described specific one group of application service.
29. device as claimed in claim 28, wherein said enable module makes described user make the selection subsequently of another being organized application service from described many groups, and wherein said configuration module dynamically automatically reconfigures to allow described equipment by described network described visit to be carried out in described another group application service described network based on described the selection subsequently; Further comprise: a record keeping module, it is charged to described visit, and wherein expense is based on the optional charging policy that is associated with every group.
CNB028284941A 2002-03-08 2002-08-30 Differentiated connectivity in a pay-per-use public data access system Expired - Fee Related CN1326065C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US36332702P 2002-03-08 2002-03-08
US60/363,327 2002-03-08

Publications (2)

Publication Number Publication Date
CN1647059A CN1647059A (en) 2005-07-27
CN1326065C true CN1326065C (en) 2007-07-11

Family

ID=28041752

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB028284941A Expired - Fee Related CN1326065C (en) 2002-03-08 2002-08-30 Differentiated connectivity in a pay-per-use public data access system

Country Status (6)

Country Link
EP (1) EP1483676A4 (en)
JP (1) JP4817602B2 (en)
KR (1) KR100745434B1 (en)
CN (1) CN1326065C (en)
AU (1) AU2002329940A1 (en)
WO (1) WO2003079210A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7490348B1 (en) 2003-03-17 2009-02-10 Harris Technology, Llc Wireless network having multiple communication allowances
EP1718094A1 (en) * 2005-04-28 2006-11-02 Research In Motion Limited System and method for providing network advertisement information via a network advertisement broker
US8428584B2 (en) 2005-07-01 2013-04-23 Research In Motion Limited System and method for accelerating network selection by a wireless user equipment (UE) device
EP1858278B1 (en) 2006-05-19 2013-05-15 Research In Motion Limited System and method for facilitating accelerated network selection in a radio network enviroment
KR100764475B1 (en) * 2006-08-02 2007-10-09 에스케이 텔레콤주식회사 Premium call service method and system using mobile communication network
US20080285737A1 (en) * 2007-05-17 2008-11-20 Tekelec Methods, systems, and computer program products for point code proxying between signaling points
KR101125852B1 (en) * 2010-06-09 2012-04-16 주식회사 오비고 Method, terminal, server and computer-readable recording medium for supporting various standards for device api in a single web platform
WO2014120220A1 (en) * 2013-01-31 2014-08-07 Hewlett-Packard Development Company, L.P. Providing access to information across multiple computing devices

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1281187A (en) * 1999-07-15 2001-01-24 国际商业机器公司 Customer control of world wide net browser customer data
WO2001061592A1 (en) * 2000-02-04 2001-08-23 Runonweb, Inc. A system for billing of software usage service over the internet
CN1333508A (en) * 2000-07-07 2002-01-30 株式会社日立制作所 Device and method for dynamic distributing computer resource according to user's agreement
US20020019879A1 (en) * 2000-05-15 2002-02-14 Mark Jasen Method and system for prioritizing network services
US20020026474A1 (en) * 2000-08-28 2002-02-28 Wang Lawrence C. Thin client for wireless device using java interface

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3446047B2 (en) * 1994-07-26 2003-09-16 日本電信電話株式会社 Multimedia service access method and multimedia service access method
US5682325A (en) * 1994-09-12 1997-10-28 Bell Atlantic Network Services, Inc. Level 1 gateway for video tone networks
US6205480B1 (en) * 1998-08-19 2001-03-20 Computer Associates Think, Inc. System and method for web server user authentication
US7673328B1 (en) * 1998-09-28 2010-03-02 Kojima Co., Ltd. Network authentication system using individual services providers and an authentication server
US7801775B1 (en) * 1999-03-29 2010-09-21 Amazon.Com, Inc. Method and system for authenticating users when conducting commercial transactions using a computer
GB2349548A (en) * 1999-04-27 2000-11-01 Roke Manor Research Downloading software to mobile telecommunication users
JP2003507803A (en) * 1999-08-17 2003-02-25 ジェネラル・インスツルメント・コーポレイション Impulse pay-per-use method and system for data and multimedia services
JP2002007909A (en) * 2000-06-21 2002-01-11 System House Kumakun:Kk Contract processing device, cancellation processing device, contract cancellation processing system, and recording medium
JP2002056304A (en) * 2000-08-11 2002-02-20 Oki Electric Ind Co Ltd Service providing system via communications network, service providing device, service package providing server, and storage medium
US7051315B2 (en) * 2000-09-26 2006-05-23 Appstream, Inc. Network streaming of multi-application program code

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1281187A (en) * 1999-07-15 2001-01-24 国际商业机器公司 Customer control of world wide net browser customer data
WO2001061592A1 (en) * 2000-02-04 2001-08-23 Runonweb, Inc. A system for billing of software usage service over the internet
US20020019879A1 (en) * 2000-05-15 2002-02-14 Mark Jasen Method and system for prioritizing network services
CN1333508A (en) * 2000-07-07 2002-01-30 株式会社日立制作所 Device and method for dynamic distributing computer resource according to user's agreement
US20020026474A1 (en) * 2000-08-28 2002-02-28 Wang Lawrence C. Thin client for wireless device using java interface

Also Published As

Publication number Publication date
KR20040096612A (en) 2004-11-16
EP1483676A4 (en) 2009-04-15
WO2003079210A1 (en) 2003-09-25
JP4817602B2 (en) 2011-11-16
KR100745434B1 (en) 2007-08-02
CN1647059A (en) 2005-07-27
AU2002329940A1 (en) 2003-09-29
JP2005520250A (en) 2005-07-07
EP1483676A1 (en) 2004-12-08

Similar Documents

Publication Publication Date Title
RU2758457C2 (en) Systems and methods for managing a session of a protocol data unit (pdu) adapted to an application
US7277948B2 (en) Network system with dynamic service profile updating functions
EP1997276B1 (en) Distributed policy services for mobile and nomadic networking
CA2462691C (en) Method and system for allowing multiple service providers to serve users via a common access network
JP6789322B2 (en) Systems and methods for user plane path selection, reselection, and notification of user plane changes
US7039037B2 (en) Method and apparatus for providing service selection, redirection and managing of subscriber access to multiple WAP (Wireless Application Protocol) gateways simultaneously
CN104363577B (en) For providing the method and system of mobile management in a network
US7743158B2 (en) Access network dynamic firewall
CN100459735C (en) System and method for pushing data in an internet protocol network environment
JP4629679B2 (en) Method and system for free internet protocol communication service
US20060047829A1 (en) Differentiated connectivity in a pay-per-use public data access system
US20040177247A1 (en) Policy enforcement in dynamic networks
JP2009260986A (en) Decision of method for controlling communications
EP1599806A2 (en) Method and apparatus providing prepaid billing for network services using explicit service authorization
EP1955556A2 (en) System and method for improved wifi/wimax retail installation management
CN102124455A (en) Providing services to packet flows in a network
CN1326065C (en) Differentiated connectivity in a pay-per-use public data access system
EP1422909A2 (en) Service control network system
CN101019384B (en) System and method for distributing and distributing end-user information in a network environment
WO2000074408A1 (en) Mobile agent based system for mobility support
CN101345684A (en) P2P node management method
CN101009611A (en) A method for terminal access to different service networks
HK1122925B (en) Distributed policy services for mobile and nomadic networking

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070711

Termination date: 20200830