Title of Invention

COMMUNICATION SYSTEM AND METHOD FOR PROVIDING A MOBILE COMMUNICATION SERVICE

Abstract The invention relates to a communication system and a method for providing a mobile telecommunication service. A communication network (IN) transmits messages on the basis of at least one internet protocol. A network connection computer (GW) connects an access network (AN) for mobile computers (MN) and the communication network (IN). The access network is equipped with several access points (AP) comprising corresponding access point connection computers (MEP), which are configured to create a communication connection between variable access points (AP) and the mobile computers (MN). An authorization verification computer (AAA) establishes and manages trusted relationships (SA) between several communication elements (GW, MEP, AAA, MN). The network connection computer (GW) and the access point connection computer (MEP) are configured to execute packet filtering during the receipt and transmission of messages for the secure protection of the communication system. The network connection computer (GW) and the authorization verification computer (AAA) are also configured to execute a method for controlling an overload, by the provision of a communication protocol for the communication elements (GW, MEP, AAA, MN), in order to prevent the malfunction of one of the communication elements as a result of an attack.
Full Text Description
Communication system and method for providing a mobile communication service
The present invention relates to a communication system and a method for providing a mobile communication service by means of a communication network which is configured to transmit messages on the basis of at least one Internet protocol, and by means of an access network for mobile computers within which a message is transmitted using a multicast process.
Some existing communication systems for providing a mobile telecommunication service utilize a communication network which is configured to transmit messages on the basis of at least one Internet protocol. However, it has been usual hitherto to use Internet protocol-based communication only within a core network, so that it continues to be necessary to use dedicated communication protocols to provide mobile communication services. A communication network which operates on the basis of an Internet protocol permits internetworking packet-oriented data exchange between terminal systems of the communication system. Thus, a communication protocol is provided which makes possible internetworking transmission of messages between geographically dispersed computers of different networks.
A specification which makes possible mobile telecommunication services on the Internet has been presented by the Internet Engineering Task Force (IETF). The main starting point in specifying the "Mobile IP" concept presented was the, shortcomings of a conventional Internet protocol (IP) with regard to mobility. "Mobile IP" makes available a solution for mobility on the Internet which is

scalable, robust and secure. In particular, mechanisms for the routing of IP packets to mobile computers are made available which can reside in a foreign network while retaining their permanent IP address. A problem of "Mobile IP" is that the basic concept is not suited to supporting automatic tracking of an existing useful data connection, the so-called "seamless handover".
An architecture for a communication system called "MOMBASA" which operates on the basis of the Internet protocol is presented, in particular, in A. Festag, L. Westerhoff and A. Wolisz, The MOMBASA Software Environment - a Toolkit for Performance Evaluation of Multicast-based Mobility Support, in Proc. of Performance Tools 2002, pages 212-219, London, GB, April 2002. In this communication system an access network for a mobile computer operates by using a multicast process to transfer the individual messages. In point-to-multipoint communication, multicasting is a process in which a message is transmitted with a group address to a fixed group or class of recipients in one transmission process.
An infrastructure of the MOMBASA communication system provides the following components as communication elements: in the access network for the mobile computer a plurality of access points each having a respective access point connection computer (called mobility-enabling proxies) and being connected to one another via multicast-capable routers are provided. A network connection computer, for example, in the form of the gateway, serves to connect the access network to the public or private fixed Internet network. The so-called mobile agents or mobility agents, which represent a network authority used to support the mobility of the mobile computers in individual subnetworks, are implemented by the mobile computers.
A mobile computer must be able to communicate with other computers even after changing of the access point to the Internet. For this purpose a globally reachable IP address located within the address area of the access network is

allocated to mobile computers, at least for the duration of their visit to an access network. Consequently, all message packets from the public Internet network which are addressed to the mobile computer are sent via normal Internet routing to the network connection computer for connection to the access network. A block of unicast addresses of a plurality of mobile computers is allocated to a block of multicast groups within the access network. If a mobile computer registers at an access point connection computer, this access point connection computer becomes part of an allocated multicast group. At the network connection computer for connecting the access network to the Internet network a message packet for a mobile computer is transmitted to a defined group of access points, and from the allocated access point to the mobile computer.
The use of a multicast process within the access network simplifies the process of predictive tracking of an existing useful data connection between two access points. Starting from the access point connection computer at which the mobile computer is directly registered, adjacent access point connection computers become part of a multicast group. These computers store data in a ring buffer; in the tracking of an existing useful data connection, called the handover, the messages received downstream are transmitted onwards in the ring buffer to the mobile computer in order to compensate for a loss of messages during the handover.
In the event that a mobile computer neither receives nor transmits data for a certain length of time, the mobile computer switches to idle mode. This is an operating state in which the mobile computer, although switched on, has not yet logged on and therefore cannot yet be reached from the access network. In this case a multicast group concerned is dismantled and the position of a mobile computer is known in only a rudimentary fashion as a paging area, represented by a permanent multicast group which is independent of the mobile computer. If messages for a mobile computer which is in the idle state are received at the network connection computer, a paging request is transmitted to a defined

multicast group of the last known paging area of the mobile computer and transferred to the last-addressed access point connection computers of this paging area, whereby the mobile computer is switched to the active state and logs on to the access network.
Such a communication system is exposed to a considerable number of security threats which endanger the operation of the mobile telecommunication service. Firstly, the internal exchange of messages within the access network can be endangered by external attacks from external links. Furthermore, the internal exchange of messages within the access network can be used by an attacker, who can gain access to the access network in various ways. In addition, messages or information can be tapped of manipulated by an attacker during their transmission, if the attacker purports to be a legitimate user of the access network. The attacker could additionally use this to utilize a telecommunication service at the expense of a personified mobile computer.
In general, a mobile computer does not know in advance which of the access points in the access network is responsible for it. For this reason falsified so-called advertisements, i.e. messages with which mobility agents offer their services to the mobile computer and which are produced via the access point last used, can cause the mobile computer to erroneously register itself with an attacker. Here the problem is as follows: the so-called MEP advertisements (Mobility-Enabling Proxies advertisements) are not designed for a single mobile computer but for a group of mobile computers. In the event of use of symmetrical encryption, it would be possible for each mobile computer involved to produce falsified advertisements. However, if an asymmetrical cryptographic method were used, this would mean that checking values of, at present, several hundred to 2048 bits would have to be used. Nevertheless, a false access point could potentially still be unmasked later during the registration process if the mobile computer and the access point communicated directly with one another.

So-called denial of service attacks are a further threat which should be mentioned. Here, denial of service means the same thing as functional failure or denial of function. This includes a large number of different possible attacks which all have the aim of causing certain computers to crash or to be disabled in certain functions. Such attacks can be directed, from the access point last used, against an authentication process itself, at a time in which authentication of the identity of the data transfer point (called the peer node) cannot be guaranteed. Furthermore, denial of service attacks can be executed from the Internet by the use of data packets. If data packets are sent to a plurality of mobile computers in the idle state (for example, with varying sources and protocols) they are addressed simultaneously by a paging request and caused to switch to the active mode. This leads to a signal overload within the access network and at an authentication verification computer for executing authentication, authorization and accounting (an AM server).
It is the object of the present invention to specify a communication system and a method for providing a mobile telecommunication service of the type mentioned in the introduction, with which suitable precautionary measures against such security threats can be taken and which, furthermore, are suitable for automatically tracking an existing useful data connection.
This object is achieved by a communication system for providing a mobile telecommunication service as claimed in claim 1 and by a method for providing a mobile telecommunication service as claimed in claim 8.
The communication system for providing a mobile telecommunication service according to the invention comprises a plurality of communication elements: a communication network is configured to transmit messages on the basis of at least one Internet protocol. In addition, there is provided at least one mobile computer and an access network for the mobile computer in which messages are transmitted using a multicast process. A network connection computer is used to

connect the access network to the communication network. In the access network there are provided a plurality of access points each having respective access point connection computers which are configured to be able to establish a communication connection between variable access points and the mobile computer. An authentication verification computer is used to establish and manage trusted relationships between a plurality of the communication elements. The network communication computer and the access point connection computer are configured to execute a packet filtering method when receiving and transmitting messages for security-related protection of the communication system. In addition, the network connection computer and the authentication verification computer are configured to execute an overload control method by providing a communication protocol for the communication elements, in order to prevent malfunction of one of the communication elements as a result of an attack.
According to the invention, therefore, a packet filtering method is executed when receiving and transmitting messages for security-related protection of the communication system at the boundaries of the access network. In addition, trusted relationships between a plurality of communication elements of the communication system are established and managed and, in addition, an overload control is executed by providing a communication protocol for the communication elements of the communication system, in order to prevent malfunction of one of the communication elements as a result of an attack. The combination of these different technical measures offers, in particular, the following advantages: with the packet filtering method for security-related protection of the communication system at the boundaries of the access network an internal exchange of messages within the access network can be protected from external attacks. With the overload control, above all denial of service attacks against the authentication verification computer and the network connection computer can be repelled. In particular, the overload control method is executed in an initial registration process of the mobile computer and/or when

performing or updating paging services. These operations must be carried out via the authentication verification computer or the network connection computer. The overload control (called Rate-based Congestion Control) can be implemented using Linux net filter architecture, so that it can be integrated to a high degree with the packet filtering process. The overload control method can also be executed on several levels, in particular decentrally on a level of geographical cells and centrally on a level of the total network load. A negative effect of the overload control method on legitimate users of the communication system can thereby be reduced to a minimum.
According to a further advantageous embodiment of the invention, by means of a distribution of keys to adjacent communication elements of an access point of the access network, it is made possible for a further access point to execute local authentication of a mobile computer when automatically tracking an existing useful data connection. A signal stream to a central authentication verification computer is thereby avoided and at the same time the increase in handover latency as a result of the authentication process is minimal. Through the decentralized handling of handover processes, denial of service attacks against the authentication verification computer are avoided or repelled, without detriment to a legitimate user.
To summarize, the invention makes available effective protection against security threats in a communication system of the type mentioned in the introduction, without significantly increasing handover latency. A negative effect of the overload control on legitimate users is minimized.
Concerning the implementation of the packet filter method, an advantageous embodiment of the invention provides that the network connection computer and the access point connection computer are configured to execute a packet filtering method in order to repel a predetermined class of attacks which use deliberately changed source addresses. It should be taken into account in this connection

that source addresses of a mobile computer must appear only from the direction of the wireless link, while source addresses of non-mobile elements and of communication elements which do not belong to the access network must be transmitted only via the network connection computer.
Further advantageous embodiments and developments of the invention are specified in subclaims.
The invention is explained in more detail below with reference to the figures, which represent advantageous embodiments of the present invention and in which:
Fig. 1 is a diagrammatic overview of a basic structure of a
MOMBASA communication system;
Fig. 2 is a further schematic representation of such a
communication system, representing trusted relationships between the individual communication elements;
Fig. 3 shows the initial registration process of a mobile computer on
a communication system according to the invention;
Fig. 4 shows an example of a handover process of a mobile
computer when changing between different access points;
Fig. 5 shows switching of the mobile computer to the inactive state
and a paging update process;
Fig. 6 shows an example of a paging process, and

Fig. 7 is an exemplary table regarding the filtering of denial of
service attacks at a network connection computer.
Fig. 1 shows an exemplary architecture of a MOMBASA communication system which comprises a plurality of communication elements. A communication network IN serves to transfer messages on the basis of at least one Internet protocol and is therefore configured, in particular, as an Internet network. In addition, there is provided an access network AN for a mobile computer MN in which messages are transmitted using a multicast process. In point-to-multipoint communication, multicasting is a process in which a message is transmitted with a group address to a defined group or class of recipients in one transmission process. In the access network AN there are provided a plurality of access points AP, each having a respective access point connection computer MEP (Mobility-Enabling Proxies), which are each configured to be able to establish a communication connection between variable access points AP and the mobile computer MN. A network connection computer GW in the form of a gateway is used to connect the access network AN to the Internet network IN. For a communication connection between two terminal devices, a connection between the correspondence computer CH and the mobile computer MN, for example, is established via the Internet network IN and the access network AN. Two of the access points AP with associated access point connection computers MEP are connected to one another via a multicast router MR. To establish a communication connection, mobility agents, which are used to support the mobility of the mobile computer MN when changing access points, are implemented by the mobile computer MN.
According to the invention the network connection computer GW and the access point connection computers MEP are configured to execute a packet filtering method for security-related protection of the communication system when receiving and transmitting messages. In particular, the packet filtering method is executed in order to repel a predetermined class of attacks which use

deliberately changed source addresses. It should be taken into account in this connection that source addresses of mobile computers must appear only from the direction of the wireless link, whereas source addresses of non-mobile communication elements and of communication elements which do not form part of the access network are transmitted only via the network connection computer GW.
At the network connection computer GW messages of the wireless link and paging requests should be rejected unless they originate from the network connection computer GW itself. If a message arrives from the Internet network it should be rejected if it contains a source address of a mobile computer or of the access network or is a MOMBASA-internal message, or is a message conforming to the Internet Group Management Protocol (IGMP) or to the Independent Multicast-Sparse Mode (PIM-SM) protocol, which designates a multicast address which is used internally by the access network. At the access points AP the following message packets should be rejected if they originate from the wireless link: every message packet which designates a source address of a non-mobile communication element, inter-MEP advertisements, paging requests, updates of paging services (paging updates) and every IGMP- or PIM-SM-based message which designates a multicast address which is used internally by the access network. Messages of the wireless link should be rejected if they arrive at the upstream interface.
The following message packets should be generated only by an access point; however, they should not be transmitted onwards by the access point, i.e. they should be rejected, if they arrive at an input-side interface: advertisements from access point connection computers MEP, responses to message communications with respect to the registration process (MH registration response, MH: message handling), IGMP Membership Reports and IGMP Leave Groups.

The packet filtering method is a relatively simple variant of a firewall for protecting the communication system. The packet filtering method is not designed to protect the mobile computer from attacks, but is provided only to protect the internal message exchange within the access network from external attacks.
Fig. 2 is a further illustration according to which an authentication verification computer in the form of an AM server continues to be provided in the communication system according to the invention. This is a multifunctional communication server for providing services for authenticating persons or users, for verifying the entitlement of these persons to access to particular applications and resources (authorization), and for logging the activities (accounting) of these persons. According to the invention, therefore, a trust model is introduced in order to offer telecommunication services only for legitimate users. For this purpose the mobile computers are authenticated and authorized if they wish to use the service level requested by them. Message transmissions must be secured against falsification and manipulation, and security-critical contents must additionally be secured against tapping, for example, in the form of a "listening attack".
For this purpose a security architecture is used which utilizes, in particular, a method for symmetrical cryptography, for example, by means of so-called cryptographic hash functions and symmetrical encryption. In symmetrical encryption a message is subjected to an encryption operation. Here, in addition to the message itself, the key is a further input value of the encryption operation. The encrypted message (cryptogram) can be transmitted via a non-secure channel and decrypted at the recipient end by means of the key. To make this process reversible, sender and recipient must agree, among other things, on a key which must be exchanged via a secure channel before commencement of the operation.

The security architecture of the present invention distinguishes between permanent and temporary trusted relationships. In this case at least one of the following permanent trusted relationships is established and managed via the authentication verification computer AAA:
trusted relationships SAMEP:i,AM between each of the access point
connection computers MEP and the authentication verification computer
AAA;
trusted relationships SAQWP.AAA between the network connection computer
GW and the authentication verification computer AAA;
trusted relationships SAGWP.MEPIJ between the network connection computer
GW and each of the access point connection computers MEP;
trusted relationships SAMG:i between access point connection computers
MEP of a group MCG of access point connection computers MEP;
trusted relationships SAPA.J between communication elements in a network
area PA (paging area) established for receiving a uniform paging service.
The trusted relationships SAMGM are known only to the members of a respective group MGC and the trusted relationships SApA:i only to the members within a paging area PA:i.
In addition, a permanent trusted relationship SAMNH.AAA between the authentication verification computer AAA and the mobile computer MN is established and managed by the authentication verification computer AAA. This is done for each mobile computer which is logged on to the access network AN. During the initial registration of the mobile computer MN a temporary trusted relationship SAMNM.AN between the mobile computer MN and at least one of the communication elements MEP, GW of the access network AN is established and managed by the authentication verification computer AAA. For external users the local AAA server can contact other AAA servers of other communication networks to establish respective trusted relationships.

Various steps for securing protocol operations within a MOMBASA communication system are described in more detail below.
When a mobile computer executes an initial registration on an access network of a MOMBASA communication system, a message sequence for this operation is executed, as shown in an exemplary manner in Fig. 3.
In a first step the access point connection computers MEP send regular advertisement messages to a so-called challenge/response mechanism. This is an authentication method which can be executed with symmetrical and asymmetrical encryption algorithms. In the method, any desired number, the so-called challenge, is transmitted by the authenticating party to the party to be authenticated. The party to be authenticated takes account of this challenge when calculating its authentication value of the transmitted MH registration request, in order to prevent so-called replay attacks. A replay attack is an active attack in which the attacker replays data obtained in an earlier session at a later time in the system in order to reach the desired information. Without the challenge/response mechanism it would be possible for an attacker to spy on valid, i.e. authenticated, MH registration requests and replay them at another access point connection computer or at a later time. With the challenge/response mechanism, by contrast, an attacker can replay the MH registration request only at the same access point connection computer MEP as the legitimate mobile computer, and can do so only within a short time in which, in effect, he repeats the request in place of the legitimate user. Step 1 is represented in Fig. 3 by "MEP Adv".
In a second step the mobile computer sends an MH registration request containing the last challenge which was incorporated in an MEP advertisement and was authenticated with the trusted relationship SAMN:I,AAA (MH RegReq).

In a third step (KeyReq) an access point connection computer MEP checks the validity of the challenge. However, the access point connection computer MEP cannot determine whether the message has been modified by an attacker. The access point connection computer MEP sends a key request requesting a key to the AM server, which request contains the original request and additional changes to the requested parameters (for example, limited lifetime as a result of a local principle). The message is authenticated with the trusted relationship
SAMEP:i,AAA-
In a fourth step (KeyRepI) the authentication verification computer AAA checks the message authentication code MAC of the message originating from the mobile computer and the message authentication code MAC that has been generated by the access point connection computer MEP for the whole message, and verifies that the requested telecommunication service is permitted for the mobile computer according to its profile. The authentication verification computer AAA creates the session trusted relationship SAMNH.AN, encrypts the session key with the trusted relationship SAMEP:J,AAA and generates the MH registration response, authenticated with the trusted relationship SAMN^AAA, which contains in encrypted form the session key for the mobile computer. The MH registration response is transmitted back to the requesting access point connection computer MEP.
In a fifth step (MH RegRepI) the access point connection computer MEP transmits the MH registration response that was contained in the key response, decrypts the session key and logs the mobile computer into its database.
In a sixth step (JoinMCG) the access point connection computer MEP becomes a part of the multicast group MCG which is associated with the mobile computer, and sets up a message transmission for the mobile computer.

In a seventh step the access point connection computer MEP inserts the mobile computer and its service class and its session key, encrypted via the trusted relationship SAMG:i, into the next advertisement between the access point connection computers MEP, which trusted relationship SAMG:J has been sent to the adjacent MEP multicast group (IMEP Adv).
In an eighth step (JoinMCG) the adjacent access point connection computers MEP generate a database entry of the mobile computer containing the trusted relationship SAMN:I,AN when they receive the inter-MEP advertisement, become a part of the multicast group associated with the mobile computer and begin to buffer the message transfer for the mobile computer.
The securing of messages with a message authentication code MAC ensures that only legitimate users receive a telecommunication service, and that messages cannot be modified without this being detected. The encryption of security-critical information and the use of message authentication codes within the access network protect against attackers who are able to tap a link in the internal access network if they are not able to compromise an access network junction.
A handover process to a new access point connection computer MEP is explained in more detail below with reference to Fig. 4.
In a first step the necessity for a handover is ascertained by the mobile computer, in that MEP advertisements are received by a new access point connection computer MEP (MEP Adv).
In a second step (MH RegReq) the mobile computer sends an MH registration request with the last challenge which was recorded in an MEP advertisement. Once a session has been set up in the access network, the message is authenticated with the trusted relationship SAMN:i,AN-

In a third step (MH RegRepI) the following operation is executed: normally the new access point connection computer MEP is one of the adjacent MEPs of the old access point connection computer MEP and is therefore already in possession of the session key of the incoming mobile computer. The new MEP can therefore check the message authentication code MAC locally and generate an MH registration response which is signed with the trusted relationship SAMM:i,AN- If the new access point connection computer MEP has no entry for the incoming mobile computer, an error is indicated to the mobile computer, so that the latter must execute an initial registration process in this case.
In a fourth step the new access point connection computer MEP sets up a transmission for the mobile computer and empties its buffer memory to compensate for message loss during the handover process.
In a fifth step (steps 5a and 4b) the process continues as in the case of the initial registration.
In a sixth step (Leave MCG) the access point connection computers MEP which are adjacent to the old MEP but not to the new MEP leave the multicast group MCG. In addition, they delete the entry with the trusted relationship when they receive the next inter-MEP advertisement of the old access point connection computer MEP which is no longer connected to the mobile computer.
A transition of the mobile computer to the inactive state is described in more detail below with reference to Fig. 5.
In a first step (MH RegReq) the mobile computer sends an MH registration request, with a flag set at inactive and authenticated with the trusted relationship SAMN.i,AN, to the currently allocated access point connection computer MEP.

In a second step (PagUpd) the latter checks the message and sends a paging update with the corresponding paging area and the encrypted session key of the mobile computer, authenticated with the trusted relationship SAGwp,MEP:i, to the network connection computer GW (gateway proxy).
In a third step (Leave MCG) the access point connection computer MEP leaves the multicast group MCG and deletes the entry of the mobile computer.
In a fourth step the network connection computer GW checks the message and generates a paging entry for the mobile computer.
In a fifth step (steps 5a, 5b) the adjacent access point connection computers MEP remove the entry of the mobile computer and leave the multicast group MCG as a result of communication traffic between the access point connection computers MEP.
In this case a paging update is executed as follows: the mobile computer in the idle state regularly refreshes its location, but with a lower frequency than in the active state. To this end, as explained in more detail with reference to Fig. 5, the following steps are executed:
The mobile computer transmits an MH registration request (MH RegReq) with an inactive flag, authenticated with the trusted relationship SAMN:J,AN. Since the access point connection computers MEP do not record every status regarding a mobile computer in the idle state, the receiving access point connection computer MEP cannot verify the validity of the message. For such messages an overload control method might be used. Such a method is implemented, for example, by so-called Rate-based Congestion Control, in order to repel denial of service attacks against the network connection computer GW.

In the next step (PagUpd) the message is transmitted as a paging update to the network connection computer GW, where it is validated. The paging entry in the network connection computer GW is updated.
A transition from inactive status to active status can be triggered by two events: the mobile computer wants, for example, to transmit messages; or messages intended for the mobile computer reach the network connection computer. In the first case an initial registration, as described above, is executed by the mobile computer; in the second case a paging process is executed for the mobile computer by the network connection computer.
A paging process is described in more detail below with reference to Fig. 6. If messages for a mobile computer MN arrive in the idle state, a paging process is executed by the network connection computer GW in the following manner:
In a first step (PagReq) the network connection computer transmits in a multicast process paging requests, authenticated with the trusted relationships SAMN:i,AN and SApA:i, to the paging area last transmitted.
In a second step (PagReq) all the access point connection computers MEP within the paging area check the paging request, strip off the SPpA:j authenticator and transmit the paging request to the access points last used.
In a third step (MH RegReq) the mobile computer verifies the paging request and executes an initial registration with an additional so-called wake-up flag.
In a fourth step (steps 4, 4a-4c), in addition to the operations relating to the initial registration, a paging update, signed with the trusted relationship SAGwp,MEP:i and with a lifetime of zero, is transmitted by the access point connection computer MEP to the network connection computer GW.

In a fifth step the network connection computer GW modifies the paging update and completes the paging process.
With regard to its security-relevant architecture, the communication system according to the invention continues to be configured to repel or prevent denial of service attacks. For this purpose the network connection computer GW and the authentication verification computer AM continue to be configured to execute an overload control method by providing a communication protocol for the communication elements GW, MEP, AM and MN, in order to prevent malfunction of one of these communication elements as a result of a denial of service attack. After the authentication of the user has been executed, as described above, decentrally at the access point connection computers MEP in the case of a handover process, attacks against the central authentication verification computer AM can be avoided, so that a malfunction would have only a local effect. Such an effect might also be caused by simpler processes, such as data congestion. On the other hand, processes such as initial registration, paging updates during idle periods and the wake-up sequence, must be executed via the authentication verification computer AM, because permanent storage of divided secrets at a non-central location would mean greater vulnerability for the architecture.
To repel denial of service attacks, the authentication verification computer AM is advantageously so configured that it executes an overload control process according to a token bucket process. The purpose of an overload control process (for example, so-called Rate-Based Congestion Control according to H. Ohsaki et al., Rate-Based Congestion Control for ATM Networks. Computer Communication Review, ACM SIGCOMM, vol. 25, no. 2, April 1995, pp. 60-72) is to prevent the messages transferred by transmitting units from overloading the capacity of the network. A method having this purpose is the token bucket algorithm, which is a method for smoothing traffic with the aim of shaping data traffic having a discontinuous traffic characteristic as far as possible in such a

way that approximately continuous data streams are produced. Token bucket operates with an intermediate memory (bucket) having limited volume. A token generator generates entitlement symbols, so-called tokens, at a constant rate. Incoming data is stored in the bucket. For each token a corresponding quantity of data is released from the bucket. If more is continuously transmitted than agreed, the bucket overflows, i.e. data losses result.
Such overload control (rate control) can be achieved with the Netfilter/IP tables architecture of a standard Linux kernel. Fig. 7 shows a table representing rules which are necessary to limit the number of message packets. In this context, message packets which cause paging requests must be limited, preferably to a number of 10 per second and with a burst length of 20. The net filter makes available a module which allows IP addresses to be dynamically inserted into, and removed from, a pool of addresses within a given area. This can be used to distinguish mobile computers with idle status from active mobile computers. The table shown in Fig. 7 presupposes a pool designated the active pool which initially contains all the addresses of mobile computers, the mobile computers in the idle state being removed from the pool by the network connection computer GW.
When an incoming message packet arrives at the network connection computer GW it is determined whether it agrees with rule no. 1 in the main table. If the destination address is contained in the active pool (-m pool: load module pool, -dst pool active: find destination address in pool active), it is accepted. Rule no. 2 is applied only to message packets which are directed to mobile computers in the idle state. This rule can be executed only 10 times per second with a burst rate which is twice the refresh rate, i.e. 20 message packets (-m limit: load module limit, -limit 10/s: restriction to 10/s, -limit-burst 2: burst length 20 packets). If the rule is applicable, the process is continued in the Idle table (-j idle). All other message packets which are not applicable to rule no. 1 and rule no. 2 are applicable to rule no. 3 and are rejected.

Rule no. 1 in the Idle table ensures that the destination of the message packet is added to the active pool (-j pool: execute pool operation, -pool active -add-dst-ip: add destination address of packet to active pool). The reason for this is that additional message packets to the same destination do not trigger a further paging process but are buffered in a ring buffer by the network connection computer GW. For this reason they can be treated by the packet filter in the same way as message packets to active mobile computers. Rule no. 2 causes the message packet to trigger the paging process in order to be accepted.
Operations which are affected by rate control are not time-critical. An initial registration generally takes place only when the communication network is contacted for the first time, a paging process generally takes place at the start of the communication session, and in any case paging update messages transmit the position of the mobile computer in only a rudimentary manner. For this reason a certain delay time as a result of overload control is acceptable even at high network load. Naturally, in a situation in which a denial of service attack is taking place, legitimate users are also affected, but only with regard to the operation which is currently being used for the attack. A denial of service attack, which without the invention would affect the whole access network and the users logged therein, is thereby limited locally. According to the invention such an attack is limited to those users who are currently inactive, and to users who are attempting to execute an initial registration process.




We Claim:
1.Communication system for providing a mobile telecommunication service which comprises the following as communication elements:
a communication network (IN) which is configured to transmit messages on the basis of at least one Internet protocol;
- at least one mobile computer (MN);
- an access network (AN) for the mobile computer (MN) in which messages are transferred using a multicast process;
- a network connection computer (GW) for connecting the access network (AN) to the communication network (IN);
- a plurality of access points (AP) in the access network, each having respective access point connection computers (MEP)which are configured to be able to establish a communication connection between variable access points (AP) and the mobile computer (MN);
an authentication verification computer (AAA) for
establishing and managing trusted relationships (SA)
between a plurality of the communication elements (GW, MEP,
AAA, MN);
- wherein the network connection computer (GW) and the
access point connection computer (MEP) are configured to
execute a packet filtering method for security-related
protection of the communication system when receiving and
transmitting messages;
- and wherein the network connection computer (GW) and the
authentication verification computer (AAA) continue to be
configured to execute an overload control method by
providing a communication protocol for the communication
elements (GW,MEP, AAA, MN) in order to prevent a
malfunction of the communication elements as a result of an
attack.
2.Communication system as claimed in claim 1, wherein the network connection computer (GW) and the access point connection computer (MEP) are configured to execute a packet filtering method in order to repel a predetermined class of attacks which use deliberately changed source addresses.
3.Communication system as claimed in claim 1 or 2, wherein the network connection computer (GW) and the access point connection computer (MEP) are configured to execute the packet filtering method to protect an internal message exchange within the access network (AN) from external attacks.
4.Communication system as claimed in any one of the
preceding claims, wherein the authentication verification computer (AAA) is configured to establish and manage at least one permanent trusted relationship (SA):
- between each of the access point connection computers (MEP)and the authentication verification computer (AAA);
- between the network connection computer (GW) and the authentication verification computer (AAA),

- between the network connection computer (GW) and each of the access point connection computers (MEP),
- between the access point connection computers (MEP) of a group (MCG) of access point connection computers (MEP),
- between communication elements in a network area (PA)
which are configured to receive a uniform paging service.
5 .Communication system as claimed in any one of the preceding claims, wherein the authentication verification computer (AAA) establishes and manages a permanent trusted relationship (SA) between the authentication verification computer (AAA) and' the mobile computer (MN) .
6. Communication system as claimed in any one of the preceding claims, wherein during the initial registration of the mobile computer (MN)the authentication verification computer (AAA) establishes and manages a temporary trusted relationship (SA) between the mobile computer (MN) and at
least one of the communication elements (MEP, GW) of the access network (AN).
7 .Communication system as claimed in any one of the preceding claims, . wherein the authentication verification computer (AAA) is configured to execute an overload control method according to a token bucket method.
8. A method for providing a mobile telecommunication service by means of a communication network (IN) which is configured to transmit messages on the basis of at least one Internet protocol comprising the following steps:
- transmitting a message using a multicast process within an access network (AN) for mobile computers (MN),
- connecting a plurality of access points (AP, MEP) in the access network (AN) to the communication network (IN) via a network connection computer (GW)
establishing a communication connection in each case
between the access network (AN) and a mobile computer (MN)
which can communicate with variable access points (AP, MEP)
in the access network (AN),
establishing trusted relationships (SA) between a plurality of communication elements (GW, MEP, AAA, MN) of the communication system and managing the trusted relationships(SA)with the aid of the authentication verification computer (AAA),
- executing a packet filtering method for security-related
protection of the communication system at the boundaries of
the access network (AN) when receiving and transmitting
messages with the aid of the network connection computer
(GW) and the access point connection computer (MEP),
- wherein an overload control is carried out with the aid
of the network connection computer (GW) and the
authentication verification computer (AAA) by providing a
communication protocol for the communication elements (GW,
MEP, AAA, MN) of the communication system in order to
prevent malfunction of one of the communication elements as
a result of an attack.
9.A method as claimed in claim 8, wherein a packet filtering method for repelling a predetermined class of attacks using deliberately changed source addresses is executed.
10.A method as claimed in claim 8 or 9,wherein the packet filtering method is executed for protection of an internal message exchange within the access network (AN) from external attacks.
11.A method as claimed in any one of claims 8 to 10, wherein it is made possible, by means of a distribution of keys to adjacent communication elements of an access point (AP, MEP) of the access network (AN) , for a further access point (AP, EP,MEP) to execute local authentication of a
mobile computer (MN) while automatically tracking an existing useful data connection.
12.A method as claimed in any one of claims 8 to 11, wherein the overload control method is executed during an initial registration process of the mobile computer (MN) and/or while executing or updating paging services.
13.A method as claimed in claims 12, wherein the overload control method is implemented by a Linux net filter architecture.
14.A method as claimed in claim 11, wherein the overload control method is executed on a plurality of levels, in particular decentrally on a level of geographical cells and centrally on a level of the total network load.
15.A method as claimed in claim 11, wherein the overload control method is executed according to a token bucket method.

Documents:

5342-delnp-2006-abstract.pdf

5342-DELNP-2006-Claims-(14-09-2011).pdf

5342-delnp-2006-claims.pdf

5342-DELNP-2006-Correspondence Others-(14-09-2011).pdf

5342-delnp-2006-correspondence-others-1.pdf

5342-delnp-2006-correspondence-others.pdf

5342-delnp-2006-description (complete).pdf

5342-DELNP-2006-Drawings-(14-09-2011).pdf

5342-delnp-2006-drawings.pdf

5342-delnp-2006-form-1.pdf

5342-delnp-2006-form-18.pdf

5342-delnp-2006-form-2.pdf

5342-DELNP-2006-Form-3-(14-09-2011).pdf

5342-delnp-2006-form-3.pdf

5342-delnp-2006-form-5.pdf

5342-delnp-2006-pct-210.pdf

5342-delnp-2006-pct-237.pdf

5342-DELNP-2006-Petition 137-(14-09-2011).pdf

abstract.jpg


Patent Number 252587
Indian Patent Application Number 5342/DELNP/2006
PG Journal Number 21/2012
Publication Date 25-May-2012
Grant Date 23-May-2012
Date of Filing 15-Sep-2006
Name of Patentee SIEMENS AKTIENGESELLSCHAFT
Applicant Address WITTELSBACHERPLATZ 2, 80333 MUNICH, GERMANY
Inventors:
# Inventor's Name Inventor's Address
1 FARTMANN, ALFONS LUSENWEG 9, 85748 GARCHING, GERMANY
2 SCHAFER.GUNTER TURMSTR, 47, 10551 BERLIN, GERMANY
3 TOTZKE,JURGEN BLUMENSTR, 49, 85586 POING, GERMANY
4 WESTERHOFF, LARS BECHERWEG 36, 13407 BERLIN, GERMANY
PCT International Classification Number G06F 1/00
PCT International Application Number PCT/EP2005/054245
PCT International Filing date 2005-08-29
PCT Conventions:
# PCT Application Number Date of Convention Priority Country
1 10 2004 047 692.6 2004-09-30 Germany
2 PCT/EP2005/054245 2005-08-29 Germany