Title of Invention

METHOD FOR PERFORMING DISCOVERY FOR AUTHENTICATION TO AN ACCESS NETWORK

Abstract
The present invention relates in general to a method for carrying Authentication for Network Access (PANA), and especially to traffic driven discovery in PANA, where a PANA Client [PaC] starts sending data packets without authenticating itself and expects the Enforcement Point [EP] to notify the PANA Authentication Agent [PAA] to start authentication and authorization. This invention explains a method of an enforcement point (EP) notifying a PANA Client (PaC) in an access network where PANA is deployed but traffic driven discovery is not supported, comprising the steps of: sending data without authenticating itself to the access network by the PaC; sending an ICMP Destination Unreachable message to the PaC with code Authentication Required by the EP; discovering by itself when the PaC receives the said ICMP Destination Unreachable message; and optionally restricting all data traffic till authentication is complete by the PaC.
Full Text
FIELD OF THE INVENTION
The present invention relates in general to a method for carrying Authentication for Network Access (PANA), and especially to traffic driven discovery in PANA, where a PANA Client [PaC] starts sending data packets without authenticating itself and expects the Enforcement Point [EP] to notify the PANA Authentication Agent [PAA] to start authentication and authorization. More particularly, this invention relates to a method of the EP notifying the PaC.
DESCRIPTION OF RELATED ART
A PANA Client [PaC] can try to start accessing the network before it is authenticated and authorized to access the network. When a PaC is not authorized and it tries to start accessing the network, EP will drop the data traffic from the PaC and optionally it may send a notification to PAA upon receiving which PAA will start a PANA session with PaC. PAA will grant network access to the PaC if the PaC is authorized to access the network. If an EP does not support the traffic driven discovery, it will drop all the data traffic from the PaC and no notification is sent to the PAA.
When packets are dropped due to administrative reasons, routers send Internet Control Message Protocol [ICMP] Destination Unreachable message with code Administratively Prohibited. But the ICMP message goes to the application that started the data transfer and might be just ignored. Even if the PaC were to listen for that message, it has no way of knowing the reason for the packets getting dropped - whether it is not authorized or if the EP does not support traffic driven discovery.
SUMMARY OF THE INVENTION
The invention allows a PaC that relies on a traffic driven discovery mechanism in the access network to start authentication and authorization even when that mechanism is not supported. More specifically, the PaC is notified by the EP that traffic driven discovery is not supported in the access network so that the PaC can start discovery by itself.
Accordingly, this invention explains a method of enforcement point (EP) notifying PANA Client (PAC) in an access network where PANA is deployed but traffic driven discovery is not supported comprising the steps of:
(a) sending data without authenticating itself to the access network by PaC;
(b) sending an ICMP Destination Unreachable message to the PaC with code Authentication Required by EP;
(c) discovering by itself when PaC receives the said ICMP Destination Unreachable message; and
(d) optionally restricting all data traffic till authentication is complete by PaC.
The ICMP message is either ICMPv4 or ICMPv6 depending on the data traffic received by the EP. ICMP messages are constructed at the IP layer, from a normal IP datagram which has generated an ICMP response. IP encapsulates the appropriate ICMP message with a new IP header; the messages use a common general format and are encapsulated in IP datagrams for transmission. The ICMPv4 Destination Unreachable Message has an 8-bit Type field which identifies the ICMP message type; for Destination Unreachable messages this field is set to 3. It has an 8-bit Code field which identifies the "subtype" of unreachable error being communicated. It has a 16-bit Checksum field for the ICMP header which provides error detection coverage for the entire ICMP message. In the ICMPv4 Destination Unreachable Message the 4-byte unused field is left blank and is not used. The original datagram portion is a variable-length field that holds the full IP header and the first 8 bytes of the payload of the datagram that prompted the error message to be sent.
The ICMPv6 Destination Unreachable Message has an 8-bit Type field which identifies the ICMP message type; for Destination Unreachable messages this field is set to 1. It has an 8-bit Code field which identifies the "subtype" of unreachable error being communicated. It has a 16-bit Checksum field for the ICMP header which provides error detection coverage for the entire ICMP message. In the ICMPv6 Destination Unreachable Message the 4-byte unused field is left blank and is not used. The original datagram portion is a variable-length field that holds as much of the IPv6 datagram as will fit without causing the size of the ICMPv6 error message to exceed the minimum IPv6 maximum transmission unit of 1280 bytes.
These and other objects, features and advantages of the present invention will become more readily apparent from the ensuing detailed description of the invention taken in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF ACCOMPANYING DRAWINGS
Figure 1 depicts how the PaC starts PANA session, when the traffic driven discovery is not supported.
Figure 2 illustrates the format of the ICMPv4 Destination Unreachable Message.
Figure 3 illustrates the format of the ICMPv6 Destination Unreachable Message.
DETAILED DESCRIPTION OF THE INVENTION
The preferred embodiments of the present invention will now be explained with reference to the accompanying drawings. It should be understood however that the disclosed embodiments are merely exemplary of the invention, which may be embodied in various forms. The following description and drawings are not to be construed as limiting the invention and numerous specific details are described to provide a thorough understanding of the present invention, as the basis for the claims and as a basis for teaching one skilled in the art how to make and/or use the invention. However in certain instances, well-known or conventional details are not described in order not to unnecessarily obscure the present invention in detail.
Figure 1 depicts how the PaC starts a PANA session when traffic driven discovery is not supported. A PaC can start accessing the network without getting authorized. If an EP does not support traffic driven discovery, it will drop all the data traffic from the PaC, and an ICMP Destination Unreachable message is sent to the PaC with the code 'authorization required'. The ICMP message is either ICMPv4 or ICMPv6 depending on the data traffic received by the EP. Both versions of ICMP are described in the following figures. No notification is sent to the PAA as the EP does not support traffic driven discovery. The PaC, on receiving such a message, can restrict data traffic and start PANA discovery by itself. The PaC may optionally restrict all data traffic till authentication is complete. After the authentication is achieved the PaC starts the PANA session.
Figure 2 illustrates the format of the ICMPv4 Destination Unreachable Message. Type is an 8-bit field which identifies the ICMP message type; for Destination Unreachable messages this is set to 3. Code is also an 8-bit field, which identifies the "subtype" of unreachable error being communicated. Checksum is a 16-bit field for the ICMP header which provides error detection coverage for the entire ICMP message. The unused field is 4 bytes that are left blank and not used. The original datagram portion is a variable-length field that holds the full IP header and the first 8 bytes of the payload of the datagram that prompted this error message to be sent.
Figure 3 illustrates the format of the ICMPv6 Destination Unreachable Message. Here also the Type is an 8-bit field; for Destination Unreachable messages the type is set to 1. The Code is also an 8-bit field, which identifies the "subtype" of unreachable error being communicated. Checksum is a 16-bit field for the ICMP header which provides error detection coverage for the entire ICMP message. The unused field is 4 bytes that are left blank and not used. The original datagram portion is a variable-length field that holds as much of the IPv6 datagram as will fit without causing the size of the ICMPv6 error message (including its own IP header) to exceed the minimum IPv6 maximum transmission unit of 1280 bytes.
A PaC can start accessing the network without getting authorized. If an EP does not support traffic driven discovery, it will drop all the data traffic from the PaC, and an ICMP Destination Unreachable message is sent to the PaC with the code 'authorization required'. The ICMP message is either ICMPv4 or ICMPv6 depending on the data traffic received by the EP. ICMP messages are constructed at the IP layer, usually from a normal IP datagram which has generated an ICMP response. IP encapsulates the appropriate ICMP message with a new IP header. These messages use a common general format, and are encapsulated in IP datagrams for transmission.
No notification is sent to the PAA as the EP does not support traffic driven discovery. The PaC, on receiving such a message can restrict data traffic and start PANA discovery by itself.
The above procedure can be described in the following steps:
1. The PaC starts sending data without authenticating itself to the access network
2. If traffic driven discovery is not supported:
2.1. EP sends an ICMP Destination Unreachable message to the PaC with code Authentication Required.
2.2. The PaC starts discovery by itself when it receives such a message.
2.3. The PaC may optionally restrict all data traffic till authentication is complete.
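The procedure above for the ICMPv4 case only, as an added example that is not part of the patent text: the EP builds the Destination Unreachable message in the format of Figure 2 and the PaC decides how to react. The value of `CODE_AUTH_REQUIRED` is a placeholder (the specification assigns no number), the function names are hypothetical, and the checksum and quoted-source-address checks are validation added here so the PaC acts only on errors that quote its own traffic.

```python
import ipaddress
import struct

ICMP4_DEST_UNREACH = 3        # Type value given in the specification
CODE_ADMIN_PROHIBITED = 13    # existing ICMPv4 code "Administratively Prohibited"
CODE_AUTH_REQUIRED = 0xF0     # ASSUMPTION: placeholder, no number is given on the page


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum over the entire ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_unreachable(code: int, original: bytes) -> bytes:
    """EP side: Type, Code, Checksum, 4 unused bytes, IP header + 8 payload bytes."""
    ihl = (original[0] & 0x0F) * 4
    quoted = original[:ihl + 8]
    body = struct.pack("!BBHI", ICMP4_DEST_UNREACH, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def pac_action(icmp: bytes, own_addr: str) -> str:
    """PaC side: decide what to do with a received ICMPv4 error message."""
    if len(icmp) < 8 + 20 or inet_checksum(icmp) != 0:
        return "ignore"                    # truncated or corrupted message
    msg_type, code, _cksum, _unused = struct.unpack("!BBHI", icmp[:8])
    if msg_type != ICMP4_DEST_UNREACH:
        return "ignore"
    quoted = icmp[8:]
    # The quoted datagram must be IPv4 and carry this PaC's address as source,
    # otherwise the error does not refer to traffic the PaC sent.
    own = ipaddress.IPv4Address(own_addr).packed
    if (quoted[0] >> 4) != 4 or quoted[12:16] != own:
        return "ignore"
    if code == CODE_AUTH_REQUIRED:
        return "start-pana-discovery"      # steps 2.2 and 2.3
    return "report-to-application"         # e.g. Administratively Prohibited


def sample_datagram(src: str, dst: str) -> bytes:
    """Constructed sample: 20-byte IPv4 header followed by an 8-byte UDP header."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + struct.pack("!HHHH", 40000, 53, 8, 0)
```
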
Advantages
1. PaC can know why it was denied network access, whether it was because it is not authorized to access the network or it is because EP does not support the traffic driven discovery.
2. In case it is because EP does not support traffic driven discovery it will start PAA discovery and start a PANA session.
3. If it is because it is not authorized to access the network it can restrict all the data traffic.
It will also be obvious to those skilled in the art that other control methods and apparatuses can be derived from the combinations of the various methods and apparatuses of the present invention as taught by the description and the accompanying drawings and these shall also be considered within the scope of the present invention. Further, description of such combinations and variations is therefore omitted above. It should also be noted that the host for storing the applications includes but is not limited to a microchip, microprocessor, handheld communication device, computer, rendering device or a multi function device.
Although the present invention has been fully described in connection with the preferred embodiments thereof with reference to the accompanying drawings, it is to be noted that various changes and modifications are possible and are apparent to those skilled in the art. Such changes and modifications are to be understood as included within the scope of the present invention as defined by the appended claims unless they depart therefrom.
GLOSSARY OF THE TERMS AND DEFINITIONS THEREOF
PANA : Protocol for Carrying Authentication for Network Access
EP : Enforcement Point
PaC : PANA Client
PAA : PANA Authentication Agent
ICMP : Internet Control Message Protocol
AAA : Authentication Authorization Accounting server






WE CLAIM
1. A method of enforcement point (EP) notifying PANA Client (PAC) in an access network where PANA is deployed but traffic driven discovery is not supported comprising the steps of:
(a) sending data without authenticating itself to the access network by PaC;
(b) sending an ICMP Destination Unreachable message to the PaC with code Authentication Required by EP;
(c) discovering by itself when PaC receives the said ICMP Destination Unreachable message; and
(d) optionally restricting all data traffic till authentication is complete by PaC.
2. A method as claimed in claim 1 wherein ICMP message is either ICMPv4 or ICMPv6 depending on the data traffic received by the EP.
3. A method as claimed in claim 1 wherein ICMP messages are constructed at the IP layer, from a normal IP datagram, which has generated an ICMP response.
4. A method as claimed in claim 1 wherein IP encapsulates the appropriate ICMP message with a new IP header and the said messages use a common general format, and are encapsulated in IP datagrams for transmission.
5. A method as claimed in claim 1 wherein ICMPv4 Destination Unreachable Message has a 8 bit Type field which identifies the ICMP message type where, for Destination Unreachable messages the said field is set to 3.
6. A method as claimed in claim 1 wherein ICMPv4 Destination Unreachable Message has a 8 bit Code field which identifies the "subtype" of unreachable error being communicated.
7. A method as claimed in claim 1 wherein ICMPv4 Destination Unreachable Message has a 16-bit Checksum field for the ICMP header which provides error detection coverage for the entire ICMP message.
8. A method as claimed in claim 1 wherein in ICMPv4 Destination Unreachable Message the unused field 4 bytes are left blank and is not used.
9. A method as claimed in claim 1 wherein in ICMPv4 Destination Unreachable Message the original datagram portion is a variable field where the full IP header and the first 8 bytes of the payload of the datagram that prompted the error message to be sent.
10. A method as claimed in claim 1 wherein ICMPv6 Destination Unreachable Message has a 8 bit Type field which identifies the ICMP message type where, for Destination Unreachable messages the said field is set to 1.
11. A method as claimed in claim 1 wherein ICMPv6 Destination Unreachable Message has a 8 bit Code field which identifies the "subtype" of unreachable error being communicated.
12. A method as claimed in claim 1 wherein ICMPv6 Destination Unreachable Message has a 16-bit Checksum field for the ICMP header which provides error detection coverage for the entire ICMP message.
13. A method as claimed in claim 1 wherein in ICMPv6 Destination Unreachable Message the unused field 4 bytes are left blank and is not used.
14. A method as claimed in claim 1 wherein in ICMPv6 Destination Unreachable Message the original datagram portion is a variable field where as much of the IPv6 datagram as will fit without causing the size of the ICMPv6 error message to exceed the minimum IPv6 maximum transmission unit of 1280 bytes.
15. A method of enforcement point (EP) notifying PANA Client (PAC) substantially described particularly with reference to the accompanying drawings.

Documents:

1975-CHE-2005 AMENDED PAGES OF SPECIFICATION 27-11-2012.pdf

1975-CHE-2005 AMENDED CLAIMS 27-11-2012.pdf

1975-CHE-2005 EXAMINATION REPORT REPLY RECEIVED 27-11-2012.pdf

1975-CHE-2005 POWER OF ATTORNEY 27-11-2012.pdf

1975-CHE-2005 AMENDED CLAIMS 03-07-2014.pdf

1975-CHE-2005 AMENDED PAGES OF SPECIFICATION 03-07-2014.pdf

1975-CHE-2005 CORRESPONDENCE OTHERS 03-07-2014.pdf

1975-CHE-2005 FORM-1 27-11-2012.pdf

1975-CHE-2005 FORM-1 03-07-2014.pdf

1975-CHE-2005 FORM-13 27-11-2012.pdf

1975-CHE-2005 FORM-13 13-12-2013.pdf

1975-CHE-2005 OTHER PATENT DOCUMENT 27-11-2012.pdf

1975-CHE-2005 POWER OF ATTORNEY 03-07-2014.pdf

1975-CHE-2005 ABSTRACT.pdf

1975-CHE-2005 CLAIMS.pdf

1975-CHE-2005 CORRESPONDENCE OTHERS.pdf

1975-CHE-2005 DESCRIPTION (COMPLETE).pdf

1975-CHE-2005 DRAWINGS.pdf

1975-CHE-2005 FORM 1.pdf

1975-CHE-2005 FORM 13 19-06-2006.pdf

1975-CHE-2005 FORM 18 19-12-2007.pdf

1975-CHE-2005 FORM-13 17-12-2013.pdf

1975-CHE-2005 POWER OF ATTORNEY.pdf


Patent Number 262975
Indian Patent Application Number 1975/CHE/2005
PG Journal Number 40/2014
Publication Date 03-Oct-2014
Grant Date 26-Sep-2014
Date of Filing 30-Dec-2005
Name of Patentee SAMSUNG R&D INSTITUTE INDIA-BANGALORE PRIVATE LIMITED
Applicant Address #2870 ORION BUILDING BAGMANE CONSTELLATION BUSINESS PARK OUTER RING ROAD DODDANEKUNDI CIRCLE MARATHAHALLI POST BANGALORE 560037
Inventors:
# Inventor's Name Inventor's Address
1 NAGARAJU EDLA BOTH EMPLOYED AT SAMSUNG ELECTRONICS CO LTD INDIA SOFTWARE OPERATIONS (SISO) J.P TECHNO PARK 3/1 MILLERS ROAD BANGALORE 560 052 KARNATAKA
2 VIJAYARAJAN RANGANTHAN BOTH EMPLOYED AT SAMSUNG ELECTRONICS CO LTD INDIA SOFTWARE OPERATIONS (SISO) J.P TECHNO PARK 3/1 MILLERS ROAD BANGALORE 560 052 KARNATAKA
3 AMMANAMANCHI SASIKANTH BHARADWAJ BOTH EMPLOYED AT SAMSUNG ELECTRONICS CO LTD INDIA SOFTWARE OPERATIONS (SISO) J.P TECHNO PARK 3/1 MILLERS ROAD BANGALORE 560 052
4 SURAJ KUMAR BOTH EMPLOYED AT SAMSUNG ELECTRONICS CO LTD INDIA SOFTWARE OPERATIONS (SISO) J.P TECHNO PARK 3/1 MILLERS ROAD BANGALORE 560 052 KARNATAKA
PCT International Classification Number H04L12/00
PCT International Application Number N/A
PCT International Filing date
PCT Conventions:
# PCT Application Number Date of Convention Priority Country
1 NA