US20100071049A1 - A method for identifying a task authorization - Google Patents


Info

Publication number
US20100071049A1
Authority
US
United States
Prior art keywords
network node
network
message
task
mesh
Legal status
Abandoned
Application number
US12/226,177
Inventor
Michael Bahr
Christian Schwingenschlögl
Current Assignee
Unify GmbH and Co KG
Original Assignee
Siemens Enterprise Communications GmbH and Co KG
Application filed by Siemens Enterprise Communications GmbH and Co KG
Publication of US20100071049A1
Assigned to UNIFY GMBH & CO. KG (change of name; assignor: SIEMENS ENTERPRISE COMMUNICATIONS GMBH & CO. KG)
Assigned to SIEMENS ENTERPRISE COMMUNICATIONS GMBH & CO. KG (assignment of assignors' interest; assignors: SCHWINGENSCHLOGL, CHRISTIAN, DR.; BAHR, MICHAEL)

Classifications

    • H04L63/0823 Network architectures or network communication protocols for network security; authentication of entities using certificates (H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
    • G06F21/606 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting data by securing the transmission between two devices or processes (G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING)
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • H04L63/10 Network architectures or network communication protocols for network security; controlling access to devices or network resources
    • H04W12/08 Security arrangements; authentication; protecting privacy or anonymity; access security (H04W WIRELESS COMMUNICATION NETWORKS)
    • H04W84/20 Network topologies; self-organising networks, e.g. ad-hoc networks or sensor networks; master-slave selection or change arrangements

Definitions

  • the invention relates to a method for safeguarding a transmission of a message from a first network node to a second network node as well as to a network node.
  • Self-organizing networks are currently being standardized as IEEE 802.11s.
  • different node classes are envisaged within the IEEE standard.
  • Such node classes are for example:
  • node classes also referred to as roles, define functions which a particular network node can execute in the network.
  • the node classes or roles thus correspond to the technical facilities of a respective network node in the network.
  • the object underlying the invention is to specify a method and a network node with which increased security is provided as regards its roles.
  • the method for identifying a task authorization for a task for a first network node comprises the following steps:
  • the network involved can be a wired network or a wireless network.
  • Wired networks are for example Ethernet networks or optical networks.
  • Wireless networks include, for example, WLAN networks, ad-hoc networks or mesh networks.
  • the network can also consist of a mixture of the categories given.
  • One advantage of the inventive method lies in its enhanced security. The reason for this is that the task authorization is refused if the first network node does not fulfill the security requirement.
  • the task comprises the receipt of a message to be sent by a network node to the first network node.
  • the refusal includes the suppression of a transmission of the message from a network node to the first network node.
  • the security for the transmission of messages is increased.
  • the network node checks the security requirement assigned to the message. If the first network node does not meet this requirement, the transmission of the message to the latter is suppressed.
  • the security requirement is determined on the basis of the message type. Possible types of message are as follows:
  • the task comprises routing a message of a network node by the first network node.
  • the refusal includes not entering or removing the network node from a routing table of the network node.
  • a certificate of the first network node is used for checking the security requirement, especially a certificate in accordance with X.509v3.
  • the certificate has attributes on the basis of which the check is undertaken.
  • an attribute certificate has the advantage, as well as certification of an identity, of also making possible a certification of a characteristic linked to the identity, i.e. an attribute. It is thus possible for example to issue a certificate with an attribute “Mesh Portal” to a network node.
  • a network node class is used as a task authorization, especially one of the following network node classes:
  • the network node has a processing unit which is embodied such that, to determine a task authorization for a task for a first network node, it is able to undertake a determination of a security requirement assigned to the task, a check whether the first network node meets the security requirement and, if it does not, a refusal of the task authorization for the first network node.
  • the network node can for example be a VoIP-enabled telephone, a laptop, a mobile telephone, a PDA or a printer. Further possibilities are a computer, a router or a gateway.
  • the network node is embodied such that the refusal comprises the first network node not being entered into or being removed from the routing table of the network node.
  • the task comprises receiving a message to be sent by a network node to the first network node and the refusal comprises the suppression of a transmission of the message to be sent.
  • the network features at least one such inventive network node.
  • it is embodied as an ad-hoc network or a mesh network.
  • FIG. 1 a mesh network.
  • the typical network shown in FIG. 1 consists of a first through fifth network node K 1 . . . K 5 , a gateway G and a WLAN-enabled network node W. Furthermore the Internet I is shown schematically in FIG. 1 , connected to the gateway G and the first network node K 1 .
  • wireless connections F between the gateway G and the second network node K 2 , between the second network node K 2 and the fourth, fifth and third network node K 4 , K 5 , K 3 , between the fourth network node K 4 and the fifth network node K 5 , between the fifth network node K 5 and the third network node K 3 , between the first network node K 1 and the third network node K 3 , as well as between the WLAN-enabled network node W and the first and third network node K 1 , K 3 .
  • cabled connections K between the Internet I and the gateway G as well as between the Internet I and the first network node K 1 .
  • Each of the network nodes K 1 . . . K 5 , as well as the gateway G and the WLAN-enabled network node W is assigned a respective attribute certificate. This is checked to allow an assignment of roles, i.e. network node classes, to the network nodes K 1 . . . K 5 , the gateway G and the WLAN-enabled network node W.
  • the WLAN-enabled network node W is not enabled for the mesh network.
  • In order to be able to communicate with the mesh network, i.e. the network nodes K 1 . . . K 5, the gateway G or the Internet I, the WLAN-enabled network node W must be given access to the mesh network.
  • MAP Mesh Access Point
  • this network node K 1 , K 3 must be in direct connection with the WLAN-enabled network node W.
  • the first and third network node K 1 , K 3 should be technically capable of making it possible for the WLAN-enabled network node W to have access to the mesh network.
  • the third network node K 3 does not have this attribute in its attribute certificate. This means that the third network node K 3 may not assume the role, i.e. network node class, of a Mesh Access Point.
  • the WLAN-enabled network node W takes on the checking of the corresponding attribute certificate. For example the WLAN-enabled network node W would like to send a message to the fourth network node K 4 .
  • the WLAN-enabled network node W knows about the presence of the first and third network node K 1 , K 3 .
  • the WLAN-enabled network node W thus sends its message directed to the fourth network node K 4 to the first network node K 1 , which routes said message, for example via the third and fifth network node K 3 , K 5 to the fourth network node K 4 .
  • the role concerned is that of a Mesh Point (MP).
  • MP Mesh Point
  • the first network node K 1 checks whether the third network node K 3 may fulfill the role of a Mesh Point.
  • the first and third network nodes K 1 , K 3 are members of the mesh network.
  • the first network node K 1 thus maintains the third network node K 3 in a routing table. Also stored in this routing table are the roles that the third network node K 3 may fulfill, based on its attribute certificate.
  • the third network node K 3 is to be able to assume the role of a Mesh Point. This means that the third network node K 3 may route the message from the WLAN-enabled network node W within the mesh network. It is thus ensured in this exemplary embodiment that, although the third network node K 3 may not undertake the connection of merely WLAN-enabled network nodes W to the mesh network, it may however route messages, even those from the WLAN-enabled network node W into the mesh network if they thus do not come directly from the WLAN-enabled network node W. The first network node K 1 thus sends the message to the third network node K 3 . In a similar way the third network node K 3 checks whether the fifth network node K 5 may route the message.
  • the third network node K 3 sends to the fifth network node K 5 . No further checking is required for routing the message to the fourth network node K 4 , for which the message is intended.
  • each network node K 1 , K 3 , K 5 lying on the way knows the path to the fourth network node, i.e. the next network node on the route. If however this is not the case, a routing algorithm must be executed. If the Ad hoc On-Demand Distance Vector (AODV) routing protocol is used, Route-Request messages are sent from the originating node for routing. If these reach the respective destination node K 1 . . . K 5, or another network node K 1 . . . K 5 that knows a route to the destination node K 1 . . . K 5, Route-Reply messages are sent back to the originating node.
  • AODV Ad hoc On-Demand Distance Vector
  • even before the Route-Request messages are sent, it is checked in each case whether a receiving network node K 1 . . . K 5 may assume the role of a Mesh Point for routing messages. If a respective network node K 1 . . . K 5 may not, the Route-Request message is not sent to it. This avoids routes being found that contain a network node which does not have the necessary authorization, since routing of messages via such a route would not be successful.
  • it is also possible in one embodiment variant to check in the Route-Reply messages whether a corresponding network node has the necessary authorization for assuming a role as the Mesh Point. Since a Route-Reply message is normally sent as a unicast message, it must be ensured here that a path will actually be found. To this end, for example, a number of Route-Reply messages can be sent. Another possibility lies in carrying out a repeated execution of the routing method with Route-Request and Route-Reply messages until a suitable path is found.
  • a further role to be checked represents the role of the Mesh Portal.
  • a network node with the Mesh Portal role can provide a connection between network node K 1 . . . K 5 in the mesh network and network nodes in an external network, such as for example the Internet I.
  • each network node K 1 . . . K 5 wishing to send a message to the Internet I checks the attribute certificate of the respective next routing network node K 1 . . . K 5 to see whether only one further hop exists in the mesh network between the Internet I and the current network node K 1 . . . K 5 .
  • This prerequisite is fulfilled if the next following routing network node K 1 . . . K 5 , G represents a Mesh Portal from the technical standpoint. In this case it must be checked whether this network node may also assume the role of the Mesh Portal.
  • the third network node K 3 would like to send a message into the Internet I.
  • the given example network there are two options.
  • the message can be sent via the gateway G to the Internet I, on the other via the first network node K 1 .
  • the gateway G has an authorization to act as a Mesh Portal in its attribute certificate.
  • the first network node K 1 does not have this attribute in its attribute certificate.
  • the first network node K 1 despite its connection to the Internet I, may thus not route any messages from the mesh network to the Internet I.
  • the third network node K 3 now establishes for example that the path to the Internet I is at its shortest via the first network node K 1 .
  • before the message is sent to the first network node K 1, however, the third network node K 3 checks the attribute certificate of the first network node K 1.
  • the attribute certificate of the first network node K 1 is checked by the third network node K 3 as to whether the first network node K 1 may assume the role of a Mesh Portal. This is not the case.
  • the third network node K 3 must thus seek another route for its message into the Internet I. Such a route is available for example via the second network node K 2 and the gateway G.
  • a check is now due, as described above, as to whether the second network node K 2 may assume the function of a Mesh Point, in order to be able to route the message to the gateway G at all. This is the case.
  • the message is thus transmitted to the second network node K 2 .
  • the reason for this is that two links of the mesh network still have to be traversed from the third network node K 3 to the gateway G. This in turn means that the second network node K 2 is not the network node which takes care of routing the message directly into the Internet I.
  • the second network node K 2 in its turn must check for the gateway G, whether the latter may execute the Mesh Portal function. According to the attribute certificate of the gateway G the latter is authorized for executing the role of the Mesh Portal. Thus the second network node K 2 may route the message to the gateway G. The gateway G in its turn takes care of routing the message into the Internet I.
  • the second network node K 2 must know, or be able to establish, for the message of the third network node K 3 that it has the Internet I as its destination. This can for example be detected on the basis of the address range of the message's destination address.
  • a similar mechanism is employed as is used for routing via Route Request and Route Reply messages.
  • a network node K 1 . . . 5 wishing for example to send a message into the Internet I, typically sends Mesh Portal Request messages into the network.
  • Mesh Portal reply messages are however only sent if a further network node K 1 . . . 5 has a Mesh Portal network node as its neighboring node.
  • the Mesh Portal reply messages are only sent if a check has also been made for the neighboring node as to whether its attribute certificate allows it to assume the role of Mesh Portal.
  • a second embodiment of the invention consists of the routing tables for messages being created in a passive manner at the network nodes K 1 . . . 5 .
  • a passive manner means that beacon messages are primarily used for creating the routing tables.
  • a network node K 1 . . . 5 accepts the beacon messages (beacons) that it can receive and creates a routing table from these.
  • the beacons each contain in this second embodiment the security certificate of the sending network node K 1 . . . 5 .
  • a network node K 1 . . . 5 that receives a beacon only inserts the sending network node K 1 . . . 5 into its routing table if the security requirement for routing is fulfilled, i.e. if its attribute certificate contains the Mesh Point role as an attribute.
  • the result achieved is that a message can be routed without new checking of the attribute certificate, since only the network nodes K 1 . . . 5 are in the routing table which enter into consideration at all for routing.
  • a first routing table can be used for routing messages within the mesh network; i.e. the first routing table only contains network nodes K 1 . . . 5 , that may assume the role of Mesh Point.
  • a second routing table is used to hold such network nodes K 1 . . . 5 as may exercise the role of Mesh Portal or Mesh Access Point.
  • a network node K 1 . . . 5 can look into one of the routing tables for the network node K 1 . . . 5 to which it may route a predetermined message.
  • FIG. 2 shows a typical execution sequence of a process which runs in a network node K 1 . . . 5 , if a message is to be sent from this network node K 1 . . . 5 to a destination node.
  • the message can originate from the network node K 1 . . . 5 itself or can already have been sent to this for routing.
  • the process is executed in this way if the destination node is not directly accessible for the network node K 1 . . . 5 , i.e. if routing through an intermediate node is necessary.
  • in a first step S 1 the network node K 1 . . . 5 receives the message for routing.
  • the network node K 1 . . . 5 decides on the intermediate node to which the message is to be routed. This decision can typically be made on the basis of a routing table.
  • the network node K 1 . . . 5 checks whether an attribute certificate for the intermediate node is known to it. If it is not, an attempt is made in an intermediate step S 31 to obtain this attribute certificate. This is done by a request message being transmitted to the intermediate node, in which the intermediate node is requested to send its attribute certificate in a response to the network node K 1 . . . 5 .
  • the network node K 1 . . . 5 checks in a fourth step S 4 , whether the attribute certificate has the necessary attribute for the routing, i.e. whether the intermediate node may undertake the routing. If it may not, the network node K 1 . . . 5 returns to the second step S 2 and attempts to find another intermediate node.
  • the network node K 1 . . . 5 sends the message to the intermediate node.
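The passive table construction from beacons (second embodiment) and the FIG. 2 steps S1 to S4 above, worked through in code. This is an added example, not code from the patent: certificates are plain dictionaries, verification of the attribute certificate's signature is assumed to have been done before a beacon reaches `on_beacon` and is not shown, the node names, roles and route preference lists are constructed from FIG. 1, and `fetch_certificate` stands in for the request/response exchange of step S31.

```python
"""Role-filtered routing tables from beacons, and the FIG. 2 forwarding steps.

Added example (not from the patent text). Certificates are plain dicts here;
signature verification of the attribute certificate is assumed to have already
been done by the caller and is not shown."""

MP, MAP, MPORT, STA = "Mesh Point", "Mesh Access Point", "Mesh Portal", "Station"


class MeshNode:
    def __init__(self, name, routes):
        self.name = name
        # destination -> candidate next hops in order of preference (assumed to
        # come from the routing protocol, e.g. AODV replies)
        self.routes = routes
        self.certs = {}        # node name -> attribute certificate already obtained
        self.mp_table = {}     # first table: neighbours certified as Mesh Point
        self.edge_table = {}   # second table: neighbours certified as Mesh Portal / MAP
        self.sent = []         # (next_hop, message) pairs handed to the radio

    # ---- second embodiment: passive table construction from beacons ----
    def on_beacon(self, beacon):
        cert = beacon["cert"]
        sender, roles = cert["subject"], set(cert["roles"])
        self.certs[sender] = cert
        if MP in roles:
            self.mp_table[sender] = roles
        if roles & {MPORT, MAP}:
            self.edge_table[sender] = roles
        # a sender with no routing role (e.g. a plain Station) is cached but
        # enters neither table, so it is never chosen as an intermediate node

    # ---- FIG. 2: steps S1 to S4 for a message that needs an intermediate node ----
    def forward(self, message, required_role, fetch_certificate):
        dest = message["dst"]                      # S1: message received for routing
        tried = set()
        while True:
            # S2: pick the next untried intermediate node from the routing table
            candidates = [n for n in self.routes.get(dest, []) if n not in tried]
            if not candidates:
                return None                        # no authorized intermediate node
            hop = candidates[0]
            tried.add(hop)
            # S3 / S31: obtain the attribute certificate if it is not yet known
            if hop not in self.certs:
                cert = fetch_certificate(hop)      # request/response with the hop
                if cert is None:
                    continue
                self.certs[hop] = cert
            # S4: refuse the hop if its certificate lacks the attribute the task needs
            if required_role(hop) not in self.certs[hop]["roles"]:
                continue                           # back to S2
            self.sent.append((hop, message))       # transmit to the chosen hop
            return hop


def cert_for(subject, *roles):
    return {"subject": subject, "roles": sorted(roles)}


# Constructed scenario around K3 from FIG. 1: K1 and K2 are one hop away, K1 is
# wired to the Internet but not certified as Mesh Portal, G is. (assumption:
# K3's route preference lists are given here rather than learned)
K3 = MeshNode("K3", routes={"I": ["K1", "K2"], "K4": ["K5", "K2"]})
for beacon_cert in (cert_for("K1", MP, MAP), cert_for("K5", MP), cert_for("W", STA)):
    K3.on_beacon({"cert": beacon_cert})

INTERNET_ADJACENT = {"K1", "G"}   # nodes with a cabled link to the Internet in FIG. 1


def role_needed_towards_internet(hop):
    # the hop that hands the message to the Internet must be a Mesh Portal;
    # any other hop only needs to be a Mesh Point
    return MPORT if hop in INTERNET_ADJACENT else MP


KNOWN_CERTS = {"K2": cert_for("K2", MP)}   # what K2 answers to a certificate request
fetches = []                               # records every S31 request that was made


def fetch_certificate(hop):
    fetches.append(hop)
    return KNOWN_CERTS.get(hop)


def demo():
    """K3 forwards one message to the Internet and one to K4."""
    hop_to_internet = K3.forward({"dst": "I", "payload": "hello"},
                                 role_needed_towards_internet, fetch_certificate)
    hop_to_k4 = K3.forward({"dst": "K4", "payload": "hello"},
                           lambda hop: MP, fetch_certificate)
    return hop_to_internet, hop_to_k4


if __name__ == "__main__":
    print(demo(), "certificate requests:", fetches)
```

K1 is the preferred route to the Internet but is refused at S4 because its cached certificate carries no Mesh Portal attribute; K2 has not sent a beacon, so its certificate is requested (S31) once, cached, and accepted. The station W ends up in the certificate cache but in neither table, which is the point of the second embodiment: later forwarding decisions never consider it.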

Abstract

In an ad hoc mesh network, roles are assigned to the different network nodes, for example mesh point or mesh portal. The invention envisages that a network node identifies the certification, and thus the permitted roles, of another network node before it sends a message to said other network node. This ensures that the roles maintain their integrity and the security in the network is enhanced.

Description

    CROSS REFERENCE TO RELATED APPLICATIONS
  • This application is the US National Stage of International Application No. PCT/EP2007/052570, filed Mar. 19, 2007, and claims the benefit thereof. The International Application claims the benefits of German application No. 10 2006 017 029.6 filed Apr. 11, 2006, and German application No. 10 2206 036 107.5 filed Aug. 2, 2006; all three applications are incorporated by reference herein in their entirety.
  • FIELD OF INVENTION
  • The invention relates to a method for safeguarding a transmission of a message from a first network node to a second network node as well as to a network node.
  • BACKGROUND OF THE INVENTION
  • Self-organizing networks are currently being standardized as IEEE 802.11s. Within the IEEE, different node classes are envisaged for this standard. Such node classes are for example:
      • Mesh Point (MP)
      • Mesh Access Point (MAP)
      • Lightweight Mesh Point (LWMP)
      • Station (STA)
      • Mesh Portal (MPort).
  • These node classes, also referred to as roles, define functions which a particular network node can execute in the network. The node classes or roles thus correspond to the technical facilities of a respective network node in the network.
  • SUMMARY OF INVENTION
  • The object underlying the invention is to specify a method and a network node with which increased security is provided as regards its roles.
  • This object is achieved in respect of the method and the network node by the features of the claims.
  • The method for identifying a task authorization for a task for a first network node comprises the following steps:
      • Determining a security requirement assigned to the task;
      • Checking whether the first network node fulfills the security requirement;
      • If it does not, refusing the task authorization for the first network node.
  • The network involved can be a wired network or a wireless network. Wired networks are for example Ethernet networks or optical networks. Wireless networks include, for example, WLAN networks, ad-hoc networks or mesh networks. The network can also consist of a mixture of the categories given.
  • One advantage of the inventive method lies in its enhanced security. The reason for this is that the task authorization is refused if the first network node does not fulfill the security requirement.
  • In a preferred embodiment of the invention the task comprises the receipt of a message to be sent by a network node to the first network node. Preferably the refusal includes the suppression of a transmission of the message from a network node to the first network node.
  • The result of this is that the security for the transmission of messages is increased. For transmission of the message the network node checks the security requirement assigned to the message. If the first network node does not meet this requirement, the transmission of the message to the latter is suppressed.
  • In an advantageous embodiment of the invention the security requirement is determined on the basis of the message type. Possible types of message are as follows:
      • a message intended for the first network node;
      • a message intended to be routed by the first network node;
      • a route message, especially a Route Request or Route Reply message;
      • a message of a further network node without mesh capabilities for routing into a mesh network.
  • In an alternate embodiment of the invention the task comprises routing a message of a network node by the first network node. Preferably the refusal includes not entering or removing the network node from a routing table of the network node.
  • The result able to be achieved by this is that a first network node which does not meet the security requirement will not be used at a later time for example for routing messages. This removal from the routing table means that it will no longer be necessary to check the security requirement at the later time.
  • It is useful for the check to be performed by the network node. This results in only a low load being imposed on the network by additional messages.
  • In an advantageous embodiment of the invention a certificate of the first network node is used for checking the security requirement, especially a certificate in accordance with X.509v3. Preferably the certificate has attributes on the basis of which the check is undertaken.
  • The use of an attribute certificate has the advantage, as well as certification of an identity, of also making possible a certification of a characteristic linked to the identity, i.e. an attribute. It is thus possible for example to issue a certificate with an attribute “Mesh Portal” to a network node.
  • Preferably a network node class is used as a task authorization, especially one of the following network node classes:
      • Mesh Point;
      • Mesh Access Point;
      • Lightweight Mesh Point;
      • Station;
      • Mesh Portal.
  • This produces the advantage of the second network node being allocated a clear role, i.e. a node class, and simultaneously of the checking of the security requirement ensuring a secure transmission of the message. A further result is that a network node cannot always execute its full technical capabilities in the network.
  • The network node has a processing unit which is embodied such that, to determine a task authorization for a task for a first network node, it is able to undertake a determination of a security requirement assigned to the task, a check whether the first network node meets the security requirement and, if it does not, a refusal of the task authorization for the first network node.
  • The network node can for example be a VoIP-enabled telephone, a laptop, a mobile telephone, a PDA or a printer. Further possibilities are a computer, a router or a gateway.
  • Preferably the network node is embodied such that the refusal comprises the first network node not being entered into or being removed from the routing table of the network node.
  • In a preferred embodiment of the network node the task comprises receiving a message to be sent by a network node to the first network node and the refusal comprises the suppression of a transmission of the message to be sent.
  • The network features at least one such inventive network node. Preferably it is embodied as an ad-hoc network or a mesh network.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Further details and advantages of the invention are explained on the basis of the drawing. The figures show:
  • FIG. 1 a mesh network.
  • DETAILED DESCRIPTION OF INVENTION
  • The typical network shown in FIG. 1, the embodiments of which will be used as a basis to present the inventive method, consists of a first through fifth network node K1 . . . K5, a gateway G and a WLAN-enabled network node W. Furthermore the Internet I is shown schematically in FIG. 1, connected to the gateway G and the first network node K1.
  • In the network there are wireless connections F between the gateway G and the second network node K2, between the second network node K2 and the fourth, fifth and third network node K4, K5, K3, between the fourth network node K4 and the fifth network node K5, between the fifth network node K5 and the third network node K3, between the first network node K1 and the third network node K3, as well as between the WLAN-enabled network node W and the first and third network node K1, K3. There are also cabled connections K between the Internet I and the gateway G as well as between the Internet I and the first network node K1.
  • Each of the network nodes K1 . . . K5, as well as the gateway G and the WLAN-enabled network node W is assigned a respective attribute certificate. This is checked to allow an assignment of roles, i.e. network node classes, to the network nodes K1 . . . K5, the gateway G and the WLAN-enabled network node W.
  • The WLAN-enabled network node W is not enabled for the mesh network. In order to be able to communicate with the mesh network, i.e. the network nodes K1 . . . K5, the gateway G or the Internet I, the WLAN-enabled network node W must be given access to the mesh network. This requires a network node K1 . . . K5 with the technical capability to function as a Mesh Access Point (MAP), and with the authorization to do so. Furthermore this network node K1, K3 must be in direct connection with the WLAN-enabled network node W. In this typical network the first and third network nodes K1, K3 are technically capable of giving the WLAN-enabled network node W access to the mesh network. However, only the first network node K1 has the attribute "Mesh Access Point" in its attribute certificate. The third network node K3 does not have this attribute in its attribute certificate. This means that the third network node K3 may not assume the role, i.e. network node class, of a Mesh Access Point.
  • The WLAN-enabled network node W takes on the checking of the corresponding attribute certificate. For example, the WLAN-enabled network node W would like to send a message to the fourth network node K4. The WLAN-enabled network node W knows about the presence of the first and third network nodes K1, K3. It first checks the attribute certificate of the third network node K3, by sending a message to this network node K3 and receiving the attribute certificate as a reply from the third network node K3. The outcome of the check on the attribute certificate is that the third network node K3 may not assume the role of a Mesh Access Point. The WLAN-enabled network node W therefore does not send the message to the third network node K3. The outcome of a similar check on the first network node K1 is that the first network node K1 may assume the role of the Mesh Access Point. The WLAN-enabled network node W thus sends its message directed to the fourth network node K4 to the first network node K1, which routes said message, for example via the third and fifth network nodes K3, K5, to the fourth network node K4.
  • For routing of messages of the WLAN-enabled network node W to the fourth network node K4 via the first network node K1 further roles are necessary at the third and fifth network nodes K3, K5. In this case the role concerned is that of a Mesh Point (MP). Before the first network node K1 routes the message of the WLAN-enabled network node W to the third network node K3, it checks whether the third network node K3 may fulfill the role of a Mesh Point. The first and third network nodes K1, K3 are members of the mesh network. The first network node K1 thus maintains the third network node K3 in a routing table. Also stored in this routing table are the roles that the third network node K3 may fulfill, based on its attribute certificate. In the example given the third network node K3 is to be able to assume the role of a Mesh Point. This means that the third network node K3 may route the message from the WLAN-enabled network node W within the mesh network. It is thus ensured in this exemplary embodiment that, although the third network node K3 may not undertake the connection of merely WLAN-enabled network nodes W to the mesh network, it may however route messages, even those from the WLAN-enabled network node W into the mesh network if they thus do not come directly from the WLAN-enabled network node W. The first network node K1 thus sends the message to the third network node K3. In a similar way the third network node K3 checks whether the fifth network node K5 may route the message. Since also the fifth network node K5 in this example may assume the role of a Mesh Point, the third network node K3 sends to the fifth network node K5. No further checking is required for routing the message to the fourth network node K4, for which the message is intended.
  • In the example of the message of the WLAN-enabled network node W it has been assumed that each network node K1, K3, K5 on the way knows the path to the fourth network node K4, i.e. the next network node on the route. If this is not the case, a routing algorithm must be executed. If the Ad hoc On-Demand Distance Vector (AODV) routing protocol is used, the source node (the originator of the route discovery) sends Route-Request messages. When these reach the respective destination node K1 . . . K5, or another network node K1 . . . K5 that knows a route to the destination node K1 . . . K5, Route-Reply messages are sent back to the source node. In this exemplary embodiment of the inventive method it is checked, even before a Route-Request message is sent, whether the receiving network node K1 . . . K5 may assume the role of a Mesh Point for routing messages. If a network node K1 . . . K5 may not, the Route-Request message is not sent to it. This avoids discovering routes that contain a network node without the necessary authorization, since routing messages via such a route would not succeed.
  • In one embodiment variant it is also possible to check in the Route-Reply messages whether a corresponding network node has the necessary authorization for assuming the role of the Mesh Point. Since a Route-Reply message is normally sent as a unicast message, it must be ensured here that a path will actually be found. To this end a number of Route-Reply messages can be sent, for example. Another possibility is to repeat the routing method with Route-Request and Route-Reply messages until a suitable path is found.
  • A further role to be checked is that of the Mesh Portal. A network node with the Mesh Portal role can connect network nodes K1 . . . K5 in the mesh network to network nodes in an external network, such as the Internet I. To ensure that this functionality too can only be offered by network nodes K1 . . . K5 authorized to do so, each network node K1 . . . K5 wishing to send a message to the Internet I checks whether only one further hop in the mesh network lies between the current network node K1 . . . K5 and the Internet I. This is the case if the next routing network node K1 . . . K5, G is a Mesh Portal from the technical standpoint. If so, the attribute certificate of that next network node is checked as to whether it may also assume the role of the Mesh Portal.
  • To this end an example is given in which the third network node K3 would like to send a message into the Internet I. In the example network there are two options: the message can be sent to the Internet I via the gateway G, or via the first network node K1.
  • In this example, however, only the gateway G has an authorization to act as a Mesh Portal in its attribute certificate. The first network node K1 does not have this attribute in its attribute certificate. The first network node K1, despite its connection to the Internet I, may thus not route any messages from the mesh network to the Internet I. The third network node K3 now establishes, for example, that the shortest path to the Internet I runs via the first network node K1. Before sending the message to the first network node K1, however, it checks the attribute certificate of the first network node K1. Since the first network node K1 would already be the network node that has to route the message into the Internet I, the third network node K3 checks the attribute certificate of the first network node K1 as to whether the first network node K1 may assume the role of a Mesh Portal. This is not the case. The third network node K3 must thus seek another route for its message into the Internet I. Such a route is available for example via the second network node K2 and the gateway G. As described above, it must now be checked whether the second network node K2 may assume the function of a Mesh Point, in order to be able to route the message to the gateway G at all. This is the case. The message is thus transmitted to the second network node K2.
  • The third network node K3 does not have to check whether the second network node K2 may assume Mesh Portal functionality, because two links of the mesh network still lie between the third network node K3 and the gateway G. This means that the second network node K2 is not the network node that routes the message directly into the Internet I.
  • The second network node K2 in turn must check whether the gateway G may execute the Mesh Portal function. According to the attribute certificate of the gateway G, the latter is authorized to execute the role of the Mesh Portal. Thus the second network node K2 may route the message to the gateway G. The gateway G in turn routes the message into the Internet I.
  • The second network node K2 must know, or be able to establish, that the message of the third network node K3 has the Internet I as its destination. This can be detected, for example, from the address range of the destination address of the message.
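The two worked cases above (the message of W routed K1, K3, K5, K4, and the message of K3 that must avoid K1 as a portal) follow one general rule: every intermediate hop must hold the Mesh Point attribute, the hop that leaves the mesh must additionally hold the Mesh Portal attribute, and a Route-Request is never handed to a node that fails the check. The following Python model is an added example, not code from the patent: the address plan, the link topology and the role sets in the certificates are constructed assumptions chosen to reproduce the behaviour the text describes, and breadth-first search stands in for the AODV Route-Request flooding.

```python
"""Role-constrained route discovery in the page's example mesh (K1..K5, gateway G,
WLAN station W, Internet I). Added example; topology, addresses and roles are
constructed assumptions, not taken from the patent."""
from collections import deque
from ipaddress import ip_address, ip_network

MESH_PREFIX = ip_network("10.0.0.0/8")          # assumption: addresses outside it are "Internet"
ADDR = {"K1": "10.0.0.1", "K2": "10.0.0.2", "K3": "10.0.0.3",
        "K4": "10.0.0.4", "K5": "10.0.0.5", "G": "10.0.0.6"}
ADDR_TO_NODE = {a: n for n, a in ADDR.items()}

# Roles (node classes) each attribute certificate authorizes. As in the text, K1 has an
# Internet uplink but no Mesh Portal (MPP) authorization; only G has it; K1 is the only
# Mesh Access Point (MAP) through which a plain WLAN station may join.
CERT_ROLES = {"K1": {"MP", "MAP"}, "K2": {"MP"}, "K3": {"MP"},
              "K4": {"MP"}, "K5": {"MP"}, "G": {"MP", "MPP"}}

MESH_LINKS = {"K1": {"K3"}, "K2": {"K3", "G"}, "K3": {"K1", "K2", "K5"},
              "K4": {"K5"}, "K5": {"K3", "K4"}, "G": {"K2"}}
UPLINKS = {"K1", "G"}   # physically connected to the Internet: portals "from the technical standpoint"


def may_assume(node, role, certs=CERT_ROLES):
    """The attribute check: does the node's certificate list this role?"""
    return role in certs.get(node, set())


def may_attach_station(node, certs=CERT_ROLES):
    """A WLAN-only station such as W may only join the mesh through an authorized MAP."""
    return may_assume(node, "MAP", certs)


def is_internet_destination(dst_addr):
    """Internet-bound traffic is recognised from the destination address range."""
    return ip_address(dst_addr) not in MESH_PREFIX


def discover_route(src, dst_addr, certs=CERT_ROLES):
    """AODV-style discovery with the page's pre-check: a Route-Request is only handed to a
    neighbour whose certificate allows the Mesh Point (MP) role, and a node answers for an
    Internet destination only if it is an uplink and may assume the Mesh Portal role.
    BFS stands in for the flooding, so the first answer is the shortest authorized route.
    Returns the node list from src inclusive, or None if no authorized route exists."""
    to_internet = is_internet_destination(dst_addr)
    target = None if to_internet else ADDR_TO_NODE.get(dst_addr)
    if not to_internet and target is None:
        return None
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if to_internet:
            can_answer = node in UPLINKS and may_assume(node, "MPP", certs)
        else:
            can_answer = node == target
        if node != src and can_answer:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nb in sorted(MESH_LINKS[node]):
            if nb in prev:
                continue
            # Pre-check before sending the Route-Request: the destination itself needs no
            # routing role, every intermediate node must be an authorized Mesh Point.
            if nb != target and not may_assume(nb, "MP", certs):
                continue
            prev[nb] = node
            queue.append(nb)
    return None


if __name__ == "__main__":
    print(discover_route("K1", ADDR["K4"]))       # W's message: ['K1', 'K3', 'K5', 'K4']
    print(discover_route("K3", "203.0.113.7"))    # not via K1: ['K3', 'K2', 'G']
```

The shortest physical path K3, K1, Internet is never returned because K1 fails the Mesh Portal check at the answering node, exactly as in the text; withdrawing the Mesh Point attribute from K2 leaves K3 with no authorized route at all rather than a route that would fail at forwarding time.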
  • There is a further embodiment variant for checking the role of the Mesh Portal. In this alternative all network nodes wishing to offer a Mesh Portal function, i.e. those wishing to assume the network node class of the Mesh Portal, must send messages into the network with which they make their function known. These messages are only accepted if the other network nodes K1 . . . K5 of the network simultaneously check the sender's attribute certificate successfully, i.e. if the corresponding network node may offer the Mesh Portal functionality.
  • In a further variant, a mechanism similar to routing via Route-Request and Route-Reply messages is used to discover Mesh Portal network nodes. A network node K1 . . . K5 wishing for example to send a message into the Internet I sends Mesh Portal Request messages into the network. Mesh Portal Reply messages are only sent, however, by a network node K1 . . . K5 that has a Mesh Portal network node as its neighboring node, and only after it has also checked whether the attribute certificate of that neighboring node allows it to assume the role of the Mesh Portal.
  • The inventive method and its described execution options make it possible to maintain different roles of network nodes in, for example, multi-hop mesh networks and thereby to implement the security features necessary for enterprise networks, for example. By defining additional attributes that describe further roles, a significantly finer-grained security management can be designed. Furthermore the attribute certificates employed can also be used to safeguard services on higher layers, for example the certification of components and services in service discovery protocols.
  • A second embodiment of the invention consists of the routing tables for messages being created in a passive manner at the network nodes K1 . . . K5. In a passive manner means that beacon messages are primarily used for creating the routing tables.
  • A network node K1 . . . K5 accepts the beacon messages (beacons) that it can receive and creates a routing table from these. In this second embodiment each beacon contains the security certificate of the sending network node K1 . . . K5. A network node K1 . . . K5 that receives a beacon only inserts the sending network node K1 . . . K5 into its routing table if the security requirement for routing is fulfilled, i.e. if its attribute certificate contains the Mesh Point role as an attribute.
  • The result is that a message can be routed without checking the attribute certificate again, since the routing table only contains those network nodes K1 . . . K5 that come into consideration for routing at all.
  • It is worthwhile here to maintain separate routing tables for different roles, i.e. node classes. A first routing table can be used for routing messages within the mesh network; i.e. the first routing table only contains network nodes K1 . . . K5 that may assume the role of Mesh Point. A second routing table holds those network nodes K1 . . . K5 that may exercise the role of Mesh Portal or Mesh Access Point. Depending on the task at hand, a network node K1 . . . K5 looks in one of the routing tables for the network node K1 . . . K5 to which it may route a given message.
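The passive embodiment moves the certificate check from forwarding time to beacon-reception time, so the check at reception has to be the full one: the certificate must verify against the issuing authority, it must belong to the node that sent the beacon, and the node must be entered only into the tables whose role it holds (and dropped from a table whose role it no longer holds, as claim 22 allows). The following Python is an added example, not the patent's code; the certificate layout, the HMAC tag standing in for the CA signature, the validity field and the beacon metric are constructed assumptions.

```python
"""Passive, role-separated routing tables filled from beacons (the page's second
embodiment). Added example: certificate format, the HMAC standing in for the CA
signature, the metric and the node roles are constructed assumptions."""
import hashlib
import hmac
import json

CA_KEY = b"mesh-ca-demo-key"   # assumption: a shared key stands in for the CA's signing key


def _tag(body, key):
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def issue_cert(subject, roles, not_after, key=CA_KEY):
    """Stand-in for an X.509v3 attribute certificate: subject, role attributes, validity, tag."""
    body = {"subject": subject, "roles": sorted(roles), "not_after": not_after}
    return {**body, "sig": _tag(body, key)}


def verify_cert(cert, now, key=CA_KEY):
    """Accept only a certificate whose tag verifies and that is still valid at `now`."""
    body = {k: cert[k] for k in ("subject", "roles", "not_after")}
    return hmac.compare_digest(_tag(body, key), cert["sig"]) and now <= cert["not_after"]


class RoleRoutingTables:
    """One routing table per node class: 'mesh' holds authorized Mesh Points, 'external'
    holds nodes that may act as Mesh Portal (MPP) or Mesh Access Point (MAP)."""
    TABLE_ROLES = {"mesh": {"MP"}, "external": {"MPP", "MAP"}}

    def __init__(self, now):
        self.now = now
        self.tables = {name: {} for name in self.TABLE_ROLES}

    def on_beacon(self, beacon):
        """Insert the sender only if its certificate verifies, names the sender as subject
        and carries the table's role; remove it from tables whose role it lacks."""
        cert = beacon["cert"]
        if beacon["sender"] != cert["subject"] or not verify_cert(cert, self.now):
            return False
        roles = set(cert["roles"])
        inserted = False
        for name, needed in self.TABLE_ROLES.items():
            if roles & needed:
                self.tables[name][beacon["sender"]] = beacon["metric"]
                inserted = True
            else:
                self.tables[name].pop(beacon["sender"], None)
        return inserted

    def next_hop(self, task):
        """Best neighbour for the task ('mesh' or 'external'); no certificate check here."""
        table = self.tables[task]
        return min(table, key=table.get) if table else None


def build_tables_from_sample_beacons():
    """Constructed beacon traffic as seen by one node at time 1000."""
    tables = RoleRoutingTables(now=1000)
    beacons = [
        {"sender": "K1", "metric": 3, "cert": issue_cert("K1", {"MP", "MAP"}, 2000)},
        {"sender": "K3", "metric": 1, "cert": issue_cert("K3", {"MP"}, 2000)},
        {"sender": "G",  "metric": 2, "cert": issue_cert("G", {"MP", "MPP"}, 2000)},
        {"sender": "K5", "metric": 1, "cert": issue_cert("K5", {"MP"}, 900)},      # expired
        # roles merely claimed, no CA-issued certificate behind them
        {"sender": "X",  "metric": 0, "cert": {"subject": "X", "roles": ["MP", "MPP"],
                                                "not_after": 2000, "sig": "00"}},
        # G's genuine certificate replayed under another sender name
        {"sender": "Y",  "metric": 0, "cert": issue_cert("G", {"MP", "MPP"}, 2000)},
    ]
    for b in beacons:
        tables.on_beacon(b)
    return tables
```

Note what the subject check does and does not buy: it rejects a beacon that replays G's certificate under a different name, but a beacon is not itself authenticated, so an attacker that also spoofs G's address is stopped only by the link-layer security association binding that address to G's key, not by the certificate check alone.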
  • FIG. 2 shows a typical execution sequence of a process that runs in a network node K1 . . . K5 when a message is to be sent from this network node K1 . . . K5 to a destination node. The message can originate from the network node K1 . . . K5 itself or can already have been sent to it for routing. The process is executed in this way if the destination node is not directly reachable from the network node K1 . . . K5, i.e. if routing through an intermediate node is necessary.
  • In a first step S1 the network node K1 . . . K5 receives the message for routing. In a second step S2 the network node K1 . . . K5 decides on the intermediate node to which the message is to be routed. This decision can typically be made on the basis of a routing table. In a subsequent third step S3 the network node K1 . . . K5 checks whether an attribute certificate for the intermediate node is known to it. If it is not, an attempt is made in an intermediate step S31 to obtain this attribute certificate. This is done by transmitting a request message to the intermediate node, in which the intermediate node is requested to send its attribute certificate in a response to the network node K1 . . . K5.
  • With the attribute certificate now known, the network node K1 . . . K5 checks in a fourth step S4 whether the attribute certificate has the attribute necessary for the routing, i.e. whether the intermediate node may undertake the routing. If it may not, the network node K1 . . . K5 returns to the second step S2 and attempts to find another intermediate node.
  • If however the intermediate node may accept the task, the network node K1 . . . K5 sends the message to the intermediate node in a fifth step S5.
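The loop S2, S3, S31, S4, S5 above, written out for one forwarding node as an added Python example (not the patent's code). The ordered candidate lists per destination, the in-memory directory that answers the S31 certificate request, the uplink set and the node names are constructed assumptions; the security requirement is derived from the message's destination and the hop, as claims 19 and 20 describe, so the same process serves mesh-internal and Internet-bound messages.

```python
"""FIG. 2 forwarding process (S1..S5 with S31) for one node. Added example; candidate
lists, certificate directory, uplinks and node names are constructed assumptions."""

UPLINKS = {"K1", "G"}   # nodes with an Internet connection: a hop to one of them leaves the mesh

# Constructed replies to the S31 request: the roles each node's attribute certificate
# grants (signature verification is assumed to happen when the reply is received).
CERT_DIRECTORY = {"K1": {"MP", "MAP"}, "K2": {"MP"}, "K3": {"MP"},
                  "K4": {"MP"}, "K5": {"MP"}, "G": {"MP", "MPP"}}


def required_role(dst, candidate):
    """Security requirement for the task: an Internet-bound message ('I') needs the Mesh
    Portal role from the hop that leaves the mesh; every other hop needs Mesh Point."""
    if dst == "I" and candidate in UPLINKS:
        return "MPP"
    return "MP"


class ForwardingNode:
    def __init__(self, name, candidates):
        self.name = name
        self.candidates = candidates   # destination -> intermediate nodes in preference order (S2)
        self.cert_cache = {}           # intermediate node -> roles, filled on demand (S3/S31)
        self.requests = []             # S31 certificate requests actually sent
        self.sent = []                 # (next hop, message) pairs handed over in S5

    def roles_of(self, peer):
        if peer not in self.cert_cache:                       # S3: certificate unknown
            self.requests.append(peer)                        # S31: request it from the peer
            self.cert_cache[peer] = CERT_DIRECTORY.get(peer, set())   # constructed reply
        return self.cert_cache[peer]

    def forward(self, msg):
        """S1: a message (own or in transit) needs an intermediate node. Returns the next hop
        chosen, or None when no authorized candidate exists (the task is refused)."""
        for candidate in self.candidates.get(msg["dst"], []):          # S2
            if required_role(msg["dst"], candidate) in self.roles_of(candidate):   # S4
                self.sent.append((candidate, msg))                     # S5
                return candidate
            # S4 failed: back to S2 with the next candidate
        return None


def k3_example():
    """K3 as in the text: the preferred path to the Internet runs via K1, which may not act
    as Mesh Portal, so the message goes via K2; K5 carries the mesh-internal message."""
    k3 = ForwardingNode("K3", {"I": ["K1", "K2"], "K4": ["K5", "K1"]})
    first = k3.forward({"dst": "I", "payload": "ping"})
    second = k3.forward({"dst": "I", "payload": "pong"})   # certificates now cached: no S31
    mesh = k3.forward({"dst": "K4", "payload": "hello"})
    return k3, first, second, mesh
```

Each certificate is requested once and cached; a node whose certificate lacks the required attribute is skipped rather than removed, so a later re-certification can make it eligible again without changing the routing table.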

Claims (19)

1.-15. (canceled)
16. A method for identifying a task authorization for a task for a first network node, comprising:
determining a security requirement assigned to the task;
checking whether the first network node fulfills the security requirement; and
if the security requirement is not fulfilled, refusing the task authorization for the first network node.
17. The method as claimed in claim 16, wherein the task comprises the receipt of a message to be sent by a network node to the first network node.
18. The method as claimed in claim 16, wherein the refusal includes a suppression of sending the message from the network node to the first network node.
19. The method as claimed in claim 18, wherein the determination of the security requirement undertaken is based on the type of message.
20. The method as claimed in claim 18, wherein the determination of the security requirement undertaken is based on at least one of the following types:
a message intended for the first network node,
a message intended to be routed by the first network node,
a Route-Request or Route-Reply message, or
a message from a non-mesh-enabled further network node for routing into a mesh network.
21. The method as claimed in claim 16, wherein the task comprises the routing of a message of a network node by the first network node.
22. The method as claimed in claim 21, wherein the refusal comprises not entering and/or removing an entry of the network node from a routing table of the network node.
23. The method as claimed in claim 21, wherein the check is conducted by the network node.
24. The method as claimed in claim 23, wherein a certificate of the first network node is used for checking a security request.
25. The method as claimed in claim 23, wherein a certificate of the first network node in accordance with X.509v3 is used to check a security request.
26. The method as claimed in claim 24, wherein the certificate has attributes on the basis of which the check is conducted.
27. The method as claimed in claim 26, wherein a network node class is used as the task authorization.
28. The method as claimed in claim 27, wherein the network node class is selected from the group consisting of: mesh point, mesh access point, lightweight mesh point, station, and mesh portal.
29. A network node, comprising:
a processing unit constructed and arranged such that,
to determine a task authorization for a task for a first network node, the node determines a security requirement assigned to the task,
to check whether the first network node meets the security requirement, and
to refuse the task authorization for the first network node if the first network node does not meet the security requirement.
30. The network node as claimed in claim 29, wherein the refusal comprises not entering the first network node into or removing it from a routing table of the network node.
31. The network node as claimed in claim 29, wherein the task comprises the receipt of a message to be sent by a network node to the first network node and the refusal includes suppression of the transmission of the message to be sent.
32. A network, comprising:
at least one network node,
wherein the at least one network node has:
a processing unit embodied,
to determine a task authorization for a task for a first network node, where the node determines a security requirement assigned to the task,
to check whether the first network node meets the security requirement, and
to refuse the task authorization for the first network node if the first network node does not meet the security requirement.
33. The network in accordance with claim 32, wherein the network is an ad-hoc network or a mesh network.
US12/226,177 2006-04-11 2007-03-19 A method for identifying a task authorization Abandoned US20100071049A1 (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
DE102006017029 2006-04-11
DE102006017029.6 2006-04-11
DE102006036107A DE102006036107A1 (en) 2006-04-11 2006-08-02 Procedure for determining a task permit
DE102006036107.5 2006-08-02
PCT/EP2007/052570 WO2007118746A1 (en) 2006-04-11 2007-03-19 A method for identifying a task authorization

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2007/052570 A-371-Of-International WO2007118746A1 (en) 2006-04-11 2007-03-19 A method for identifying a task authorization

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/754,795 Continuation US9712517B2 (en) 2006-04-11 2015-06-30 Method for identifying a task authorization

Publications (1)

Publication Number Publication Date
US20100071049A1 true US20100071049A1 (en) 2010-03-18

Family

ID=38229419

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/226,177 Abandoned US20100071049A1 (en) 2006-04-11 2007-03-19 A method for identifying a task authorization
US14/754,795 Active 2027-06-21 US9712517B2 (en) 2006-04-11 2015-06-30 Method for identifying a task authorization

Family Applications After (1)

Application Number Title Priority Date Filing Date
US14/754,795 Active 2027-06-21 US9712517B2 (en) 2006-04-11 2015-06-30 Method for identifying a task authorization

Country Status (5)

Country Link
US (2) US20100071049A1 (en)
EP (1) EP2005700B1 (en)
CN (1) CN101422012B (en)
DE (1) DE102006036107A1 (en)
WO (1) WO2007118746A1 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2539730A (en) * 2015-06-25 2016-12-28 Airspan Networks Inc Node role assignment in networks
US9706419B2 (en) 2015-06-25 2017-07-11 Airspan Networks Inc. Antenna apparatus and method of performing spatial nulling within the antenna apparatus
US9924385B2 (en) 2015-06-25 2018-03-20 Airspan Networks Inc. Antenna apparatus and method of configuring a transmission beam for the antenna apparatus
US9973943B2 (en) 2015-06-25 2018-05-15 Airspan Networks Inc. Wireless network configuration using path loss determination between nodes
US10070325B2 (en) 2015-06-25 2018-09-04 Airspan Networks Inc. Sub-sampling antenna elements
US10098018B2 (en) 2015-06-25 2018-10-09 Airspan Networks Inc. Configurable antenna and method of operating such a configurable antenna
US10257733B2 (en) 2015-06-25 2019-04-09 Airspan Networks Inc. Managing external interference in a wireless network
US10306485B2 (en) 2015-06-25 2019-05-28 Airspan Networks Inc. Configurable antenna and method of operating such a configurable antenna
US10667145B2 (en) 2015-06-25 2020-05-26 Airspan Networks Inc. Bearing calculation
US10834614B2 (en) 2015-06-25 2020-11-10 Airspan Networks Inc. Quality of service in wireless backhauls
US11405275B2 (en) * 2018-04-27 2022-08-02 Hewlett Packard Enterprise Development Lp Automatically determining mesh network role of network device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102006036107A1 (en) 2006-04-11 2007-10-18 Siemens Ag Procedure for determining a task permit

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6751729B1 (en) * 1998-07-24 2004-06-15 Spatial Adventures, Inc. Automated operation and security system for virtual private networks
US20050228886A1 (en) * 2004-04-12 2005-10-13 Nokia, Inc. System and method for enabling authorization of a network device using attribute certificates

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3600095B2 (en) * 1999-12-07 2004-12-08 松下電器産業株式会社 Interrupt management device and interrupt management method
AU2002343424A1 (en) * 2001-09-28 2003-04-14 Bluesocket, Inc. Method and system for managing data traffic in wireless networks
US7665126B2 (en) 2003-12-17 2010-02-16 Microsoft Corporation Mesh networks with exclusion capability
DE102006036107A1 (en) 2006-04-11 2007-10-18 Siemens Ag Procedure for determining a task permit
US7561551B2 (en) * 2006-04-25 2009-07-14 Motorola, Inc. Method and system for propagating mutual authentication data in wireless communication networks
CA2585808A1 (en) * 2007-03-26 2008-09-26 David Ker Method and system for implementing a secured and centrally managed virtual ip network on a common ip network infrastructure

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10231139B2 (en) 2015-06-25 2019-03-12 Airspan Networks Inc. Node role assignment in networks
GB2539730A (en) * 2015-06-25 2016-12-28 Airspan Networks Inc Node role assignment in networks
US9924385B2 (en) 2015-06-25 2018-03-20 Airspan Networks Inc. Antenna apparatus and method of configuring a transmission beam for the antenna apparatus
US9973943B2 (en) 2015-06-25 2018-05-15 Airspan Networks Inc. Wireless network configuration using path loss determination between nodes
US10070325B2 (en) 2015-06-25 2018-09-04 Airspan Networks Inc. Sub-sampling antenna elements
US10098018B2 (en) 2015-06-25 2018-10-09 Airspan Networks Inc. Configurable antenna and method of operating such a configurable antenna
US9706419B2 (en) 2015-06-25 2017-07-11 Airspan Networks Inc. Antenna apparatus and method of performing spatial nulling within the antenna apparatus
US10257733B2 (en) 2015-06-25 2019-04-09 Airspan Networks Inc. Managing external interference in a wireless network
US10834614B2 (en) 2015-06-25 2020-11-10 Airspan Networks Inc. Quality of service in wireless backhauls
US10667145B2 (en) 2015-06-25 2020-05-26 Airspan Networks Inc. Bearing calculation
US10306485B2 (en) 2015-06-25 2019-05-28 Airspan Networks Inc. Configurable antenna and method of operating such a configurable antenna
GB2539730B (en) * 2015-06-25 2021-04-07 Airspan Ip Holdco Llc Node role assignment in networks
US11811127B2 (en) 2015-06-25 2023-11-07 Airspan Ip Holdco Llc Wireless network controller and method of controlling a wireless network
US11405275B2 (en) * 2018-04-27 2022-08-02 Hewlett Packard Enterprise Development Lp Automatically determining mesh network role of network device

Also Published As

Publication number Publication date
CN101422012A (en) 2009-04-29
WO2007118746A1 (en) 2007-10-25
DE102006036107A1 (en) 2007-10-18
EP2005700A1 (en) 2008-12-24
EP2005700B1 (en) 2012-08-29
US9712517B2 (en) 2017-07-18
US20150319163A1 (en) 2015-11-05
CN101422012B (en) 2016-05-18

Legal Events

Date Code Title Description
AS Assignment

Owner name: UNIFY GMBH & CO. KG, GERMANY

Free format text: CHANGE OF NAME;ASSIGNOR:SIEMENS ENTERPRISE COMMUNICATIONS GMBH & CO. KG;REEL/FRAME:034537/0869

Effective date: 20131021

AS Assignment

Owner name: SIEMENS ENTERPRISE COMMUNICATIONS GMBH & CO. KG, G

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BAHR, MICHAEL;SCHWINGENSCHLOGL, CHRISTIAN, DR.;SIGNING DATES FROM 20080915 TO 20080929;REEL/FRAME:035465/0922

STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION