(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(19) World Intellectual Property Organization
International Bureau

(43) International Publication Date: 15 November 2001 (15.11.2001)

(10) International Publication Number: WO 01/86906 A2

(51) International Patent Classification7: H04L 29/06, 12/46

(21) International Application Number: PCT/CA01/00675

(22) International Filing Date: 14 May 2001 (14.05.2001)

(25) Filing Language: English

(26) Publication Language: English

(30) Priority Data: 2,308,261, 12 May 2000 (12.05.2000), CA

(71) Applicant (for all designated States except US): SOLUTIONINC LIMITED [CA/CA]; 1969 Upper Water Street, Suite 1506, Purdy's Wharf, Tower II, Halifax, Nova Scotia B3J 3R7 (CA).

(72) Inventors; and
(75) Inventors/Applicants (for US only): WILSON, Tim [CA/CA]; c/o SolutionInc Limited, Suite 1506, 1969 Upper Water Street, Purdy's Wharf, Tower II, Halifax, Nova Scotia B3J 3R7 (CA). THOMPSON, Michael [CA/CA]; c/o SolutionInc Limited, Suite 1506, 1969 Upper Water Street, Purdy's Wharf, Tower II, Halifax, Nova Scotia B3J 3R7 (CA).

(74) Agents: O'NEILL, Gary et al.; Gowling Lafleur Henderson LLP, Suite 2600, 160 Elgin Street, Ottawa, Ontario K1P 1C3 (CA).

(81) Designated States (national): AE, AG, AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CO, CR, CU, CZ, DE, DK, DM, DZ, EC, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TR, TT, TZ, UA, UG, US, UZ, VN, YU, ZA, ZW.

(84) Designated States (regional): ARIPO patent (GH, GM, KE, LS, MW, MZ, SD, SL, SZ, TZ, UG, ZW), Eurasian

[Continued on next page]

(54) Title: SERVER AND METHOD FOR PROVIDING SPECIFIC NETWORK SERVICES

[Figure: network diagram showing the Internet, Router 910, VBN Server 901 (SNMP, CGI script), core switch S0 and leaf switches joined by tagged links, and clients C1 to C5 on untagged ports in VLAN n, VLAN m and VLAN k.]

(57) Abstract: A server and method is provided to provide a specific service to network users. The server and method automatically provide user-to-server security using VLANs. The server manages VLAN based on the request from a user for creating/deleting/joining/leaving VLANs. The server allows user to control groupings and overcomes the VLAN limit with the filtering policies on the switching infrastructure. In the second aspect of invention, the server and method provide a specific address based on requests from users. The server dynamically handles the management and facilitation of the requests. The server offers users reassignment of IP addresses from a first set of characteristics to a second set of characteristics with minimal user intervention. This allows users the ability to run a broader range of protocols. In the third aspect of invention, the server and method is provided to provide a mutable IP address to a remote computer. The server allows pools of mutable addresses to be maintained on one or more remote servers. The server can solve the shortage of the mutable IP addresses.

Exhibit 2002
IPR2015-00974

patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE, TR), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG).

For two-letter codes and other abbreviations, refer to the "Guidance Notes on Codes and Abbreviations" appearing at the beginning of each regular issue of the PCT Gazette.

Published:
without international search report and to be republished upon receipt of that report

WO 01/86906    PCT/CA01/00675

Server and Method For Providing Specific Network Services

Field of the Invention

This invention relates to an Internet access server such as described in U.S. Application Serial No. 09/742,006, filed December 22, 2000, the contents of which are incorporated herein by reference. The preferred embodiment of the Internet access server described in U.S. Application Serial No. 09/742,006 will be referred to herein as the SolutionIP server.

Background of the Invention

Local Area Networks (LANs) are data communication networks that span a physically limited area. LANs allow users to have shared access to many common resources, such as files, printers, or other communication devices. The concept of shared access to resources is central to the LAN philosophy.

Security, on the other hand, in traditional LANs is a major problem. For instance, in broadcast networks, everyone can see every packet on the network. Therefore, without the use of Virtual Local Area Networks (VLANs), it is possible for users on the system to see network traffic from or destined for other users. This presents a security problem for the system and its users.

A VLAN is a logical subgroup within a Local Area Network that offers an effective solution to the LAN's problems. The major features of VLANs are flexible network segmentation and enhanced network security.

However, when VLANs are used for security and group collaboration, generally they have to be manually configured ahead of time, on switching hardware. Furthermore, there is a finite number of VLANs that the switching hierarchy can support and this physical limitation on the number of VLANs supported may be an issue.

In addition, some network protocols require fully routable Internet Protocol (IP) addresses to function (e.g. tunnelling protocols including Virtual Private Networks (VPNs)). Typically a user requesting a dynamic IP address can be given either a routable or non-routable IP address depending upon the configuration of the Dynamic Host Configuration Protocol (DHCP) server on that network.

Since in a traditional network, dynamic switching from non-routable to routable IP address is not handled by the server, users are left to their own devices if they require a routable IP address, but were served a non-routable IP address.

Summary of the Invention

It is an object of the present invention to overcome one or more of the problems cited above. A first aspect of the present invention is directed to a server and method for interpreting and processing VLAN tags coupled with server communication with the switching infrastructure for VLAN management.

A method according to the present invention for automatically providing enhanced and secure access to a group of users initiated by a non-technically trained user on a computer network without the intervention of information systems personnel includes the steps of receiving a request from a user to establish the group of users; configuring a network infrastructure to support the group; providing a group identifier; allowing users to join the group according to the group identifier; further configuring the network infrastructure to support the joining users; and dissolving the group based on predetermined rules.

A server according to the present invention provides enhanced and secure access to a group of users initiated by a non-technically trained user on a computer network without the intervention of information systems personnel and includes a registration module to receive a request including a group identifier from the user; a registration driver to register the user to access the group of users, assign the group of users and maintain registration information and state information of a network infrastructure associated with the group of users; a module to assign VLAN tags based on registration status; and a packet driver module to insert/remove VLAN tags from packets based on registration status.

According to the aforementioned invention, user-to-server security is automatically provided using VLANs whose management is automated by the server. The server facilitates user initiated group collaboration by placing users requesting the service in the same VLAN. Additionally, VLAN limits can be overcome through creative use of the filtering policies on the switching infrastructure.

User-to-server security can be further provided by placing each individual user into a separate VLAN. The server's automation and management of VLAN creation/deletion facilitates this process, which allows a user to control groupings of users into common VLANs (i.e. group collaboration). Further, the filtering policies implemented on the switches allow users to utilize a broad range of VLANs.

Another aspect of the present invention is directed to a server and method for dynamically providing an address according to users' requests.

A method according to the present invention for dynamically managing pools of IP addresses on a computer network with different characteristics and moving a user from pool to pool as required includes the steps of maintaining a registry of user records and associated sets of characteristics; further maintaining a registry of IP address pools with associated sets of characteristics; receiving a request from a user to switch from a first set of characteristics to a second set of characteristics; modifying the user record in the registry so that the set of characteristics associated with the user matches the second set of characteristics; and assigning an IP address to the user from the IP address pool associated with the second set of characteristics.

A server according to the present invention dynamically manages pools of IP addresses on a computer network with different characteristics and moves a user from pool to pool as required, and includes a module to receive a request from a user to switch from a first set of characteristics to a second set of characteristics; a registration driver to register the user and assign an IP address to the user from IP address pools associated with the second set of characteristics, and maintain a registry of user records, associated sets of characteristics and IP address pools with associated sets of characteristics; and a DHCP module to issue an address switching request to the registration driver and receive IP addresses from the registration driver and allocate IP addresses to users.

According to the aforementioned invention, the server dynamically handles the management and facilitation of the requests. The server offers users reassignment of IP addresses from a first set of characteristics to a second set of characteristics with minimal user intervention. This allows users the ability to run a broader range of protocols.

Another aspect of the present invention is directed to a server and method for providing a routable IP address to a remote computer.

A method according to the present invention for providing a routable IP address to a remote computer includes the steps of providing a pool of routable IP addresses on a server; receiving at the server a request from the remote computer to establish an IP tunnel between the remote computer and the server; establishing an IP tunnel between the remote computer and the server; further receiving a request from the remote computer through the tunnel for the routable IP address from the server; and further providing the routable IP address to the remote computer from the server through the tunnel.

A server according to the present invention provides a routable IP address to a remote computer, and includes a module to receive a request from the remote computer through a tunnel for the routable IP address; a registration driver to assign the routable IP address to the remote computer from a pool of routable IP addresses and establish an IP tunnel; and a DHCP module to provide the routable IP address to the remote computer through the tunnel.

According to the aforementioned invention, the server allows pools of routable addresses to be maintained on one or more remote servers. The server can solve the shortage of the IP routable addresses.

Brief Description of the Drawings

FIG. 1 shows an example of a system structure of a first embodiment of the present invention.

FIG. 2 shows an example of the core components and interactions of the VBN server according to the first embodiment.

FIG. 3 shows an example of Registration processing according to the first embodiment.

FIG. 4 shows an example of VLAN Group Administration (Create VLAN Group) processing according to the first embodiment.

FIG. 5 shows an example of VLAN Group Administration (Show VLAN Group) processing according to the first embodiment.

FIG. 6 shows an example of VLAN Group Administration (Delete VLAN Group) processing according to the first embodiment.

FIG. 7 is a pictorial representation of a typical server connection in a hotel environment.

FIG. 8 shows a functional block diagram of Fig. 7.

FIG. 9 shows an example of the core components and interactions of the server shown in Fig. 7.

FIG. 10 shows an example of DHCP request processing.

FIG. 11 shows an example of ARP request processing.

FIG. 12 shows an example of unregistered HTTP request processing.

FIG. 13 shows an example of registered HTTP request processing.

FIG. 14 shows billing components and interactions.

FIG. 15 shows an example of the VBN Server 1000 according to the first embodiment.

FIG. 16 shows an example of the components and interactions of the VBN Server 1100 according to a second embodiment.

FIG. 17 shows an example of Registration processing according to the second embodiment.

FIG. 18 shows an example of the relation between RealIP Server and VBN Server according to the second embodiment.

FIG. 19 shows a system architecture of a third embodiment.

FIG. 20 shows a scenario for Standard Internet Service Registration in the structure shown in Fig. 19.

FIG. 21 shows a scenario for Premium Internet Service Registration in the structure shown in Fig. 19.

FIG. 22 shows a scenario for Create VLAN Group in the structure shown in Fig. 19.

FIG. 23 shows a scenario for VLAN Group Service Registration in the structure shown in Fig. 19.

Description of the Preferred Embodiments

The detailed description of the invention is set out below, including a description of the best mode of implementing the invention. The description is carried out with reference to the drawings.

The invention is referred to from time to time by its trade-mark and means the server and/or other aspects of the invention as the context may dictate. This invention is useful in multi-unit buildings whether used as offices, apartments and/or for hotels or similar accommodation buildings. It is also advantageous to use the invention in seminar rooms, boardrooms, training rooms and like areas where users wish to access the network from the room.

First Embodiment

A VLAN implementation system according to a first embodiment will be described in detail with reference to the drawings.

The main features of the VLAN implementation system are as follows:

• processing of VLAN tags by the Internet access server.
• switch filtering policies that enable one to effectively bypass the physical limit on the number of VLANs capable of being deployed on the switching infrastructure.
• provision of secure collaborative workgroups.

VLAN enabling of the server of the first embodiment allows the processing of VLAN tags and various VLAN services such as: create VLAN, show VLAN, join VLAN, leave VLAN and delete VLAN.

INTERACTIVE VIRTUAL LOCAL NETWORK (IVLAN)

A preferred embodiment of the first aspect of the invention will be referred to herein as an Interactive Virtual Local Area Network (IVLAN).

IVLAN is a communications technology that enables devices communicating with the TCP/IP protocol (the communications protocol of the Internet) to gain secure private and group access to any foreign TCP/IP network that has IVLAN installed. A foreign TCP/IP network which allows access on a temporary basis is often termed a Visitor Based Network (VBN), and is typically composed of core and leaf switches which route messages to and from client devices.

A Virtual Local Area Network (VLAN) is typically established on the network of switches to facilitate message traffic. This technology allows for all clients of the VBN to communicate with each other and any services available via the VBN Gateway. The capability for clients to communicate with each other is often suppressed on VBNs due to security considerations; for example, while guests at a hotel may wish to share data with some other guests, it would be considered unacceptable to share that data with every hotel guest registered with the hotel VBN. Since VLAN creation and maintenance must typically be performed manually by a network administrator, most VBN systems will include at most one VLAN.

OVERVIEW

The IVLAN technology of the first embodiment allows for the dynamic creation of secure VLANs interactively by registered users of a VBN. The user (client) may create a VLAN group and grant access to other registered users on a group name/password basis. IVLAN also allows for registered users to access VBN Gateway service via a secure private VLAN in which no other user may participate.

IVLAN also allows the client who creates a VLAN Group (referred to as administrator) to delete the created VLAN. IVLAN executes on a variety of operating systems. The preferred embodiment is based on a Linux operating system.

The VLAN implementation system comprises:

1. IEEE (Institute of Electrical and Electronics Engineers) 802.1Q Compliant core switch;
2. IEEE 802.1Q Compliant leaf switches;
3. Custom built Simple Network Manager (SNM);
4. Common Gateway Interface (CGI) Components accessed via HTML (Hypertext Meta Language) pages;
5. Registration Device Driver incorporated into the Linux kernel; and
6. Modified Linux kernel Packet Driver.

IEEE 802.1Q is a standard for providing VLAN identification. The IEEE 802.1Q standard provides for the capability to add a "Q-Tag" to an Ethernet frame of a message packet. Information for VLAN identification is added to the frame as a part of the Q-Tag. VLANs are implemented within the switched infrastructure by using Q-Tags.

The following paragraphs describe in more detail the technology encapsulated by IVLAN in the creation, maintenance, and use of VLANs.

An example of a VBN utilizing IVLAN is shown in Fig. 1. Referring to Fig. 1, the VLAN implementation system comprises VBN Server 901, core switch S0 and leaf switches S1 and S2. Clients C1 and C2 connect to the leaf switch S1 and Clients C3, C4 and C5 connect to the leaf switch S2. The leaf switches connect the clients to the core switch S0. The VBN server 901 is an Internet access server. The clients may access the Internet 909 via Router 910 connected to the VBN Server 901.

Each port of the leaf switch can be assigned to at least one VLAN. Client ports are only assigned one VLAN ID and that is the ID that they tag untagged client traffic with. Switch interconnect ports are tagged with every VLAN defined on that switch to allow VLAN traffic to traverse the switch infrastructure. In Fig. 1, the clients are segmented into VLAN k, VLAN n and VLAN m regardless of physical location. For example, in the leaf switch S1, one port is assigned to VLAN n and another port is assigned to VLAN m. In the leaf switch S2, one port is assigned to VLAN k and another is assigned to VLAN k and VLAN m.

The client C3 (an administrator) creates a VLAN group (VLAN m) via the VBN Server 901. The clients C2 and C3 are registered to join "VLAN m". Group access allows users to share files, printers, CD-ROMs and so on in a secure and closed environment.

The core switch S0 forwards or filters traffic based on the VLAN identification specified in the Q-Tag. On the Core switch, the packet filter enables group collaboration access by forwarding packets to all uplink ports (connections to the leaf switches) that are defined as members of the same VLAN.

It is noted that the untagged packet is used to communicate between the VBN Server 901 and the Router 910 and between the client and the corresponding leaf switch. Between the VBN Server 901 and the core-leaf switches, the packet is tagged (Q-tag is inserted) or untagged based on client port configuration.

COMPONENTS AND INTERACTIONS OF THE VBN SERVER

Fig. 2 shows the breakdown of the core components of the invention and their interactions according to the first embodiment. The VBN Server 901 connects the core switch and the Internet 909 via the internal interface 907 and the exterior interface 908 respectively.

REGISTRATION DEVICE DRIVER (sometimes referred to as Soln Device)

The Registration Device Driver 904 is a pseudo driver in that it is not actually associated with any physical device. The Registration Device Driver 904 manages the assignment of appropriate VLAN IDs for a given registration request.

The Registration Device Driver 904 maintains the following information:

• registration information including:
  1. the VLAN ID associated with the user;
  2. the switch and port the user is connecting on; and
  3. the VLAN group information for the user.
• driver state information including:
  1. The state information on the switches to manage the switch configuration changes; and
  2. The state information for the VLAN groups.

PACKET DRIVER

The Packet Driver 903 has enhanced functionality over the standard Linux protocol handlers at the point where the generic packet handlers interface with the hardware specific Ethernet drivers.

The Packet Driver 903 handles:

• the reception of Q-tagged packets (replacing the Q-Tag header with a standard Ethernet header and recording the tag the packet arrived with in the registration entry for that Media Access Control (MAC)); and
• the transmission of Q-tagged packets where appropriate (replacing the standard Ethernet header with a Q-Tag header, using the appropriate tag).

Broadcast packets destined for the internal network are treated specially: if appropriate, a copy of the tagged packet is sent to each known VLAN (Q-Tag), and an untagged packet is sent as well. The replication of broadcast packets is to ensure that the packet is received by all systems regardless of their VLAN.
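
The receive, transmit and broadcast handling described above, written out as an added C example (not code from the patent or from SolutionInc). The registration table layout, the function names and the rule that an entry is created the first time a source MAC is seen are assumptions; the sample frames are constructed.

```c
/* Added example, not code from the patent; all names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN   14          /* dst(6) + src(6) + EtherType(2) */
#define QTAG_LEN   4           /* TPID(2) + TCI(2) */
#define TPID_8021Q 0x8100u
#define MAX_REG    16          /* bounded, so spoofed MACs cannot grow it */
#define TYPE_AT(f) ((uint16_t)(((f)[12] << 8) | (f)[13]))

struct reg_entry { uint8_t mac[6]; uint16_t vid; int in_use; }; /* vid 0: untagged */
static struct reg_entry reg_table[MAX_REG];

static struct reg_entry *reg_lookup(const uint8_t *mac, int create)
{
    struct reg_entry *spare = NULL;
    for (int i = 0; i < MAX_REG; i++) {
        if (reg_table[i].in_use && memcmp(reg_table[i].mac, mac, 6) == 0)
            return &reg_table[i];
        if (!reg_table[i].in_use && spare == NULL) spare = &reg_table[i];
    }
    if (!create || spare == NULL) return NULL;
    memcpy(spare->mac, mac, 6);
    spare->in_use = 1;
    return spare;
}

/* Receive: swap a Q-Tag header for a standard Ethernet header in place and record
 * the arriving VLAN ID for the source MAC. Returns new length, -1 if rejected. */
long qtag_strip(uint8_t *frame, size_t len)
{
    uint16_t vid = 0;
    if (len < ETH_HLEN) return -1;
    if (TYPE_AT(frame) == TPID_8021Q) {
        if (len < ETH_HLEN + QTAG_LEN) return -1;      /* truncated tag */
        vid = (uint16_t)(((frame[14] << 8) | frame[15]) & 0x0FFF);
        if (vid == 0x0FFF) return -1;                  /* reserved by 802.1Q */
        memmove(frame + 12, frame + 16, len - 16);
        len -= QTAG_LEN;
    }
    struct reg_entry *e = reg_lookup(frame + 6, 1);
    if (e == NULL) return -1;                          /* table full */
    e->vid = vid;
    return (long)len;
}

/* Transmit: insert a Q-Tag for the destination's registered VLAN, if any; cap is
 * the buffer size. Returns new length, -1 if truncated, already tagged or too big. */
long qtag_insert(uint8_t *frame, size_t len, size_t cap)
{
    if (len < ETH_HLEN || TYPE_AT(frame) == TPID_8021Q) return -1;
    struct reg_entry *e = reg_lookup(frame, 0);
    if (e == NULL || e->vid == 0) return (long)len;    /* unknown or untagged client */
    if (len + QTAG_LEN > cap) return -1;
    memmove(frame + 16, frame + 12, len - 12);
    frame[12] = TPID_8021Q >> 8;
    frame[13] = TPID_8021Q & 0xFF;
    frame[14] = (uint8_t)(e->vid >> 8);                /* priority bits left at 0 */
    frame[15] = (uint8_t)(e->vid & 0xFF);
    return (long)(len + QTAG_LEN);
}

/* Broadcast: collect the distinct VLAN IDs that each need one tagged copy;
 * the caller also sends one untagged copy. Returns how many were written. */
size_t broadcast_vids(uint16_t *out, size_t max)
{
    size_t n = 0;
    for (int i = 0; i < MAX_REG; i++) {
        size_t j = 0;
        if (!reg_table[i].in_use || reg_table[i].vid == 0) continue;
        while (j < n && out[j] != reg_table[i].vid) j++;
        if (j == n && n < max) out[n++] = reg_table[i].vid;
    }
    return n;
}

/* Constructed samples: a tagged frame from a client in VLAN 30, then a reply to it. */
static uint8_t sample_rx[64] = { 2,0,0,0,0,0x01, 2,0,0,0,0,0xc3,
    0x81,0x00, 0x00,0x1e, 0x08,0x00, 0xde,0xad,0xbe,0xef };
static uint8_t sample_tx[64] = { 2,0,0,0,0,0xc3, 2,0,0,0,0,0x01,
    0x08,0x00, 0xca,0xfe };

int main(void)
{
    uint16_t vids[MAX_REG];
    printf("rx length after strip: %ld\n", qtag_strip(sample_rx, 22));
    printf("tx length after insert: %ld\n", qtag_insert(sample_tx, 16, sizeof sample_tx));
    printf("VLANs needing a broadcast copy: %zu\n", broadcast_vids(vids, MAX_REG));
    return 0;
}
```

Because the recorded VLAN ID comes from the tag on the arriving frame, the mapping is only as trustworthy as the switch ports that apply the tags.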

REGISTRATION WEB SERVER

The Registration WEB Server 914 is a WEB Server that serves local content for the VBN server 901. This includes the Registration WEB pages, the Administration WEB pages and Configuration WEB pages.

The Registration WEB page serves as a client's gateway to the services provided by the VBN Server 901. The Registration page offers the clients the opportunity to register for access to the Internet 910, to sign-up for group VLAN access, to create a VLAN group and so on. If the user elects to sign-up for an existing VLAN group, the user will enter the group name and password that will be checked against a database. If the user elects to create a VLAN group, they will be asked to provide a group name and password that will be stored in the database. The component which checks the group name and password against the database is referred to as Authenticator.

These various servers may be hardware or software implemented.

Solsnmpd

Solsnmpd 905 uses a proprietary protocol to accept requests and return results. This daemon handles communications with switches and other network devices on the client network using Simple Network Management Protocol (SNMP). Solsnmpd 905 enables creating new VLANs on switches, deleting VLANs from switches, adding and removing ports from VLANs and so on. The Switch Commander is the functionality within the Solsnmpd which performs all VLAN operations. More specifically, the Switch Commander maintains the VLAN definitions on the switches.

THE FUNCTION OF THE VBN SERVER

IVLAN client registration is performed via an HTML interface, where a client may interactively select to create a private VLAN, a group VLAN, or to join an existing group VLAN. If a client registers for access to Internet services available from the VBN Gateway, a private VLAN is established using the core-leaf switch mechanism for the use of the client user.

Alternatively, the client may register to administer a Group VLAN by supplying a VLAN group name and password that other clients may use to gain access to the Group VLAN. The group name and password are recorded by the CGI components that underlie the IVLAN VBN Registration HTML pages. Other clients may indicate upon registration for VBN services that they wish to join an existing Group VLAN by providing the group name and password for authentication.

During the registration process, the CGI components communicate with Solsnmpd through Command Line Daemon (or Soln Daemon) described below which executes on the VBN Server 901. The Solsnmpd process issues SNMP commands to create both private and group VLANs on the core-leaf switch system. Communication ports of the core-leaf switch system are assigned as necessary to the created VLANs as clients register for access.

Private and Group VLANs may co-exist within the VBN due to the ability to tag message packets as they flow through the routing system. As mentioned above, the IEEE 802.1Q standard provides for capability to include a Q-Tag as part of the Ethernet frame of a message packet. The VBN Server 901 manages the addition and removal of Q-Tags for the message traffic of the clients, which need not necessarily contain 802.1Q compliant Network Interface Card (NIC) hardware. The CGI components obtain a Q-Tag generation ID from the Registration Device Driver 904 of the VBN Server 901 during the registration process for the purpose of VLAN creation. The VLAN is created as a final activity of the registration process.

For a private VLAN, utilized for VBN Gateway access, Ethernet frames will be tagged and untagged as part of the packet routing through the core-leaf switch system. When a message is transmitted by a client, the message is untagged. The leaf switch to which the client is connected will insert a Q-Tag in the Ethernet frame before it is routed to the core switch. The message packet is routed through the core switch to the VBN Server 901, where the Q-Tag is stripped from the Ethernet frame by the Packet Driver 903 which executes as part of the VBN Server kernel. The Packet Driver 903 of the VBN Server 901 also inserts Q-Tags into the Ethernet frames of incoming message packets destined for the client. The mapping between client and Q-Tags is based on the client's registration state information.

For a Group VLAN, Ethernet Frames may or may not be tagged as part of the routing of the packet through the system. If all clients belonging to the VLAN are physically connected to the same leaf switch, no Q-Tags need be inserted in the Ethernet frame of the packets. Whether tags are inserted or not in this instance is dependent on the implementation of the given switch, and is not relevant to the operation of IVLAN. However, if clients are connected to different leaf switches within the system, the packets must be routed through the core switch connected to each leaf switch. In this instance, the Ethernet frames will be tagged before leaving the source leaf switch, and untagged before leaving the destination leaf switch. In Fig. 1, as the clients C2, C3 and C4 belonging to VLAN m are physically connected to the different switches, the tagged packet is used for communication between the VBN Server 901 and the clients C2, C3 and C4.

Both private and group VLANs are de-assigned from the communication ports of the switching system at the expiry of the user registration lease. The expiration of the registration is managed by the Registration Device Driver 904.

It is noted that "VLAN ID" or "VLID" is synonymous with a Q-Tag ID (identification).

REGISTRATION PROCESS - JOIN VLAN GROUP SERVICE

Fig. 3 shows the registration process for join VLAN Group Service. The Registration Driver corresponds to the Registration Device Driver 904 in Fig. 1. The VBN Web Server 914A and the Authenticator 914B correspond to the Registration WEB Server 914 in Fig. 2.

Step s1: The Client/Browser 915 sends data including room number, registration type (VLAN group), group name and access password to VBN Web Server 914A.

Step s2: The VBN Web Server 914A passes data to the Registration Driver 904.

Step s3: If the user's startup parameters are invalid, the event will be logged for diagnostic purposes.

Step s4: If the user's startup parameters are valid, VLAN group name and password are sent to the Authenticator 914B for validation.

Step s5: The Authenticator 914B queries the IP Billing database 920 to determine if the VLAN group name and password match.

Step s6: If a match occurred, the Authenticator 914B will send an authenticated response to the Registration Driver 904.

Step s7: Upon receiving the authenticated response, the Registration Driver 904 will send an "Add Port to VLAN Group" request to the Switch Commander 917. The request will specify the VLAN ID assigned to the group, and the switch and port to be added to the VLAN.

Step s8: On command completion, the Switch Commander 917 will report command status to the Registration Driver 904.

Step s9: If the command is successful, the Registration Driver 904 will register the user by sending the port and registration type to the IP Billing database 920.

Step s10: Registration status is returned to the VBN Web Server 914A.
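
Steps s1 to s10 as an added C example (not code from the patent): the Registration Driver changes switch state only after the Authenticator accepts the group name and password, and records the registration only after the Switch Commander reports success. The in-memory tables standing in for the IP Billing database and the switches, the status codes and all names are assumptions, and the sample group is constructed.

```c
/* Added example, not code from the patent; names and sample data are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum join_status { JOIN_OK, JOIN_BAD_PARAMS, JOIN_AUTH_FAILED, JOIN_SWITCH_FAILED };

#define NSWITCH 3
#define NPORT   8

struct vlan_group   { const char *name, *password; uint16_t vid; };
struct registration { int sw, port; uint16_t vid; int registered; };

/* Constructed stand-in for the group records the Authenticator queries. */
static const struct vlan_group groups[] = { { "teamroom", "example-pass", 30 } };
/* Constructed stand-in for the switch state the Switch Commander maintains. */
static uint16_t port_vlan[NSWITCH][NPORT];       /* 0 = port not in a group VLAN */
static int switch_reachable[NSWITCH] = { 1, 1, 1 };

/* Steps s4 to s6: look the group up and check the access password. */
static const struct vlan_group *authenticate(const char *name, const char *pw)
{
    for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++)
        if (strcmp(groups[i].name, name) == 0 && strcmp(groups[i].password, pw) == 0)
            return &groups[i];
    return NULL;
}

/* Steps s7 and s8: "Add Port to VLAN Group", returning the command status. */
static int switch_add_port(int sw, int port, uint16_t vid)
{
    if (!switch_reachable[sw])
        return -1;
    port_vlan[sw][port] = vid;
    return 0;
}

/* Steps s2 to s10 as seen from the Registration Driver. reg->sw and reg->port
 * identify the switch and port the client is connecting on. */
enum join_status join_vlan_group(struct registration *reg, const char *name,
                                 const char *pw)
{
    if (reg == NULL || name == NULL || pw == NULL || name[0] == '\0' ||
        reg->sw < 0 || reg->sw >= NSWITCH || reg->port < 0 || reg->port >= NPORT) {
        fprintf(stderr, "join: invalid startup parameters\n");    /* step s3 */
        return JOIN_BAD_PARAMS;
    }
    const struct vlan_group *g = authenticate(name, pw);
    if (g == NULL)
        return JOIN_AUTH_FAILED;           /* switch state is never touched */
    if (switch_add_port(reg->sw, reg->port, g->vid) != 0)
        return JOIN_SWITCH_FAILED;         /* client stays unregistered */
    reg->vid = g->vid;                     /* step s9: record the registration */
    reg->registered = 1;
    return JOIN_OK;                        /* step s10: status back to the web server */
}

int main(void)
{
    struct registration c2 = { 1, 4, 0, 0 };      /* constructed: switch 1, port 4 */
    printf("wrong password -> %d\n", join_vlan_group(&c2, "teamroom", "guess"));
    printf("right password -> %d\n", join_vlan_group(&c2, "teamroom", "example-pass"));
    printf("port VLAN now %u\n", (unsigned)port_vlan[1][4]);
    return 0;
}
```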

All client traffic originated or relayed by the VBN server will have the appropriate Q-Tag inserted, if applicable, by the Packet Driver based on their registration status before being passed through the socket interface 918 and on to the switching infrastructure 919.

VLAN GROUP ADMINISTRATION - CREATE VLAN GROUP

Fig. 4 shows the process for creating the VLAN Group.

Step s21: The Client/Browser 915 sends data including room number, group administration command (Create VLAN Group), group name, administration password, usage period, and user access password to VBN Web Server 914A.

Step s22: The VBN Web Server 914A passes data to the Registration Driver 904.

Step s23: The Registration Driver 904 will send two command requests to the Switch Commander 917. The first command will create a unique VLAN group definition. The second will add the administrator's port to the VLAN definition.

Step s24: For each command completion, the Switch Commander 917 will report command status to the Registration Driver 904.

Step s25: If the commands
