WO2007000493A1 - Data compression arrangement - Google Patents

Data compression arrangement

Publication number
WO2007000493A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
data
compression
server
data compression
Prior art date
Application number
PCT/FI2006/050282
Other languages
English (en)
French (fr)
Inventor
Mika Honkanen
Mika Leivo
Juha-Matti Liukkonen
Timo METSÄLÄ
Original Assignee
Ascia Oy
Priority date
Filing date
Publication date
Application filed by Ascia Oy
Publication of WO2007000493A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/24: Negotiation of communication capabilities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90: Details of database functions independent of the retrieved data types
    • G06F16/95: Retrieval from the web
    • G06F16/957: Browsing optimisation, e.g. caching or content distillation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/2866: Architectures; Arrangements
    • H04L67/30: Profiles
    • H04L67/306: User profiles
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/04: Protocols for data compression, e.g. ROHC

Definitions

  • the invention relates to communications systems, and particularly to data compression.
  • the Internet is a global network of networks of computers. Nodes in the Internet may include routers, gateways and hosts. At the edge of the Internet, there are hosts, end devices, which provide the services and facilities used by other applications and hosts. Typically, a client-server protocol is used between the networked hosts in which one computer (the client) requests the services of the other (the server).
  • the end devices may include, for example, large mainframe computers, personal computers (PCs), laptops, palmtops, personal digital assistants, (PDAs), mobile phones, etc.
  • Routers are machines that forward packets between other machines
  • gateways are machines that are typically situated on the boundary between two networks to allow communications to pass between the networks.
  • WWW World Wide Web
  • a WWW page is an information entity based, for example, on an hypertext markup language (HTML) file or Java file in the Web that can be reproduced with the user's web browser.
  • HTML hypertext markup language
  • a web page can contain text, images, animations, sound, moving video images and hypertext links to other web pages.
  • the client device is connected to the Internet through an access network.
  • the access network could be any one of many possibilities, including wire-line alternatives like telephone-line modem dial-up, cable modem, or Digital Subscriber Line (DSL). It could also be one of the wireless alternatives, such as wireless LAN and digital mobile networks, such as GPRS that is an enhanced packet service added to GSM systems.
  • Wire-line modem dial-up provides a relatively low rate connection (up to 56 kbs) which has become insufficient for the increasing data volumes downloaded from the Internet.
  • This problem has been alleviated with a utility program provided both in the client device and the server to compress the data content transferred therebetween.
  • Cable modem and DSL, such as Asymmetric DSL, can provide a high speed, always-on access to the Internet from user's home or business telephone line. Similar broadband always-on Internet access is also available through local area networks. The broadband access has made the data compression less important for the wire-line users.
  • a mobile user uses a mobile communications network as an access network.
  • the data rate in mobile communications networks is relatively low, comparable with the modem dial-up connection in wire-line access networks.
  • the basic user data rate is 9,6 kbs, which can be increased up to 56 kbs by means of high-speed multi-channel techniques.
  • Charge of mobile data transmission depends on the transmission rate employed and/or data volume transferred.
  • data compression in a wireless mobile internet access would offer both performance and monetary advantages. For example, with gzip compression, the reduction in the transferred data volume would be 20-65 % depending on the nature of data material.
  • HTTP 1.1 hypertext transfer protocol
  • HTTP 1.1 allows compressing the data transmitted to a web browser, and the majority of web browsers are able to handle compressed data.
  • Some web servers support the compression feature, but the activation of the feature is server-specific.
  • this feature is not in use in a server, and therefore an insignificant portion of the data traffic in the Internet is compressed today. Compression in servers is not preferred for capacity and performance reasons: the compression would slow the operation of the server. Consequently, the present situation is not optimal from the point of view of utilizing the features of servers and browsers, and no extensive solution is in view due to the variety of server and browser techniques.
  • One approach could be a proxy server that compresses all passing traffic in direction to a browser.
  • An object of the invention is to provide an alternative way to provide data compression for a low-rate connection.
  • the invention is based on the idea of implementing the selective compression in a server device which also controls access of the client devices to the application servers, such that upon observing a given connection as a low-rate connection based on identification of the user or the user type, the server activates data compression for the observed low-rate connection.
  • the server device may be arranged to activate data compression for users of a mobile communications system, and to not activate data compression for users of a broadband wire-line communications system.
  • the invention makes it possible to selectively apply compression to a specific browser of a specific user, so that only traffic transferred over low-rate connections is compressed.
  • the invention also allows a user to change his/her compression settings.
  • the invention further allows customized compression policy for a group of users, such as personnel of a company, and/or for certain type of users, such as mobile users.
  • the compression policy may be defined to optimize the amount of data transferred, and thereby the traffic cost, as an additional advantage to the higher effective data rate.
  • Figure 1 is a block diagram showing an example of an arrangement according to the present invention
  • Figures 2 and 3 depict scenarios where the access control server is used to perform access control on a web server.
  • IPv4 Internet Protocol version 4, defined in http://www.ietf.org/rfc/rfc791.txt
  • IPv6 Internet Protocol version 6, defined in http://www.ietf.org/rfc/rfc2460.txt
  • VLAN Virtual LAN A method of multiplexing several independent virtual
  • DHCP Dynamic Host Configuration Protocol, defined in http://www.ietf.org/rfc/rfc2131.txt and http://www.ietf.org/rfc/rfc2132.txt.
  • HTTPS Secure HTTP or HTTP over SSL, defined in http://www.ietf.org/rfc/rfc2660.txt
  • URL Uniform Resource Locator Defines a protocol, address, parameters triple. See http://www.ietf.org/rfc/rfc2616.txt
  • Cookie A mechanism for storing server or transaction state in a HTTP client application, defined in http://www.ietf.org/rfc/rfc2109.txt.
  • NTP Network Time Protocol.
  • ASN.1 Abstract Syntax Notation One. An abstract language for describing messages exchanged between distributed computing systems.
  • FIG. 1 shows an example of a communication arrangement which contains an access control server device 10 implementing the present invention.
  • the authentication is distributed to a separate login server 11 but all login functions may also be built in the access server 10.
  • the access control server 10 may be an HTTP proxy that can be used to implement access control into one or several web applications 17 and 18, and/or to non-web applications 8 and 9.
  • the access control server 10 may be implemented by a computer program designed to be run on most PC-compatible hardware, supporting tagged VLAN, IPv4, IPSEC, and a selected set of network adapters.
  • Example of a hardware is a PC-compatible computer equipped with an IDE hard disk, 16 MB or more of memory, and a 386 or compatible CPU.
  • a common control unit 103 in Figure 1 represents various intelligent features of the server 10 described below.
  • Main features of the access control server 10 may include remote control via a simple network protocol, transparent HTTP proxying with URL rewrite, SSL acceleration, pluggable authentication modules, and embedded IP firewall and routing functionality.
  • Multiple access control servers can be connected together to form a transparently load-balancing, fault-tolerant cluster.
  • the access control server 10 may perform access control on HTTP/HTTPS protocols by using embedded authentication tokens in the requests, or on arbitrary TCP/IP connections based on IP addresses by using its IP firewall functionality.
  • the access control server 10 may be controlled via a simple remote control protocol. The protocol is used to register authorized users, and configure the behaviour of the authentication engine on a per-session basis.
  • the access control server 10 may include a HTTP/HTTPS authenticator that may support the HTTP/1.1 protocol, HTTP session management extensions, SSLv2, SSLv3, and TLS/1.0.
  • the HTTP/HTTPS authenticator may offer rich services for virtual server configuration and redirection.
  • the authenticator may map requests for different URLs in one virtual server to configurable locations in multiple target servers.
  • a virtual host defines a public name under which the access control server 10 is seen from the public network. This typically requires a valid address-name mapping to exist in the public DNS. When requests for this public name are received, the access control server 10 authenticates and serves them according to the virtual host configuration 104.
  • a virtual host may define a login URI, where unauthenticated clients are redirected to obtain valid authentication.
  • a virtual host configuration may define map rules to transform request URLs. For example, authenticated requests to http://server1:80/directory1 can be mapped to go to https://server2:443/otherplace.
  • the access control server performs the reverse mapping on the response data, making the mapping fully transparent to the client.
  • the number of virtual hosts and request mappings is limited only by available memory.
  • the HTTP/HTTPS authenticator may add cookies or URL parameters to authenticated requests. It may also perform HTTP basic authentication to the protected servers on behalf of the user. There may be rich services for logging elements of authenticated requests, as well as all authenticated and rejected requests.
  • the HTTP/HTTPS authenticator may also be used to offer a HTTPS service to the public network, and use the lighter HTTP protocol to access the protected servers in the internal network, thus reducing load from the protected servers.
  • HTTP and, by extension, HTTPS are connectionless protocols and are typically transferred through a proxy server. These properties imply two things: one "access", e.g. access of a web site, consists of a series of TCP connections; and the connections do not originate from the user's real IP address.
  • the access control preferably authenticates every individual TCP connection, and it cannot rely on the originating IP address. Since the TCP connections cannot be authenticated based on IP addresses, the request content is examined for authentication tokens. The user is first expected to go to a login server 11, e.g. via a virtual host public rule, to obtain the authentication token.
  • IP based access control is suitable for connection-oriented protocols such as RDP (used with Microsoft Windows Terminal Services), SSH and IMAP/IMAPS. Due to the nature of modern Internet, many networks utilize Network Address Translation (NAT). NAT makes all connections from the network appear to come from a single source address (or a small set of shared source addresses). IP based access control is reliable only when it is known that the clients do not connect to the service from a NATed network, or when the entire NATed client network can be trusted. IP based access control requires that the access control server functions as a router between client networks and the protected server.
  • NAT Network Address Translation
  • Connection redirection may be configured, in order to allow connections made to the address of the access control server 10 to be redirected to internal network servers transparently.
  • the user is first expected to go to a login server, e.g. via a virtual host public rule.
  • the login server may authenticate the user by any means, e.g. using CallSign security server from Fujitsu Ltd.
  • the login server 11 may then use the access control server remote control interface to register the user's IP address to the access control server, together with the allowed target server address and session parameters.
  • the access control server 10 allows the connection based on the session parameters.
  • the session parameters may define that only a single TCP connection is allowed, or multiple TCP connections are allowed over a span of time.
  • a virtual host configuration 104 also defines whether compression is used for the authenticated connection, and optionally the compression parameters to be used.
  • a user may have different user identities for low-rate connection (such as mobile access) and other connections.
  • the authentication itself may define the virtual host to be used and thereby the need for compression.
  • the compression parameters are given from the login server 11 when the login server 11 registers the user to the access control server 10.
  • the access control server 10 obtains compression parameters from a user profile database 13.
  • the access control server is provided with a traffic analyser 105 analysing data traffic from a browser of a client device 15/16 so as to determine whether the client device is accessing through a low-rate connection.
  • the analyser 105 may be in use for all connections, or for certain virtual hosts, or when defined in the parameters given by the login server or user information from a database. When analyser 105 observes a low-rate connection, it triggers compression.
  • the access control server 102 comprises a data compressor and decompressor 102.
  • the traffic to be sent to a client device 15 over a low-rate connection is compressed with an appropriate compression method.
  • the traffic received from the client device 15 is decompressed.
  • the data compressor and decompressor 105 can be implemented by any means compatible with the compression used in client devices 15 and/or browsers.
  • the compression includes preventing transmission of a predetermined type of data, such as images, over a low-rate connection based on the identification of user or user type, such as a mobile user 15.
  • FIGs 2 and 3 depict scenarios where the access control server 10 is used to perform access control on a HTTP/HTTPS application server 17 or 18.
  • the client 15/16 first connects to the login web server 11 and authenticates him/herself (step 20).
  • the login web server 17 is located in the public network, and is accessed directly by clients 15/16.
  • the login web server 18 is located in the intranet, and is accessed by the clients 15/16 via virtual host and public URL of the access control server 10.
  • the client's connection to the login web server 10 may be HTTPS for security reasons. If the login web server 11 is accessed via virtual host public URL of the access control server 10, the access control server 10 may provide SSL acceleration for the login web server 11 itself.
  • the login web server 11 generates an encrypted authentication token, gives the token to the client 15/16 (step 21), and uses the remote control interface (addresses 10.0.1.1 and 10.0.2.2) via the control network to register the token to the access control server 10 (step 22).
  • information relating to the compression may be provided to the access control server 10.
  • SSL acceleration is used for the protected application servers if the access control virtual host is defined to serve HTTPS, and the session registration performed by the login web server 11 defines the target server protocol as "http:".
  • the access control server 10 allows or denies the connection based on the authentication tokens included in the request. If the authentication is valid, the connection is forwarded to the protected application server 17; if the authentication is not valid, the client 15/16 is redirected back to the login server 11.
  • the access control server 10 applies data compression and decompression to data traffic sent to and received from the client, if the access control server 10 observes that the client device 15/16 is behind a low-rate connection, e.g. based on one or more of the ways described in the above example embodiments, or in another way. If the client device 15/16 is not behind a low-rate connection, or compression is not defined for the client, no compression is applied to the connection. It will be obvious to a person skilled in the art that, as the technology advances, the inventive concept can be implemented in various ways. The invention and its embodiments are not limited to the examples described above but may vary within the scope of the claims.
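
The following is an added illustration, not code from the patent or from Ascia Oy: a minimal Python model of the flow described above, in which the login server registers a token with session parameters and the access control server then authorizes each request by that token (never by source IP) and compresses only sessions flagged as low-rate. The class, method and field names, the 204 response for withheld images, and the sample tokens are all assumptions made for the example.

```python
import gzip
import hashlib
import time
from collections import namedtuple

# Session parameters handed over by the login server at registration (assumed fields).
Session = namedtuple("Session", "target expires compress block_images")


def accepts_gzip(accept_encoding):
    """True if the client's Accept-Encoding header lists gzip with q > 0."""
    for part in accept_encoding.split(","):
        name, _, param = part.strip().partition(";")
        if name.strip().lower() != "gzip":
            continue
        param = param.strip().lower()
        if not param.startswith("q="):
            return True
        try:
            return float(param[2:]) > 0
        except ValueError:
            return False
    return False


class AccessControlServer:
    def __init__(self, login_uri, vhost_compress=False):
        self.login_uri = login_uri            # where unauthenticated clients are sent
        self.vhost_compress = vhost_compress  # virtual host default for compression
        self._sessions = {}                   # sha256(token) -> Session

    @staticmethod
    def _key(token):
        # Keep only a digest so the registry never holds usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, token, target, ttl, compress=None,
                 block_images=False, now=None):
        """Remote-control call made by the login server after authenticating a user."""
        now = time.time() if now is None else now
        if compress is None:                  # no per-user parameter: use vhost default
            compress = self.vhost_compress
        self._sessions[self._key(token)] = Session(
            target, now + ttl, compress, block_images)

    def handle(self, token, accept_encoding, content_type, body, now=None):
        """Authorize one request by its token, then filter or compress the response.

        `body` stands for the response already fetched from session.target.
        The source IP address is deliberately not an input.
        """
        now = time.time() if now is None else now
        session = self._sessions.get(self._key(token or ""))
        if session is None or now >= session.expires:
            return 302, {"Location": self.login_uri}, b""
        if session.block_images and content_type.startswith("image/"):
            return 204, {}, b""               # assumed way of withholding images
        headers = {"Content-Type": content_type}
        if session.compress and accepts_gzip(accept_encoding):
            body = gzip.compress(body)
            headers.update({"Content-Encoding": "gzip", "Vary": "Accept-Encoding"})
        return 200, headers, body
```

Registering a mobile identity with `compress=True` and a broadband identity without it gives two sessions on the same virtual host that receive different treatment for the same resource.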
PCT/FI2006/050282 2005-06-29 2006-06-27 Data compression arrangement WO2007000493A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
FI20055357 2005-06-29
FI20055357A FI20055357A (fi) 2005-06-29 2005-06-29 Data compression arrangement

Publications (1)

Publication Number Publication Date
WO2007000493A1 (en) 2007-01-04

Family

ID=34778493

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FI2006/050282 WO2007000493A1 (en) 2005-06-29 2006-06-27 Data compression arrangement

Country Status (2)

Country Link
FI (1) FI20055357A (pt)
WO (1) WO2007000493A1 (pt)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001055904A1 (en) * 2000-01-31 2001-08-02 X/Net Associates, Inc. System and method for in-stream data compression
WO2002010929A1 (en) * 2000-07-28 2002-02-07 Remote Communications Inc. System and method for serving compressed content over a computer network
US20020170065A1 (en) * 2001-05-08 2002-11-14 Pinnick Skyler D. Apparatus and method of managing compression of video and delivery of video over the internet
WO2004008334A1 (en) * 2002-07-11 2004-01-22 Akamai Technologies, Inc. Method for caching and delivery of compressed content in a content delivery network
EP1424779A1 (en) * 2002-11-26 2004-06-02 BMC Software, Inc. Selective compression of web-based data transmissions
AU2004100324A4 (en) * 2004-05-03 2004-05-27 Fuse Holdings Pty Ltd Video encoder

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008144928A1 (en) * 2007-06-01 2008-12-04 Research In Motion Limited Determination of compression state information for use in interactive compression
US7612695B2 (en) 2007-06-01 2009-11-03 Research In Motion Limited Determination of compression state information for use in interactive compression
US7990291B2 (en) 2007-06-01 2011-08-02 Research In Motion Limited Determination of compression state information for use in interactive compression
US8766826B2 (en) 2007-06-01 2014-07-01 Blackberry Limited Determination of compression state information for use in interactive compression
CN103685179A (zh) * 2012-09-12 2014-03-26 中国移动通信集团公司 Content compression method, apparatus and system
WO2017059400A1 (en) * 2015-10-02 2017-04-06 Veritas Technologies Llc. Single sign-on method for appliance secure shell
US9923888B2 (en) 2015-10-02 2018-03-20 Veritas Technologies Llc Single sign-on method for appliance secure shell

Also Published As

Publication number Publication date
FI20055357A0 (fi) 2005-06-29
FI20055357A (fi) 2006-12-30

Similar Documents

Publication Publication Date Title
US9253193B2 (en) Systems and methods for policy based triggering of client-authentication at directory level granularity
US9692725B2 (en) Systems and methods for using an HTTP-aware client agent
US7206932B1 (en) Firewall-tolerant voice-over-internet-protocol (VoIP) emulating SSL or HTTP sessions embedding voice data in cookies
US8819809B2 (en) Method and appliance for authenticating, by an appliance, a client to access a virtual private network connection, based on an attribute of a client-side certificate
US6751654B2 (en) Simulating web cookies for non-cookie capable browsers
US7463637B2 (en) Public and private network service management systems and methods
US9407608B2 (en) Systems and methods for enhanced client side policy
US8561155B2 (en) Systems and methods for using a client agent to manage HTTP authentication cookies
JP5426545B2 (ja) Method for optimizing encrypted wide area network traffic
US8943304B2 (en) Systems and methods for using an HTTP-aware client agent
US20090064300A1 (en) Application network appliance with built-in virtual directory interface
US20080034413A1 (en) Systems and methods for using a client agent to manage http authentication cookies
EP1678918A1 (en) A persistent and reliable session securely traversing network components using an encapsulating protocol
EP3518503B1 (en) Systems and methods for using an http-aware client agent
WO2005060202A1 (en) Method and system for analysing and filtering https traffic in corporate networks
WO2007000493A1 (en) Data compression arrangement
US20030236997A1 (en) Secure network agent
KR20000054521A (ko) System and method for blocking attacks by hacking robot programs
Palakollu et al. Socket Programming
Loreto et al. Network Working Group G. Montenegro Internet-Draft Microsoft Intended status: Informational S. Cespedes Expires: January 9, 2017 Universidad de Chile
Feinstein et al. Internet− Draft IAP March 2001
Proxy Zdenek Siblık Compressing Proxy
Rahman et al. CoRE Working Group A. Castellani Internet-Draft University of Padova Intended status: Informational S. Loreto Expires: January 12, 2012 Ericsson

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06764521

Country of ref document: EP

Kind code of ref document: A1