DE102015005387B4 - A method, communication terminal, router device, server device, Internet access, and computer program product for establishing and conducting communication links between at least one terminal and the Internet - Google Patents

Abstract

Method for the production and implementation of communication links between at least one terminal and the Internet, characterized in that a connection of a terminal MD guest as a guest following a local area network LANFI, which grants free Internet access, can be built and operated on the public Internet, wherein in a first step, the MD guest transmits a connection request to a service provider ISP guest by transmitting an ISP guest identifier to the LANFI, in a second step the LANFI checking the connection request for at least plausibility and automatically checking the relevant ISP guest identity by verifying the ISP guest ID in a stored list listing only ISPs operating within the scope of the law, a. in the positive case, the IP address of the ISP guest is read out as confirmation andb. LANFI then sets up an Internet connection exclusively to this IP address for the MD guest, with the MD guest at ISPGasta in a third step. is authenticated and finally authorized for access to services in the ISP guest andb. accordingly, the MD guest is assigned an IP address from the address quota of the ISP guest andc. a technical connection to the Internet is made in the ISP guest, d. whereby in the inventive method the guest terminal MD guest and the LANFI network are completely decoupled from each other and mutually tamper-proof, I. the guest connection is made exclusively via the legal ISP guest to the Internet andII. all activities of the guest on the Internet are subject to legal surveillance measures, III. without the LANFI having to connect the users and corresponding technical LI monitoring devices.

Description

The present invention relates to a method, a communication terminal, a router device, a server device, an Internet access, and a computer program product for establishing and performing communication links between at least one terminal and the Internet.

Methods for communication between a terminal and the Internet are already known. The usual access of one LAN -capable device (Local Area Network) or one WIRELESS INTERNET ACCESS - capable terminal (Wireless Local Area Network), here as WIRELESS INTERNET ACCESS Device WD refers to the public Internet using a WIRELESS INTERNET ACCESS capable router (WR) via a wired digital transmission (copper, fiber optics etc, for example via DSL, SDSLetc connection) or alternatively via a radio transmission (mobile, GPRS, UMTS, LTE etc.) in the direct connection or alternatively in the indirect connection (For example, following a telecommunications network) to an Internet service provider ISP , which provides the technical facilities for connection to the Internet.

More and more mobile devices can also be used by third parties WIRELESS INTERNET ACCESS get to the internet. There are different methods for this, but they each have specific disadvantages.

The prior art was the published patent application DE 10 2007 034 889 A1 researched. It relates to: a method, system and computer program product for monitoring the availability of network access. The invention relates to the monitoring of the availability of network access points with the task of a high and consistent network quality providers of public access points, such as operators of public facilities, such as airports, stations, but also owners of hotels, restaurants, bars or cafes or Wi-Fi hotspots in major cities to ensure their guests. In accordance with the invention, network access points, against which an authentication is required in the event of access to the public network, are monitored in the sense of continuous monitoring.

However, a disadvantage of this procedure is the necessity for the guest to authenticate himself to the "authentication platform" of the operator of the network access points. For example, he can use a password for authentication. For authentication, however, a verification of the authentication by the authentication platform is required so that the guest (his authentication) can be clearly checked for authenticity, after which the guest is connected through the network infrastructure of the access point provider to the Internet or is authorized to do so. The advantage of such a procedure is the complete identification of the guest, who must already be known in advance in the authentication platform. Thus, the legal requirements according to, for example, Telecommunications Surveillance Ordinance TKÜV (Lawful interception, data retention, Störerhaftung) can be met. Of great disadvantage, however, is the considerable technical and administrative effort for the authentication platform and the fact that the network access point for the customer is almost a service provider, in which he must be registered as a customer in advance. For a universal solution, for example for providers of small or even private hotspots, this procedure is unsuitable. Information about the protection of the data transmitted by the customer against misuse by the provider of the hotspot or vice versa protection of the network access points against misuse by the guest is not disclosed.

The US 2009/0 187 983 A1 discloses a Method and System for Distributed, Localized Authentication in the Framework of 802.11.

The invention describes the usual procedure when accessing a wireless device to the Internet. It is divided into two categories. The first are so-called "captive portals", whereby the Internet access through the network of the operator takes place after an authentication with the operator - that is comparable with the view in DE 10 2007 034 889 A1 ,

Captive portals are described as password-based methods and as common for hotspots and various Wi-Fi projects. Furthermore, a LAN Port authentication scheme, wherein the WIRELESS INTERNET ACCESS an authentication server connects to an access point and the authentication server is preferably implemented as a RADIUS server.

This practice is known to many employees of larger companies who own their corporate notebook at home over their own LAN following the business.

A special client software on the notebook dials into the RADIUS server of the company, which authenticates the "employee" and allows the connection to the corporate network and / or Internet. Subsequently, the data exchange to the network of the company usually takes place via a protected protocol. The necessary transition to the Internet also takes place in the company.

The invention relates to a type of mixing system in which a number of geographically distributed access points can communicate with each other from a number of previously known and stored by various parameters stored in the terminal and the access points and by the help of a central authentication entity (CA server). The central server also allows editing of network shares as well as manual configuration and distribution of updates.

For authentication, the access point contains an authentication module, which communicates with a central server and enables the connection of the terminal.

It is actually the implementation of a closed-user group, the terminals are known in advance and stored in the common database of the authentication device. The advantage of the method is that the terminals can be mobile at different access points, for example, regionally or geographically distributed, logged in and can get access to the Internet, which is possible in conjunction with a central authentication device.

The difference to DE 10 2007 034 889 A1 consists essentially in that this is a local access provider, for example, a city network, while at US 2009/0 187 983 A1 the access points can be distributed nationally. A typical area of application for this is a research network through several research institutions or, for example, a company with several branches. Employees can log in to the respective network with their terminal at the different participating locations by accessing the central authentication device. Local authentication facilities are not required. The disadvantages of a necessary authentication platform are also included US 2009/0 187 983 A1 given and comparable in both inventions.

The availability as a free Internet for a guest is not given here.

The publication Mansmann, Urs: Invitation to the hotspot. In: c't, Issue 7/2015, 07.03.2015, S. 116-121, gives a good overview of the state of the art on the subject of "free Internet".

Already at the beginning, the problem for private individuals and traders is pointed out when they make their Internet access available to their customers. This is a direct indication of disruption liability and the fact that customers (guests) may also be able to access internal devices and network components.

Then we read under the introduction: "Some companies have recognized this gap in the market and offer customer and guest hotspots to ..." described the previous solution variant of the problem. The listing and description of the article concerns hotspot providers and so-called "social WLAN" providers, which must be regarded as service providers in the narrow sense, because they are not ad-hock usable for each guest, but require a contractual relationship and one each corresponding authentication procedure at a so-called. Operator (a service provider), whereby monthly also mainly incurred fees.

However, these types of hotspots do not provide free Internet access, but are comparable service providers such as Telekom or Vodafon, which are also for their customers WIRELESS INTERNET ACCESS Provide hot spots. The overview is completed by a table "Wi-Fi access for guests with disclaimer (selection)", in which six hotspot providers and two "social Wi-Fi" providers, comparing the terms and conditions and costs are compared.

Also described is the "free-radio method", which does not solve the security risks described, but bypasses, for example, by the traffic is redirected abroad. This is in the legal gray area.

The c't article also refers to networks (here, for example, private user routers) that establish a connection between a guest and the Internet.

In all variants described, there are considerable disadvantages. Either an authentication platform is used and it is in the real sense a service provider and by no means a free Internet access, or alternatively the guest under the identity of the access point operator (free radio method) with the resulting legal abuse problem to Internet switched on, or alternatively the Internet access is made abroad, which is also legally problematic and in turn requires a kind of membership to this procedure.

The present invention seeks to eliminate the disadvantages of existing methods. For a more precise definition of the task, a deeper understanding of the existing technical scenario is required. In principle, a so-called Internet Access Provider IAP meets the connection requirements. As a rule, an IAP offers additional services / Services such as cloud storage, e-mail accounts, fax transitions, etc. For the purposes of the present invention, therefore, a technical device, which provides an Internet transition for customers following the public Internet, is represented as ISP designated. It is not between IAP and ISP distinguished, both are considered identical.

As a rule, the ISP in the possession of a service or for example telecommunications enterprise, which in its entirety including the technical components as ISP referred to as. For the purposes of the present invention, for example, T-Online is a company of Deutsche Telekom AG ISP and enables customers to access the Internet via the technical conditions.

For the fulfillment of the legal monitoring measures and for data retention according to the Telecommunications Surveillance Ordinance TKÜV (successor of the Telecommunications Surveillance Ordinance FÜV) the ISP additionally via the corresponding technical facilities LI (Lawful Interception) according to, for example, ETSI TR 101 943. For the purposes of the present invention, such ISP favors that meet these requirements. They are sometimes referred to as L for clarity ISP (legal or lawfull ISP ) designated.

In this technical constellation orders the ISP the WD a temporary or a fixed Internet address (IP address) from its address quota when entering the Internet. WD and WR are usually a legal or private person ( ISP Customer). Between ISP and the ISP Customer ( ISP - K ) there is usually a contractual agreement governing the monetary remuneration of the Internet access by the customer (for example, data transfer rate, quality of service QoS, volume of data, use of additional services, etc.) and whereby the customer is identified by name and locally (name , Place of residence, date of birth, account details, etc.). The customer data and the respective IP address of an Internet connection and, if necessary, other connection data such as time stamp, date, Internet activities, port address, e-mail address, etc. are at ISP stored electronically, whereby a clear assignment of Internet activities to a person and thus the legal requirements for the prosecution or destruction of criminal offenses are feasible.

The law enforcement agencies LEA (Law Enforcement Agencies) have automated access to the appropriate by law LI -Components of ISP via special connections.

Often used ISP -K several and different communication devices for connection to the Internet, such as personal computer PC, notebook and mobile device Mobile Device MD , For ease of illustration, all of these computer and communication devices in the sense of the present invention are collectively grouped under the name MD (Mobile Device, mobile terminal).

One MD For the purposes of the present invention is typically a mobile station with WIRELESS INTERNET ACCESS Interface (smartphone, mobile phone), but alternatively with any cable connection (copper, fiber optic) and / or one with any wireless connection (DECT, GSM, UMTS, LTE, optical infrared, Bluetooth, WIRELESS INTERNET ACCESS etc.) connected device of any kind.

A WR is often a comfortable multifunctional device. It has according to the prior art often at least one DSL modem or alternatively a mobile radio modem, multiple Ethernet cable connections, at least one WIRELESS INTERNET ACCESS Transceiver, memory space, a USB device interface, a DECT telephone system and the corresponding internal network components and the actual router to communicate with each other and the Internet to the connected devices. Such a device with all the wiring and accessories, for example WIRELESS INTERNET ACCESS Repeater, NAS storage devices, etc. according to the invention below under the name LAN summarized.

One LAN According to the present invention may accordingly consist of a single WR, alternatively from any number of any network components, such as corporate LAN or a LAN a city or region. It can handle any number of internal and external cable and wireless connections, too WIRELESS INTERNET ACCESS Networks.

The nomenclature MD and LAN thus follows the supposedly most common method of using a mobile station with WIRELESS INTERNET ACCESS - Interface on WIRELESS INTERNET ACCESS capable router, but connects the connection of any other devices with any Anschalteart following LAN of any form explicitly not.

In general, the Internet access is from ISP -Customs with full legal liability personally used. In addition, he is shared in the home at least by family members. For all Internet activities and thus the lawful and contract-compliant communication thereby is the ISP -Customer responsible and fully liable.

Now there is a variety of desire that guests with their own MD an internet connection via the LAN one ISP -K and its ISP want to build and operate in the public Internet. This desire is often in the private sphere (guests, friends, children's friends, etc.), but also in companies (business and private customers, partners, employees, visitors, etc.), in the hotel and restaurant industry, at airports, railway stations Ships, in trains, in the bus, in the truck or car, in the municipal area etc.

An Internet connection that allows a guest to connect to the Internet is often referred to as "Free Internet Access" or "Free Internet" and here below FI designated. As operator of a LAN With FI Possibility is therefore available to private persons, companies and / or public institutions.

For the realization of a FI There are several approaches to the prior art, but unfortunately all are associated with significant limitations.

One ISP - K For example, he may provide access to his guest through his own WR. Some routers offer a guest function for this purpose. For example, the router FRITZ! Box 7390 AVM an additional LAN as a guest- WIRELESS INTERNET ACCESS span. This guest WIRELESS INTERNET ACCESS which can be called a separate name can be turned on and off on a temporary basis and offers some software protection measures to allow the guest to change others LAN Components can not endanger. From the perspective of ISP such a guest can not of the ISP -K are distinguished.

As a guest is understood in the context of the present invention, a person or an automatic device, which with its own MD about a foreign LAN following a stranger ISP wants to operate or operate an Internet connection, whereby he has no contractual relationship with this ISP and there are also no authentication data for legal supervision for his person.

To the state of the art there is no technical procedure or device, which the legal monitoring requirements for any guests on LAN automatically fulfilled. Any communication with the internet will be at ISP as communication of ISP -K treated. He is fully liable for all activities at his terminal.

If the ISP -K about a suitable one LAN If he has the appropriate technical expertise, he can write down the device data and personal data of his guests and log connection data in the router. However, this is associated with considerable manual, organizational and technical effort, hardly manageable in practice and also does not meet all legal requirements. For example, a guest can not be targeted and automatically by the legislature ( LEA ) be monitored. Also, a subsequent argument is problematic, if the ISP -K in turn manipulates the records.

As a legal Internet access or legal Internet connection (Lawful Internet Connection LIC) is in the context of the present invention, a connection between a MD and the public Internet, which takes place in accordance with the legal requirements, ie the user of the MD must be at least authenticatable and monitorable (typically at ISP ). Of the ISP must have the technical facilities to comply with the legal supervision measures. One ISP in this sense is subsequently considered legal ISP considered (LISP). As a rule, there is between MD Owner as LAN -K and LISP a contractual relationship.

One ISP , which for example a MD within the Federal Republic of Germany provides Internet access via the detour abroad, s. c't 2015, Issue 7 p. 120 "Freifunk" first paragraph, is not understood in the sense of the present invention as LISP, since it is subject to legal supervision at the location of the MD withdraws. This definition is made here independently of a legal examination or consideration exclusively within the scope of the present invention for the purpose of better illustrating the method according to the invention.

A method with limited monitoring capability according to the prior art is realized as follows. One ISP can install several WR in public areas for his clients. For example, Telekom has a large number of so-called hotspots. However, these are usable only for Telekom's own customers with a special contractual relationship and stored authentication data. For the purposes of the present invention, however, this is not FI for guests, as the user is a customer of ISP (Hotspot) must be.

An alternative realization of a FI currently exists in that one ISP allows his own customers to get into that WIRELESS INTERNET ACCESS of another of his own customers and connect to the Internet. The WR has a special technical prerequisite for the connection. The guest can at the ISP be authenticated because he is contractually associated with him. The procedure is similar to the hotspot technique with the difference that the hotspot in this case the Router is a paying customer. The procedure can be restricted exclusively by contract customers of the ISP to be used. Accordingly, for the purposes of the present invention, this is not FI for guests, as the user is a customer of ISP have to be.

A good overview of the aforementioned and other similar realizations offers the article sequence: "Invitation to the hotspot", "Sharing for professionals" and "Sharing with law" in the magazine c't magazine for computer technology, issue 7/2015 from page 116. There is also detailed on the monitoring and liability issue.

The report of the "Rheinische Post" of Tue, April 14, 2015, which reports that the President of the Federal Network Agency wrote to the operators of public WIRELESS INTERNET ACCESS Hotspots has been asked to equip their networks with a monitoring access, as the illegal area should no longer be tolerated.

This procedure, if it were implemented, would be associated with very considerable technical and organizational effort, in addition to the high number of hotspot and FI Operators, which must be equipped with a monitoring access, including the corresponding technical LI Supervision facilities within the hotspots would have to be present - including, for example, in terms of § 88 TGK telecommunications secrecy trained and sworn staff in appropriately designed access secure premises.

The publication strongly suggests that a suitable technical method or procedure for monitoring the FI currently unknown and urgently needed.

A good overview of the technical and legal requirements for Telecommunications Surveillance Regulations with reference to the applicable technical standards and regulations can be found in the European Patent EP 1 358 736 B1 such as EP 1 340 353 B1 and EP 1 317 860 B1 (all Deutsche Telekom AG, inventor in each case Walter Keller).

A good overview of the technical realization of DSL accesses can be found in EP 2 522 125 B1 respectively. EP 2 232 841 A1 (also Deutsche Telekom AG, inventor in each case Walter Keller).

It is the object of the present invention to eliminate the existing shortcomings of an outstanding monitorability of guests with free Internet access at the hotspot and / or in a free Internet access and to provide a technical possibility, the legal access to the Internet via hotspots and FI Networks under the fulfillment of state surveillance measures, for example, the TKÜV and the associated technical guidelines, for example, according to ETSI TR 101 943 for at least one guest optional for a plurality of guests simultaneously.

The invention will be explained below using embodiments and the attached figures, wherein the drawing figures are not limiting for an illustrated exclusive technical realization.

The components shown in the pictures MD . LAN . ISP , LIR, guest and customer meet the above definition. The names are therefore not restrictive.

The extension "FI" indicates that the customer in question is his own ISP (here ISPFI) with his LAN (here LANFI) allows free access to the Internet for guests, whereby a guest can also be a customer of the ISPFI or alternatively a customer of any other ISP.

1 shows an example WIRELESS INTERNET ACCESS -Complete terminal MDFI of the customer FI following its LANFI, for example a WIRELESS INTERNET ACCESS capable router connected to the legal Internet Service Proivider LISPFI (Lawful Interception LIFI) via a wired or, alternatively, wireless connection to connect to the Internet. The customer database KDBFI contains the customer's personal customer data required for monitoring FI as well as the relevant connection data of the terminal MDFI during the Internet session.

Another terminal MD1 of the customer 1 is also connected to the Internet via the service provider ISP1 with LI1. The personal data of this customer are accordingly in the database KDB1.

Both ISP each have the appropriate monitoring facilities LIFI and LI1, on the part of the supervisory bodies LEA can be accessed via the monitoring access UFI and U2.

To enlarge the overview in the further figures, the respective components customer database and Lawful Interception device with the corresponding ISP each as LISPFI, LISP1 to LISPn.

On the picture of the LEA is therefore omitted in the other figures, but it is assumed for a regular legal operation.

In 2 , represents the customer FI for the customer 1 and other non-pictured customers a free Internet access FI to disposal. The customer 1 moves exemplarily as a guest 1 with his MD1 terminal to the customer's LANFI FI (1) and would like to have free internet access there. The guest 1 can optionally log on manually by activating the connection request and / or input of data in his MD1 at LANFI or alternatively can have an automatic connection performed by his MD1. Both variants and any combinations of these are subsumed below as "Guest Guest x in LANFI".

With a direct internet connection of MD1 over LISPFI and its ISPFI is the customer FI legally liable for all activities of the guest 1 on the Internet, since only personal data for the guest FI in connection with whose connection (DSLFI, LANFI, MDFI) are stored in the customer database of LISPFI.

The method according to the invention solves this problem and therefore deviates from the usual prior art direct connection by providing the technical realization described below.

MD1 establishes a connection to LANFI (2), logs in and makes an automatic connection request to the Internet access. MD1 transmits the name (identification) of its own LISP1 to LANFI. In LANFI, such connection requests can be individually configured or treated for all guests (MD1 ... n). For example, the customer FI individually, alternatively groups of guests or the total collective of the guests the Internet access in principle (see below) and / or grant access to internal components of the LANFI, lock or configure individually. These include the configuration of transmission bandwidth, time window, connection time duration, priority, QoS, charge parameters etc.

If the guest 1 is authorized for the Internet access, if configured accordingly by LANFI according to the plausibility check carried out, LANFI establishes an internet connection via its LISPFI (3), if it does not already exist and transmits it ISP Name of LISP1 to the server device LARS (Legal Address Resolution Server) (4) and receives in the positive case, an Internet address (IP address) of LISP1 on the connection (5 and 6) side LARS back.

For this purpose has LARS via a database with all LISP, the LI and are capable of the inventive method for FI take part. The LISPs are characterized at least by their name and the associated IP address, with the IP address the respective dial-in server for their own customers via the public Internet in the respective LARS addressed. Optionally, several addresses may also be available for a LISP, for example for redundancy purposes and / or for load sharing.

For a wrong address request or a request for one ISP who does not participate in the procedure and / or none LI Device or alternatively is blocked for the procedure (for example, because of misuse) or in the LARS Database is not known, accordingly no IP address LARS transmitted. Optionally, a detection of the wrong query with an automatic response, such as a journal entry, an alarm or a warning o.ä. be acknowledged and / or recorded. Optionally, LANFI and / or LISPFI may provide further information for monitoring purposes LARS be transmitted, for example, a device identifier of MD1 etc.

The LARS Address and name list can alternatively be managed or buffered in LANFI's own memory. The table may alternatively be in the public DNS server (Domain Name System of the Internet), in a data store at the ISPFI, in a server connected to the ISPFI or a server connected to the Internet at a corresponding service provider or again alternatively and preferably at the Authority, for example, the Federal Network Agency.

The table must always be maintained promptly, stored correctly and tamper-proof.

It can be a single one LARS be present or in an alternative embodiment, a plurality of LARS ,

In 3 is an example of the automatic connection establishment to LISP1 by means of LARS referenced IP address. For this purpose, preferably a secure connection, such as a virtual private network VPN ( VPN Tunnel) optionally by LANFI or MD1.

Under the name used synonymously in the present invention VPN will be any secure point-to-point connection between one MD or one LAN (also LANFI) and the respective ISP understood, so one VPN , Secure Sockets Layer SSL, Point-to-Point Protocol PPP etc.

A preferred embodiment provides the structure between MD1 and LISP1 (7 ... 9), with LANFI filtering the IP address and excluding those of LARS transmitted IP address from LISP1 to Addressing the VPN allowed. MD1 can not use a different IP address and therefore can not operate any unauthorized traffic on the Internet.

The dial-in server of VPN Connection in LISP1 can be, for example, a RADIUS server (Remote Access Dial In User Service) or, for example, a RAMSES server (Remote Access Management Subscriber Enhanced Service according to US Pat EP 1 238 513 B1 Deutsche Telekom AG, inventor Walter Keller).

The technical realization of a single VPN is state of the art, but the combination is multiple VPN to different LISP with corresponding individual filter restriction in the LANFI not yet known.

The dial-in procedure by means of password and password or by means of individual device data is also assumed to be known.

The VPN Connection secures MD1 to the customer FI and all other guests who are connected to the LANFI, from each other, so that all activities of MD1 for the customer FI and other guests stay secret. Conversely, the same applies, an access of MD1 etc. to network components or a manipulation of LANFI is also excluded.

This functionality is also new. In the known hot-spot method, the router establishes a VPN connection, so that the customer data is partially transmitted unprotected.

LISP1 then allocates a dynamic or static IP address from its MD1 contingent

And establishes a data connection to the Internet for MD1 (10). Afterwards MD1 can over the VPN Connect transparently via LANFI and LISPFI with LISP1 and continue to communicate with the Internet.

It is guaranteed that any activity of MD1 on the internet in LISP1 can be legally controlled.

LANFI does not require any special monitoring or logging, a LI -Monitoring device and also a LEA -Monitoring connection are dispensable. MDFI itself is monitored in LISFI.

This is independent of the size and characteristics of the technical facilities of the LANFI. It can be a private customer with a simple one WIRELESS INTERNET ACCESS Routers that want to give handpicked friends free internet access without any legal problems, or alternatively a complete city network that would allow anyone to freely access the Internet if they have a contractual relationship with any LISPx.

4 shows by way of example the connection diagram for the case where several guests 1..n communicate simultaneously with different LISP 1..n and are switched through to the Internet.

5 shows a particular alternative embodiment of the procedure according to the invention. Here, at least one customer, here by way of example the customer 1, dispenses with at least one own DSL connection to his own ISP1 and / or to his own LAN1. Customer 1 acts with MD1 exclusively as a guest at LANFI or any other provider of the FI Services.

For example, a residential community, a business building with different companies, a block or even an entire city with a fast Internet connection could be used in this procedure FI be supplied via a telecommunications provider, all customers via the same or any ISPx get access to the Internet.

The connection FI can, for example, alternatively by a telecommunications company or ISP installed and operated.

In this procedure, there is a complete logical decoupling and unbundling the Internet access of all customers involved on the so-called last mile (subscriber line) of the connection FI , In addition, considerable cabling is saved.

Optionally, in this embodiment, alternatively or in parallel to WIRELESS INTERNET ACCESS an LTE connection with significantly greater wireless range and multiple antennas can be used in the LANFI.

The current state-of-the-art technique poses significant legal and physical problems when a telecommunications company (for example, a quasi-monopolist) routes a fast fiber optic cable to a building complex (fiber dead building or fiber to the curb). In principle, one fiber is often sufficient for all relevant customers, but for competitive reasons, the connection must be unbundled and each customer receives his own fiber so that he can meet different requirements ISP can be connected.

The inventive method enables the centralized or distributed installation of a LANFI at the end of the fiber, over which all potential customers completely logically decoupled via the LANFI (by cable, fiber or radio) to its respective ISPx.

Cable connections also have advantages. In the current procedure, the cable owner of the subscriber line TAL (for example, Deutsche Telekom AG) must use individual pairs of wires in the subscriber line cable for other competitors (telecommunications companies, ISP etc.), if the customer so wishes. This "unbundling" of the TAL creates a plurality of separate digital transmission channels within a multi-pair cable, resulting in significant mutual electromagnetic interference as well as a reduction in the transmission bandwidth for the respective channels on the subscriber lines (see DSL literature cited).

In the procedure according to the invention, a fast cable connection of the FI or the parallel operation on multiple leads of the same FI without external interference of other Internet connections or with less interference by a smaller number of other Internet connections in the same cable for several guests on FI Connection with a statistical traffic distribution lead to significantly higher data transfer rates for all parties involved.

The logical unbundling here also replaces the physical unbundling according to the invention. In this procedure, the present invention may be advantageous with the inventions EP 2 522 125 B1 respectively. EP 2 232 841 A1 (Deutsche Telekom AG, inventor in each case Walter Keller) combined and lead to significant performance increases in the download and upload.

5 shows another option. Customer n operates his LANn in addition to his own DSL line or alternatively exclusively (shown here) complete with all network components and terminals MDn1 to MDnm in connection 7n via cable, radio or optical fiber connection as a guest on the LANFI.

The guest operates here not a single terminal, but his entire network as a "guest network" (for example, a small company network) via the LANFI.

To identify a LANFI according to the invention a WIRELESS INTERNET ACCESS Identifier SSID proposed, which consists of the three letters of the designating initial identifier for a Lawfull or Legal Free Internet "LFI", followed by a hyphen and an individual network identifier, for example "LFI-Stadtnetz Düsseldorf", "LFI" Laubpieper "or similar exists so that a guest can quickly and easily recognize any LANFI and the letter combination can also be used on the device side for an automatic dial-in for network identification.

6 shows a further preferred embodiment. The LANFI is designed as a hotspot and supplies the customers 1 to n of a block of flats or, for example, a housing estate etc. The technical equipment of the LANFI is installed, for example, at the location of the cable divider, Digital Subscriber Line Multiplexer DSLAM, etc., and spans the radio network, by way of example LFI Campus on. By way of example, the customer n has any LAN and is equipped with a radio repeater that the LFI Campus network and thus increases the LANFI range and illustrated here exemplifies the same SSID carries. An additional enlargement of the FI Connection area results, for example, by using an optical or conventional radio link.

This approach brings particular benefits through increased bandwidth and cabling savings associated with fiber to the building or fiber to the curb, a DSL vectoring process on the copper line, or a DSL method EP 2 522 125 B1 respectively. EP 2 232 841 A1 with, for example, customer configurable upload download bandwidth (Deutsche Telekom AG, inventor in each case Walter Keller).

In addition to extending the bandwidth for customers, it can accelerate fiber optic expansion by eliminating the need for individual cabling or fiber access.

Another advantage arises when using a UMTS or LTE radio network or the like due to the greater range WIRELESS INTERNET ACCESS , Currently, in the case of poor line quality or if there is no TAL, a customer may alternatively operate a router device with LTE interface. For example, T-Online offers such Internet connections as "Call & Surf Comfort via radio". The disadvantage is compared to a cable or fiber connection in the significantly reduced bandwidth of the mobile network and the limited data volume. There is no data flatrate offered. Another disadvantage is that about such a compound no inventive legal FI Connections to different ones ISP can be produced. Ie it is a normal Internet connection to a single ISP as a direct replacement of the DSL connection with a reduced scope of services.

In contrast, the method according to the invention can offer an unbundled high-speed connection for all customers 1..n.

Among other things, this is particularly interesting when fiber optic lines are subsidized and / or financed by public funds for rapid Internet expansion and the ISP or telecommunication companies charge users for use and Internet access, thereby re-charging the public for the cost of the investment. In the method according to the invention, access is automatically unbundled, since the customer does not need a hardware connection.

According to the invention, a separation between (transport network) and service network (service offer by independent ISP and / or telecommunications company). This promotes competition and creates equal starting conditions for all ISP , Such a transport network can for example be installed and operated by municipalities.

Conventionally required extremely expensive components, such as Digital Subscriber Line Access Multiplexer DSLAM (DSL access multiplexer), which in the optical fiber or Vektoring method the transition between the transmission method in the (local) cable and the DSL, VDSL, etc. connections to divide the individual subscriber lines in the connection area to the customers / households and the other party to the transition to the Internet (typically in the exchange) can be completely dispensed with, if the entire traffic is handled directly at IP level and the participants (customers) not using DSL Connection line but via Ethernet or radio (for example WIRELESS INTERNET ACCESS ) are connected to the LANFI.

Of particular advantage is that such a transport network can be operated fully automatically.

A further advantage is that the essential scope of the procedure according to the invention by a software change and additional software components and / or sequential control in many commercially available smartphones, routers and ISP Components can be retrofitted.

LIST OF REFERENCE NUMBERS

FI

free internet (also in combination with other abbreviations)

ISP

Internet service provider

K

Customer (also in combination with other abbreviations)

LAN

Local Area Network

LARS

Legal address resolution server

L

Legal (also in combination with other abbreviations)

LI

Leawfull interception (also in combination with other abbreviations)

LEA

Law Enforcement Agencies

LFI

legal free internet

MD

mobile terminal

VPN

Virtual private network

WD

wireless terminal

WIRELESS INTERNET ACCESS

Wireless Local Area Network

Claims (16)

Method for the production and implementation of communication links between at least one terminal and the Internet, characterized in that a connection of a terminal MD guest as a guest following a local area network LANFI, which grants free Internet access, can be built and operated on the public Internet, wherein in a first step, the MD guest transmits a connection request to a service provider ISP guest by transmitting an ISP guest identifier to the LANFI, in a second step the LANFI checking the connection request for at least plausibility and automatically checking the relevant ISP guest identity by verifying the ISP guest ID in a stored list listing only ISPs operating within the scope of the law, a. in the positive case, the IP address of the ISP guest is read out as confirmation and b. LANFI then sets up an Internet connection to exclusively this IP address for the MD guest, whereby in a third step the MD guest in the ISP guest a. is authenticated and finally authorized for access to services in the ISP guest and b. Accordingly, the MD guest is assigned an IP address from the address quota of the ISP guest and c. a technical connection to the Internet is made in the ISP guest, d. whereby in the method according to the invention the guest terminal MD guest and the LANFI network are completely decoupled from each other and mutually tamper-proof, I. the guest connection takes place exclusively via the legal ISP guest to the Internet and II. All activities of the guest on the Internet are subject to legal surveillance measures, III. without the LANFI having to connect the users and corresponding technical LI monitoring devices. Method according to Claim 1 , characterized in that simultaneously or with a time delay, a plurality of guests with at least one terminal MD or a plurality of terminals MDx on the LANFI can be connected to the same ISP guest or a plurality of different ISPGast and can be active on the Internet. Method according to Claim 1 , characterized in that the LANFI can be technically implemented as a single network component with DSL modem, LAN or WLAN interface or as a WLAN-enabled router or alternatively consists of a plurality of individual network components to a large on a building complex, a city or Region distributed network of any network components and any connections and any number spanned radio interfaces. Method according to at least one of the preceding claims, characterized in that the terminals of the guests on a LANFI can be configured and also locked individually, in groups and / or in their entirety with regard to the access rights to network components within the LANFI and with regard to the connection to the Internet, this includes the transmission bandwidth, the transmission quality, Quality of Service QoS, the time and / or the duration of the connection. Method according to at least one of the preceding claims, characterized in that individual MD guest device identifiers, a MAG address, a MSISDN, a fixed IP address and / or an individual operating system ID of the MD guest in the LANFI for identification and / or denial of the guests in LANFI can be stored in order to lock out MDGast devices in case of misuse of the connection or, alternatively, to carry out billing, payment transactions, usage costs, connection statements or connection statistics. Method according to at least one of the preceding claims, characterized in that the LANFI can filter the connection establishment of a connected MD guest such that the MD guest can only establish IP connections if they are released by the LANFI, so that no arbitrary IP connections in the Internet come about. The same applies mutatis mutandis to alternative types of addressing in the Internet, which can be operated without an IP address. Method according to at least one of the preceding claims, characterized in that at least one external server device (here called Legal Address Resolution Server LARS) is preferably present following the public Internet, which contains at least the ISP names and the IP addresses of the dial-in accesses of the ISPs with legally prescribed monitoring device (Legal ISPs = LISPs), which can be addressed as LISP guest and participate in the FI procedure (here called ISP guest for short). Method according to at least one of the preceding claims, characterized in that MD guest terminals are used exclusively following guest networks LANFI, with this procedure, a logical unbundling of the subscriber line takes place because Internet connections of different customers (MDx) to different ISPGast in the same transmission medium between LANFI and LISPFI on the subscriber line. Method according to at least one of the preceding claims, characterized in that at least one customer or a plurality of customers can operate a LANx without its own direct connection neither by radio interface, by fiber optic connection or by cable connection to a telecommunication network or to an ISPx by temporarily or permanently connected to a LANFI via any cable, radio or fiber optic connection, whereby in this procedure a logical unbundling of the subscriber line takes place since Internet connections to different ISP guests take place in the same transmission medium between LANFI and LISPFI on the subscriber line. Method according to at least one of the preceding claims, characterized in that a transport network consisting of at least the components LISPFI, the connection line and at least one LANFI can be implemented and operated without own direct subscriber line with associated DSL transmission, whereby the complete communication of the guest MDx via secured IP connections via the LANFI to the respective ISPGast (LISPs) is forwarded and according to the invention also here no deviating communication of customers with the Internet takes place, so that a complete decoupling of the network infrastructure of the network services of telecommunications and LISP takes place, creating a cost-effective Realization of the FI network as a transport network without time-consuming DSL multiplexers (Digital Subscriber Line Access Multiplexer DSLAM) and without necessary monitoring and surveillance accesses in the transport network, which is advantageous for rapid network expansion with fast Internet access in rural areas and metropolitan areas, especially if the transport network is publicly or locally funded and available to all ISPs in free competition should. Communication terminal for participation in a method for the production and implementation of communication links according to Claim 1 , characterized in that the communication terminal MD guest contains special circuit accessories, an electronic sequence control or a code-controlled computer program, which is coupled to a radio transceiver and automatically a WLAN with free Internet access FI optionally at the SSID address (for example a prefix LFI-) can be detected by comparison with a previously stored name in a memory location or alternatively automatically connects to the or the locally detectable WLAN and starts an automatic log-in procedure, which leads to the automatic detection of a LANFI in the positive case, the controller automatically or after tactile confirmation initiates an automatic connection procedure in such a way that a connection request with the destination LISPx is sent to the LANFI and after receipt of the corresponding IP address an automatic VPN connection is established, which is replaced by an eb if automatic log-in procedure is carried out fully automatically or after a tactile confirmation in the ISP guest (LISPx), wherein instead of the WLAN connection an alternative radio network can be used according to the invention. Communication terminal after Claim 11 , characterized in that the communication terminal MD contains special circuit accessories, an electronic sequence control or a code-controlled computer program, which is connected by means of a serial cable or fiber optic interface and automatically when connecting to a LANFI automatically starts a Einbuchprozedur that in the positive case for automatic detection of a LANFI leads, whereby the control automatically or after tactile confirmation initiates an automatic connection procedure in such a way that a connection request with the destination LISPx is sent to the LANFI and after receipt of the appropriate IP address an automatic VPN connection is established, which by a also automatic log-in procedure is carried out fully automatically or after tactile confirmation. Router device for participation in a method for the production and implementation of communication links according to Claim 1 , characterized in that a router with special hardware and program components is extended such that foreign terminals MD guest, which are wired via fiber or cable or alternatively via radio interface, are recognized as foreign terminals and that the router after a respective optional log Procedure can detect a connection request to an ISP guest by receiving an ISP guest identifier from the terminal and then automatically start a query in an internal list or in an external server LARS, can receive an IP address for ISP guest from LARS and then a connection between MD guest to which its ISP guest can build or, in an alternative embodiment, enables the connection between MD guest and ISP guest. Server device for participation in a method for the production and implementation of communication links according to Claim 1 , Characterized in that a server device LARS is present in connection to the public Internet, which contains at least a list of those ISP name and the corresponding IP addresses of the dial-in access to the ISPs, which meet legal requirements, and thus addressed as LISP Rating and participate in the FI procedure. An access server device for participating in a method of establishing and performing communication connections in accordance with Claim 1 , characterized in that an Internet service provider ISP or an Internet access provider IAP has an access server device with the technical facilities to manufacture and operate in conjunction with a LANFI the secure connection to a connected to the LANFI GASTFI and the required authentication and authorization. Computer program product for participation in a method for the production and implementation of communication links according to Claim 1 , characterized in that an MD is equipped with a code-controlled computer program which has connection to at least one WLAN transmitting / receiving device and / or one or more serial interfaces and programmatically automatically a WLAN with free Internet FI optionally either at the SSID address can detect by comparison with a previously stored name in a memory location or alternatively automatically connects to the or the locally detectable WLAN or alternatively again can detect the cable connection to a LANFI and starts an automatic Einbuchprozedur that leads to the automatic detection of a LANFI in the positive case , where the Automatically or after tactile confirmation initiates a connection procedure in such a way that a connection request with the destination LISPx is sent to the LANFI and after receipt of the corresponding IP address an automatic VPN connection is set up, which is also activated by an automatic log-in. Procedure or after tactile confirmation is performed, wherein alternatively or in addition to WLAN, a radio interface for the inventive method can be used.

Images