

Title:
METHOD AND APPARATUS FOR RELAYING REMOTE ACCESS FROM A PUBLIC NETWORK TO A LOCAL NETWORK
Document Type and Number:
WIPO Patent Application WO/2006/121278
Kind Code:
A1
Abstract:
The present invention relates to a method and apparatus for relaying remote access from a public network to a local network, e.g., a home network. In a method in accordance with the present invention, a first tunnel for VPN (Virtual Private Network) is set up on a public network, e.g., the Internet, such that its path thereon becomes as short as possible, and a second tunnel for VPN is also set up on an individual backbone network built by an ISP (Internet Service Provider) who provides Internet service for a home network. Afterwards, messages between a device on the public network and another device on the home network are relayed therebetween by tunneling on the first and the second tunnel.

Inventors:
LEE KYUNG JU (KR)
SONG YU KYOUNG (KR)
Application Number:
PCT/KR2006/001729
Publication Date:
November 16, 2006
Filing Date:
May 09, 2006
Assignee:
LG ELECTRONICS INC (KR)
LEE KYUNG JU (KR)
SONG YU KYOUNG (KR)
International Classes:
H04L12/28
Foreign References:
US20040037296A1 2004-02-26
Other References:
YANADA T. ET AL.: "Mobile multimedia metropolitan area network", WIRELESS COMMUNICATIONS AND NETWORKING, vol. 3, 16 March 2003 (2003-03-16) - 20 June 2003 (2003-06-20), pages 2047 - 2052, XP010640083
SHIRAISHI Y. ET AL.: "Port randomized VPN by mobile codes", CONSUMER COMMUNICATIONS AND NETWORKING CONFERENCE. CCNC. FIRST IEEE, 5 January 2004 (2004-01-05) - 8 January 2004 (2004-01-08), pages 671 - 673, XP010696985
Attorney, Agent or Firm:
Park, Lae Bong (Dongun Bldg. 413-4 Dogok 2-don, Gangnam-gu Seoul 135-272, KR)
Claims:
CLAIMS
1. A method for relaying remote access to a local network using tunneling, comprising the steps of: (a) selecting one tunneling agent among a plurality of tunneling agents and notifying connection information for the tunneling agent, if a request for connection information for remote access is received; and (b) converting a tunneling message created for remote access and received via a first network to a tunneling message for a second network, and relaying the tunneling message to a gateway device of the local network, connected to the second network.
2. The method of claim 1, wherein the step (a) selects, among the plurality of tunneling agents, the tunneling agent which has the shortest message path from the device which transmitted the request for connection information.
3. The method of claim 1, wherein the step (a) selects, among the plurality of tunneling agents, the tunneling agent which is closest, in location, to the device which transmitted the request for connection information.
4. The method of claim 1, wherein the first network is Internet and the second network is a proprietary network built by an ISP (Internet service provider) which provides Internet service for the local network.
5. The method of claim 1, wherein the selected tunneling agent acts as a VPN server for the device which transmitted the request for connection information and also acts as a VPN client for the gateway device.
6. A method for supporting remote access to a local network using tunneling, comprising the steps of: (a) receiving connection information for a server connected to a public network or a proprietary network built by an ISP (Internet service provider) and storing the received connection information; and (b) if there is a request from a remote device, providing the stored connection information for the device, wherein the server stores connection information for a plurality of tunneling agents.
7. The method of claim 6, wherein the plurality of tunneling agents are connected to a proprietary network built by an ISP.
8. A method for remote access to a local network using tunneling, comprising the steps of: (a) obtaining connection information for a tunneling agent by connecting to a server connected to a public network or a proprietary network built by an ISP (Internet service provider) using connection information for the server; (b) connecting to the tunneling agent using the obtained connection information; and (c) connecting to a gateway device of the local network via the proprietary network through the tunneling agent.
9. The method of claim 8, wherein the connection information for the server is obtained from the gateway device.
10. The method of claim 8, wherein the connection information for the server is stored in a device performing the step (a).
11. A method for relaying remote access to a local network using tunneling, comprising the steps of: (a) establishing a first tunnel for VPN on a public network and establishing a second tunnel for VPN on a proprietary network built by an ISP (Internet service provider) which provides Internet service for the local network; and (b) relaying messages exchanged between a device connected to the public network and a device connected to the local network by tunneling via the first tunnel and the second tunnel.
12. The method of claim 11, wherein the step (a) establishes the first and second tunnels such that the message path over the first tunnel is shorter than the message path over the second tunnel.
13. An apparatus constituting a network, comprising: a plurality of tunneling agents connected to both a first network and a second network; and a server for storing connection information for the plurality of tunneling agents and for selecting one tunneling agent closest to a device which makes a request for connection information and providing connection information for the selected tunneling agent for the device if the device makes a request for connection information, the server being connected to both the first and the second networks.
14. The apparatus of claim 13, further comprising a gateway device acting as a gateway for a local network, the gateway device being connected to the second network.
15. The apparatus of claim 14, wherein each of the plurality of tunneling agents acts as a VPN client for the gateway device and acts as a VPN server for a device which is connected to the first network and attempts to access the local network.
16. The apparatus of claim 14, wherein the gateway device stores connection information for the server.
17. The apparatus of claim 16, wherein the device which makes the request for connection information obtains the connection information for the server from the gateway device.
18. The apparatus of claim 14, wherein the first network is Internet and the second network is a proprietary network built by an ISP (Internet service provider) which provides Internet service for the local network.
19. An apparatus constituting a network, comprising: a plurality of devices; and a gateway device for relaying messages and managing addresses for the plurality of devices, wherein the gateway device stores connection information for a server which stores connection information for a plurality of tunneling agents performing tunneling.
20. The apparatus of claim 19, wherein the plurality of tunneling agents and the gateway device are connected to a proprietary network built by an ISP.
Description:
DESCRIPTION

METHOD AND APPARATUS FOR RELAYING REMOTE ACCESS FROM A PUBLIC NETWORK TO A LOCAL NETWORK

1. Technical Field

The present invention relates to a method and apparatus for relaying remote access from a public network to a local network such as a home network.

2. Background Art

As an increasing number of electronic appliances such as video or audio apparatuses or PCs have been used in a home and digital techniques have become dominant in video and audio signal processing, the need for communication between home electronic appliances or communication with other networks is also increasing. In addition, the demand for controlling home electronic appliances through a single mobile apparatus such as a PDA is also increasing.

To meet the demand, home networking technology has emerged for connecting home electronic appliances such as digital TVs or DVD players. The UPnP (Universal Plug and Play) is a key technology required for implementing the home network.

According to the UPnP specification, every home network requires a device for assigning addresses to elements or nodes connected to the network. The device is assigned a public IP address and thus additionally acts as a gateway to a public network to enable devices on the home network to communicate with external networks (e.g., the Internet). Such a device is called an Internet gateway device (IGD). The IGD can be a stand-alone device or embedded within another apparatus such as a PC or refrigerator. To utilize limited public IP addresses efficiently, each of the devices on the home network is generally assigned a private IP address available only on the home network instead of a public IP address.

The user of the home network can request query or control for a device on the home network using a device on the home network. The user may also want to request remote query or control for a device on the home network. In this case, a terminal which has a public IP address should communicate with a home network device which has a private IP address via the Internet; therefore an address conversion between public IP addresses and private IP addresses is required for exchanging messages. Such a conversion is called IP tunneling. The virtual private network (VPN) client-server system is one method for tunneling. In the VPN client-server system, a VPN client is executed on a remote device which requests remote access to a device on the home network, and the target device or a gateway device of the home network is equipped with a VPN server, between which the address conversion is performed. As a result, the remote terminal can communicate with a device on the local network via the public network as if the remote device were directly connected to the local network, as shown in FIG. 1.

It is common that the remote terminal accesses the home network via the Internet as shown in FIG. 1. However, data packets may be lost or a significant amount of data transmission delay may occur on the Internet. The probability of data loss and data transmission delay increase in proportion to the length of the path across which data packets travel. Therefore, the data loss and data transmission delay may become critical when the home network is accessed from a remote site which is distant from the home network.

3. Disclosure of the Invention

It is an object of the present invention to provide a method and apparatus for relaying remote access from a public network to a local network via the network of the Internet service provider (ISP) which provides the Internet service for the local network such that the network of the ISP is utilized as much as possible.

A method for relaying remote access to a local network according to the invention selects one tunneling agent from among a plurality of tunneling agents and provides connection information for the tunneling agent if a request for connection information for remote access is received, converts a tunneling message created for remote access and received via a first network to a tunneling message for a second network, and relays the tunneling message to a gateway device of the local network, connected to the second network.

Another method for relaying remote access to a local network according to the invention establishes a first tunnel for VPN on a public network and a second tunnel for VPN on a proprietary network built by an ISP which provides Internet service for the local network and relays messages exchanged between a device connected to the public network and a device connected to the local network with tunneling via the first tunnel and the second tunnel.

A method for supporting remote access to a local network according to the invention stores connection information for a server connected to a first or a second network and provides the stored connection information if there is a request from a remote device, the server storing connection information for a plurality of tunneling agents.

A method for remote access to a local network according to the invention obtains connection information for a tunneling agent by connecting to a server connected to a first network using connection information for the server, connects to the tunneling agent using the obtained connection information, and connects to a gateway device of the local network via a proprietary network built by an ISP which provides Internet service for the local network through the tunneling agent.

In one embodiment of the invention, the first network is the Internet and the second network is a proprietary network built by an ISP (Internet service provider) which provides Internet service for the local network.

In one embodiment of the invention, the tunneling agent which is closest in location to the device attempting remote access to the local network or has the shortest message path from the device is selected from among the plurality of tunneling agents.

In one embodiment of the invention, the connection information for the server is stored in the gateway device of the local network and provided for a device attempting remote access to the local network.

In another embodiment of the invention, the connection information for the server is stored in a device attempting remote access to the local network or a program running thereon.

4. Brief Description of the Drawings

FIG. 1 illustrates a typical network structure on which the data path for a remote access to a home network is marked;

FIG. 2 illustrates a network structure in accordance with one embodiment of the present invention and the steps for relaying a remote access performed thereon; and

FIG. 3 illustrates an address conversion process for tunneling performed during the relay of a remote access in accordance with one embodiment of the present invention.

5. Best Mode for Carrying Out the Invention

In order that the invention may be fully understood, preferred embodiments thereof will now be described with reference to the accompanying drawings.

FIG. 2 shows a network structure in accordance with one embodiment of the present invention and the steps for relaying a remote access performed thereon. The network includes a tunneling managing server 10 and a tunneling agent 11 for performing the tunneling of messages. The tunneling agent 11 is one of a plurality of tunneling agents connected to the backbone network of the ISP which provides the Internet service for the home network. The tunneling managing server 10 is also built up by the ISP. In FIG. 2, the tunneling managing server 10, a server built by the ISP, is connected to a public network but the tunneling managing server 10 can also be connected to the backbone network of the ISP. The backbone network of the ISP is a proprietary network (e.g., a nationwide individual network), on which the packet transmission delay is very small and QoS (quality of service) which does not yield data loss is provided, which is a general property of common ISP backbone networks.

A VPN client is executed on a remote terminal 2 and a VPN server is executed on an internet gateway device (IGD) 1 of the home network to which a plurality of devices are connected. In one embodiment of the invention, the address information of the tunneling managing server 10 (e.g., the IP address thereof) is set in the IGD 1. In another embodiment of the invention, the IP address of the tunneling managing server 10 may be set in the remote terminal 2 or the VPN client running thereon.

The method for relaying remote access in accordance with one embodiment of the invention will now be described in detail.

A user first invokes the VPN client on the remote terminal 2. When invoked, the VPN client transmits information provided by the user to the tunneling managing server 10 together with a request for tunneling information (S01). The information provided by the user comprises a unique ID assigned to the home network or a user of the home network and a password. If necessary, the information may further comprise location information indicative of the current remote site. Address information for accessing the tunneling managing server 10 is set in the VPN client. If the VPN client does not have the address information, the VPN client obtains the address information from the IGD 1 after connecting to the IGD 1.

The tunneling managing server 10 determines the tunneling information, after authentication if necessary, based on the information provided by the VPN client (S02) and provides the tunneling information for the VPN client (S03). The provided tunneling information includes address information of the tunneling agent to which the VPN client will connect (e.g., the IP address of the tunneling agent). The tunneling managing server 10 selects one tunneling agent from among the plurality of tunneling agents connected to the backbone network of the ISP to which the tunneling managing server 10 belongs and provides the address information of the selected tunneling agent. The selection is based on the shortest path across the public network GN (e.g., the Internet) from the VPN client which requests the tunneling information. This guarantees that messages travel across the backbone network of the ISP as much as possible rather than the public network.

In one embodiment of the invention, the tunneling agent which is closest, in location, to the VPN client which requests the tunneling information is selected as the tunneling agent having the shortest path across the public network GN. To this end, the tunneling managing server 10 has location information about every tunneling agent connected to the backbone network of the ISP to which it belongs. To determine the tunneling agent closest in location, the tunneling managing server 10 utilizes either the location information which is received by the VPN client from the user and then transmitted by the VPN client or the information stored in an IGD (not illustrated here) for relaying data packets to the tunneling managing server 10.

In another embodiment of the invention, the IP address of the sender of the data packet transmitted from the VPN client may be utilized. In this case, an IP address assignment scheme which assigns IP addresses according to location is required and the tunneling managing server 10 stores information on the IP address assignment scheme.

In another embodiment of the invention, instead of the tunneling agent which is closest in location, a tunneling agent which the message for requesting the tunneling information reaches via the minimum number of links on the public network is selected based on information about various data routes of major remote access zones across the public network GN if the information about the various data routes is available in advance.

Receiving the tunneling information, the VPN client running on the remote terminal 2 connects to the tunneling agent 11, which is specified to be closest, in location, to the VPN client by the tunneling information (S04), thereby establishing a first VPN tunnel. If the first VPN tunnel is established, the tunneling agent 11 executes a VPN client (S05) and requests a connection to the VPN server running on the IGD 1 (S06). The information required to specify the IGD 1, which may be either the IP address or the domain name thereof, can be provided by the user via the VPN client running on the remote terminal 2 after the first VPN tunnel is established.

The VPN client running on the tunneling agent 11 connects to the VPN server running on the IGD 1, thereby establishing a second VPN tunnel. As shown in FIG. 2, the second VPN tunnel is established on the backbone network BN built by the ISP. As a result, the second VPN tunnel can take advantage of the high quality services (e.g., small delay time, no loss of data packets, etc.) available on the backbone network BN.

If the second VPN tunnel is established, the tunneling agent 11 creates address mapping information required between the VPN server for the first VPN tunnel and the VPN client for the second VPN tunnel. The address mapping information is created based on socket information for establishing each of the tunnels.

FIG. 3 shows the steps required for exchanging messages between the remote terminal 2 (e.g., PDA) having a public IP address and a media server 1a having a private IP address available only on the home network HN. In FIG. 3, domain names such as private.m_server and public.IGD are used for brevity of explanation. Because there is one-to-one correspondence between the domain names and IP addresses, the domain names can be regarded as IP addresses; private.xxx and public.xxx denote a private IP address and a public IP address, respectively.

When transmitting data 31c to the media server 1a, the remote terminal 2 sets the destination and source (Dest/Src) of the data 31c to private.m_server and public.PDA 31b, respectively. Because the media server 1a cannot be identified by its private address, private.m_server, on the public network, the remote terminal 2 creates a tunneling message 31 by appending an IP address header 31a for the public network GN (Dest/Src=public.tnl_agent/public.PDA) to the front of the data 31c having the source and destination information 31b. This process is required to send the data 31c destined for the media server 1a to the tunneling agent 11 having the corresponding VPN server first via the public network GN.

The tunneling message 31 arrives at the tunneling agent 11 via the public network GN. The VPN server running on the tunneling agent 11 hands over the received tunneling message 31 to the VPN client after removing the IP address header 31a thereof. The VPN client changes the source of the received message 31b + 31c to the address assigned to it, i.e., public.tnl_agent, and appends an IP address header 31x for setting the destination of the message 31b + 31c to the IGD 1 on which the corresponding VPN server executes to the front thereof. As a consequence, the IP address header 31a transmitted from the VPN client running on the remote terminal 2 is converted to the IP address header 31x to be transmitted to the IGD 1 (S31). The created address mapping information is utilized during the address conversion process.

The tunneling message initially transmitted by the remote terminal 2 is converted to a tunneling message for the backbone network built by the ISP by the address conversion process and received by the IGD 1 via the backbone network. The IGD 1 removes the IP address header 31x from the received message so that the sub-address header 31b for specifying the real destination on the home network appears first and thereby the data 31c of the original tunneling message is finally received by the media server 1a.

To send a response to the remote terminal 2, the media server 1a, responsive to the received message, creates a response message 32 by appending a header 32a having the source contained in the received message, public.tnl_agent, as the destination and its private IP address as the source to the front of data and transmits the response message 32 to the home network. The transmitted response message 32 is received by the IGD 1 because the destination thereof is a public IP address. Because the source thereof is not a public IP address, the IGD 1 creates a new IP address header 33 and appends the created new IP address header to the front of the received message 32. In the new IP address header 33, the destination of the received response message 32 is copied to the destination and the public IP address of the IGD 1, public.IGD, is stored as the source. The constructed tunneling message 32+33 reaches the tunneling agent 11 via the backbone network of the ISP. The tunneling agent 11 changes the sub-address having the IP address thereof as the destination to the public IP address of the remote terminal 2, public.PDA, and converts the IP address header 33 into another IP address header 34 destined for the remote terminal 2 (S32). As a consequence, the data 32b transmitted by the media server 1a is finally received by the remote terminal 2 via the public network.

According to the aforementioned procedure, messages exchanged between the remote terminal 2 on the public network and another device on the home network are relayed therebetween by the tunneling agent 11, which is closest in location to the remote terminal 2 or has the shortest path from the remote terminal 2 over the public network, so that the shortest possible path is formed on the public network and most of the path is formed on the backbone network of the ISP for relaying the messages. As the backbone network of the ISP guarantees QoS, the remote user does not have to wait for a long time before a response to a request message is received.
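The header conversions S31 and S32 of FIG. 3 can be traced in a short Python model; this is an added illustration, not code from the patent application. The class and function names, the address-keyed mapping table (the description derives it from socket information), the source address placed in headers 31x and 34, and the rule that unmapped messages are dropped are all assumptions of this sketch.

```python
from dataclasses import dataclass, replace
from typing import Optional

PDA, AGENT, IGD, M_SERVER = ("public.PDA", "public.tnl_agent",
                             "public.IGD", "private.m_server")

@dataclass(frozen=True)
class Header:
    dest: str
    src: str

@dataclass(frozen=True)
class TunnelMessage:
    outer: Header  # header for the carrying network (31a, 31x, 33, 34)
    inner: Header  # sub-address header with the real endpoints (31b, 32a)
    data: bytes

class TunnelingAgent:
    """VPN server toward the remote terminal, VPN client toward the IGD."""

    def __init__(self, address: str):
        self.address = address
        self._gateway_for = {}  # first-tunnel peer -> second-tunnel peer
        self._remote_for = {}   # second-tunnel peer -> first-tunnel peer

    def map_tunnels(self, remote: str, gateway: str) -> None:
        # Assumption: keyed by peer address (one remote per gateway); the
        # page derives the mapping from each tunnel's socket information.
        self._gateway_for[remote] = gateway
        self._remote_for[gateway] = remote

    def to_backbone(self, msg: TunnelMessage) -> Optional[TunnelMessage]:
        """S31: strip 31a, rewrite the inner source, prepend 31x."""
        gateway = self._gateway_for.get(msg.outer.src)
        if msg.outer.dest != self.address or gateway is None:
            return None  # added check: no established tunnel pair, drop
        inner = replace(msg.inner, src=self.address)
        # Assumption: 31x carries the agent's own address as its source.
        return TunnelMessage(Header(gateway, self.address), inner, msg.data)

    def to_public(self, msg: TunnelMessage) -> Optional[TunnelMessage]:
        """S32: restore the inner destination, convert header 33 into 34."""
        remote = self._remote_for.get(msg.outer.src)
        if msg.inner.dest != self.address or remote is None:
            return None  # added check: reply does not match a mapping, drop
        inner = replace(msg.inner, dest=remote)
        return TunnelMessage(Header(remote, self.address), inner, msg.data)

def remote_send(data: bytes) -> TunnelMessage:
    """Remote terminal: data 31c + sub-address 31b, wrapped in 31a."""
    return TunnelMessage(Header(AGENT, PDA), Header(M_SERVER, PDA), data)

def igd_wrap_reply(reply_to: Header, data: bytes) -> TunnelMessage:
    """Media server builds 32a from the received source; IGD prepends 33."""
    inner = Header(dest=reply_to.src, src=M_SERVER)
    return TunnelMessage(Header(inner.dest, IGD), inner, data)

def round_trip(request: bytes, response: bytes):
    """Return the message as seen on each of the four tunnel legs."""
    agent = TunnelingAgent(AGENT)
    agent.map_tunnels(PDA, IGD)
    leg1 = remote_send(request)                    # public network
    leg2 = agent.to_backbone(leg1)                 # ISP backbone
    leg3 = igd_wrap_reply(leg2.inner, response)    # ISP backbone
    leg4 = agent.to_public(leg3)                   # public network
    return leg1, leg2, leg3, leg4

if __name__ == "__main__":
    for leg in round_trip(b"GET /status", b"OK"):
        print(leg)
```

The media server only ever sees public.tnl_agent as its peer, so the mapping table at the tunneling agent is the single place where a reply is bound back to a particular remote terminal.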

The present invention described in detail with reference to the preferred embodiments can reduce the time required for remote access to a home network using VPN significantly, thereby improving the convenience of the home network. While the invention has been disclosed with respect to a limited number of embodiments, those skilled in the art, having the benefit of this disclosure, will appreciate numerous modifications and variations therefrom. It is intended that all such modifications and variations fall within the spirit and scope of the invention.