(19)
(11)EP 2 239 709 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
06.05.2020 Bulletin 2020/19

(21)Application number: 10157640.3

(22)Date of filing:  24.03.2010
(51)Int. Cl.: 
G07C 5/00  (2006.01)

(54)

METHODS, APPARATUS AND SYSTEMS FOR ACCESSING VEHICLE OPERATIONAL DATA USING AN INTELLIGENT NETWORK ROUTER

Verfahren, Vorrichtungen und Systeme zum Zugreifen auf Fahrzeugbetriebsdaten mittels intelligenter Netzwerkrouter

Procédés, appareil et systèmes pour accéder aux données opérationnelles de véhicule utilisant un routeur de réseau intelligent


(84)Designated Contracting States:
AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

(30)Priority: 09.04.2009 US 421505

(43)Date of publication of application:
13.10.2010 Bulletin 2010/41

(73)Proprietor: Honeywell International Inc.
Morris Plains, NJ 07950 (US)

(72)Inventor:
  • Mahalingaiah, Pradeep
    Morristown, NJ 07962-2245 (US)

(74)Representative: Houghton, Mark Phillip et al
Patent Outsourcing Limited 1 King Street
Bakewell, Derbyshire DE45 1DZ
Bakewell, Derbyshire DE45 1DZ (GB)


(56)References cited: : 
WO-A1-02/103932
US-A1- 2009 010 200
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description

    FIELD OF THE INVENTION



    [0001] The present invention generally relates to the remote retrieval of information from a host computer, and more particularly relates to the remote access and retrieval of aircraft maintenance data from an aircraft by a plurality of maintenance information users.

    BACKGROUND OF THE INVENTION



    [0002] Modern aircraft are often configured with various systems that monitor and record data during flight operations for later analysis by maintenance personnel. The data typically resides in a central maintenance computer ("CMC") somewhere aboard the aircraft. The CMC may be further equipped with a local terminal whereby a maintenance person interrogates the CMC to determine the "health" of the aircraft by determining what components may be in need of replacement or repair. This type of aircraft health monitoring activity occurs on a regular basis and/or when needed.

    [0003] Traditionally health monitoring of an aircraft required maintenance personnel to remain at, and work from, the CMC terminal. Maintenance personal were therefore required to travel to and remain onboard the aircraft to perform the requisite testing, all of which consumed valuable maintenance hours. Further, only a single mechanic at a time could access the information stored in the CMC.

    [0004] Accordingly, it is desirable to provide a method and system allowing more efficient access to vehicle health information resident within a vehicle. In addition, it is desirable to provide remote access to the health information by a plurality of users. Furthermore, other desirable features and characteristics of the present invention will become apparent from the subsequent detailed description of the invention and the appended claims, taken in conjunction with the accompanying drawings and this background of the invention.

    [0005] WO2002103932A1 discloses a method and system for providing data communication services over public wireless systems. The system includes a data communication server, having a plurality of interface units, for facilitating data communication between a moving object and one or more ground terminals via a radio communication path. The data communication server establishes the radio communication path over one of a plurality of wireless data networks including packet data networks and satellite data networks and preferably includes a pre-determined software architecture.

    [0006] US20090010200A1 describes a system for creating an air-to-ground IP tunnel in an airborne wireless cellular network to differentiate individual passengers which assigns a single IP address to each Point-to-Point Protocol link connecting the aircraft network to the ground-based communication network and creates an IP subnet onboard the aircraft. The IP subnet utilizes a plurality of IP addresses for each Point-to-Point link, enabling each passenger wireless device to be uniquely identified with their own IP address. This is enabled since both Point-to-Point Protocol IPCP endpoints have pre-defined IP address pools and / or topology configured, so each Point-to-Point Protocol endpoint can utilize a greater number of IP addresses than one per link.

    SUMMARY



    [0007] The present invention provides for a system for securely accessing a source of data from a vehicle and a corresponding method as claimed in the accompanying claims.

    BRIEF DESCRIPTION OF THE DRAWINGS



    [0008] 

    Figure 1 is a block diagram illustrating an exemplary network disclosed herein.

    Figure 2 is an illustration of exemplary Graphical User Interface.

    Figure 3 is a flow diagram illustrating an exemplary embodiment of the method disclosed herein.


    DETAILED DESCRIPTION OF THE INVENTION



    [0009] The following detailed description of the invention is merely exemplary in nature and is not intended to limit the invention or the application and uses of the invention. Furthermore, there is no intention to be bound by any theory presented in the preceding background of the invention or the following detailed description of the invention.

    [0010] The subject matter now will be described more fully below with reference to the attached drawings which are illustrative of various embodiments disclosed herein. Like numbers refer to like objects throughout the following disclosure. The attached drawings have been simplified to clarify the understanding of the systems, devices and methods disclosed. The subject matter may be embodied in a variety of forms. The exemplary configurations and descriptions, infra, are provided to more fully convey the subject matter disclosed herein.

    [0011] The subject matter herein will be disclosed below in the context of an aircraft. However, it will be understood by those of ordinary skill in the art that the subject matter is similarly applicable to many vehicle types and information types. Non-limiting examples of other vehicle types in which the subject matter herein below may be applied includes aircraft, spacecraft, watercraft and terrestrial motor vehicles. Without limitation, terrestrial motor vehicles may also include military combat and support vehicles of any description. The subject matter disclosed herein may also be incorporated into any suitable communication and/or computing system that currently exists or that may be developed in the future and may utilize any suitable router, network or other type of communication node known in the art.

    [0012] Figure 1 depicts of an exemplary embodiment of the subject matter disclosed herein. An exemplary communication network 100 is presented allowing remote access to a plurality of aircraft systems 110 by a plurality of technicians (1, 2...N) 120. The network 100 comprises at least one communication device 130 associated with the plurality of technicians 120, a communications node or a router 140, and at least one onboard gateway/protocol server 150. The gateway/protocol server 150 is in operable communication with one or more of the aircraft systems 110. The network 100 may be a wireline network, a wireless network or a combination thereof and may utilize any suitable wireless protocol as may be found useful. A non-limiting exemplary wireless protocol may be one of the IEEE 802.11 family of wireless protocols of which non-limiting examples may include Wi-fi, Wi-max, Bluetooth and Zigbee.

    [0013] Preferably, each technician 120 of the plurality is assigned, or otherwise associated with, a communication device 130 that has been programmed with its own unique identifier such as a source IP ("SrcIP") address. In other embodiments a single, or a small number of communication devices, may be used by the plurality of technicians. Each technician 120 may be identified by their own unique security pass code such as a traditional sign-on and password.

    [0014] The communication device 130 may be any suitable communication device that may be configured to digitally communicate over network 100. Non-limiting examples of a communication device 130 may be a computer, a lap top computer, a hand held computer, a cell phone, a personal digital assistant, a pager and the like that currently exist or that may be developed in the future. For the sake of brevity and clarity, the communications device 130 will be referred to hereinafter as a maintenance laptop ("ML") 130.

    [0015] The ML 130 may execute a number of software applications that may, for example, include an operating system (not shown), graphical user interface ("GUI") 200, and/or a web browser (not shown). The ML 130 may also execute various maintenance related applications. A non-limiting example of a maintenance related application is a Maintenance Control Display Function ("MCDF") 160.

    [0016] The MCDF 160, is a user interface application that allows the technician to communicate remotely with the onboard gateway/protocol server 150 via the GUI 200 that is rendered on his ML 130. The onboard gateway/protocol server may be the onboard maintenance system ("OMS") 150 and will be referred to as such hereinafter.

    [0017] Figure 2 illustrates a non-limiting example of such a GUI 200. Among other control features that will be appreciated as being well known in the art, the GUI 200 may include a drop down menu feature 109 that provides the technician 120 with a selection of an aircraft's systems 110 with which the MCDF 160 may communicate.

    [0018] The MCDF 160 may also be operable to launch a web browser that is commonly used to establish network communications. A non-limiting example of such a web browser is Internet Explorer® which is distributed by Microsoft Corporation of Redmond, Washington. However, it will be appreciated that communications across the network 100 may be established using other published and/or proprietary software.

    [0019] The ML 130 may be further configured to send and receive packetized communications across the network 100, to and from a destination IP address. The destination address may refer to an onboard computer such as the onboard computer 180. The onboard computer180 may be any suitably configured computing device such as the vehicle's central maintenance computer ("CMC") or other computing device working in conjunction with the vehicle's central maintenance computer such as OMLS 150. For the sake of brevity and clarity, the onboard computer 180 will be henceforth referred to as the vehicle's CMC 180.

    [0020] The CMC 180 may comprise a number of interrelated modules with different functions. These modules may comprise hardware, software, firmware or a combination thereof. One module is the OMS 150 which acts as a gateway/protocol server to other maintenance modules. Other maintenance modules may include an Onboard Maintenance Laptop Support ("OMLS") module 183, a Configuration Module ("CM") 186, and a Maintenance Terminal Function ("MTF") 189. The OMLS 183, the CM 186 and the MTF 189 may operate independently, may operate in cooperation with each other, or may operate as sub-modules to the OMS 150. The functions of the OMLS 183, the CM 186 and the MTF 189 will be discussed more fully below.

    [0021] As described above, the network 100 may also include a communication node 140. Non-limiting examples of a communication node 140 may be any type of computing device capable of sending, receiving and processing packetized digital data as is well known in the art. The communications node 140 may be a general purpose computer, a special purpose computer, a router, a digital switch and the like that is configured to process and transmit packetized data. The communication node 140 may also be an intermediary communications network such as the internet or a telephonic communication system (e.g. a packet switched telephone network ("PSTN")).

    [0022] Among other functions, the communication node 140 may perform IP address translation which may serve to mask a session connection between network participants, thereby providing a layer of communications security. The communications node 140 may also act as a firewall which guards access to the CMC 180. For the sake of clarity and brevity, the communications node 140 will be referred to hereinafter as a router 140.

    [0023] In an exemplary embodiment, the router 140 may include a Network Intelligence Module ("NIM") 170. The NIM 170 may be comprised of software, hardware, firmware or a combination thereof. The NIM 170 is a security and traffic control module that maps (i.e. translates) communication requests from the various ML's 130, to various replies to those requests transmitted from a host computer, such as the CMC 180. The translation may include the use of SrcIP addresses that may be foreign to the initiating ML 130.

    [0024] Specifically, the router 140 acts as a firewall between the various ML's 130 and the CMC 180. The NIM 170 then acts to create a tunnel 141 through the router140. As may be appreciated, the IP tunnel 141 is a means for connecting two distinct IP networks that do not have a native routing path over which to communicate with each other. The tunnel 141 may also be used to create a virtual private network ("VPN") across a public network such as the internet. It will be appreciated that an IP tunnel 141 operates by establishing a gateway (i.e. a computing device or software module) at either end of the IP tunnel 141. The first gateway encapsulates a message created in one network within another message format that is native to the intermediary network and then reverses the process at the other end of the tunnel 141 to retrieve the original message by the second gateway. As will be more fully described below, the NIM 170 creates an IP tunnel 141 allowing limited user access to the CMC 180 through the router 140 and/or network(s) 303. (See Fig. 3)

    [0025] A SrcIP address is a logical address that is assigned to devices participating in a computer network for communication with and between the various network nodes. Although a binary number, an exemplary human readable IP address may take the form of 123.45.188.166, using the internationally recognized version 4, 32-bit format or take the form of 2001:db8:0:1234:0:567:1:1 using the version 6, 128 bit format.

    [0026] IP source addresses may be static addresses that are assigned to a particular network node or may be dynamic addresses that change each time that the computing device acting as a network participant is powered up. The IP source addresses contemplated herein may be either static or dynamic. However, in the interest of clarity and brevity, only the use of static SrcIP addresses will be discussed herein. The use of dynamic SrcIP addresses requires additional housekeeping functions to merely keep track and update the addresses of various components of the network 100 and, while well known in the art, extend beyond the scope of this disclosure. To further improve clarity, SrcIP addresses will be represented in the form (ABCD)i instead of the 32 or 128 bit formats discussed above.

    [0027] As touched on above, the OMS 150 comprises a number of modules. The OMLS module 183 may act as a gateway server or a protocol server for the OMS 150. The OMLS 183 may be comprised of software, hardware, firmware or a combination thereof. As will be more fully described below, the OMLS 183 receives a connection request message from an MCDF 160 and determines whether the SrcIP address in the connection request message is one of a number of authorized SrcIP addresses that are stored in the CM 186. The CM 186 stores a defined list of SrcIP addresses that are pre-authorized to communicate with the MTF module 189 and maintains a registry of those addresses. For example, if the SrcIP address is not recognized by the CM 186, then a denial message is retuned to the requesting MCDF 160. If the SrcIP address is recognized, then communications between the MTF module 189 and the ML 130 is allowed.

    [0028] The MTF module 189 is a computer interface that receives a request for data from an ML 130 and retrieves the requested data from one or more aircraft system 110 executing within the CMC 180, or retrieves the data from a standalone application executing within an aircraft system 110. The MTF 189 may also cause an application to provide information directly. The requested data may also be retrieved from a storage location (not shown) within the CMC 180. Upon receiving the data request, the MTF 189 then formats the information and transmits a reply message back to the SrcIP address that includes the requested information. The MTF 189 may be comprised of software, hardware, firmware or a combination thereof.

    [0029] Figure 3 is a flow diagram of an exemplary embodiment that may be used to establish remote, authorized communications between a technician 120 utilizing an ML 130 and the CMC 180 of an aircraft. It will be appreciated that as an exemplary embodiment, the method of Figure 3 may be altered and still remain within the scope of the disclosure herein. Processes may be broken out into sub-processes, processes may be combined into higher level processes and processes may be replaced with other processes that may accomplish the same or a similar function.

    [0030] At process 300, the technician 120 may launch a web browser 161 from his ML 130 which sends a request message 301 to the CMC 180 onboard a particular aircraft that may be parked on the tarmac at a particular location. The tunnel request message 301 may have any number of digital formats as may be known in the art that are suitable for traversing the network(s) 100. The request message may have at least a SrcIP address of the requesting ML (ABCD)i and a message header indicating that the message is a request message 301 and also indicating the network destination address of the CMC 180 onboard the aircraft.

    [0031] The aircraft may be at the same location as the technician 120 or it may be at location very remote from the technician 120. Further, the technician may be a third party contractor and may not be under the direct employ of either the operating airline or the manufacturer of the aircraft. As such, any communications between the ML 130 and the CMC 180 may occur over several different intermediary networks 303 that may range from private local area networks ("LAN"), to the internet, or a telephone network such as a PSTN..

    [0032] At decision point 307, the request message 301 passes through the router 140 which may or may not be associated with the location of the aircraft. It will be appreciated that the router 140 may be physically located anywhere but still be associated with and in operable communication with the aircraft. When received, the router 140 recognizes the intended destination IP address of the tunnel request message 301 and intercepts it. In other embodiments, the tunnel request message 301 may be addressed to the router 140 with a forwarding IP address of the intended destination which is the CMC 180 of the aircraft.

    [0033] Within the router 140, the NIM 170 scrutinizes the tunnel request message header to determine if the SrcIP address (ABCD)i in the header is a SrcIP address of an authorized ML 130. If the SrcIP address is not recognized or is not authorized, the tunnel request message 301 is rejected at process 314. The NIM 170 may determine that the SrcIP address (ABCD)i is not an authorized address by comparing the SrcIP address (ABCD)i to a set of pre-authorized source addresses that are stored in the NIM 170, or in a memory device (not shown) in operable communication with the NIM 170.

    [0034] If the SrcIP address (ABCD)i is recognized and authorized, then the NIM 170 assigns a tunnel 141 address (PQRS)i from a list of pre-established tunnel addresses (PQRS)i-n that will be automatically recognized and forwarded by the router 140. A tunnel reply message 302 is then returned to the requesting MLi 130 by the router 140 that includes the assigned tunnel 141 address (PQRS)i.

    [0035] At process 328, the requesting MLi 130 sends a connection request message 324 to the CMC 180 of the aircraft of interest. The message is a nested message as is known in the art that allows unhindered tunneling across an intermediary network such as the router 140. As such, the connection request message 324 will exhibit the tunnel 141 SrcIP address (PQRS)i with the actual SrcIP address of the MLi (ABCD)i being encapsulated within body of the connection request message 324.

    [0036] At process 335, the router 140 receives the connection request message 324. The router 140 then acknowledges the tunnel 141 source ID address (PQRS)i, changes the SrcIP address in the message from (PQRS)i to (WXYZ)i, and then forwards the amended connection request message 324' to the OMS 150 of the destination CCM 180. The SrcIP address (PQRS)i is encapsulated within the body of the amended request message 324'. The purpose of changing the SrcIP address from (PQRS)i to (WXYZ)i is one of security. The CM 186 aboard the aircraft may only recognize a limited number of authorized SrcIP addresses of which (ABCD)i and (PQRS)i may not be included.

    [0037] When the amended communication request 324' is received at the CMC 180, a determination is made as to whether the SrcIP address (WXYZ)i is a SrcIP address that is recognized by the OMLS 183, at decision point 342. This determination may be accomplished by comparing the SrcIP addresses (WXYZ)i to a list of pre-authorized SrcIP addresses stored in the CM 186. This list may be referred to as a Logical Diagnostic Index ("LDI") 187. If the SrcIP address (WXYZ)i is not recognized from the LDI, the amended connection request message 324' is rejected. If the SrcIP addresses (WXYZ)i is recognized from the LDI, then a communication session 371 is granted by the OMLS 183 at process 356. The communication session 371 will be conducted between the MTF 189 and the MLi 130. Also at process 356, a router flag or a router bit is set indicating that the message may be automatically passed through the router 140. The router flag is also set for all subsequent messages sent and received during the communication session.

    [0038] To confirm that the communication session 371 is granted, a unicast completion message 357 is sent back to the requesting MLi 130. The unicast message may now utilize the IP addresses (PQRS)i and (WXYZ)i as destination IP addresses. At process 385, the communication session 371 is conducted through the tunnel 141 in the same manner discussed above, using the same SrcIP addresses (PQRS)i and (WXYZ)i to pass back and forth through the router 140 .

    [0039] Concurrently with the communication session 371 being granted, the SrcIP address (WXYZ)i is registered at the CM 186. The OLMS 183 reads the encapsulated SrcIP address (PQRS)i, associates and records the encapsulated SrcIP address (PQRS)i address with the corresponding SrcIP address (WXYZ)i in the CM 186.

    [0040] In order to control the number of MLs that can conduct a simultaneous communication session 371 with the MTF 189, the CM 186 may have a finite register 188. As each communication session 371 is granted, the registration of the SrcIP address (WXYZ)i takes one available registration slot in the register 188. When the available slots on the register 188 are completely filled then all further communication requests are summarily rejected until a communication session 371 is broken down and a slot in the register 188 becomes available. One of ordinary skill in the art will recognize the slots in the register 188 may have a relationship to a number of communication ports of the OMLS 183 or the MTF 189 as may be the case depending on the design of the OMS 150.

    [0041] The CM 186 may comprise a memory 187 in which is stored the LDI 187 and the register 188. Before the OMLS 183 may allow the MTF 189 to commence a communication session 371 between the MTF 189 and the MLi 130, a recognizable source address (WXYZ)i must be received by the OMLS 183 that is also on the LDI 187. This precaution ensures that the CMC 180 does not communicate with an unauthorized computing device.

    [0042] It will be appreciated that the maintenance information on an aircraft would be sensitive information. As such, requiring the validation of the original source ID (ABCD)i by the router 140, changing the source ID first to (PQRS)i to gain tunnel access through the router 140 and then changing the SrcIP address to (WXYZ)i in order to be recognized by the CMC 180, provides three levels of security. The disclosed method thereby complicates access by an unauthorized computing device.

    [0043] After a session 371 has been commenced, the MCDFi 160 may periodically transmit a keep-alive message to the OMLS 183 to determine if the communication link through the tunnel 141 is still intact. If after a predefined number of keep-alive retrys has failed to raise a response from the OMLS 183 (e.g. 3 retrys), then it is assumed that the connection with the OMLS 183 has been lost. At that point the flow diagram returns to process 328 where a new connection request message 324 is sent. If the connection has been lost to MLi, the SrcIP address (WXYZ)i and (PQRS)i corresponding to MLi 130 are unregistered from the CM 186, thus freeing up a communications slot for another ML 130.

    [0044] Further, after a session 371 has been commenced, the MCDFi 160 may periodically transmit a list of currently accessed aircraft systems 110 to the OMLS 183 that are being accessed directly from the MTF 189 by the MLi130 such that the OMS 150 may properly coordinate communications functions, interfaces and data delivery among the OMLS 183, CM 186 and MTF 189.

    [0045] While at least one exemplary embodiment has been presented in the foregoing detailed description of the invention, it should be appreciated that a vast number of variations exist. It should also be appreciated that the exemplary embodiment or exemplary embodiments are only examples, and are not intended to limit the scope, applicability, or configuration of the invention in any way. Rather, the foregoing detailed description will provide those skilled in the art with a convenient road map for implementing an exemplary embodiment of the invention, it being understood that various changes may be made in the function and arrangement of elements described in an exemplary embodiment without departing from the scope of the invention as set forth in the appended claims.


    Claims

    1. A system for securely accessing a source of data from a vehicle, comprising: an internet protocol (IP) network(303);
    a remote communication device (130) in communication with the IP network (303), the remote communication device (130) being configured to transmit and receive data; a first intermediary computing device (140) within the IP network (303), the first intermediary computing device (140) preventing communication between the remote communication device (130) and a source of the data (110), wherein the first intermediary computing device (140) is configured to allow communications between the remote communication device (130) and the source of the data (110) when the first intermediary computing device (140) determines that a first source internet protocol, SrcIP, address of the remote communication device (130) is an authorized first SrcIP address, and wherein, when the first intermediary computing device (140) determines that the first SrcIP address of the remote communication device (130) is an authorized first SrcIP address, an internet protocol tunnel is created between the remote communication device and the source of the data and the first intermediary computing device (140) is configured to change the first SrcIP address to a second SrcIP address different to the authorized first SrcIP address; the system further comprising a second intermediary computing device (180) within the network (303) behind the first intermediary computing device (140), the second intermediary computing device (180) preventing communication between the remote communication device (130) and the source of the data (110), wherein the second intermediary computing device (180) is configured to allow communications between the remote communication device (130) and the source of the data (110) when the second intermediary computing device (180) determines that the second SrcIP address of the remote communication device (130) is an authorized second SrcIP address.
     
    2. The system of claim 1, wherein the first intermediary computing device (140) includes a first module (170), the first module (170) containing a list of the authorized first SrcIP addresses.
     
    3. The system of claim 1 or 2, wherein the second intermediary computing device (180) includes a second module (186), the second module (186) containing a list of the authorized SrcIP addresses.
     
    4. A method for securely accessing a source of data (110), comprising:

    receiving, at a first intermediary computing device (140) a tunnel request message (301) from a remote communication device (130), the remote communication device (130) having a first source internet protocol, SrcIP, address;

    determining if the first SrcIP address is an authorized first SrcIP address;

    if the first SrcIP address is an authorized first SrcIP address, establishing an IP tunnel (141) by assigning a second SrcIP address, different to the first SrcIP address, to the remote communication device (130), wherein the second SrcIP address is an automatically authorized SrcIP address by the first intermediary computing device (140), otherwise rejecting the tunnel request message (141);

    sending a reply message (302) to the remote communication device (130) with the second SrcIP address acknowledging access to the source of the data (110);

    receiving, at the first intermediary computing device (140), a connection request message (324) from the remote communication device (130) for connection to a source of data (110), the connection request message (324) including the second SrcIP address;

    encapsulating the second SrcIP address within an amended connection message (324');
    using a second intermediary computing device (180), determining if the second SrcIP is an authorized second SrcIP address;

    if the second SrcIP is an authorized second SrcIP address, assigning a third SrcIP address to the amended connection message (324'), wherein

    the third SrcIP address is recognized as an authorized SrcIP address by the source of the data (110); and

    relaying subsequent messages associated with the data between the remote communications device (130) and the source of the data (110) through the IP tunnel (141) utilizing both the first SrcIP address and the second SrcIP address.


     
    5. A method for securely accessing a source of data (110), comprising:

    receiving, at a first intermediary computing device (140), a connection request message (301) from a computing device (130) within a network, the connection request message (301) including a first source internet protocol, SrcIP, address and an embedded second SrcIP address;

    determining if the first SrcIP address is an authorized SrcIP address and determining if the second SrcIP address is an authorized SrcIP address;

    if the first SrcIP address is an authorized SrcIP address, creating an internet protocol tunnel to the source of the data, and and, if the second SrcIP address is an authorized SrcIP address, then granting a communication session to the computing device (103) with the first SrcIP address and second SrcIP address, thereby allowing access to the source of the data (110), otherwise rejecting the connection request message.


     
    6. The method of claim 5 further comprising returning an acknowledgement message to the first SrcIP including a flag indicating that the first SrcIP and the embedded SrcIP are authorized SrcIP addresses.
     
    7. The method of claim 5 or 6, wherein the first SrcIP address and an embedded second SrcIP address are registered in a register.
     


    Ansprüche

    1. System zum sicheren Zugreifen auf eine Quelle von Daten von einem Fahrzeug, umfassend: ein Internetprotokoll (IP)-Netzwerk (303);
    eine Fernkommunikationsvorrichtung (130) in Kommunikation mit dem IP-Netzwerk (303), wobei die Fernkommunikationsvorrichtung (130) zum Senden und Empfangen von Daten konfiguriert ist; eine erste zwischengeschaltete Computervorrichtung (140) innerhalb des IP-Netzwerks (303), wobei die erste zwischengeschaltete Computervorrichtung (140) Kommunikation zwischen der Fernkommunikationsvorrichtung (130) und einer Quelle der Daten (110) verhindert, wobei die erste zwischengeschaltete Computervorrichtung (140) so konfiguriert ist, dass sie Kommunikationen zwischen der Fernkommunikationsvorrichtung (130) und der Quelle der Daten (110) zulässt, wenn die erste zwischengeschaltete Computervorrichtung (140) bestimmt, dass eine erste Internetprotokoll-Quell, SrcIP,-Adresse der Fernkommunikationsvorrichtung (130) eine autorisierte erste SrcIP-Adresse ist, und wobei, wenn die erste zwischengeschaltete Computervorrichtung (140) bestimmt, dass die erste SrcIP-Adresse der Fernkommunikationsvorrichtung (130) eine autorisierte erste SrcIP-Adresse ist, ein Internetprotokolltunnel zwischen der Fernkommunikationsvorrichtung und der Quelle der Daten aufgebaut wird, und die erste zwischengeschaltete Computervorrichtung (140) so konfiguriert ist, dass sie die erste SrcIP-Adresse in eine zweite SrcIP-Adresse umändert, die von der ersten autorisierten SrcIP-Adresse verschieden ist; wobei das System ferner eine zweite zwischengeschaltete Computervorrichtung (180) innerhalb des Netzwerks (303) nach der ersten zwischengeschalteten Computervorrichtung (140) umfasst, wobei die zweite zwischengeschaltete Computervorrichtung (180) Kommunikation zwischen der Fernkommunikationsvorrichtung (130) und der Quelle der Daten (110) verhindert, wobei die zweite zwischengeschaltete Computervorrichtung (180) so konfiguriert ist, dass sie Kommunikationen zwischen der Fernkommunikationsvorrichtung (130) und der Quelle der Daten (110) zulässt, wenn die zweite zwischengeschaltete Computervorrichtung (180) bestimmt, dass die zweite SrcIP-Adresse der Fernkommunikationsvorrichtung (130) eine autorisierte SrcIP-Adresse ist.
     
    2. System nach Anspruch 1, wobei die erste zwischengeschaltete Computervorrichtung (140) ein erstes Modul (170) umfasst, wobei das erste Modul (170) eine Liste der autorisierten ersten SrcIP-Adressen enthält.
     
    3. System nach Anspruch 1 oder 2, wobei die zweite zwischengeschaltete Computervorrichtung (180) ein zweites Modul (186) umfasst, wobei das zweite Modul (186) eine Liste der autorisierten SrcIP-Adressen enthält.
     
    4. Verfahren zum sicheren Zugreifen auf eine Quelle von Daten (110), umfassend:

    Empfangen an einer ersten zwischengeschalteten Computervorrichtung (140) einer Tunnelanforderungsnachricht (301) von einer Fernkommunikationsvorrichtung (130), wobei die Fernkommunikationsvorrichtung (130) eine erste Internetprotokoll-Quell, SrcIP,-Adresse aufweist;

    Bestimmen, ob die erste SrcIP-Adresse eine autorisierte erste SrcIP -Adresse ist;

    Aufbauen, wenn die erste SrcIP-Adresse eine autorisierte erste SrcIP-Adresse ist, eines IP-Tunnels (141) durch Zuordnen einer zweiten SrcIP-Adresse, die von der ersten SrcIP-Adresse verschieden ist, zur Fernkommunikationsvorrichtung (130), wobei die zweite SrcIP-Adresse eine automatisch autorisierte SrcIP-Adresse durch die erste zwischengeschaltete Computervorrichtung (140) ist, andernfalls Zurückweisen der Tunnelanforderungsnachricht (141);

    Senden einer Antwortnachricht (302) an die Fernkommunikationsvorrichtung (130) mit der zweiten SrcIP-Adresse, die den Zugriff auf die Quelle der Daten (110) bestätigt;

    Empfangen an der ersten zwischengeschalteten Computervorrichtung (140) einer Verbindungsanforderungsnachricht (324) von der Fernkommunikationsvorrichtung (130) zur Verbindung mit einer Quelle von Daten (110), wobei die Verbindungsanforderungsnachricht (324) die zweite SrcIP-Adresse umfasst;

    Verkapseln der zweiten SrcIP-Adresse innerhalb einer geänderten Verbindungsnachricht (324');

    Verwenden einer zweiten zwischengeschalteten Computervorrichtung (180), die bestimmt, ob die zweite SrcIP eine autorisierte zweite SrcIP-Adresse ist;

    Zuordnen, wenn die zweite SrcIP-Adresse eine autorisierte zweite SrcIP-Adresse ist, einer dritten SrcIP-Adresse zur geänderten Verbindungsnachricht (324'), wobei

    die dritte SrcIP-Adresse durch die Quelle der Daten (110) als eine autorisierte SrcIP-Adresse anerkannt wird; und

    Weiterleiten von nachfolgenden Nachrichten, die mit den Daten zwischen der Fernkommunikationsvorrichtung (130) und der Quelle der Daten (110) assoziiert sind, durch den IP-Tunnel (141) sowohl unter Verwendung der ersten SrcIP-Adresse als auch der zweiten SrcIP-Adresse.


     
    5. Verfahren zum sicheren Zugreifen auf eine Quelle von Daten (110), umfassend:

    Empfangen an einer ersten zwischengeschalteten Computervorrichtung (140) einer Verbindungsanforderungsnachricht (301) von einer Computervorrichtung (130) innerhalb eines Netzwerks, wobei die Verbindungsanforderungsnachricht (301) eine erste Internetprotokoll-Quell, SrcIP,-Adresse und eine eingebettete zweite SrcIP-Adresse umfasst;

    Bestimmen, ob die erste SrcIP-Adresse eine autorisierte SrcIP-Adresse ist, und Bestimmen, ob die zweite SrcIP-Adresse eine autorisierte SrcIP-Adresse ist;

    Aufbauen, wenn die erste SrcIP-Adresse eine autorisierte SrcIP-Adresse ist, eines Internetprotokolltunnels zur Quelle der Daten, und dann, wenn die zweite SrcIP-Adresse eine autorisierte SrcIP-Adresse ist, Gewähren einer Kommunikationssitzung für die Computervorrichtung (103) mit der ersten SrcIP-Adresse und der zweiten SrcIP-Adressen, um dadurch Zugriff auf die Quelle der Daten (110) zu ermöglichen, andernfalls Zurückweisen der Verbindungsanforderung.


     
    6. Verfahren nach Anspruch 5, ferner umfassend ein Zurücksenden einer Bestätigungsnachricht an die erste SrcIP, die ein Flag umfasst, das anzeigt, dass die erste SrcIP und die eingebettete SrcIP autorisierte SrcIP-Adressen sind.
     
    7. Verfahren nach Anspruch 5 oder 6, wobei die erste SrcIP-Adresse und eine eingebettete zweite SrcIP-Adresse in einem Register eingetragen werden.
     


    Revendications

    1. Système d'accès sécurisé à une source de données provenant d'un véhicule, comprenant :

    un réseau à protocole Internet (IP) (303) ;

    un dispositif de communication à distance (130) en communication avec le réseau IP (303), le dispositif de communication à distance (130) étant configuré pour émettre et recevoir des données ;

    un premier dispositif informatique intermédiaire (140) dans le réseau IP (303), le premier dispositif informatique intermédiaire (140) empêchant la communication entre le dispositif de communication à distance (130) et une source des données (110), où le premier dispositif informatique intermédiaire (140) est configuré pour permettre les communications entre le dispositif de communication à distance (130) et la source des données (110) lorsque le premier dispositif informatique intermédiaire (140) détermine qu'une première adresse de protocole Internet source, SrcIP du dispositif de communication à distance (130) est une première adresse SrcIP autorisée, et où, lorsque le premier dispositif informatique intermédiaire (140) détermine que la première adresse SrcIP du dispositif de communication à distance (130) est une première adresse SrcIP autorisée, un tunnel de protocole Internet est créé entre le dispositif de communication à distance et la source des données, et le premier dispositif informatique intermédiaire (140) est configuré pour changer la première adresse SrcIP en une deuxième adresse SrcIP différente de la première adresse SrcIP autorisée ;

    le système comprenant en outre un second dispositif informatique intermédiaire (180) à l'intérieur du réseau (303) derrière le premier dispositif informatique intermédiaire (140), le second dispositif informatique intermédiaire (180) empêchant la communication entre le dispositif de communication à distance (130) et la source des données (110), où le second dispositif informatique intermédiaire (180) est configuré pour permettre les communications entre le dispositif informatique distant (130) et la source des données (110) lorsque le second dispositif informatique intermédiaire (180) détermine que la deuxième adresse SrcIP du dispositif de communication à distance (130) est une deuxième adresse SrcIP autorisée.


     
    2. Système selon la revendication 1, dans lequel le premier dispositif informatique intermédiaire (140) comprend un premier module (170), le premier module (170) contenant une liste des premières adresses SrcIP autorisées.
     
    3. Système selon la revendication 1 ou la revendication 2, dans lequel le second dispositif informatique intermédiaire (180) comprend un second module (186), le second module (186) contenant une liste des adresses SrcIP autorisées.
     
    4. Procédé d'accès sécurisé à une source de données (110), comprenant les étapes suivantes :

    recevoir, au niveau d'un premier dispositif informatique intermédiaire (140), un message de demande de tunnel (301) provenant d'un dispositif de communication à distance (130), le dispositif de communication à distance (130) ayant une première adresse de protocole Internet source, SrcIP ;

    déterminer si la première adresse SrcIP est une première adresse SrcIP autorisée ;

    si la première adresse SrcIP est une première adresse SrcIP autorisée, établir un tunnel IP (141) en attribuant une deuxième adresse SrcIP, différente de la première adresse SrcIP, au dispositif de communication à distance (130), où la deuxième adresse SrcIP est une adresse SrcIP automatiquement autorisée par le premier dispositif informatique intermédiaire (140), sinon rejeter le message de demande de tunnel (141) ;

    envoyer un message de réponse (302) au dispositif de communication à distance (130) avec la deuxième adresse SrcIP reconnaissant l'accès à la source des données (110) ;

    recevoir, au niveau du premier dispositif informatique intermédiaire (140), un message de demande de connexion (324) provenant du dispositif de communication à distance (130) pour une connexion à une source de données (110), le message de demande de connexion (324) incluant la deuxième adresse SrcIP ;

    encapsuler la deuxième adresse SrcIP dans un message de connexion modifié (324') ;

    utiliser un second dispositif informatique intermédiaire (180), en déterminant si la deuxième SrcIP est une deuxième adresse SrcIP autorisée ;

    si la deuxième SrcIP est une deuxième adresse SrcIP autorisée, affecter une troisième adresse SrcIP au message de connexion modifié (324'), où

    la troisième adresse SrcIP est reconnue comme étant une adresse SrcIP autorisée par la source des données (110) ; et

    relayer les messages subséquents associés aux données entre le dispositif de communication à distance (130) et la source des données (110) par le tunnel IP (141) en utilisant à la fois la première adresse SrcIP et la deuxième adresse SrcIP.


     
    5. Procédé d'accès sécurisé à une source de données (110), comprenant les étapes suivantes :

    recevoir, au niveau d'un premier dispositif informatique intermédiaire (140), un message de demande de connexion (301) provenant d'un dispositif informatique (130) dans un réseau, le message de demande de connexion (301) comprenant une première adresse de protocole Internet source, SrcIP, et une deuxième adresse SrcIP intégrée ;

    déterminer si la première adresse SrcIP est une adresse SrcIP autorisée et déterminer si la deuxième adresse SrcIP est une adresse SrcIP autorisée ;

    si la première adresse SrcIP est une adresse SrcIP autorisée, créer un tunnel de protocole Internet vers la source des données et, si la deuxième adresse SrcIP est une adresse SrcIP autorisée, octroyer alors une session de communication au dispositif informatique (103) avec la première adresse SrcIP et la deuxième adresse SrcIP, permettant ainsi l'accès à la source des données (110), sinon, rejeter le message de demande de connexion.


     
    6. Procédé selon la revendication 5, comprenant en outre le renvoi d'un message d'accusé de réception à la première SrcIP comprenant un indicateur indiquant que la première SrcIP et la SrcIP intégrée sont des adresses SrcIP autorisées.
     
    7. Procédé selon la revendication 5 ou la revendication 6, dans lequel la première adresse SrcIP et une deuxième adresse SrcIP intégrée sont enregistrées dans un registre.
     




    Drawing












    REFERENCES CITED IN THE DESCRIPTION



    This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

    Patent documents cited in the description