The present invention relates to the securing of communications between workstations in a data transmission network and in particular to a method for assigning a dual IP (Internet Protocol) address to a workstation attached on an IP data transmission network.
When a workstation (or host) is connected to an IP data transmission network, an IP address is assigned to it so that any other workstation may communicate with it through the network. Presently, an IP Version 4 address is a 32-bit binary value. Each byte of the address is converted into a decimal number and the numbers are separated by dots, such a dot notation being the popular way of expressing an IP address so that users can read and write it easily. It must be noted that the next generation of networks will use IP Version 6 using 128-bit addresses.
There are three IP address formats: class A for large networks for which the address starts with a number between 0 and 127, class B for medium sized networks for which the address starts with a number between 128 and 191 and class C for small networks for which the address starts with a number between 192 and 223. An organization which has a class A or class B network address is very likely to use a fairly complex network made up of several Local Area Networks (LAN) and Wide Area Networks (WAN). Accordingly, it makes sense to partition the address space in a way that matches the network as a family of sub-networks. To do this, the address is broken according to the following way:
 less than network address greater than   less than subnetwork address greater than   less than host address greater than 
The workstation connecting to a network may have either a static address or a dynamic address. If a static address is chosen, this address is entered manually by the user at its workstation. But the user has the possibility of requesting a dynamic address automatically assigned by a Dynamic Host Configuration Protocol (DHCP) server. In such a case, the network administrator supervizes and distributes IP addresses from a central point and automatically sends a new IP address each time the workstation is plugged into a different location in the network. But an important drawback is that the DHCP server has no way to exchange and share addresses outside of the local network.
Another drawback is that DHCP server cannot share addresses with the Domain Name Server (DNS) which provides an application layer protocol that is part of the standard TCP/IP protocol suite and performs a naming service between hosts within the local administrative domain and across domain boundaries.
One of the benefits of a distributed network is the ability to add, remove or relocate system components such as servers and printers without disrupting the services provided by other components. Similarly, users of the network are regularly added, removed or relocated. These users must maintain appropriate access to the resources regardless of any changes in their location or status. Users should also have a seamless access to all the resources available, no matter where those resources are located in the network. In order to track and manage all the resources and users of a distributed network, most of today""s network operating systems employ a registration server (often called xe2x80x9cdirectory servicesxe2x80x9d) providing the capability to the user of accessing all servers and printers, to all the applications, messaging, database, communications and other services offered to them by the network, by utilizing a single network logon. But the reverse side of the present system of address assignment is that anyone can connect a workstation to the network in DHCP mode and get a dynamic IP address enabling him to access all the resources of the network without being allowed to do this.
At present, a user connecting with a workstation to a visited network in DHCP mode is not authenticated since the only way to do this is to check its MAC address and to reject him if this MAC address is not recognized. Now, such a MAC address is a physical address. It is therefore not possible with this address to know the home location of the user in order to give him authorization on the visited network. Therefore, the classical way of authentication is penalizing for the visited users. It would be useful to know which is the home IP address of a visiting user, but this address disappears on the network interface when a workstation is connecting the network in DHCP mode for assigning to it a dynamic IP address on the visited network.
Accordingly, the objet of the invention is to achieve a method of assigning to a workstation connected to an IP data transmission network, in addition to the dynamic address given by the DHCP server of the local network, a static address enabling the authentication of the workstation whatever accessible sub-network the workstation is connected to.
Another object of the invention is to achieve a method of assigning a dual address to any new workstation connecting an IP data transmission network, thus enabling securing any network which this workstation connects to by using the rights of the workstation associated with its home static address.
The invention relates therefore to a method for assigning a dual address to a workstation connecting anywhere to an IP data transmission network composed of at least a first Local Area Network (LAN) provided with a home Dynamic Host Configuration Protocol (DHCP) server, a home Domain Name Services (DNS) server and a home registration server. This method comprises the steps of:
a) off-line registering into the home registration server previously to connecting the workstation to the network, the workstation parameters including a static IP address, the name, the rights of the workstation, the station MAC address and a logon ID and password which have been provided to the user of the workstation,
b) connecting the workstation to the IP network, the workstation being configured in DHCP mode,
c) providing by the home registration server a dynamic IP address to the workstation,
d) calling the home registration server by the workstation using the logon ID and the password to get first the static IP address and, secondly a configuration file for the workstation,
e) configuring automatically the applications and protocols to be processed by the workstation with the static IP address or the dynamic IP address, such a configuration being based upon the configuration file.
According to another aspect of the invention, the IP data transmission network includes a second LAN to which the workstation is now connected, the second LAN including a visited DHCP server, a visited DNS server, and a visited registration server; and the method further comprises the steps of:
f) providing by the visited registration server a new dynamic IP address to the workstation,
g) calling the visited registration server by the workstation using a guest logon to provide the visited registration server with the IP static address of the workstation,
h) contacting the home registration server by the visited registration server in order to get the characteristics of the workstation for updating the visited registration server.