Home gateway devices

EP4762755A1Pending Publication Date: 2026-06-24BRITISH TELECOM PLC

Patent Information

Authority / Receiving Office
EP · EP
Patent Type
Applications
Current Assignee / Owner
BRITISH TELECOM PLC
Filing Date
2024-07-29
Publication Date
2026-06-24

Smart Images

  • Figure EP2024071434_27022025_PF_FP_ABST
    Figure EP2024071434_27022025_PF_FP_ABST
Patent Text Reader

Abstract

A home gateway device comprising a processor and a memory storing a domain name algorithm which receives as input an identifier associated with the home gateway device and which computes a domain name as a function of the identifier, is described. The memory stores instructions that when executed by the processor, cause the processor to configure a local DNS in the home gateway device to resolve the domain name to an edge server associated with the home gateway device.
Need to check novelty before this filing date? Find Prior Art

Description

HOME GATEWAY DEVICES

[0001] The present disclosure relates to home gateway devices and in particular but not limited to home gateway devices for enabling client applications in the home to access content.BACKGROUND

[0002] A home gateway device is a physical interface between a communications network in a home and the internet or other external communications network. Home gateway devices are widely used to enable residential users to access cloud services or other services which may be paid for services such as internet television or other content streaming services. Where the services are paid for services security is a particular concern as residential users access to services is controlled on a paid for basis. If malicious parties gain access to security certificates and / or credentials it is possible for services to be accessed in an unauthorised manner, where services could therefore be spoofed.

[0003] The examples described herein are not limited to examples which solve problems mentioned in this background section.SUMMARY

[0004] Examples of preferred aspects and embodiments of the invention are as set out in the accompanying independent and dependent claims.

[0005] This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

[0006] A first aspect of the disclosed technology comprises a home gateway device, comprising: a processor; and an edge server associated with the home gateway device, said edge server comprising a content cache a memory storing a domain name algorithm which receives as input an identifier associated with the home gateway device and which computes a domain name as a function of the identifier, the memory storing instructions that when executed by the processor, cause the processor to: configure a local Domain Name System, DNS, in the home gateway device to resolve the domain name to the edge server associated with the home gateway device.

[0007] In this way, a device is provided that provides a way of allocating domains and enabling the routing of domain specific requests, which when used enables the enhancing of the security of a domain specific request routing system by configuring the device suchthat, upon receiving a DNS query for a domain name that is based on an identifier of the device, the query is resolved to an edge server associated with the device. This means that a certificate and private key specific to a characteristic of the device are used to authenticate the edge server. Thus, even if the edge server associated with the device is compromised, a potential attack surface is narrowed to only additional edge servers and associated domain names with the same certificates, i.e. with the same characteristic of the device.

[0008] In some preferred example embodiments, the memory of the home gateway device stores instructions that, when executed by the processor, cause the processor to further: cause the home gateway device to, in response to receiving a DNS query comprising the domain name from a client application, send a response resolving the DNS query to the edge server.

[0009] In some preferred example embodiments, the domain name algorithm of the home gateway device computes a unique domain name as a function of the identifier.

[0010] In this way, the security of a domain specific request routing system is improved by causing each home gateway device of a distributed system to have a unique domain name associated with their edge server, which results in a unique domain specific certificate and private key that is used to authenticate an edge server. As such, compromising a single edge server has a potential attack surface confined to the compromised edge server and associated domain name, and the compromised certificate and private key are not usable for example to impersonate the other edge servers and domains of other home gateway devices.

[0011] In some preferred example embodiments, the domain name algorithm computes a non-unique domain name as a function of the identifier.

[0012] In this way, a way of allocating domains and enabling the routing of domain specific requests is provided, which trades a reduction in isolation-based security with increased efficiency. Reducing the number of domain-specific certificates to be provided to edge servers as compared with an entirely unique domain name allocation process reduces the monetary and computational cost of provisioning where each certificate has an associated cost, and reduces the number of certificates that must each be securely provided to the relevant edge devices, where more unique certificates means a higher complexity method of distribution to edge servers. As such, the domain algorithm is dynamically adjustable to trade-off isolation-based security with cost.

[0013] In some preferred example embodiments, computing the non-unique domain name comprises determining whether the identifier meets a predetermined condition.

[0014] In some preferred example embodiments, the identifier is a numerical value, the predetermined condition is that the identifier is even, and computing the non-uniquedomain name comprises outputting a same domain name in response to the identifier being even.

[0015] In some preferred example embodiments, the identifier is one of: a Media Access Control, MAC, address of the home gateway device; an Internet Protocol, IP, address of the home gateway device; a serial number of the home gateway device.

[0016] In some preferred example embodiments, data requested by a client application from the edge server is provided only in response to a domain name-specific certificate and private key of the edge server being authenticated.

[0017] Another aspect of the disclosed technology comprises a computing system comprising a home gateway device and a redirect function device, the home gateway device comprising: a processor; an edge server associated with the home gateway device, said edge server comprising a content cache; and a memory storing a domain name algorithm which receives as input an identifier associated with the home gateway device and which computes a domain name as a function of the identifier, the memory storing instructions that when executed by the processor, cause the processor to: configure a local Domain Name System, DNS, in the home gateway device to resolve the domain name to the edge server associated with the home gateway device, the redirect function device comprising: a processor; and a memory storing the domain name algorithm, the memory storing instructions that when executed by the processor, cause the processor to: in response to receiving a data request via a home gateway device from a client application, respond with a domain name associated with a location of the data.

[0018] In this way, a system is provided that provides a way of allocating domains and enabling the routing of domain specific requests. Including the same domain name algorithm on both a redirect function device and a home gateway device enables a single redirect function device to serve domain names associated with data locations requested via multiple home gateway devices (thereby making the system efficient) whilst improving the security of a domain specific request routing system by configuring a home gateway device such that, upon receiving a DNS query for a domain name that is based on an identifier of the home gateway device, the query is resolved to an edge server associated with the home gateway device, which means that a potential attack surface if the home gateway device is compromised is confined only to edge servers with a samecharacteristic as the compromised device (i.e. same domain specific certificates for the edge server).

[0019] In some preferred example embodiments, the location of the data of the data location request is the edge server associated with the home gateway device.

[0020] In some preferred example embodiments, the computing system further comprises a content server, wherein data is configured to be provided to the edge server associated with the home gateway device by the content server, wherein the content server is configured to provide data to edge servers of multiple home gateway devices, and wherein the content server has a wildcard certificate authenticating the content server for domain names associated with all edge servers to which the content server is configured to provide data.

[0021] In this way, a system is provided that enables the serving of data i.e. content, to multiple edge servers each potentially associated with different domain names whilst improving efficiency of resource usage given that only a single content server is needed compared to a content server per home gateway device. A content server also reduces the need for edge servers to store all possible data potentially requested by an application via a home gateway device.

[0022] A third aspect of the disclosed technology comprises a method performed by a home gateway device, the method comprising: providing as input to a domain name algorithm which computes a domain name as a function of an input identifier, an identifier associated with the home gateway device; using the domain name algorithm to compute a domain name; and configuring a local Domain Name System, DNS, in the home gateway device to resolve the domain name to an edge server associated with the home gateway device.

[0023] In this way, a method is provided that provides a way of allocating domains and enabling the routing of domain specific requests, which when used enables the enhancing of the security of a domain specific request routing system by configuring a home gateway device implementing the method such that, upon receiving a DNS query for a domain name that is based on an identifier of the device, the query is resolved to an edge server associated with the device. This means that a certificate and private key specific to a characteristic of the device are used to authenticate the edge server. Thus, even if the edge server associated with the device is compromised, a potential attack surface is narrowed to only additional edge servers and associated domain names with the same certificates, i.e. with the same characteristic of the device.

[0024] In some preferred example embodiments, the method further comprises receiving a DNS query comprising the domain name from a client application; and responding, using the local DNS, to the DNS query by resolving the DNS query to the edge server.

[0025] In some preferred example embodiments, the domain name of the DNS query is obtained by the client application through querying a redirect function comprising the domain name algorithm for the location of data for use by the client application.

[0026] Another aspect of the disclosed technology comprises at least one computer- readable media having computer-executable instructions, which when executed by a home gateway device, perform the methods described herein.

[0027] It will also be apparent to anyone of ordinary skill in the art, that some of the preferred features indicated above as preferable in the context of one of the aspects of the disclosed technology indicated may replace one or more preferred features of other ones of the preferred aspects of the disclosed technology. Such apparent combinations are not explicitly listed above under each such possible additional aspect for the sake of conciseness.

[0028] Other examples will become apparent from the following detailed description, which, when taken in conjunction with the drawings, illustrate by way of example the principles of the disclosed technology.BRIEF DESCRIPTION OF THE DRAWINGS

[0029] FIG. 1 illustrates schematically a system in which client applications retrieve data from a respective edge server associated with a home gateway device.

[0030] FIG. 2 illustrates schematically a system in which client applications retrieve data from a respective edge server with a domain name unique to its associated home gateway device.

[0031] FIG. 3 illustrates schematically a system in which client applications retrieve data from a respective edge server with a domain name non-unique to its associated home gateway device, wherein there are two possible allocated domain names;

[0032] FIG. 4 is a schematic diagram showing components of a redirect function and a home gateway device that enable the present invention;

[0033] FIG. 5 is a signalling diagram showing requests and responses from the devices and components of a system such as that in FIG. 3 or FIG. 4;

[0034] FIG. 6 illustrates an exemplary computing-based device in which examples of a gateway configuration component, for configuring a home gateway device and enabling the improving of the security of a domain specific request routing system, are implemented.

[0035] The accompanying drawings illustrate various examples. The skilled person will appreciate that the illustrated element boundaries (e.g., boxes, groups of boxes, or other shapes) in the drawings represent one example of the boundaries. It may be that in someexamples, one element may be designed as multiple elements or that multiple elements may be designed as one element. Common reference numerals are used throughout the figures, where appropriate, to indicate similar features.DETAILED DESCRIPTION

[0036] The following description is made for the purpose of illustrating the general principles of the present technology and is not meant to limit the inventive concepts claimed herein. As will be apparent to anyone of ordinary skill in the art, one or more or all of the particular features described herein in the context of one embodiment are also present in some other embodiment(s) and / or can be used in combination with other described features in various possible combinations and permutations in some other embodiment(s).

[0037] In various examples there are home gateway devices in many thousands, hundreds of thousands or millions of homes. Each home gateway device may comprise an edge server having a content cache, enabling the edge server to cache content retrieved from the internet or other communications network outside the home. The result is a highly distributed system comprising multiple edge servers where requests for data sent from an application running on a client device are to be routed to an appropriate edge server. The client device may be an internet television, internet radio, tablet computer or any other device suitable for accessing content from a communications network outside the home. Where there is a need to control access to the content, such as for security or other reasons, certificates and / or credentials may be used. Where all the edge servers use the same certificate or credentials there is a high security risk since a breach will impact all the edge servers.

[0038] An edge server as described herein is a server that is located at an edge location, such as in a home gateway or other location remote from a core communications network. For example, an edge server in various examples is located at a home gateway device that provides network access to a client device.

[0039] Moreover, it is often the case that such highly distributed systems use servers operating in Secure HyperText Transfer Protocol (HTTPS) mode, wherein a Transport Layer Security (TLS) certificate and private key are used to declare the authenticity of each server. Such a TLS certificate and key are specific to a domain being hosted by a server, and are stored locally.

[0040] One approach to routing requests from client devices in a highly distributed network is to use the same (i.e common) domain name for each edge server of the network, and route client requests to the common domain name in order to enable a client device to retrieve requested data, where each edge server hosts a TLS certificate and private key specific to the common domain name. This routing, since the common domainname can be pre-set, is in various approaches performed automatically, where each client request is routed directly to the common domain name.

[0041] The inventors have recognised that by using a common domain name, if a certificate and private key associated with one edge server are compromised, a potential attack surface is large in that all edge servers of the system can be subsequently compromised. For example, an attacker in possession of a certificate and private key from a single edge server, allowing them to spoof (and therefore deliver malicious data to a client device originating a data access request, as a client device would determine that the spoofed domain name is authenticated) a domain name, would be capable of spoofing such a domain across the entire network, including over multiple edge servers. Additionally, the inventors have recognised that assigning a single common domain name to all edge servers of a network is inflexible.

[0042] The technology described herein uses a home gateway device storing a domain name algorithm which receives an identifier associated with the home gateway device and which computes a domain name as a function of the identifier, to configure a local Domain Name System (DNS) of the home gateway device to resolve the domain name to an edge server associated with the home gateway device. This device enables the dynamic, flexible allocation of gateway-specific domain names to edge servers, which enables the reducing of a potential attack vector in the event that an edge server is compromised.

[0043] A home gateway device is, as described herein, a device that is configured to receive data requests from a client application, which in various examples is operating on a client device, and is configured to process such a data request by routing and / or responding to the request. In various examples, a home gateway device is an entry point to a network. In various examples, a home gateway device responds to a data request from a client application with the location of the requested data, wherein the location is or comprises in various examples a domain name associated with an edge server storing the requested data. In various examples, the home gateway device provides a local network for devices attached to it.

[0044] FIG. 1 of the accompanying drawings shows schematically a system in which client applications 1 10A-110D retrieve data from a respective edge server 108A-108D associated with a home gateway device 104A-104D.

[0045] Each home gateway device 104A-104D comprises a local DNS 106A-106D and an edge server 108A-108D, where each edge server has an associated content cache used to store content. It should be appreciated that, though an edge server is in various examples comprised in a home gateway device, an edge server is additionally or alternatively in various examples associated with a home gateway device, i.e. is located on a separate device that is in communication with the home gateway device.

[0046] Each home gateway device 104A-104D is associated with (i.e. configured to communicate with) a respective client application 1 10A-110D. In various examples, each home gateway device 104A-104D is associated with at least one client application 1 10A- 110D.

[0047] The system of FIG. 1 further comprises a redirect function 102, which receives a data request from a client application 110A-110D via a respective home gateway device 104A-104D, and responds with a location, in various examples a domain name, of the requested data. In various examples, communication between the devices described herein occurs using one or more of: a hyper text transfer protocol HTTP, the HTTP Live Streaming protocol (trade mark), the Dynamic Adaptive Streaming over HTTP protocol (an International Standard). In various examples, data stored on edge servers 108A-108D is associated with media, where the media is split into segments of data which are generated and stored independently. In various examples, the segments of data are referenced in a manifest file. In various examples, the data request from a client application 1 10A-110D is a request for data and comprises a request for a manifest file. In various examples, the data request from a client application 110A-1 10D is a request for data and comprises a request for data segments, in various examples data segments are referenced in a manifest file, in various examples a manifest file has been previously requested (such as by the client application 1 10A-1 10D). In various examples, as data segments are received by a client application 110A-110D, they are buffered, decoded and displayed, which in various examples results in continuous media presented to the end user. In various examples, such media is video or audio.

[0048] The redirect function 102 in various examples receives data requests via multiple home gateway devices 104A-104D, and responds with the location of the requested data accordingly. In various examples, the redirect function 102 receives a data request for a manifest file, and subsequent requests for data segments referenced in the manifest file are directed to the location of the manifest file, in various examples by a client application that requested the manifest file, without the redirect function 102 determining a location of the data segments explicitly.

[0049] In various examples, requests via the home gateway device 104A-104D are requests that are received by the home gateway device 104A-104D and are then forwarded or routed to a destination. In various examples, a home gateway device of a distributed system comprising a plurality of home gateway devices performs methods described herein. In various examples each home gateway device of the distributed system is configured to communicate with at least one client application and, additionally or alternatively, in various examples, each client application is configured to communicate with a home gateway device. In various examples, the distributed system further comprises one or more of: a redirect function, a redirect function device, a content server.In various examples, the content server and / or the redirect function or redirect function device are configured to communicate with the home gateway devices of the distributed system, and, additionally or alternatively, in various examples each home gateway device of the distributed system is configured to communicate with a redirect function device, in various examples a single redirect function device. In various examples, reference to a redirect function device herein is replaced with reference to a redirect function, which in various examples is located on an existing device of a network comprising a home gateway device. In various examples a single redirect function or redirect function device and / or content server are comprised in the distributed system.

[0050] In various examples, upon receiving the location of the data of a data request (from a client application 1 10A-110D) from the redirect function 102, the home gateway device 104A-104D responds to the client application 110A-1 10D with the location of the data of its request. In various examples, communication between a client application 1 10A-110D and a home gateway device 104A-104D configured to communicate with the client application is via HTTPS protocol. In various examples, the location of the data of its request is a location associated with an edge server 108A-108D associated with a home gateway device 104A-104D associated with the client application 110A-1 10D, i.e. the data requested by the client application is stored on the edge server 108A-108D associated with the gateway device 104A-104D with which the client application is configured to communicate with.

[0051] In FIG. 1 , each edge server 108A-108D is allocated the same domain name of ‘an.example.com’, thus such a location in various examples comprises the domain name ‘an.example.com’. The client application 1 10A-110D then requests the data from the domain name provided to it via the home gateway device 104A-104D, which corresponds to requesting the data from a specific edge server associated with the provided domain name. The client application requesting data from a domain name in various examples comprises the client application sending a DNS query to a home gateway device 104A- 104D, which is processed by a local DNS on the home gateway device 104A-104D, and which takes as input a domain name and resolves an Internet Protocol (IP) address of an edge server associated with the domain name, which is sent to the client application that originated the DNS query. The data request is then sent to the resolved IP address, and the requested data retrieved by the client application 110A-1 10D.

[0052] In various examples, the client application requesting data from a domain name comprises the client application sending a data request to a home gateway device 104A- 104D with a target domain name, wherein the home gateway device processes the target domain name using the local DNS to resolve an IP address of an edge server, and wherein the home gateway device forwards the data request to the edge server.

[0053] In various examples, data requested from an edge server is only consumed by a requestor in response to a domain name-specific certificate and private key of the edge server being authenticated. In various examples, authentication of the domain-name specific certificate and private key comprises, when data is requested from a server, the server communicating its certificate to the requester, and the requester validating the certificate, wherein the requester subsequently sends data to the server using a public key associated with the certificate, and the server decrypts the received data using its private key. Validating the certificate in various examples comprises checking that the present date is within a validity period of the certificate, that a Certificate Authority that issued the certificate is trusted (in various examples by comparing to a list of trusted Certificate Authorities), that the public key of the issuing Certificate Authority correctly decrypts a digital signature of the certificate, and that the domain name of the certificate matches the server’s domain name. Certificates are issued by Certificate Authorities (CA) that check the owners of domains and, for high security level certificates, that the organisation itself is legitimate and operating legally. In various examples, certificates are distributed to respective entities via one of: pre-loading, multicast push, unicast request from a certificate store. Pre-loading refers to loading required certificates in advance of such a certificate being requested, in various examples performed at startup of the entity to which a certificate is distributed. Multicast push refers to the distribution of data (for example a certificate) which is copied by a network to multiple target entities, without the data first being requested. Unicast request refers to the distribution of data (for example a certificate) to a single entity where the data is requested.

[0054] It should be appreciated that mention of receiving and responding herein should equivalently be interpreted as configured to receive and configured to respond respectively, where a device or function in various examples is not actively performing the mentioned process. It should further be appreciated that any number of home gateway devices and client applications may be implemented without departing from the scope of the present invention.

[0055] In various examples, a content server 100 is implemented, which is configured to communicate with the home gateway devices 104A-104D. The content server is a server storing data that is sent to each edge server associated with the home gateway devices 104A-104D. In various examples, data is distributed to edge servers from the content server 100 such that data most likely to be requested by a client application configured to communicate with the home gateway device associated with an edge server is stored on the edge server, which reduces the storage requirements of the edge servers 108A-108D by not requiring them to store all possible data requestable by client applications, alongside enabling the requesting of dynamic content i.e. content that changes over time without needing to redistribute content to every applicable edge server. In variousexamples, a system such as FIG. 1 is implemented by a streaming system such that client applications each request video data from an edge server as it is required, and video data is buffered, i.e. temporarily stored in advance of it being required, in an edge server, wherein the content server 100 distributes the content to be buffered. In various examples, the content server 100 distributes contents to the edge servers 108A-108D based on the client application 1 10A-110D in communication with the home gateway device 104A-104D associated with an edge server 108A-108D, in various examples based on what content the client application 110A-110D is streaming.

[0056] In various examples, content is distributed by the content server 100 via the home gateway device 104A-104D associated with a destination edge server 108A-108D. In various examples, content is distributed by the content server via one of: multicast methods, unicast push methods, unicast pull methods. Multicast methods are methods wherein a single copy of data is sent by an entity of a network and the network copies (in various examples by entities forwarding a copy of the data and retaining a copy of the data) the sent data to multiple target entities within the network. Unicast push methods are methods wherein data is sent to a single target entity of a network without the data being requested, and unicast pull methods are method wherein data is sent to a single target entity when the target entity requests the data.

[0057] In various examples, the content server 100 stores a certificate and private key authenticating it as a provider of data associated with the domain name that is common to the edge servers 108A-108D.

[0058] FIG. 2 shows an improved system over the system of FIG. 1 , wherein the domain names allocated to each edge server 208A-208D are unique to the home gateway device associated with the edge server. For example, edge server 208A has an associated domain name ‘204A.example.com’ and edge server 208B has an associated domain name ‘204B.example.com’. As such, the edge servers each store a domain-specific certificate and private key that are different to the domain-specific certificate and private key of the other edge servers. This allocation of different domain names is enabled by the use of a home gateway device as elaborated on with respect to FIG. 4.

[0059] Using different domain names per edge server and therefore different domainspecific certificates and private keys means that, should an edge server be compromised, a potential attack surface is narrowed to only edge servers sharing the same domain name.

[0060] The content server 200 stores a wildcard certificate authenticating the domain ‘*. example.com’, i.e. authenticating the content server 200 for all sub-domains, namely all domain names allocated to the edge servers to which the content server 200 is configured to provide data. In various examples, a content server as described herein is a node of a content delivery network CDN.

[0061] FIG. 3 shows an alternative system to that of FIG. 2, wherein the domain names allocated to each edge server 308A-308D are non-unique to the home gateway device associated with the edge server. In various examples, though, there are at least two different domain names allocated across all edge servers, meaning that a security improvement by reducing a potential attack surface is present, but that there is a reduction in the total number of unique domain names as compared to a completely unique domain name allocation strategy, such as in FIG. 2.

[0062] In FIG. 3, there are two domain names allocated across the edge servers 308A- 308D; ‘304AC.example.com’ and ‘304BD.example.com’.

[0063] Reducing the total number of unique domain names reduces cost both computationally and monetarily, as there is a cost associated with provisioning a certificate specific to a domain name. Additionally, the more unique certificates there are, the more unique certificates need to be distributed to edge servers, which increases the complexity of a required distribution system.

[0064] As such, the present invention enables the trading off of isolation-based security (i.e. reducing the potential attack surface should an edge server be compromised) compared to computational and monetary cost, providing a flexible domain name allocation system, as will be elaborated on with respect to FIG. 4.

[0065] FIG. 4 is a schematic diagram showing components of a redirect function 402 and a home gateway device 404. The home gateway device 404 comprises a domain name (DN) algorithm which is a process which computes a domain name as a function of an identifier of the home gateway device 404. Optionally the redirection function 402 has a copy of the DN algorithm 412. In some cases the DN algorithm computes a fully qualified domain name but that is not essential as any domain name may be computed by the DN algorithm. Where the DN algorithm computes a fully qualified domain name the domain name specifies an exact location in a tree hierarchy of the Domain Name System (DNS). The fully qualified domain name specifies all domain levels, including the top-level domain and the root zone and can be interpreted only in one way. Thus using a DN algorithm that computes a fully qualified domain name is beneficial for use by the edge server in accessing content for the client application. However, using a DN algorithm that computes a fully qualified domain name is not necessary in some deployments where some degree of ambiguity can be tolerated in the domain name due to the specific deployment where the home gateway is deployed. The components of FIG. 4 are deployed in order to enable the systems of FIG. 2 and FIG. 3, and to flexibly implement FIG. 1 .

[0066] The DN algorithm 412 is stored in memory of the home gateway device 404 and, in various examples, in memory of the redirect function 402, where the DN algorithm 412 receives as input an identifier associated with the home gateway device 404 on which it is stored, and computes a domain name as a function of the identifier.

[0067] There are a range of possible methods of computing the domain name, all of which enable the present invention, and the choice of such a method depends on the context of use of the invention and the desired trade-off between isolation-based security and cost of a system in which the DN algorithm is implemented.

[0068] An identifier associated with the home gateway device is described herein as any data which is related to a characteristic of the home gateway device, and in various examples refers to one of: a Media Access Control, MAC, address of the home gateway device; an Internet Protocol, IP, address of the home gateway device; a serial number of the home gateway device. In various examples, the identifier is a composite identifier comprising one or more of the above identifiers.

[0069] In various examples, the DN algorithm is configured to compute a unique domain name as a function of the identifier, such as via computing a hash of an IP address of the home gateway device, wherein the IP address of the home gateway device is the identifier. In various examples, the DN algorithm receives as input a unique identifier associated with the home gateway device, i.e. an identifier that is unique to the home gateway device. In various examples, the DN algorithm computes a domain name that is based on a unique characteristic of the home gateway device.

[0070] In various examples, the DN algorithm is configured to compute a non-unique domain name, in various example comprising determining whether the identifier meets a pre-determined condition. In various examples, the identifier is a numerical value, the predetermined condition is that the identifier is even, and computing the non-unique domain name comprises outputting a same domain name in response to the identifier being even, and, in various examples, outputting a different same domain name in response to the identifier being odd. In this way, the system of FIG. 4 enables the implementing of the system of FIG. 3. In various examples, a non-unique domain name is computed by the DN algorithm by summing the four octets of an IP version 4 address of the home gateway device comprising the DN algorithm, where in response to the result being odd a first domain name is computed, and where in response to the result being even, a second domain name is computed.

[0071] It should be appreciated that the DN algorithm may be designed in any way as long as it produces a consistent resulting domain name given an input identifier associated with the home gateway device upon which it is stored.

[0072] The DN algorithm 412 is configured such that the identifier is provided to or obtained by the DN algorithm 412 and the resulting domain name is used to configure the local DNS 406 on the same home gateway device 404 to resolve the domain name to an edge server 408 associated with the home gateway device 404. In various examples, the local DNS 406 comprises a mapping of IP address to domain name, and determines an IP address given an input domain name. In various examples, configuring the local DNS406 to resolve the domain name computed by the DN algorithm 412 to the edge server 408 comprises modifying the domain name of the local DNS mapping for the IP address of the edge server 408, in various examples pre-set, to the domain name computed by the DN algorithm 412. In various examples, such a configuration of the local DNS 406 is performed upon startup of the home gateway device, and additionally or alternatively, in various examples, at regular time periods.

[0073] As such, the home gateway device provides a way of allocating domain names to edge servers based on a characteristic of the home gateway device associated with the edge server, which improves the flexibility of domain name allocation methods. Moreover, this enables the allocation of unique and non-unique domain names in order to improve the isolation-based security of a distributed system such as a content delivery system.

[0074] In various examples, not only does the home gateway device 404 have stored an DN algorithm 412, but so too does the redirect function 402. In various examples, the redirect function 402 is comprised in a redirect function device comprising a processor and a memory, the memory storing the DN algorithm 412. The DN algorithm 412 of the redirect function 402 and the home gateway device 404 are configured in the same way, such that they compute the same output domain name given the same input home gateway device identifier. In this way, a client application 410, when obtaining a domain name to use as the target of a data request (sent to the home gateway device 404 as a DNS query, in various examples) by querying the redirect function, obtains the correct domain name.

[0075] The identifier provided to the DN algorithm 412 of the redirect function is in various examples obtained by the home gateway device 404 attaching, in various examples in a header of a data request forwarded from a client application 410 to the redirect function 402, an identifier of the home gateway device 404. Alternatively, the redirect function 402 receives an unmodified data request via the home gateway device 404 from the client application 410 and determines an identifier associated with the home gateway device 404, such as by obtaining the IP address of the home gateway device 404 which sent the request to the redirect function 402.

[0076] In this way, the DN algorithm 412 works in tandem across the redirect function 402 and the home gateway devices of a system such as device 404, to route a request from a client application to a correct domain name where the domain name is allocated by the DN algorithm, correctly and flexibly.

[0077] FIG. 5 is a signalling diagram showing the requests and responses exchanged within a system implementing the present invention. Entities within the system are illustrated horizontally across the diagram, and time is represented vertically downwards. In various examples, the local DNS 506 is configured using an DN algorithm as described above, such that it resolves 516 a domain name based on an identifier of a home gatewaydevice with which an edge server is associated, to the edge server, wherein in various examples this configuration occurs before a client application 510 sends a request, for example request 518, via a home gateway device.

[0078] A client application 510, of which there are in various examples multiple, each communicating with a respective home gateway device, requests 518 a target from a redirect function 502. In various examples, this request is directed to the redirect function 502 via a home gateway device. In various examples, requesting a target comprises sending a data request i.e. a request for data, to the redirect function 502, and in various examples alternatively comprises requesting a location of data directly. The redirect function 502 computes 520 the target using an DN algorithm as elaborated upon above, using an identifier associated with the home gateway device through which the request from the client application 510 was directed. The redirect function 502 then responds 522 to the target request by sending a domain name of an edge server storing the data requested. In various examples, the redirect function 502 responds 522 to the target request by including a ‘302 Found’ redirect status response code associated with an HTTP protocol used to communicate, in a response header of the response, which indicates that requested data has been temporarily moved to the domain name of the edge server storing the data requested, where the domain name in various examples is included in a location header of the response. In various examples, the location of the data requested by the client application 510 is an edge server associated with the home gateway device in communication with the client application 510. Where this is the case, and where the edge server associated with the home gateway device is active and able to receive data requests, the client application 510 then sends a DNS request 524 i.e. a DNS query to the local DNS 506 of the home gateway device to resolve the target domain name, the DNS query comprising the domain name obtained by the client application 510 from the redirect function 502.

[0079] The local DNS 506 processes the DNS query to obtain an IP address of the edge server associated with the domain name received by the local DNS 506, and responds 526 to the DNS query with an IP address of the edge server. More generally, the local DNS 506 is configured using the DN algorithm and, in response to receiving a DNS query 524 comprising the domain name computed by the DN algorithm based on an identifier associated with a home gateway device comprising the DN algorithm, the home gateway device uses the local DNS to respond 526 to the DNS query by resolving the DNS query to an edge server associated with the home gateway device.

[0080] In various examples, the IP address is an address usable within a local network comprising the client application, the home gateway device and the edge server.

[0081] The client application 510 then uses the received IP address to send a request for content 528 from the edge server 508 which is associated with the received IP address, where the edge server 508 responds 530 with the requested content.

[0082] In various examples, the content server 500 provides content i.e. data to the edge server 508. In various examples, the content server 500 pushes 532 content that is most likely to be requested by the client application 510 to the edge server 508 at regular time intervals.

[0083] It should be noted that in various examples the process of identifying a location and routing a request to the domain name computed by the DN algorithm is not performed for subsequent data requests of a same data stream, where the client application merely directly routes the data requests to the domain name obtained via the first data request or data location request of the stream.

[0084] In other cases, however, where an edge server is not present, such as when an edge server located by the redirect function is inactive (for example during a service outage) and / or when no edge server is associated with the home gateway device in communication with a client application, the redirect function queried by the client application optionally returns a domain name using the DN algorithm described herein, the domain name based on an identifier of the home gateway device. The client application then queries 534, via the home gateway device, a Wide Area Network (WAN) DNS 514, which is configured to resolve 536, in various examples via the same method of configuration using the DN algorithm as the local DNS, the domain name to the content server 500. In various examples, the local DNS 506 determines that the domain name has not been mapped (in various examples as there is no edge server present) and forwards the DNS query to the WAN DNS 514, in various examples configured 536 to redirect any subdomain of the range of possible domains computed by the DN algorithm to the content server 500. The WAN DNS 514 returns 538 an IP address of the content server 500 to the client application 510, which then sends a request for content 540 i.e. data to the content server 500, in various examples via the home gateway device in communication with the client application 510. In various examples, the content server 500 returns 542 the requested data to the client application 510, in various examples via the home gateway device.

[0085] In this way, the present invention is enabled through the implementation of an DN algorithm that generates a domain name based on an input identifier associated with a home gateway device, where the identifier is provided as input to the DN algorithm, the DN algorithm is used to compute a domain name, and the resulting domain name used in a domain specific routing system. A local DNS of the home gateway device is configured to resolve the domain name output by the DN algorithm to an edge server associated with the home gateway device. Additionally, in various examples, a redirect function comprisesthe DN algorithm, and the redirect function is queried by a client application for the location of data, in various examples data for use by the client application, where the resulting domain name received, in various examples by the client application, from the redirect function is comprised in a DNS query to the local DNS or in various examples to a WAN DNS.

[0086] In various examples, a plurality of home gateway devices is implemented, each comprising a processor and a memory storing a domain name algorithm which receives as input an identifier associated with the home gateway device in which the algorithm is implemented, and which computes a domain name as a function of the identifier, the memory storing instructions that when executed by the processor cause the processor to configure a local DNS in the home gateway device to resolve the domain name to an edge server associated with the home gateway device. In various examples, at least one client application is configured to communicate with each home gateway device of the plurality of home gateway devices. In various examples, a single redirect function is configured to communicate with the plurality of home gateway devices, in various examples all of the plurality of home gateway devices. In various examples, the identifier used in the DN algorithm of each home gateway device is specific to the home gateway device, and therefore in various examples results in a unique domain name allocation to edge servers associated with each edge server associated with the home gateway devices. In various examples (including examples wherein an identifier specific to each home gateway device is used), at least two different non-unique domain names are allocated across all of the edge servers by the DN algorithm.

[0087] FIG. 6 illustrates various components of an example computing device 600, in various examples a home gateway device, in which embodiments of a gateway configuration component 610 are implemented in some examples, the gateway configuration component 610 implementing methods as described herein. The computing device is of any suitable form such as a smart phone, a desktop computer, a tablet computer, a laptop computer, a server, a router.

[0088] The computing device 600 comprises one or more processors 602 which are microprocessors, controllers or any other suitable type of processors for processing computer executable instructions to control the operation of the device in order to perform the methods of FIG. 5, in various examples enabled by implementing FIG. 4. In some examples, for example where a system on a chip architecture is used, the processors 602 include one or more fixed function blocks (also referred to as accelerators) which implement a part of the method of FIG. 5 in hardware (rather than software or firmware). That is, the methods described herein are implemented in any one or more of software, firmware, hardware. The computing device has a gateway configuration component 610 comprising a domain name algorithm 614, local DNS 616 and edge server cache 618. Invarious examples the edge server cache 618 is storage located on an edge server associated with the computing device 600. Platform software comprising an operating system 606 or any other suitable platform software is provided at the computing-based device to enable application software 608 to be executed on the device. Although the computer storage media (memory 612) is shown within the computing-based device 600 it will be appreciated that the storage is, in some examples, distributed or located remotely and accessed via a network or other communication link (e.g. using communication interface 604). The computing device 600 uses the communication interface 604 to communicate with entities as described in the methods herein, including in various examples one or more of: a client application, a redirect function, a content server.

[0089] Though the computing device 600 illustrated comprises a gateway configuration component 610, in various examples the redirect function as described herein is implemented in a similar computing device (in various examples a redirect function device) also having the domain name algorithm 614 and components of the device 600 except the local DNS 616 and the edge server cache 618, wherein the redirect function device has instructions stored in memory that when executed by a processor of the redirect function device cause the processor to, in response to receiving a data location request via a home gateway device from a client application, respond with a domain name associated with a location of the data of the data location request. More generally, the redirect function device may respond with a domain name given the receiving of a data location request, in various examples from a home gateway device.

[0090] Any reference to 'an' item refers to one or more of those items. The term 'comprising' is used herein to mean including the method blocks or elements identified, but that such blocks or elements do not comprise an exclusive list and an apparatus may contain additional blocks or elements and a method may contain additional operations or elements. Furthermore, the blocks, elements and operations are themselves not impliedly closed.

[0091] It should further be noted that the methods as described herein and as performed by the systems and devices described herein are in various examples performed when computer-executable instructions of at least one computer-readable media are executed, in various examples by a home gateway device. In various examples, such computer- readable media are executed by a redirect function device, defined herein as a device that implements a redirect function i.e. upon receiving a request for a location, the function responds with a domain name associated with the location of the request.

[0092] Where the description has explicitly disclosed in isolation some individual features, any apparent combination of two or more such features is considered also to be disclosed, to the extent that such features or combinations are apparent and capable of being carried out based on the present specification as a whole in the light of the common generalknowledge of a person skilled in the art, irrespective of whether such features or combinations of features solve any problems disclosed herein. In view of the foregoing description it will be evident to a person skilled in the art that various modifications may be made within the scope of the invention.

Claims

CLAIMS1 . A home gateway device, comprising: a processor; an edge server associated with the home gateway device, said edge server comprising a content cache; and a memory storing a domain name algorithm which receives as input an identifier associated with the home gateway device and which computes a domain name as a function of the identifier, the memory storing instructions that when executed by the processor, cause the processor to: configure a local Domain Name System, DNS, in the home gateway device to resolve the domain name to the edge server associated with the home gateway device.

2. The home gateway device of claim 1 , the memory storing instructions that, when executed by the processor, cause the processor to further: cause the home gateway device to, in response to receiving a DNS query comprising the domain name from a client application, send a response resolving the DNS query to the edge server.

3. The home gateway device of any of claims 1 to 2, wherein the domain name algorithm computes a unique domain name as a function of the identifier.

4. The home gateway device of any of claims 1 to 2, wherein the domain name algorithm computes a non-unique domain name as a function of the identifier.

5. The home gateway device of claim 4, wherein computing the non-unique domain name comprises determining whether the identifier meets a predetermined condition.

6. The home gateway device of claim 5, wherein the identifier is a numerical value, wherein the predetermined condition is that the identifier is even, and wherein computing the non-unique domain name comprises outputting a same domain name in response to the identifier being even.

7. The home gateway device of any of claims 1 to 6, wherein the identifier is one of: a Media Access Control, MAC, address of the home gateway device; an Internet Protocol, IP, address of the home gateway device; a serial number of the home gateway device.

8. The home gateway device of any of claims 1 to 7, wherein data requested by a client application from the edge server is provided only in response to a domain name-specific certificate and private key of the edge server being authenticated.

9. A computing system comprising a home gateway device and a redirect function device, the home gateway device comprising: a processor; an edge server associated with the home gateway device, said edge server comprising a content cache; and a memory storing a domain name algorithm which receives as input an identifier associated with the home gateway device and which computes a domain name as a function of the identifier, the memory storing instructions that when executed by the processor, cause the processor to: configure a local Domain Name System, DNS, in the home gateway device to resolve the domain name to the edge server associated with the home gateway device, the redirect function device comprising: a processor; and a memory storing the domain name algorithm, the memory storing instructions that when executed by the processor, cause the processor to: in response to receiving a data request via a home gateway device from a client application, respond with a domain name associated with a location of the data.

10. The computing system of claim 9, wherein the location of the data is the edge server associated with the home gateway device.11 . The computing system of any of claims 9 to 10, the computing system further comprising a content server, wherein data is configured to be provided to the edge server associated with the home gateway device by the content server, wherein the content server is configured to provide data to edge servers of multiple home gateway devices, and wherein the content server has a wildcard certificate authenticating the content server for domain names associated with all edge servers to which the content server is configured to provide data.

12. A method performed by a home gateway device, the method comprising: providing as input to a domain name algorithm which computes a domain name as a function of an input identifier, an identifier associated with the home gateway device; using the domain name algorithm to compute a domain name; and configuring a local Domain Name System, DNS, in the home gateway device to resolve the domain name to an edge server associated with the home gateway device.

13. The method of claim 12, further comprising: receiving a DNS query comprising the domain name from a client application; andresponding, using the local DNS, to the DNS query by resolving the DNS query to the edge server.

14. The method of claim 13, wherein the domain name of the DNS query is obtained by the client application through querying a redirect function comprising the domain name algorithm for the location of data for use by the client application.

15. At least one computer-readable media having computer-executable instructions, which when executed by a home gateway device, perform the method of any one of claims 12 to 14.