JP5559882B2 - Discovery of femto access security gateway in wireless communication - Google Patents

Description

  This application claims priority from US Provisional Application No. 61 / 227,028, title of invention, “FEMTO ACCESS SECURITY GATEWAY DISCOVERY” filed on July 20, 2009, the entire disclosure of which is Which is incorporated herein by reference.

  The present invention relates to wireless communications and systems.

  In various wireless communication networks, radio coverage can be divided into many small geographic areas called cells. Cells can be classified as macrocells, microcells or picocells depending on their size and capacity. Access network equipment (i.e., base stations) is typically installed in each cell and serves, via wireless connections, access terminals or mobile stations located within the base station's radio coverage area.

  A wireless communication system includes one or more wireless devices, eg, mobile devices, mobile phones, wireless air cards, mobile stations (MS), user equipment (UE), access terminals (AT). Or it may include a network of one or more base stations in communication with a subscriber station (SS). Each base station can transmit wireless signals carrying data, eg, voice data and other data content, to the wireless device. A base station can also be called an access point (AP) or an access network (AN), and may be included in a part of the access network. A wireless communication system may include one or more access networks that control one or more base stations.

  The radio coverage of the base station may be limited in certain situations. For example, certain areas between indoor areas and high-rise buildings may not have good radio coverage by the base station. An extension base station can be installed to extend the coverage of the base station, and such an extended base station is often referred to as a femtocell base station (FBS). A mobile station or subscriber station located in a femto cell using a femto base station (FBS) or a femto access point (FAP) based on a wireless air link standard such as the WiMAX standard. Wireless coverage is provided to the femtocell by transmitting wireless signals wirelessly. The FAP can employ a home or office wired broadband connection such as an ADSL, a cable modem, or an in-house fiber link as a backhaul connected to the wireless core network. When the mobile station enters femto cell coverage, the mobile station can switch the connection from the macro cell to the FAP and continue the radio service connection.

  Techniques and systems for discovering a security gateway for attaching a wireless access point to a wireless communication system are provided.

  In one aspect, a method is provided for discovering a security gateway for attaching a wireless access point to a wireless communication system, the method connecting the wireless access point to a communication network, wherein the wireless access point is within the system. Obtaining an IP address of a security server configured to assist in discovering the security gateway; establishing communication between the wireless access point and the security server using the obtained IP address; Operating the security server, obtaining the wireless access point information, selecting the security gateway from the security gateways in the system based on the wireless access point information, and operating the wireless access point The communication server establishes communication between the wireless access point and the security gateway using the acquired IP address of the selected security gateway from the security server and the acquired IP address of the selected security gateway. Attaching a wireless point (access point) to the system via the gateway.

  A wireless communication system provided as another aspect includes a wireless access service network (ASN) including a security gateway capable of attaching one or more wireless access points, and a wireless access point connected to the ASN. And a security server configured to assist in discovering one of the security gateways to which it attaches. Each security gateway includes a mechanism operable to authenticate the security server to the wireless access point prior to authenticating the wireless access point. The security server selects one of the security gateways based on the information from the wireless access point, sends the IP address of the selected security gateway to the wireless access point, and connects the wireless access point and the selected security gateway. Including a mechanism to establish communication between them.

  These and other aspects, as well as various embodiments, are disclosed in further detail in the drawings, description, and claims.

It is a figure which shows the specific example of the radio | wireless communications system which has a femto base station. FIG. 2 is a diagram illustrating a specific example of a radio station architecture for the radio communication device or base station of FIG. 1. 2 is a diagram showing a specific example of the WiMAX implementation of the system of FIG. 1 that obtains the SeGw IP address via the security server's preconfigured FQDN, URL, or public IP address. FIG. 2 is a diagram showing a specific example of the WiMAX implementation of the system of FIG. 1 that obtains the SeGw IP address via the security server's preconfigured FQDN, URL, or public IP address. FIG. FIG. 2 is a diagram illustrating a specific example of WiMAX implementation of the system of FIG. 1 that acquires the SeGw IP address via a pre-configured FQDN, URL, or public IP address of a femto DHCP server. FIG. 2 is a diagram illustrating a specific example of WiMAX implementation of the system of FIG. 1 that acquires the SeGw IP address via a pre-configured FQDN, URL, or public IP address of a femto DHCP server.

  FIG. 1 shows a specific example of a wireless communication system having a femto base station. A wireless communication system may be a wireless network and includes one or more base stations 105, for example, a macrocell base station, a microcell base station, or a picocell base station. One or more femtocell base stations 120 may be provided as femto-cell wireless access points (WFAP), thereby extending the wireless service provided by the base station 105. Base station 105 and femtocell base station 120 can provide wireless services to wireless devices such as mobile station 110 (MS). The system can include one or more core network components 125 that provide wireless services via base stations 105, 120. In FIG. 1, a radio communication system based on Code Division Multiple Access (CDMA), for example, CDMA2000 1x, HRPD (High Rate Packet Data), eHRPD (evolved HRPD), UMTS (Universal Mobile Telecommunications System), UTRAN. Various wireless communication technologies such as (Universal Terrestrial Radio Access Network), E-UTRAN (Evolved UTRAN), LTE (Long-Term Evolution), WiMAX (Worldwide Interoperability for Microwave Access) based on the IEEE 802.16 standard may be adopted. it can.

  FIG. 2 shows a specific example of the radio station architecture of the radio communication device 110 or the base stations 105 and 120 shown in FIG. The wireless station 205 can include a processor circuit 210, such as a microprocessor, that implements one or more of the wireless technologies disclosed herein. The wireless station 205 can include a transceiver circuit 215 that transmits and / or receives wireless signals via one or more communication interfaces, such as an antenna 220. The wireless station 205 can include other communication interfaces for transmitting and receiving data. The wireless station 205 can include one or more memories configured to store information such as data and / or instructions.

  The wireless communication device 110 is also referred to as a wireless subscriber station or a mobile station (MS), can perform wireless communication with the base station 105 or the WFAP 120, and may be realized as a mobile device or a fixed device. The fixed device may be repositioned within the system. Specific examples of fixed wireless devices can include desktop computers and computer servers. Specific examples of mobile radio devices can include mobile radio telephones, personal digital assistants (PDAs), and mobile computers. The system base station 105 is conceptually centered on a cell and is a radio transceiver that communicates wirelessly with an MS in the cell via a downlink radio signal. Each BS may be designed to have a directional antenna, generate two or more directional beams, and further divide each cell into different sections. The system is provided with a base station controller (BSC) for controlling the BS. Each BSC is connected to two or more specified groups of BSs and controls the connected BSs.

  Within a wireless communication system, a wireless femto access point (WFAP) 120 is directly attached to a wired or wireless broadband network infrastructure 125, such as DSL, cable modem, or the like. In various embodiments, the wired or wireless broadband network infrastructure may not belong to the same operator that manages a femto network service provider (NSP). In such a situation, it is desirable to provide the WFAP with a mechanism for obtaining the IP address of a security gateway (Security Gateway: SeGw) that protects the WFAP access to the corresponding femto gateway and the back-end network of the femto NSP. In many cases, the specific location of WFAP access cannot be determined in advance and may be deployed at any location, for example, across the country or internationally. Therefore, it is important for WFAP to obtain the SeGw IP address from any deployment position. For example, the WFAP can obtain the SeGw IP address via the SeGw pre-configured Fully Qualified Domain Name (FQDN), URL, or public IP address. In the following specific example, the SeGw IP address is obtained using a special security server for the Femto ASN and Dynamic Host Configuration Protocol (DHCP) server.

  FIG. 3 shows a specific example of the WiMAX implementation of the system of FIG. 1 that obtains the SeGw IP address via the security server's pre-configured FQDN, URL, or public IP address. In this example, the system is for one or more macro radio access service networks (ASNs) 310, AAA modules 322 for authentication, authorization and charging functions and user registration functions for WiMAX communications. A connectivity serving network (CSN) 320 including a home agent module 324 and one or more femto radio access service networks (femto ASNs) 330 are included. A femto network service provider (NSP) module 340 is provided for managing or controlling the femto ASN 330.

  The ASN 310 controls one or more base stations (BSs) 312 or base transceiver stations (BSTs) that are spatially distributed in a service area and provide radio access, and controls the BS 312. And an ASN gateway (GW) 314 that manages communications with the CSN 320 and the femto ASN 330 by the ASN 310. The femto ASN 330 includes one or more WFAPs 332, one or more security gateways (SeGW) 334 that protect WFAP access by the WFAPs 332, and a femto gateway (femto gateway) that manages communication between the ASNs 310 and the CSNs 320 by the femto ASN 330. : Femto GW) 336.

  In FIG. 3, a femto NSP 340 that manages the femto ASN 330 and is responsible for the operation, authentication, and management of the WFAP 332 is provided. The femto NSP 340 includes a femto AAA module 342 that performs authentication and charging of the WFAP 332 and a security server 344 that handles the initial process of checking the identity of the WFAP 332 and directs the WFAP 332 to the appropriate SeGW 334 in the femto ASN 330. Security server 344 supports initial bootstrapping to the network of WFAP 332 and is therefore also referred to as a bootstrap server. There is also provided a WFAP management server that provides a WFAP operation and maintenance (O & M) function based on a standard such as Simple Network Management Protocol (SNMP), TR069, or DOCSIS. In some implementations, the WFAP management server may be part of the femto NSP 340.

  In FIG. 3, Reference Point R3 includes a set of control plane protocol and bearer plane protocol, supports AAA functions, and transfers user data between femto ASN 330 and CSN 320. AAA 322 is responsible for subscriber authentication and billing operations. Reference point R4 includes a set of control plane and bearer plane protocols that initiate / end various functional entities of ASN that coordinate MS mobility between different ASNs and Fe-GWs and between Fe-GWs. Further, the Fe-GW 336 may be connected to the macro ASN-GW 314 via R4. Reference point R6-F includes a set of control and bearer planes for communication between WFAP 332 and Fe-GW 336. Control plane traffic and bearer plane traffic via the reference point R6-F are transmitted via the IPsec 9 tunnel between the WFAP and the Se-GW. Reference point R3-F includes a set of control plane protocols based on the protocol for R3 in the macro WiMAX network and supports WFAP 332 authorization, authentication and charging between femto ASN 330 26 and femto NSP 340. R3-F can also include a management plane protocol between the management server and WFAP. The reference point Rx includes a set of initial bootstrapping protocols between the WFAP and the bootstrap server.

  FIG. 4 shows a specific example of an operation flow for discovery of SeGw 334 via the security server or bootstrap server 344.

  In step 1, the WFAP 332 is booted up.

  In step 2, the WFAP 332 acquires an (external) IP address from the backhaul network (eg, DSL, cable) via a DHCP server. If the WFAP 332 does not have the pre-provisioned FQDN (FQDN) of the bootstrap server 344, the IP address of the bootstrap server 344 can be provided as a DHCP option.

  If the FQDN of the bootstrap server 344 is previously provided to the WFAP 332, the WFAP sends a domain name server (DNS) query for the IP address of the bootstrap server 344, as indicated by step 3.

  If WFAP 332 determines the IP address of bootstrap server 344 in either step 2 or step 3, WFAP 332 determines in step 4 that the pre-provided certificate, such as a digital certificate for bootstrap server 344, is provided. Based on HTTPS, it authenticates the server 344 and establishes a secure connection with the bootstrap server. WFAP 332 does not provide its certificate to server 344. Only the bootstrap server 344 is authenticated.

  In step 5, the WFAP 332 connects to the bootstrap server 344, requests initial configuration information, eg, the IP address of the SeGw 334, from the bootstrap server 344 and downloads it. The WFAP 332 may provide its own IP address as well as other location information (eg, GPS information) so that the bootstrap server 344 can select the appropriate Se-GW 334 for the WFAP 332. The WFAP 332 acquires the Se-GW 334 IP address from the bootstrap server 344. Furthermore, the WFAP 332 can acquire the FQDN of the management server.

  In step 6, the WFAP 332 and the Se-GW 334 authenticate each other and establish a VPN tunnel. The Se-GW 334 communicates with the femto AAA 342 via the femto GW 314 for authorization of the WFAP 332. Further, the Se-GW 334 also assigns an internal IP address to the WFAP 332.

  In step 7, the WFAP 332 and the femto AAA 342 communicate to execute WFAP authentication. The WFAP 332 performs a DNS query, and acquires the IP address of the management server from the FQDN of the management server in step 5.

  In step 8, the WFAP 332 connects to the management server. The WFAP 332 transmits local information such as the IP address of the WFAP 332 and its position information to the management server. The WFAP 332 downloads the configuration information of the WFAP 332 from the management server.

  In Step 9, the WFAP 332 and the femto GW 336 establish a communication R6-F via the SeGw 334.

  In the process described above, the WFAP 332 may authenticate the security server 344 to prevent, for example, malicious spoofing via a server certificate of the security server. If a fully qualified domain name (FQDN) is pre-configured in WFAP 332, WFAP 332 performs a DNS query and, if necessary, the public IP address or URL of security server 344 before authenticating security server 344. To get. If the WFAP is deployed nationally or internationally, the security server 344 is often deployed based on a server farm-based architecture, and the WFAP 332 approaches the nearest security server 344 to provide SeGw 334. Get the IP address or URL. When the security server 344 communicates with the WFAP 332 via HTTPS or HTTP, the format of the initial configuration parameter including the SeGw IP address or URL can be standardized, for example, in the form of SOAP / XML.

  In the process of FIG. 4, WFAP 332 opens an HTTPS session to bootstrap server 344. During authentication, the bootstrap server certificate is presented without using the WFAP certificate. As a result, the WFAP 332 authenticates the bootstrap server 334. Using this session, the WFAP 332 notifies the bootstrap server 344 of its IP address and location information, and acquires the Se-GWIP address and FQDN of the management server.

  Alternatively, the WFAP 332 may provide a system that can obtain the SeGw IP address or URL via the preconfigured FQDN or public IP address of the DHCP server. Specific examples thereof are shown in FIGS.

  FIG. 5 shows a specific example of the WiMAX implementation of the system of FIG. 1 that obtains the SeGw IP address via the pre-configured FQDN, URL or public IP address of the femto DHCP server 510. In this specific example, if the FQDN is pre-configured in the WFAP, the WFAP executes a DNS query to obtain the public IP address of the femto DHCP server 510. When deployed nationally or internationally, the femto DHCP server 510 is often deployed based on a server farm-based architecture, and the WFAP approaches the nearest femto DHCP server 510 to create a SeGw Get the IP address. A safety mechanism based on a standard in which the DHCP protocol is supported can also be applied to FIG. Since the DHCP protocol is officially standardized in a well-known format, this design can support this capability without the need for any additional format in the DHCP configuration file. Only certain parameters for the initial configuration need be specified.

  FIG. 6 shows a control flow of system interaction in which the WFAP acquires the SeGw IP address via the DHCP server access.

  The embodiments disclosed herein and other embodiments, modules, and functional operations may be implemented in digital electronic circuitry, and include the structures disclosed herein and their structural equivalents. It may be realized by software, firmware or hardware, and may be realized by a combination of one or more of these. The disclosed embodiments and other embodiments can be encoded in one or more computer program products, ie, computer readable media, executed by a data processing device, or operations of a data processing device. It can also be implemented as one or more modules of computer program instructions that control The computer readable medium may be a machine readable storage device, a machine readable storage substrate, a memory device, a composition that acts on a machine readable propagation signal, or a combination of one or more thereof. The term “data processing device” encompasses all devices, devices, and machines for processing data, including by way of example a programmable processor, computer, multiple processors or computers. In addition to hardware, the apparatus may include code for creating an execution environment of the computer program, for example, code constituting processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of these. it can. A propagated signal is an artificially generated signal, for example, an electrical signal, an optical signal, or an electromagnetic wave signal generated by a machine to encode information for transmission to a suitable receiving device.

  A computer program (also called a program, software, software application, script or code) may be written in any form of programming language, including a compiler language or an interpreter language, for example as a stand-alone program or as a module, component, subroutine or As other units suitable for use in a computing environment, they may be deployed in any form. A computer program does not necessarily correspond to a file in a file system. The program may be stored in a part of a file containing other programs or data (eg, one or more scripts stored in a markup language document) and stored in a single file dedicated to that program Alternatively, the files may be stored in a plurality of files to be linked (for example, one or more files storing a module, a subprogram, or a part of code). A computer program may be deployed to be executed on a single computer, and may be executed on a plurality of computers provided at one location or distributed across multiple locations and interconnected by a communication network May be deployed as is.

  The processes and logic flows disclosed herein may be implemented by one or more programmable processors that execute one or more computer programs that implement functions by processing input data and generating output. Good. The process and logic flow may be performed by a dedicated logic circuit such as, for example, a field programmable gate array (FPGA) or an application specific integrated circuit (ASIC).

  Processors suitable for the execution of computer programs may include, by way of example, both general and special purpose microprocessors, as well as any one or more processors of any type of digital computer. A processor typically receives instructions and data from a read-only memory or a random access memory, or both. The basic elements of a computer are a processor that executes instructions and one or more memory devices that store instructions and data. The computer also typically includes one or more mass storage devices for storing data, eg, a magnetic disk, magneto-optical disk or optical disk, or receives data from the mass storage device and stores mass data. It is operatively connected to the mass storage device to transmit data to the device or to perform both operations. However, the computer does not necessarily have such a device. Devices suitable for storage of computer program instructions and data include, by way of example, semiconductor storage devices such as all types of non-volatile memory including EPROM, EEPROM and flash memory devices, magnetic disks such as internal hard disks or removable devices. Discs, magneto-optical discs, CD-ROM discs and DVD-ROM discs are included. The processor and the memory may be supplemented by a dedicated logic circuit or may be incorporated in the dedicated logic circuit.

  This specification includes many details, but these details are not to be construed as limiting the scope of the invention as claimed or claimable. To be construed as a description of particular features of a particular embodiment. In this specification, several features disclosed in the context of separate embodiments may be combined and implemented in a single embodiment. Conversely, various features disclosed in the context of a single embodiment can be embodied separately in multiple embodiments and can be embodied in any suitable subcombination. Furthermore, although the above describes some features as functioning in a certain combination, initially, even if so claimed, from the claimed combination One or more features may be excluded from the combination in some cases, and the claimed combination may be changed to a partial combination or a variation of a partial combination. Similarly, in the drawings, the operations are shown in a particular order, but such operations need not be performed in the particular order or sequential order shown to achieve the desired result, and It is not necessary to perform all the operations shown.

  Only a few specific examples and examples have been disclosed. Based on the content disclosed here, the above-described specific examples, examples, and other examples can be modified, changed, and extended.

Claims (10)

A method for discovering a security gateway for attaching a wireless access point to a wireless communication system, comprising:
A step in which the wireless access point, connected to the communication network, the wireless access point to obtain the IP address of the security server configured to assist finding the security gateway in the system,
The wireless access point establishes communication between the wireless access point and the security server using the acquired IP address;
The wireless access point provides the security server with the wireless access point information so that the security server selects a security gateway from security gateways in the system based on the wireless access point information. When,
The wireless access point obtaining an IP address of the selected security gateway from the security server;
The wireless access point establishes communication between the wireless access point and the security gateway using the acquired IP address of the selected security gateway, and wirelessly communicates with the system via the security gateway. Attaching the access point. After connecting the wireless access point to the communication network, the wireless access point sends a domain name server query to obtain an IP address of the security server;
The method of claim 1, wherein the wireless access point authenticates the security server based on the acquired IP address of the security server before the security server selects the security gateway.   The method of claim 2, further comprising the step of authenticating the security gateway after the establishment of communication between the wireless access point and the security gateway. After connecting the wireless access point to the communication network, the wireless access point obtains an IP address of the security server using information previously provided in the wireless access point;
The method according to claim 1, wherein the wireless access point authenticates the security server based on an IP address obtained by the security server. A wireless access service network (ASN) including a security gateway capable of attaching one or more wireless access points;
A security server connected to the ASN and configured to assist in discovering one of the security gateways to which the wireless access point attaches;
Before authenticating the previous SL security gateway, wireless access point is operable to authenticate the security server for the wireless access point,
The security server selects one of the security gateways based on information from the wireless access point, transmits the IP address of the selected security gateway to the wireless access point, and selects the wireless access point and the selection A wireless communication system including a mechanism that allows communication to be established with a designated security gateway.   6. The system of claim 5, comprising a mechanism for performing a domain name search from a domain name server to obtain an IP address of the security server before selecting one of the security gateways. In a method for discovering a security gateway for attaching a wireless femto access point in a wireless communication system based on WiMAX,
A step of pre-Symbol wireless femto access point, acquires the configured IP address of the bootstrap server to assist in finding the security gateway in the system,
The wireless femto access point establishes communication between the wireless femto access point and the bootstrap server using the acquired IP address;
Based on the information of the wireless femto access point, the wireless femto access point causes the bootstrap server to select a security gateway from security gateways in the system. Providing information, and
The wireless femto access point obtaining an IP address of the selected security gateway from the bootstrap server;
The wireless femto access point establishes communication between the wireless femto access point and the security gateway using the acquired IP address of the selected security gateway, and through the security gateway, the system Attaching the wireless femto point to
The method wherein the wireless femto access point operates to extend a wireless service provided by a wireless base station in the system. The wireless femto access point performs a domain name search from a domain name server to obtain an IP address of the bootstrap server;
The wireless femto access point comprises authenticating the bootstrap server based on an acquired IP address of the bootstrap server before the bootstrap server selects the security gateway. Method.   The method of claim 8, comprising establishing authentication between the wireless femto access point and the security gateway, the wireless femto access point authenticating the security gateway. The wireless femto access point obtains an IP address of the bootstrap server using information previously provided in the wireless femto access point;
8. The method of claim 7, comprising: the wireless femto access point authenticating the bootstrap server based on the acquired IP address of the bootstrap server.

Images