WO2016049353A1 - Methods and apparatus for hybrid access to a core network based on proxied authentication - Google Patents

Methods and apparatus for hybrid access to a core network based on proxied authentication

Info

Publication number
WO2016049353A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
wireless station
subscriber device
lte
node
Prior art date
Application number
PCT/US2015/052016
Other languages
English (en)
Inventor
Behzad Mohebbi
Original Assignee
Behzad Mohebbi
Priority date
Filing date
Publication date
Priority claimed from US14/863,239 (published as US20160014127A1)
Application filed by Behzad Mohebbi
Priority to EP15843308.6A (EP3198787A4)
Priority to CN201580051942.5A (CN106716920A)
Priority to JP2017516330A (JP2017532889A)
Publication of WO2016049353A1


Classifications

    All entries are under H (Electricity) > H04 (Electric communication technique); the subclass is H04W (Wireless communication networks) unless stated otherwise.
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication
    • H04L (Transmission of digital information, e.g. telegraphic communication) > H04L63/00 Network architectures or network communication protocols for network security > H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload > H04L63/0435 wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04W12/00 > H04W12/03 Protecting confidentiality, e.g. by encryption > H04W12/033 of the user plane, e.g. user's traffic
    • H04W12/00 > H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices > H04W88/08 Access point devices > H04W88/10 Access point devices adapted for operation in multiple networks, e.g. multi-mode access points
    • H04W12/00 > H04W12/40 Security arrangements using identity modules > H04W12/43 using shared identity modules, e.g. SIM sharing
    • H04W48/00 Access restriction; Network selection; Access point selection > H04W48/02 Access restriction performed under specific conditions
    • H04W76/00 Connection management > H04W76/10 Connection setup > H04W76/12 Setup of transport tunnels
    • H04W76/00 > H04W76/10 > H04W76/15 Setup of multiple wireless link connections > H04W76/16 Involving different core network technologies, e.g. a packet-switched [PS] bearer in combination with a circuit-switched [CS] bearer
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/00 > H04W80/06 Transport layer protocols, e.g. TCP [Transport Control Protocol] over wireless
    • H04W88/00 > H04W88/02 Terminal devices > H04W88/06 Terminal devices adapted for operation in multiple networks or having at least two operational modes, e.g. multi-mode terminals
    • H04W88/00 > H04W88/08 Access point devices

Definitions

  • the present disclosure relates generally to the field of wireless communication and data networks. More particularly, in one exemplary aspect, the disclosure is directed to methods and apparatus for hybrid access to a core network.
  • incipient solutions include e.g., so-called “small cell” (e.g., femtocells, picocells, and microcells), "HetNet” (heterogeneous network) and "Wi-Fi Offloading”.
  • small cell technologies require backhaul connectivity to the network operator's core network; this can complicate deployment, as small cells may not have access to sufficient frequency resources yet still require a high-capacity underlay (i.e., carrier-grade connectivity must be provided at a much higher cost per bit).
  • HetNets incorporate multiple different network technologies, and can experience co-channel interference
  • Wi-Fi hotspots operate in unlicensed (license-exempt) bands where there is an abundance of spectrum (the Industrial, Scientific and Medical (ISM) and Unlicensed National Information Infrastructure (U-NII) bands may together provide nearly 0.5 GHz of spectrum).
  • Wi-Fi offloading is very attractive to network operators; in fact, some small cell base stations have integrated Wi-Fi Access Point (AP) functionalities (e.g., "Wi-Fi ready”).
  • there are several fundamental problems associated with Wi-Fi offloading systems and networks.
  • Existing network operators treat the cellular and Wi-Fi networks as two separate business units, which are operated and managed separately. There is also very little integration and interworking between the two networks at the operation and services levels. For example, Wi-Fi networks do not have standard “discovery”, “selection” and “access” mechanisms and/or procedures. This can make it difficult to get onto these networks and/or result in inconsistent Quality of Service (QoS), security and policies.
  • WISPr Wireless Internet Service Provider roaming
  • AAA Authentication, Authorization, and Accounting
  • RADIUS Remote Authentication Dial-In User Service
  • Such improvements would ideally provide an integrated solution for merging e.g., Wi-Fi and cellular networks, making e.g., user experience, policy control, discovery, selection and association, authentication, and QoS, seamless and similar in both networks.
  • Other benefits may include e.g., Wi-Fi roaming, Wi-Fi neutral host, and IP-mobility capabilities, while providing network handoffs for an integrated cellular- Wi-Fi network.
  • the present disclosure satisfies the aforementioned needs by providing, inter alia, improved apparatus and methods for hybrid access to a core network.
  • a method for wireless communications including a first and a second communications systems, where the first communications system has at least a first node and a second node in communications with each other is disclosed.
  • the method includes: executing a first portion of layers within the first node, and causing the second node to execute a second portion of layers; providing one or more identifying information from the first node to the second node, the one or more identifying information in conjunction with the execution of the second portion of layers configured to authenticate the first node with at least one logical entity in the first communications system; and wherein successful authentication establishes a connection between the second node and the at least one logical entity.
  • the executing of the second portion of layers within the second node includes coupling to a Transmission Control Protocol/Internet Protocol (TCP/IP) layer of the first node.
  • the executing of the first portion of layers within the first node includes coupling to a complementary Transmission Control Protocol/Internet Protocol (TCP/IP) layer of the second node.
  • the method includes causing the second portion of layers to derive one or more authentication information; and based on the derived one or more authentication information, the second portion of layers is further configured to encrypt one or more data payloads for a first link between the second node and the at least one logical entity.
  • the method further includes deriving the one or more authentication information at the first portion of layers; and based on the derived one or more authentication information, encrypting one or more data payloads for the second portion of layers at the first portion of layers.
  • the method includes receiving the one or more identifying information from a subscriber identity module (SIM) that is not local to the first node.
  • the providing the one or more identifying information from the first node to the second node is performed via a public key encryption scheme.
  • the public key encryption scheme includes receiving a manually entered password from a user input.
  • the public key encryption scheme includes retrieving a pre-defined public key.
  • a wireless station apparatus configured to provide connectivity to a core network.
  • the wireless station apparatus includes: a network interface, the network interface configured to connect to the core network associated with a second radio technology; a radio interface, the radio interface configured to provide an open wireless network according to a first radio technology different than the second radio technology; a processor; and a non-transitory computer readable medium in data communication with the processor and including one or more instructions.
  • the one or more instructions, when executed by the processor, cause the wireless station apparatus to, responsive to a subscriber device of the open wireless network requesting access to the core network: receive one or more identifying information from the subscriber device; authenticate to the core network based on the one or more identifying information via the network interface, wherein the authentication results in a derivation of one or more authentication keys; and establish a secure link to the subscriber device via the open wireless network based on the one or more authentication keys.
  • the one or more instructions when executed by the processor, cause the wireless station apparatus to execute one or more software layers that are uniquely associated with the subscriber device and the second radio technology.
  • the executed one or more software layers mimic one or more portions of a call stack associated with the subscriber device.
  • at least one software layer is mimicked that authenticates the subscriber device to the second radio technology.
  • the received one or more identifying information is received via a public key encryption; and where the established secure link is based on a symmetric key encryption.
  • a subscriber device configured to communicate with a core network via a wireless station.
  • the subscriber device includes: a radio interface, the radio interface configured to communicate with a wireless station, where the wireless station is configured to communicate with the core network; a processor; and a non-transitory computer readable apparatus including one or more instructions.
  • the one or more instructions are configured to, when executed by the processor, cause the subscriber device to: provide one or more identifying information to the wireless station, wherein the wireless station is configured to communicate with the core network; receive one or more authentication information from the wireless station; and establish a secure connection to the wireless station based on one or more keys derived from the one or more authentication information.
  • the identifying information includes a Long Term Evolution (LTE) Evolved Packet System (EPS) Access Security Management Entity key (K_ASME).
  • the subscriber device is further configured to authorize the use of its one or more identifying information by at least one other subscriber device.
  • the at least one other subscriber device shares the secure connection to the wireless station.
  • the subscriber device is further configured to request another internet protocol (IP) address for the at least one other subscriber device.
  • the one or more identifying information is provided to the wireless station via a public key encryption scheme.
  • FIG. 1 is a block diagram representation of one prior art 3rd Generation Partnership Project (3GPP) Release 8 network architecture.
  • FIG. 2 is a block diagram representation of one exemplary embodiment of a Wi-Fi over Long Term Evolution (WoLTEN) network architecture.
  • FIG. 3 is a logical block diagram representation of one exemplary wireless station configured to provide hybrid access to a core network in accordance with various principles described herein.
  • FIG. 4 is a logical block diagram representation of one exemplary subscriber device configured to access a core network via a hybrid access scheme in accordance with various principles described herein.
  • FIG. 5 is a logical block diagram representing an Institute of Electrical and Electronics Engineers (IEEE) 802.11n Physical (PHY) (L1) and Medium Access Control (MAC) (L2) protocol stack useful in conjunction with various aspects of the present disclosure.
  • FIG. 6 is a logical representation of the Wi-Fi PIPE formed by the exemplary wireless station (e.g., as described in FIG. 3) and the exemplary subscriber device (e.g., as described in FIG. 4).
  • FIG. 7 is a logical software diagram representation of several of the Logical, Transport and Physical channels of prior art LTE radio architectures.
  • FIG. 8 is a logical software diagram representation of a prior art LTE software user-plane protocol stack.
  • FIG. 9 is a logical software diagram representation of a prior art LTE software control-plane protocol stack.
  • FIG. 10 is a logical software diagram illustrating one exemplary embodiment of a LTE radio user-plane protocol stack that operates between the user equipment (UE) and evolved NodeB (eNB), and a modification thereof, in accordance with various aspects of the present disclosure.
  • FIG. 11 is a logical software diagram illustrating one exemplary embodiment of the LTE radio control-plane protocol stack that operates between the user equipment (UE) and evolved NodeB (eNB), and a modification thereof, in accordance with various aspects of the present disclosure.
  • FIG. 11A is a logical block diagram of one exemplary user equipment (UE) in communication with a Wi-Fi access point (AP) using a second exemplary stack arrangement, in accordance with the principles described herein.
  • FIG. 12 is a logical software diagram illustrating one exemplary embodiment of a conceptual architecture of the LTE MAC, useful in conjunction with various aspects of the present disclosure.
  • FIG. 13 is a logical software diagram representation of an overall protocol stack architecture (both user-plane and control-plane) for the subscriber device and the wireless station.
  • FIG. 14 is a logical flow diagram of one generalized process for discovery, initiation and configuration of a mobility management session.
  • FIG. 15 is a logical flow diagram illustrating the initialization of a Wi-Fi over Long Term Evolution (WoLTEN) connection of one exemplary WoLTEN application (APP) executed on a subscriber device.
  • FIG. 16 is a logical flow diagram illustrating the initialization of a Wi-Fi over Long Term Evolution (WoLTEN) connection of one exemplary WoLTEN agent executed on a wireless station.
  • FIG. 17 is a logical block diagram of one exemplary external subscriber identity module (SIM/USIM) useful in conjunction with the present disclosure.
  • a subscriber device and a wireless station are connected via an “access tunnel” (e.g., a so-called “Wi-Fi PIPE”).
  • the wireless station is configured to directly connect to the core network, using protocols similar (or identical) to existing network entities (e.g., evolved NodeBs (eNBs)).
  • an exemplary Wi-Fi access point (AP) provides access to a Long Term Evolution (LTE) network.
  • the subscriber device and wireless station are connected via the Wi-Fi PIPE; the wireless station executes a translation process (e.g., a user equipment (UE) medium access control (MAC), virtual physical layer (VPHY), and access point (AP) MAC), thereby seamlessly connecting the subscriber device to the LTE core network.
  • “wireless” means any wireless signal, data, communication, or other interface including without limitation Wi-Fi (IEEE 802.11 and its derivatives such as “b”, “a”, “g”, “n”, “ac”, etc.), Bluetooth, 3G (e.g., 3GPP, 3GPP2, and UMTS), 4G (LTE, LTE-A, WiMax), HSDPA/HSUPA, TDMA, CDMA (e.g., IS-95A, WCDMA, etc.), FHSS, DSSS, GSM, PAN/802.15, WiMAX (802.16), 802.20, narrowband/FDMA, OFDM, PCS/DCS, analog cellular, CDPD, satellite systems, millimeter wave or microwave systems, acoustic, and infrared (e.g., IrDA).
  • network refers generally to any type of data, telecommunications or other network including, without limitation, data networks (including MANs, PANs, WANs, LANs, WLANs, micronets, piconets, internets, and intranets), satellite networks, cellular networks, and telco networks.
  • Wi-Fi Wireless Fidelity
  • spectrum or bandwidth
  • Wi-Fi networks operate within unlicensed frequency bands which span several hundred MHz of spectrum.
  • ISM 2.4 GHz Industrial, Scientific and Medical
  • U-NII 5 GHz Unlicensed National Information Infrastructure
  • network operators were concerned about the availability and quality of a license-free (exempt) spectrum and possible negative impacts on user experience; however, unlicensed technologies (such as Wi-Fi) continue to provide stable and effective connectivity even under congested and hostile scenarios.
  • Wi-Fi networks use Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) Medium Access Control (MAC) protocols, namely the contention-based Distributed Coordination Function (DCF) and the optional contention-free Point Coordination Function (PCF), specifically designed to enable ad hoc deployment.
  • Wi-Fi technology was designed to support high throughput from conception.
  • Existing Wi-Fi devices are commonly capable of data rates in excess of 300 Mbit/s; future revisions promise Gbit/s data rates.
  • Wi-Fi technology and devices have been manufactured for more than a decade, and the components are commoditized and available at relatively low cost. Many existing consumer devices already incorporate Wi-Fi technology, thus the minimal cost of equipment (for both network operators and subscribers) does not present any significant hurdle to deployment.
  • Wi-Fi may have potential applicability as a complementary communication system for: (a) offloading data traffic and (b) improving coverage. More directly, Wi-Fi offloading can alleviate traffic congestion since the available spectrum for Wi-Fi exceeds the network operators' spectrum. Furthermore, Wi-Fi is more cost effective and does not require network planning and operation for “difficult to cover” areas (e.g., indoors), when compared to small cell solution equivalents. To these ends, many newer small-cell base stations (so-called “NodeB” for 3G and evolved NodeB (eNodeB or eNB) for 4G LTE) have incorporated Wi-Fi Access Point (AP) capability.
  • Network operators that offer Wi-Fi services treat the cellular and Wi-Fi networks as two separate business units, with the two networks operated and managed separately. From an implementation point of view, there is little to no integration and interworking between the two networks at the operation and services levels. Additionally, Wi-Fi networks suffer from a lack of standard “discovery”, “selection” and access mechanisms and procedures. For this reason, the subscriber usually has great difficulty finding and using such networks, and even once found, the Quality of Service (QoS) services and policies are not consistent or guaranteed across networks. Inconsistent service provisioning is readily perceptible by subscribers, and can negatively impact customer satisfaction.
  • Wi-Fi networks are based on web-based authentication methods such as WISPr (or similar variants), which rely on the traditional user name/password paradigm.
  • EAP-AKA Extensible Authentication Protocol - Authentication and Key Agreement
  • some operators such as Swisscom® have used Wi-Fi SIM/USIM based authentication.
  • Cisco® has proprietary solutions (e.g., based on the Aggregation Services Router (ASR) series of products and Cisco Prime® for network management), as do Alcatel-Lucent® (e.g., Light Radio Wi-Fi/WLAN Gateway) and Ericsson® (e.g., Service-Aware Charging and Control (SACC) and its Network Integrated Wi-Fi solution as a Wi-Fi offloading solution).
  • In each of these solutions the Wi-Fi network is a separate entity from the cellular network.
  • This distinction leads to different security levels and user experiences, and often requires the operator to manage two separate and distinct networks with additional investment in a number of network and interworking entities. For instance, depending on the solution there may be requirements for new or modified handset functional entities such as EAP-SIM and EAP-AKA for Wi-Fi and routing algorithms (such as client-based IP Flow Mobility and Seamless Offload (IFOM)).
  • I-WLAN Interworking-WLAN
  • WAG WLAN Access Gateway
  • PDG Packet Data Gateway
  • AAA Authentication Authorization and Accounting
  • HA Home Agent
  • FIG. 1 depicts the prior art 3GPP Release 8 network architecture 100.
  • 3GPP Release 8 introduced three network components in the 3GPP Core Network (Evolved Packet Core, EPC), namely: the evolved Packet Data Gateway (ePDG) 102, the Authentication Authorization and Accounting (AAA) Server 104, and the Access Network Discovery and Selection Function (ANDSF) 106.
  • Certain existing network entities in the Wi-Fi network were also modified or adapted to incorporate additional functionality (such as the Mobility/Controller Gateway 108).
  • the Wi-Fi AP 116 is a conventional IEEE 802.11n AP that conforms to the IEEE 802.11n standard.
  • the Wi-Fi AP 116 is connected to and controlled by Mobility/Controller Gateway 108, which is integrated with the EPC via the ePDG 102.
  • the UE 114 may also need corresponding functionality to support Client-based Mobile IP and IP Flow mobility for Wi-Fi offloading, as well as the capability to support discovery, selection, association, and SIM based authentication and encryption via the Wi-Fi air interface.
  • the architecture of FIG. 1 enables so-called “non-trusted access”. Specifically, the inclusion of the AAA server 104 (which is also connected to the Home Subscriber Server (HSS) 110) allows SIM-based authentication of a Wi-Fi subscriber device by means of EAP-AKA.
  • the Packet Data Gateway (PDG) (previously introduced in Release 6) was redefined in 3GPP Release 8 as an evolved PDG (ePDG) 102. As shown, the ePDG 102 is connected directly to the Packet Data Network (PDN) Gateway (P-GW) 112 to support IP-mobility for Wi-Fi.
  • a user equipment (UE) 114 is configured to establish an Internet Protocol security (IPsec) tunnel between itself and the ePDG 102 (the intervening network components are not trusted entities, therefore this scheme provides non-trusted access). Since the intervening network components are not trusted, a UE 114 must establish an IPsec tunnel to the ePDG 102. This can be a significant processing burden, as the ePDG must support and maintain a separate IPsec tunnel for each UE.
  • 3GPP Release 10 kept the network architecture 100 and introduced S2a-based Mobility over General Packet Radio Service (GPRS) Tunneling Protocol (SaMOG), which enabled “trusted” access network operation.
  • an IPsec tunnel is set up between the Wi-Fi AP 116 and the P-GW 112.
  • This configuration alleviates large (bandwidth) IPsec tunnels at the ePDG 102; however, since the IPsec tunnel does not extend to the Wi-Fi radio interface, the air interface has to be protected by another mechanism (e.g., IEEE 802.11i link security, as required by Hotspot 2.0).
  • MAPCON Multi-Access PDN Connectivity
  • IFOM IP Flow Mobility
  • in the current 3GPP architecture, each PDN is a specific service network including but not limited to: Internet, IP Multimedia Subsystem (IMS), IPTV, etc.
  • Each PDN is further identified by an Access Point Name (APN).
  • all PDNs are handed to a Wi-Fi offloading network or back to the cellular network.
  • MAPCON allows selection of access network based on the PDN QoS requirements or network load.
  • IFOM is a more advanced version of MAPCON, as it allows a given PDN to have several IP flows, further refining and optimizing performance based on QoS.
  • each PDN is associated with two IP addresses, one for cellular and one for Wi-Fi network access, allowing simultaneous access through both networks.
  • To complete the integration of Wi-Fi with 3GPP cellular networks, a standard automated network “Discovery”, “Selection” and “Association”, and “Policy Control” framework was required for Wi-Fi networks.
  • the existing network architecture 100 provides the foregoing functionality with the Access Network Discovery & Selection Function (ANDSF) 106 and Hotspot 2.0.
  • ANDSF provides a Client-Server based policy control solution
  • Hotspot 2.0 provides EAP-SIM and EAP-AKA based authentication with Wi-Fi networks (e.g., discovery, selection and association with the network operator via the Wi-Fi air interface).
  • Wi-Fi over Long Term Evolution (WoLTEN) Network Architecture
  • the proposed 3GPP solution for cellular/ Wi-Fi integration is not "holistic"; the proposed solutions are a patchwork of specialized and/or modified functional entities spread across network elements.
  • the resulting solution is complex, incomplete, impractical, and not scalable.
  • network operators still have to: (i) operate and maintain two different networks, and (ii) resolve different user experiences between the networks (e.g., security and QoS).
  • the Release 10 proposal (e.g., SaMOG, MAPCON, IFOM, ANDSF and Hotspot 2.0) requires the Wi-Fi network to be a “trusted network”. Practical implementations will most likely need to be owned by the network operator.
  • Such limitations exclude desirable features (e.g., Wi-Fi roaming, neutral host operation, etc.) and limit the deployment scenarios of Wi-Fi networks.
  • certain independent operators such as Boingo® use Wi-Fi to farm out networks in the unlicensed bands.
  • various embodiments of the present disclosure are directed to methods and apparatus for hybrid access to a core network.
  • Ideal solutions would be seamless and functionally similar in both networks (e.g., user experience, policy control, discovery, selection, association, authentication and QoS, etc.) Additionally, such embodiments should provide means for Wi-Fi roaming, Wi-Fi neutral host capabilities, and IP-mobility while also supporting network handoff for an integrated cellular/ Wi-Fi network.
  • Wi-Fi integration relies on incremental changes to the existing 3GPP and Wi-Fi networks e.g., by adding new functional entities while modifying some of the existing ones.
  • preferential solutions should build on the existing 3GPP network (i.e., where the 3GPP core network (e.g., the EPC in a 4G LTE network) has no or minimal changes), instead modifying functionality at the Wi-Fi AP and UE to achieve the desired level of integration.
  • various solutions are disclosed that modify Wi-Fi AP functionality, along with middle-ware software in the UE, configured to enable total Wi-Fi integration with a 3GPP network (transparently to the end user) with minimal changes in the core network.
  • 3GPP core network providing a 4G-LTE (Frequency Division Duplex (FDD)) network operating in a 3GPP approved FDD licensed-band
  • FDD Frequency Division Duplex
  • Other examples of 3GPP network technologies include, without limitation, 3G WCDMA/UMTS/HSPA, 2G and 2.5G GSM-GPRS networks, as well as FDD and TDD cellular systems.
  • IEEE 802.11n Access Point (AP)
  • AP Access Point
  • FHSS Frequency Hopping Spread Spectrum
  • DSSS Direct Sequence Spread Spectrum
  • IR infra-red
  • FIG. 2 depicts one exemplary embodiment of network architecture 200 hereinafter referred to as a "WoLTEN network" (Wi-Fi over Long Term Evolution (LTE) Network).
  • EPC Evolved Packet Core
  • software functionalities of the Wi-Fi AP 204 and UE 206 are configured to accommodate the differences in radio operation (e.g., the differences between the cellular and IEEE 802.11 operation).
  • the Wi-Fi AP 204 is connected directly to the Security Gateway 208 of the EPC 202, and is treated as having the same privileges and security as an eNB 210 in the network (i.e., it is a "trusted" AP).
  • the Security Gateway 208 is directly connected to a HeNB Gateway or a Local Gateway, or equivalent secure gateway entity.
  • the Wi-Fi AP can also be connected to a Mobility/Controller Gateway 212 to function as a conventional Wi-Fi AP (e.g., offering support for legacy devices, etc.).
  • Legacy operation is similar to existing proposals (e.g., see the network architecture 100 of FIG. 1), and is not further described.
  • the logical link control (LLC) layer is excluded; in other variants the LLC layer may be included.
  • LLC logical link control
  • various embodiments of the present disclosure enable LTE specific functionality above the MAC layer. Specifically, the subscriber device behaves as a logical LTE user equipment (UE) above the MAC layer; similarly, the Wi-Fi AP behaves as a logical LTE evolved NodeB (eNB) above the MAC layer.
  • UE logical LTE user equipment
  • eNB logical LTE evolved NodeB
  • the Wi-Fi offloading algorithms can freely select either radio access technology (e.g., LTE or Wi-Fi) based on relevant considerations e.g., connectivity, power consumption, data requirements, etc.
  • radio access technology e.g., LTE or Wi-Fi
  • the WoLTEN network of FIG. 2 enables authentication with LTE Universal Subscriber Identity Module (USIM) (e.g., based on Extensible Authentication Protocol Authentication Key Agreement (EAP-AKA)) and as such, the Wi-Fi network can operate under an "open system authentication" mode (i.e., the Wi-Fi access does not require credentials for access to the integrated network).
  • USIM Universal Subscriber Identity Module
  • EAP-AKA Extensible Authentication Protocol Authentication Key Agreement
  • the Wi-Fi offloading selection algorithm can either reside in the UE (UE-based) 206 or in the network (e.g., MME 214) or both, and can be based on a number of considerations such as load and/or radio conditions on each radio access unit, Quality of Service (QoS) of the provided service, etc.
  • QoS Quality of Service
  • a UE- based algorithm may prefer to use Wi-Fi access, and if Wi-Fi access is not available, then the UE falls back to L
  • the policy and charging rules function (PCRF) 216 can use the same policies and charging rules for eNB bearers and appropriately enabled Wi-Fi APs.
  • an operator may prefer to have different policies and charging rules for the two access units (LTE eNBs and Wi-Fi APs).
  • various embodiments of the present disclosure may be used in conjunction with middle-ware software located in the subscriber UE (UE-S) device. In some embodiments, the middle-ware software can be downloaded (e.g., by the user); alternatively, the middle-ware software may be pre-loaded during device manufacture. In still other embodiments, various embodiments of the present disclosure may be used in conjunction with subscriber devices which include specialized hardware to support the appropriate functionality.
  • UE-S subscriber UE
  • one exemplary wireless station 300 configured to provide hybrid access to a core network is presented.
  • the wireless station 300 is a standalone device, however those of ordinary skill in the related arts will recognize that the described functionality may be incorporated in a wide variety of devices including without limitation: a base station (e.g., a Long Term Evolution (LTE) evolved Node B (eNB), etc.), a portable computer, desktop computer, etc.
  • the exemplary apparatus 300 includes one or more substrate(s) 302 that further include a plurality of integrated circuits including a processing subsystem 304 such as a digital signal processor (DSP), microprocessor, programmable logic device (PLD), gate array, or plurality of processing components, as well as a power management subsystem 306 that provides power to the apparatus 300, a memory subsystem 308, a first radio modem subsystem 310, and an Ethernet switch 312 and associated Ethernet port(s).
  • DSP digital signal processor
  • PLD programmable logic device
  • the processing subsystem may also include an internal cache memory.
  • the processing subsystem 304 is connected to a memory subsystem 308 including non-transitory computer-readable memory which may, for example, include SRAM, Flash and SDRAM components.
  • the memory subsystem may implement one or more DMA-type hardware blocks, so as to facilitate data accesses as is well known in the art.
  • the processing system is configured to read one or more instructions which are stored within the memory, and execute one or more actions based on the read instructions.
  • the processing system 304 has sufficient processing capability to support the first radio subsystem 310 and core network connectivity simultaneously.
  • wireless station 300 is configured to provide additional functionality (i.e., Wi-Fi protocol stacks which are modified to support higher layer LTE protocol stacks and control software) running on the processing subsystem 304, beyond existing wireless station functionality (i.e., legacy Wi-Fi operation).
  • the processor subsystem 304 is configured to execute software for operation and control of the wireless station.
  • One such commercial example is the Broadcom BCM4705 processor chip (which includes a processor core and a number of IOs such as GPIO, RS232 UART, PCI, GMII, RGMII as well as DDR SDRAM controller).
  • the illustrated power management subsystem (PMS) 306 provides power to the wireless station 300, and may include an integrated circuit and/or a plurality of discrete electrical components.
  • power management subsystems 306 include without limitation: a rechargeable battery power source and/or an external power source e.g., from a wall socket, inductive charger, etc.
  • the user IO 314 includes any number of well-known IO including, without limitation: LED lights, speakers, etc.
  • a set of LEDs can be used to indicate connection status (e.g., "green" indicates an online status, "red" indicates a malfunction or connectivity issue, etc.).
  • the IO may incorporate a keypad, touch screen (e.g., multi-touch interface), LCD display, backlight, speaker, and/or microphone or other IOs such as USB, GPIO, RS232 UART, PCI, GMII, RGMII.
  • the first radio subsystem 310 is configured to generate a wireless network that accepts one or more subscriber devices.
  • the generated wireless network is an "open" network, i.e., the generated wireless network does not require any access control measures (e.g., authentication, authorization, or accounting, etc.). While open network operation is described herein, it is appreciated that access control schemes need not be open; limited access and closed access may be used with equal success.
  • the credentials for the wireless radio subsystem 310 can be entered and set via the Ethernet switch 312 and associated Ethernet port that connects to the core network (as described in greater detail hereinafter).
  • the open networks may incorporate so-called "ad hoc" networking, mesh networking, etc.
  • the first radio subsystem is configured to generate a wireless network.
  • the first radio subsystem generates a Wi-Fi network (based on IEEE 802.11n, etc.)
  • Other examples of suitable wireless technologies include, without limitation, Bluetooth, WiMAX, etc.
  • each RF frontend includes e.g., filters, duplexers, RF switches, RF signal power level monitoring, LNAs (Low-Noise Amplifiers) and PAs (Power Amplifiers) that may be required for the device's radio subsystem.
  • the first radio subsystem 310 includes the functionalities needed to configure and operate an IEEE 802.11n modem, including the transceiver part, PHY (physical layer) and MAC (Media Access Controller) units, as well as the associated control and operation software.
  • PHY physical layer
  • MAC Media Access Controller
  • the Ethernet switch 312 and associated Ethernet port(s) are configured to provide access to the Core Network (e.g., EPC 202), and potentially other network entities (e.g., eNBs, HeNBs, etc.). Other common forms of access include, for example, Digital Subscriber Line (DSL), T1, Integrated Services Digital Network (ISDN), satellite link, Data Over Cable Service Interface Specifications (DOCSIS) cable modem, etc.
  • DSL Digital Subscriber Line
  • T1 T-carrier digital line
  • ISDN Integrated Services Digital Network
  • DOCSIS Data Over Cable Service Interface Specifications
  • One commercial example of an Ethernet switch 312 is the Broadcom BCM53115 chip which provides up to five (5) Ethernet ports.
  • the wireless station is configured to directly connect to the core network of a network operator to enable the aforementioned WoLTEN operation, via the Ethernet switch 312.
  • one exemplary subscriber device 400 configured to access a core network via a hybrid access scheme (via the wireless station 300 of FIG. 3) is presented.
  • the subscriber device 400 is a dedicated device, however those of ordinary skill in the related arts will recognize that the described functionality may be incorporated in a wide variety of devices including without limitation: a smartphone, portable computer, desktop computer, and even standalone devices with only one radio modem for Wi-Fi IEEE 802.11n communications, etc.
  • the exemplary apparatus 400 includes one or more substrate(s) 402 that further include a plurality of integrated circuits including a processing subsystem 404 such as a digital signal processor (DSP), microprocessor, programmable logic device (PLD), gate array, or plurality of processing components, as well as a power management subsystem 406 that provides power to the apparatus 400, a memory subsystem 408, and one or more radio modem subsystems.
  • the exemplary apparatus includes four (4) radio modem subsystems: an LTE cellular air-interface 410A, a Wi-Fi IEEE 802.11n air-interface 410B, a GPS air-interface 410C, and a Bluetooth air-interface 410D
  • user input/output (IO) 412 may also be present.
  • the exemplary user input/output (IO) 412 includes: a screen display 412A, a keypad 412B, a microphone and speaker 412C, an audio codec 412D, and a camera 412E.
  • Other peripherals may include external media interfaces (e.g., SD/MMC card interfaces, etc.) and/or sensors, etc.
  • the processing subsystem may also include an internal cache memory.
  • the processing subsystem 404 is connected to a memory subsystem 408 including non-transitory computer-readable memory which may, for example, include SRAM, Flash and SDRAM components.
  • the memory subsystem may implement one or a more of DMA type hardware, so as to facilitate data accesses as is well known in the art.
  • the processing system is configured to read one or more instructions which are stored within the memory, and execute one or more actions based on the read instructions.
  • the processing system 404 of FIG. 4 (also referred to as the "application processor") has sufficient processing capabilities and access to memory components to at least support the Wi-Fi radio subsystem 410B and core network connectivity simultaneously.
  • One commercial example of a processing system 404 is the Freescale i.MX53 1 GHz ARM Cortex-A8 processor or the Qualcomm 800.
  • the illustrated power management subsystem (PMS) 406 provides power to the subscriber device 400, and may include an integrated circuit and/or a plurality of discrete electrical components.
  • power management subsystems 406 include without limitation: a rechargeable battery power source and/or an external power source e.g., from a wall socket, induction charger, etc.
  • the user IO 412 may include any number of well-known IO common to consumer electronics including, without limitation: a keypad, touch screen (e.g., multi-touch interface), LCD display, backlight, speaker, and/or microphone or USB and other interfaces.
  • the subscriber device may have multiple other components (e.g., multiple additional radio subsystems, graphics processors, etc.), the foregoing being merely illustrative.
  • the cellular radio subsystem 410A is configured to join a cellular network provided by a network operator.
  • the cellular radio subsystem 410A is a Fourth Generation (4G) Long Term Evolution (LTE) modem.
  • 4G Fourth Generation
  • LTE Long Term Evolution
  • each RF frontend includes e.g., filters, duplexers, RF switches, RF signal power level monitoring, LNAs, and PAs, that may be required for the device's radio subsystem.
  • the subscriber device 400 is associated with an identification module that verifies the subscriber device to the network operator. Generally, the identification module securely identifies the subscriber device (or subscriber account associated with the device) as being authentic and authorized for access.
  • identification modules include, without limitation, Subscriber Identity Module (SIM), Universal SIM (USIM), Removable Identity Module (RUIM), Code Division Multiple Access (CDMA) SIM (CSIM), etc.
  • the identification modules may be removable (e.g., a SIM card), or alternatively an integral part of the device (e.g., an embedded element having the identification module programmed therein).
  • SIM Subscriber Identity Module
  • USIM Universal SIM
  • RUIM Removable Identity Module
  • CDMA Code Division Multiple Access
  • One commercial example of a cellular radio subsystem 410A is the Qualcomm Gobi MDM9600 and its associated RF and peripheral chips.
  • the Wi-Fi radio subsystem 410B is configured to join a wireless network generated e.g., by the wireless station 300 of FIG. 3.
  • the wireless network radio subsystem 410B is an IEEE 802.11n compliant modem. While not expressly shown, it is appreciated that each RF frontend includes e.g., filters, duplexers, RF switches, RF signal power level monitoring, LNAs, and PAs, that may be required for the device's radio subsystem.
  • the Wi-Fi radio subsystem 410B is configured to execute software for operation and control of the IEEE 802.11n PHY (physical layer) and MAC (Media Access Controller) units, as well as the associated control and operation software.
  • One commercial example of a Wi-Fi radio subsystem 410B is the Atheros single-chip 802.11n product, AR9285.
  • the subscriber device 400 is further configured to provide additional functionality (i.e., Wi-Fi protocol stacks which are modified to support higher layer LTE protocol stacks and control software) running on the processing subsystem 404.
  • additional functionality i.e., Wi-Fi protocol stacks which are modified to support higher layer LTE protocol stacks and control software
  • FIG. 5 illustrates a logical block diagram representing an IEEE 802.11n PHY (L1) and MAC (L2) protocol stack 500 useful in conjunction with various aspects of the present disclosure.
  • the application software 508 operates directly above the MAC layer 506. It is appreciated that other variants may incorporate other software layers (e.g., a Logical Link Control (LLC) and/or IP layer) based on design considerations.
  • LLC Logical Link Control
  • the illustrative PHY can operate in either the U-NII band 502 or ISM band 504, or both at the same time.
  • the MAC layer 506 can either be set to operate in the "Contention" or "Contention-Free" mode.
  • during contention-free mode operation, the MAC uses a Point Coordination Function (PCF); during contention mode operation, the MAC uses a Distributed Coordination Function (DCF).
  • PCF Point Coordination Function
  • DCF Distributed Coordination Function
  • Other Wi-Fi MAC functions include registration, hand-off, power management, security and Quality of Service (QoS). Where not otherwise stated herein, existing Wi-Fi components and functionality are well understood within the related arts and not discussed further.
  • the exemplary wireless station 300 e.g., as described in FIG. 3 and discussion supra
  • the exemplary subscriber device 400 e.g., as described in FIG. 4 and discussion supra
  • the end-to-end MAC connection between the subscriber device 400 and the wireless station 300 forms a "transparent" connection pipe (or access tunnel) which is termed hereafter a "Wi-Fi PIPE" 602.
  • the Wi-Fi PIPE tunnel itself is unsecure (e.g...
  • Wi-Fi PIPE is implemented via a closed network and incorporates native encryption, etc. (Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, etc.).
  • WEP Wired Equivalent Privacy
  • WPA Wi-Fi Protected Access
  • WPA2 Wi-Fi Protected Access 2
  • the Wi-Fi PIPE enables the two logical endpoints running a first application 604 and a second application 606 (respectively) to communicate directly without any intervening translation (i.e., data transfers are not modified).
  • the logical endpoints are unaware of the underlying physical and data link transactions which are occurring in their respective Wi-Fi interfaces.
  • the first application 604 is coupled to the subscriber device's software stack
  • the second application 606 is coupled to the wireless station's software stack (not shown)
  • the Wi-Fi PIPE enables the subscriber device's stack (the SIM/USIM card on the subscriber device 700) to directly connect to the wireless station's stack (on the wireless station 300).
  • the wireless station is connected to the evolved packet core (EPC) (via e.g., the Security Gateway 208) directly.
  • EPC evolved packet core
  • the wireless station is configured to use all or some of the existing eNB LTE software structures and entities (e.g., logical channels, protocols and software stack, RRM, etc.) for communicating and/or interacting with the LTE EPC and UE.
  • FIG. 7 illustrates several of the Logical, Transport and Physical channels of prior art LTE radio architectures, along with the respective protocol stack layers.
  • FIG. 8 illustrates the prior art LTE radio user-plane protocol stack that operates between the user equipment (UE), evolved NodeB (eNB), Serving Gateway (SGW), and PDN Gateway (PGW).
  • FIG. 9 depicts the prior art LTE control-plane protocol stack for between the UE, eNB and Mobility Management Entity (MME).
  • MME Mobility Management Entity
  • RRM Radio Resource Manager
  • the wireless station 300 configures its Ethernet interface and executes a communication protocol as a logical eNB, thereby seamlessly integrating with the existing LTE network architecture.
  • the wireless station 300 appears as an eNB to the EPC and communicates with the SGW using the protocols used between eNB and SGW (e.g., the General Packet Radio Service (GPRS) Tunneling Protocol (GTPU)); communication is performed over user datagram protocol (UDP) internet protocol (IP) (via the wireless station's 300 Ethernet interface 312).
  • GPRS General Packet Radio Service
  • GTPU GPRS Tunneling Protocol, user plane
  • UDP user datagram protocol
  • IP internet protocol
  • the wireless station 300 communicates with the MME using the protocols used between eNB and MME (e.g., the S1-AP over Stream Control Transmission Protocol (SCTP)); communications are performed over IP.
  • SCTP Stream Control Transmission Protocol
  • while the foregoing example is presented with respect to the wireless station's Ethernet interface, it is appreciated by those of ordinary skill in the related arts that the user-plane and control-plane communications may be performed over other interfaces (e.g., over any MAC (L2) and physical (L1) layer that is used for the backbone network between the wireless station and the EPC), given the contents of the present disclosure.
  • L2 MAC
  • L1 physical
  • FIG. 10 illustrates one exemplary embodiment of the LTE radio user-plane protocol stack that operates between the user equipment (UE) and evolved NodeB (eNB), and the modification to support the exemplary subscriber device and exemplary wireless station, in accordance with the principles described herein.
  • FIG. 11 illustrates one exemplary embodiment of the LTE radio control-plane protocol stack that operates between the user equipment (UE) and evolved NodeB (eNB), and the modification to support the exemplary subscriber device and exemplary wireless station, in accordance with the principles described herein.
  • the exemplary hybrid Wi-Fi PIPE protocol stack operates beneath the Radio Link Control (RLC) layer, and replaces the LTE MAC and L1 layers with corresponding Buffer and MUX/DeMUX assemblies (1002, 1004), Wi-Fi PIPE 1006, and virtualized PHY 1008, user equipment (UE) MAC 1010 and access point (AP) MAC 1012.
  • RLC Radio Link Control
  • UE user equipment
  • AP access point
  • the Wi-Fi PIPE is coupled to First-In-First-Out (FIFO) data buffers on both sides (e.g., at the subscriber device 400 and the wireless station 300) to handle time of arrival issues (e.g., jitter) which might otherwise cause scheduling problems for the Wi-Fi PIPE or LTE operation.
  • FIFO First-In-First-Out
  • the station may incorporate multiple buffers corresponding to each user, a single buffer which is divided into multiple partitions for each user, etc.
  • the LTE RLC is configured to disassemble (and re-assemble) data packets from (and to) the Packet Data Convergence Protocol (PDCP) layer into manageable sizes for the Wi-Fi PIPE.
  • the LTE RLC is further configured to ensure that all received packets are in order before passing them to the PDCP layer. In the event that a packet is lost, the LTE RLC layer can perform re-transmission to recover lost packets by initiating Automatic Repeat Request (ARQ) procedures.
  • ARQ Automatic Repeat Request
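A worked illustration of the RLC segmentation, FIFO buffering, in-order delivery and ARQ recovery described above, written for this page (it is not code from the patent): a PDCP PDU is cut into PIPE-sized segments, a constructed lossy PIPE drops two of them, and a single receiver status report drives the retransmission. The 64-byte PIPE MTU, the segment header fields and the status-report format are assumptions.

```python
from __future__ import annotations
from collections import deque
from dataclasses import dataclass

PIPE_MTU = 64   # assumed maximum payload bytes carried per Wi-Fi PIPE frame


@dataclass(frozen=True)
class Segment:
    sn: int        # sequence number of the PDCP PDU this piece belongs to
    idx: int       # position of this piece within that PDU
    last: bool     # True for the final piece of the PDU
    payload: bytes


def segment_pdu(sn: int, pdu: bytes, mtu: int = PIPE_MTU) -> list[Segment]:
    """Disassemble one PDCP PDU into PIPE-sized segments (RLC sender side)."""
    chunks = [pdu[i:i + mtu] for i in range(0, len(pdu), mtu)] or [b""]
    return [Segment(sn, i, i == len(chunks) - 1, c) for i, c in enumerate(chunks)]


class RlcSender:
    """FIFO of outgoing segments; keeps unacknowledged copies for ARQ."""

    def __init__(self) -> None:
        self.fifo: deque[Segment] = deque()
        self.unacked: dict[tuple[int, int], Segment] = {}
        self.next_sn = 0   # sequence numbers are not wrapped in this illustration

    def submit(self, pdu: bytes) -> int:
        sn, self.next_sn = self.next_sn, self.next_sn + 1
        for seg in segment_pdu(sn, pdu):
            self.fifo.append(seg)
            self.unacked[(seg.sn, seg.idx)] = seg
        return sn

    def drain(self) -> list[Segment]:
        """Hand everything queued in the FIFO to the Wi-Fi PIPE."""
        out, self.fifo = list(self.fifo), deque()
        return out

    def handle_status(self, acked: set[int], nacked: list[tuple[int, int]]) -> list[Segment]:
        """Drop ACKed PDUs; return NACKed segments for retransmission (ARQ)."""
        for key in [k for k in self.unacked if k[0] in acked]:
            del self.unacked[key]
        return [self.unacked[k] for k in nacked if k in self.unacked]


class RlcReceiver:
    """Reassembles segments and delivers PDUs to PDCP strictly in order."""

    def __init__(self) -> None:
        self.pending: dict[int, dict[int, Segment]] = {}
        self.expected_sn = 0
        self.delivered: list[bytes] = []
        self.newly_acked: set[int] = set()

    def receive(self, seg: Segment) -> None:
        self.pending.setdefault(seg.sn, {})[seg.idx] = seg
        while (pdu := self._complete(self.expected_sn)) is not None:
            self.delivered.append(pdu)
            self.newly_acked.add(self.expected_sn)
            del self.pending[self.expected_sn]
            self.expected_sn += 1

    def _complete(self, sn: int) -> bytes | None:
        segs = self.pending.get(sn, {})
        last = [s for s in segs.values() if s.last]
        if not last or len(segs) != last[0].idx + 1:
            return None
        return b"".join(segs[i].payload for i in range(len(segs)))

    def status(self) -> tuple[set[int], list[tuple[int, int]]]:
        """Status report: PDUs delivered since the last report, plus every
        (sn, idx) gap that currently blocks in-order delivery."""
        acked, self.newly_acked = self.newly_acked, set()
        nacked: list[tuple[int, int]] = []
        highest = max(self.pending, default=self.expected_sn - 1)
        for sn in range(self.expected_sn, highest + 1):
            segs = self.pending.get(sn, {})
            last_idx = next((s.idx for s in segs.values() if s.last), None)
            # without the last piece we can only ask for the next index
            limit = last_idx if last_idx is not None else max(segs, default=-1) + 1
            nacked += [(sn, i) for i in range(limit + 1) if i not in segs]
        return acked, nacked


def run_pipe(pdus: list[bytes], drop: set[tuple[int, int]]) -> list[bytes]:
    """Constructed scenario: segments listed in `drop` are lost on first
    transmission; one status report then drives ARQ recovery."""
    tx, rx = RlcSender(), RlcReceiver()
    for pdu in pdus:
        tx.submit(pdu)
    for seg in tx.drain():
        if (seg.sn, seg.idx) not in drop:     # lossy Wi-Fi PIPE
            rx.receive(seg)
    acked, nacked = rx.status()
    for seg in tx.handle_status(acked, nacked):
        rx.receive(seg)                        # retransmissions
    return rx.delivered
```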
  • the LTE PDCP entity is configured to provide the ciphering (and integrity) protection (over untrusted connections, such as the Wi-Fi PIPE).
  • the LTE PDCP is further configured to provide Robust Header Compression (ROHC) which may reduce the overhead of transmitting small packets (further improving Wi-Fi PIPE performance).
  • ROHC Robust Header Compression
  • the PDCP entity can provide reordering and re-transmission of packets during hand-off operation.
  • the Wi-Fi PIPE 1006 and corresponding Buffer and MUX DeMUX assemblies (1002, 1004) enable a Wi-Fi radio link between the exemplary subscriber and the exemplary wireless station
  • the higher layers e.g., the RLC, PDCP, RRM etc.
  • the virtualized PHY 1008, UE MAC 1010 and AP MAC 1012 ensure that the LTE based higher layers are unaware of the Wi-Fi radio link operation.
  • the UE MAC 1010 is emulated on the wireless station 300, which communicates with a virtualized PHY 1008 (VPHY) to pass the emulated MAC PDUs with minimum mediation to the wireless station's AP MAC 1012.
  • VPHY virtualized PHY 1008
  • the VPHY may effectively "bypass" or "fake" the extraneous PHY operations for correct operation of the UE MAC 1010 and AP MAC 1012. For example, procedures such as e.g., the Random Access Channel (RACH), Timing Advance (TA), etc. associated with physical layer operation are no longer needed.
  • RACH Random Access Channel
  • TA Timing Advance
  • the VPHY, UE MAC 1010 and AP MAC 1012 can be further optimized (since there is no actual physical propagation channel), as a "thin MAC" which performs the minimal formatting and translation functionality needed for successful interoperation of the Wi-Fi PIPE with the higher layers.
  • FIG. 12 depicts a conceptual architecture of the LTE MAC (UE-side) (the LTE MAC on the eNB side has similar functionality).
  • the MAC controls operations such as RACH, TA, scheduling of channels and discontinuous reception/transmission (DRX/DTX).
  • HARQ Hybrid Automatic Repeat Request
  • uplink HARQ can be disabled as data packet errors and losses are handled before the UE MAC (e.g., by the Wi-Fi PIPE). Channel multiplexing and demultiplexing can also be omitted as the MAC Service Data Units (SDUs) (or Protocol Data Units (PDUs) at the MAC output) can be passed directly between the UE MAC and AP MAC via the VPHY.
  • SDUs Service Data Units
  • PDUs Protocol Data Units
  • Other MAC associated functions including without limitation, buffer status reporting, power headroom reporting, downlink and uplink channel resource scheduling, logical channel prioritization, etc. can also be optimized and/or omitted.
  • Wi-Fi PIPE functionality at the MAC and L1 layers
  • other embodiments may implement similar operations at any layer of the subscriber device and/or wireless station device.
  • the Wi-Fi PIPE is implemented internally within a higher software layer of the protocol stack; i.e., operating at the (Transmission Control Protocol/Internet Protocol) TCP/IP layers.
  • splitting higher software layers of the protocol stack may result in changes to the underlying security architecture of the LTE system.
  • PDCP packet data convergence protocol
  • ROHC Robust Header Compression
  • 1) the UE's SIM/USIM information must be provided to the wireless station 204 such that the wireless station 204 can "proxy" for the UE 206; and 2) the Wi-Fi PIPE transmissions over the radio link must be further encrypted, since the LTE encryption provided by the SIM/USIM terminates at the wireless station 204.
  • the wireless station e.g., Wi-Fi AP in this exemplary embodiment
  • the wireless station can incorporate one or several optional virtual (i.e., secure memory) or physical embedded or removable SIM/USIM modules within.
  • the SIM/USIM modules may be statically programmed, or in some cases, dynamically reprogrammable.
  • the SIM/USIM modules allow the wireless station 204 to proxy for one or more connected UEs 206 (which are serviced via Wi-Fi PIPEs).
  • one or more identity modules such as USIM
  • one or more UE protocol stacks including PHY layer
  • the content of the UE's SIM/USIM can then be transferred to one of the SIM/USIM modules in wireless station (Wi-Fi AP) 204.
  • the entire UE protocol stack of UE 206 can be mimicked by the wireless station (Wi-Fi AP) 204 to the serving Gateway (S-GW).
  • the UE can transact data via the Wi-Fi PIPE, which connects at the TCP/IP layer (or an even higher layer) of the wireless station (Wi-Fi AP) 204 UE protocol stack.
  • the transfer of the SIM/USIM content from UE 206 to wireless station ( Wi-Fi AP) 204 should be performed over a secure link.
  • the SIM/USIM content is transmitted securely over the Wi-Fi PIPE using e.g., the PGP (Pretty Good Privacy) protocol.
  • PGP is a well-known public key encryption scheme useful for securely transferring data. Other encryption schemes can be used with equal success, including without limitation, symmetric key systems, chain of trust based systems, etc.
  • the Wi-Fi PIPE between the UE 206 and wireless station 204 requires additional encryption to ensure secure transactions.
  • the Wi-Fi PIPE encryption can be based on an extension of the existing LTE encryption scheme; for example, during operation, the LTE symmetric key encryption information can be used to generate keys at both the UE 206 and wireless station 204 locations so as to extend symmetric key encryption over the Wi-Fi PIPE.
  • the native Wi-Fi encryption algorithms and dedicated HW accelerators (Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, etc.) support key transfers based on either pre-agreed schemes, or are dynamically negotiated over-the-air.
  • Wi-Fi encryption algorithms and dedicated HW accelerators can be leveraged (with modifications) and/or combined with the subsequently generated and associated LTE keys so as to enable over-the-air Wi-Fi PIPE security.
  • native LTE Non-Access Stratum (NAS) security and integrity protection can be implemented in the UE 206 in SW or HW emulation, as the data rate and volume of NAS messages are very low.
  • NAS Non-Access Stratum
  • Wi-Fi PIPE encryption can be based on one or more of associated derived LTE encryption keys, and communicated (without a SIM/USIM encryption protocol) to the UE using any secure public key based protocol, such as the aforementioned PGP protocol.
  • the UE 206 transmits a public key to the Wi-Fi AP 204, which is then used by Wi-Fi AP 204 to securely send appropriate keys (e.g.
  • Wi-Fi PIPE security can be based on symmetric key encryption via the native encryption engine of Wi-Fi PIPE and available HW accelerators (Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, etc.)
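An added illustration (not the patent's code) of extending LTE symmetric key material over the Wi-Fi PIPE, as the preceding bullets describe: both ends derive per-direction PIPE keys from a shared 256-bit LTE key with HKDF-SHA256, and each frame carries an authenticated counter so that tampered, replayed or reflected frames are rejected before any payload reaches the LTE stack. The `k_lte` value, the nonces, the derivation labels and the frame layout are constructed assumptions; the `pmk` entry stands in for the 256-bit key that would be handed to the native Wi-Fi (WPA2) engine for confidentiality.

```python
from __future__ import annotations
import hashlib
import hmac
import struct

TAG_LEN = 16   # assumed truncated HMAC tag length in bytes


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_pipe_keys(k_lte: bytes, ue_nonce: bytes, ap_nonce: bytes) -> dict[str, bytes]:
    """UE and wireless station both run this over the same inputs, so the
    PIPE keys never cross the air. One key per direction keeps a frame from
    being accepted if it is reflected back to the end that sent it.
    The labels are constructed for this example."""
    salt = ue_nonce + ap_nonce
    return {
        "ue_to_ap": hkdf_sha256(k_lte, salt, b"WoLTEN-PIPE UE->AP integrity", 32),
        "ap_to_ue": hkdf_sha256(k_lte, salt, b"WoLTEN-PIPE AP->UE integrity", 32),
        # 256-bit value for the native Wi-Fi encryption engine (WPA2 PMK size)
        "pmk": hkdf_sha256(k_lte, salt, b"WoLTEN-PIPE WPA2 PMK", 32),
    }


def protect(tx_key: bytes, counter: int, payload: bytes) -> bytes:
    """PIPE frame = 4-byte counter || payload || truncated HMAC-SHA256 tag.
    The counter is covered by the tag, so it cannot be rewritten in transit."""
    header = struct.pack(">I", counter)
    tag = hmac.new(tx_key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class PipeEndpoint:
    """Receiving side of one direction of the PIPE."""

    def __init__(self, rx_key: bytes) -> None:
        self.rx_key = rx_key
        self.last_counter = -1

    def unprotect(self, frame: bytes) -> bytes | None:
        """Return the payload, or None for a tampered, replayed or
        wrong-direction frame (verify first, process afterwards)."""
        if len(frame) < 4 + TAG_LEN:
            return None
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.rx_key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None
        counter = struct.unpack(">I", header)[0]
        if counter <= self.last_counter:      # replayed or reordered frame
            return None
        self.last_counter = counter
        return payload


def demo() -> dict[str, object]:
    # Constructed values: in deployment k_lte would be LTE key material shared
    # by the UE and the proxying station, and the nonces would be fresh.
    k_lte = bytes(range(32))
    ue_nonce, ap_nonce = b"\x11" * 16, b"\x22" * 16
    ue_keys = derive_pipe_keys(k_lte, ue_nonce, ap_nonce)   # computed at the UE
    ap_keys = derive_pipe_keys(k_lte, ue_nonce, ap_nonce)   # computed at the station
    station = PipeEndpoint(ap_keys["ue_to_ap"])
    ue = PipeEndpoint(ue_keys["ap_to_ue"])
    frame = protect(ue_keys["ue_to_ap"], 1, b"NAS message (constructed)")
    tampered = frame[:6] + bytes([frame[6] ^ 0x01]) + frame[7:]   # flip a payload bit
    return {
        "keys_agree": ue_keys == ap_keys,
        "accepted": station.unprotect(frame),
        "replay_rejected": station.unprotect(frame) is None,
        "tamper_rejected": PipeEndpoint(ap_keys["ue_to_ap"]).unprotect(tampered) is None,
        "reflection_rejected": ue.unprotect(frame) is None,
    }
```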
  • the UE 206 can support the manual entry of an encryption key, password, etc. via an appropriate software user interface (UI) application for use with the native Wi-Fi PIPE encryption engine.
  • UI software user interface
  • manual authentication further enables access control to WoLTEN operation(s) as well.
  • the "manually" entered key corresponds to a pre-determined key that was set on the Wi-Fi AP 204 side (via a server or stored in one or more preset wireless stations such as Wi-Fi AP 204).
  • the pre-determined key may be communicated to the Wi-Fi AP 204 according to an out-of-band process using a public key encryption scheme (e.g., PGP).
  • PGP public key encryption scheme
  • the proxied Wi-Fi AP 204 SIM/USIM operation enables network operators to identify data that is transacted during Wi-Fi service (i.e., off-line subscriber use of UE 206).
  • Off-line usage metrics may be useful for, e.g., direct billing, identifying underserviced cellular coverage, identifying user habits and/or usage, determining unrealized revenue opportunities, etc.
  • the Wi-Fi PIPE may be configured to indicate the available capacity to the LTE network such that the LTE network can make appropriate adjustments to the radio bearers (e.g. resource and bandwidth allocation to each UE MAC is limited).
  • Such scenarios may, for example, occur where the wireless station offers both cellular network connectivity and simultaneous legacy wireless station operation; the two functions may be "capped" at a certain proportion of the station's bandwidth to ensure that both
  • the two-way auxiliary control channels (1302, 1304) and the supporting application and agent (1306, 1308) are collectively called the Wi-Fi over LTE (WoLTEN) protocol stack.
  • WoLTEN Wi-Fi over LTE
  • the WoLTEN APP (application) 1306 resides in the subscriber device 400 and includes an LTE stack that supports the radio link control (RLC) layer to non-access stratum (NAS) 1314 for control-plane operations, and RLC layer to internet protocol (IP) 1316 for user-plane operations.
  • the WoLTEN APP 1306 also includes the Buffer and MUX/DeMUX 1310, as well as the WoLTEN Control Channel 1302 and control and operation software.
  • the counterpart WoLTEN Agent 1308 resides in the wireless station 300 and includes LTE UE MAC, VPHY, and LTE AP MAC entities which handle the counterpart control-plane and user-plane for one or more subscriber devices.
  • the WoLTEN Agent may also include other logical and/or physical entities (such as e.g., a Radio Resource Management (RRM), etc.) to handle additional functionality typically provided by a LTE eNB.
  • RRM Radio Resource Management
  • the WoLTEN Control Channel can be opened or encrypted using a security protocol (such as PGP) to exchange keys, and to use the exchanged keys with the native encryption engine of the Wi-Fi PIPE and available HW accelerators (Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, etc.) to provide security for the WoLTEN control channel.
  • a security protocol such as PGP
  • WEP Wired Equivalent Privacy
  • WPA2 Wi-Fi Protected Access 2
  • the WoLTEN APP is a downloadable application (e.g., for purchase) and/or included in the subscriber device during manufacture.
  • the WoLTEN APP can replace in whole or part, the indigenous LTE protocol stack during operation.
  • the WoLTEN APP may have its own copy of the relevant LTE protocol stack; in other embodiments, the WoLTEN APP may be configured to interface with supported LTE
  • the Buffer and MUX/DeMUX 1310 is configured to multiplex RLC packets of different signaling radio bearers (SRBs), data radio bearers (DRBs), control-plane, user-plane, and WoLTEN Control Channel packets into a single stream for delivery via the Wi-Fi PIPE in the uplink.
  • SRBs signaling radio bearers
  • DRBs data radio bearers
  • control-plane, user-plane and WoLTEN Control Channel packets
  • the multiple user (MU) Buffer and MUX/DeMUX 1312 of the WoLTEN Agent is configured to multiplex different users' MAC packets (which include SRB and DRB), and packets from their corresponding WoLTEN Control Channel, into a single stream before buffering and delivering it to the Wi-Fi PIPE for transmission to the subscriber.
  • the MUX/DeMUX 1312 is configured to buffer and demultiplex packets (from multiple users) delivered via the Wi-Fi PIPE, before passing them to the respective LTE MAC and PHY entities corresponding to the subscriber. Every subscriber attached to the network via the WoLTEN Agent has a unique instance of a corresponding WoLTEN protocol stack.
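The multiplexing described in the preceding paragraphs, as an added illustration in Python (not code from the patent or its applicant): RLC PDUs from several SRBs/DRBs and the WoLTEN Control Channel, possibly belonging to several subscribers, are framed into one byte stream for the Wi-Fi PIPE and split back out by Buffer ID at the far end. The five-byte frame header, the channel codes and the sample PDUs are assumptions constructed for this example; the patent specifies no frame format. The demultiplexer refuses truncated frames and frames carrying a Buffer ID that was never issued, which is the check an Agent serving several subscribers needs before handing data to a per-user stack instance.

```python
"""Framing for the Wi-Fi PIPE: mux/demux of RLC PDUs and WoLTEN control packets.

Added example, not code from the patent. The frame header layout, the channel
codes and the sample PDUs below are assumptions made for this illustration.
"""
import struct
from dataclasses import dataclass
from enum import IntEnum


class Channel(IntEnum):
    SRB = 0   # signalling radio bearer RLC PDU (control-plane)
    DRB = 1   # data radio bearer RLC PDU (user-plane)
    CTRL = 2  # WoLTEN Control Channel packet


@dataclass(frozen=True)
class Pdu:
    buffer_id: int    # handle issued by the Agent in the Connection Grant
    channel: Channel
    bearer: int       # SRB/DRB index; 0 for the control channel
    payload: bytes


# Assumed header: buffer_id (u8) | channel (u8) | bearer (u8) | length (u16, network order)
_HDR = struct.Struct("!BBBH")
MAX_PAYLOAD = 0xFFFF


def mux(pdus):
    """Serialize PDUs from any bearer or subscriber into one stream, in order."""
    out = bytearray()
    for p in pdus:
        if len(p.payload) > MAX_PAYLOAD:
            raise ValueError("payload exceeds the frame length field")
        out += _HDR.pack(p.buffer_id, int(p.channel), p.bearer, len(p.payload))
        out += p.payload
    return bytes(out)


def demux(stream, known_buffer_ids):
    """Split a stream into PDUs grouped by Buffer ID.

    A frame is rejected if it is truncated (never deliver a partial payload to
    an RLC entity) or if it names a Buffer ID the Agent never granted.
    """
    per_user = {bid: [] for bid in known_buffer_ids}
    off = 0
    while off < len(stream):
        if len(stream) - off < _HDR.size:
            raise ValueError("truncated frame header at offset %d" % off)
        bid, ch, bearer, length = _HDR.unpack_from(stream, off)
        off += _HDR.size
        if len(stream) - off < length:
            raise ValueError("truncated payload at offset %d" % off)
        payload = stream[off:off + length]
        off += length
        if bid not in per_user:
            raise ValueError("frame for unknown Buffer ID %d" % bid)
        try:
            channel = Channel(ch)
        except ValueError:
            raise ValueError("unknown channel code %d" % ch) from None
        per_user[bid].append(Pdu(bid, channel, bearer, payload))
    return per_user


def demo():
    """Constructed traffic from two subscribers sharing one Wi-Fi PIPE."""
    pdus = [
        Pdu(1, Channel.SRB, 1, b"RRCConnectionRequest"),
        Pdu(2, Channel.DRB, 5, b"\x45\x00" + b"ip payload"),
        Pdu(1, Channel.CTRL, 0, b"KEEPALIVE"),
        Pdu(2, Channel.SRB, 2, b"NAS AttachRequest"),
    ]
    return demux(mux(pdus), known_buffer_ids={1, 2})


if __name__ == "__main__":
    for bid, pdus in demo().items():
        print(bid, [(p.channel.name, p.bearer, p.payload) for p in pdus])
```

Per-bearer ordering is preserved because the stream is a single FIFO; a production implementation would add per-bearer sequence numbers or rely on RLC's own, which is outside this illustration.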
  • the exemplary Wi-Fi PIPE between the WoLTEN APP 1306 and WoLTEN Agent 1308 is self-contained.
  • the Wi-Fi link is managed without input from external entities.
  • the WoLTEN APP and WoLTEN Agent communicate bi-directionally over the WoLTEN Control Channel and are responsible for:
  • Wi-Fi PIPE management when in the coverage area of AP 300 which further may include:
  • EPC Evolved Packet Core
  • LTE link management (to assist in selection between LTE and Wi-Fi interfaces) which generally includes:
  • RRC radio resource control
  • the Wi-Fi PIPE management controls the wireless connectivity between the subscriber device and wireless station.
  • Wi-Fi hotspot functionality is based on legacy components operating according to e.g., existing IEEE 802.11n specifications; in other embodiments, the Wi-Fi hotspot functionality may be integrated with the WoLTEN APP and/or WoLTEN Agent to optimize performance for use specific to the Wi-Fi PIPE.
  • the WoLTEN Agent can monitor the performance of the LTE network connectivity and use the monitored performance to inform Wi-Fi PIPE operation to e.g., improve resource allocation of users, etc. By coordinating channel and bandwidth assignments, the WoLTEN Agent can reduce the amount of buffering and/or provide better quality (e.g., low latency and low jitter links configured for services such as VoLTE (Voice over LTE) or VoIP (Voice over IP)). It is appreciated that certain operations may not directly affect the radio link (e.g., Wi-Fi registration, intra-Wi-Fi hand-off, Wi-Fi power management and Wi-Fi QoS, etc.); depending on implementation, these features can be handled within either legacy components and/or the WoLTEN APP/Agent.
  • LTE network connectivity is based on legacy components operating according to e.g., existing LTE specifications; in other embodiments, the LTE link functionality may be integrated with the WoLTEN APP and/or WoLTEN Agent to optimize performance for use specific to the Wi-Fi PIPE. As previously alluded to, the
  • LTE network acquisition, selection and reselection
  • Authentication, encryption and integrity protection
  • Call control (call/session set-up/tear-down)
  • Mobility (intra- and inter-LTE hand-off), etc.
  • one embodiment of a generalized process for discovery, initiation and configuration of a session is depicted in FIG. 14.
  • the WoLTEN APP and/or WoLTEN Agent are configured to discover, initiate and configure the WoLTEN session and Wi-Fi PIPE.
  • a subscriber device discovers an enabled wireless network.
  • the subscriber device determines whether the wireless network supports WoLTEN operation.
  • Common examples of discovery include without limitation: decoding control broadcasts, direct inquiry, etc.
  • the wireless network is an "open" network. Open networks do not have restrictive access controls (e.g., authentication, authorization, etc.). In other networks, the network may be closed, partially limited, etc. For example, the subscriber device may be required to prompt the user for a password or to press a button on the wireless station, etc. In still other cases, the subscriber device may be allowed access via out-of-band procedures (e.g., allowed by an administrator, etc.). Various other suitable schemes are appreciated by those of ordinary skill within the related arts, given the contents of the present disclosure.
  • the WoLTEN APP attempts to establish an access tunnel (or Wi-Fi PIPE session) between the subscriber device and a network operator via the wireless station.
  • the access tunnel includes a Wi-Fi PIPE between the subscriber device and the wireless station.
  • a WoLTEN APP (or WoLTEN Agent) transmits a WoLTEN Connection Request via a WoLTEN Control Channel; the Connection Request includes information pertinent to connection establishment. Common examples of information include e.g., software version, a list of Wi-Fi and LTE neighbors, etc.
  • the WoLTEN Agent determines whether a WoLTEN connection can be established. In some cases the WoLTEN Agent may be unable to support the connection request due to resource limitations (e.g., lack of memory, insufficient processing power, unable to access network operators, etc.). If the WoLTEN Agent can support the connection request, then the WoLTEN Agent allocates or reserves memory for the data stream buffering corresponding to the subscriber device. In one embodiment, a portion or partition of the MU Buffer & MUX/DeMUX buffer of the WoLTEN Agent is reserved and issued a Buffer ID (Handler). The Buffer ID is provided to the WoLTEN APP, and thereafter the subscriber device WoLTEN APP will use the Buffer ID to access/modify its corresponding WoLTEN connection (the WoLTEN Agent may be handling multiple distinct subscribers simultaneously).
  • resource limitations e.g., lack of memory, insufficient processing power, unable to access network operators, etc.
  • the WoLTEN Agent allocates or reserves memory for the data stream buffering corresponding to the subscriber device
  • connection parameters include the Buffer ID.
  • connection parameters may include e.g., quality of the connection, maximum data rate and/or throughput, minimum data rate and/or throughput, latency, other connection limitations (e.g., QoS), etc.
  • the subscriber device can transact data via the WoLTEN connection. More generally, the subscriber device can perform "access tunneled " LTE operation e.g., system acquisition, connection establishment, activation, radio bearer establishment, and data flow, etc.
  • LTE operation e.g., system acquisition, connection establishment, activation, radio bearer establishment, and data flow, etc.
  • FIG. 15 illustrates an exemplary logical flow for initiating a WoLTEN connection of one exemplary embodiment of a WoLTEN APP executed on a subscriber device platform.
  • WoLTEN APP initializes and sets its internal variables and flags to default values (e.g., the LTE Flag is reset to "0" to indicate that no LTE network is currently available).
  • the WoLTEN APP enables the LTE Modem and searches for available LTE eNBs and networks. Upon detecting a desired network and eNB, the WoLTEN APP sets the "LTE Flag" to "1" to indicate that LTE network access is available.
  • before attaching to the LTE network, the WoLTEN APP attempts to search for a Wi-Fi network to attempt WoLTEN operation. Generally, WoLTEN is preferable to LTE access as WoLTEN operation consumes less power and/or supports higher data rates, etc. It is appreciated that certain other implementations may incorporate different priority schemes.
  • the WoLTEN APP enables a Wi-Fi modem and looks for nearby Wi-Fi APs.
  • the WoLTEN APP may have a preferred access mode that is configured specifically to find wireless stations.
  • the WoLTEN APP will register with it.
  • the Wi-Fi AP is operating in an "Open" mode. If the WoLTEN APP cannot register with the Wi-Fi AP then the WoLTEN APP proceeds as if no Wi-Fi AP was found. Closed Wi-Fi APs may still be accessible via an alternative access scheme (described subsequently).
  • the WoLTEN APP will interrogate the AP to find out whether or not it has a suitable WoLTEN Agent.
  • the interrogation includes a WoLTEN Connection Request/WoLTEN Connection Grant transaction. If the WoLTEN interrogation is successful then the WoLTEN APP can continue with LTE network acquisition/registration via the Wi-Fi PIPE, using the wireless station's network connection (e.g., Ethernet).
  • periodically during the WoLTEN connection, the WoLTEN APP will measure performance to determine whether a better Wi-Fi AP or LTE eNB is available.
  • the subscriber device may periodically power its own LTE cellular interface to perform appropriate measurements. These measurements are reported to the LTE network; the LTE network may responsively cause a hand-off (HO).
  • Exemplary measurements which are useful for HO may include, without limitation: Received Signal Strength Indicator (RSSI) signal level measurements, Signal to Noise Ratio (SNR), Bit Error Rate (BER), etc.
  • RSSI Received Signal Strength Indicator
  • SNR Signal to Noise Ratio
  • BER Bit Error Rate
  • Other useful information may include e.g., the neighbor list for LTE eNBs which is based on measurements made by the subscriber device's LTE PHY.
  • the WoLTEN APP will proceed to use the LTE network, while continuously looking for a WoLTEN enabled Wi-Fi AP.
  • FIG. 16 illustrates a logical flow for initiating a WoLTEN connection of one exemplary embodiment of a WoLTEN Agent executed on a wireless station.
  • the WoLTEN Agent initializes and sets its internal variables and flags to default values (e.g., "USER" set to "0" to indicate that no users are currently being served, and MAX_USER set to "1" for single user operation), and proceeds to switch ON the Wi-Fi Modem.
  • the WoLTEN Agent determines whether or not the Connection Request can be serviced.
  • the WoLTEN Agent increments the USER register and verifies that the number of users has not exceeded the maximum allowed number of users. If the maximum allowed number of users is not reached, then the WoLTEN Agent proceeds to allocate buffer space on a MU Buffer & MUX/DeMUX buffer and allocate a Buffer ID to the WoLTEN APP, which is communicated to the WoLTEN APP with a WoLTEN Connection Grant.
  • the WoLTEN APP is expected to use the Buffer ID every time it sends a message; in some implementations, the Buffer ID may be extracted by association with a Wi-Fi user ID (e.g. MAC address) of the incoming packets.
  • a Wi-Fi user ID e.g. MAC address
  • Connection Request cannot be serviced (e.g., the maximum number of users is reached)
  • the new user is denied access.
  • an informational message is sent to inform them of the failure (e.g., system overload).
  • the WoLTEN Agent launches an instance of the WoLTEN protocol stack for the new user (Each WoLTEN APP requires an instance of a WoLTEN protocol stack).
  • the WoLTEN Agent checks to see whether or not a user has terminated a connection (step 1608).
  • the WoLTEN Agent decrements the USER register and stops the corresponding WoLTEN protocol stack instance associated with the corresponding WoLTEN APP.
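The Agent-side admission flow of FIG. 14 and FIG. 16 (USER register bounded by MAX_USER, a Buffer ID issued in the Connection Grant, denial with an informational message on overload, release of the stack instance on termination), written out as an added Python example that is not the patent's own code. The message classes, the software-version policy, the `deliver` check that a Buffer ID is only honoured from the Wi-Fi MAC it was granted to, and the sample MAC addresses are assumptions made for this example. That last check is the one a practitioner would insist on: since the Buffer ID is sent in the clear over the Wi-Fi PIPE, a second station must not be able to inject into another subscriber's stack instance merely by quoting its handle.

```python
"""WoLTEN Agent admission control (FIG. 14 / FIG. 16 flow).

Added example, not the patent's code. Message classes, the software-version
policy, the MAC-to-Buffer-ID binding check and sample values are assumptions.
"""
import heapq
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ConnectionRequest:
    wifi_mac: str                 # Wi-Fi user ID of the requesting station
    sw_version: int               # WoLTEN APP software version
    lte_neighbors: tuple = ()     # eNB neighbour list reported by the device


@dataclass
class ConnectionGrant:
    buffer_id: int                # handle into the MU Buffer & MUX/DeMUX
    max_rate_kbps: int            # one of the connection parameters


@dataclass
class ConnectionDenied:
    reason: str                   # informational message to the user


@dataclass
class StackInstance:
    """One WoLTEN protocol stack instance per admitted subscriber."""
    wifi_mac: str
    buffer_id: int
    rlc_queue: List[bytes] = field(default_factory=list)


class WoLTENAgent:
    MIN_SW_VERSION = 2            # assumed policy: refuse older APPs

    def __init__(self, max_user=1, buffer_partitions=8, per_user_rate_kbps=20000):
        self.max_user = max_user
        self.user = 0             # the USER register
        self._free_ids = list(range(1, buffer_partitions + 1))  # min-heap of free IDs
        self._by_id: Dict[int, StackInstance] = {}
        self._by_mac: Dict[str, int] = {}
        self.per_user_rate_kbps = per_user_rate_kbps

    def handle_connection_request(self, req):
        if req.sw_version < self.MIN_SW_VERSION:
            return ConnectionDenied("unsupported software version")
        if req.wifi_mac in self._by_mac:
            # Repeat request from an admitted station: re-issue its handle
            return ConnectionGrant(self._by_mac[req.wifi_mac], self.per_user_rate_kbps)
        if self.user + 1 > self.max_user or not self._free_ids:
            return ConnectionDenied("system overload")
        self.user += 1
        bid = heapq.heappop(self._free_ids)
        self._by_id[bid] = StackInstance(req.wifi_mac, bid)   # launch stack instance
        self._by_mac[req.wifi_mac] = bid
        return ConnectionGrant(bid, self.per_user_rate_kbps)

    def deliver(self, wifi_mac, buffer_id, pdu):
        """Accept an uplink PDU only if the Buffer ID was granted to this MAC."""
        if self._by_mac.get(wifi_mac) != buffer_id:
            return False
        self._by_id[buffer_id].rlc_queue.append(pdu)
        return True

    def handle_termination(self, buffer_id):
        """Step 1608: stop the stack instance and decrement USER."""
        inst = self._by_id.pop(buffer_id, None)
        if inst is None:
            return False
        del self._by_mac[inst.wifi_mac]
        heapq.heappush(self._free_ids, buffer_id)
        self.user -= 1
        return True


if __name__ == "__main__":
    agent = WoLTENAgent(max_user=2)
    for mac in ("02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"):
        print(mac, agent.handle_connection_request(ConnectionRequest(mac, 3)))
```

Freed Buffer IDs are kept in a min-heap so that the lowest free partition is reused first; a denied station receives the reason string as its informational message and is never given a handle.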
  • "SIM-less" refers generally and without limitation to the absence of a local subscriber identity module (SIM, USIM, UICC, CSIM or RUIM) with respect to e.g., software, hardware, and/or firmware operation.
  • a SIM/USIM module that "proxies" a portion of the UE protocol stack (for an associated UE 206) is integrated within the Wi-Fi AP 204.
  • proxy refers generally to the ability of a wireless station (or other intermediary node) to perform as an authorized substitute for a mobile device, with respect to a larger network.
  • the PDCP layer has been functionally split and is managed by the WoLTEN protocol stack of a Wi-Fi PIPE. In order to support the Authentication, Encryption and Integrity Protection security requirements of the PDCP layer, the proxy UE protocol stack that is executed at the Wi-Fi AP 204 includes all of the subordinate software layers (e.g., all of the LTE UE layers up to and including PDCP); the remaining software layers in this implementation reside at the UE 206 on the user-plane (which is operating in a SIM-less mode). Furthermore, in the exemplary implementation, the control-plane is terminated at the Wi-Fi AP 204.
  • the subordinate software layers e.g., all of the LTE UE layers up to and including PDCP
  • the remaining software layers in this implementation reside at the UE 206 on the user-plane (which is operating in a SIM-less mode).
  • the control-plane is terminated at the Wi-Fi AP 204.
  • an alternative variant may dispose the Wi-Fi PIPE inside the PDCP layer, such that uplink encryption and downlink decryption functions are supported in the wireless station 204, while uplink and downlink Robust Header Compression (ROHC) compression and decompression functions of the PDCP layer are supported in the SIM-less UE.
  • ROHC Robust Header Compression
  • the LTE encryption/decryption is handled at the Wi-Fi AP 204, thus additional encryption is desired to protect the Wi-Fi PIPE transmissions, as the data stream between the SIM-less UE and wireless station 204 is no longer protected.
  • the Wi-Fi PIPE encryption can be based for example on the one or more associated/derived LTE encryption keys, which can be communicated to the SIM-less UE via e.g., PGP security protocols.
  • an external subscriber identity module is coupled to the SIM-less UE via an available wired (e.g., USB) or wireless (e.g., Bluetooth) I/O port.
  • the external SIM/USIM natively is coupled to the LTE stack of the SIM-less UE.
  • FIG. 17 illustrates one such exemplary configuration of the external module 1700 including: a SIM USIM 1702, a processor 1704, a non-transitory computer-readable memory 1706, a power unit (e.g., battery) 1708 and an I/O communications module (such as Bluetooth, USB, etc.) 1 710.
  • communication over the I/O communications module between the USIM module 1700 and the SIM-less UE can be secured via e.g., bi-directional public key-private key encryption or symmetric key encryption (e.g., a manually entered key or a pre-installed key).
  • the external module 1700 holds the LTE evolved
  • EPS Evolved Packet System
  • KASME Access Security Management Entity key (K_ASME)
  • MME mobility management entity
  • the subsequent LTE EPS derived keys e.g., KeNB (evolved NodeB Key), CK (Cipher Key) and CI (Integrity Check)
  • KeNB evolved NodeB Key
  • CK Cipher Key
  • CI Integrity Check key
  • the subsequent encryption/decryption can be handled at the SIM-less UE using, for instance, a software emulated implementation of the remaining LTE security algorithms.
  • the native Wi-Fi encryption engine can utilize the LTE EPS derived keys (e.g., KeNB, CK and CI) at the Wi-Fi AP 204 and SIM-less UE to secure the Wi-Fi PIPE transmissions.
  • LTE EPS derived keys e.g., KeNB, CK and CI
  • these functions can be implemented in the SIM-less UE, such as in software, as the data rate and volume of NAS messages are very low.
  • Still other implementations may transfer the LTE EPS derived keys from the Wi- Fi AP 204 to the UE 206 using a secure protocol.
  • some variants may use a NULL encryption (i.e., no encryption) for the user-plane, but use a software based security for LTE encryption/decryption and integrity checking at the SIM-less UE.
  • the native Wi-Fi encryption engine (Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, etc.)
  • WEP Wired Equivalent Privacy
  • WPA2 Wi-Fi Protected Access 2
  • a SIM-less UE "piggy-backs" on a connected UE 206 identity module (e.g. SIM/USIM).
  • the WoLTEN Application can trigger a state transition to the RRC CONNECTED mode (i.e., initiating an active session). Thereafter, the SIM-less UE can request to share (or piggy back) the active RRC connection.
  • the Wi-Fi AP 204 may verify that the SIM-less UE is authorized to piggy-back on the previously associated UE; common authorization schemes include without limitation, password based schemes, user prompt (i.e., the user of the associated UE is prompted to add the SIM-less UE), etc.
  • both NAS and RRC operation can be controlled by the Wi-Fi AP WoLTEN Agent (running on either the associated UE and/or the SIM-less UE) via the WoLTEN App, through the dedicated WoLTEN control channel.
  • the Wi-Fi AP 204 may support the SIM-less UE according to multiple different schemes.
  • in a first scheme, if dual-IP stack UEs are supported by the LTE network, then the Wi-Fi AP 204 requests a new IP address (from the LTE evolved packet core (EPC)) for the same USIM entity.
  • the Wi-Fi AP 204 can set up an additional bearer for the second IP address intended for the SIM-less UE, and create a second LTE UE stack (up to the IP layer).
  • the second LTE UE stack tunnels the appropriate IP packets over the Wi-Fi PIPE to the SIM-less UE.
  • the Wi-Fi PIPE security can be implemented in a variety of schemes.
  • the WoLTEN network for the associated UE is completely independent of the network for the SIM-less UE.
  • the associated UE and the SIM-less UE may use the same LTE UE stack to service both IP addresses which are subsequently relayed by the Wi-Fi PIPE.
  • the IP addresses are used by the associated UE and the SIM-less UE via Wi-Fi access. More directly, both sets of IP packets are transmitted over the Wi- Fi PIPE to the associated UE and the SIM-less UE.
  • the associated UE and the SIM-less UE both internally determine which packets are addressed to them.
  • the WoLTEN network uses the same bearer for both the SIM-less UE and the associated UE but with unique port numbers for the SIM-less UE and the associated UE. Thereafter, IP packets can be routed to the intended UE (SIM-less UE or the associated UE) over the Wi-Fi PIPE.
  • the WoLTEN network uses unique port numbers for the SIM-less UE and associated UE, and sets up additional bearers for the SIM-less UE. In this manner, the SIM-less UE has a separate protocol stack up to the IP level at Wi-Fi AP 204, the lower levels handle the selection and transmission of the appropriate IP packets over the Wi-Fi PIPE to SIM-less UE and associated UE.
  • the Wi-Fi PIPE security can be seeded with the associated UE's cryptographic information, etc. as described supra.
  • the Wi- Fi PIPE security may be implemented based on a PGP protocol to exchange keys used with the native Wi-Fi encryption algorithms (Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, etc.).
  • WEP Wired Equivalent Privacy
  • WPA Wi-Fi Protected Access
  • WPA2 Wi-Fi Protected Access
  • NULL encryption for the user-plane
  • Still other implementations may handle the bearer associated with the associated UE differently and/or with a different stack partitioning from the SIM-less UE.
  • the SIM-less UE uses a virtual identity module to store and/or manage one or more SIM USIM protocols.
  • the KASME key of a USIM along with pre-installed authentication and key generation algorithms are received and stored (manually, via an out-of-band software process (such as a user application), via an external SIM/USIM module, etc.) in a secure memory area at the SIM-less UE.
  • the subsequent encryption and/or decryption can be handled by the SIM- less UE using e.g., any of the aforementioned processes.
  • security may be handled via a software implementation of LTE algorithms, and/or the native Wi-Fi encryption engine with one or more generated LTE keys for over-the-air security of Wi- Fi PIPE.
  • LTE keys are symmetric at the Wi-Fi AP 204 and the SIM-less UE, these keys can be independently generated at both ends of the Wi- Fi PIPE.
  • the LTE keys can be transferred from Wi-Fi AP 204 to SIM-less UE using a PGP protocol.
  • NULL encryption for the user-plane
  • a software implementation for LTE encryption/decryption and Integrity checking at the SIM-less UE while using the native Wi-Fi encryption engine (Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, etc.) in conjunction with one or more associated LTE symmetric keys for the user-plane encryption/decryption within the SIM-less UE.
  • WEP Wired Equivalent Privacy
  • WPA Wi-Fi Protected Access
  • WPA2 Wi-Fi Protected Access 2
  • some implementations may perform NAS security and integrity protection in the SIM-less UE software as the data rate and volume of NAS messages are very low.
  • the UE 206 stack, for example including the NAS layer, resides within the access point (e.g., Wi-Fi AP 204), as shown in Figure 18.
  • the access point e.g., Wi-Fi AP 204
  • part of the UE 206 NAS that is responsible for Authentication is placed in the UE 206 App (which can be downloadable), connected to the other parts of the UE 206 NAS residing within the Wi-Fi AP 204 by the dedicated control channel that exists between the UE 206 App and the Wi-Fi AP 204 Agent. Therefore, the Agent in Wi-Fi AP 204 has to have a connection to the NAS parts residing in the UE 206 protocol stack residing in Wi-Fi AP 204.
  • the UE 206 App has to have a connection to the part of the NAS that is residing within the UE 206. In fact it is possible to keep the entire UE 206 NAS entity within the Wi-Fi AP 204, and to use the control channel that exists between the UE 206 App and the Wi-Fi AP 204 Agent to connect the USIM API to the UE 206 NAS which is in the Wi-Fi AP 204 Agent.
  • the UE further includes a user interface application which resides above the high level operating system.
  • the user interface application is configured to emulate in software, traditionally hardware-based elements for processing Voice over LTE (VoLTE) telephone calls and LTE messaging.
  • the user interface application incorporates one or more software based: voice codecs, echo cancellation, dialing pad, etc.
  • the user interface application is configured to connect a VoLTE call via the aforementioned WoLTEN network connection.
  • the UE 206 protocol stack residing in Wi-Fi AP 204 and the eNB protocol stack residing in Wi-Fi AP 204 can greatly reduce PHY, MAC, RLC and PDCP software transactions, as these software layers are useful only for LTE radio operation (and thus are subsumed by the Wi-Fi PIPE operations).
  • vestigial versions of these layers may be executed to ensure correct end-to-end operation of the LTE procedures, and/or to allow the remaining portions of the software stack to operate with minimal impact.
  • LTE RRC functionality on both UE and eNB software stacks can be minimized since e.g., there is no LTE radio, and thus LTE handoff and measurement operations are obviated.
  • PDCP ROHC and/or internal encryption are unnecessary, thus a NULL encryption can be used for user plane operations.
  • any encryption and integrity protection can be performed in software for both the UE 206 and Wi-Fi AP 204 sides.
  • LTE keys generated on both UE 206 and Wi-Fi AP 204 sides can be used in the Wi-Fi native encryption engine to encrypt the user and control plane data between UE 206 and Wi-Fi AP 204.
  • the dedicated control channel that exists between the UE 206 App and Wi-Fi AP 204 Agent can be either open (un-encrypted) or encrypted by PGP key exchange between the App and Agent.
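The security arrangement repeated throughout the description (LTE keys generated independently at the Wi-Fi AP 204 and the SIM-less UE, used to key the Wi-Fi PIPE, with NAS integrity protection done in software because NAS traffic is low-rate), as an added Python example rather than code from the patent. HKDF-SHA256 as the key-derivation function, the context labels, the 32-bit MAC-I truncation and the COUNT/direction header are assumptions of this example; 3GPP TS 33.401 defines its own KDF and integrity algorithms, which the page does not detail. Two practitioner points the example makes concrete: the key handed to the Wi-Fi engine is a derived, purpose-bound key rather than KASME or KeNB reused directly, so a compromise of the Wi-Fi engine does not expose the LTE key hierarchy; and the receiver checks the NAS COUNT before the MAC, so a replayed message is rejected even though its MAC-I verifies. Independently of the example, WEP, which the text lists among the available engines, is cryptographically broken and should not be used to carry such keys.

```python
"""Keys for the Wi-Fi PIPE derived from the LTE root key, plus software NAS
integrity protection.

Added example, not the patent's code. HKDF-SHA256, the labels, the 32-bit MAC-I
and the COUNT/direction header are assumptions of this illustration.
"""
import hashlib
import hmac
import struct


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_pipe_keys(k_asme, ap_bssid, ue_mac):
    """Computed independently at the Wi-Fi AP and the SIM-less UE from K_ASME.

    The salt binds the keys to one AP/UE pair; distinct labels keep the key
    fed to the Wi-Fi engine separate from the one used for NAS integrity, so
    neither KASME nor KeNB is ever handed to the Wi-Fi engine directly.
    """
    salt = ap_bssid + ue_mac
    return {
        "pipe_psk": hkdf_sha256(k_asme, salt, b"WoLTEN-PIPE-PSK"),
        "nas_int": hkdf_sha256(k_asme, salt, b"WoLTEN-NAS-INT"),
    }


def protect_nas(k_nas_int, count, direction, plaintext):
    """Prefix COUNT and direction, append a 32-bit MAC-I (LTE NAS style)."""
    header = struct.pack("!IB", count, direction)
    mac_i = hmac.new(k_nas_int, header + plaintext, hashlib.sha256).digest()[:4]
    return header + plaintext + mac_i


def verify_nas(k_nas_int, message, expected_count):
    """Return the plaintext, or None on replay, truncation or a bad MAC-I."""
    if len(message) < 9:
        return None
    header, body, mac_i = message[:5], message[5:-4], message[-4:]
    count, _direction = struct.unpack("!IB", header)
    if count != expected_count:       # replayed or reordered message
        return None
    calc = hmac.new(k_nas_int, header + body, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(calc, mac_i):
        return None
    return body


def demo():
    """Constructed root key and addresses; both ends derive and agree."""
    k_asme = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    bssid, ue_mac = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
    ap_keys = derive_pipe_keys(k_asme, bssid, ue_mac)
    ue_keys = derive_pipe_keys(k_asme, bssid, ue_mac)
    msg = protect_nas(ue_keys["nas_int"], count=7, direction=0, plaintext=b"ATTACH REQUEST")
    return ap_keys, ue_keys, msg


if __name__ == "__main__":
    ap, ue, msg = demo()
    print("keys agree:", ap == ue)
    print("accepted:", verify_nas(ap["nas_int"], msg, 7))
    print("replay accepted:", verify_nas(ap["nas_int"], msg, 8))
```

Where the keys are instead transported from the AP to the UE over a public-key protocol, as the text also allows, the same derived `pipe_psk` and `nas_int` values are what should be carried, never the root key.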

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An apparatus and methods for hybrid access to a core network are disclosed. In one embodiment, a wireless station allows a subscriber device to connect to a core network via an intermediary network (e.g., a Wi-Fi network) rather than via the network conventionally associated with the core network (e.g., a cellular network). In one implementation, the subscriber device connects to the wireless station at the TCP/IP (Transmission Control Protocol/Internet Protocol) layers. Methods and apparatus for securely authenticating the subscriber device via the wireless station are also disclosed. In one such variant, the subscriber device is a device without a subscriber identity module (SIM).
PCT/US2015/052016 2014-09-25 2015-09-24 Methods and apparatus for hybrid access to a core network based on proxied authentication WO2016049353A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP15843308.6A EP3198787A4 (fr) 2014-09-25 2015-09-24 Methods and apparatus for hybrid access to a core network based on proxied authentication
CN201580051942.5A CN106716920A (zh) 2014-09-25 2015-09-24 Methods and apparatus for hybrid access to a core network based on proxied authentication
JP2017516330A JP2017532889A (ja) 2014-09-25 2015-09-24 Methods and apparatus for hybrid access to a core network based on proxied authentication

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201462071517P 2014-09-25 2014-09-25
US62/071,517 2014-09-25
US14/863,239 2015-09-23
US14/863,239 US20160014127A1 (en) 2013-01-16 2015-09-23 Methods and apparatus for hybrid access to a core network based on proxied authentication

Publications (1)

Publication Number Publication Date
WO2016049353A1 true WO2016049353A1 (fr) 2016-03-31

Family

ID=55582018

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2015/052016 WO2016049353A1 (fr) 2014-09-25 2015-09-24 Methods and apparatus for hybrid access to a core network based on proxied authentication

Country Status (5)

Country Link
EP (1) EP3198787A4 (fr)
JP (1) JP2017532889A (fr)
CN (1) CN106716920A (fr)
TW (1) TW201630395A (fr)
WO (1) WO2016049353A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106953771A (zh) * 2017-05-12 2017-07-14 深圳市四海众联网络科技有限公司 一种主从设备的角色变换和管理方法
WO2017179800A1 (fr) * 2016-04-12 2017-10-19 엘지전자 주식회사 Method and wireless device for transmitting a radio resource control (RRC) message when using CP CIoT EPS optimization
WO2018101452A1 (fr) * 2016-11-30 2018-06-07 株式会社Lte-X Communication method and relay apparatus
EP3476137A4 (fr) * 2016-06-27 2019-12-18 Corning Optical Communications LLC System and method for service-provider-specific remote access via neutral host networks

Families Citing this family (6)

Publication number Priority date Publication date Assignee Title
GB201621507D0 (en) * 2016-12-16 2017-02-01 Close Comms Ltd Controlling access and accessing a traffic network in a high density environment
EP3481027A1 (fr) 2017-11-02 2019-05-08 Thomson Licensing Method and device for establishing a secure wireless connection
EP3618382A1 (fr) * 2018-08-30 2020-03-04 Koninklijke Philips N.V. Access of a non-3GPP device to a core network
EP3618383A1 (fr) * 2018-08-30 2020-03-04 Koninklijke Philips N.V. Non-3GPP device access to a core network
WO2020187387A1 (fr) * 2019-03-15 2020-09-24 Telefonaktiebolaget Lm Ericsson (Publ) Authentication of a radio communication device to a network
TWI735942B (zh) * 2019-09-05 2021-08-11 中華電信股份有限公司 System and method for predicting and preventing failures of network communication equipment based on machine learning

Citations (11)

Publication number Priority date Publication date Assignee Title
GB2353918B (en) * 1999-09-03 2003-12-31 Ericsson Telefon Ab L M Access rights in a mobile communications system
US7899755B2 (en) * 1998-12-24 2011-03-01 S.F. Ip Properties 59 Llc Secure system for the issuance, acquisition, and redemption of certificates in a transaction network
US20130047218A1 (en) * 2005-12-23 2013-02-21 Bce Inc. Wireless device authentication between different networks
US8700710B1 (en) * 2012-03-29 2014-04-15 Google Inc. Constructing social networks
US8724812B2 (en) * 2010-12-31 2014-05-13 Motorola Solutions, Inc. Methods for establishing a secure point-to-point call on a trunked network
US20140171029A1 (en) * 2011-07-08 2014-06-19 Nokia Corporation Method and apparatus for authenticating subscribers to long term evolution telecommunication networks or universal mobile telecommunications system
US8774759B2 (en) * 2007-05-08 2014-07-08 Huawei Technologies Co., Ltd. Security capability negotiation method, system, and equipment
US8788823B1 (en) * 2003-09-03 2014-07-22 Cisco Technology, Inc. System and method for filtering network traffic
US8793493B2 (en) * 2006-10-05 2014-07-29 Ceelox Patents, LLC System and method of secure encryption for electronic data transfer
US20140245007A1 (en) * 2004-10-20 2014-08-28 Broadcom Corporation User Authentication System
US8842524B2 (en) * 2012-02-29 2014-09-23 Red Hat, Inc. Redundant ring automatic recovery

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FI119346B (fi) * 2006-09-28 2008-10-15 Teliasonera Ab Resource allocation in a wireless communication system
US9119167B2 (en) * 2011-08-30 2015-08-25 Qualcomm Incorporated Generic broadcast of location assistance data
GB2495550A (en) * 2011-10-14 2013-04-17 Ubiquisys Ltd An access point that can be used to establish connections with UE devices using both cellular and wifi air interfaces
US9549317B2 (en) * 2011-10-17 2017-01-17 Mitel Mobility Inc. Methods and apparatuses to provide secure communication between an untrusted wireless access network and a trusted controlled network
EP2592863B1 (fr) * 2011-11-14 2014-01-08 Alcatel Lucent Distributed load balancing in a radio access network
US20140199963A1 (en) * 2013-01-16 2014-07-17 Behzad Mohebbi Methods and apparatus for a network-agnostic wireless router
US9603192B2 (en) * 2013-01-16 2017-03-21 Ncore Communications, Inc. Methods and apparatus for hybrid access to a core network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3198787A4 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017179800A1 (fr) * 2016-04-12 2017-10-19 엘지전자 주식회사 Method and wireless device for transmitting a radio resource control (RRC) message when using CP CIoT EPS optimization
EP3476137A4 (fr) * 2016-06-27 2019-12-18 Corning Optical Communications LLC System and method for service provider specific remote access via neutral host networks
US11889305B2 (en) 2016-06-27 2024-01-30 Corning Optical Communications LLC System and method for service provider specific remote access via neutral host networks
WO2018101452A1 (fr) * 2016-11-30 2018-06-07 株式会社Lte-X Communication method and relay apparatus
CN106953771A (zh) * 2017-05-12 2017-07-14 深圳市四海众联网络科技有限公司 Role switching and management method for master-slave devices
CN106953771B (zh) * 2017-05-12 2020-04-21 深圳市四海众联网络科技有限公司 Role switching and management method for master-slave devices

Also Published As

Publication number Publication date
TW201630395A (zh) 2016-08-16
JP2017532889A (ja) 2017-11-02
EP3198787A1 (fr) 2017-08-02
EP3198787A4 (fr) 2018-02-14
CN106716920A (zh) 2017-05-24

Similar Documents

Publication Publication Date Title
US9603192B2 (en) Methods and apparatus for hybrid access to a core network
US20160014127A1 (en) Methods and apparatus for hybrid access to a core network based on proxied authentication
US20170105239A1 (en) Methods and apparatus for a network-agnostic wireless router
WO2016049353A1 (fr) Methods and apparatus for hybrid access to a core network based on proxied authentication
US10812629B2 (en) Radio resource control capability information
US11228959B2 (en) Aggregated handover in integrated small cell and WiFi networks
EP2688363B1 (fr) System, convergence transmission device and method for converging data distribution
US10230654B2 (en) Multiband aggregation data encapsulation
US20150139184A1 (en) System, User Equipment and Method for Implementing Multi-network Joint Transmission
AU2018202590A1 (en) Apparatus, system and method of securing communications of a user equipment (ue) in a wireless local area network
KR20130061101A (ko) Method for transmitting opportunistic network related messages
JP2013131793A (ja) Wireless communication system, wireless communication method, and mobile terminal
WO2012116623A1 (fr) Mobile communication system and networking method
EP3687223B1 (fr) Terminal device, access network device, air interface configuration method, and wireless communication system
EP3119117A1 (fr) Device and method for handling an authentication procedure

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15843308

Country of ref document: EP

Kind code of ref document: A1

REEP Request for entry into the european phase

Ref document number: 2015843308

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2015843308

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2017516330

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE