CN102273170B

CN102273170B - The credible judgement carried out for access authentication

Info

Publication number: CN102273170B
Application number: CN200980153737.4A
Authority: CN
Inventors: R.罗波尔伊; G.霍恩
Original assignee: Nokia Siemens Networks Oy
Current assignee: Nokia Solutions and Networks Oy
Filing date: 2009-01-05
Publication date: 2016-11-30
Anticipated expiration: 2029-01-05

Abstract

Providing such as relevant to the credibility of the non-3 GPP access network in the 3GPP compatibility block data system measure for carrying out credible judgement for access authentication, it exemplarily includes from accessing the network of network element reception interim credible instruction about the described access network of the most described user of the access network providing grouped data to access for roamer；Determine local break-out or the suitability of ownership route of each subscription APN about described user；And based on the interim credible instruction received and determined by about the route suitability of each subscription APN of described user, it is determined that described access network final credible.

Description

The credible judgement carried out for access authentication

Technical field

The present invention relates generally to the credible judgement (trustworthiness decision) carried out for access authentication.Such as, the present invention relates to the credible access authentication about the non-3 GPP access network in 3GPP compatibility block data system.

Background technology

In recent years, integrated (convergence) of communication system and subsystem has attracted the increasing concern in communication technology.In this context, different in terms of communication technology, agreement and/or principle systems and their different subsystem (such as, access network, core network etc.) will be integrated in total system framework.But, there is some problem when different systems and/or subsystem being integrated in common total system framework and operate the most integrated total system framework.

A networking haveing a problem in that between access network and core network under the background that communication system is integrated.In this system configures, in fact it could happen that safety problem, such as the credible problem of access network of viewpoint of access network (in the case of roaming) of core network or the home network of user or user.

Hereinafter, a kind of system configuration will exemplarily be proposed, wherein core network and/or home network and/or access network (in the case of roaming) meet specific standard criterion, such as 3GPP(third generation partnership projects) specification, but subscriber equipment does not meets 3GPP standard criterion via its at least one access network being connected to 3GPP core/ownership/access network.This access network is referred to as non-3 GPP access network.It may meet other standards, the HRDP standard such as defined by 3GPP or the WiMAX standard defined by WiMAX Forum.It should be noted that, the configuration of this system is considered non-limiting example, and similar system configuration is also equally applicable.

Non-limiting example as explained below, it is assumed that subscriber equipment is via non-3 gpp (such as HRDP(HRPD) or WiMAX(micro-wave access global inter communication)) access network is connected to 3GPP evolved packet system (EPS).According to the 3GPP standard criterion of such as 3GPP TS23.402 and 3GPP TS24.302, provide traffic connectivity, such as Internet protocol (IP) connectivity via non-3 GPP access network to the subscriber equipment being connected to EPC.About the safety need of credible and insincere non-3 GPP access network and the authentication method asked, and the AAA(authentication, authorization, accounting about non-3 GPP access network) interface and process be also according to the 3GPP standard criterion of such as 3GPP TS33.402 and 3GPP TS29.273.According to 3GPP standard criterion, such as EAP method (such as EAP-AKA and EAP-AKA'(EAP: Extensible Authentication Protocol, AKA: certification and cryptographic key agreement)) known authentication mechanism be applicable.In this non-limiting example, it is also assumed that subscriber equipment roams, being i.e. connected to its home network via non-3 GPP access network, this non-3 GPP access network is attached to accessed 3GPP compatible network.

During being initially attached to or being switched to non-3 GPP access network, such as by residing in HPLMN(Home Public Land Mobile Network network) in aaa server in the home network of user, carry out or incredible judgement credible about access network.This judgement is considered as the business/management condition direct Roaming agreements of the operator of access network (such as, with) and technical conditions.Network scenarios that necessary or relevant technical conditions depend on bottom and/or the agreement utilized.

Such as, according to current standard criterion, following technical conditions are adapted to ambulant (between access network and grouped data network gateway) S2a interface of network, i.e. as the proxy-mobile IP (PMIP) of IP mobility management protocol.MAG(Mobile Access Gateway) should be by LMA(Local Mobility Anchor, local mobility anchor) trust only to register these attached mobile nodes.About the PMIP message between MAG and LMA safety should by security association chain in hop-by-hop mode (for the often jumping in this chain, one security association in each direction is applied to and any user-dependent all PMIP message) provide, or for situation in territory, provided in mode end to end by about a security association with each direction of any user-dependent all PMIP message.PMIP should use only in conjunction with access authentication based on EAP-AKA.

Such as, according to current standard criterion, following technical conditions are adapted to ambulant (between subscriber equipment and grouped data network gateway) S2c interface of main frame, i.e. as double stack mobile IP v 6s (DSMIPv6) of IP mobility management protocol.When using Host Based mobility, access network needs to meet some safety need to be trusted.Credible access is by certification subscriber equipment and for providing safety chain from user device transmissions to the data of credible access.Credible access prevents source IP address from cheating.Credible access and grouped data network gateway (PDN GW) by the safety chain that has between them with the data across its transmission user.When subscriber equipment departs from credible access so that guaranteeing not know about changes (i.e. making PDN GW can remove the CoA(Care-of Address (care-of-address) about old subscriber equipment) binding at EPC) in the case of be assigned to the IP address of subscriber equipment when will not be used by another subscriber equipment, credible access and evolution block core (EPC) need coordination.

These set of circumstances right and wrong specified according to Current standard specifications are usually shown in, however, it may be desirable to other information is to determine that access network is the most credible.At present, each operator determine that the access network for trusting needs complete business (management) and the set of technical conditions met.Therefore, in order to carry out credible being appropriately determined for access network at the home network of user, need all relevant informations (such as, about the current data of all correlated conditions) available at home network.But, in roaming condition, guarantee that this point will be especially difficult.

In this regard it should be noted that, grouped data network gateway (PDN GW) dynamically can distribute during verification process.Therefore, such as in terms of the condition of the safe IP link between non-3 GPP access gateway and PDN GW, the IP link discussed may be located at and (selecting ownership route between non-3 GPP access network and home network, in the case of i.e. PDN GW is positioned in home network) or (selecting local break-out (local breakout), i.e. PDN GW is positioned at and accesses in the case of in network) between non-3 GPP access network and access network.

Directly carry out between two networks (i.e. access network and ownership or access network) in view of IP route, when ownership route and local break-out (LBO) situation, IP link can use different routes and different IP to transmit provider's (such as Virtual network operator).Secure context accordingly, with respect to each IP link is also likely to be different, thus hampers for carrying out the availability of adequate information judged at home network.

According to current standard criterion, do not exist and how can obtain all relevant informations needed for carrying out the judgement of the trusted status (i.e. credible) about access network about home network (such as, if selection local break-out, then obtain about non-3 GPP access network and the information of the safety of IP link that resides between the PDN GW accessed in network) mechanism.In view of such as GSM(global system for mobile communications) and/or UTRAN(universal terrestrial radio be electrically accessed network) Virtual network operator there may be hundreds of the roaming partners interspersing among the world, and the number of non-3 GPP access may be the highest, as needed especially in roaming condition, it is infeasible that home network has the up-to-date information about all access networks and the potential all IP links accessed between network.

Therefore, home network may the most correctly consider the judgement that all relevant conditions (such as by the safety of the link used) and doing make mistake.If home network judges that access network is insincere, although this will not be required, but this will cause unnecessary resource consumption and/or time delay.Such as, communication path may unnecessarily involve evolution packet data gateway (ePDG), and the tunnel establishment procedure between subscriber equipment and ePDG may be unnecessarily carried out.In the case of home network judges that access network is credible, although the most there is not access network and the safe IP link accessed between network, but this will cause the destruction of confidentiality needs, and the most such as eavesdropping can become possibility.

Therefore, there is not availability based on the credible information about the access network in block data system and guarantee any feasible solution of safe and efficient access procedure.

Summary of the invention

The present invention and embodiment are designed to the feasible solution providing a kind of availability based on the credible information about the access network in block data system to guarantee safe and efficient access procedure.

Exemplary first aspect according to the present invention, provide a method that, including: from accessing instruction (the receiving an indication about a that network of network element receives the interim credibility of the described access network about the most described user of the access network providing grouped data to access for roamer provisional trustworthiness of an access network, which provides packet data access for a roaming user, with respect to a visited network of said user from A network element of said visited network)；Determine local break-out or the suitability of ownership route of each subscription (subscribed) APN about described user；And based on the interim credible instruction received and determined by about the route suitability of each subscription APN of described user, it is determined that described access network final credible.

According to its further development or amendment, apply one or more following feature:

-described reception credible instruction temporarily includes receiving the attribute in certification request, and it is configured to indicate the interim credible of described access network,

-certification request includes diameter Extensible Authentication Protocol (Diameter Extensible Authentication Protocol) request,

-described the suitability determining the local break-out producing all subscription APNs about described user, described judgement further includes at technology determination factor aspect and accepts the interim credible of described access network, and consider to manage decision factor (if present), for carrying out the final credible final judgement about described access network

-described the suitability determining the ownership route producing all subscription APNs about described user, described judgement farther includes to abandon the interim credible of described access network the most described access network, and consider technology and the management (if present) decision factor of the home network of the most described user, for carrying out the final credible final judgement about described access network

-described decision factor includes: technology determination factor, one or more in the level of security of the link between it radio access technologies including described access network and described access network and the described access network of described user；And management decision factor, it is one or more that it includes in the existence of Roaming agreements between described access network and described home network, the level of trust between described access network and described home network, previous Quality of Service Experience,

The suitability that-described the suitability determining the local break-out producing some the subscription APNs about described user and other ownership subscribing to APNs about described user route, described judgement farther includes to carry out those subscription APNs of the suitability about generation local break-out and the sub-judgement of those the subscription APNs about the suitability producing ownership route, and combine the son judgement carried out for these two groups of APNs, make when have determined that described access network for these two groups of APNs credible time, judge that described access network is the most credible,

The suitability that-described the suitability determining the local break-out producing some the subscription APNs about described user and other ownership subscribing to APNs about described user route, described judgement farther includes to carry out those subscription APNs of the suitability about generation local break-out and the individually judgement of those the subscription APNs about the suitability producing ownership route, and inform the user access network to judge relative to each the independent of final credibility subscribing to APN of described user

The described network element of-described access network includes authentication, authorization, accounting agent entity, and/or provide grouped data to access via the interface between described access network and grouped data network gateway, and/or use proxy mobile internet protocol or double stack hierarchical mobile IP originally 6 to provide IP mobile management

The described network element of-described access network includes evolution packet data gateway, and/or provide grouped data to access via the interface between described user and grouped data network gateway, and/or use double stack Mobile Internet Protocol version 6 to provide IP mobile management

-described method can operate when being initially attached to or be switched to described access network,

The home network of-described user and described access network belong to the evolved packet system according to 3GPP specification, and described access network is non-3 gpp access network, and/or

-described method can operate at the AAA server in the described home network of described user.

Exemplary second aspect according to the present invention, provide a method that, including: from the network element of the home network of roamer receive about each of described user subscribe to APN, about the information of credible individually judgement of the access network providing grouped data to access for described user；And the credibility according to the access network about each subscription APN received, use each APN request packet data network to connect.

null-described request farther includes: can be considered the APN of believable instruction for receiving the access network about it，If use proxy mobile internet protocol，Then send packet data network connection request to non-3 gpp gateway，If or using double stack Mobile Internet Protocol version 6，Then set up security association and send packet data network connection request to grouped data network gateway，And/or the APN of incredible instruction will be considered for receiving the access network about it，If use proxy mobile internet protocol，The packet data network connection request being embedded into during secure tunnel is set up then is sent to evolution packet gateway，If and/or using double stack hierarchical mobile IP basis 6，Then set up the tunnel for evolution packet data gateway and set up security association and send packet data network connection request via the described tunnel for described evolution packet data gateway to grouped data network gateway，

The described network element of-described home network includes AAA server, and/or

-described method can operate at the subscriber equipment of described user.

Exemplary third-party face according to the present invention, it is provided that a kind of method, including: by considering about credible available decision factor, it is evaluated as access network and the trusting relationship accessed between network of described user that roamer provides grouped data to access；Trusting relationship based on assessment judges the described access network credibility relative to described access network；And transmit about the described instruction judging credibility to the network element of the home network of described user.

-described decision factor includes technology determination factor, one or more in the level of security of the link between it radio access technologies including described access network and described access network and the described access network of described user,

-described the credibility that transmits indicates the attribute included in transmission certification request, and it is configured to indicate the interim credible of described access network,

-certification request includes that diameter Extensible Authentication Protocol is asked,

-described method can operate at authentication, authorization, accounting agent entity, and/or provide grouped data to access via the interface between described access network and grouped data network gateway, and/or use proxy mobile internet protocol to provide IP mobile management, and/or

-described method can operate at evolution packet data gateway, and/or provides grouped data to access via the interface between described user and grouped data network gateway, and/or uses double stack Mobile Internet Protocol version 6 to provide IP mobile management.

Exemplary fourth aspect according to the present invention, provide a kind of device, including: receptor, it is configured to from accessing the instruction that network of network element receives the interim credibility of the described access network about the most described user of the access network providing grouped data to access for roamer；Determiner, is configured to determine that local break-out or the suitability of ownership route of each subscription APN about described user；And determinant, be configured to based on the interim credible instruction received and determined by about the route suitability of each subscription APN of described user, it is determined that described access network final credible.

-described receptor is further configured to receive the attribute in certification request, and it is configured to indicate the interim credible of described access network,

-when the suitability of the local break-out that described determiner produces all subscription APNs about described user, described determinant is further configured in terms of technology determination factor accept the interim credible of described access network, and consider to manage decision factor (if present), for carrying out the final credible final judgement about described access network

-when described determiner produces the suitability of ownership route of all subscription APNs about described user, described determinant is further configured to abandon the interim credible of described access network the most described access network, and consider technology and the management (if present) decision factor of the home network of the most described user, for carrying out the final credible final judgement about described access network

-when the suitability of the described determiner generation suitability about the local break-out of some subscription APNs of described user and the ownership route of other subscription APNs about described user, described determinant is further configured to carry out those subscription APNs of the suitability about generation local break-out and the sub-judgement of those the subscription APNs about the suitability producing ownership route, and combine the son judgement carried out for these two groups of APNs, make when have determined that described access network for these two groups of APNs credible time, judge that described access network is the most credible,

-when the suitability of the described determiner generation suitability about the local break-out of some subscription APNs of described user and the ownership route of other subscription APNs about described user, described determinant is further configured to carry out those subscription APNs of the suitability about generation local break-out and the individually judgement of those the subscription APNs about the suitability producing ownership route, and inform the user described access network to judge relative to each the independent of final credibility subscribing to APN of described user

-described device can operate when being initially attached to or be switched to described access network,

-described device can operate as the AAA server in the described home network of described user.

Exemplary 5th aspect according to the present invention, provide a kind of device, including receptor, be configured to the network element of the home network from roamer receive about each of described user subscribe to APN, about the information of credible individually judgement of the access network that provides grouped data to access for described user；And requester, it is configured to the credibility according to the access network about each subscription APN received, uses each APN request packet data network to connect.

null-described requester is further configured to: can be considered the APN of believable instruction for receiving the access network about it，If use proxy mobile internet protocol，Then send packet data network connection request to non-3 gpp gateway，If or using double stack Mobile Internet Protocol version 6，Then set up security association and send packet data network connection request to grouped data network gateway，And/or the APN of incredible instruction must be considered for receiving the access network about it，If use proxy mobile internet protocol，The packet data network connection request being embedded in during secure tunnel is set up then is sent to evolution packet gateway，If and/or using double stack hierarchical mobile IP basis 6，Then set up the tunnel for evolution packet data gateway and set up security association and send packet data network connection request via the described tunnel for described evolution packet data gateway to grouped data network gateway，

-described device can operate as the subscriber equipment of described user.

Exemplary 6th aspect according to the present invention, provide a kind of device, including: evaluator, it is configured to consider the available decision factor about credible, is evaluated as access network and the trusting relationship accessed between network of described user that roamer provides grouped data to access；Determinant, is configured to trusting relationship based on assessment and judges the described access network credibility relative to described access network；And conveyer, the network element being configured to the home network to described user transmits about the described instruction judging credibility.

-described conveyer is further configured to send the attribute in certification request, and it is configured to indicate the interim credible of described access network,

-described device can operate as authentication, authorization, accounting agent entity, and/or provide grouped data to access via the interface between described access network and grouped data network gateway, and/or use proxy mobile internet protocol or double stack Mobile Internet Protocol version 6 to provide IP mobile management

-described device can operate as evolution packet data gateway, and/or provides grouped data to access via the interface between described user and grouped data network gateway, and/or uses double stack Mobile Internet Protocol version 6 to provide grouped data mobility.

Exemplary 7th aspect according to the present invention, provide a kind of computer program including program code components, the method that described program code components is arranged to when running on the processor of device perform to develop according to first aspect and/or one or more/revise.

Exemplary eighth aspect according to the present invention, provide a kind of computer program including program code components, the method that described program code components is arranged to when running on the processor of device perform to develop according to second aspect and/or one or more/revise.

Exemplary 9th aspect according to the present invention, provide a kind of computer program including program code components, the method that described program code components is arranged to when running on the processor of device perform to develop according to the third aspect and/or one or more/revise.

Exemplary embodiment by means of the present invention, provide a kind of based on the credibility with the access network in block data system, guarantee the feasible solution of safe and efficient access procedure especially with regard to the availability of the relevant information of the credibility of the non-3 GPP access network in 3GPP compatibility block data system.

Exemplary embodiment by means of the present invention, (ownership route and local break-out is included at all situations, different interfaces, etc.) in provide, home network (aaa server in such as home network) is able to determine whether to meet the condition that is trusted about access network.According to embodiments of the invention, when access network is connected to be positioned at grouped data network gateway (the PDN GW) accessed in network, this point is also achieved for roaming condition.In other words, it is provided that a kind of for all relevant informations (such as from accessing network) are sent to wherein to need to carry out the feasible solution of home network judged.

Exemplary embodiment by means of the present invention, it is provided that about the internuncial more efficient measure of IP of use non-3 GPP access network, such as, improve resource and use.

Accompanying drawing explanation

Hereinafter, it is more fully described the present invention by means of non-limiting example with reference to the accompanying drawings, in the accompanying drawings:

Fig. 1 is shown in which to apply the schematic block diagram of the network configuration in the case of the ownership route of the use S2a interface of embodiments of the invention,

Fig. 2 is shown in which to apply the schematic block diagram of the network configuration in the case of the local break-out of the use S2a interface of embodiments of the invention,

Fig. 3 is shown in which to apply the schematic block diagram of the network configuration in the case of the ownership route of the use S2c interface of embodiments of the invention,

Fig. 4 is shown in which to apply the schematic block diagram of the network configuration in the case of the local break-out of the use S2c interface of embodiments of the invention,

Fig. 5 shows the message flow diagram of the access authentication procedure in Fig. 1 to 4 of the exemplary embodiment according to the present invention in the network configuration of any one,

Fig. 6 shows the message flow diagram of the access authentication procedure in Fig. 3 or 4 of the exemplary embodiment according to the present invention in the network configuration of any one,

Fig. 7 shows the indicative flowchart of the method that can perform at attribute network entity of the exemplary embodiment according to the present invention,

Fig. 8 shows the indicative flowchart of the method that can perform at access network entity of the exemplary embodiment according to the present invention,

Fig. 9 shows the indicative flowchart of the method that can perform at subscriber equipment of the exemplary embodiment according to the present invention,

Figure 10 shows the schematic block diagram of the attribute network entity of the exemplary embodiment according to the present invention,

Figure 11 shows the schematic block diagram accessing network entity of the exemplary embodiment according to the present invention, and

Figure 12 shows the schematic block diagram of the subscriber equipment of the exemplary embodiment according to the present invention.

Detailed description of the invention

The present invention is described referring herein to specific non-limiting example.Those skilled in the art is it will be recognized that the invention is not restricted to these examples, and can be applied even more extensively.

Especially, the present invention and embodiment are described mainly for the 3GPP standard criterion being used as the non-limiting example about specific exemplary network configuration.Especially, in this, with 3GPP compatible core network (such as belong to and/or access network), i.e. the non-3 GPP access network (AN) that 3GPP evolved packet system connects is used as non-limiting example.Thus, direct relative term is specifically quoted in the description of embodiment given here.These terms only use under the background of the non-limiting example presented, and nature will not limit the present invention by any way.On the contrary, it is also possible to utilize any other network configuration or implementation, as long as it meets feature described herein.

Hereinafter, several alternative are used to describe the present invention and the various embodiments of aspect thereof and implementation.Usually, it should be noted that need and constraint according to specific, described all alternative can be provided separately or with any it is contemplated that combination (also including the combination of each feature of various alternative) provide.

At aspect most typically, according to illustrated examples outlined above, the principle of the present invention based on, access (VPLMN: access public land mobile network) network, 3GPP AAA the most therein agency or evolution packet data gateway (ePDG), assessment non-3 GPP access network is credible or insincere, and is sent to belong to (HPLMN) network, 3GPP aaa server the most therein by this result with signal form.This assumes that HPLMN trusts the information provided by VPLMN, but this trust between HPLMN and VPLMN can be assumed to be HPLMN by any way and be chosen as VPLMN roaming partner.If have selected local break-out (LBO) during certification and licensing process, then aaa server is considered as the trusted/untrusted instruction received from VPLMN.This is not meant as automatically accepting, i.e. HPLMN operator should have the right to carry out " insincere " and judge, even if VPLMN has indicated that " credible " judges and LBO is chosen.One reason may be in, HPLMN and VPLMN operator has the different judgements to the safety guaranteed by particular radio access style.

As the first alternative meeting the present invention, according to this exemplary network configuration, the interface (being referred to alternatively as STa interface) between non-3 GPP access network and 3GPP AAA agency can be used, and the interface (being referred to alternatively as SWd interface) between 3GPP AAA agency and 3GPP aaa server, realize embodiments of the invention.So-called S2a/S2b/S2c Application of Interface is in user plane communication, and wherein this is judged (noting, if trusting judgement as explained below is " insincere ", the most only use S2b interface) by IP mobility model selection.

Fig. 1 is shown in which to apply the schematic block diagram of the network configuration in the case of the ownership route of the use S2a interface of embodiments of the invention.

According to Fig. 1, non-3 GPP access network (such as, to be denoted as (potentially) credible, and is denoted as insincere) is connected to the home network HPLMN of user's (i.e. subscriber equipment) via accessing network VPLMN, and this is owing to the hypothesis of roaming condition.Roaming user equipment has been not shown, but is provided grouped data to access by any one in the non-3 GPP access network so illustrated.Owing to assuming ownership route (HR) scene in FIG, during therefore PDN Gateway is positioned at home network.The further details of the network configuration for so illustrating, with reference to 3GPP TS 23.402.

Fig. 2 is shown in which to apply the schematic block diagram of the network configuration in the case of the local break-out of the use S2a interface of embodiments of the invention.

According to Fig. 2, it is illustrated that the network configuration similar to Fig. 1, the differ in that hypothesis local break-out (LBO) scene.Therefore, during PDN Gateway is positioned at access network.

Fig. 3 is shown in which to apply the schematic block diagram of the network configuration in the case of the ownership route of the use S2c interface of embodiments of the invention.

According to Fig. 3, non-3 GPP access network (such as, to be denoted as (potentially) credible, and is denoted as insincere) is connected to the home network HPLMN of user's (i.e. subscriber equipment) via accessing network VPLMN, and this is owing to the hypothesis of roaming condition.Roaming user equipment is provided grouped data to access by any one in the non-3 GPP access network so illustrated.Owing to assuming ownership route scene in figure 3, during therefore PDN Gateway is positioned at home network.The further details of the network configuration for so illustrating, with reference to 3GPP TS 23.402.

Fig. 4 is shown in which to apply the schematic block diagram of the network configuration in the case of the local break-out of the use S2c interface of embodiments of the invention.

According to Fig. 4, it is illustrated that the network configuration similar to Fig. 3, the differ in that hypothesis local break-out (LBO) scene.Therefore, during PDN Gateway is positioned at access network.

Fig. 5 shows the message flow diagram of the access authentication procedure in Fig. 1 to 4 of the exemplary embodiment according to the present invention in the network configuration of any one.For explained below, it is illustratively assumed that the most believable non-3 GPP access network supports the EAP-AKA' certification on STa interface, this is because for being handled as the most of non-3 GPP access network by 3GPP network trust, situation should be so.

That is, Fig. 5 shows the access authentication being initially attached to non-3 GPP access network about roaming condition and the details of mandate using STa and SWd interface.Hereinafter, describe in further detail the those aspects that the access authentication so illustrated is relevant to embodiments of the invention.The further details of the action for performing about message content and each network element, with reference to the clause 6.2 of the clause 5 and 3GPP TS 32.402 of 3GPP TS 29.273.

Explained below is applied to involve the process of STa interface, and for STa interface, the use of EAP-AKA' is enforceable.(noting, the dotted line in Fig. 3 and 4 is the most uncorrelated.)

In step 1, the process (beyond the scope of this invention) specific to non-3 GPP access network is used to set up the connection (judging during this process, see below) between user equipment (UE) and " the most believable " non-3 GPP access network.It is assumed here that roaming condition, i.e. user roam in field network.Therefore, access network is connected to access the roaming partner of network VPLMN(home network HPLMN).In step 2, the authenticator in believable non-3 GPP access network sends EAP Request/identity (Request/Identity) to UE.In step 3, UE sends EAP response/identity message, and it includes network access identifier (NAI).In step 4, believable non-3 GPP access network generates the diameter certification about EAP and authorization requests (such as DER: diameter EAP Request) and includes (except other things) EAP response, access style and the identity of access network.Domain name (realm) based on NAI is partially toward suitable AAA agency (i.e. for suitable VPLMN) and route this request.In steps of 5, AAA agency should include accessing network identifier (identifying VPLMN) in DER request.

According to embodiments of the invention, 3GPP AAA agency (in VPLMN) determines the credibility of paid close attention to access network, i.e. trusting relationship between assessment non-3 GPP access network and VPLMN temporarily.For this, use hypothesis below, PDN Gateway should be dispensed in VPLMN (due to LBO scene), consider all information about access network available in VPLMN, the such as radio access technologies (RAT) in the level of security of the IP link between access network and VPLMN or access network simultaneously.A part for local policy in the AAA agency that decision factor can be configured in VPLMN.This result, the i.e. trusted/untrusted judgement about VPLMN should be added to the DER request forwarded.This can to AVP(, it can such as be denoted as " AN is credible AVP " by means of the property value of special assignment, and wherein probable value is " credible " and " insincere ") realize.DER request is subsequently based on the suitable 3GPP aaa server that the domain name part of NAI is routed in HPLMN via SWd interface.

In step 6, after 3GPP aaa server receives the DER request comprising EAP response/identity message, subscriber identity and radio access technologies (RAT) on SWd interface, it checks whether it has the untapped Ciphering Key about EAP-AKA', and if negating, then obtain new Ciphering Key set from home subscriber servers HSS.In step 7 is to 10, HSS generates Ciphering Key and sends them to 3GPP aaa server, aaa server stores these Ciphering Key (if request/reception more than one), and aaa server obtains the subscription data of user, and HSS sends this subscription data.

In a step 11,3GPP aaa server checking subscriber is authorized to use evolved packet system (EPS) and non-3 GPP access network.If user is authorized to, then (the most whether fix PDN GW to UE assignment based on the designator (from subscriber equipment and access network) received and subscription data, the PDN GW in VPLMN whether is allowed to distribute), aaa server judges the credibility of the access network discussed.

According to embodiments of the invention, the 3GPP aaa server in HPLMN judges use local break-out is still belonged to route for each subscription APN (APN) of user.It can be that (some) APNs distribute PDN GW.Further, according to embodiments of the invention, the 3GPP aaa server in HPLMN judges that access network will be handled as credible or insincere, i.e. judges that it is the most credible.

To this end, 3GPP Aaa server considers that the interim credible of VPLMN judges, the credible instruction that i.e. judges to receive from the VPLMN value of AVP (such as AN is credible).

If all APNs for user will use local break-out, then aaa server accepts the interim judgement of VPLMN in terms of technology determination factor.It still can be determined that access network " insincere ", condition is specific business relevant (i.e. management) reason (such as due to previous subscriber's complaint, limited trust etc. about VPLMN) that there is do so, but if VPLMN indicates " insincere " state, then it should not judge access network " credible ".

If for all APNs of user by use ownership route, then what aaa server should not be considered the VPLMN that receives trusts instruction (owing to relevant IP link should be between AN and HPLMN rather than between AN and VPLMN) temporarily.It is, abandon the interim judgement of VPLMN in this case, and judge independently at aaa server in the home network.

If some APNs for user allow LBO, but the APN for user asks ownership route, then there is several option.

According to the first option, aaa server is for local break-out and ownership routing condition, i.e. it is suitable for local break-out or the APN of ownership route for those, carry out sub-judgement individually, this completes for each special circumstances as described above, and is combined as them subsequently combining judgement about the single of the two group.That is, it only judges " credible " when two seeds judge all " credible ".This option result in all packet data network of the user for being discussed and connects use evolution packet data gateway (ePDG), and condition is to need so at least for some APNs.

According to the second option, aaa server, for local break-out and ownership routing condition, is i.e. suitable for local break-out or the subscription APN of ownership route for those, individually judges, this completes for each special circumstances as described above.Subsequently, if these judge difference, then aaa server indicates to user equipment (UE), and for which APN, access network will be handled as credible, and for which APN, access network will be handled as insincere.

Being judged as believable subscription APN for those access networks, UE can be to non-3 gpp gateway (if using PMIP) if or directly using DS-MIPv6 to PDN GW() send PDN connection request.In order to ask the PDN connection of any APN being judged as in those APN incredible about access network, UE should initially set up the tunnel for ePDG, and should send corresponding PDN connection request via this tunnel subsequently.

For this option, need to define new attribute, or need the grammer of expansion AT _ TRUST_IND attribute so that allowing to send the list with the respective APN trusting instruction.

Under the background of the present invention and embodiment, APN (APN) identifies the service that provided by packet data network, and independent of such access network or in the sense that the interface that access network provides independent of any access point.As the own subscription profile of storage user in hlr comprises such as the data of some services (being attached to some PDN) of authorization invocation, in any case and, LBO or ownership route will be used.

In step 12,3GPP aaa server sends diameter EAP and answers (Diameter EAP Answer) (such as DEA: diameter EPA answers) EAP-AKA' certification request (EAP Request/AKA' puts question to message) that request includes.3GPP aaa server notifies the trust state of access network in the AT_TRUST_IND attribute that EAP Request/AKA' puts question to message to include to UE.In step 13, AAA agency forwards this request to non-3 gpp AN, and it includes that AKA' puts question to.At step 14, the authenticator in access network sends EAP Request/AKA' to UE and puts question to message.In step 15, UE(USIM(universal subscriber identity module) application) certification network, calculate authentication response value and in EAP response message, send this authentication response value.In step 16, the authenticator in access network sends EAP response/AKA' to 3GPP AAA agency and puts question to packet.In step 17, AAA agency forwards this request to aaa server.In step 18, certification if compared and they are equal, is then considered as successfully by aaa server by the authentication result received and expected results (receiving in Ciphering Key).In step 19, if certification success, then user is registered in HSS by aaa server.In step 20, HSS confirms that UE is registered.In step 21, aaa server sends final DEA to AAA agency and answers (being successfully completed of instruction diameter verification process), it includes that (except other things) all relevant APN related datas are (if aaa server distributes or receives PDN GW from HSS, then it comprises PGN GW identity, if or do not send PDN GW identity, then it comprises designator, whether its instruction non-3 gpp GW can distribute the PDN GW in VPLMN, and comprises selected IP mobility pattern and EAP successful information).In step 22, DEA request is forwarded to non-3 GPP access network by AAA agency.In step 23, the authenticator in access network is successfully completed certification to UE notice.

Subsequent step after access authentication (as described above) depends on the mobility pattern received such as UE and trusts instruction.Especially, as described below, when asking PDN to connect, UE should take action according to the trusted/untrusted instruction received.

For customer service, if STa interface and EAP-AKA' authentication mechanism are for certification, then the interface for user plane can be S2a interface (when judge credible and when using PMIP) or S2b interface (insincere and when using PMIP when judging；Thus, UE is in requisition for setting up for the safe lane of ePDG) or S2c interface (when using DSMIP；In the case of credible access, packet is sent straight to PDN GW, or in the case of insincere access, packet is sent to PDN GW by ePDG).

Above-detailed is initially attached to the access authentication of access network.Similar to about the access authentication initially attached at the access authentication being switched to perform in the case of non-3 GPP access network.It practice, these differences (may distribute some PDN Gateway the most before handover, and aaa server receives these from HSS) need not any different behavior specific operation according to an embodiment of the invention.

It should be noted that, use the above-mentioned scene of STa interface to depend on hypothesis below, subscriber equipment is such as being begun setting up before PDN connects by establishment understanding whether it is connected to credible access network for the DS-MIPv6 binding of PDN Gateway.In this, it is assumed that credible access network supports EAP, and this is the prerequisite using EAP-AKA' between subscriber equipment and aaa server.

But, if meeting specific condition, then 3GPP standard allows do not supporting EAP method and the most do not supporting that EAP-AKA'(is as above it has assumed that also trusted non-3 GPP access network in the case of).Certification is not suitable for for (potentially) credible access network of the type, the most applicable Host Based mobility, and STa interface.For this certain types of non-3 GPP access network, by not to the credibility of UE notice non-3 GPP access network, and unless had about the pre-configure information by being handled as believable particular access network, insincere (at least when initial, until it obtains this information) otherwise should be regarded as.For this situation, it is impossible to use above-mentioned first alternative；Need particular solution described below.

As meeting second alternative of the present invention, as the thick dashed line in Fig. 3 and 4 is presented, it is possible to use the new route about the transmission of certification message realizes embodiments of the invention.

In the two figure, it is illustrated that scope from subscriber equipment to home network in the thick dashed line of 3GPP aaa server, it is by credible access network and accesses the 3GPP AAA agency in network and evolution packet data gateway ePDG.This thick dashed line represents specific according to an embodiment of the invention message route.That is, according to the exemplary embodiment of the special circumstances about the believable non-3 GPP access network not having EAP to support, believable non-3 GPP access network can be connected (at least temporarily with, for certification) with ePDG.

Above-mentioned special circumstances establish the basis of basis the second alternative meeting the present invention.That is, scene below depends on hypothesis below, and non-3 GPP access network is believable, but does not support EAP, and UE is not about the pre-configure information by being handled as believable access network.For this particular case, UE should begin setting up the secure tunnel for ePDG before connecting asking any PDN.It practice, UE so operates when it is attached to believable or at least " the most believable " non-3 GPP access network.Which results in the communication path represented by the thick dashed line in Fig. 3 and 4.

Fig. 6 shows the message flow diagram of the access authentication procedure in Fig. 3 and 4 of the exemplary embodiment according to the present invention when using this new communication path in the network configuration of any one.

Fig. 6 shows the details about the access authentication and mandate being initially attached to non-3 GPP access network being equally applicable to switching.Hereinafter, describe in further detail the those aspects that the access authentication so illustrated is relevant to embodiments of the invention.The further details of the action for performing about message content and each network element, with reference to the clause 8.2.2 of 3GPP TS 32.402.

In step 1, UE and ePDG exchange is referred to as the first pair of message of IKE_SA_INIT, and wherein ePDG and UE consults cryptographic algorithm, exchanges random number (nonce) and performs Diffie_Hellman exchange.In step 2, UE sends user identity and APN information in this first message in IKE_AUTH stage, and starts the negotiation of sub-security association.UE omit AUTH parameter so that indicating it to be desirable for IKEv2(internet key switch version 2 to ePDG) on EAP.User identity should comprise IMSI or assumed name with network access identifier (NAI) format compatible.UE should send configuration payload (CFG_REQUEST) to obtain remote ip address in IKE_AUTH request message.In step 3 and 4, ePDG sends to 3GPP aaa server via 3GPP AAA agency has the authentication request message of EAP AVP, and it comprises user identity, APN information, ePDG Selection parameter and (temporarily) of access network discussed is credible indicates.EPDG should include indicating the parameter being carrying out the certification about the tunnel set up with ePDG.This will help 3GPP aaa server distinguish about credible access or I-WLAN(intercommunicated wireless local area network) tunnel set up certification.

According to embodiments of the invention, in step 3, ePDG(is in VPLMN) determine the credibility of paid close attention to access network, i.e. trusting relationship between assessment non-3 GPP access network and VPLMN temporarily.For this, use hypothesis below, PDN Gateway should be dispensed in VPLMN (due to LBO scene), consider all information about access network available in VPLMN, the such as radio access technologies (RAT) in the level of security of the IP link between access network and VPLMN or access network simultaneously.A part for the local policy that decision factor can be configured in the ePDG in VPLMN.This result, the i.e. trusted/untrusted judgement about VPLMN should be added to (DER) certification request forwarded.This can to AVP(, it can such as be denoted as " AN is credible AVP " by means of the property value of special assignment, and wherein probable value is " credible " and " insincere ") realize.(DER) certification asks the domain name part being subsequently based on NAI to be routed to suitable 3GPP AAA agency, and this 3GPP AAA agency transfers it to again the 3GPP aaa server in HPLMN.

In steps of 5,3GPP aaa server should fetch user profiles and Ciphering Key (if these parameters are unavailable 3GPP aaa server) from home subscriber servers HSS and/or attaching position register HLR.The parameter that 3GPP aaa server should make the instruction received in step 4 be carrying out the certification about the tunnel set up with ePDG is included in in the request of HSS.HSS should generate subsequently to be had the Ciphering Key of AMF separation position (separation bit)=0 and they sends back 3GPP aaa server.3GPP aaa server also should fetch user profiles (if it is the most unavailable at that) and based on this user profiles, should be for each subscription APN(APN of user), judge to be dispensed in VPLMN uses ownership route or local break-out, i.e. PDN Gateway still in HPLMN.Hereafter, if aaa server receives, from ePDG, the information that access network is trusted by VPLMN, then should to judge that access network will be handled as credible or insincere for aaa server.(note, not in the case of VPLMN receives trust instruction, owing to access network is always regarded as insincere when access authentication involves ePDG, therefore need not this judgement.)

According to embodiments of the invention, the 3GPP aaa server in HPLMN judges that access network will be handled as credible or insincere, i.e. judges that it is the most credible.

To this end, 3GPP Aaa server considers that the interim credible of VPLMN judges, the credible instruction that i.e. judges to receive from the VPLMN value of AVP (such as AN is credible).Similar to the alternative of use STa interface above, distinguish three kinds of situations, i.e. will use local break-out for all APNs, for all APNs by use ownership route, and some APNs for user allow LBO, and the APN for user asks ownership route.Carry out judge with feasible option STa the most above in conjunction interface described by those are similar.Therefore to details is not repeated herein for the sake of Jian Huaing (with reference to the step 11) according to Fig. 5.

Determine that access network (this means that all APN for the first option are credible after the most credible at aaa server, or at least some subscription APN for the second option is credible), aaa server should make AT_TRUST_IND attribute be included in EAP Request/AKA put question in message (or, in the case of the second option, making new attribute be included in EAP Request/AKA and put question in message, condition is that this will be used for judging coding).

In step 6,3GPP aaa server starts certification enquirement.The most again ask user identity.Trust instruction as identified above is included in the request.In step 7,3GPP AAA agency forwards this request to ePDG.In step 8, ePDG uses its identity, certificate to respond UE, and sends AUTH parameter to protect its (in IKE_SA_INIT exchanges) to be sent to the previous message of UE.It also completes the negotiation of sub-security association.Including the EAP message (EAP Request/AKA put question to) received from 3GPP aaa server so that the EAP process started on IKEv2.In step 9, UE checks parameters for authentication and responds certification enquirement.In IKEv2 message, only payload (except header) is EAP message.

For the first option, have included AT_TRUST_IND attribute if UE receives and indicate the believable EAP Request of access network/AKA to put question to message, then UE can be determined that termination IKEv2 process.If UE terminates IKEv2 process, then UE should begin for the DS-MIPv6 binding of PDN Gateway subsequently, and does not involve ePDG.Otherwise, UE continues the standard procedure omitted from Fig. 6.

For the second option, if UE receives has included AT_TRUST_IND attribute (or relevant new attribute, if this new attribute is selected for trusting access network instruction coding) but and indicate access network to subscribe to for some APN is credible not puts question to message for all subscription believable EAP Request of APN/AKA, then UE should complete IKEv2 verification process and set up the secure tunnel for ePDG.Hereafter, UE should take specifically to take action for each APN.When UE begins setting up the PDN connection being indicated as incredible APN for access network, UE should set up the DS-MIPv6 for PDN Gateway via ePDG and bind (i.e. using secure tunnel).When UE begins setting up the PDN connection being indicated as believable APN for AN, UE can directly set up the DS-MIPv6 for PDN Gateway and bind, and do not involves ePDG.

Can be used for judging the radio access technologies whether access network should be considered in the level of security in believable source, such as the IP link between access network and VPLMN or access network it practice, ePDG can have several.Decision factor can be configured to a part for the local policy in ePDG.This with in the case of S2a interface AAA act on behalf of describe similar process, wherein ePDG here takes the role that AAA acts on behalf of.

For customer service, if STa interface and EAP-AKA' authentication mechanism are not used for certification, if final credible judgement is " credible ", then the interface for user plane can be the S2c interface being directly communicated to PDN GW, or if final credible judgement is " insincere ", then the interface for user plane can be the S2c interface leading to PDN GW via ePDG.If the APN for the APN and generation ownership route that produce local break-out individually judges, then S2c interface should have the different paths about these APN groups.

Above while the intercommunication considered especially between each entity, viewpoint for total system describes alternative and the embodiment of the present invention, and details about each method and entity is described below.

Fig. 7 shows the indicative flowchart of the method that can perform at attribute network entity of the exemplary embodiment according to the present invention.The attribute network entity of the method that execution so illustrates can be e.g. if figure 1 above is to the 3GPP aaa server as shown in 4.The method so illustrated can operate when being initially attached to or be switched to the specific access network discussed.

Method according to Fig. 7, in operation S701,3GPP aaa server is acted on behalf of via 3GPP AAA and (is used STa and SWd interface, present in Fig. 1 to 4) or use, via ePDG(, the communication path that represented by the dotted line in Fig. 3 and 4) receive about access network relative to the interim credible instruction accessing network of roamer from non-3 GPP access network, this access network provides grouped data to access for described user.This instruction can such as be included in the request of diameter Extensible Authentication Protocol.Subsequently, in operation S702, determine local break-out or the suitability of ownership route of each subscription APN about described user.In operation S703, based on the interim credible instruction received and determined by about the route suitability of each APN of the user discussed, carry out the final credible judgement about described access network.

In operation S703, when determining the suitability of the local break-out producing all subscription APNs about the user discussed, the judgement (in operation S703A) carried out accepts the interim credible of described access network in terms of further including at technology determination factor, and consider to manage decision factor (if present), for carrying out the final credible final judgement about described access network.

In operation S703, when determining the suitability of the ownership route producing all subscription APNs about the user discussed, the judgement (in operation S703B) carried out farther includes to abandon the interim credible of described access network the most described access network, and consider technology and the (if present) management decision factor of the home network of the most described user, for carrying out the final credible final judgement about described access network.

In operation S703, when determining the suitability of the local break-out producing some the subscription APNs about the user discussed and about the suitability belonging to route of other subscription APNs of the user discussed, in judgement (in operation S703C) following two options carried out.In the first option (in operation S703C'), carry out those about the suitability producing local break-out and subscribe to APN and the son judgement of those APNs about the suitability producing ownership route, and combine the son judgement carried out for these two groups of APNs, make when judging that these two groups of Access Point Names are referred to as credible, it is determined that described access network is the most credible.In the second option (at operation S703C " in), carry out those titles of access point about the suitability producing local break-out and the independent judgement of those APNs about the suitability producing ownership route.

Subsequently, the final credible judgement (in operation S704) of described access network is informed the user., it is provided that general credible information (in the case of S703A, S703B or S703C'), or provide and subscribe to the specific/single information (at S703 " in the case of) of APN about each here.If for producing the APN of the suitability of local break-out and producing the APN of ownership route and individually judge, the most such as list by means of APN informs the user final credible these about access network and individually judges.This can be such as by using the grammer correspondingly revised of AT_TRUST_IND attribute or by using the attribute specifically specified to complete.

Fig. 8 shows the indicative flowchart of the method that can perform at access network entity of the exemplary embodiment according to the present invention.The access network entity of the method that execution so illustrates can e.g. be acted on behalf of to the 3GPP AAA as shown in 4 such as figure 1 above, or the ePDG as shown in figure 3 above and 4.The method so illustrated can operate when being initially attached to or be switched to the specific access network discussed.

Method according to Fig. 8, in operation S801, in the case of the second alternative that AAA agency (in the case of the first alternative presented in Fig. 1 is to 5) or ePDG(presents in figures 3,4 and 5) by considering about credible available decision factor, it is evaluated as access network and the trusting relationship accessed between network of described user that roamer provides grouped data to access.Subsequently, in operation S802, trusting relationship based on assessment is carried out about described access network relative to the credible judgement of described access network.In operation S803, to the home network of described user responsible network element (such as, according to Fig. 1 to 4 in the 3GPP aaa server of any one) transmit and judge credible instruction about described.The transmission of this instruction can perform in diameter Extensible Authentication Protocol is asked.

Fig. 9 shows the indicative flowchart of the method that can perform at subscriber equipment of the exemplary embodiment according to the present invention.Perform the subscriber equipment of method that so illustrates can e.g. as figure 1 above, 2 implied or UE as shown in figure 3 above and 4.When determining the suitability of the local break-out of some the subscription APNs about described user and about the suitability of other ownership routes subscribing to APNs of described user, (according to the operation S703 ") of figure 7 above, the method so illustrated can operate when attribute network entity performs the second option.

Method according to Fig. 9, in operation S901, subscriber equipment is from the network element of the home network of roamer, such as 3GPP aaa server, the credible information individually judged of non-3 GPP access network that receive each independent subscription APN about the user discussed, that provide grouped data to access for described user.Subsequently, in operation S902, according to the credibility of the access network about each APN received, each APN request packet data network is used to connect.

In operation S902, request packet data network connects and includes: for the instruction believable APN of access network (in step S902A), if use proxy mobile internet protocol, then send packet data network (PDN) connection request to non-3 gpp gateway, if or used double stack Mobile Internet Protocol version 6, then would set up security association and send PDN connection request to grouped data network gateway.For the instruction incredible APN of access network (in step S902B), request packet data network connects and includes: if using PMIP, then set up the tunnel for evolution packet data gateway (ePDG) and send packet data network connection (PDN) request via the described tunnel for described evolution packet data gateway, if and/or use DSMIPv6, then set up security association and send PDN connection request (if necessary, after the tunnel for ePDG is set up) via the secure tunnel for ePDG to grouped data network gateway.

Note, in the case of DSMIP and insincere access, it is only necessary to a tunnel for ePDG, and this should set up before sending first bind request to PDN Gateway.For PMIP, create single tunnel for each PDN connection/APN.

As shown in Figure 9, can perform each operation of situation for distinguishing above-outlined clearly, such as distinguish insincere/credible, PMIP or DSMIPv6 about specific APN use (the IP mobility management protocol i.e. used) and for ePDG secure tunnel there are not/exist (needs i.e. setting up this tunnel).

Although describing embodiments of the invention referring especially to method, process and function in the preceding article, but the corresponding embodiment of the present invention also covering each device, network node, including its software and/or hardware.

Describe each exemplary embodiment of the present invention below with reference to Figure 10 to 12, for simplicity, respectively refer to the respectively method according to 5 to 9 and the detailed description of operation.

In following Figure 10 is to 12, each solid box is basically configured as performing each basic operation.All solid box are basically configured as performing method as described above and operation respectively.For Figure 10 to 12, it should be noted that each frame is intended to illustrate each functional device realizing each function, process or process respectively.These functional devices are unrelated with implementation, can realize by means of any kind of hardware or software the most respectively.Interconnecting the operation coupling that the line/arrow of each block is intended to illustrate between them, on the other hand on the one hand unrelated with implementation (the most wired or wireless) it can also include any number of unshowned intermediate function entity.

Additionally, in Figure 10 is to 12, illustrate only those functional devices of any one relating in said method, process and function.Think that those skilled in the art recognizes to there is any other the traditional function block needed for the operation that each structure is arranged, the most such as, power supply, CPU, each memorizer etc..

Figure 10 shows the schematic block diagram of the attribute network entity of the exemplary embodiment according to the present invention.The device of the attribute network entity so illustrated can such as be implemented as realizing such as figure 1 above to the 3GPP aaa server as shown in 4 or in this 3GPP aaa server.

According to the exemplary embodiment shown in Figure 10, the device of the attribute network entity so illustrated includes receptor, determiner and determinant.

It is, in general, that receptor represents the assembly for receiving the interim credible instruction about access network the most described access network from the access network of network element of user (such as AAA agency or ePDG).Determiner represents the assembly of the suitability of the local break-out (LBO) for determining each subscription APN about described user or ownership route (HR).Determinant represents for based on the interim credible instruction received from described receptor and the final credible assembly judging described access network from the route suitability about each subscription APN determined by described determiner.

The determinant of the embodiment according to Figure 10 consists essentially of three unit, i.e. about determining that local break-out is applicable to a unit of all subscription APNs of described user, about determining that ownership route is applicable to a unit of all subscription APNs of described user, and about determining that local break-out is applicable to some subscription APNs of described user and belongs to the unit that route is applicable to other subscription APNs of described user.

For the first situation being previously mentioned, determinant is configured in terms of technology determination factor accept interim credible (by means of the accepter) of described access network, and consider to manage decision factor (if present), judge (by means of considering device) for carrying out the final of the final credibility about described access network.

For the second situation being previously mentioned, determinant is configured to abandon interim credible (by means of abandoning device) of described access network the most described access network, and consider technology and the management (if present) decision factor of the home network of the most described user, judge (by means of considering device) for carrying out the final of the final credibility about described access network.

For the 3rd situation being previously mentioned, it is determined that device is configured to operate in one of two kinds of optional modes.On the one hand, determinant can be configured for those subscription APNs of the described user of the suitability about generation local break-out and the sub of those subscription APNs about the described user of the suitability producing ownership route judges (by means of (sub) determinant), and combine the son judgement carried out for these two groups of APNs, make when judging that access network is credible for these two groups of APNs, it is determined that described access network is the most credible (by means of combiner).On the other hand, it is determined that device can be configured for those subscription APNs of the described user about the suitability producing local break-out and the individually judgement (by means of (sub) determinant) of those APNs about the described user producing the suitability that ownership route.

Final credible judgement is informed the user via notifying device.If it is determined that device is configured for the APN about the suitability producing local break-out and produces the independent judgement of APN of ownership route, then notifying device such as list by means of APN can inform the user final credible these about access network and individually judge.This can be such as by using the grammer correspondingly revised of AT_TRUST_IND attribute or by using the attribute specifically specified to complete.

The device of the attribute network entity so illustrated includes for the interface accessing network entity (such as according to the network configuration of bottom, for AAA agency or for ePDG).It may further include for another attribute network entity (such as HSS, HLR, PCRF(policy charging rule function)) interface.

Figure 11 shows the schematic block diagram accessing network entity of the exemplary embodiment according to the present invention.The device accessing network entity so illustrated can such as be implemented as if figure 1 above is to the 3GPP AAA agency as shown in 4 or the ePDG as shown in figure 3 above and 4, or realizes in this 3GPP AAA agency or ePDG.

According to the exemplary embodiment shown in Figure 11, the device accessing network entity so illustrated includes evaluator, determinant and conveyer.

It is, in general, that evaluator represents for the assembly by considering to assess the trusting relationship accessed between network of access network and user about credible useful decision factor.Determinant represents for judging the described access network credible assembly relative to described access network based on the trusting relationship assessed.Conveyer represents that the network element for the home network to described user transmits about the described assembly judging credible instruction.

The device accessing network entity so illustrated includes the interface for attribute network entity (such as aaa server).It farther includes for relevant access network and/or the interface of subscriber equipment discussed.

Figure 12 shows the schematic block diagram of the subscriber equipment of the exemplary embodiment according to the present invention.The device of the subscriber equipment so illustrated can such as be implemented as figure 1 above, 2 hints or UE as shown in figure 3 above and 4, or realization in this UE.

According to the exemplary embodiment shown in Figure 12, the device of the subscriber equipment so illustrated includes receptor and requester.

It is, in general, that receptor represents the assembly for receiving the credible information individually judged about each subscription APN providing user that grouped data accesses, that discussed by described user from the network element of the home network of roamer (such as aaa server).Requester represents the assembly using each APN request packet data network to connect for the credibility according to the access network about each APN received.

The requester of the embodiment according to Figure 12 is basically configured as (by means of one or more respective transmitters), if the APN access network for being discussed is indicated as credible and proxy mobile internet protocol and is used as agreement, then send PDN connection request to non-3 gpp gateway, if and/or the APN access network for being discussed is indicated as credible and double stack Mobile Internet Protocol version 6 and is used as IP mobility management protocol, then set up security association and to grouped data network gateway (directly, the most do not involve ePDG) send PDN connection request.Requester is additionally configured to, if the APN access network for being discussed is indicated as insincere and PMIP and will be used, then set up via the new tunnel for ePDG and certification asks packet data network to connect (by means of transmitter (with optionally arranging device)), if or the APN access network for being discussed is indicated as insincere and DSMIPv6 and will be used, setting up this tunnel (by means of arranging device) in the case of the most disabled for the tunnel of ePDG and then setting up security association and send PDN connection request (by means of respective transmitter) via the described tunnel for described ePDG to grouped data network gateway.

In order to distinguish the above-mentioned situation of network trusted property, requester can include the access network detector about each APN, and it represents the credible assembly for checking the access network about each APN discussed.In order to distinguish the above-mentioned situation of used agreement, requester can include IP mobility management protocol detector, and its expression is used for checking proxy mobile internet protocol (PMIP) or double stack Mobile Internet Protocol version 6(DS-MIPv6) it is used as the assembly of agreement.It should be noted that, these agreements being previously mentioned are as non-limiting example, any other agreement can be used equally, as long as being applicable to bottom-layer network configuration.In order to distinguish the above-mentioned situation not existing/existing in the tunnel for relevant ePDG, requester can include (although not shown) tunnel detector, and it represents the assembly for checking whether the secure tunnel existing for evolution packet gateway.

The device accessing network entity so illustrated includes the interface for attribute network entity (such as aaa server).It farther includes for above-mentioned non-3 gpp gateway, PDN Gateway and the interface of at least one in the ePDG sending PDN and/or tunnel foundation request to suitable destination.

Any one in the device of above-outlined represents the autonomous entity according to each embodiment of the present invention, and their intercommunication is overall or they any it is contemplated that combination represent the system of each embodiment according to the present invention.

Generally, it should be noted that if being only adapted for carrying out the function of described various piece, then can be realized by any any means known with form with hardware and/or software respectively according to each functional device of above-mentioned aspect or element.Mentioned method step can realize in single functional device or be realized by single equipment, or one or more method step can realize in individual feature block or be realized by individual equipment.

Generally, in the case of the thought not changing the present invention, any method step is suitable to be implemented as software or realized by hardware.Equipment and assembly may be implemented as single equipment, but as long as keeping the function of equipment, this does not get rid of they distributed throughout system realizations in a distributed fashion.These and similar principle will be considered it is known to those skilled in the art that.

Here the software in the sense that description includes such software code, it includes the code components for performing each function, and storage thereon have each data structure or code section such as computer-readable recording medium tangible medium on embody, or in signal or chip, embody the software (or computer program or computer program) of (the most at which reason during).

Generally, for the purpose of invention as described above, it shall be noted that

-access technology can be that subscriber equipment can be by means of any technology of its access (such as via base station or generally via access node) access network.Any current or the technology in future, such as WLAN(WLAN can be used), WiMAX(micro-wave access global inter communication), bluetooth, infrared etc.；Although above technology major part is the wireless access technology in the most different radio-frequency spectrums, but the access technology in meaning of the present invention can also infer cable technology, the most IP-based access technology, such as cable network or fixing circuit, and can infer circuit switching access technology；Access technology can be divided at least two classification or input field, such as packet switch and circuit switching, but do not hinder more than the existence of two input fields and apply the present invention to it,

-access network can be any unit, unit or the assembly of the service that station, entity or other subscriber equipmenies can connect and/or utilize access network to provide；These services include (except other things) data and/or (audio frequency) visual communication, data download etc.；

-subscriber equipment can be that system user can pass through its any unit, unit or assembly experiencing the service from access network, such as mobile phone, personal digital assistant PDA or computer；

-be likely to be implemented as software code partition and use processor in one of entity, network element or terminal (as its unit and/or the example of module, or as including for its device and/or the example of the entity of module) method step that runs of place and function, unrelated with software code and the programming language of any of or following exploitation can be used to illustrate, the most such as, Java, C++, C and assembly program, if the function that keeping method step is limited；

-generally, in the function aspects realized in the case of the thought not changing the present invention, any method step is suitable to be implemented as software or realized by hardware；

null-it is likely to be implemented as the method step of hardware component at terminal or network element、Function and/or equipment、Device、Unit or assembly，Or its any module (multiple)，Unrelated with hardware，And the hardware technology of any of or following exploitation or any mixing of these technology can be used to realize，Such as MOS(metal-oxide semiconductor (MOS))、CMOS(complementation MOS)、The ambipolar MOS of BiMOS()、The ambipolar CMOS of BiCMOS()、ECL(emitter coupled logic (ECL))、TTL(transistor-transistor logic) etc.，Can also use such as lower component realizes: ASIC(application-specific integrated circuit (integrated circuit)) parts、FPGA(field programmable gate array) parts、CPLD(CPLD) parts or DSP(digital signal processor) parts；Furthermore, it is likely that be implemented as any method step of component software and/or equipment, unit or assembly can such as be based on such as being authenticated, authorize, keying and/or any security architecture of service protection；

-unit, unit or assembly may be implemented as single unit, unit or assembly, but this does not get rid of they distributed throughout system realizations in a distributed fashion, as long as keeping the function of these units, unit or assembly,

-device can be by semiconductor chip, chipset or include that (hardware) module of this chip or chipset represents；But, the function of this not remover or module is not hard-wired, and it is implemented as the possibility of the software in (software) module, such as include the computer program for the executable software code part of execution/operation on a processor or computer program；

-equipment can be considered device or the assembly of more than one device, with functionally intemperate with one another the most independently of one another but be such as only located at same apparatus casing in unrelated.

Present invention also contemplates that any of method sequence described above and operation it is contemplated that combination, and node described above, device, module or element any it is contemplated that combination, as long as the concept that process as described above and structure are arranged is applicable.

Although describing the present invention above according to accompanying drawing with reference to example, it will be understood that, the invention is not restricted to this.Conversely, for those skilled in the art it is evident that in the case of the scope without departing from invention thought disclosed herein, the present invention can modify in many ways.

Claims

1. for judging a final credible method, including:

Attribute network entity receives and provides the instruction relative to the interim credibility of the described access network of described user of access network that grouped data accesses about for roamer from accessing network of network element；

Described attribute network entity determines local break-out or the suitability of ownership route of each subscription APN about described user；And

Described attribute network entity based on the interim credible instruction received and determined by about the route suitability of each subscription APN of described user, it is determined that described access network final credible.

Method the most according to claim 1, wherein said reception credible instruction temporarily includes receiving the attribute in certification request, and it is configured to indicate the interim credible of described access network.

Method the most according to claim 2, wherein certification request includes that diameter Extensible Authentication Protocol is asked.

The most according to the method in any one of claims 1 to 3, the wherein said suitability determining the local break-out producing all subscription APNs about described user, described judgement farther includes:

The interim credible of described access network is accepted in terms of technology determination factor, and

Consider that management decision factor carries out the final credible final judgement about described access network.

Method the most according to claim 4, it is one or more that wherein said technology determination factor includes in the level of security of the link between the radio access technologies of described access network and described access network and the described access network of described user；And it is one or more that described management decision factor includes in the existence of the Roaming agreements between described access network and described home network, the level of trust between described access network and described home network, previous Quality of Service Experience.

The most according to the method in any one of claims 1 to 3, the wherein said suitability determining the ownership route producing at least some subscription APN about described user, described judgement farther includes:

Abandon the described access network interim credibility relative to described access network, and

Consider relative to the technology determination factor of the home network of described user and management decision factor that may be present, in order to carry out the final credible final judgement about described access network.

The most according to the method in any one of claims 1 to 3, the suitability that the wherein said suitability determining the local break-out producing some the subscription APNs about described user and other ownership subscribing to APNs about described user route, described judgement farther includes:

Carry out those subscription APNs of the suitability about generation local break-out and the sub-judgement of those the subscription APNs about the suitability producing ownership route, and

Combine for these two groups of APNs carry out son judgement so that when have determined that described access network for these two groups of APNs credible time, it is determined that described access network is the most credible.

Carry out those subscription APNs of the suitability about generation local break-out and the individually judgement of those the subscription APNs about the suitability producing ownership route, and

Inform the user access network to judge relative to each the independent of final credibility subscribing to APN of described user.

The most according to the method in any one of claims 1 to 3, the described network element of wherein said access network includes authentication, authorization, accounting agent entity, and/or

Grouped data is provided to access via the interface between described access network and grouped data network gateway, and/or

Proxy mobile internet protocol or double stack hierarchical mobile IP is used originally 6 to provide IP mobile management.

The most according to the method in any one of claims 1 to 3, the described network element of wherein said access network includes evolution packet data gateway, and/or

Grouped data is provided to access via the interface between described user and grouped data network gateway, and/or

Use double stack Mobile Internet Protocol version 6 to provide IP mobile management.

11. according to the method in any one of claims 1 to 3, and wherein said method can operate when being initially attached to or be switched to described access network.

12. according to the method in any one of claims 1 to 3, and the home network of wherein said user and described access network belong to the evolved packet system according to 3GPP specification, and described access network is non-3 gpp access network.

13. according to the method in any one of claims 1 to 3, and wherein said method can operate at the AAA server in the described home network of described user.

14. 1 kinds of methods connected for using credibility to ask, including:

Subscriber equipment from the network element of the home network of roamer receive about each of described user subscribe to APN, about the credible information individually judged of the access network providing grouped data to access for described user, wherein said independent judge credible based on about described access network relative to the interim credible instruction accessing network of described user and determined by the route suitability that route about the local break-out of each subscription APN or the ownership of described user；And

Described subscriber equipment, according to the credibility of the access network about each subscription APN received, uses each APN request packet data network to connect.

15. methods according to claim 14, described request farther includes:

The APN of believable instruction can be considered for receiving the access network about it, if use proxy mobile internet protocol, then send packet data network connection request to non-3 gpp gateway, if or use double stack Mobile Internet Protocol version 6, then set up security association and send packet data network connection request to grouped data network gateway, and/or

The APN of incredible instruction will be considered for receiving the access network about it, if use proxy mobile internet protocol, the packet data network connection request being embedded in during secure tunnel is set up then is sent to evolution packet gateway, if and/or use double stack hierarchical mobile IP this 6, then set up the tunnel for evolution packet data gateway and set up security association and send packet data network connection request via the described tunnel for described evolution packet data gateway to grouped data network gateway.

16. include AAA server according to the method described in claims 14 or 15, the described network element of wherein said home network.

17. 1 kinds of methods connected for using credibility to ask, including:

Subscriber equipment is received as the final credible judgement of the access network that roamer provides grouped data to access, wherein said final credibility is judged by home network, and be based on the interim credible instruction accessing network accessed relative to described roamer by the described access network accessing network and providing and determined by about the route suitability of local break-out of each subscription APN of described roamer；And

Described subscriber equipment asks at least one packet data network to connect according to the final credible judgement of the described access network received.

18. 1 kinds of devices that can determine that final credible attribute network entity, described device includes:

Receptor, is configured to receive about the access network providing grouped data to access for roamer relative to the instruction of the interim credibility of the described access network of described user from accessing network of network element；

Determiner, is configured to determine that local break-out or the suitability of ownership route of each subscription APN about described user；And

Determinant, be configured to based on the interim credible instruction received and determined by about the route suitability of each subscription APN of described user, it is determined that described access network final credible.

19. 1 kinds can use the credible device asked and connect, including:

Receptor, be configured to the network element of the home network from roamer receive about each of described user subscribe to APN, about the credible information individually judged of the access network providing grouped data to access for described user, wherein said independent judge credibility be based on about described access network relative to the interim credible instruction accessing network of described user and determined by about the local break-out of each subscription APN of described user or belong to the route suitability routeing；And

Requester, is configured to the credibility according to the access network about each subscription APN received, and uses each APN request packet data network to connect.

20. 1 kinds can determine that final credible equipment, including:

For allowing attribute network entity to receive about the access network providing grouped data to access for roamer relative to the device of the instruction of the interim credibility of the described access network of described user from accessing network of network element；

For allowing described attribute network entity to determine the local break-out of each subscription APN about described user or the device of the suitability of ownership route；And

For allow described attribute network entity based on the interim credible instruction received and determined by about the route suitability of each subscription APN of described user, it is determined that the final credible device of described access network.

21. 1 kinds can use credibility to ask the equipment connected, including:

For allow the network element of the subscriber equipment home network from roamer receive about each of described user subscribe to APN, about the device of the credible information individually judged of the access network providing grouped data to access for described user, wherein said independent judge credibility be based on about described access network relative to the interim credible instruction accessing network of described user and determined by about the local break-out of each subscription APN of described user or belong to the route suitability routeing；And

For allowing described subscriber equipment according to the credibility of the access network about each subscription APN received, use the device that each APN request packet data network connects.