DE102005055147A1 - Protected data link setting method for use in mobile communication system, involves making protected data link according to safety key for registering communication service between communication terminal and control unit over access network - Google Patents

Abstract

The method involves registering a mobile communication terminal (MKE) controlled over a connection control unit (P1) for a communication service in an Internet protocol (IP)-based service communication system. A protected data link is made according to a safety key to register the communication service between the terminal and control unit over an access network. Another data link is made for registering the terminal for the service at the communication system over another access network after changing the terminal from the former network to the latter network.

Description

The The invention relates to a method for constructing at least one protected data connection a change of the access network in a mobile communication system, which at least provides for the provision of communication services an Internet Protocol (IP) -based service communication system and to the over at least two different access networks at least one mobile communication terminal connectable is. The at least one mobile communication terminal is controlled via a first connection control unit for at least one communication service in the IP-based service communication system registered, wherein the registration of the at least one communication service between the at least one mobile communication terminal and the first connection control unit via a first access network a first protected data connection according to predetermined Safety parameters is built.

existing mobile communication systems or mobile radio systems have, for example Communication network ("Core Network "), on the above Access networks ("Access Networks ") individual mobile communication terminals are connected. At future Mobile radio systems will be in addition to one on the "General Packet Radio Service" (GPRS) access technology access network based on other access networks Access technologies such as Universal Mobile Telecommunication System "(UMTS)," Wireless Local Area Network "(WLAN) or "Worldwide Interoperability for Microwave Access "(WIMAX) be used.

to Providing multimedia communications services via the access networks is used in third-generation mobile communications systems at least one special communication system or service communication system such as the "Internet Protocol Multimedia Subsystem "(IMS) Provided service communication system. At this point are exemplary for communication or multimedia services, voice services, data services, audio services, Video services, information services and program communication services.

To the Building communication services within such an "Internet Protocol Multimedia Subsystem "or" Internet Protocol "(IP) based Service communication system assigns this a "Session Initiation Protocol" (SIP) signaling protocol on which a registration of each mobile communication terminal on the IP based service communication system (see 3GPP TS 23.228 and 24,229). To implement the SIP signaling protocol special server units are provided, the connection and service control functions, so-called "call State Control Functions "(CSCF) provide. For example, in an IP based service communication system a "serving Call Session Control Function "(S-CSCF) unit, an "interlocation Call Session Control Function "(I-CSCF) unit as well as a" Proxy Call Session Control Function "(P-CSCF) unit provided, each take over different signaling tasks. in this connection in each case at least one access network is assigned a P-CSCF unit, so that a change of the access network may also require a change of the responsible P-CSCF unit.

For example is the S-CSCF unit for the registration of a mobile communication terminal in the IP based service communication system, which serves a shortcut the address information at the SIP level (SIP URI) with the address information at the IP level (IP address), using the IMS Architecture of a registration an authentication of the respective mobile communication terminal upstream.

Independent of the authentication and registration of a mobile communication terminal on the IP based service communication system requires deployment an access in each case the allocation of an IP address by the corresponding access network, which usually when building a Communication link assigned to the mobile communication terminal becomes.

switches the user of a mobile communication terminal the access network, for example from UMTS to WLAN or from UMTS to WiMax, so is the mobile communication terminal of the User assigned a new IP address through the new access network.

One Changing the access network or the IP address requires according to the current Standardization status for the Internet Protocol Multimedia Subsystem "the Reduction of existing communication services and subsequent authentication and re-registration of the user of the mobile communication terminal under the newly assigned IP address on the IP-based service communication system. This causes delays in the data transmission for example, several seconds, especially in real-time multimedia communication services the user can not be expected.

Object of the present invention is an improved method for building a ge protected data connection after a change of the access network in an existing communication service within an IP based service communication system indicate that the resulting in the change for the user impairment of the transmission quality is almost completely eliminated and the required signaling effort is significantly reduced. The object is achieved on the basis of the features of the preamble of claim 1 by its characterizing features.

Of the essential aspect of the method according to the invention is to see that after a change of the mobile communication terminal of the first access network to another access network for renewed Registration of the mobile com munikationsendgerätes for the at least one communication service on the IP-based service communication system via the further access network a second protected Data connection is established, with reuse of the already specified for setting up the first protected data connection Security parameters. Advantageous in the method according to the invention to build the first protected Data connection envisioned security parameters, which already in the mobile communication terminal as well as in the "old" connection control unit are stored, after the change of the access network to the structure the second protected Data connection is reused, reducing the original required four signaling messages on only two signaling messages can be reduced.

Further advantageous embodiments of the method according to the invention, in particular a mobile communication system for providing communication services are the further claims refer to.

in the The invention will be explained in more detail below with reference to several exemplary embodiments and associated figures. It demonstrate:

1 Example in a schematic block diagram of a mobile communication system with different access networks,

2 by way of example, the signaling steps for re-registering a user of a communications service after a change of the access network,

3 exemplified the re-registration of a user of a communication service after a change of the access network provided signaling steps with additional change of the P-CSCF unit,

4 by way of example the signaling steps provided for exchanging the security parameters of a first protected data connection when changing the P-CSCF unit,

5 exemplifies the structure of in 4 represented signaling messages and

6 by way of example, the signaling steps provided for the establishment of a communications service after registration has taken place.

This in 1 The schematic block diagram shown exemplarily shows the network architecture of a mobile communication system KS in which at least one first and second mobile communication terminal MKE1, MKE2 are connected to a communication network CN via at least one access network "Access Network" / or another not in 1 illustrated communication terminal communication or multimedia services are built within the mobile communication system KS, maintained and degraded again.

to Provision of such communication or multimedia services in the mobile communication system KS is a service communication system IMS provided, for example, as "Internet Protocol Multimedia Subsystem "or IP-based Service communication system IMS is formed. Exemplary at this point for communication or multimedia services, voice services, data services, audio services, Video services, information services and program communication services called.

The for connecting the first and / or second communication terminal MKE1, MKE2 provided to the mobile communication system KS access networks AN can have different access technologies, for example the "General Packet Radio Service "(GPRS) Access technology, the "universal Mobile Telecommunication System "(UMTS) Access technology, the "Wireless Local Area Network "(WLAN) access technology and the "Worldwide Interoperability for Microwave Access "(WiMax) access technology.

In the present exemplary embodiment, for example, a first to third, the "Universal Mobile Telecommunication System" access technology supporting access network UMTS1 to UMTS3 are provided, which are connected via a first to third connection control unit P1 to P3 with a subscriber database unit ("Home Subscriber Server") HSS. Here is the first mobile communication terminal. MKE1 over the first Access network UMTS1 connected to the first connection control unit P1 and the second mobile communication terminal MKE3 via the third access network UMTS3 to the third connection control unit P3.

Furthermore are a fourth the "Wireless Local Area Network "access technology supportive Access network Wi-Fi and a fifth the "Worldwide Interoperability for Microwave Access "access technology supportive Access network WiMax provided, which also via the first and second connection control unit P1, P2 are connected to the subscriber database unit HSS. Consequently is for the control of the provision of communication services within of the first and fourth access networks UMTS1, WLAN, the first connection control unit P1 and within the second and fifth access networks UMTS2, WiMax the second connection control unit P2 and within the third access network UMTS3 the third connection control unit P3 responsible.

To the Establishment of communication services is provided by the IP-based service communication system IMS a "session Initiation Protocol "signaling protocol SIP ready, over which is the authentication of the respective user on the IP-based Service communication system IMS and its registration for one Communication service is done.

to Implementation of the SIP signaling protocol SIP are within the mobile communication system KS special server units provided the different connection and service control functions of the "Internet Protocol Multimedia Subsystem "service communication system IMS, called "Call State Control Functions "(CSCF) provide.

For this are those between the access networks AN and the subscriber database unit HSS provided first to third connection control units P1, P2, P3 as the first to third "proxy Call Session Control Function "unit P1, P2, P3 formed.

Further are at least a "serving Call Session Control Function "unit S-CSCF and at least one "Interlocation Call Session Control Function "unit I-CSCF provided, each with the subscriber database unit HSS via SIP signaling connections SIP are connected. To realize the different connection and service control functions within the IP-based service communication system IMS are the at least one S-CSCSF unit S-CSCF, which at least an I-CSCF unit I-CSCF preferably via the subscriber database unit HSS with the first to third proxy call session control function units P1, P2, P3 over the SIP signaling protocol SIP connected.

to Registration of, for example, the first mobile communication terminal MKE1 over the first Access network UMTS1 on the IP-based service communication system IMS is a standard first Authentication (3GPP TS 33203-670) of the user of the first mobile communication terminal MKE1 performed in the IP-based service communication system IMS. For this is at least two SIP register messages via the associated first P-CSCF unit P1 to the SIP registrar or the S-CSCF unit S-CSCF of the IP-based Service communication system IMS sent. The standardized for this purpose Authentication method is standard in 3GPP TS 33203-670 and the individual signaling steps in the standards 3GPP TS 24.229 and 3GPP TS 24.228.

in the Framework of this standardized authentication and registration process is in the first mobile communication terminal MKE1 and assigned to this first P-CSCF unit P1 a first protected Data connection SA1 according to predetermined Security agreements ("security Association "), which for protected transmission the Sig nalisierungsnachrichten between the first mobile communication terminal MKE1 and the first P-CSCF unit associated therewith P1 over the first access network UMTS1 is used. Based on the given one Safety agreement SS safety parameters are provided, which is the first protected data connection Define SA1. In particular, a first security key or "Security / Integrity Key "IK1 formed, by means of encryption the one contained in the respective SIP signaling messages Data takes place.

Advantageous becomes in the procedure according to invention when changing the access network AN, for example, from the first access network UMTS1 to the fourth access network WLAN or fifth access network WiMax im Framework of re-authentication of the user on the IP-based access network or the re-registration for a communication service, the already provided first security key IK1 used again in the new access network AN.

To explain the method according to the invention, it is assumed by way of example that the first mobile communication terminal MKE1 is connected to the mobile communication system KS via the first access network UMTS1 and the user of the first mobile communication terminal MKE1 is already registered for at least one communication service in the IP-based service communication system IMS, ie already a first ge protected data connection SA1 is constructed between the first mobile communication terminal MKE1 and the first P-CSCF unit P1 via the first access network UMTS1. In this case, the user can also simultaneously use a plurality of communication services within the IP-based service communication system IMS, for example simultaneously a video conference service and a chat communication service.

by virtue of mobility the user of the first and / or second mobile communication terminal MKE1, From time to time, MKE2 requires a change of access network AN, each assigning a new IP address to the changing mobile communication terminal MKE1, MKE2 required by the respective new access network AN.

in this connection would like to the user in the context of such a change naturally his existing communication services. According to the currently valid However, default is on a change the IP address a re-registration of the respective mobile communication terminal MKE1; MKE2 is required on the IP-based service communication system IMS, i.e. in the present embodiment are already over reduce the first access network UMTS1 established communication services and after a successful change of the access network AN after a new registration the user of the IP-based service communication system IMS again rebuild. Here are essentially two different Considered change scenarios.

in the In the first case, the user of the first mobile communication terminal MKE1 changes from the first access network UMTS1 into the adjacent fourth access network WLAN, whose connection control functions also by the first P-CSCF unit P1 can be perceived. Thus, despite a change of the access network AN no change of the first P-CSCF unit P1 required, i.e. the connection control of the in the reception area of the fourth Access network WLAN first communication terminal MKE1 * continues via the first P-CSCF unit P1.

in the second case, the user of the first mobile communication terminal MKE1 changes from the first access network UMTS1 into a neighboring fifth access network WiMax, which, however, a change of the connection control unit P1, P2, from the first P-CSCF unit P1 to the second P-CSCF unit P2, entails, i. the connection control functions regarding the in the reception area of the fifth Access network WiMax located first communication terminal MKE1 ** are performed by the second P-CSCF unit P2.

Independent of Change of responsibility of However, connection control or P-CSCF unit P1, P2 is in both cases a re-registration of the first mobile communication terminal MKE1 *, MKE1 ** IP based service communication system IMS required.

by virtue of the existing registration of the first mobile communication terminal MKE1 for one Communication service on the IP-based service communication system IMS already exists the first protected data connection SA1 between the first mobile communication terminal MKE1 and the associated first P-CSCF unit P1. Also, the first mobile communication terminal MKE1 is already assigned a first IP address ip1 by the first access network UMTS1, which in the context of the allocation process in the subscriber database unit HSS with the user identity of the user first mobile communication terminal MKE1 linked and there is stored.

The as part of the construction of the first protected data connection SA1 between the first mobile communication terminal MKE1 and the first P-CSCF unit P1 exchanged safety parameters SS are both in the first mobile communication terminal MKE1 and stored in the associated first P-CSCF unit P1. exemplary Let SS be the random challenge (RAND) parameter as security parameter SS EDGE, the "sequence number "(SQN) parameter SQN, the "authentication management field "(AMF) parameter AMF and the "security parameter index "SPI parameter spi_u, called spi_d.

The SPI parameter spi_u, spi_d forms within the IP based service communication system IMS a unique identifier to identify a protected data connection out. As a protected Data connection from a protected downstream data connection and a protected one For example, upstream data connection exists the first protected Data connection SA1 a first SPI parameter spi1_d for identification a first protected Downstream data connection and a second SPI parameter spi1_u to identify a first protected Upstream data connection provided. The first protected downstream and upstream data connection become first input port numbers p1 assigned, which by means of the first IP address ip1 a link to Enable IP layer.

The first security key IK1, possibly another security key ("cipher key") CK and a first "Message Authentication Code" MAC parameter HMAC_1 are inter alia by Off evaluation of the safety parameters RAND, SQN and AMF.

Now changes in the considered embodiment according to 1 the first mobile communication terminal MKE1 from the first access network UMTS1 into the adjacent fourth access network WLAN, the fourth access network WLAN assigns to the first mobile communication terminal MKE1 a ("new") second IP address ip2, which in turn resides in the subscriber database unit HSS with the user identity the user of the first mobile communication terminal MKE1 is linked.

At the considered embodiment is due to the shared competence of the first P-CSCF unit P1 both for the first as well as for that fourth access network UMTS1, WLAN no change of the first P-CSCF unit P1 required (first case), i. the safety parameters SS and the associated first security key IK1 are already in the first P-CSCF unit P1 and in the first mobile communication terminal MKE1 saved and can for the Building the second protected Connection SA2 between the first P-CSCF unit P1 and the now in the fourth access network WLAN mobile communication terminal MKE1 again be used. In particular, the first security key IK1 in the renewed authentication of the first mobile communication terminal MKE1 for the Communication service to be used again. This must be with this the newly assigned second IP address ip2 are linked.

According to the in 2 signaling steps shown is for re-authentication of the first mobile communication terminal MKE1 generates a re-authentication message and transmitted in addition to other parameters, the newly allocated second IP address ip2 to the first P-CSCF unit P1. An update message is generated by the first P-CSCF unit P1 and the second IP address ip2 is communicated to the S-CSCF unit S-CSCF via this.

To Reception of the second IP address ip2 is performed by the S-CSCF unit S-CSCF a check message directed to the subscriber database unit HSS the correct link the second IP address ip2 with the user identity of the user of the first mobile communication terminal MKE1 verified. At a positive verification result is through the subscriber database unit HSS the change from the first to the second IP address ip1, ip2 the S-CSCF unit S-CSCF confirmed by means of a 200-ok message. thereupon is sent by the S-CSCF unit S-CSCF by means of another 200-OK message the validity of the performed Change to the second IP address ip2 of the first P-CSCF unit P1 displayed, which this the first mobile communication terminal MKE1 means another 200-OK message confirmed.

From of the first P-CSCF unit P1 are used to identify the second protected Data connection SA2 a third and fourth SPI parameter sip2_d, sip2_u and related second input port numbers p2 for Downstream and upstream transmission direction determined and sent to the first mobile communication terminal MKE1 via the transfer the latter 200-OK message. By means of the third and fourth SPI parameters sip2_d, sip2_u and the associated second one Input port numbers p2 will then become the second protected connection SA2 between the first mobile communication terminal MKE1 and of the first P-CSCF unit P1. The second input port numbers p2 are linked to the second IP address ip2 and thus provide a new connection to the IP layer. We are the first protected data connection SA1 no longer needed, so will after deletion the first IP address ip1 also the reservation of the first input port numbers p1 repealed to transfer conflicts to avoid.

in the second case, the user of the first mobile communication terminal MKE1 changes from first access network UMTS1 into the fifth access network WiMAx, whose Connection control functions are perceived by the second P-CSCF unit P2 become. Thus, a change from the first P-CSCF unit P1 to second P-CSCF unit P2 required. For reuse according to the invention the for the structure of the first protected data connection SA1 provided safety parameters SS will be at least the first security key IK1 through the first P-CSCF unit P1 of the second P-CSCF unit P2 available so as to establish the second protected data connection SA2 between in the fifth Access network WiMax located first mobile communication terminal MKE1 and the second P-CSCF unit P2 only a reduced number of Signaling messages is required.

The required for this single signaling steps between the first mobile communication terminal MKE1, the first and second P-CSCF unit P1, P2 are in the 3 and 4 exemplified. First, after the change to the fifth access network WiMax, the first mobile communication terminal MKE1 is assigned a ("new") second IP address ip2 by the ("new") fifth access network WiMax, which is also in the subscriber database unit HSS with the user identity of the user of the first mobile communication terminal MKE1 ver is knotted. Following this, analogously to the first case, a re-authentication message is generated by the first mobile communication terminal MKE1 and the newly assigned second IP address ip2 is transmitted to the second P-CSCF unit P2 via this. In this case, the re-authorization message has additional information regarding the security agreement or the first protected data connection SA1 provided in the first P-CSCF unit P1, which are processed further in the second P-CSCF unit P2.

Subsequently, will based on the additional determined information through the second P-CSCF unit P2 a Context request message generates and on this the first security key IK1 requested by the first P-CSCF unit P1. After receiving the context request message in the first P-CSCF unit P1 becomes a context transfer message in this generated and over this the first security key IK1 transferred to the second P-CSCF unit P2.

Analogous in the first case, this is followed by the second P-CSCF unit P2 generates an update message and transmits it to the S-CSCF unit S-CSCF, via which this is the second IP address ip2 transmitted. By means of a check message is through the S-CSCF unit S-CSCF the subscriber database unit HSS for verification the assignment of the second IP address ip2 to the user identity of the user the first mobile communication terminal MKE1 checked. After verification is over a 200-OK message the S-CSCF unit S-CSCF over the Bills informed.

From The S-CSCF unit S-CSCF will be the successful change of access network AN by means of a 200-OK message from the second P-CSCF unit P2 approved. additionally be to the first mobile communication terminal MKE1 means of a through the second P-CSCF unit P2 generated the 200 OK message to be set up the second protected Data connection SA2 required SPI parameters and the associated port numbers.

To explain the in the context of in 4 The security parameters SS exchanged in the signaling steps shown in FIG 5 by way of example in a sectional representation, the structure of a re-authentication message provided for transmitting the security parameters SS 1 illustrated and explained in more detail by way of example.

In the re-authentication message 1 is next to a data field receiving the first IP address ip1 and the first port addresses p1, a data field containing the second IP address ip2 and the second port addresses p2, an array having an encapsulated security payload (ESP) parameter, and a first one An additional data field reserved for the transmission of the security parameters SS is provided for the MAC parameter HMAC_1, which is referred to below as "migrate message" MIGRATE and implementation of the method according to the invention is used.

By the first mobile communication terminal MKE1 becomes dependent on the assigned second IP address ip2 first a third SPI parameter spi2_d to identify the second downstream protected data connection protected within the second Data connection SA2 determined and in the Migrate message MIGRATE inserted. The encryption the second protected downstream data connection takes place here by means of the stored in the first mobile communication terminal MKE1 first security key IK1 the first protected Data connection SA1.

In the migrate message MIGRATE are next by the first mobile communication terminal MKE1 the third SPI parameter spi2_d inserted further parameters, the first SPI parameter spi1_d, the first and second Port numbers p1 and the first and second IP address ip1, ip2.

In 5 is an example of the structure of such a Migrate message MIGRATE and their embedding in the re-authentication message 1 shown. The Migrate message MIGRATE is packaged as the first IP data packet x using the "IP Security" (IPSec) security architecture, and the destination address given is the first IP address ip1 and the first port numbers p1, and in the first IP data packet x an ESP parameter ESP and the first MAC parameter HMAC_1 inserted.

The first IP data packet x having the Migrate message MIGRATE is placed in the re-authentication message 1 inserted and provided with the second IP address ip2 as the destination address. Furthermore, the second port numbers p2, an ESP parameter ESP and a third MAC parameter HMAC_P are also included in the re-authentication message 1 inserted so that through the re-authentication message 1 a complete second IP data packet is formed. The third MAC parameter HMAC_P is derived on the basis of the security agreements of a third protected data connection SA3 existing between the first and second P-CSCF units P1, P2, for the protected transmission of signaling messages between the first and second P-CSCF units P1, P2 is provided.

Following that will be the second one "IP data packet" trained re-authentication message 1 to the second P-CSCF unit P2. In the second P-CSCF unit P-CSCF2, the "outer" IP header of the second "IP data packet" is hidden and the first IP data packet x is uncovered. By means of the second P-CSCF unit P-CSCF2, the first IP data packet x is sent to the first P-CSCF via a third protected data connection SA3 according to the IPSec security architecture between the first and second P-CSCF units P1, P2. Unit P1 in the form of a context request message 2 transfer. The context request message 2 in this case comprises the first IP data packet x, the first and second input port numbers p1, p2, the ESP parameter ESP and the third MAC parameter HMAC_P.

In the first P-CSCF unit P1, the one in the context request message 2 evaluated third MAC parameters HMAC_P and the first MAC parameter HMAC_1 evaluated and checked for the first protected data connection SA1 and the third protected data connection SA3 security agreements. Following this, the first P-CSCF unit P1 evaluates the Migrate message MIGRATE and the first P-CSCF unit P1 evaluates a context transfer message 3 generated in the form of a third IP data packet. The context transfer message 3 has, in addition to the first and second port numbers p1, p2, the ESP parameter ESP and the third MAC parameter HMAC_P, the third SPI parameter spi2_d and the first security key IK1. The context transfer message 3 is subsequently transmitted from the first to the second P-CSCF unit P1, P2 via the third protected data connection SA3.

The second P-CSCF unit P2 uses the third MAC parameter HMAC_P to write the context transfer message 3 evaluated and in addition to the third SPI parameter spi2_d a fourth SPI parameter spi2_u for identifying the second protected upstream data connection within the second protected data connection SA2 determined. Subsequently, a structure initiated by the second P-CSCF unit P2 of the second protected data connection SA2 takes place according to the security agreements defined for this purpose, specifically in the downstream transmission direction.

Thereafter, the second P-CSCF unit P2 sends a 200-OK message 4 the fixed fourth SPI parameter spi2_u is communicated to the first mobile communication terminal MKE1. The 200-OK message 4 is also designed as an IP data packet and has the second port numbers p2, the second IP address ip2, the ESP parameter and a second MAC parameter HMAC_2. The 200-OK message 4 is protected by the first security key IK1 exchanged between the first and second P-CSCF units P-CSCF1, P-CSCF2.

in the Connection is made between the first mobile communication terminal MKE1 and the second P-CSCF unit P2, the second protected data connection SA2 below Use of the third and fourth SPI parameters spi2_d, spi2_u and the second input port numbers p2. The first protected data connection SA1 exists first further.

In order to rebuild the communication service existing before the change of the access network An between the first and second communication terminal MKE1, MKE2, according to the in 6 shown signaling diagram generated by the first mobile communication terminal MKE1 Re-Establish message and transmitted via the second P-CSCF unit P2, the S-CSCF unit S-CSCF and the third P-CSCF unit P3 to the second mobile communication terminal MKE2 , By the second mobile communication terminal MKE2 this is confirmed by means of a 200-OK message, which via the third P-CSCF unit P3, the S-CSCF unit S-CSCF and the second P-CSCF unit P2 to the first mobile communication terminal MKE1 is retransmitted. This is followed by the transmission of data via the established communication service between the first and second communication terminal.

through the method described for the migration of security agreements a first protected Data connection SA1 in the re-authentication procedure in As part of the change of the access network AN already existing security key IK1 be used again and thus the one to carry out the access network change required signaling costs are significantly reduced.

Especially are for a complete Registration instead of transfer of four signaling messages between the first mobile communication terminal MKE1 and the associated P-CSCF unit P1, P2 only two signaling messages required which over transmit the air interface Need to become.

The The invention has been described above with reference to an exemplary embodiment. It is understood that numerous changes and modifications are possible, without thereby the idea of the invention underlying the invention will leave.

1

Re-Authentication Message

2

Context Request message

3

Context transfer message

4

200 OK message

AMF

"authentication management field "parameter

AT

access networks

CK

Another security key

CN

Communication network

ESP

"Encapsulated Security Payload Parameters

HMAC_1

first MAC parameters

HMAC_2

second MAC parameters

HMAC_P

third MAC parameters

HSS

Subscriber database unit

I-CSCF

"Interlocation Call Session Control Function "unit

IK1

first security key

IMS

IP-based Service communication system

ip1

first IP address

ip2

second IP address

KS

mobile communication system

MAC

"Message Authentication Code "parameter

MIGRATE

Migrate message

MKE1, MKE1 * MKE1 ***

first mobile communication terminal

MKE2

second mobile communication terminal

p1

first port numbers

P1

first "proxy Call Session Control Function "unit

p2

second port numbers

P2

second "proxy Call Session Control Function "unit

P3

third "proxy Call Session Control Function "unit

EDGE

"random challenge" parameter

SA1

first protected Data Connection

SA2

second protected Data Connection

SA3

third protected Data Connection

S-CSCF

"serving Call Session Control Function "unit

SIP

session Initiation Protocol "signaling protocol

spi_u, spi_d

"security parameter index "parameter

spi1_d

first protected downstream data connection

spi1_u

first protected upstream data connection

spi2_d

second protected downstream data connection

spi2_u

second protected upstream data connection

SS

security parameters

SQN

"sequence number "parameter

UMTS1

first access network

UMTS2

second access network

UMTS3

third access network

WiMax

fifth access network

WIRELESS INTERNET ACCESS

fourth access network

x

first IP data packet

Claims (32)

Method for establishing at least one protected data connection (SA1, SA2) when changing the access network (AN) in a mobile communication system (KS), which has at least one Internet Protocol (IP) -based service communication system (IMS) for providing communication services and to which at least two different access networks (UMTS1, WLAN, WiMax) at least one mobile communication terminal (MKE1) can be connected, wherein the at least one mobile communication terminal (MKE1) controlled by a first connection control unit (P1) for at least one communication service in the IP-based service communication system (IMS) is registered, in which for registration of the at least one communication service between the at least one mobile communication terminal (MKE1) and the first connection control unit (P1) via a first access network (UMTS1) au a first protected data connection (SA1) according to predetermined security parameters (SS) au fbaaut, characterized in that after a change of the mobile communication terminal (MKE1) from the first access network (UMTS) to another access network (WLAN) for re-registration of the mobile communication terminal (MKE1) for the at least one communication service on the IP-based service communication system ( IMS) via the further access network (WLAN) a second protected data connection tion (SA2) is set up, with renewed use of the security parameters (SS) already specified for setting up the first protected data connection (SA). Method according to claim 1, characterized in that at least one first security key (IK1) as security parameter (SS) is provided. Method according to claim 1 or 2, characterized the safety parameters (SS) in the mobile communication terminal (MKE1) and in the first connection control unit (P1) assigned to it get saved. Method according to one of claims 1 to 3, characterized in that through the first access network (UMTS1) the mobile communication terminal (MKE1) a first IP address (ip1) is assigned. Method according to one of claims 1 to 4, characterized that through the further access network (WLAN) the mobile communication terminal (MKE1) a second IP address (ip2) is assigned. Method according to one of claims 1 to 5, characterized that the IP-based service communication system (IMS) as "Internet Protocol Multimedia subsystem "trained becomes. Method according to one of claims 1 to 6, characterized in the mobile communication system, at least one second connection control unit (P1, P2, P3) is provided. Method according to one of claims 1 to 7, characterized that the provision of communication services in the IP-based service communication system (IMS) about a "session Initiation Protocol (SIP) signaling protocol (SIP) performed becomes. Method according to claim 8, characterized in that that for providing the SIP signaling protocol (SIP) the first and second connection control units (P1, P2) as "proxy Call Session Control Function (P-CSCF) Unit (P1, P2) be formed. Method according to one of claims 7 to 9, characterized that the first and second P-CSCF unit (P1, P2) each at least an access network (UMTS1, WLAN, UMTS2, WiMAx) is assigned. Method according to claim 10, characterized in that that the one of the first or second P-CSCF unit (P1, P2) assigned Access networks (UMTS1, WLAN, UMTS2, WiMAx) different access technologies, For example, the "General Packet Radio Service "(GPRS) Access technology, the "universal Mobile Telecommunication System "(UMTS) Access technology, the "Wireless Local Area Network "(WLAN) Access technology and the "Worldwide Interoperability for Microwave Access "(WiMax) access technology support. Method according to one of claims 1 to 11, characterized that when changing from the first access network (UMTS1) in the additional access network (WiMax), with a change of P-CSCF unit (P1, P2) is connected to the safety parameters (SS) via the SIP signaling protocol (SIP) between the first and second P-CSCF unit (P1, P2) are exchanged. Method according to one of claims 1 to 12, characterized in that for re-registration by the mobile communication terminal (MKE) a RE-AUTHENTICATION message ( 1 ) and transmitted to the appropriate P-CSCF unit (P1, P2). Method according to claim 13, characterized in that in the RE-AUTHENTICATION message ( 1 ) the second IP address (ip2) allocated by the further access network (WLAN, WiMAx) is transmitted. A method according to claim 13 or 14, characterized in that when changing the P-CSCF unit (P1, P2) additionally in the RE-AUTHENTICATION message ( 1 ) a MIGRATE message (MIRGRATE) is transmitted. A method according to claim 15, characterized in that the MIGRATE message (MIGRATE) with a first IP address (ip1) of the first access network (UMTS1) and the first port numbers (p1) having IP headers a first IP data packet (x ) which is included in the RE AUTHENTICATION message ( 1 ) is inserted. Method according to claim 16, characterized in that at least individual security parameters (SS) in the MIGRATE message (MIRGRATE) the first protected Data connection (SA1) inserted and transferred become. Method according to claim 17, characterized in that that as security parameter (SS) at least one "security parameter index "(SPI) parameter (spi_u, spi_d) the first protected one Data connection (SA1) is inserted into the MIGRATE message (MIRGRATE). Method according to claim 18, characterized that for identification of the first protected data connection (SA1) a first and second SPI parameter (sip1_d, sip1_u) and associated first Port numbers (p1) for the downstream and upstream transmission direction be provided. Method according to claim 17 or 19, characterized that for marking the second protected data connection (SA2) a third and fourth SPI parameter (sip2_d, sip2_u) and associated second Port numbers (p2) for provided the downstream and upstream transmission direction become. Method according to one of claims 15 to 20, characterized that in the MIGRATE message (MIRGRATE) the first and second IP address (ip1, ip2) inserted become. Method according to one of claims 15 to 21, characterized that in the MIGRATE message (MIRGRATE) the first and second port numbers (p1, p2) inserted become. Method according to one of claims 14 to 21, characterized in that after receiving the RE-AUTHENTICATION message ( 1 ) by the competent P-CSCF unit (P1, P2) an update message is generated and by means of this at least the second IP address (ip2) to a "Serving Call Session Control Function" (S-CSCF) unit (S -CSCF). Method according to claim 23, characterized that a check message is generated by the S-CSCF unit (S-CSCF) which is provided to a in the mobile communication system (KS) Subscriber Data Base Unit (HSS) is transmitted. Method according to Claim 24, characterized upon receipt of the check message by the subscriber database unit (HSS) the link the second IP address (ip2) with a user identity the user of the mobile communication terminal (MKE1) is checked and the result of S-CSCF unit (S-CSCF) communicated by means of a 200-OK message becomes. Method according to claim 25, characterized in that that at an existing link by means of another 200 OK message through the S-CSCF unit (S-CSCF) the successful change of the access network (AN) of the competent P-CSCF unit (P1, P2) is communicated. Method according to claim 26, characterized in that that by the competent P-CSCF unit (P1, P2) the third and fourth SPI parameters (spi2_d, spi2_u) as well as the associated second port numbers (p2) for Downstream and upstream transmission direction be determined and over a further 200 OK message to the first mobile communication terminal MKE1 be transmitted. Method according to one of claims 12 to 27, characterized in that for exchanging the security parameters (SS) between the first and second P-CSCF unit (P1, P2) in the first P-CSCF unit (P1) a context request Message ( 2 ) and is transmitted to the second P-CSCF unit (P2) and after receipt of the Context Request message ( 2 ) in the second P-CSCF unit (P2) a COntext transfer message ( 3 ) and retransmitted to the first P-CSCF unit (P1). Method according to claim 27, characterized in that in the context request message ( 2 ) from the RE-AUTHENTICATION message ( 1 ) and is transferred together with the first and second port numbers (p1, p2) to the first P-CSCF unit (P1). Method according to claim 27 or 28, characterized in that in the context transfer message ( 2 ) is inserted by the first P-CSCF unit (P1), the first security key (IK1) and the third SPI parameter (sip2_d) and this is retransmitted to the second P-CSCF unit (P2). Method according to one of claims 2 to 30, characterized that over the first and / or second protected Data connection (SA1, SA2) transmitted Signaling messages using the first security key (IK1) encoded become. Mobile communication system for deployment from communications services over an IP-based service communication system (IMS) suitable for execution the method for establishing at least one protected data connection (SA1, SA2) when changing the access network (AN) according to one of the preceding Claims.