JP2007129774A - Method for bearer permission and system in radio communication network - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To achieve a method and a system for bearer permission, which provide security protection with improved service access permission. <P>SOLUTION: The method and system include the steps of: generating permission coupling information (AUTN) in a control function (PCF) of an application layer of a radio communication network; allotting a control function identifier which represents a real address of the control function and incorporating the identifier into the permission coupling information; transmitting the permission coupling information thus generated to a terminal unit (UE) of the network; acquiring a real address of the control function in which the permission coupling information has been generated; and giving bearer permission from the terminal unit through a transport layer of the network. Thus, risk in security protection involved in transmission of the real control function address to the terminal unit can be eliminated and the magnitude of the permission coupling information can be reduced. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a method and system for providing improved security for bearer authorization in a wireless communication system such as a universal mobile communication system (UMTS) network.

  Pan-European Mobile Communication System (GSM) data services have entered a new era of mobile communications. Early analog cellular modems were slow and unreliable, making them unattractive for the market. Now the data market is moving forward (more bursty) and upward (further information), the standards association is working towards higher data rates, but more noteworthy is working towards packet data services It is being done. This ensures that the appeal is spread to the end user, since the data is sent more efficiently over the network, and therefore at a lower cost, and the access time is reduced.

  Since the general trend of data applications is to generate increasingly bursty data streams, this facilitates inefficient use of circuit switched connections. In addition, fixed networks are experiencing enormous increases in data traffic, not only because of increased demand for Internet access, but also because mobile networks are expected to become more prevalent as technology and customer expectations grow. Because current GSM switched networks are based on narrowband ISDN (Integrated Services Digital Network), the reason for rate limiting moves from the access network to the core network.

  The new General Packet Radio Service (GPRS) provides operators with the ability to charge per packet and supports high-speed network-wide data transfer with a radio interface capacity of up to eight times the slot. GPRS introduces two new nodes into the GSM network: a serving GPRS support node (SGSN) and a gateway GPRS support node (GGSN). The SGSN tracks the location of the mobile terminal within its service area, sends / receives packets to / from the mobile terminal and conveys it to the RNC (Radio Network Controller) or GGSN. The GGSN receives a packet from the external network and transmits it to the SGSN, or receives a packet from the SGSN and transmits it to the external network.

  UMTS (Universal Mobile Telecommunication System) delivers advanced information directly to people and provides people with access to new and innovative services. It provides personalized mobile communications to the mass market regardless of location, network or terminal used.

  As defined in the 3GPP specification TS 23 060, the general packet domain architecture and transmission mechanism according to the 3GPP (3rd Generation Partnership Project) '99 release version uses a mobile cellular network such as a public land mobile network (PLMN). The communication network providing the service has access points, reference points and interfaces used for mobile access and sending or receiving messages. Further, network interconnection is required whenever any other network, such as a network based on packet-switched PLMN and Internet Protocol (IP), is included in the execution of a service request.

  In the following, the term application layer refers to a single IP subsystem, such as an IP multimedia subsystem, where a P-CSCF (proxy call state control function) and multiple PCFs (policy control functions) are located. . A mobile network architecture based on IP includes an application layer and a transport layer. Transport layer protocols and structures are usually optimized for a particular access type, whereas the application layer is usually common, which is independent of the access type. When setting up a session at the application layer, the underlying transport layer must set up a transfer bearer in the transfer network via the radio interface.

  Network control functions and inter-network interconnection control functions required for such network architecture include service requester identification and authentication and services to ensure that the service requester is authorized and uses a specific network service. There is an authentication and authorization function that performs validation of the request format.

  A special request in this situation is a request for bearer permission, since the quality of service required for the application requires a special permission for the service better than “best effort”. IP multimedia is an example of such an application.

  In 3GPP, the associated policy controls will be defined for IP multimedia bearer authorization in such a way that a packet data protocol (PDP) context is granted for an ongoing multimedia session. On the other hand, the interface between GGSN and PCF is approved for that purpose.

It has been proposed to use an authorization token (AUTN) as binding information to map a PDP context to an IP multimedia session. At present, this AUTN is defined for the Session Initiation Protocol (SIP) parameters by the Internet Engineering Task Force (IETF) within the scope of extension of the authorization scheme to SIP.
3GPP Specification TS 23 060 3GPP UMTS published 5 specifications

  In 3GPP, as in the case of 3GPP UMTS public 5 specification, at present, it is considered that PCFs are co-located in the proxy call state control function (P-CSCF). However, if the PCF is implemented as a separate entity at the time of future publication of this specification, determining the correct PCF can be a problem if multiple PCFs exist on the external network.

  In order to cope with this problem, it has further been proposed to allocate the PCF as part of the AUTN sent to the user equipment (UE). However, sending the PCF address to the UE represents a security risk, especially if the SIP application is in a terminal equipment (TE) such as a laptop. UEs that are not particularly working properly block the PCF by repeatedly sending permission requests to it.

  Accordingly, it is an object of the present invention to provide a bearer authorization method and system that provides improved security of service access authorization.

  According to the invention, this object is achieved by a method according to claim 1 and a system according to claim 7.

  Preferred further developments of the invention are the subject of the dependent claims.

Therefore, the bearer permission of a wireless network with application layer and transport layer is
a) Provided in the application layer control function, for example, in one policy control function from among a plurality of policy control functions, or in one server / proxy in a plurality of servers / proxys, for example, in the wireless communication network Generating authorized binding information in the P-CSCF
b) assigning a control function identifier representing an actual address of the control function of the wireless communication network and incorporating the identifier into the authorization binding information;
c) transmitting the authorization binding information thus generated to a terminal device, for example a user device having access to the wireless communication network;
d) The transport layer of the wireless communication network by obtaining an actual address of the control function that is a generation source of the permitted connection information in the wireless communication network based on the control function identifier included in the permitted connection information Performing bearer authorization of the terminal device via
Is executed.

  Preferably, the identifier is configured to take an integer value selected from a predetermined range of values.

  The permitted connection information may be sent from the terminal device to the node in the transport layer. The node may be a serving GPRS support node, in which case authorization binding information is sent from the serving GPRS support node to the gateway GPRS support node at the transport layer. The node is configured to obtain an actual control function address in the wireless communication network from the control function identifier incorporated in the authorization binding information. Further, the node is configured to request permission (au_req) from the control function having the actual address obtained.

  More preferably, the authorization binding information is an authorization token, and its generation is to send the authorization information from an application server / proxy at the application layer of the wireless communication network to one of a plurality of policy control functions within the wireless communication network. Is started.

  In a preferred configuration, the generated authorization token is sent back to the application server / proxy, forwarded to the terminal device by the application server / proxy, and serving by the terminal device in the transport layer of the wireless communication network, eg, serving GPRS support within the transport layer Sent to the node (SGSN) and from the serving GPRS support node inside the transport layer to the gateway GPRS support node.

  Thereby, the transport layer of the wireless communication network, for example the gateway GPRS support node, also obtains the actual control function address in the wireless communication network from the control function identifier contained in the authorization token and has the obtained actual address It is configured to request permission from the control function.

  Particularly preferably, the address acquisition is performed by the gateway GPRS support node using an address corresponding to the access point designation table of the policy control function identifier.

  The bearer authorization system in a wireless communication network according to the present invention preferably includes the same components and thus provides the same advantages and benefits. Hereinafter, the present invention will be described in detail according to preferred embodiments of the present invention and the accompanying drawings.

  FIG. 1 schematically shows a partial block diagram of a public packet mobile domain (PLMN) general packet switched domain architecture, in which multiple individual broadband radio access networks are UMTS base cores of multiple radio technology user equipment (UE). For example, it includes a UMTS-based radio access system that is introduced as an alternative or additional radio access technology to provide access to the network.

  In the preferred embodiment, the transport layer consists of a GPRS system and the bearer for the IMS session is provided by a PDP (Packet Data Protocol) context. Therefore, the connection information (AUTN) combines the transport layer bearer and the IMS session.

  An inter-network connection is necessary whenever any other network, such as a packet switched domain PLMN and an Internet Protocol (IP) based network, is involved in performing a service request. Such an inter-network connection is established via a PLMN to the fixed network reference point Gi and a Gp interface that is an inter-PLMN interface that connects two separate PLMNs.

  Common packet switched domain core network provides packet switched service (PS), and the efficiency of non real time traffic such as intermittent and bursty data transfer or occasional transmission of large amount of data and real time traffic such as voice and video It is designed to support several quality of service levels to enable automatic transfer.

  The Serving GPRS Support Node (SGSN) basically forms a connection point of an individual mobile station (MS) consisting of a terminal equipment (TE) and a mobile terminal (MT), tracks its location and provides security functions. Perform access control. The SGSN is connected to the UMTS Terrestrial Radio Access Network (UTRAN) via the Iu interface and to the Gateway GPRS Support Node (GGSN) via the IP-based intra-PLMN backbone network (Gn interface). The SGSN establishes the PDP context to be used for routing purposes with the GGSN and the UTRAN, ie, the radio network controller (RNC) in the UTRAN, that the subscriber will be using when the PDP context is activated. The GGSN then provides an interconnection with the external packet switched network. A GGSN may be connected to multiple SGSNs within a PLMN or via an inter-PLMN backbone network.

  As mentioned above, in order to access the PS service, i.e. to send and receive PS data, the MS should have the appropriate PDP context to make the GGSN aware of the MS itself before the interconnection with the external data network is initiated. Start up. Applicable PDP context related operations are also defined in 3GPP specification TS 23 060. Throughout the interconnection, user data is transferred transparently between the MS and the external data network, ie GGSN or MS, with PS-specific protocol information in the data packets and by transferring the data packets by encapsulation and tunneling. Is done.

  Thus, an initial grant negotiation for preparing the interconnection is performed between the GGSN and the P-CSCF to it.

  A preferred embodiment of the present invention will now be described with reference to FIG.

  FIG. 2 schematically shows the configuration of the general packet switching domain architecture of FIG. 1 in which a policy control function (PCF) is added or co-located in the P-CSCF. The direction of the signaling flow is indicated by a corresponding arrow within the dashed line.

  According to FIG. 2, a plurality of PCFs are provided to at least one external network and configured to communicate with the P-CSCF and the GGSN in the packet switched core network. Further, signaling communication is established between P-CSCF and UE, between UE and SGSN, and between SGSN and GGSN.

  Working with multiple PCFs present in the external network, the P-CSCF sends authorization information (au-inf) to one of those PCFs. In response to this, an authorization token (AUTN) is generated at the application layer by the destination PCF to which the authorization request is sent based on the authorization information transferred by the P-CSCF, and then sent back to the P-CSCF for authorization. Information is sent to the UE.

  By the way, if the PCF address is assigned as part of the AUTN, and therefore included in the AUTN, as in the current configuration, sending the AUTN to the UE will send the PCF address to the UE, and the inherent security described above. This results in risk.

  According to a preferred embodiment, a PCF identifier is assigned to each PCF in the external network. The PCF identifier is an integer value such as 1, 2, 3. When the PCF generates the AUTN, the PCF assigns this PCF identifier as part of the AUTN instead of the PCF address and sends the AUTN to the P-CSCF, which now sends it to the UE.

  Preferably, using a PCF identifier instead of a full PCF address (or IP address) also reduces the token size, thus providing improved operational efficiency by reducing transmission load or the same size. Further information can be incorporated into the token.

  Since the information given to the UE only includes the value of the PCF identifier, the UE cannot determine the current PCF address from the received ATUN, thus eliminating the security risks inherent in sending the PCF address to the UE. To do.

  The correct address is reproduced as follows. After receiving the AUTN, the UE routes it to the SGSN via the transport layer transport channel used for data transfer when establishing the bearer or bearers for the IP multimedia session. The SGSN then forwards the AUTN to the GGSN communicating with the external network.

  According to the present invention, the GGSN has an access point designation table of PCF addresses corresponding to valid PCF identifiers. Upon receipt of the AUTN including the PCF identifier, the GGSN can obtain the correct PCF address from the PCF identifier, and thus send an authorization request (au-req) to the correct PCF, ie, the PCF that previously sent the ATUN.

  Of course, the present invention does not necessarily require the use of SIP, but an application used to set up an application session by an external (IP) network capable of transmitting the respective message content in signaling messages. Applicable to any signaling protocol in the layer.

  The present invention is not limited to the preferred embodiment described above, but implemented in any network that provides a mechanism for joining bearers to application sessions to set up connections for which call processing network components and authorization binding information are allowed. I will also mention what I can do.

FIG. 2 schematically illustrates a partial block diagram of a possible general packet switched domain architecture of the present invention. FIG. 3 is a simplified diagram illustrating the principle of IP multimedia bearer authorization using an authorization token according to a preferred embodiment of the present invention.

Explanation of symbols

AUTN permission binding information PCF control function P-CSCF proxy call state control function au-inf permission information au-req permission request

Claims (17)

A bearer authorization method in a wireless communication network having an application layer and a transport layer,
a) generating permission binding information with the control function of the application layer;
b) allocating a control function identifier representative of the actual address of the control function in a wireless communication network and incorporating the identifier in the authorization binding information;
c) transmitting the permitted binding information generated as described above to a terminal device having access to the wireless communication network;
d) obtaining an actual address of the control function that is a generation source of the permission combination information in the wireless communication network based on the control function identifier included in the permission combination information; Performing the bearer authorization of the terminal device via a port layer;
Having a method.   The method of claim 1, wherein the identifier is configured to take an integer value selected from a predetermined range of values.   The permission binding information includes a permission token, and generation thereof transmits permission information from a proxy call state control function (P-CSCF) in the wireless communication network to one of a plurality of policy control functions in the wireless communication network. 3. The method according to claim 1 or 2, wherein the method is initiated by:   The method according to claim 3, wherein the generated authorization token is sent to the proxy call state control function and then transferred to the terminal device by the proxy call state control function.   5. The method according to claim 1, wherein the permission combination information is sent from the terminal device to the transport layer node.   6. The method of claim 5, wherein the node is a serving GPRS support node and the grant binding information is further transmitted from the serving GPRS support node of the transport layer to a gateway GPRS support node.   The method according to claim 5, wherein the node obtains the actual control function address in the wireless communication network from the control function identifier incorporated in the permission combination information.   8. The method of claim 7, wherein the node is adapted to request permission from a control function having the actual address obtained.   The method according to claim 7, wherein the address acquisition is performed by the node using an access point specification table of an address corresponding to the control function identifier.   The gateway GPRS support node obtains the actual policy control function address in the wireless communication network from the policy control function identifier included in the authorization token, and grants permission from the policy control function having the actual address. The method of claim 6, wherein the method is adapted to require.   The method of claim 10, wherein the address acquisition is performed by the gateway GPRS support node using an access point specification table for an address corresponding to the policy control function identifier. A bearer permission system in a wireless communication network,
a) means for generating permission binding information with a control function (PCF) provided in an application layer of the wireless communication network;
b) means for allocating in the wireless communication network a control function identifier representative of the actual address of the control function; and means for incorporating the identifier into the permission binding information;
c) means for transmitting the permitted binding information generated as described above to a terminal device having access to the wireless communication network;
d) transporting the wireless communication network by obtaining an actual address of the control function that is a generation source of the permission combination information in the wireless communication network based on the control function identifier included in the permission combination information Means for performing the bearer authorization of the terminal device through a layer;
Having a system.   The system of claim 12, wherein the identifier is an integer value selected from a predetermined range of values.   The permission binding information includes a permission token, and generation thereof is started by a proxy call state control function (P-CSCF) in the core network by transmitting permission information to one of a plurality of policy control functions in the wireless communication network. 14. A system according to claim 12 or 13, wherein:   The policy control function is configured to send the generated authorization token back to the proxy call state control function, and the proxy call state control function is configured to transfer the token to the terminal device; Is configured to transmit the token to a serving GPRS support node in the core network, and the serving GPRS support node (SGSN) transmits the token to a gateway GPRS support node (GGSN) in the core network. 15. The system according to claim 14, wherein the system is configured as follows.   The gateway GPRS support node obtains the actual policy control function address in the wireless communication network from the policy control function identifier included in the authorization token, and the policy control function having the obtained actual address 16. The system of claim 15, configured to request permission from (au-req).   The system of claim 15, wherein the gateway GPRS support node is configured to perform the address acquisition using an access point specification table of addresses corresponding to the policy control function identifier.

Images