WO2008090184A2 - Configuration management for a subscriber station in a WiMAX network - Google Patents

Configuration management for a subscriber station in a WiMAX network

Info

Publication number
WO2008090184A2
Authority
WO
WIPO (PCT)
Prior art keywords
network
sender
settings
specific information
information
Application number
PCT/EP2008/050776
Other languages
English (en)
Other versions
WO2008090184A3 (fr)
Inventor
Ilkka Oksanen
Jukka Ala-Vannesluoma
Mikko Tasa
Jani HIRSIMÄKI
Tommi Rantanen
Original Assignee
Nokia Corporation

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/06 Authentication
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/35 Protecting application or service provisioning, e.g. securing SIM application provisioning
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/50 Service provisioning or reconfiguring

Definitions

  • the present invention relates to a method or procedure for the management of settings of a subscriber station in a WiMAX network.
  • the present invention is directed to a method or procedure usable for WiMAX MAC (Medium Access Control) layer settings management, for WiMAX settings provisioning in a non-agreement use case, and for WiMAX settings handling in roaming cases.
  • WiMAX MAC Medium Access Control
  • The WiMAX system lends itself as a lightweight Internet access technology. It is built on top of the IEEE 802.16 standard family MAC+PHY (Medium Access Control + Physical layer) standard (certified by WiMAX). The system standard (higher layers and network) is standardized and certified by the WiMAX Forum.
  • the WiMAX Forum is an industry-led, non-profit organization formed to develop technical specifications and promote and certify compatibility and interoperability of broadband wireless products using the IEEE 802.16 suite of standards and ETSI (European Telecommunications Standards Institute) / HiperMAN (High Performance Radio Metropolitan Area Network) wireless MAN specifications.
  • ETSI European Telecommunications Standards Institute
  • HiperMAN High Performance Radio Metropolitan Area Network
  • the NWG specifications support standalone WiMAX network deployments as well as interworking scenarios with incumbent networks such as 3GPP2 networks.
  • A WiMAX Forum release includes a certain specified set of features which are either mandatory or optional for both the SS and the network.
  • The Open Mobile Alliance is a standardization forum. Its aim is to facilitate global user adoption of mobile data services by specifying market-driven mobile service enablers that ensure service interoperability across devices, geographies, service providers, operators, and networks, while allowing businesses to compete through innovation and differentiation. For example, it has produced specifications for device management using SyncML (Synchronization Markup Language) (OMA DM (Device Management)), data synchronization using SyncML (OMA DS (Data Synchronization)), multimedia messages (MMS) and device rights management (DRM) features. It is planned to specify an XML (extended Markup Language) format for WiMAX specific settings.
  • SyncML Synchronization Markup Language
  • MMS multimedia messages
  • DRM device rights management
  • the system structure of a WiMAX network is such that one party, e.g. a subscriber station SS (it is to be noted that in the following, for simplicity, it is referred to as SS only, while the description and in particular the present invention relate to any kind of mobile or fixed user equipment or mobile station MS, such as a mobile phone, a fixed phone, a personal computer (PC), a laptop, a personal digital assistant (PDA) or the like), is connected via transceivers and interfaces, such as an air interface or the like, to an access network subsystem.
  • the access network subsystem controls the communication connection to and from the subscriber station and is connected via an interface to a corresponding network service provider.
  • the network service provider may be either the terminating point of the connection or may switch the data transmitted via the connection to another destination party, such as another communication equipment, a service provider
  • the network service provider may be connected to a plurality of access network subsystems.
  • A WiMAX-capable subscriber station needs provisioned settings to function in an optimal way.
  • These settings may include, but are not limited to: IEEE 802.16 MAC layer settings; IEEE 802.16 PHY layer settings; IP (Internet Protocol) connectivity settings; and non-WiMAX settings such as those of a WWW browser, an e-mail application, etc.
  • IP Internet Protocol
  • OTA (over-the-air) provisioning is not the only way to handle settings management. It is also possible that settings are configured through a UI (user interface) or transferred to the SS by using a SIM (Subscriber Identity Module) card. However, it is not a mandatory requirement in WiMAX to include SIM cards in all user terminals. Configuration over a local bearer is also possible (such as Bluetooth or IrDA (Infrared Data Association)), but this requires additional hardware and software at the SS side. Thus OTA provisioning is deemed to be the preferred method for WiMAX settings management in many cases.
  • SIM Subscriber Identity Module
  • OMA DM Open Mobile Alliance
  • OMA DM is an XML-based data transfer protocol which can be used to manage a diverse set of settings in mobile devices.
  • a device whose settings are being managed is called a client, and the entity that is responsible for maintaining one or more devices is called a server.
  • OMA DM works over HTTP (HyperText Transfer Protocol), which relies on TCP (Transport Control Protocol).
  • TCP Transmission Control Protocol
  • DHCP Dynamic Host Control Protocol
  • MIP Mobile IP
  • the home CSN and serving CSNs coordinate their policies. For example, if a serving CSN mandates user authentication but the home CSN does not, the SS may be provisioned with the right credentials to perform SS or user authentication with the serving CSN. This relies on the roaming agreements and appropriate provisioning schemes. However, no concrete mechanisms for performing this are presently known.
  • Settings (e.g. credentials) should be sent in a secure manner to the SS.
  • Service flows should not be terminated during handovers. There should not be any extra delays in handover. There should not be any breaks in real-time service flows.
  • the network entry to the target access point or target base station (BS) is performed, for example, in the following way:
  • the SS should perform authentication and registration to the target network.
  • methods and devices are provided for performing settings provisioning to a subscriber station from a network element in case the subscriber station does not have settings data or the settings data are to be updated.
  • an apparatus comprising a sender configured to send a specific information to a network for making a network entry in a provisioning mode, a receiver configured to receive settings information for obtaining a network access, a processor configured to execute an authentication procedure for obtaining network access.
  • a method comprising sending a specific information to a network for making a network entry in a provisioning mode, receiving settings information for obtaining a network access, executing an authentication procedure for obtaining network access.
  • the above defined apparatus and method may be associated with a subscriber station.
  • an apparatus comprising a receiver configured to receive a specific information from a sender for making a network entry in a provisioning mode, a forwarder configured to forward the specific information to a server, a receiver configured to receive settings information, a forwarder configured to forward the settings information to the sender for obtaining a network access.
  • a method comprising receiving a specific information from a sender for making a network entry in a provisioning mode, forwarding the specific information to a server, receiving settings information, forwarding the settings information to the sender for obtaining a network access.
  • the above defined apparatus and method may be associated with a network access provider apparatus, such as a base station, an access point and the like.
  • an apparatus comprising a receiver configured to receive a specific information from a sender for making a network entry in a provisioning mode, a processor configured to process the specific information, a provider configured to provide settings information for obtaining a network access.
  • a method comprising receiving a specific information from a sender for making a network entry in a provisioning mode, processing the specific information, providing settings information for obtaining a network access.
  • the above defined apparatus and method may be associated with a network service provider apparatus, such as a server and the like.
  • an apparatus comprising a receiver configured to receive messages tunneled or redirected from a sender having an initial network access, a transmitter configured to transmit information and queries to the sender, a processor configured to execute an authentication procedure for obtaining network access.
  • a method comprising receiving messages tunneled or redirected from a sender having an initial network access, transmitting information and queries to the sender, executing an authentication procedure for obtaining network access.
  • the above defined apparatus and method may be associated with a network service provider apparatus, such as a login web server or the like.
  • an apparatus comprising sending means for sending a specific information to a network for making a network entry in a provisioning mode, receiving means for receiving settings information for obtaining a network access, processing means for executing an authentication procedure for obtaining network access.
  • an apparatus comprising receiving means for receiving a specific information from a sender for making a network entry in a provisioning mode, forwarding means for forwarding the specific information to a server, receiving means for receiving settings information, forwarding means for forwarding the settings information to the sender for obtaining an initial network access and providing a secure transaction with the network.
  • an apparatus comprising receiving means for receiving a specific information from a sender for making a network entry in a provisioning mode, processing means for processing the specific information, providing means for providing settings information for obtaining an initial network access in order to provide a secure transaction with the network.
  • the above defined apparatus and method may comprise at least one of the following supplements:
  • - MAC messages may be received or transmitted when executing the authentication procedure for obtaining network access;
  • - the specific information may be transmitted to the network for making a network entry in a provisioning mode by taking into account whether or not a device certificate is present and whether or not a prearranged relationship with a network operator exists;
  • - as the specific information to the network for making a network entry in a provisioning mode, one of a decorated network access identifier or a special network access identifier providing temporary authentication may be transmitted, in order to indicate a lack of provisioned settings and/or that a normal authentication cannot be supported;
  • - a MAC address of the sender may be transmitted when a prearranged relationship with a network operator exists;
  • - a ranging request including a specific information element for indicating a request for network access in a provisioning mode may be transmitted;
  • - a registration code entered into the sender apparatus may be transmitted for getting network access, wherein the registration code may be provided during a purchasing phase of the apparatus;
  • - in connection with the specific information to the network for making a network entry in a provisioning mode, an information may be transmitted that a normal authentication cannot be supported;
  • - a device certificate may be transmitted to the network;
  • - messages may be transmitted to the network and tunneled or redirected to a server when executing the authentication procedure for obtaining network access, information and queries may be exchanged between the sender and the server, reply messages for queries from the server may be exchanged, and address information for fetching settings data from the network may be exchanged;
  • - settings data may be requested from the network by using a connection based on received information for an initial network entry;
  • - a device certificate may be preset during a production of the sender apparatus;
  • - an acknowledgement message may be transmitted to the network.
  • an apparatus comprising a receiver configured to receive a setup indicating message from a network, a transmitter configured to send a setup requesting message in response to the receipt of the setup indicating message for requesting settings data from the network, a receiver configured to receive a responding message comprising settings data from the network, and a processor configured to process the settings data received.
  • a method comprising receiving, in a subscriber station, a setup indicating message from a network, sending a setup requesting message in response to the receipt of the setup indicating message for requesting settings data from the network, receiving a responding message comprising settings data from the network, and processing the settings data received.
  • the above defined apparatus and method may comprise at least one of the following supplements:
  • - MAC messages may be transmitted and received when executing the setup procedure and transmission of settings data;
  • the above defined apparatus and method may be associated with a subscriber station.
  • an apparatus comprising a receiver configured to receive an instruction for sending a setup indicating message to a subscriber station, a generator configured to generate the setup indicating message, a forwarder configured to forward the setup indicating message to the subscriber station, a receiver configured to receive a requesting message for requesting settings data from the network, a transmitter configured to send a query to a network element for requesting user settings on the basis of the received requesting message, a receiver configured to receive a response to the query, and a transmitter configured to send a responding message to the subscriber station for answering the requesting message.
  • a method comprising receiving, in a network access provider, an instruction for sending a setup indicating message to a subscriber station, generating the setup indicating message, forwarding the setup indicating message to the subscriber station, receiving a requesting message for requesting settings data from the network, sending a query to a network element for requesting user settings on the basis of the received requesting message, receiving a response to the query, and creating and sending a responding message to the subscriber station for answering the requesting message.
  • the above defined apparatus and method may comprise at least one of the following supplements:
  • - MAC messages may be transmitted and received when executing the setup procedure and transmission of settings data
  • the above defined apparatus and method may be associated with a network access provider apparatus.
  • an apparatus comprising a requestor configured to request a handover from a current network to a target network, a checker configured to check whether settings present in the apparatus are suitable for the target network, a requestor configured to request settings data related to the target network, a receiver configured to receive a responding message comprising the requested settings data from the network before the handover is initiated, and a transmitter configured to send an indicating message to the network for indicating that the handover can be started.
  • a method comprising requesting, in a subscriber station, a handover from a current network to a target network, checking whether settings present in the subscriber station are suitable for the target network, requesting settings data related to the target network, receiving a responding message comprising the requested settings data from the network before the handover is initiated, sending an indicating message to the network for indicating that the handover can be started.
  • the above defined apparatus and method may comprise at least one of the following supplements:
  • - MAC messages may be transmitted and received by using an existing service flow with the current network, when executing the handover procedure;
  • the above defined apparatus and method may be associated with a subscriber station.
  • an apparatus comprising a receiver configured to receive a request for a handover of a subscriber station from a current network to a target network, a checker configured to check settings of the target network, a transmitter configured to send a responding message to the subscriber station comprising an information that authentication is required, a receiver configured to receive a request for settings data related to the target network, a sender configured to send a responding message comprising the requested settings data to the subscriber station before the handover is initiated, and a receiver configured to receive an indicating message which indicates that the handover can be started.
  • a method comprising receiving, in a network element, a request for a handover of a subscriber station from a current network to a target network, checking settings of the target network, sending a responding message to the subscriber station comprising an information that authentication is required, receiving a request for settings data related to the target network, sending a responding message comprising the requested settings data to the subscriber station before the handover is initiated, and receiving an indicating message which indicates that the handover can be started.
  • the above defined apparatus and method may comprise at least one of the following supplements:
  • - MAC messages may be transmitted and received by using an existing service flow with the current network, when executing the handover procedure;
  • the above defined apparatus and method may be associated with a network node.
  • Settings can be provisioned to a client, such as a subscriber station SS in a WiMAX network, with minimal user interaction. Furthermore, it is possible that settings can be provisioned to a SS lacking all settings without any prearranged relationship with a network provider, such as a network service provider (NSP).
  • NSP network service provider
  • Handovers can be accelerated and there are no delays or breaks in real-time service flows. Moreover, service flows are not terminated because authentication fails.
  • settings can be provisioned to the SS by using an existing service flow. This provides a secure way to forward settings to the SS.
  • Fig. 1 shows a signaling diagram illustrating a provision of settings data according to a first embodiment of the invention
  • Fig. 2 shows a signaling diagram illustrating a provision of settings data according to a second embodiment of the invention
  • Fig. 3 shows a signaling diagram illustrating a provision of settings data according to a third embodiment of the invention
  • Fig. 4 shows a signaling diagram illustrating a provision of settings data according to a fourth embodiment of the invention.
  • Fig. 5 shows a signaling diagram illustrating a provision of settings data according to a fifth embodiment of the invention.
  • In each of Figs. 1 to 5, a signaling diagram is shown comprising basic network elements such as a subscriber station SS, a Network Access Provider NAP providing base stations BS for access of a SS to the network, a Network Service Provider NSP providing services accessible for a SS, a H-AAA element (Home Authentication, Authorization and Accounting) for authentication, authorization and accounting of a subscriber, and the like.
  • the structure of the network represented by these network elements according to Figs. 1 to 5 represents only a simplified example of an architecture of a network environment in which the present invention is applicable.
  • network elements and their functions described herein may be implemented by software, e.g. by a computer program product for a computer, or by hardware.
  • Correspondingly, used devices such as a subscriber station, a base station, a server and the like comprise several means and components (not shown) which are required for control, processing and communication/signaling functionality.
  • Such means may comprise, for example, a processor unit for executing instructions and programs and for processing data, memory means for storing instructions, programs and data and for serving as a work area of the processor and the like (e.g. ROM, RAM, EEPROM, and the like), input means for inputting data and instructions by software (e.g.
  • user interface means for providing monitor and manipulation possibilities to a user (e.g. a screen, a keyboard and the like)
  • interface means for establishing links and/or connections under the control of the processor unit e.g. wired and wireless interface means, an antenna, etc.
  • new MAC layer messages are used for settings provisioning.
  • the new MAC layer messages allow transfer of settings data (for example OMA specified XML documents) from home CSN to the SS and vice versa.
  • Existing network entry procedures are also modified by the first embodiment so that initial network entry is possible with or without help of device certificates.
  • an end user has a prearranged relationship with the operator of a network, such as a WiMAX network, and user details with the SS ID (MAC address) of the SS are stored in the operator database.
  • initial provisioning where the SS shifts from an un-provisioned state (i.e. no provisioned settings are present in the SS) to a provisioned state (i.e. settings have been transferred to the SS) is to be effected.
  • In step S1, the user of the SS selects a NSP that he/she has made a contract with. Then, the SS tries to reach that NSP (step S2).
  • any available NAP within the range of the SS is contacted one by one in order to reach the selected NSP via one of these NAPs, or alternatively, further developed contact mechanisms are used.
  • the SS does authentication by sending a corresponding information, such as its device certificate.
  • Another piece of information sent in the contact message, such as the SS ID (MAC address) associated with the certificate, may work as the user credential.
  • the SS might use a well known decorated NAI (Network Access Identifier) to indicate that it is lacking provisioned settings if needed.
  • NAI Network Access Identifier
  • In step S3, after receiving the contacting message of the SS, the NSP, which is the NSP selected by the user in step S1, checks a database for an entry matching the information used by the SS for authentication and its certificate. When a matching entry exists, i.e. when a service agreement with a matching SS ID is found in the customer database, the NSP accepts the network entry. This is transmitted to the requesting SS in step S4 via the NAP connected to the SS. It is to be noted that the network does not provide IP connectivity at this stage.
  • settings data can be requested and transmitted.
  • the SS can query user settings. This is executed by using new message types of a MAC message group over the basic connection, such as SET-REQ for requesting settings data, SET-RSP for responding to the SET-REQ message, and SET-ACK for acknowledging the receipt of settings data, for example.
  • the SS sends the SET-REQ request message to the NAP (step S5).
  • the request message may include, for example, the SS manufacturer name and model or other settings request data as payload, which could be, for example, a SyncML DM message.
  • the base station BS of the NAP involved receives this message. Then, in step S6, the BS queries the current settings from an authentication network element, such as the H-AAA or the Device Management Server (DMS) of the SS, by using a suitable protocol, such as OMA DM over HTTP. As a further option, the BS can also just forward the MAC message payload to the H-AAA or the DMS by using the TCP/UDP protocol (Transmission Control Protocol/User Datagram Protocol).
  • the query message in step S6 may also comprise device information received from the SS as well as a MAC address of the SS.
  • In step S7, the H-AAA sends the settings data stored therein and selected for the requesting SS to the BS.
  • After receiving the settings data, which may be considered in this context as a single string of text, for example, the BS creates the SET-RSP message and copies the received string into it.
  • the SET-RSP message may further comprise a CRC (cyclic redundancy check) checksum field to prevent data corruption.
  • the SET-RSP message created by the BS is then sent to the SS (step S8).
  • the SS processes the settings data received in the SET-RSP message (step S9). It is to be noted that the SS may also send additional SET-REQ messages (not shown), which are processed in the same manner as that described in steps S5 to S9, if needed. After the SS has received the final SET-RSP message, the SS may send a SET-ACK message (step S10) to the network (NAP, NSP, for example) in order to confirm receipt of the (current) settings data from the network.
  • With the SET-ACK message received in step S10, the network is able to keep track of or to recognize which devices (i.e. SS) are successfully updated in the network. This can be stored, for example, in a corresponding database (step S11).
  • If the settings data queried from the network do not fit into one SET-RSP message due to their size or other reasons (transmission capacity limitation or the like), the settings data may be split into several SET-RSP messages subsequently sent to the SS.
  • the plural messages can be separated, for example, by using a transaction number and a bit indicating the last SET-RSP message.
  • the SS is able to make a full normal network entry with received settings (step S12) .
  • The SET-ACK message further makes it possible for the network to keep track of success or failure in a transaction.
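The SET-REQ / SET-RSP / SET-ACK exchange of steps S5 to S11, written out as an added Python model; it is not code from the patent or from Nokia. It assumes a CRC-32 checksum field on each SET-RSP, a transaction number plus a last-message bit for splitting large settings data over several SET-RSP messages, a constructed 64-byte fragment limit (so that the constructed sample settings document must be split), and folds the NAP base station and the H-AAA it queries into one object. A negative SET-ACK on a checksum failure or a missing fragment is a design choice of this example, chosen so that the network's success/failure tracking has something to record.

```python
"""Toy model of the SET-REQ / SET-RSP / SET-ACK settings transfer.

Assumed, not from the patent: field names, CRC-32 as the checksum,
the 64-byte fragment limit and the sample settings document.
"""
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_PAYLOAD = 64  # constructed fragment limit; forces the sample below to be split


@dataclass
class SetReq:
    ss_id: str          # SS ID (MAC address) of the requesting station
    device_info: str    # manufacturer name and model
    transaction: int    # transaction number chosen by the SS


@dataclass
class SetRsp:
    transaction: int
    seq: int            # position of this fragment within the transaction
    last: bool          # bit marking the last SET-RSP of the transaction
    payload: bytes
    crc: int            # CRC-32 over payload, to detect corruption


@dataclass
class SetAck:
    transaction: int
    success: bool


class Network:
    """NAP base station together with the H-AAA/DMS it queries (steps S6 to S8, S11)."""

    def __init__(self, aaa_settings: Dict[str, bytes]):
        self.aaa_settings = aaa_settings            # settings per SS ID held by the H-AAA
        self.updated_devices: Dict[str, bool] = {}  # which SS reported success (step S11)

    def handle_set_req(self, req: SetReq) -> List[SetRsp]:
        # Steps S6/S7: the BS fetches the settings string for this SS from the H-AAA.
        settings = self.aaa_settings.get(req.ss_id, b"")
        chunks = [settings[i:i + MAX_PAYLOAD]
                  for i in range(0, len(settings), MAX_PAYLOAD)] or [b""]
        # Step S8: copy each chunk into a SET-RSP, numbered, with the last one flagged.
        return [SetRsp(req.transaction, i, i == len(chunks) - 1, c, zlib.crc32(c))
                for i, c in enumerate(chunks)]

    def handle_set_ack(self, ss_id: str, ack: SetAck) -> None:
        # Step S11: remember whether this SS was successfully updated.
        self.updated_devices[ss_id] = ack.success


class SubscriberStation:
    def __init__(self, ss_id: str):
        self.ss_id = ss_id
        self.settings: Optional[bytes] = None
        self._pending: Dict[int, Dict[int, bytes]] = {}  # transaction -> seq -> payload

    def receive_set_rsp(self, msg: SetRsp) -> Optional[SetAck]:
        """Step S9: verify, buffer and reassemble; emit a SET-ACK after the last fragment."""
        if zlib.crc32(msg.payload) != msg.crc:
            # Corrupted fragment: drop the whole transaction and report failure.
            self._pending.pop(msg.transaction, None)
            return SetAck(msg.transaction, success=False)
        parts = self._pending.setdefault(msg.transaction, {})
        parts[msg.seq] = msg.payload
        if not msg.last:
            return None
        del self._pending[msg.transaction]
        if set(parts) != set(range(msg.seq + 1)):
            return SetAck(msg.transaction, success=False)  # a fragment never arrived
        self.settings = b"".join(parts[i] for i in range(msg.seq + 1))
        return SetAck(msg.transaction, success=True)


# Constructed sample settings document (121 bytes, so it needs two fragments).
SAMPLE_SETTINGS = (b"<?xml version='1.0'?><wimax><nsp id='myhomensp.example'/>"
                   b"<mac><max_retries>3</max_retries></mac><ip mode='dhcp'/></wimax>")


def run_exchange(corrupt_fragment: Optional[int] = None) -> dict:
    """Run steps S5 to S11 once; optionally flip a bit in one fragment on the air."""
    ss_id = "00:11:22:33:44:55"  # constructed MAC address
    net = Network({ss_id: SAMPLE_SETTINGS})
    ss = SubscriberStation(ss_id)
    rsps = net.handle_set_req(SetReq(ss_id, "ExampleCo Model-1", transaction=7))
    if corrupt_fragment is not None:
        bad = rsps[corrupt_fragment]
        bad.payload = bytes([bad.payload[0] ^ 0x01]) + bad.payload[1:]
    acks = [a for a in (ss.receive_set_rsp(m) for m in rsps) if a is not None]
    for ack in acks:
        net.handle_set_ack(ss_id, ack)
    return {"fragments": len(rsps), "acks": acks, "settings": ss.settings,
            "updated": net.updated_devices.get(ss_id)}


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(corrupt_fragment=0))
```

The corrupted run shows why the transaction number matters: once a fragment of transaction 7 fails its checksum, the SS discards everything buffered under that number, so a later last-fragment cannot be glued to stale data from the same transaction, and the network's database ends up recording the failure rather than a half-applied update.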
  • In Fig. 2, a second embodiment of the invention is shown. Similar to the first embodiment, in the second embodiment new MAC layer messages are used for settings provisioning.
  • the new MAC layer messages allow transfer of settings data (for example OMA specified XML documents) from the home CSN to the SS and vice versa.
  • Existing network entry procedures are also modified by the second embodiment so that initial network entry is possible with or without help of device certificates.
  • an end user has a prearranged relationship with the operator of a network, such as a WiMAX network, and user details with SS ID (MAC address) of the SS are stored to the operator database.
  • initial provisioning where the SS shifts from an un-provisioned state (i.e. no provisioned settings are present in the SS) to a provisioned state (i.e. settings have been transferred to the SS) is to be effected.
  • In step S21, the user of the SS has to manually select a NSP that he/she has made a contract with. Then, the SS tries to reach that NSP (step S22).
  • any available NAP within the range of the SS is contacted one by one in order to reach the selected NSP via one of these NAPs, or alternatively, further developed contact mechanisms are used.
  • the SS has to inform the network that it is unprovisioned and is not able to support normal authentication procedures.
  • When the selected NSP is contacted via a corresponding NAP, there are several options for the further processing in the NSP (step S23) and for the provision of network access by a corresponding message to the SS (step S24):
  • Ranging (representing the preferred alternative): the SS indicates in the ranging, by means of a RNG-REQ message (not shown in Fig. 2), for example, that it wishes to enter the network in provisioning mode by using a new TLV (Type Length Value).
  • A NSP ID is also included in the message in case it is known.
  • The RNG-REQ message may also include the MAC address of the SS, which is used as the user credential to identify the SS. It is to be noted that IP layer packets from the SS will be dropped, as this connection is only used for MAC layer provisioning data fetching.
  • Decorated NAI: the SS gives a well-known decorated NAI to request provisioning mode.
  • For example, OTAPROV!user@myhomensp.example may be used.
  • The network does not provide IP connectivity, but only a restricted connection to fetch provisioning settings.
  • Special NAI: the SS provides a special NAI to request the provisioning mode.
  • The end user is further provided, during the purchasing phase of the SS, with a random piece of information, such as a text string, called a registration code.
  • This string works as a password and is used in the user part of the NAI.
  • For example, FGHTvJccw3geg@myhomensp.example may be used here.
  • In this case, the MAC address of the SS is not used as a credential, and the end user must type the registration string into his/her device in a corresponding entering procedure (not shown in Fig. 2).
  • steps S25 to S32 follow which are equivalent to steps S5 to S12 of Fig. 1, so that a description thereof is omitted here for the sake of simplicity.
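The NSP-side check of step S3 in the first embodiment (service agreement lookup by SS ID, with an optional device certificate) and the three ways of requesting provisioning mode in step S23 of the second embodiment (ranging TLV, decorated NAI, special NAI carrying a registration code), as an added Python example that is not code from the patent or from Nokia. The message fields, the constructed customer database, the three access levels, and the use of `OTAPROV!` as the decoration prefix (taken from the page's example NAI) are assumptions; comparing the registration code with a constant-time comparison is a design choice of this example, not something the patent specifies. The example generalizes slightly beyond the text by handling all entry variants in one decision function.

```python
"""NSP-side decision on a network entry request (steps S3 and S23 of the patent).

Assumed, not from the patent: the message layout, the constructed customer
database, the access levels, and 'OTAPROV!' as the decoration prefix (taken
from the page's example NAI OTAPROV!user@myhomensp.example).
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set

PROVISIONING_DECORATION = "OTAPROV!"


class Access(Enum):
    REJECT = "reject"
    PROVISIONING_ONLY = "provisioning-only"  # MAC-layer settings fetch only; IP packets dropped
    FULL = "full"                            # normal network entry with provisioned settings


@dataclass
class EntryRequest:
    ss_id: str                                 # MAC address of the SS
    nai: Optional[str] = None                  # decorated or special NAI, if the SS sent one
    device_certificate: Optional[str] = None   # stand-in for a device certificate
    provisioning_tlv: bool = False             # RNG-REQ TLV asking for provisioning mode


@dataclass
class Customer:
    ss_id: Optional[str]               # SS ID on file; None when only a registration code exists
    registration_code: Optional[str]   # handed out at purchase; used as password in a special NAI
    provisioned: bool                  # whether settings have already been transferred


class Nsp:
    def __init__(self, realm: str, customers: Dict[str, Customer], trusted_certs: Set[str]):
        self.realm = realm
        self.customers = customers        # service agreement database, keyed by NAI user part
        self.trusted_certs = trusted_certs

    def _customer_for_ss(self, ss_id: str) -> Optional[Customer]:
        return next((c for c in self.customers.values() if c.ss_id == ss_id), None)

    def decide(self, req: EntryRequest) -> Access:
        # A presented device certificate must be one the operator trusts.
        if req.device_certificate is not None and req.device_certificate not in self.trusted_certs:
            return Access.REJECT
        customer = self._customer_for_ss(req.ss_id)
        # Ranging option: TLV in RNG-REQ, the MAC address is the credential (step S23).
        if req.provisioning_tlv:
            return Access.PROVISIONING_ONLY if customer is not None else Access.REJECT
        # No NAI: first-embodiment entry on SS ID / certificate (step S3).
        if req.nai is None:
            if customer is None:
                return Access.REJECT
            return Access.FULL if customer.provisioned else Access.PROVISIONING_ONLY
        user, _, realm = req.nai.rpartition("@")
        if realm.lower() != self.realm:
            return Access.REJECT              # not our subscriber; roaming is out of scope here
        # Decorated NAI: the well-known prefix signals a lack of provisioned settings.
        if user.startswith(PROVISIONING_DECORATION):
            known = self.customers.get(user[len(PROVISIONING_DECORATION):])
            if known is not None and known.ss_id == req.ss_id:
                return Access.PROVISIONING_ONLY
            return Access.REJECT
        # Special NAI: the user part is the registration code; the MAC address is not used.
        for c in self.customers.values():
            if c.registration_code is not None and hmac.compare_digest(c.registration_code, user):
                return Access.PROVISIONING_ONLY
        return Access.REJECT


def build_sample_nsp() -> Nsp:
    """Constructed operator database for myhomensp.example (not real subscribers)."""
    return Nsp(
        realm="myhomensp.example",
        customers={
            "user": Customer("00:11:22:33:44:55", None, provisioned=False),
            "alice": Customer("aa:bb:cc:dd:ee:ff", None, provisioned=True),
            "newbuyer": Customer(None, "FGHTvJccw3geg", provisioned=False),
        },
        trusted_certs={"cert-good"},
    )


if __name__ == "__main__":
    nsp = build_sample_nsp()
    print(nsp.decide(EntryRequest("00:11:22:33:44:55", nai="OTAPROV!user@myhomensp.example")))
    print(nsp.decide(EntryRequest("de:ad:be:ef:00:00", nai="FGHTvJccw3geg@myhomensp.example")))
```

Whatever the variant, the outcome for an unprovisioned station is the same restricted `PROVISIONING_ONLY` state the page describes: the SS can run the SET-REQ/SET-RSP exchange over the MAC layer, but gets no IP connectivity until it re-enters with the provisioned settings.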
  • In Fig. 3, a third embodiment of the invention is shown. Similar to the first embodiment, in the third embodiment new MAC layer messages are used for settings provisioning.
  • the new MAC layer messages allow transfer of settings data (for example OMA specified XML documents) from home CSN to the SS and vice versa.
  • an end user has a prearranged relationship with the operator of a network, such as a WiMAX network, and user details with SS ID (MAC address) of the SS are stored to the operator database.
  • the third embodiment relates to a case where a SS has already normally entered the network, such as a WiMAX network, and a subsequent settings update is to be performed.
  • in step S41 a corresponding network element, such as the authentication network element H-AAA, instructs (step S42) the corresponding BS of the NAP connected with the SS to send a corresponding message to the SS (step S43), for example a new SET-UPD-IND message indicating that a settings update is to be performed.
  • this SET-UPD-IND message may be part of a MAC message group as indicated above.
  • the indication message may be sent on a basic connection, like the MAC messages described in the first and second embodiments, but other connections are also possible, for example a primary management connection.
  • after receiving the SET-UPD-IND message, the SS preferably immediately sends a requesting message, such as a SET-REQ message (MAC message type), in step S44 to the network (the connected NAP, for example).
  • the NAP receiving the SET-REQ message from the SS queries in step S45 the user settings from a corresponding network element, such as the H-AAA or DMS. This network element sends a corresponding response to the query for user settings and transmits in step S46 the new settings to the NAP.
  • the NAP sends the received user settings (similar to steps S7 and S8 of the first embodiment) to the SS in a SET-RSP message created in the NAP (step S47).
  • the SS processes in step S48 the new settings received in the SET-RSP message and takes them into effect, for example. After the SS has received the last SET-RSP message (one or more messages may be sent, as described above), it sends a SET-ACK message (similar to step S10 of Fig. 1, for example) to the network for indicating that the settings are received correctly.
  • as an option, the SET-UPD-IND message in step S43 itself includes at least a part of the settings that have to be changed.
  • a further option is to mandate a network re-entry of the SS (not shown in Fig. 3).
  • the settings message from the network may also include specific information on how and when the new settings are taken into use.
  • a settings update procedure according to Fig. 3 is executed when the SS is in a normal state, i.e. not, for example, when emergency services are used, in order to avoid disturbances or interruptions.
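The SET-UPD-IND / SET-REQ / SET-RSP / SET-ACK exchange of Fig. 3, simulated end to end as an added example (not the patent's own code). It covers the options named above: settings carried in the indication itself, several SET-RSP messages with an acknowledgement only after the last one, deferral while the SS is in an emergency session, and a "take into use at re-entry" policy. The message layout, the chunking and the sample settings are assumptions; only the message names and step semantics come from the page.

```python
"""Settings-update exchange of the third embodiment (Fig. 3):
SET-UPD-IND -> SET-REQ -> one or more SET-RSP -> SET-ACK.
Added example, not the patent's own code. Message names and step semantics
are the page's; the Msg layout, the 'apply' field, the chunking and the
sample settings are constructed here."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Msg:
    kind: str                          # SET-UPD-IND, SET-REQ, SET-RSP or SET-ACK
    settings: Dict[str, str] = field(default_factory=dict)
    last: bool = True                  # SET-RSP only: final message of the batch?
    apply: str = "now"                 # constructed: "now" or "re-entry"


class Network:
    """NAP/BS together with the H-AAA/DMS behind it, collapsed into one object."""

    def __init__(self, user_settings: Dict[str, str], chunk: int = 2, apply: str = "now"):
        self.user_settings = user_settings   # what the H-AAA/DMS returns in S46
        self.chunk = chunk                   # settings carried per SET-RSP
        self.apply = apply                   # how/when the SS takes them into use
        self.acked = False

    def instruct_update(self, partial: Optional[Dict[str, str]] = None) -> Msg:
        # S41-S43: the H-AAA instructs the BS, which sends SET-UPD-IND to the SS;
        # optionally the indication already carries part of the changed settings.
        return Msg("SET-UPD-IND", settings=dict(partial or {}))

    def handle(self, msg: Msg) -> List[Msg]:
        if msg.kind == "SET-REQ":
            # S45/S46: query the user settings; S47: answer with SET-RSP message(s)
            items = list(self.user_settings.items())
            out = []
            for i in range(0, len(items), self.chunk):
                last = i + self.chunk >= len(items)
                out.append(Msg("SET-RSP", dict(items[i:i + self.chunk]), last, self.apply))
            return out
        if msg.kind == "SET-ACK":
            self.acked = True                # settings were received correctly
        return []


class SubscriberStation:
    def __init__(self):
        self.settings: Dict[str, str] = {}
        self.staged: Dict[str, str] = {}     # collected until the last SET-RSP
        self.awaiting_rsp = False            # accept SET-RSP only after our SET-REQ
        self.emergency = False               # updates run only in normal state
        self.reentry_required = False
        self.log: List[str] = []

    def receive(self, msg: Msg) -> Optional[Msg]:
        self.log.append(msg.kind)
        if msg.kind == "SET-UPD-IND":
            if self.emergency:
                return None                  # do not disturb an emergency session
            self.staged = dict(msg.settings)
            self.awaiting_rsp = True
            return Msg("SET-REQ")            # S44
        if msg.kind == "SET-RSP":
            if not self.awaiting_rsp:
                return None                  # unsolicited response: ignore it
            self.staged.update(msg.settings)
            if not msg.last:
                return None
            self.awaiting_rsp = False
            if msg.apply == "re-entry":
                self.reentry_required = True  # take into use at the mandated re-entry
            else:
                self.settings.update(self.staged)   # S48: take into effect now
                self.staged = {}
            return Msg("SET-ACK")
        return None

    def network_reentry(self) -> None:
        # The mandated re-entry (Fig. 3 option) is where staged settings take effect.
        self.settings.update(self.staged)
        self.staged = {}
        self.reentry_required = False


def run_update(ss: SubscriberStation, net: Network,
               partial: Optional[Dict[str, str]] = None) -> bool:
    """Drive one complete exchange; True when the network received the SET-ACK."""
    req = ss.receive(net.instruct_update(partial))
    if req is None:
        return False
    for rsp in net.handle(req):
        ack = ss.receive(rsp)
        if ack is not None:
            net.handle(ack)
    return net.acked
```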
  • A fourth embodiment of the invention is shown in Fig. 4.
  • a new anonymous network entry procedure is performed.
  • authentication is bypassed and restricted or limited IP connectivity is provided.
  • this IP connection can then be used to query billing information from the end user and after that to bootstrap an OMA SyncML DM connection to a DM server.
  • in step S51 the user of the SS has to manually select a NSP that he/she wants to use. Then, the SS tries to reach that NSP (step S52).
  • any available NAP within the range of the SS is contacted one by one in order to reach the selected NSP via one of these NAPs, or alternatively, further developed contact mechanisms are used.
  • the SS has to inform the network that it is unprovisioned and is not able to support normal authentication procedures.
  • once the selected NSP is contacted via a corresponding NAP, there are several options for the further processing in the NSP (step S53) and for the provision of network access by a corresponding message to the SS (step S54):
  • Ranging (representing the preferred alternative): the SS indicates in the ranging, by means of a RNG-REQ message (not shown in Fig. 2), for example, that it wishes to enter the network in provisioning mode by using a new TLV (Type Length Value).
  • a NSP ID is also included in the message in case it is known.
  • the network has to skip authorization and allow the SS to enter into the WiMAX network.
  • Authentication: the SS gives a well-known decorated NAI to request provisioning mode. For example, OTAPROV!user@myhomensp.example or OTAPROV!ms-id@myhomensp.example may be used.
  • in step S55, when the login web server receives the tunneled or redirected HTTP requests, this usually causes a front page of the login web server to be displayed to the end user on the SS right after he/she has started a web browser or the like, since the web browser tries to download a default home page at that stage.
  • the login web server can then transmit service agreement information and price list information or the like to the SS so as to display them to the end user if the network access is not free.
  • information from the login web server to the SS is transmitted in step S56 and displayed to the end user in step S57.
  • the user accepts the service agreement offered by the login web server, so that the SS sends a corresponding message in step S58.
  • the login web server can query further information necessary for the connection, such as billing details (e.g. credit card information), from the end user (step S59).
  • the query is answered by the SS in step S60 after the user has entered the corresponding information or permission or the like.
  • the login web server sends in step S61 a SyncML DM bootstrap file to the SS.
  • this file includes, most importantly, an IP address and a port of a DM server.
  • the SS then launches a SyncML DM client and provides the received file as input to it.
  • in step S64 the SyncML DM client contacts the DM server and fetches all settings data necessary for the connection to the network, which are provided by the DM server. Then, in step S64, a normal network entry is preferably executed after receipt of the settings data so that the normal operation mode of the SS can start.
  • settings can be provisioned to a client, such as a subscriber station SS in a WiMAX network, with minimal user interaction. Furthermore, it is possible that settings can be provisioned to a SS lacking all settings without any prearranged relationship with a network provider, such as a network service provider (NSP).
  • a fifth embodiment of the invention is shown in Fig. 5.
  • a handover for a SS is to be performed, and the settings of the target network to which the handover is intended to be made are provisioned to the SS by using existing service flows before the handover is made.
  • the elements shown in Fig. 5 represent merely a simplified structure of an environment where the fifth embodiment is implementable.
  • the network elements belonging to the NAP, NSP, CSN and the like are combined in the term "network" of Fig. 5. It is clear for a person skilled in the art in which way the respective elements which are combined in "network" in Fig. 5 are interrelated.
  • Fig. 5 shows a case where the SS initiates the handover (roaming).
  • the SS decides that a handover is to be performed, for example on the basis of service quality detection results or the like.
  • the SS sends a MOB_BSHO-REQ MAC message to the network, i.e. to the servicing BS with which the SS is currently connected, to initiate the handover procedure.
  • in step S73 the network performs a network-handled DP pre-registration.
  • in step S74 the network checks the policy of the target network from a corresponding AAA, for example it checks roaming agreements with NSPs and NAPs or the like.
  • the servicing BS informs the SS by a MOB_BSHO-RSP message, by means of a new TLV, that authentication to the new NSP is required.
  • the SS checks whether it has the needed settings for the target network. For example, the SS may check the NAP/NSP relationship from a SII-ADV message.
  • SII-ADV is a MAC message that comprises information on which NSPs can be connected to from the connected BS/NAP. The same information can be queried from the network using an SBC-REQ message, to which the network responds with an SBC-RSP message.
  • the SS may also ask the network to check whether there is a direct connection from the target BS to the home network.
  • new settings may be downloaded from the visited network using a suitable OTA method (for example OTA Provisioning, OTA DS 1.2, etc.) or another L2 or L3 solution for fetching the needed settings from the network (step S77), or a mechanism as described in connection with one of the preceding embodiments.
  • the SS or the BS can start a settings download to the SS.
  • the SS sends in step S78 an indication message, such as a MOB_HO-IND message, to the network for indicating that the handover and network re-entry process to the target BS can be started.
  • in step S79 network entry to the new network is executed by corresponding synchronization, ranging, re-authentication, registration etc. processing between the SS and the network. It is to be noted that the SS should use the new credential settings received in S77 to authenticate to the new network.
  • the servicing BS can also initiate a handover by sending a MOB_BSHO-REQ MAC message comprising the new TLV as described above.
  • the SS may send the MOB_HO-IND MAC message to the servicing BS to confirm the handover request.
  • when a handover is to be made, the mechanism to provide settings data of the target network allows handovers to be accelerated, and there are no delays or breaks in real-time service flows. Moreover, service flows are not terminated because authentication fails. In addition, settings can be provisioned to the SS by using an existing service flow. This provides a secure way to forward settings to the SS.
  • a subscriber station may for example be any device by means of which a user may access a communication network; this implies mobile as well as non-mobile devices and networks, independent of the technology platform on which they are based; as an example, it is noted that communication equipment operated according to principles standardized for WiMAX is particularly suitable for being used in connection with the present invention;
  • any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention;
  • devices or means can be implemented as individual devices or means, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved.
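The SS-side handover preparation of Fig. 5, as an added example (not the patent's own code): on a MOB_BSHO-RSP carrying the "authentication required" TLV, the SS consults its SII-ADV view of which NSPs the target NAP reaches, reuses settings it already holds when the target BS has a direct connection to the home NSP, otherwise fetches the visited network's settings (step S77) before sending MOB_HO-IND, and hands the chosen credentials to the S79 re-authentication. The data layouts, the `fetch_settings` callback standing in for the OTA/L2/L3 download, and the sample NAP/NSP values are assumptions.

```python
"""Handover preparation on the SS side (fifth embodiment, Fig. 5).
Added example, not the patent's own code. MOB_BSHO-RSP, SII-ADV, S77 and
MOB_HO-IND are the page's names; the data layouts, the fetch_settings
callback and the sample values are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

Settings = Dict[str, str]          # e.g. {"nai": "...", "cert_id": "..."}


@dataclass
class MobBshoRsp:
    target_nap: str
    auth_required: bool            # new TLV: authentication to a new NSP is required


@dataclass
class SubscriberStation:
    home_nsp: str
    settings: Dict[str, Settings]  # NSP id -> credentials/settings held by the SS
    sii_adv: Dict[str, Set[str]]   # NAP -> NSPs reachable through it (from SII-ADV)
    trace: List[str] = field(default_factory=list)

    def prepare_handover(self, rsp: MobBshoRsp,
                         fetch_settings: Callable[[str], Optional[Settings]]
                         ) -> Optional[Settings]:
        """Return the settings to authenticate with at S79 after MOB_HO-IND has
        been sent, or None if the handover is abandoned."""
        self.trace.append("MOB_BSHO-REQ")               # S72
        if not rsp.auth_required:
            # Same NSP as today: the current settings stay valid.
            self.trace.append("MOB_HO-IND")             # S78
            return self.settings[self.home_nsp]
        reachable = self.sii_adv.get(rsp.target_nap, set())   # S76 check
        if not reachable:
            self.trace.append("abort: target NAP reaches no known NSP")
            return None
        # Prefer the home NSP when the target BS has a direct connection to it,
        # otherwise a reachable NSP we already hold settings for, else any.
        if self.home_nsp in reachable:
            chosen = self.home_nsp
        else:
            known = sorted(n for n in reachable if n in self.settings)
            chosen = known[0] if known else sorted(reachable)[0]
        if chosen not in self.settings:
            # S77: download the target network's settings over the existing
            # service flow before the handover is made.
            fetched = fetch_settings(chosen)
            if fetched is None:
                self.trace.append(f"abort: no settings for {chosen}")
                return None
            self.settings[chosen] = fetched
            self.trace.append(f"S77 fetch {chosen}")
        self.trace.append("MOB_HO-IND")                 # S78
        return self.settings[chosen]                    # credentials for S79
```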
  • a subscriber station comprises a device for contacting a network for achieving an initial network access, wherein an authentication of the subscriber station is transmitted.
  • the subscriber station further comprises a device for receiving an initial network entry acceptance.
  • the subscriber station further comprises a device for sending a requesting message for requesting settings data from the network, and a device for receiving a responding message to the requesting message.
  • the subscriber station further comprises a device for sending an acknowledgement message to the network.
  • the requesting message, the responding message and the acknowledgement message may be MAC messages transmitted by using a basic connection.
  • a network access provider apparatus comprises a device for receiving a contacting message of a network by a subscriber station for achieving an initial network access and a device for forwarding the contacting message to a service provider.
  • the network access provider apparatus further comprises a device for receiving an initial network entry acceptance and for forwarding the initial network entry acceptance to the subscriber station.
  • the network access provider apparatus further comprises a device for receiving a requesting message for requesting settings data from the network, and a device for sending a query to a network element for requesting user settings on the basis of the received requesting message.
  • the network access provider apparatus further comprises a device for receiving a response to the query and a device for creating and sending a responding message to the subscriber station for answering the requesting message.
  • the network access provider apparatus further comprises a device for receiving an acknowledgement message from the subscriber station.
  • the requesting message, the responding message and the acknowledgement message may be MAC messages transmitted by using a basic connection.
  • a subscriber station comprises a device for contacting a network for achieving an initial network access, wherein information that normal authentication cannot be supported is transmitted.
  • the subscriber station further comprises a device for receiving an initial network entry acceptance.
  • the subscriber station further comprises a device for sending a requesting message for requesting settings data from the network, and a device for receiving a responding message to the requesting message.
  • the subscriber station further comprises a device for sending an acknowledgement message to the network.
  • the requesting message, the responding message and the acknowledgement message may be MAC messages transmitted by using a basic connection.
  • a network access provider apparatus comprises a device for receiving a contacting message of a network by a subscriber station for achieving an initial network access and a device for forwarding the contacting message to a service provider.
  • the network access provider apparatus further comprises a device for receiving an initial network entry acceptance and for forwarding the initial network entry acceptance to the subscriber station.
  • the network access provider apparatus further comprises a device for receiving a requesting message for requesting settings data from the network, and a device for sending a query to a network element for requesting user settings on the basis of the received requesting message.
  • the network access provider apparatus further comprises a device for receiving a response to the query and a device for creating and sending a responding message to the subscriber station for answering the requesting message.
  • the network access provider apparatus further comprises a device for receiving an acknowledgement message from the subscriber station.
  • the requesting message, the responding message and the acknowledgement message may be MAC messages transmitted by using a basic connection.
  • a subscriber station comprises a device for receiving a setup indicating message from a network.
  • the subscriber station further comprises a device for sending a setup requesting message in response to the receipt of the setup indicating message for requesting settings data from the network.
  • the subscriber station further comprises a device for receiving a responding message comprising settings data from the network, and a device for processing the settings data received.
  • the indicating message, the requesting message and the responding message may be MAC messages.
  • a network access provider apparatus comprises a device for receiving an instruction for sending a setup indicating message to a subscriber station.
  • the network access provider apparatus further comprises a device for generating the setup indicating message and a device for forwarding the setup indicating message to the subscriber station.
  • the network access provider apparatus further comprises a device for receiving a requesting message for requesting settings data from the network, and a device for sending a query to a network element for requesting user settings on the basis of the received requesting message.
  • the network access provider apparatus further comprises a device for receiving a response to the query and a device for creating and sending a responding message to the subscriber station for answering the requesting message.
  • the indicating message, the requesting message and the responding message may be MAC messages.
  • a subscriber station comprises a device for contacting a network for achieving an initial network access, wherein information that normal authentication cannot be supported is transmitted.
  • the subscriber station further comprises a device for receiving an initial network entry acceptance.
  • the subscriber station further comprises a device for tunneling or redirecting messages to a login server of the network and a device for receiving information and queries from the login server.
  • the subscriber station further comprises a device for sending an acceptance message to the login server.
  • the subscriber station further comprises a device for receiving address information from the login server and a data management client for fetching settings data from the network.
  • a login server network element comprises a device for receiving messages tunneled or redirected from a subscriber station and a device for transmitting information and queries to the subscriber station.
  • the login server network element further comprises a device for receiving an acceptance message from the subscriber station.
  • the login server network element further comprises a device for sending address information of another server network element to the subscriber station.
  • a subscriber station comprises a device for requesting a handover from a current network to a target network and a device for checking whether settings present in the subscriber station are suitable for the target network.
  • the subscriber station further comprises a device for requesting settings data related to the target network, and a device for receiving a responding message comprising the requested settings data from the network before the handover is initiated.
  • the subscriber station further comprises a device for sending an indicating message to the network for indicating that the handover can be started.
  • the requesting messages, the responding message and the indicating message may be MAC messages transmitted by using an existing service flow with the current network.
  • a network element comprises a device for receiving a request for a handover of a subscriber station from a current network to a target network and a device for checking settings of the target network. Furthermore, the network element comprises a device for sending a responding message to the subscriber station comprising information that authentication is required. The network element further comprises a device for receiving a request for settings data related to the target network, and a device for sending a responding message comprising the requested settings data to the subscriber station before the handover is initiated. Moreover, the network element comprises a device for receiving an indicating message which indicates that the handover can be started.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

According to the invention, in order to obtain access to a network, specific information, for example a determined network access identifier (NAI), is transmitted from a subscriber station to the network to indicate the wish to perform a network entry in provisioning mode. The configuration information for obtaining access to the network is transmitted to the subscriber station, and an authentication procedure for obtaining access to the network is executed.
PCT/EP2008/050776 2007-01-23 2008-01-23 Gestion de configuration pour une station d'abonné dans un réseau wimax WO2008090184A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US88182807P 2007-01-23 2007-01-23
US60/881,828 2007-01-23

Publications (2)

Publication Number Publication Date
WO2008090184A2 true WO2008090184A2 (fr) 2008-07-31
WO2008090184A3 WO2008090184A3 (fr) 2008-11-27

Family

ID=39133814

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2008/050776 WO2008090184A2 (fr) 2007-01-23 2008-01-23 Gestion de configuration pour une station d'abonné dans un réseau wimax

Country Status (1)

Country Link
WO (1) WO2008090184A2 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101867912A (zh) * 2010-06-07 2010-10-20 华为终端有限公司 一种接入网络的认证方法及终端
CN101925015A (zh) * 2009-06-17 2010-12-22 大唐移动通信设备有限公司 一种允许封闭用户组列表信息的同步更新方法和设备

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030051041A1 (en) * 2001-08-07 2003-03-13 Tatara Systems, Inc. Method and apparatus for integrating billing and authentication functions in local area and wide area wireless data networks
US20050147249A1 (en) * 2002-03-08 2005-07-07 Carl Gustavsson Security protection for data communication
US20050163078A1 (en) * 2004-01-22 2005-07-28 Toshiba America Research, Inc. Mobility architecture using pre-authentication, pre-configuration and/or virtual soft-handoff
US20060039564A1 (en) * 2000-11-17 2006-02-23 Bindu Rama Rao Security for device management and firmware updates in an operator network
US20060095954A1 (en) * 2004-11-02 2006-05-04 Research In Motion Limited Generic access network (GAN) controller selection in PLMN environment
US20060221901A1 (en) * 2005-04-01 2006-10-05 Toshiba America Research, Inc. Autonomous and heterogeneous network discovery and reuse
US20060242305A1 (en) * 2005-04-25 2006-10-26 Telefonaktiebolaget L M Ericsson (Publ) VPN Proxy Management Object

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ABOBA MICROSOFT M BEADLES SMARTPIPES J ARKKO ERICSSON P ERONEN NOKIA B: "The Network Access Identifier; draft-ietf-radext-rfc2486bis-00.txt;" IETF STANDARD-WORKING-DRAFT, INTERNET ENGINEERING TASK FORCE, IETF, CH, vol. radext, 30 September 2004 (2004-09-30), XP015026089 ISSN: 0000-0004 *

Also Published As

Publication number Publication date
WO2008090184A3 (fr) 2008-11-27

Similar Documents

Publication Publication Date Title
US9992671B2 (en) On-line signup server for provisioning of certificate credentials to wireless devices
CN102474839B (zh) 在无线网络环境中向外部网络注册的方法和装置
EP2039110B1 (fr) Procédé et système pour contrôler l'accès aux réseaux
KR101556046B1 (ko) 통신 핸드오프 시나리오를 위한 인증 및 보안 채널 설정
US8438616B2 (en) Method for terminal configuration and management and terminal device
US7299039B2 (en) Method and system for providing data service in interworking wireless public and private networks
US9686669B2 (en) Method of configuring a mobile node
US9113332B2 (en) Method and device for managing authentication of a user
CN102938890B (zh) 无线通信网络中的用户概况、策略、及pmip密钥分发
EP1552646B1 (fr) Procédé et appareil de réauthentification dans un système de communication cellulaire
US9787683B2 (en) Seamless wi-fi subscription remediation
EP2103078B1 (fr) Authentification bootstrapping dans des réseaux de communication
US8621572B2 (en) Method, apparatus and system for updating authentication, authorization and accounting session
CN102783218B (zh) 用于重定向数据业务的方法和装置
EP2415226A1 (fr) Mécanisme d'authentification et d'autorisation pour accès à un réseau et à un service
US20070192838A1 (en) Management of user data
US9288674B2 (en) Convenient WiFi network access using unique identifier value
US9137661B2 (en) Authentication method and apparatus for user equipment and LIPA network entities
WO2009087006A1 (fr) Mécanisme pour une authentification et une autorisation pour un accès à un réseau et à un service
WO2008090184A2 (fr) Gestion de configuration pour une station d'abonné dans un réseau wimax
JP6153622B2 (ja) インターネットプロトコルマルチメディアサブシステム端末のネットワークへのアクセス方法及び装置
EP1843541B1 (fr) Procédé de sécurisation des communications entre un réseau d'accès et un réseau central

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08701653

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08701653

Country of ref document: EP

Kind code of ref document: A2