WO2009030282A1 - Method and apparatuses for allowing a nomadic terminal to access a home network on layer 2 level - Google Patents

Method and apparatuses for allowing a nomadic terminal to access a home network on layer 2 level Download PDF

Info

Publication number
WO2009030282A1
WO2009030282A1 PCT/EP2007/059430 EP2007059430W WO2009030282A1 WO 2009030282 A1 WO2009030282 A1 WO 2009030282A1 EP 2007059430 W EP2007059430 W EP 2007059430W WO 2009030282 A1 WO2009030282 A1 WO 2009030282A1
Authority
WO
WIPO (PCT)
Prior art keywords
network
layer
tunnel
home
remote access
Prior art date
Application number
PCT/EP2007/059430
Other languages
French (fr)
Inventor
Andras Csaszar
János HARMATOS
Attila MIHÁLY
Oktavian Papp
Lars Westberg
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget Lm Ericsson (Publ) filed Critical Telefonaktiebolaget Lm Ericsson (Publ)
Priority to PCT/EP2007/059430 priority Critical patent/WO2009030282A1/en
Priority to JP2010523283A priority patent/JP5281644B2/en
Priority to US12/676,663 priority patent/US9225548B2/en
Priority to EP07820081A priority patent/EP2198568A1/en
Publication of WO2009030282A1 publication Critical patent/WO2009030282A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4641Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4633Interconnection of networks using encapsulation techniques, e.g. tunneling

Definitions

  • the present invention relates to a method and apparatus for facilitating network interconnectivity.
  • the invention relates to the interconnection of LANs.
  • the inter-connection of private, e.g. house and office, networks across intervening broadband networks is possible using already standardised solutions (or solutions under standardisation).
  • IETF Internet Engineering Task Force
  • MPLS Multiprotocol Label Switching
  • Work carried out by the IEEE deals with LAN interconnection solutions, where the intermediate operator-provided network is also itself an Ethernet network.
  • Ethernet is an example of a Layer 2 (L2) networking protocol.
  • L2 tunnels and L2VPN solutions are required.
  • One such solution is that known as "EtherIP” [IETF RFC3378], which encapsulates Ethernet packet at a sending side LAN with an IP header, and sends the packets to an access router (AR) of the receiving side LAN which decapsulates the packets and bridges the Ethernet frame as if it was a L2 node (switch, bridge).
  • L2TPv3 RRC4719, "Transport of Ethernet Frames over Layer 2 Tunnelling Protocol Version 3 (L2TPv3)"] to transport Ethernet frames in an IP/UDP packet.
  • L2TP Layer 2 tunnelling protocol
  • VPLS Virtual Private LAN Service
  • IP/MPLS networks [IETF WG Layer 2 Virtual Private Networks (12vpn), http://ietf.org/html.charters/12vpn-charter.html].
  • VPLS is also referred to as Transparent LAN Service and Virtual Private Switched Network service. It incorporates MAC address learning, flooding, and forwarding functions in the context of pseudo-wires that connect individual LANs across a packet switched network. Implementations of VPLS in an IP/MPLS router often refer to the virtual bridge functionality as VSI (Virtual Switch Instance).
  • 802. lad One possible application of 802. lad is to use the S-VLAN tag for identification of a service. It is important to note that, in the case of 802. lad, the customer and provider network are not separate, so both networks appear as a large domain, causing for example an STP action in a customer network to impact on the provider network.
  • 802.1 ah MAC-in-MAC provides for the encapsulation of an entire Ethernet frame and a new MAC header is generated by the edge switch on the border of an 802.1 ah domain.
  • Ethernet frame is transmitted transparently, with all switching and forwarding decisions in the intermediate switches being based upon the destination MAC address and VLAN tag(s) in the outer MAC header.
  • the main benefit of 802.1 ah is its scalability to large Ethernet networks, and in addition the clear separation that it provides between the provider and customer Ethernet networks.
  • L2VPN solutions rely on static configuration and assume fixed locations for customer sites. Mobile users are therefore restricted to using only pre-configured customer sites.
  • L3 mobility solutions such as MobileIP (MIP) potentially offer unrestricted access, they do not offer L2 transparency. This means that if a terminal uses L2 specific protocols (e.g. protocols relying on broadcast L2 frames), the L3 solution will not work.
  • L3 mobility solutions do not allow overlapping addresses for mobile hosts. Although a terminal may reside in a remote subnet with its home IP address, this home IP address must be unique. Thus for example two mobile terminals cannot have the same home IP address in the same access network. Unfortunately, home users often use private address spaces which may very easily be overlapping.
  • L3 mobility solutions require the implementation of dedicated protocols in terminals, and which are often not available (e.g., MIP is not available in WindowsTM). L3 solutions are to some extent dependent on the version of IP. However, if mobility is transparent at layer 2, then the terminal may use either IPv4 or IPv6 in its home LAN.
  • a method of allowing a nomadic terminal to access a home network on the Layer 2 level comprising: connecting said terminal to a remote access network via an access point, the remote access network being connected to an operator's backbone network via a remote access router; exchanging signalling between the access point and an authentication server within the backbone network in order to authenticate the terminal to the authentication server; and following successful authentication, establishing a Layer 2 tunnel extending across the backbone network for the purpose of connecting said nomadic terminal to the home network.
  • the invention thus provides for triggering of the Layer 2 tunnel establishment upon successful authentication of the nomadic terminal to the backbone network.
  • the process of establishing the tunnel is transparent, and no modifications to the terminal are necessary.
  • a key aspect to the implementation of the invention is the introduction of functionality into the backbone network which detects authentication and triggers tunnel establishment by configuring access routers and/or access points as appropriate.
  • the invention is applicable in particular to networks which implement the Layer 2 using Ethernet, in which case said step of establishing an Ethernet Layer 2 tunnel may use one of: EtherIP, Ethernet over Point-to -Point Protocol (PPP), L2TPv3, and VPLS.
  • EtherIP Ethernet over Point-to -Point Protocol
  • PPP Point-to -Point Protocol
  • L2TPv3 L2TPv3
  • VPLS VPLS
  • the invention encompasses embodiments where the access router is an endpoint of the Layer 2 tunnel, as well as embodiments where the access point is the tunnel endpoint.
  • the key functionality of the invention may be implemented as a new node within the backbone network referred to here as a Mobility Manager function.
  • the method comprises informing the Mobility Manager function within the operator's backbone network of a successful authentication, the Mobility Manager function configuring one or both of said remote access router and said remote access point to establish said Layer 2 tunnel.
  • the Mobility Manager function may further configure said home access router to establish said Layer 2 tunnel.
  • the Mobility Manager function may cooperate with a peer Mobility Manager function associated with the home network in order to establish said Layer 2 tunnel. This arrangement allows nomadic terminals to access their home networks even when their network operator has an agreement with an own backbone network operator which is different from the backbone network to which the remote access network is attached, providing that an agreement exists between the two backbone network operators.
  • apparatus for providing mobility management within a communication system the apparatus being arranged in use to: receive authentication related signalling in respect of a nomadic terminal connected to an access point of a remote access network and as a result to establish a Layer 2 tunnel extending across a backbone network for the purpose of connecting said nomadic terminal to the home network.
  • this apparatus may be implemented as a Mobility Manager function.
  • the apparatus may be standalone, or may be collocated with an authentication server.
  • apparatus for providing an access point for a nomadic terminal to a remote access network, the apparatus having an interface for connection to a mobility manager within an operator's backbone network, the apparatus being configurable via said interface to establish a Layer 2 tunnel between itself and home network of the nomadic terminal.
  • apparatus for providing an access router to interconnect an access network to an operator's backbone network, the apparatus being configured to provide Layer 2 switching and having an interface towards a mobility manager within the operator's backbone network, the apparatus being further configurable via said interface to establish a Layer 2 tunnel towards a nomadic terminal or towards a home network of a nomadic terminal.
  • Figure 1 illustrates schematically two L2 access networks interconnected via a L3 operator network using a L2 tunnel extending from home access router to remote access point;
  • Figure 2 illustrates the creation of a virtual bridge within the access point of Figure 1;
  • Figure 3 illustrates the creation of a pseudo-wire within the access point of Figure 1;
  • Figure 4 illustrates schematically two L2 access networks interconnected via a L3 operator network using a L2 tunnel extending from home access router to remote access router;
  • Figure 5 illustrates the establishment of multiple bridged L2 tunnels extending from a remote access network to respective home networks
  • Figure 6 illustrates the mapping of VLAN tags to home networks used by a remote access network
  • Figure 7 illustrates the bridging of VLAN virtual interfaces with the corresponding L2 tunnels leading to the home networks associated with VLAN tags
  • FIG. 8 illustrates the connection of VLAN virtual interfaces with the corresponding
  • Figure 9 is a flow diagram illustrating a procedure for establishing a L2 tunnel between a remote access network and a home network
  • Figure 10 is a flow diagram illustrating a procedure for tearing down a L2 tunnel established between a remote access network and a home network;
  • Figure 11 illustrates a bridging and Mac-in-Mac tunnelling structure
  • Figure 12 illustrates schematically a system architecture which provides a pre- established L2 tunnel between Pols in respective operator networks
  • Figure 13 illustrates schematically a system architecture which provides for the establishment of a L2 tunnel between Pols in respective operator networks, following a negotiation between the provider networks;
  • Figure 14 illustrates a system architecture adapted to the case where a home LAN accesses the operator network through a wholesale service
  • Figure 15 illustrates a system architecture where a home LAN is behind an xDSL home router
  • Figure 16 illustrates schematically the configuring of an xDSL router as a home access router to directly tunnel Ethernet frames to a remote access router
  • Figure 17 illustrates schematically a system architecture in which a home DSL router has a statically configured L2 interface towards a BRAS
  • Figure 18 illustrates schematically the binding of Mac-in-Mac or Q-in-Q capable interfaces along with the VPLS pseudo-wires to VPLS Virtual Switch Instances
  • Figure 19 illustrates a hub and spoke layout in which Ethernet services are provided though a central node.
  • FIG 1 illustrates schematically an operator network 1 comprising a Layer 3 (L3) backbone, e.g. IP or MPLS.
  • a corporate LAN 2 the "home” LAN, is connected to the operator network via an Access Router (AR) 3.
  • the home LAN is assumed to be an Ethernet network.
  • Figure 1 illustrates further a remote access network 4, which is an Ethernet network connecting WLAN hotspots or public Ethernet "jacks". It is assumed here that the operator network and the remote access network are owned by the same operator, or at least have established a trust relationship.
  • a user connects to the remote access network 4 via an access point 5.
  • the remote access network is connected to the operator network via an AR 6.
  • a Layer 2 (L2) tunnel 7 is established between the home AR 3 and the remote access point AP 5 as described below.
  • L2 Layer 2
  • the access point 5 uses an authentication or AAA server 9 within the operator network 1 to authenticate the terminal 8, using for example the RADIUS or
  • AAA server is standard functionality, and the address of the AAA server 9 is preconfigured in the remote access point.
  • a new Mobility Manager is required.
  • MM 10 implements functions to use the AAA trigger for remote setup of connectivity to the home network.
  • the MM may reside in the same physical node as the AAA server or at any other location suitable for receiving authentication messages sent to the AAA server.
  • One possible implementation of the MM is as a proxy to the AAA server. In this case, AAA messages are forwarded from the access point 5 to the MM 10, which forwards them to the real AAA server 9.
  • the MM 10 determines that the terminal 8 is allowed to access the remote access network 4, it will determine the home network and the corresponding access router, for example by mapping a MAC address of the terminal or a username/password combination to a home network address. It must also identify the serving access point, for example by examining the source address of the authentication message (e.g. from the header's source field). The MM will then remotely configure the home network AR 3 and the remote access point 5 to establish a L2 tunnel between them. L2 tunnels may be built using, for example, EtherIP, Ethernet over Point-to-Point Protocol (PPP), L2TPv3 or any similar present or future protocol supporting L2 tunnelling.
  • PPP Point-to-Point Protocol
  • the remote AR 6 in this case functions in a standard manner, forwarding packets based upon L3, i.e. IP addresses. In this way, frames from the terminal are transported undisturbed to the home access router, which in turn will forward (bridge) the frame into the home network.
  • the next task is to configure the home AR 3 to bridge the interface leading to the home network with the newly established virtual interface, so that Ethernet frames are bridged between the two interfaces.
  • the MM 10 sets up the remote serving access point 5 to create a similar virtual bridge as illustrated in Figure 2.
  • it may directly bind the L2 tunnel as a pseudo-wire to the interface leading to the terminal as illustrated in Figure 3.
  • the remote access point is a wired Ethernet switch
  • the terminal's interface can be learnt from, for example, the CallingStationID in the AAA request.
  • the wireless interface of a WiFi access point is a medium shared among multiple terminals. Nonetheless, by applying 802.
  • the access point is capable of differentiating hosts (allow, not allow), and may even setup an encrypted connection to the host, so it would be relatively straightforward to achieve a logical interface for a specific terminal. Specifically, this could be implemented via firmware or a software update in the wireless access points.
  • the embodiment illustrated in Figure 1 assumes that the remote access point 5 contains the required L2 tunnelling functionality, e.g. EtherIP or a suitable alternative. If this is not the case, according to an alternative embodiment, the remote AR 6 may terminate the L2 tunnel. This is illustrated in Figure 4. In this case, the MM 10 must remotely configure the home and the remote ARs 3,6 to establish the L2 tunnel, and the MM will assign a specific VLAN tag to the terminal 8 in the access point 5. This way, frames from the terminal 8 are transported undisturbed to the remote network AR 6, which will in turn forward (bridge) the frames through the L2 tunnel.
  • L2 tunnelling functionality e.g. EtherIP or a suitable alternative.
  • the MM could configure the remote access network access router and the home access router to establish a L2 tunnel between each other, without tunnelling below the routers.
  • the L2 tunnel may again be built using EtherIP,
  • the next task would be to configure the access router to bridge the interface leading to the access network with the newly established virtual interface, so that Ethernet frames are bridged between the two interfaces. This is illustrated in Figure
  • an advantageous embodiment should map terminals in the remote network to home network VLAN tags as illustrated in Figure 6. This should be done in such a way that terminals from the same home network are mapped to the same VLAN tag to enable local communication and to decrease the number of required VLAN identifiers.
  • the MM should configure the access point of the terminal to assign the selected VLAN tag to every frame it receives from the terminal. If the access point is an Ethernet switch, this can be done on a per-interface basis as described in the proposed 802. lad standard - the so called Q-in-Q encapsulation method. Proper VLAN tagging in the access point requires the assignment of the appropriate VLAN tag to that port where the terminal is connected.
  • the port can be identified on the basis of the terminal MAC address, which can be obtained from the frame sent to the AAA server (e.g., CallingStationID in the AAA request).
  • the AAA server e.g., CallingStationID in the AAA request.
  • the MM should also configure VLAN encapsulation/decapsulation in the access router.
  • VLANs appear in the access router as virtual interfaces, which should be connected to the home access router's virtual bridge.
  • the VLAN virtual interfaces can be bridged with the corresponding L2 tunnels leading to the home network which the VLAN tag (or VLAN virtual interface) is assigned to. This is illustrated in Figure 7.
  • the virtual interface may be connected via a pseudo-wire directly with the home network's virtual bridge. This is illustrated in Figure 8.
  • FIG. 9 is a flow diagram illustrating the process carried out by the MM, i.e. on-the-fly connection of a nomadic or mobile terminal to its home network.
  • the reverse process of tearing down connectivity for superfluous remote networks i.e., remote accesses where there are no longer terminals belonging to a certain home network
  • Encapsulation can be used. Instead of configuring Q-in-Q encapsulation in the access node, the MM should configure Mac-in-Mac encapsulation from the access node up to the access router.
  • the bridging and Mac-in-Mac tunnelling structure is depicted in Figure 11.
  • This structure allows the encapsulated frames to be transported by Provider Backbone Bridges (PBBs) without their having to know the addresses of other access networks.
  • PBBs Provider Backbone Bridges
  • the access node (ANl or AN2 in Fig.l 1) has to encapsulate the L2 frame coming from a host within an external L2 MAC header.
  • This external header contains the access router's local MAC address as the destination.
  • the provider's Ethernet switches inside the access network need to know the Ethernet routes only for themselves, the access nodes and the access router, and they do not need to maintain forwarding information for each possible home network.
  • the virtual bridge in the access router bridges Before the virtual bridge in the access router bridges the received frames, it must strip the outer MAC header from the frame.
  • the Mac-in-Mac tunnels should be connected via a pseudo- wire to the home network. Note, however, that if there are multiple hosts in the remote access network at different access nodes, then each Mac-in-Mac tunnel will be connected to the home access router's bridge, leading to suboptimal network usage if the remote terminals communicate with each other.
  • the home network will be administered by an operator other than the operator of the remote access network (and the provider network).
  • the MM located within the provider network may not be able to reconfigure the access router of the home network, and in some cases it may not even be able to authenticate the newly appeared terminal.
  • any MM associated with the home network has no right to reconfigure the remote access router.
  • a fixed access operator may pre-establish L2 tunnels with partner operator networks (based on appropriate contracts) in order to provide a connectivity service even from these other operator access networks.
  • the two (home and serving) operators have pre-established points of interconnect (PoI) between which the L2 tunnels are established.
  • IPSec may be used for security reasons.
  • the task of the serving MM associated with the remote access network is to obtain the authentication messages from the terminal, to identify its home network, and to relay the authentication messages through the appropriate L2 tunnel to the home MM.
  • the "serving" MM is provided with a database that maps the authentication data to the PoI address and home MM address.
  • the MM in the home network reacts to receipt of a tunnelled authentication request by configuring the L2 tunnelling between the home AR and the PoI within the home operator network.
  • the authentication reply messages from the home MM are sent through (or caught by) the serving MM.
  • the serving MM infers from the authentication messages that authentication is successful, it configures the L2 tunnel between the PoI and the serving AR in its network or between the PoI and the serving access point.
  • the former configuration is illustrated in Figure 12, where the home MM is identified by reference numeral 11, the serving MM by reference numeral 12, the respecting Pols by 13 and 14, and the respecting ARs by 15 and 16.
  • the home network is indicated by reference numeral 17, the remote access network by 18, the remote access network access point by 19, and the nomadic terminal by 20.
  • the MM of the new network may communicate and authenticate the terminal with its home MM, and each MM can configure the access router (or access point) in its own administrative area. This is illustrated in Figure 13, where the tunnel is deployed between the access routers. [In an alternative approach, the tunnel is established between the home AR and the serving AP.] Such inter- working requires the use of a standardized and secure protocol between the two MMs.
  • the MM of the new network must provide the authentication data of the terminal and the new access router's IP address. If the home MM properly authenticates the terminal, it has to acknowledge authentication and must provide the IP address of the corresponding home access router.
  • the mechanisms described here are applicable to the case where the home LAN accesses the operator network through a wholesale service.
  • the home LAN connects to the service through an infrastructure provider.
  • the infrastructure provider sets up a L2 tunnel to the operator network. This is shown in Figure 14.
  • the AR sees a virtual interface connecting it to the home LAN.
  • the procedures performed in the MM are unchanged: it must setup a bridging between this (virtual) interface and the newly established L2 tunnel interface (also virtual) between the two ARs.
  • the home LAN is behind an xDSL home router, which has a single IP address from the operator but which provides internal addressing via DHCP, firewall and NAT to the internal LAN.
  • the xDSL router must be modified with the L2 tunnelling capabilities to support transparent access of the home LAN from remote locations. Enhanced xDSL routers may be provided for this purpose.
  • the xDSL router sends the "de-NATted" IP packets over PPP to the Broadband Remote Access Server (BRAS), which removes the PPP header and forwards the IP packet.
  • BRAS Broadband Remote Access Server
  • PPP itself may be transport over a combination of PPPoE or L2TP protocols.
  • LAC indicates a L2TP Access Concentrator.
  • one implementation involves configuring the xDSL router as a home AR to directly tunnel Ethernet frames to the remote location's access router.
  • Figure 16 (assuming implementation of xDSL as ADSL).
  • the xDSL home router must also implement the virtual bridge functions so that it is capable of bridging Ethernet frames into the L2 tunnel.
  • the MM in this case has to configure the home ADSL router (as a home access router) and the remote AR/ AP remotely.
  • An alternative implementation, illustrated in Figure 17, involves statically configuring the home xDSL router to provide a virtual L2 interface towards the BRAS, where it can tunnel L2 frames.
  • the MM At each mobility event or whenever a local device shows up at a remote access, the MM has to configure the BRAS, not the home xDSL router.
  • the BRAS takes the role of the AR having virtual bridges (or VSIs if it supports VPLS).
  • the home xDSL router may have direct Ethernet connectivity over PPP to the BRAS.
  • PPP Point-to -Point Protocol
  • BCP Bridging Control Protocol
  • the MM in this case has to remotely configure the BRAS (as a home access router) and the remote access router to dynamically establish a L2 tunnel using any L2 tunnelling technique that supports the binding of the virtual interface into virtual bridges.
  • This virtual bridge has to switch Ethernet frames decapsulated from the tunnel from the xDSL router (e.g. from the PPP session) and switch the frames to another L2 tunnel leading to the remote location.
  • Remotely configuring the above described mechanisms in the access routers and access points is possible by remotely accessing the command line interface via, for example, Telnet. Alternatively, for improved performance, a proprietary interface may be used.
  • the backbone provides Virtual Private LAN Service (VPLS) service
  • the MM has to configure VPLS pseudo-wires between the edge routers. Instead of binding to generic virtual bridges, the MM has to bind Mac-in-Mac or Q-in-Q capable interfaces along with the VPLS pseudo-wires to VPLS Virtual Switch Instances. This is illustrated in Figure 18.
  • VPLS Virtual Private LAN Service
  • the transparent Ethernet service may be provided through a central node working as the AR of multiple home networks, i.e. a hub and spoke layout.
  • This central node is denoted here as the Connectivity Services Node (CSN).
  • An intervening network may be present between the CSN and the home LAN, in which case it must be ensured that the CSN is connected via a L2 tunnel to the home network.
  • This tunnel can be setup on demand by the MM when a terminal appears at a remote location, or may be pre-conf ⁇ gured to speed up the process.
  • the CSN must implement a virtual bridge per home network.
  • the MM should configure this CSN and connect it via another L2 tunnel when a home terminal shows up at a remote location. If the CSN has no pre-conf ⁇ gured tunnel to the home network, the MM has to setup this tunnel.
  • a network operator to provide a value added connectivity service to its customers, i.e. a nomadic terminal can be transparently connected to its home LAN from any access (e.g. any hot spot) of a fixed network operator.
  • the connectivity service can be used even from these partners' access networks.
  • the internal IP addressing structure or the IP version used in the home network is not relevant: any combination will work.
  • the moving terminal in the visited network is connected transparently to the home network (here transparency means that the terminal does not recognize that it is not in the home network). This transparent layer 2 connection makes it possible to reach the home network without any dedicated client software in the terminal, as well as supporting those future applications which require Ethernet level connection.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A method of allowing a nomadic terminal to access a home network on the Layer 2 level. The method comprises connecting said terminal to a remote access network via an access point, the remote access network being connected to an operator's backbone network via a remote access router. Signalling is exchanged between the access point and an authentication server within the backbone network in order to authenticate the terminal to the authentication server and, following successful authentication, a Layer 2 tunnel extending across the backbone network is established for the purpose of connecting said nomadic terminal to the home network.

Description

METHOD AND APPARATUSES FOR ALLOWING A NOMADIC TERMINAL TO ACCESS A HOME NETWORK ON LAYER 2 LEVEL
Technical Field
The present invention relates to a method and apparatus for facilitating network interconnectivity. In particular, though not necessarily, the invention relates to the interconnection of LANs.
Background
It is desirable to allow users of a "home" LAN to access that LAN even when they are away from the home LAN environment. In many cases, this means allowing the user to connect to a LAN in his current location, e.g. a WLAN hotspot or a public Ethernet access, and through that connection to the home LAN.
The inter-connection of private, e.g. house and office, networks across intervening broadband networks is possible using already standardised solutions (or solutions under standardisation). For example, work carried out by the Internet Engineering Task Force (IETF) deals with providing so-called "pseudo wires" between access points to an IP or Multiprotocol Label Switching (MPLS) network and which emulate Ethernet services over the IP or MPLS network. Work carried out by the IEEE deals with LAN interconnection solutions, where the intermediate operator-provided network is also itself an Ethernet network.
Ethernet is an example of a Layer 2 (L2) networking protocol. In order to enable the inter-connection of different Ethernet networks, L2 tunnels and L2VPN solutions are required. One such solution is that known as "EtherIP" [IETF RFC3378], which encapsulates Ethernet packet at a sending side LAN with an IP header, and sends the packets to an access router (AR) of the receiving side LAN which decapsulates the packets and bridges the Ethernet frame as if it was a L2 node (switch, bridge). Another currently standardised solution is to use L2TPv3 [RFC4719, "Transport of Ethernet Frames over Layer 2 Tunnelling Protocol Version 3 (L2TPv3)"] to transport Ethernet frames in an IP/UDP packet. An extension of L2TP for L2VPN usage also exists and which enables L2 tunnels to be connected to virtual bridges, so that standard Ethernet MAC forwarding can be used along with MAC learning to forward the Ethernet frames received by the virtual switch [RFC4667, "Layer 2 virtual private network (L2VPN) extensions for layer 2 tunnelling protocol (L2TP)"].
Different solutions exist for LAN inter-connect over MPLS provider networks. One solution is a pseudo-wire over MPLS as described in RFC4448, "Encapsulation Methods for Transport of Ethernet over MPLS Networks". Also, The L2VPN working group of the IETF is standardising a Virtual Private LAN Service (VPLS) to transport L2 protocol data units over IP/MPLS networks [IETF WG Layer 2 Virtual Private Networks (12vpn), http://ietf.org/html.charters/12vpn-charter.html]. VPLS is also referred to as Transparent LAN Service and Virtual Private Switched Network service. It incorporates MAC address learning, flooding, and forwarding functions in the context of pseudo-wires that connect individual LANs across a packet switched network. Implementations of VPLS in an IP/MPLS router often refer to the virtual bridge functionality as VSI (Virtual Switch Instance).
There exist solutions to inter-connect two (or more) LANs using an intervening L2 operator (provider) networks. If the provider's network is Ethernet, then the 802. lad Q- in-Q method or the 802.1 ah Mac-in-Mac method could be used. In the case of 802. lad, the original 802. IQ header has been extended with an additional virtual LAN (VLAN) tag called "S-VLAN" (Service VLAN), which makes it possible to build up a virtual network structure. Whilst the original VLAN tag defined in the 802. IQ standard is transmitted transparently by 802. lad capable switches, a virtual topology can be defined between 802. lad capable switches by configuring VLANs appropriately on the switch interfaces, and switching and forwarding based on the S-VLAN tag. The switches on the border of an 802. lad and 802. IQ segment are responsible for generating and stripping the S-VLAN tag.
One possible application of 802. lad is to use the S-VLAN tag for identification of a service. It is important to note that, in the case of 802. lad, the customer and provider network are not separate, so both networks appear as a large domain, causing for example an STP action in a customer network to impact on the provider network.
802.1 ah MAC-in-MAC provides for the encapsulation of an entire Ethernet frame and a new MAC header is generated by the edge switch on the border of an 802.1 ah domain.
Within the domain the original Ethernet frame is transmitted transparently, with all switching and forwarding decisions in the intermediate switches being based upon the destination MAC address and VLAN tag(s) in the outer MAC header. The main benefit of 802.1 ah is its scalability to large Ethernet networks, and in addition the clear separation that it provides between the provider and customer Ethernet networks.
Existing L2VPN solutions rely on static configuration and assume fixed locations for customer sites. Mobile users are therefore restricted to using only pre-configured customer sites. On the other hand, while L3 mobility solutions such as MobileIP (MIP) potentially offer unrestricted access, they do not offer L2 transparency. This means that if a terminal uses L2 specific protocols (e.g. protocols relying on broadcast L2 frames), the L3 solution will not work. Moreover, L3 mobility solutions do not allow overlapping addresses for mobile hosts. Although a terminal may reside in a remote subnet with its home IP address, this home IP address must be unique. Thus for example two mobile terminals cannot have the same home IP address in the same access network. Unfortunately, home users often use private address spaces which may very easily be overlapping.
Some L3 mobility solutions require the implementation of dedicated protocols in terminals, and which are often not available (e.g., MIP is not available in Windows™). L3 solutions are to some extent dependent on the version of IP. However, if mobility is transparent at layer 2, then the terminal may use either IPv4 or IPv6 in its home LAN.
Summary
According to a first aspect of the present invention there is provided a method of allowing a nomadic terminal to access a home network on the Layer 2 level, the method comprising: connecting said terminal to a remote access network via an access point, the remote access network being connected to an operator's backbone network via a remote access router; exchanging signalling between the access point and an authentication server within the backbone network in order to authenticate the terminal to the authentication server; and following successful authentication, establishing a Layer 2 tunnel extending across the backbone network for the purpose of connecting said nomadic terminal to the home network.
The invention thus provides for triggering of the Layer 2 tunnel establishment upon successful authentication of the nomadic terminal to the backbone network. As far as the terminal is concerned, the process of establishing the tunnel is transparent, and no modifications to the terminal are necessary. A key aspect to the implementation of the invention is the introduction of functionality into the backbone network which detects authentication and triggers tunnel establishment by configuring access routers and/or access points as appropriate.
The invention is applicable in particular to networks which implement the Layer 2 using Ethernet, in which case said step of establishing an Ethernet Layer 2 tunnel may use one of: EtherIP, Ethernet over Point-to -Point Protocol (PPP), L2TPv3, and VPLS.
The invention encompasses embodiments where the access router is an endpoint of the Layer 2 tunnel, as well as embodiments where the access point is the tunnel endpoint.
The key functionality of the invention may be implemented as a new node within the backbone network referred to here as a Mobility Manager function. The method comprises informing the Mobility Manager function within the operator's backbone network of a successful authentication, the Mobility Manager function configuring one or both of said remote access router and said remote access point to establish said Layer 2 tunnel. The Mobility Manager function may further configure said home access router to establish said Layer 2 tunnel. In some cases, the Mobility Manager function may cooperate with a peer Mobility Manager function associated with the home network in order to establish said Layer 2 tunnel. This arrangement allows nomadic terminals to access their home networks even when their network operator has an agreement with an own backbone network operator which is different from the backbone network to which the remote access network is attached, providing that an agreement exists between the two backbone network operators.
According to a second aspect of the present invention there is provided apparatus for providing mobility management within a communication system, the apparatus being arranged in use to: receive authentication related signalling in respect of a nomadic terminal connected to an access point of a remote access network and as a result to establish a Layer 2 tunnel extending across a backbone network for the purpose of connecting said nomadic terminal to the home network.
In future networks this apparatus may be implemented as a Mobility Manager function. The apparatus may be standalone, or may be collocated with an authentication server.
According to a third aspect of the present invention there is provided apparatus for providing an access point for a nomadic terminal to a remote access network, the apparatus having an interface for connection to a mobility manager within an operator's backbone network, the apparatus being configurable via said interface to establish a Layer 2 tunnel between itself and home network of the nomadic terminal.
According to a fourth aspect of the present invention there is provided apparatus for providing an access router to interconnect an access network to an operator's backbone network, the apparatus being configured to provide Layer 2 switching and having an interface towards a mobility manager within the operator's backbone network, the apparatus being further configurable via said interface to establish a Layer 2 tunnel towards a nomadic terminal or towards a home network of a nomadic terminal. Brief Description of the Drawings
Figure 1 illustrates schematically two L2 access networks interconnected via a L3 operator network using a L2 tunnel extending from home access router to remote access point;
Figure 2 illustrates the creation of a virtual bridge within the access point of Figure 1;
Figure 3 illustrates the creation of a pseudo-wire within the access point of Figure 1;
Figure 4 illustrates schematically two L2 access networks interconnected via a L3 operator network using a L2 tunnel extending from home access router to remote access router;
Figure 5 illustrates the establishment of multiple bridged L2 tunnels extending from a remote access network to respective home networks;
Figure 6 illustrates the mapping of VLAN tags to home networks used by a remote access network; Figure 7 illustrates the bridging of VLAN virtual interfaces with the corresponding L2 tunnels leading to the home networks associated with VLAN tags;
Figure 8 illustrates the connection of VLAN virtual interfaces with the corresponding
L2 tunnels leading to the home networks associated with VLAN tags via pseudo-wires;
Figure 9 is a flow diagram illustrating a procedure for establishing a L2 tunnel between a remote access network and a home network;
Figure 10 is a flow diagram illustrating a procedure for tearing down a L2 tunnel established between a remote access network and a home network;
Figure 11 illustrates a bridging and Mac-in-Mac tunnelling structure;
Figure 12 illustrates schematically a system architecture which provides a pre- established L2 tunnel between Pols in respective operator networks;
Figure 13 illustrates schematically a system architecture which provides for the establishment of a L2 tunnel between Pols in respective operator networks, following a negotiation between the provider networks;
Figure 14 illustrates a system architecture adapted to the case where a home LAN accesses the operator network through a wholesale service;
Figure 15 illustrates a system architecture where a home LAN is behind an xDSL home router; Figure 16 illustrates schematically the configuring of an xDSL router as a home access router to directly tunnel Ethernet frames to a remote access router; Figure 17 illustrates schematically a system architecture in which a home DSL router has a statically configured L2 interface towards a BRAS; Figure 18 illustrates schematically the binding of Mac-in-Mac or Q-in-Q capable interfaces along with the VPLS pseudo-wires to VPLS Virtual Switch Instances; and Figure 19 illustrates a hub and spoke layout in which Ethernet services are provided though a central node.
Detailed Description
Figure 1 illustrates schematically an operator network 1 comprising a Layer 3 (L3) backbone, e.g. IP or MPLS. A corporate LAN 2, the "home" LAN, is connected to the operator network via an Access Router (AR) 3. The home LAN is assumed to be an Ethernet network. Figure 1 illustrates further a remote access network 4, which is an Ethernet network connecting WLAN hotspots or public Ethernet "jacks". It is assumed here that the operator network and the remote access network are owned by the same operator, or at least have established a trust relationship. A user connects to the remote access network 4 via an access point 5. The remote access network is connected to the operator network via an AR 6. In order to allow the user to seamlessly attach to the home LAN via the remote access network, a Layer 2 (L2) tunnel 7 is established between the home AR 3 and the remote access point AP 5 as described below.
When a mobile terminal or "host" 8 presents itself to the remote access point 5, it must authenticate itself to obtain L2 access. This is usually done via the IEEE 802. Ix procedure. The specific application of 802. Ix for WLANs is described in the 802. Ii standard. The access point 5 uses an authentication or AAA server 9 within the operator network 1 to authenticate the terminal 8, using for example the RADIUS or
DIAMETER protocol. The AAA server is standard functionality, and the address of the AAA server 9 is preconfigured in the remote access point. A new Mobility Manager
(MM) 10 implements functions to use the AAA trigger for remote setup of connectivity to the home network. The MM may reside in the same physical node as the AAA server or at any other location suitable for receiving authentication messages sent to the AAA server. One possible implementation of the MM is as a proxy to the AAA server. In this case, AAA messages are forwarded from the access point 5 to the MM 10, which forwards them to the real AAA server 9.
If the MM 10 determines that the terminal 8 is allowed to access the remote access network 4, it will determine the home network and the corresponding access router, for example by mapping a MAC address of the terminal or a username/password combination to a home network address. It must also identify the serving access point, for example by examining the source address of the authentication message (e.g. from the header's source field). The MM will then remotely configure the home network AR 3 and the remote access point 5 to establish a L2 tunnel between them. L2 tunnels may be built using, for example, EtherIP, Ethernet over Point-to-Point Protocol (PPP), L2TPv3 or any similar present or future protocol supporting L2 tunnelling. The remote AR 6 in this case functions in a standard manner, forwarding packets based upon L3, i.e. IP addresses. In this way, frames from the terminal are transported undisturbed to the home access router, which in turn will forward (bridge) the frame into the home network.
The next task is to configure the home AR 3 to bridge the interface leading to the home network with the newly established virtual interface, so that Ethernet frames are bridged between the two interfaces. This way, the home AR 3 is able to bridge between multiple remote hosts. The MM 10 then sets up the remote serving access point 5 to create a similar virtual bridge as illustrated in Figure 2. Alternatively, it may directly bind the L2 tunnel as a pseudo-wire to the interface leading to the terminal as illustrated in Figure 3. If the remote access point is a wired Ethernet switch, the terminal's interface can be learnt from, for example, the CallingStationID in the AAA request. On the other hand, the wireless interface of a WiFi access point is a medium shared among multiple terminals. Nonetheless, by applying 802. Ii, the access point is capable of differentiating hosts (allow, not allow), and may even setup an encrypted connection to the host, so it would be relatively straightforward to achieve a logical interface for a specific terminal. Specifically, this could be implemented via firmware or a software update in the wireless access points.
The embodiment illustrated in Figure 1 assumes that the remote access point 5 contains the required L2 tunnelling functionality, e.g. EtherIP or a suitable alternative. If this is not the case, according to an alternative embodiment, the remote AR 6 may terminate the L2 tunnel. This is illustrated in Figure 4. In this case, the MM 10 must remotely configure the home and the remote ARs 3,6 to establish the L2 tunnel, and the MM will assign a specific VLAN tag to the terminal 8 in the access point 5. This way, frames from the terminal 8 are transported undisturbed to the remote network AR 6, which will in turn forward (bridge) the frames through the L2 tunnel.
Regardless of whether the approach of Figure 1 or of Figure 4 is employed, it is the authentication procedure which is used to trigger the remote configuration which in turn establishes the transparent access to the home LAN. If this triggering and the remote configuration are reasonably fast, then session continuity can be provided when changing the access (e.g. during handovers).
Considering now an alternative lightweight but possibly less secure mechanism, after processing the authentication, the MM could configure the remote access network access router and the home access router to establish a L2 tunnel between each other, without tunnelling below the routers. The L2 tunnel may again be built using EtherIP,
L2TPv3, VPLS etc. The next task would be to configure the access router to bridge the interface leading to the access network with the newly established virtual interface, so that Ethernet frames are bridged between the two interfaces. This is illustrated in Figure
5.
This solution establishes connectivity to the home network, although it has an unfortunate side-effect. If the remote access network handles multiple terminals from multiple home networks (A and B), then these different home networks will be connected on L2 due to multiple bridged L2 tunnels, as shown in Figure 5. Therefore, broadcast messages will be received by different home networks raising scalability and privacy issues.
To ensure the separation of traffic belonging to different home networks, an advantageous embodiment should map terminals in the remote network to home network VLAN tags as illustrated in Figure 6. This should be done in such a way that terminals from the same home network are mapped to the same VLAN tag to enable local communication and to decrease the number of required VLAN identifiers. To do this, the MM should configure the access point of the terminal to assign the selected VLAN tag to every frame it receives from the terminal. If the access point is an Ethernet switch, this can be done on a per-interface basis as described in the proposed 802. lad standard - the so called Q-in-Q encapsulation method. Proper VLAN tagging in the access point requires the assignment of the appropriate VLAN tag to that port where the terminal is connected. The port can be identified on the basis of the terminal MAC address, which can be obtained from the frame sent to the AAA server (e.g., CallingStationID in the AAA request). In the case of a wireless interface however, application of 802. Ii allows the access point to differentiate hosts as already described.
The MM should also configure VLAN encapsulation/decapsulation in the access router. VLANs appear in the access router as virtual interfaces, which should be connected to the home access router's virtual bridge. Depending on the L2 tunnel type, it may be possible to implement this in two ways. Firstly, the VLAN virtual interfaces can be bridged with the corresponding L2 tunnels leading to the home network which the VLAN tag (or VLAN virtual interface) is assigned to. This is illustrated in Figure 7. Secondly, the virtual interface may be connected via a pseudo-wire directly with the home network's virtual bridge. This is illustrated in Figure 8.
The interior switches of the remote access network can be configured in such a way that they can transport the frames of different VLANs, so these interior switches need not be configured each time a new VLAN is assigned to a newly arriving terminal. Only the edges, i.e. the access nodes and the access router, need on-the-fly configuration to bind them to VLAN tags. Figure 9 is a flow diagram illustrating the process carried out by the MM, i.e. on-the-fly connection of a nomadic or mobile terminal to its home network. In order to reduce complexity and reduce scalability issues, the reverse process of tearing down connectivity for superfluous remote networks (i.e., remote accesses where there are no longer terminals belonging to a certain home network) is also required. This is illustrated in the flow diagram of Figure 10.
The solutions presented above may result in scalability issues, as broadcast frames, or frames for which the direction of the destination is not yet learnt via MAC learning, are broadcast in the remote L2 network. Although the edge access nodes will filter packets based on VLAN tags, the MAC forwarding tables of the interior switches may become overloaded. To address this issue, the currently standardized 802.1 ah Mac-in-Mac
Encapsulation can be used. Instead of configuring Q-in-Q encapsulation in the access node, the MM should configure Mac-in-Mac encapsulation from the access node up to the access router.
The bridging and Mac-in-Mac tunnelling structure is depicted in Figure 11. This structure allows the encapsulated frames to be transported by Provider Backbone Bridges (PBBs) without their having to know the addresses of other access networks. The access node (ANl or AN2 in Fig.l 1) has to encapsulate the L2 frame coming from a host within an external L2 MAC header. This external header contains the access router's local MAC address as the destination. As a result, the provider's Ethernet switches inside the access network need to know the Ethernet routes only for themselves, the access nodes and the access router, and they do not need to maintain forwarding information for each possible home network. Before the virtual bridge in the access router bridges the received frames, it must strip the outer MAC header from the frame.
According to this structure, it is also possible to avoid virtual bridging in the remote access router. In this case, the Mac-in-Mac tunnels should be connected via a pseudo- wire to the home network. Note, however, that if there are multiple hosts in the remote access network at different access nodes, then each Mac-in-Mac tunnel will be connected to the home access router's bridge, leading to suboptimal network usage if the remote terminals communicate with each other.
It is possible or even likely that the home network will be administered by an operator other than the operator of the remote access network (and the provider network). In this case, the MM located within the provider network may not be able to reconfigure the access router of the home network, and in some cases it may not even be able to authenticate the newly appeared terminal. Of course, any MM associated with the home network has no right to reconfigure the remote access router.
To address this issue, a fixed access operator may pre-establish L2 tunnels with partner operator networks (based on appropriate contracts) in order to provide a connectivity service even from these other operator access networks. In this case, the two (home and serving) operators have pre-established points of interconnect (PoI) between which the L2 tunnels are established. IPSec may be used for security reasons.
The task of the serving MM associated with the remote access network is to obtain the authentication messages from the terminal, to identify its home network, and to relay the authentication messages through the appropriate L2 tunnel to the home MM. To this end, the "serving" MM is provided with a database that maps the authentication data to the PoI address and home MM address. The MM in the home network reacts to receipt of a tunnelled authentication request by configuring the L2 tunnelling between the home AR and the PoI within the home operator network. The authentication reply messages from the home MM are sent through (or caught by) the serving MM. When the serving MM infers from the authentication messages that authentication is successful, it configures the L2 tunnel between the PoI and the serving AR in its network or between the PoI and the serving access point. The former configuration is illustrated in Figure 12, where the home MM is identified by reference numeral 11, the serving MM by reference numeral 12, the respecting Pols by 13 and 14, and the respecting ARs by 15 and 16. The home network is indicated by reference numeral 17, the remote access network by 18, the remote access network access point by 19, and the nomadic terminal by 20.
If there is no pre-established tunnel between operators, the two MMs must inter-work. The MM of the new network may communicate and authenticate the terminal with its home MM, and each MM can configure the access router (or access point) in its own administrative area. This is illustrated in Figure 13, where the tunnel is deployed between the access routers. [In an alternative approach, the tunnel is established between the home AR and the serving AP.] Such inter- working requires the use of a standardized and secure protocol between the two MMs. The MM of the new network must provide the authentication data of the terminal and the new access router's IP address. If the home MM properly authenticates the terminal, it has to acknowledge authentication and must provide the IP address of the corresponding home access router.
The mechanisms described here are applicable to the case where the home LAN accesses the operator network through a wholesale service. The home LAN connects to the service through an infrastructure provider. The infrastructure provider sets up a L2 tunnel to the operator network. This is shown in Figure 14. In this case, the AR sees a virtual interface connecting it to the home LAN. However, the procedures performed in the MM are unchanged: it must setup a bridging between this (virtual) interface and the newly established L2 tunnel interface (also virtual) between the two ARs.
In the traditional xDSL service, the home LAN is behind an xDSL home router, which has a single IP address from the operator but which provides internal addressing via DHCP, firewall and NAT to the internal LAN. In this case, being the first IP hop, the xDSL router must be modified with the L2 tunnelling capabilities to support transparent access of the home LAN from remote locations. Enhanced xDSL routers may be provided for this purpose. In the case of traditional xDSL with PPP, the xDSL router sends the "de-NATted" IP packets over PPP to the Broadband Remote Access Server (BRAS), which removes the PPP header and forwards the IP packet. [PPP itself may be transport over a combination of PPPoE or L2TP protocols.] This is illustrated in Figure 15, where LAC indicates a L2TP Access Concentrator. Considering further xDSL with PPP, one implementation involves configuring the xDSL router as a home AR to directly tunnel Ethernet frames to the remote location's access router. This is illustrated in Figure 16 (assuming implementation of xDSL as ADSL). In this case, the xDSL home router must also implement the virtual bridge functions so that it is capable of bridging Ethernet frames into the L2 tunnel. The MM in this case has to configure the home ADSL router (as a home access router) and the remote AR/ AP remotely.
An alternative implementation, illustrated in Figure 17, involves statically configuring the home xDSL router to provide a virtual L2 interface towards the BRAS, where it can tunnel L2 frames. At each mobility event or whenever a local device shows up at a remote access, the MM has to configure the BRAS, not the home xDSL router. As such, the BRAS takes the role of the AR having virtual bridges (or VSIs if it supports VPLS).
The home xDSL router may have direct Ethernet connectivity over PPP to the BRAS. In contrast to traditional DSL solutions (where the PPP session from the customer equipment to the BRAS delivers IP packets), the PPP would have to transmit Ethernet frames. This makes use of the teachings in RFC3518, "Point-to -Point Protocol (PPP) Bridging Control Protocol (BCP)".
The MM in this case has to remotely configure the BRAS (as a home access router) and the remote access router to dynamically establish a L2 tunnel using any L2 tunnelling technique that supports the binding of the virtual interface into virtual bridges. This virtual bridge has to switch Ethernet frames decapsulated from the tunnel from the xDSL router (e.g. from the PPP session) and switch the frames to another L2 tunnel leading to the remote location.
Remotely configuring the above described mechanisms in the access routers and access points is possible by remotely accessing the command line interface via, for example, Telnet. Alternatively, for improved performance, a proprietary interface may be used. If the backbone provides Virtual Private LAN Service (VPLS) service, the MM has to configure VPLS pseudo-wires between the edge routers. Instead of binding to generic virtual bridges, the MM has to bind Mac-in-Mac or Q-in-Q capable interfaces along with the VPLS pseudo-wires to VPLS Virtual Switch Instances. This is illustrated in Figure 18.
In some cases, the transparent Ethernet service may be provided through a central node working as the AR of multiple home networks, i.e. a hub and spoke layout. This central node is denoted here as the Connectivity Services Node (CSN). An intervening network may be present between the CSN and the home LAN, in which case it must be ensured that the CSN is connected via a L2 tunnel to the home network. This tunnel can be setup on demand by the MM when a terminal appears at a remote location, or may be pre-confϊgured to speed up the process. Furthermore, the CSN must implement a virtual bridge per home network.
The MM should configure this CSN and connect it via another L2 tunnel when a home terminal shows up at a remote location. If the CSN has no pre-confϊgured tunnel to the home network, the MM has to setup this tunnel.
The hub and spoke layout is illustrated in Figure 19. Note that logically this scenario is not different from the previously described context if we substitute the home AR with the CSN.
The embodiments presented above allow a network operator to provide a value added connectivity service to its customers, i.e. a nomadic terminal can be transparently connected to its home LAN from any access (e.g. any hot spot) of a fixed network operator. Moreover, if proper contracts are established with partner networks, the connectivity service can be used even from these partners' access networks.
As connectivity to the home network is established on layer 2, the internal IP addressing structure or the IP version used in the home network is not relevant: any combination will work. Furthermore, the moving terminal in the visited network is connected transparently to the home network (here transparency means that the terminal does not recognize that it is not in the home network). This transparent layer 2 connection makes it possible to reach the home network without any dedicated client software in the terminal, as well as supporting those future applications which require Ethernet level connection.
It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the present invention.

Claims

Claims
1. A method of allowing a nomadic terminal to access a home network on the Layer 2 level, the method comprising: connecting said terminal to a remote access network via an access point, the remote access network being connected to an operator's backbone network via a remote access router; exchanging signalling between the access point and an authentication server within the backbone network in order to authenticate the terminal to the authentication server; and following successful authentication, establishing a Layer 2 tunnel extending across the backbone network for the purpose of connecting said nomadic terminal to the home network.
2. A method according to claim 1, wherein said Layer 2 is implemented as Ethernet.
3. A method according to claim 2, wherein said step of establishing an Ethernet Layer 2 tunnel uses one of: EtherIP, Ethernet over Point-to -Point Protocol (PPP), L2TPv3, and VPLS.
4. A method according to any one of the preceding claims, wherein said step of establishing a Layer 2 tunnel comprises establishing a Layer 2 tunnel extending from said access point, through said remote access router, towards said home network.
5. A method according to any one of claims 1 to 3, wherein said step of establishing a Layer 2 tunnel comprises establishing a Layer 2 tunnel having an endpoint at said remote access router and extending towards said home network.
6. A method according to claim 5 and comprising maintaining within said backbone network a mapping table between home networks and VLAN tags applicable in said remote access network, the method further configuring a virtual bridge in said remote access router to send Layer 2 Ethernet frames decapsulated from said Layer 2 tunnel to the home network mapped to the configured VLAN, and configuring said access point to forward and receive Layer 2 frames to and from the configured VLAN.
7. A method according to claim 5 and comprising using a VLAN tag to switch packets at said remote access router between said Layer 2 tunnel and the identified virtual LAN.
8. A method according to any one of the preceding claims, wherein said home network is connected to an operator's backbone network via a home access router, and said step of establishing a Layer 2 tunnel comprises extending the tunnel to said home access router.
9. A method according to claim 8, wherein the operator's backbone network to which the home network is connected is also the network to which the remote access network is connected.
10. A method according to any one of claims 1 to 8, wherein the operator's backbone network to which the home network is different from the network to which the remote access network is connected.
11. A method according to claim 10, wherein said step of establishing a Layer 2 tunnel comprises incorporating into the tunnel a pre-established Layer 2 tunnel.
12. A method according to claim 11, wherein said pre-established tunnel extends between said two operator backbone networks.
13. A method according to any one of the preceding claims and comprising informing a Mobility Manager function within the operator's backbone network of a successful authentication, the Mobility Manager function configuring one or both of said remote access router and said remote access point to establish said Layer 2 tunnel.
14. A method according to claim 13 when appended to claim 8, the Mobility Manager function further configuring said home access router to establish said Layer 2 tunnel.
15. A method according to claim 13 when appended to claim 10, the Mobility Manager function cooperating with a peer Mobility Manager function associated with the home network in order to establish said Layer 2 tunnel.
16. A method according to any one of claims 13 to 15, said first mentioned Mobility Manager function being co- located with said authentication server.
17. A method according to any one of claims 13 to 16, said first mentioned Mobility Manager function being a proxy authentication server receiving authentication signalling from said terminal.
18. A method according to claim 8, said step of establishing a Layer 2 tunnel comprising establishing a first Layer 2 tunnel between said remote access router and a Connectivity Services Node, and a second Layer 2 tunnel between said home access router and said Connectivity Services Node, said tunnels being bridged within the Connectivity Services Node.
19. Apparatus for providing mobility management within a communication system, the apparatus being arranged in use to: receive authentication related signalling in respect of a nomadic terminal connected to an access point of a remote access network and as a result to establish a Layer 2 tunnel extending across a backbone network for the purpose of connecting said nomadic terminal to the home network.
20. Apparatus according to claim 19 and being arranged to configure one or both of said remote access router and said remote access point to establish said Layer 2 tunnel.
21. Apparatus according to claim 19 and being arranged to configure a home access router coupling said home network to a backbone network to establish said Layer 2 tunnel.
22. Apparatus according to claim 19 and being arranged to configure a Broadband Remote Access Server, an L2TP Network Server, or a Connectivity Services Node to establish said Layer 2 tunnel.
23. Apparatus according to claim 19 and being arranged to negotiate with a peer apparatus located within a different backbone network to establish said Layer 2 tunnel.
24. Apparatus according to claim 19 and being arranged to configure virtual bridges in a remote access point per home network.
25. Apparatus for providing an access point for a nomadic terminal to a remote access network, the apparatus having an interface for connection to a mobility manager within an operator's backbone network, the apparatus being configurable via said interface to establish a Layer 2 tunnel between itself and home network of the nomadic terminal.
26. Apparatus according to claim 25, the apparatus providing a wireless access point to terminals including said nomadic terminal, the apparatus being configurable to create a virtual bridge bound to said Layer 2 tunnel and to an encrypted logical channel on a per terminal basis.
27. Apparatus for providing an access router to interconnect an access network to an operator's backbone network, the apparatus being configured to provide Layer 2 switching and having an interface towards a mobility manager within the operator's backbone network, the apparatus being further configurable via said interface to establish a Layer 2 tunnel towards a nomadic terminal or towards a home network of a nomadic terminal.
28. Apparatus according to claim 27 and being configured to provide Layer 2 switching based upon VLAN tags or MAC-in-MAC.
PCT/EP2007/059430 2007-09-07 2007-09-07 Method and apparatuses for allowing a nomadic terminal to access a home network on layer 2 level WO2009030282A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
PCT/EP2007/059430 WO2009030282A1 (en) 2007-09-07 2007-09-07 Method and apparatuses for allowing a nomadic terminal to access a home network on layer 2 level
JP2010523283A JP5281644B2 (en) 2007-09-07 2007-09-07 Method and apparatus for enabling a nomadic terminal to access a home network on a layer 2 level
US12/676,663 US9225548B2 (en) 2007-09-07 2007-09-07 Method and apparatuses for allowing a nomadic terminal to access a home network on layer 2 level
EP07820081A EP2198568A1 (en) 2007-09-07 2007-09-07 Method and apparatuses for allowing a nomadic terminal to access a home network on layer 2 level

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2007/059430 WO2009030282A1 (en) 2007-09-07 2007-09-07 Method and apparatuses for allowing a nomadic terminal to access a home network on layer 2 level

Publications (1)

Publication Number Publication Date
WO2009030282A1 true WO2009030282A1 (en) 2009-03-12

Family

ID=39521475

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2007/059430 WO2009030282A1 (en) 2007-09-07 2007-09-07 Method and apparatuses for allowing a nomadic terminal to access a home network on layer 2 level

Country Status (4)

Country Link
US (1) US9225548B2 (en)
EP (1) EP2198568A1 (en)
JP (1) JP5281644B2 (en)
WO (1) WO2009030282A1 (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013507044A (en) * 2009-09-30 2013-02-28 アルカテル−ルーセント Scalable architecture for enterprise expansion in cloud topologies
JP2013507045A (en) * 2009-09-30 2013-02-28 アルカテル−ルーセント Enterprise layer 2 seamless site expansion in cloud computing
JP2013509117A (en) * 2010-01-13 2013-03-07 ▲ホア▼▲ウェイ▼技術有限公司 Method, apparatus, and network system for tunnel establishment
WO2013054260A1 (en) * 2011-10-11 2013-04-18 Telefonaktiebolaget L M Ericsson (Publ) Architecture for virtualized home ip service delivery
EP2720410A1 (en) * 2012-10-09 2014-04-16 Thomson Licensing System comprising a first and a second residential gateway interconnected via a broadband connection, and respective residential gateway
US8751614B2 (en) 2011-10-11 2014-06-10 Telefonaktiebolaget L M Ericsson (Publ) Providing virtualized visibility through routers
EP2747350A1 (en) * 2012-12-21 2014-06-25 Telefónica, S.A. Method and system for access to cloud network services
US9025439B2 (en) 2012-06-26 2015-05-05 Telefonaktiebolaget L M Ericsson (Publ) Method and system to enable re-routing for home networks upon connectivity failure
US9203694B2 (en) 2013-03-15 2015-12-01 Telefonaktiebolaget L M Ericsson (Publ) Network assisted UPnP remote access
WO2019067802A1 (en) 2017-09-27 2019-04-04 Ubiquiti Networks, Inc. Systems for automatic secured remote access to a local network

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2688252A1 (en) * 2008-02-27 2014-01-22 Telefonaktiebolaget L M Ericsson (Publ) Backbone edge bridge and method of operating a backbone edge bridge
US8045570B2 (en) * 2008-09-30 2011-10-25 Nortel Networks Limited Extended private LAN
DE102010007670A1 (en) * 2010-02-10 2011-08-11 Phoenix Contact GmbH & Co. KG, 32825 Method and control of a network system, network system and computer program
CN102111311A (en) * 2011-03-18 2011-06-29 杭州华三通信技术有限公司 Method for accessing and monitoring private network through layer 2 tunnel protocol and server
US8611358B2 (en) * 2011-04-06 2013-12-17 Hewlett-Packard Development Company, L.P. Mobile network traffic management
US20130086218A1 (en) * 2011-09-30 2013-04-04 Corey F. Adams Proxy Server For Home Network Access
KR101953790B1 (en) * 2012-02-27 2019-03-05 한국전자통신연구원 Apparatus and method for cloud networking
DE102012005166B4 (en) * 2012-03-16 2024-02-01 Deutsche Telekom Ag Method for transmitting data between, on the one hand, a device having an Internet protocol interface and, on the other hand, an integrated additional device, integrated access device, computer program and computer program product
WO2014003787A1 (en) * 2012-06-29 2014-01-03 Hewlett-Packard Development Company, L.P. Routing packet from edge device to home network or from home network to remote access network
CN103999538B (en) * 2012-12-14 2017-12-22 华为技术有限公司 WLAN access method, equipment and system
US10020961B2 (en) * 2013-12-27 2018-07-10 Electronics And Telecommunications Research Institute Method and apparatus for network virtualization
US10098164B2 (en) * 2014-07-17 2018-10-09 Benu Networks, Inc. System and methods for providing virtualized cloud peering emulation services
CN105703981B (en) * 2014-11-28 2019-01-01 上海诺基亚贝尔股份有限公司 The method of nomadic service is provided by virtual home gateway
US9973350B2 (en) * 2015-05-28 2018-05-15 Industrial Technology Research Institute Method for network sharing of multiple network operators and network sharing management proxy device using the same
CN106487513B (en) * 2015-09-01 2019-08-13 微软技术许可有限责任公司 Remote router request relaying
WO2017157909A1 (en) * 2016-03-14 2017-09-21 Robert Bosch Gmbh Distributed wireless intercom audio routing over ethernet with synchornization and roaming
CN108259633B (en) 2017-05-31 2020-05-12 新华三技术有限公司 Method, system and device for realizing management message three-layer communication
CN108259453B (en) * 2017-05-31 2020-03-06 新华三技术有限公司 Message forwarding method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0917318A2 (en) * 1997-10-14 1999-05-19 Lucent Technologies Inc. Point-to-point protocol encapsulation in ethernet frame
EP0986222A2 (en) * 1998-09-09 2000-03-15 Lucent Technologies Inc. A mobile point-to-point protocol
WO2003005648A2 (en) * 2001-07-06 2003-01-16 Nortel Networks Limited Metropolitan access via tunnel transports
US20040165600A1 (en) * 2003-02-21 2004-08-26 Alcatel Customer site bridged emulated LAN services via provider provisioned connections

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6151628A (en) * 1997-07-03 2000-11-21 3Com Corporation Network access methods, including direct wireless to internet access
US20050152305A1 (en) * 2002-11-25 2005-07-14 Fujitsu Limited Apparatus, method, and medium for self-organizing multi-hop wireless access networks
CN1813454B (en) * 2003-04-28 2012-09-05 钱特利网络公司 System and method for mobile unit session management across a wireless communication network
US7849217B2 (en) * 2003-04-30 2010-12-07 Cisco Technology, Inc. Mobile ethernet
JP4578917B2 (en) 2003-10-03 2010-11-10 富士通株式会社 Apparatus, method and medium for self-organizing multi-hop radio access network
JP4703238B2 (en) * 2004-12-15 2011-06-15 パナソニック株式会社 Wireless network control device, wireless LAN relay device, wireless communication system, and communication method of wireless communication system
US20070153799A1 (en) * 2006-01-03 2007-07-05 Alcatel Providing services over hybrid networks

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0917318A2 (en) * 1997-10-14 1999-05-19 Lucent Technologies Inc. Point-to-point protocol encapsulation in ethernet frame
EP0986222A2 (en) * 1998-09-09 2000-03-15 Lucent Technologies Inc. A mobile point-to-point protocol
WO2003005648A2 (en) * 2001-07-06 2003-01-16 Nortel Networks Limited Metropolitan access via tunnel transports
US20040165600A1 (en) * 2003-02-21 2004-08-26 Alcatel Customer site bridged emulated LAN services via provider provisioned connections

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHUAH M C ET AL: "MOBILE VIRTUAL PRIVATE DIAL-UP SERVICES", BELL LABS TECHNICAL JOURNAL, WILEY, CA, US, vol. 4, no. 3, 1 July 1999 (1999-07-01), pages 51 - 72, XP000878197, ISSN: 1089-7089 *

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2013507044A (en) * 2009-09-30 2013-02-28 アルカテル−ルーセント Scalable architecture for enterprise expansion in cloud topologies
JP2013507045A (en) * 2009-09-30 2013-02-28 アルカテル−ルーセント Enterprise layer 2 seamless site expansion in cloud computing
US9277575B2 (en) 2010-01-13 2016-03-01 Huawei Technologies Co., Ltd. Method, device and network system of establishing a tunnel
US9468030B2 (en) 2010-01-13 2016-10-11 Huawei Technologies Co., Ltd. Method, device, and network system of establishing a tunnel
US8929214B2 (en) 2010-01-13 2015-01-06 Huawei Technologies Co., Ltd. Method, device, and network system of establishing a tunnel
JP2013509117A (en) * 2010-01-13 2013-03-07 ▲ホア▼▲ウェイ▼技術有限公司 Method, apparatus, and network system for tunnel establishment
US8751614B2 (en) 2011-10-11 2014-06-10 Telefonaktiebolaget L M Ericsson (Publ) Providing virtualized visibility through routers
US8812670B2 (en) 2011-10-11 2014-08-19 Telefonaktiebolaget L M Ericsson (Publ) Architecture for virtualized home IP service delivery
US9154378B2 (en) 2011-10-11 2015-10-06 Telefonaktiebolaget L M Ericsson (Publ) Architecture for virtualized home IP service delivery
WO2013054260A1 (en) * 2011-10-11 2013-04-18 Telefonaktiebolaget L M Ericsson (Publ) Architecture for virtualized home ip service delivery
US9025439B2 (en) 2012-06-26 2015-05-05 Telefonaktiebolaget L M Ericsson (Publ) Method and system to enable re-routing for home networks upon connectivity failure
EP2720410A1 (en) * 2012-10-09 2014-04-16 Thomson Licensing System comprising a first and a second residential gateway interconnected via a broadband connection, and respective residential gateway
EP2747350A1 (en) * 2012-12-21 2014-06-25 Telefónica, S.A. Method and system for access to cloud network services
US9203694B2 (en) 2013-03-15 2015-12-01 Telefonaktiebolaget L M Ericsson (Publ) Network assisted UPnP remote access
WO2019067802A1 (en) 2017-09-27 2019-04-04 Ubiquiti Networks, Inc. Systems for automatic secured remote access to a local network
KR20200047734A (en) * 2017-09-27 2020-05-07 유비퀴티 인코포레이티드 System for automatic secure remote access to the local network
EP3688960A4 (en) * 2017-09-27 2021-06-02 Ubiquiti Inc. Systems for automatic secured remote access to a local network
US11258764B2 (en) 2017-09-27 2022-02-22 Ubiquiti Inc. Systems for automatic secured remote access to a local network
KR102466983B1 (en) 2017-09-27 2022-11-11 유비퀴티 인코포레이티드 System for automatic secure remote access to local networks

Also Published As

Publication number Publication date
EP2198568A1 (en) 2010-06-23
JP2010538554A (en) 2010-12-09
US20100309894A1 (en) 2010-12-09
JP5281644B2 (en) 2013-09-04
US9225548B2 (en) 2015-12-29

Similar Documents

Publication Publication Date Title
US9225548B2 (en) Method and apparatuses for allowing a nomadic terminal to access a home network on layer 2 level
US6970459B1 (en) Mobile virtual network system and method
KR100826736B1 (en) A method of dynamically connecting a client node to a serving network, a method of connecting a client node to multiple internet service providers, and a method of connecting a client node to a serving network
EP1618709B1 (en) Mobile ethernet
JP4527721B2 (en) Apparatus and method for improving remote LAN connectivity using tunneling
US7961725B2 (en) Enterprise network architecture for implementing a virtual private network for wireless users by mapping wireless LANs to IP tunnels
EP2087656B1 (en) Methods and arrangements for lan emulation in mobile networks
CN108028793B (en) Apparatus, system and method for local bridging communications in a cellular access network
US8553663B2 (en) Method and apparatus for use in a communications network
EP2377363B1 (en) PROXY MOBILE IPv6 SUPPORT IN RESIDENTIAL NETWORKS
US20090129386A1 (en) Operator Shop Selection
CN103748926A (en) Support of IP connections over trusted non-3GPP access
US8295289B2 (en) Method and system for simultaneous local and EPC connectivity
US20060182120A1 (en) IP to VPLS interworking
WO2003007561A1 (en) Method for forming a secured network
JP5425821B2 (en) Radio relay apparatus and radio relay method
JP2004260238A (en) Apparatus and method of connecting lan-atm network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07820081

Country of ref document: EP

Kind code of ref document: A1

DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
ENP Entry into the national phase

Ref document number: 2010523283

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2007820081

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 12676663

Country of ref document: US