WO2010015188A1 - Method, device and system for accessing mobile core network of access points - Google Patents


Info

Publication number
WO2010015188A1
Authority
WO
WIPO (PCT)
Prior art keywords
access point
access
gateway
core network
mobile core
Prior art date
Application number
PCT/CN2009/073068
Other languages
French (fr)
Chinese (zh)
Inventor
曹文利
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W92/00 Interfaces specially adapted for wireless communication networks
    • H04W92/04 Interfaces between hierarchically different network devices
    • H04W92/14 Interfaces between hierarchically different network devices between access point controllers and backbone network device

Definitions

  • the present invention relates to the field of network communication technologies, and in particular, to a method, device and system for an access point to access a mobile core network.
  • An Access Point (AP) is a network device that provides wireless access services for homes and small office/home office (SOHO) sites over the fixed Internet Protocol (IP) transmission network.
  • IP Internet Protocol
  • FIG. 1 is a block diagram of an AP applied to a home network.
  • The user equipment accesses the AP through the air interface, and the AP accesses the IP transmission network through the home gateway (HGW, Home Gateway), then connects to the security gateway (SeGW, Security Gateway) in the mobile core network through the IP transmission network, and then connects to the access gateway (AG, Access Gateway).
  • HGW home gateway
  • SeGW Security Gateway
  • AG Access Gateway
  • the HGW can be integrated on the AP
  • SeGW can be integrated on the AG.
  • the AP has a Subscriber Identity Module (SIM) card or a Universal Mobile Telecommunications System Subscriber Identity Module (USIM) card.
  • SIM Subscriber Identity Module
  • USIM Universal Mobile Telecommunications System Subscriber Identity Module
  • IPSec Internet Security Protocol
  • The AP and AG can be Universal Mobile Telecommunications System (UMTS), Global System for Mobile Communications (GSM), or Code Division Multiple Access (CDMA).
  • UMTS Universal Mobile Telecommunications System
  • GSM Global System for Mobile Communications
  • CDMA Code Division Multiple Access
  • the AP can also be applied to a corporate or school network. See Figure 2, which is a block diagram of an AP applied to a corporate network or a school network.
  • The first user equipment UE, the second user equipment UE, and the third user equipment UE respectively access the first access point AP, the second access point AP, and the third access point AP.
  • Each AP needs to establish an IPSec tunnel through the enterprise gateway or the campus gateway and the SeGW.
  • multiple IPSec tunnels exist between the enterprise gateway or the campus gateway and the SeGW, which wastes the egress bandwidth of the enterprise gateway or campus gateway.
  • Local calls and local data interaction between multiple APs, or between APs and other devices, must be implemented by AG transfer, which wastes the bandwidth of the mobile core network and requires the use of mobile core network resources, so such local calls and local data interaction are not free.
  • the enterprise network or the campus network needs the AP network to provide a large range of continuous coverage, and the handover function between the APs is implemented by the AG, which wastes the mobile core network resources. Since each AP has a SIM card or a USIM card, and multiple APs are distributed in the enterprise or school building, it is easy to cause the SIM card or the USIM card to be stolen, and there is no guarantee for security.
  • Embodiments of the present invention provide a method, device, and system for an access point to access a mobile core network, which saves resources of a mobile core network.
  • An embodiment of the present invention provides a method for an access point to access a mobile core network, including: an access point aggregation entity establishes an IP network security protocol tunnel with the security gateway by using the IP address of the security gateway; the access point aggregation entity accesses the access gateway of the mobile core network by using the IP address of the access gateway through the foregoing IP network security protocol tunnel; the access point aggregation entity receives access of at least one access point; and the access point aggregation entity transfers the access point to an access gateway of the mobile core network.
  • The embodiment of the present invention further provides an access point aggregation device, including: an establishing unit, configured to establish an IP network security protocol tunnel with the security gateway by using an IP address of the security gateway; an access unit, configured to access the access gateway of the mobile core network by using the IP address of the access gateway through the IP network security protocol tunnel established by the establishing unit; a receiving unit, configured to receive the access of the access point, where there is at least one access point; and a switching unit, configured to transfer the access point to an access gateway of the mobile core network.
  • The embodiment of the present invention further provides a system for an access point to access a mobile core network, including: an access point, a security gateway, an access gateway, and the access point aggregation device provided by the foregoing embodiment; the access point is configured to provide a wireless access service for the user equipment to access the mobile core network; the security gateway is configured to protect the mobile core network side entity; and the access gateway is configured to provide an interface for the user equipment to access the mobile core network.
  • an IPSec tunnel is established between the AP aggregation entity and the SeGW, and the AG of the mobile core network is accessed through the IPSec tunnel.
  • The AP aggregation entity receives access of multiple APs, and transfers the APs to the AG of the mobile core network. Because the AP aggregation entity is added, an IPSec tunnel does not have to be established between each AP and the SeGW, which saves the egress bandwidth of the local area network gateway (such as an enterprise gateway or a campus gateway).
  • Figure 10 is a schematic view of a second embodiment of the apparatus based on the present invention.
  • FIG. 11 is a structural diagram of a first embodiment of the system based on the present invention.
  • Figure 12 is a structural view of a second embodiment of the system based on the present invention.
  • Figure 13 is a block diagram showing a third embodiment of the system based on the present invention.
  • A method for an access point to access a mobile core network is described in the first embodiment of the present invention, including:
  • the access point aggregation entity establishes an IP network security protocol tunnel with the security gateway by using the IP address of the security gateway;
  • the access point aggregation entity accesses the access gateway of the mobile core network by using the IP address of the access gateway through the IP network security protocol tunnel;
  • the access point aggregation entity receives access of at least one access point; and the access point aggregation entity transfers the access point to an access gateway of the mobile core network.
  • FIG. 3 is a flow chart of a method based on a first embodiment of the present invention.
  • This example uses an AP as an example to describe the process for an AP to access an AG through an AP aggregation entity.
  • the AP aggregation entity establishes an IPSec tunnel with the SeGW by the IP address of the SeGW.
  • The AP aggregation entity may already have the IP address of the SeGW, so that the IPSec tunnel with the SeGW can be established directly by using the IP address of the SeGW.
  • the AP aggregation entity can resolve the IP address corresponding to the Fully Qualified Domain Name (FQDN) of the SeGW through the Domain Name System (DNS) server on the IP transport network.
  • FQDN Fully Qualified Domain Name
  • DNS Domain Name System
  • There can be one or two IPSec tunnels between the AP aggregation entity and the SeGW.
  • If there is one IPSec tunnel, it is used for both voice and data services.
  • If two IPSec tunnels are used, one IPSec tunnel can be used for voice services and the other IPSec tunnel is used for data services.
  • the AP aggregation entity carries a SIM card or a USIM card.
  • the SeGW can authenticate the AP aggregation entity through the SIM card or the USIM card, and check whether the AP aggregation entity is legal.
  • If the AP aggregation entity carries the SIM card, the EAP-SIM protocol (an Extensible Authentication Protocol method) is used to check whether the user ID carried by the SIM card is correct.
  • If it is correct, the AP aggregation entity is legal.
  • If the AP aggregation entity carries the USIM card, the Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) protocol is used to check whether the user ID carried by the USIM card is correct. If it is correct, the AP aggregation entity is legal.
  • EAP-AKA Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement
  • the AP aggregation entity may have the IP address of the AG so that the AG can be directly accessed by the AG's IP address.
  • the AP aggregation entity can resolve the IP address corresponding to the FQDN of the AG through the DNS server on the mobile core network.
  • the AP aggregation entity receives the access of the AP.
  • step 103 may be between step 101 or 102, or between step 101 and step 102.
  • The AP can access the AP aggregation entity through the Dynamic Host Configuration Protocol (DHCP).
  • DHCP Dynamic Host Configuration Protocol
  • When the AP does not carry the SIM card or the USIM card, the AP aggregation entity can check whether the media access control (MAC, Media Access Control) address, access link identifier, or device identifier in the AP packet is the same as the configured MAC address, access link identifier, or device identifier. If they are the same, the AP is legal and the AP is allowed to access.
  • MAC media access control
  • the AP aggregation entity transfers the AP to the AG of the mobile core network.
  • the AP can configure the software version, AP wireless parameters, mobile core network parameters, AG address, and AP signing service parameters through the ACS (Automatic Configuration Server).
  • ACS Automatic Configuration Server
  • the AP aggregation entity may temporarily store the software version, the AP radio parameters, the mobile core network parameters, the AG address, and the AP-signed service parameters to the user, and then the AP configures the software version, the AP wireless parameters, and the mobile through the AP aggregation entity.
  • the AP aggregation entity transfers the AP to the AG of the mobile core network through the proprietary connection link.
  • The proprietary connection link is a virtual local area network (VLAN, Virtual Local Area Network).
  • VLAN virtual local area network
  • the AP convergence entity transfers the AP to the AG of the mobile core network through the VLAN.
  • an IPSec tunnel can be established between the AP and the AP aggregation entity.
  • the AP aggregation entity transfers the AP to the AG of the mobile core network through the IPSec tunnel.
  • An AP aggregation entity can aggregate multiple APs.
  • the SeGW may be integrated on the AG or may be an independent physical entity.
  • The first method embodiment achieves the purpose of accessing the AG of the mobile core network by adding an AP aggregation entity. Since one or two IPSec tunnels are established between the AP aggregation entity and the SeGW, the egress bandwidth of the LAN gateway (such as an enterprise gateway or a campus gateway) is saved. At the same time, because the AP aggregation entity carries the SIM card or the USIM card, the SeGW can directly authenticate the AP aggregation entity, and the AP aggregation entity can be located in the same equipment room as the LAN gateway (such as the enterprise gateway or the campus gateway), thereby avoiding the security issues of carrying a SIM card or USIM card on each AP.
  • Method Embodiment 2 is a method that uses a SIM card or USIM card.
  • The AP aggregation entity does not have the IP addresses of the SeGW and the AG, and there is no proprietary connection link between the AP and the AP aggregation entity.
  • the AP aggregation entity parses the IP address of the SeGW.
  • the AP aggregation entity can resolve the IP address corresponding to the FQDN of the SeGW through the DNS server on the IP transmission network.
  • the AP aggregation entity establishes an IPSec tunnel with the SeGW.
  • There can be one or two IPSec tunnels between the AP aggregation entity and the SeGW.
  • If there is one IPSec tunnel, it is used for both voice and data services.
  • If two IPSec tunnels are used, one IPSec tunnel is used for voice services and the other IPSec tunnel is used for data services.
  • the AP aggregation entity carries a SIM card or a USIM card.
  • the SeGW can authenticate the AP aggregation entity through the SIM card or the USIM card to check whether the AP aggregation entity is legal.
  • If the AP aggregation entity carries the SIM card, the EAP-SIM protocol is used to check whether the user ID carried by the SIM card is correct. If it is correct, the AP aggregation entity is legal.
  • If the AP aggregation entity carries the USIM card, the EAP-AKA protocol is used to check whether the user ID carried by the USIM card is correct. If it is correct, the AP aggregation entity is legal.
  • the SeGW can also authenticate the AP aggregation entity by using a pre-shared key or a digital certificate, and check whether the AP aggregation entity is legal.
  • the AP aggregation entity parses the IP address of the AG.
  • the AP aggregation entity has the FQDN of the AG, or the AP aggregation entity can derive the AG's
  • the AP aggregation entity can resolve the IP address corresponding to the FQDN of the AG through the DNS server on the mobile network.
  • the AP aggregation entity accesses the AG of the mobile core network by the IP address of the AG.
  • the AP aggregation entity is configured through the ACS.
  • the AP aggregation entity mainly configures mobile core network parameters and software versions.
  • the step 206 of the second embodiment is similar to the step 103 of the first embodiment, and is not described here.
  • the AP establishes an IPSec tunnel with the AP aggregation entity.
  • the AP performs self-configuration through the AP aggregation entity.
  • the configuration content is software version, AP wireless parameters, mobile core network parameters, AG address, and AP signing service parameters.
  • the AP aggregation entity transfers the AP to the AG of the mobile core network.
  • the AP aggregation entity transfers the AP to the AG of the mobile core network through the IPSec tunnel established in step 207.
  • step 208 may also be:
  • the AP performs self-configuration (automatic configuration) through the ACS.
  • the AP aggregation entity aggregates multiple AP access points, and controls the access of the AP by checking the MAC address, the access link identifier, or the device identifier of the AP.
  • The AP aggregation entity provides AP local call and local data interaction functions and a handover function between APs. The process of receiving AP access by the AP aggregation entity is described in detail below with reference to FIG. 5.
  • FIG. 5 is a flow chart of receiving AP access by an AP aggregation entity according to the present invention.
  • the AP sends a DHCP discovery message to the AP aggregation entity.
  • the AP aggregation entity checks whether the AP is legal. If it is legal, go to step 303.
  • An AP aggregation entity can check the legality of an AP in the following three ways:
  • the AP aggregation entity checks whether the MAC address of the AP is legal through the source MAC address of the DHCP discovery message.
  • the AP aggregation entity sends a DHCP providing message to the AP.
  • the AP sends a DHCP request message to the AP aggregation entity.
  • step 306 is performed.
  • the AP aggregation entity sends a DHCP acknowledgement message to the AP.
  • the AP aggregation entity can receive the access of multiple APs at the same time, and the process of accessing each AP is the same as the access procedure described in Embodiment 3 of the method.
  • the AP aggregation entity has the function of inter-AP handover. The following describes in detail how the AP aggregation entity implements inter-AP handover, and the UMTS AP is taken as an example for description.
  • FIG. 6 is a flow chart of implementing inter-AP handover based on the AP aggregation entity of the present invention.
  • the source AP determines that the UE needs to initiate a handover, the source AP sends a packet switch (PS,
  • the RANAP Radio Access Network Application Part
  • the RANAP relocates the Relocation Required message to the AP aggregation entity for migration.
  • After receiving the relocation request message, the AP aggregation entity sends a Relocation Request message to the destination AP according to the destination cell identifier, and requests the destination AP to allocate resources.
  • After receiving the relocation request message, the AP allocates related resources and establishes a radio link. Steps 406 and 407: the destination AP returns a Relocation Request Ack message to the AP aggregation entity.
  • After receiving the relocation request response message, the AP aggregation entity sends a Relocation Command message to the source AP.
  • After receiving the relocation command message, the source AP stops sending data to the UE, and sends a radio bearer (RB, Radio Bearer) reconfiguration message to the UE.
  • RB Radio Bearer
  • the UE performs the air interface layer 1 synchronization with the destination AP.
  • Steps 412 and 413: after synchronizing with the air interface layer 1, the destination AP sends a Relocation Detect message to the AP aggregation entity.
  • the UE sends a radio bearer configuration completion (RB Reconfiguration Complete) message to the destination AP.
  • RB Reconfiguration Complete radio bearer configuration completion
  • After receiving the radio bearer reconfiguration complete message, the destination AP starts to send and receive data, and sends a Relocation Complete message to the AP aggregation entity, and the AP aggregation entity starts to send data to the destination AP.
  • the AP aggregation entity sends an Iu Release Command (Release Command) message to the source AP, and releases the interface Iu resource between the AP and the AG.
  • Iu Release Command Release Command
  • the source AP releases the UE related resources.
  • The source AP sends an Iu Release Complete message to the AP aggregation entity, completing the handover process.
  • the AP aggregation entity implements the inter-AP handover, which is performed in the AP aggregation entity, and moves the UE context from the source AP to the destination AP. This process does not go through the mobile core network.
  • the handover between the APs depends on the AG, which wastes the resources of the mobile core network.
  • the AP aggregation entity directly implements the handover between the APs, and does not pass through the mobile core network, thereby saving the resources of the mobile core network.
  • the AP is described as an example.
  • an AP aggregation entity implements an AP local call flow chart according to an embodiment of the present invention.
  • The AP aggregation entity integrates the mobile switching center (MSC, Mobile Switching Center).
  • MSC mobile switching center
  • RRC radio resource control
  • the calling UE sends an RRC initial direct transmission message to the AP, where the message has a service request of the calling UE.
  • the AP sends an initial UE message to the AP aggregation entity.
  • the calling UE sends a Setup message to the AP, where the message has the called number information.
  • the AP forwards the setup message of the calling UE to the AP convergence entity.
  • the AP aggregation entity determines, according to the called number information in the setup message, whether the current call is a local call, and if it is a local loopback call, enters a local call procedure.
  • the AP aggregation entity initiates a paging request to the called UE.
  • the called UE responds to a paging request of the AP aggregation entity.
  • the AP aggregation entity sends a setup message to the AP.
  • the AP forwards the setup message to the UE. 513.
  • the called UE sends a Call Confirmed message to the AP.
  • the AP forwards the call confirmation message to the AP convergence entity.
  • RAB radio access bearer
  • the called UE sends an alerting message to the AP.
  • the AP forwards the ringing message to the AP aggregation entity.
  • the called UE sends a Connect message to the AP.
  • the AP forwards the connection message to the AP aggregation entity.
  • the AP aggregation entity sends a Connect Ack message to the AP.
  • the AP forwards a connection response message to the called UE.
  • The local call must be implemented by the interaction between the AP and the AG, so that not only is the mobile core network bandwidth wasted, but the local call between the APs is also charged because mobile core network resources are used.
  • the local call between the APs is completed by the AP aggregation entity, and does not need to go through the AG, which not only saves the core network resources, but also makes the local call of the AP free.
  • the following describes in detail how the AP aggregation entity implements AP local data processing in conjunction with FIG. 8 and uses the UMTS AP as an example for description.
  • an AP aggregation entity based on the present invention implements a flow chart of AP local data processing.
  • The AP aggregation entity integrates the functions of the Serving GPRS (General Packet Radio Service) Support Node (SGSN).
  • GPRS General Packet Radio Service
  • the UE When the UE has a data service to be initiated, the UE sends a PDP (Packet Data Protocol) context request message to the AP aggregation entity.
  • PDP Packet Data Protocol
  • the AP aggregation entity identifies an access point name (APN, Access Point Name) in the activated PDP context request message, and if it is the same as the local data processing, performs a local data processing procedure.
  • APN Access Point Name
  • the AP aggregation entity allocates a local address to the UE.
  • the AP aggregation entity sends an activation PDP context accept message to the UE, where the message has a local address assigned to the UE.
  • the UE performs data transmission, and the AP aggregation entity determines that the source address of the packet is a local address, and performs local data processing.
  • the AP aggregation entity implements AP local data processing, and the process does not pass through the mobile core network.
  • the local data processing of the AP relies on the AG, which wastes the resources of the mobile core network.
  • the AP aggregation entity is directly used to implement the local data processing of the AP, and the mobile core network resources are saved without going through the mobile core network.
  • the embodiments of the present invention provide a device for accessing a mobile core network, such as an access point convergence device.
  • FIG. 9 is a schematic diagram of a first embodiment of the apparatus based on the present invention.
  • the device in the embodiment of the present invention includes: an establishing unit 901, an access unit 902, a receiving unit 903, and a switching unit 904.
  • the establishing unit 901 establishes an IP network security protocol tunnel with the security gateway by the IP address of the security gateway.
  • the access unit 902 accesses the access gateway of the mobile core network by using the IP address of the access gateway through the IP network security protocol tunnel established by the establishing unit 901.
  • the receiving unit 903 receives the access of the access point, and the access point has at least one.
  • the switching unit 904 transfers the access point to the access gateway of the mobile core network.
  • the device forwards the AP to the AG through an IPSec tunnel.
  • the AP aggregation entity transfers the access point to the access gateway of the mobile core network through the proprietary connection link.
  • The proprietary connection link is a virtual local area network (VLAN, Virtual Local Area Network).
  • VLAN Virtual Local Area Network
  • FIG. 10 is a schematic diagram of a second embodiment of the apparatus based on the present invention.
  • the difference between the device embodiment 2 and the device embodiment 1 is that the AP aggregation entity does not have the IP addresses of the SeGW and the AG, so the first obtaining unit and the second obtaining unit are added. In order to enable a legitimate AP to access the AG, an inspection unit is set up.
  • the first obtaining unit 1001 parses the IP address corresponding to the fully qualified domain name of the security gateway by using the domain name naming system on the IP transmission network.
  • the first obtaining unit 1001 is connected to the establishing unit 1002.
  • the second obtaining unit 1003 parses the IP address corresponding to the fully qualified domain name of the access gateway by using the domain name naming system on the mobile core network.
  • the second obtaining unit 1003 is connected to the access unit 1004.
  • the checking unit 1005 determines whether the access point is legal by checking the MAC address, access link identifier or device identifier of each access point.
  • the checking unit 1005 is connected to the receiving unit 1006.
  • the device carries a SIM or USIM
  • the device performs authentication between the SIM and the security gateway; or
  • the invention also provides a system for an access point to access a mobile core network.
  • the system includes the access point aggregation device described in the above embodiments.
  • FIG. 11 is a block diagram of a first embodiment of the system based on the present invention.
  • the system in the embodiment of the present invention includes: an access point 1101, an access point aggregation device 1102, a security gateway 1103, and an access gateway 1104.
  • the access point 1101 provides a wireless access service for the user equipment to access the mobile core network; the security gateway 1103 protects the mobile core network side entity and establishes an IPSec tunnel with the access point 1101;
  • the access gateway 1104 provides an interface for the user equipment to access the mobile core network;
  • The access point aggregation device 1102 establishes an IPSec tunnel with the SeGW; accesses the AG of the mobile core network by the IP address of the AG through the IPSec tunnel; receives the access of the AP, and transfers the AP to the AG.
  • the AP can access the AP aggregation device through the Dynamic Host Configuration Protocol (DHCP).
  • DHCP Dynamic Host Configuration Protocol
  • the AP does not carry the SIM card or the USIM card.
  • the AP aggregation device can check whether the MAC address, access link identifier, or device ID of the AP packet is the same as the configured MAC address, access link identifier, or device ID. When the packets are consistent, the AP is legal and the AP is allowed to access.
  • the AP aggregation device transfers the access point to the access gateway of the mobile core network through the proprietary connection link.
  • the proprietary connection link is a VLAN.
  • an IPSec tunnel can be established between the AP and the AP aggregation device.
  • The AP aggregation device transfers the access point to the access gateway of the mobile core network through the IPSec tunnel.
  • the security gateway 1103 can be integrated on the access gateway 1104.
  • System embodiment 1 achieves the purpose of accessing the AG 1104 of the mobile core network by adding the AP aggregation device 1102. Since the AP aggregation device 1102 establishes one or two IPSec tunnels with the AG 1104 of the mobile core network, the egress bandwidth of the LAN gateway (such as an enterprise gateway or a campus gateway) is saved. At the same time, the AP aggregation device 1102 carries the SIM card or the USIM card, which avoids authenticating each AP 1101. The AP aggregation device 1102 can be located in the same equipment room as the enterprise gateway or the campus gateway, which avoids the security issues of carrying a SIM card or USIM card on each AP.
  • the SeGW can also authenticate the AP aggregation entity 1102 by using a pre-shared key or a digital certificate, so that the AP aggregation device 1102 does not need to carry a SIM card or a USIM card, thereby avoiding the security problem of the SIM card or the USIM card.
  • System Embodiment 2 :
  • FIG. 12 is a block diagram of a second embodiment of the system according to the present invention.
  • the difference between the system embodiment 2 and the system embodiment 1 is: the AP aggregation device does not have the IP addresses of the SeGW and the AG, and the system embodiment 2 adds the domain name system 1203 of the IP transport network and the domain name system 1205 of the mobile core network, and also adds an automatic configuration server 1207.
  • the access point aggregation device 1202 parses the IP address corresponding to the fully qualified domain name of the security gateway 1204 through the IP transport network domain name naming system 1203.
  • the access point aggregation device 1202 parses the IP address corresponding to the fully qualified domain name of the access gateway 1206 by using the domain name naming system of the mobile core network.
  • the access point aggregation device 1202 performs configuration of mobile core network parameters and software versions and the like through the automatic configuration server 1207.
  • the access point 1201 performs configuration of a software version, an AP radio parameter, a mobile core network parameter, an AG address, and an AP-signed service parameter through the access point aggregation device 1202 or the automatic configuration server 1203.
  • System Embodiment 3:
  • FIG. 13 is a block diagram of a third embodiment of the system according to the present invention.
  • the third embodiment of the present invention is a scenario in which the AP aggregation device of the present invention is applied to an enterprise network, and can of course be applied to a campus network or other local area network.
  • An AP aggregation device can aggregate multiple APs.
  • three APs access the AP aggregation entity through an IPSec tunnel or a dedicated connection link.
  • Each UE accesses the corresponding AP through an air interface.
  • the AP aggregation device accesses the IP transport network through the enterprise gateway, then establishes one or two IPSec tunnels with the SeGW of the mobile core network through the IP transport network, connects to the SeGW through the IPSec tunnel, and accesses the AG of the mobile core network through the SeGW.
  • the AP aggregation device transfers the AP to the AG to implement the AP access to the AG.
  • the AP aggregation device carries a SIM card or a USIM card. Each AP does not carry a SIM card or USIM.
  • the AP aggregation device is secure.
  • the SIM card or USIM card is secure.
  • the SeGW can also authenticate the AP aggregation device 1102 by using a pre-shared key or a digital certificate, so that the AP aggregation device 1102 does not need to carry a SIM card or a USIM card, thereby avoiding the security problem of the SIM card or the USIM card.
  • a minimum of one IPSec tunnel can be established between the AP aggregation device and the SeGW to save the egress bandwidth of the enterprise gateway.
  • the program can be executed by instructing related hardware, and the program can be stored in a computer readable storage medium, and when executed, the program can include the contents of various embodiments of the foregoing communication method.
  • the storage medium referred to herein is, for example, a ROM/RAM, a magnetic disk, an optical disk, or the like.
  • an access point accesses a mobile core network
  • an IPSec tunnel is established between the AP aggregation entity and the SeGW, and the AG of the mobile core network is accessed through the IPSec tunnel.
  • the AP aggregation entity receives access of multiple APs, and transfers the AP to the AG of the mobile core network. Since the AP aggregation entity is added, it is avoided that each AP establishes an IPSec tunnel with the SeGW, thereby saving the egress bandwidth of the enterprise gateway or the campus gateway.
  • the AP aggregation entity is located in the same equipment room as the enterprise gateway or campus gateway.
  • the method includes the following steps: establishing an IP security protocol tunnel with the security gateway by using the IP address of the security gateway; accessing the access gateway of the mobile core network by using the IP address of the access gateway; receiving access of at least one access point; and transferring the access point to the access gateway of the mobile core network.

Abstract

A method for accessing a mobile core network of access points is provided. The method includes the following steps: IP security protocol tunnels are established toward a security gateway through IP address of the security gateway; an access gateway of the mobile core network is accessed through IP address of the access gateway on the IP security protocol tunnels; the access of at least one access point is received; the access points are forwarded to the access gateway of the mobile core network. An assembling entity of the access points is further provided.

Description

Method, device and system for an access point to access a mobile core network
This application claims priority to Chinese Patent Application No. 200810041477.9, filed with the Chinese Patent Office on August 4, 2008 and entitled "Method, device and system for an access point to access a mobile core network", which is incorporated herein by reference in its entirety.
Technical field
The present invention relates to the field of network communication technologies, and in particular to a method, device and system for an access point to access a mobile core network.
Background
An access point (AP) is a network device that provides wireless access services for homes and for small offices and home offices (SOHO) over a fixed Internet Protocol (IP) transport network.
See FIG. 1, which is a structural diagram of an AP applied to a home network.
User equipment (UE) accesses the AP over the air interface. The AP accesses the IP transport network through a home gateway (HGW), then connects through the IP transport network to the security gateway (SeGW) in the mobile core network, and from there to the access gateway (AG). The HGW can be integrated on the AP, and the SeGW can be integrated on the AG.
The AP carries a Subscriber Identity Module (SIM) card or a Universal Mobile Telecommunications System Subscriber Identity Module (USIM) card. When the AP establishes an IP Security Protocol (IPSec) tunnel with the SeGW, the AP must be authenticated through the SIM or USIM, which ensures that only legitimate APs can access the mobile core network; the IPSec tunnel also protects AP information while it is transmitted over the public IP transport network. The AP and the AG may use the Universal Mobile Telecommunications System (UMTS), the Global System for Mobile communications (GSM) or Code Division Multiple Access (CDMA).
In addition to home networks, APs can also be used in enterprise or school networks. See FIG. 2, which is a structural diagram of APs applied to an enterprise network or a school network.
The first UE, the second UE and the third UE access the first AP, the second AP and the third AP respectively. Each AP must establish an IPSec tunnel with the SeGW through the enterprise gateway or campus gateway, so multiple IPSec tunnels exist between the enterprise or campus gateway and the SeGW, which wastes the egress bandwidth of that gateway. Local calls and local data exchange between APs, or between an AP and other devices, can only be carried out by relaying through the AG, which wastes mobile core network bandwidth and consumes mobile core network resources, so such local calls and local data exchange are not free. In addition, an enterprise or campus network needs the APs to be networked to provide continuous coverage over a larger area, and handover between APs is implemented by the AG, which again wastes mobile core network resources. Because each AP carries a SIM card or USIM card and the APs are distributed throughout the enterprise or school buildings, the SIM or USIM cards are easily stolen, and security is not guaranteed.
It can be seen that when multiple APs of an enterprise or campus access the mobile core network through the enterprise gateway or campus gateway, mobile core network resources are wasted, and the SIM card or USIM card carried by each AP is also a security problem.
Summary of the invention
Embodiments of the present invention provide a method, device and system for an access point to access a mobile core network, which save mobile core network resources.
An embodiment of the present invention provides a method for an access point to access a mobile core network, including: an access point aggregation entity establishes an IP security protocol tunnel with a security gateway by using the IP address of the security gateway; the access point aggregation entity accesses the access gateway of the mobile core network through the IP security protocol tunnel by using the IP address of the access gateway; the access point aggregation entity receives access of at least one access point; and the access point aggregation entity transfers the access point to the access gateway of the mobile core network.
An embodiment of the present invention further provides an access point aggregation device, including: an establishing unit, configured to establish an IP security protocol tunnel with a security gateway by using the IP address of the security gateway; an access unit, configured to access the access gateway of the mobile core network, by using the IP address of the access gateway, through the IP security protocol tunnel established by the establishing unit; a receiving unit, configured to receive access of at least one access point; and a transfer unit, configured to transfer the access point to the access gateway of the mobile core network.
An embodiment of the present invention further provides a system for an access point to access a mobile core network, including: an access point, a security gateway, an access gateway, and the access point aggregation device provided by the foregoing embodiment. The access point is configured to provide wireless access services for user equipment accessing the mobile core network; the security gateway is configured to protect entities on the mobile core network side; and the access gateway is configured to provide the interface through which user equipment accesses the mobile core network.
In the above technical solution, an IPSec tunnel is established between the AP aggregation entity and the SeGW, and the AG of the mobile core network is accessed through that IPSec tunnel. The AP aggregation entity also receives access of multiple APs and transfers the APs to the AG of the mobile core network. Because the AP aggregation entity is added, each AP no longer has to establish its own IPSec tunnel with the SeGW, which saves the egress bandwidth of the local area network gateway (such as an enterprise gateway or a campus gateway).
Brief description of the drawings
FIG. 10 is a schematic diagram of a second embodiment of the device according to the present invention;
FIG. 11 is a structural diagram of a first embodiment of the system according to the present invention;
FIG. 12 is a structural diagram of a second embodiment of the system according to the present invention;
FIG. 13 is a structural diagram of a third embodiment of the system according to the present invention.
Detailed description
First, the method for an access point to access a mobile core network according to an embodiment of the present invention is described. The method includes:
The access point aggregation entity establishes an IP security protocol tunnel with the security gateway by using the IP address of the security gateway; the access point aggregation entity accesses the access gateway of the mobile core network through the IP security protocol tunnel by using the IP address of the access gateway; the access point aggregation entity receives access of at least one access point; and the access point aggregation entity transfers the access point to the access gateway of the mobile core network.
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Method Embodiment 1:
See FIG. 3, a flowchart of the method according to the first embodiment of the present invention. This embodiment uses one AP as an example to describe how an AP accesses the AG through the AP aggregation entity.
101. The AP aggregation entity establishes an IPSec tunnel with the SeGW by using the IP address of the SeGW.
The AP aggregation entity may already have the IP address of the SeGW, in which case it can use that address to establish the IPSec tunnel with the SeGW directly.
When the AP aggregation entity does not have the IP address of the SeGW, it can resolve the IP address corresponding to the Fully Qualified Domain Name (FQDN) of the SeGW through a Domain Name System (DNS) server on the IP transport network.
There may be one or two IPSec tunnels between the AP aggregation entity and the SeGW. When there is one IPSec tunnel, it carries both voice services and data services. When there are two, one IPSec tunnel can be used for voice services and the other for data services.
In this embodiment the AP aggregation entity carries a SIM card or USIM card, so when the IPSec tunnel with the SeGW is established, the SeGW can authenticate the AP aggregation entity through the SIM card or USIM card and check whether the AP aggregation entity is legitimate. When the AP aggregation entity carries a SIM card, the Extensible Authentication Protocol for GSM SIM (EAP-SIM) is used to check whether the user identity carried by the SIM card is correct; if it is correct, the AP aggregation entity is legitimate. When the AP aggregation entity carries a USIM card, the Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) is used to check whether the user identity carried by the USIM card is correct; if it is correct, the AP aggregation entity is legitimate.
102. Through the IPSec tunnel, the AP aggregation entity accesses the AG of the mobile core network by using the IP address of the AG.
The AP aggregation entity may already have the IP address of the AG, in which case it can use that address to access the AG directly.
When the AP aggregation entity does not have the IP address of the AG, it can resolve the IP address corresponding to the FQDN of the AG through a DNS server on the mobile core network.
103. The AP aggregation entity receives the access of the AP.
It should be noted that step 103 has no fixed order relative to steps 101 and 102: step 103 may be performed before step 101 or step 102, or between step 101 and step 102.
The AP can access the AP aggregation entity through the Dynamic Host Configuration Protocol (DHCP). Because the AP does not carry a SIM card or USIM card, the AP aggregation entity can check whether the Media Access Control (MAC) address, access link identifier or device identifier in the AP's packets matches the configured MAC address, access link identifier or device identifier. When they match, the AP is legitimate and is allowed to access.
104. The AP aggregation entity transfers the AP to the AG of the mobile core network.
The AP can configure its software version, AP radio parameters, mobile core network parameters, AG address, AP subscribed service parameters and so on through an Automatic Configuration Server (ACS).
Alternatively, the AP aggregation entity can first cache the software version, AP radio parameters, mobile core network parameters, AG address, AP subscribed service parameters and so on locally, and the AP then configures these items through the AP aggregation entity.
If there is a dedicated connection link between the AP and the AP aggregation entity, the AP aggregation entity transfers the AP to the AG of the mobile core network through the dedicated connection link.
For example, the dedicated connection link is a Virtual Local Area Network (VLAN), and the AP aggregation entity transfers the AP to the AG of the mobile core network through the VLAN.
If there is no dedicated connection link between the AP and the AP aggregation entity, an IPSec tunnel can be established between the AP and the AP aggregation entity, and the AP aggregation entity transfers the AP to the AG of the mobile core network through that IPSec tunnel.
An AP aggregation entity can aggregate multiple APs.
The SeGW can be integrated on the AG, or it can be a separate physical entity.
The method of Method Embodiment 1 enables the AP to access the AG of the mobile core network by adding an AP aggregation entity. Because only one or two IPSec tunnels are established between the AP aggregation entity and the SeGW, the egress bandwidth of the local area network gateway (such as an enterprise gateway or a campus gateway) is saved. In addition, because the AP aggregation entity carries the SIM card or USIM card, the SeGW only needs to authenticate the AP aggregation entity, and the AP aggregation entity can be located in the same equipment room as the local area network gateway (such as an enterprise gateway or a campus gateway), which avoids the security problem of each AP carrying a SIM card or USIM card.
Method Embodiment 2:
See FIG. 4, a flowchart of the method according to the second embodiment of the present invention.
In Embodiment 2 it is assumed that the AP aggregation entity does not have the IP addresses of the SeGW and the AG, and that there is no dedicated connection link between the AP and the AP aggregation entity.
201. The AP aggregation entity resolves the IP address of the SeGW.
If the AP aggregation entity has the FQDN of the SeGW, or can derive the FQDN of the SeGW, it can resolve the IP address corresponding to that FQDN through a DNS server on the IP transport network.
202. The AP aggregation entity establishes an IPSec tunnel with the SeGW.
There may be one or two IPSec tunnels between the AP aggregation entity and the SeGW. When there is one IPSec tunnel, it carries both voice services and data services. When there are two, one IPSec tunnel is used for voice services and the other for data services.
Because the AP aggregation entity carries a SIM card or USIM card, when the IPSec tunnel with the SeGW is established, the SeGW can authenticate the AP aggregation entity through the SIM card or USIM card and check whether the AP aggregation entity is legitimate. When the AP aggregation entity carries a SIM card, the EAP-SIM protocol is used to check whether the user identity carried by the SIM card is correct; if it is correct, the AP aggregation entity is legitimate. When the AP aggregation entity carries a USIM card, the EAP-AKA protocol is used to check whether the user identity carried by the USIM card is correct; if it is correct, the AP aggregation entity is legitimate.
In addition, when the AP aggregation entity establishes the IPSec tunnel with the SeGW, the SeGW can also authenticate the AP aggregation entity by using a pre-shared key or a digital certificate to check whether the AP aggregation entity is legitimate.
203. The AP aggregation entity resolves the IP address of the AG.
If the AP aggregation entity has the FQDN of the AG, or can derive the FQDN of the AG, it can resolve the IP address corresponding to that FQDN through a DNS server on the mobile network.
204. The AP aggregation entity accesses the AG of the mobile core network by using the IP address of the AG.
205. The AP aggregation entity is configured through the ACS.
The AP aggregation entity mainly configures mobile core network parameters, the software version and so on.
206. The AP aggregation entity receives the access of the AP. This step is similar to step 103 of Embodiment 1 and is not described again here.
207. The AP establishes an IPSec tunnel with the AP aggregation entity.
208. The AP performs self-configuration through the AP aggregation entity.
The configured items are the software version, AP radio parameters, mobile core network parameters, AG address, AP subscribed service parameters and so on.
209. The AP aggregation entity transfers the AP to the AG of the mobile core network.
The AP aggregation entity transfers the AP to the AG of the mobile core network through the IPSec tunnel established in step 207.
It should be noted that step 208 may alternatively be: the AP performs self-configuration (automatic configuration) through the ACS.
The AP aggregation entity in the embodiments of the present invention aggregates multiple APs and controls AP access by checking the AP's MAC address, access link identifier or device identifier. The AP aggregation entity provides AP local call, local data exchange and inter-AP handover functions.
The process by which the AP aggregation entity receives AP access is described in detail below with reference to FIG. 5.
Method Embodiment 3:
See FIG. 5, a flowchart of the AP aggregation entity receiving AP access according to the present invention.
301. The AP sends a DHCP Discover message to the AP aggregation entity.
302. The AP aggregation entity checks whether the AP is legitimate. If it is, step 303 is performed.
The AP aggregation entity can check the legitimacy of the AP in the following three ways:
1) The AP aggregation entity uses the source MAC address of the DHCP Discover message to check whether the MAC address of the AP is legitimate;
2) The AP aggregation entity uses the access link identifier of the link on which the DHCP Discover message was received to check whether the AP is accessing from the configured link;
3) The AP aggregation entity uses the device identifier carried in the DHCP Discover message to check whether the AP is legitimate.
303. The AP aggregation entity sends a DHCP Offer message to the AP.
304. The AP sends a DHCP Request message to the AP aggregation entity.
305. As in step 302, the AP aggregation entity checks the legitimacy of the AP. If the AP is legitimate, step 306 is performed.
306. The AP aggregation entity sends a DHCP Acknowledge message to the AP.
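
The admission checks of steps 302 and 305, as an added example that is not part of the patent text: a small DHCP parser and an aggregation-side policy that answers or drops Discover and Request messages. The document does not say which DHCP option carries the device identifier or what form the access link identifier takes; option 61 (client identifier) and a VLAN name are assumptions made here, and all MAC addresses, link names and device IDs are constructed sample values.

```python
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"
DISCOVER, REQUEST = 1, 3
OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255


@dataclass(frozen=True)
class ApRecord:
    """Identifiers configured on the aggregation entity for one AP."""
    mac: str      # expected source MAC address (lower case)
    link: str     # expected access link identifier (assumed: a VLAN name)
    device: str   # expected device identifier


def parse_dhcp(payload: bytes) -> dict:
    """Return the message type and device identifier of a DHCP client message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    if payload[0] != 1:  # op must be BOOTREQUEST for client-to-server traffic
        raise ValueError("not a client message")
    msg = {"type": None, "device": None}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if code == OPT_MSG_TYPE and length == 1:
            msg["type"] = value[0]
        elif code == OPT_CLIENT_ID and length >= 2 and value[0] == 0:
            # Assumption: the device ID is ASCII text after type byte 0.
            msg["device"] = value[1:].decode("ascii", "replace")
        i += 2 + length
    return msg


class ApAggregator:
    """Admission side of steps 302 and 305: check the AP, then answer or drop."""

    def __init__(self, records, checks=("mac", "link", "device")):
        self.records = list(records)
        # Which of the three identifiers must match one configured record.
        # Requiring all three on the same record is stricter than any one alone.
        self.checks = tuple(checks)

    def is_legitimate(self, src_mac: str, link: str, msg: dict) -> bool:
        seen = {"mac": src_mac.lower(), "link": link, "device": msg["device"]}
        return any(all(getattr(rec, c) == seen[c] for c in self.checks)
                   for rec in self.records)

    def handle(self, src_mac: str, link: str, payload: bytes):
        """Return 'OFFER' (step 303), 'ACK' (step 306) or None if dropped."""
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            return None
        if msg["type"] not in (DISCOVER, REQUEST):
            return None
        if not self.is_legitimate(src_mac, link, msg):
            return None
        return "OFFER" if msg["type"] == DISCOVER else "ACK"


def build_dhcp(msg_type: int, mac: str, device: str = "") -> bytes:
    """Build a minimal DHCP client message (constructed sample input)."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0) + bytes(16)
    chaddr = bytes.fromhex(mac.replace(":", "")) + bytes(10)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if device:
        cid = b"\x00" + device.encode("ascii")
        opts += bytes([OPT_CLIENT_ID, len(cid)]) + cid
    return fixed + chaddr + bytes(192) + DHCP_MAGIC + opts + bytes([OPT_END])


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"
    agg = ApAggregator([ApRecord(mac, "vlan-100", "AP-0001")])
    for link, dev, kind in [("vlan-100", "AP-0001", DISCOVER),
                            ("vlan-100", "AP-0001", REQUEST),
                            ("vlan-200", "AP-0001", DISCOVER)]:
        print(link, dev, kind, agg.handle(mac, link, build_dhcp(kind, mac, dev)))
```

With `checks=("mac",)` the same aggregator answers a message that arrives on an unconfigured link, which is why the sample policy binds all three identifiers to one record.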
It should be noted that the AP aggregation entity can receive the access of multiple APs at the same time, and each AP follows the same access procedure as described in Method Embodiment 3.
The AP aggregation entity provides inter-AP handover. How the AP aggregation entity implements inter-AP handover is described in detail below with reference to FIG. 6, taking a UMTS AP as an example.
方法实施例四:  Method Embodiment 4:
FIG. 6 is a flowchart of inter-AP handover implemented by the AP aggregation entity of the present invention.
401 and 402. When the source AP decides that the UE needs to initiate a handover, the source AP sends a RANAP (Radio Access Network Application Part) Relocation Required message for the packet switched (PS, Packet Switched) domain and for the circuit switched (CS, Circuit Switched) domain to the AP aggregation entity, requesting relocation.
403 and 404. After receiving the Relocation Required message, the AP aggregation entity sends a Relocation Request message to the destination AP according to the destination cell identifier, requesting the destination AP to allocate resources.
405. After receiving the Relocation Request message, the destination AP allocates the related resources and establishes a radio link.
406 and 407. The destination AP returns a Relocation Request Ack message to the AP aggregation entity.
408 and 409. After receiving the Relocation Request Ack message, the AP aggregation entity sends a Relocation Command message to the source AP.
410. After receiving the Relocation Command message, the source AP stops sending data to the UE and sends a radio bearer (RB, Radio Bearer) reconfiguration message to the UE.
411. The UE performs air-interface layer 1 synchronization with the destination AP.
412 and 413. After air-interface layer 1 synchronization, the destination AP sends a Relocation Detect message to the AP aggregation entity.
414. The UE sends an RB Reconfiguration Complete message to the destination AP.
415 and 416. After receiving the RB Reconfiguration Complete message, the destination AP starts sending and receiving data and sends a Relocation Complete message to the AP aggregation entity; the AP aggregation entity starts delivering data to the destination AP.
417 and 418. The AP aggregation entity sends an Iu Release Command message to the source AP to release the Iu interface resources between the AP and the AG.
419. The source AP releases the UE-related resources.
420 and 421. The source AP sends an Iu Release Complete message to the AP aggregation entity, completing the handover procedure.
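The message order of steps 401 to 421, as seen by the AP aggregation entity, can be enforced with a small state machine. The following Python sketch is an added example, not code from the patent; it models a single domain rather than separate PS and CS messages, and the class names, AP names and cell identifiers are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Phase(Enum):
    RESOURCES_REQUESTED = auto()  # Relocation Request sent to the destination AP
    COMMAND_SENT = auto()         # Relocation Command sent to the source AP
    DETECTED = auto()             # Relocation Detect received
    COMPLETED = auto()            # Relocation Complete received, downlink switched


class ProtocolError(Exception):
    """A message arrived out of order, from the wrong AP, or for an unknown UE."""


@dataclass
class Handover:
    source_ap: str
    target_ap: str
    phase: Phase


# message -> (AP that must send it, phase required, next phase, reply to source AP)
TRANSITIONS = {
    "Relocation Request Ack": ("target", Phase.RESOURCES_REQUESTED,
                               Phase.COMMAND_SENT, "Relocation Command"),
    "Relocation Detect": ("target", Phase.COMMAND_SENT, Phase.DETECTED, None),
    "Relocation Complete": ("target", Phase.DETECTED,
                            Phase.COMPLETED, "Iu Release Command"),
    "Iu Release Complete": ("source", Phase.COMPLETED, None, None),
}


@dataclass
class AggregationEntity:
    cell_to_ap: dict   # destination cell identifier -> AP (hypothetical names)
    serving_ap: dict   # UE -> AP that downlink data is delivered to
    handovers: dict = field(default_factory=dict)

    def on_message(self, sender, msg, ue, target_cell=None):
        """Handle one message from an AP; return (recipient AP, message) or None."""
        if msg == "Relocation Required":
            return self._start(sender, ue, target_cell)
        ho = self.handovers.get(ue)
        if ho is None or msg not in TRANSITIONS:
            raise ProtocolError(f"unexpected {msg!r} for {ue}")
        role, required, next_phase, reply = TRANSITIONS[msg]
        expected = ho.target_ap if role == "target" else ho.source_ap
        if sender != expected or ho.phase is not required:
            raise ProtocolError(f"{msg!r} from {sender} invalid in {ho.phase.name}")
        if msg == "Relocation Complete":
            # Steps 415/416: only now does downlink data go to the destination AP.
            self.serving_ap[ue] = ho.target_ap
        if next_phase is None:
            del self.handovers[ue]      # steps 420/421: handover finished
        else:
            ho.phase = next_phase
        return (ho.source_ap, reply) if reply else None

    def _start(self, sender, ue, target_cell):
        # Steps 401-404: only the serving AP may ask to relocate its UE.
        if self.serving_ap.get(ue) != sender:
            raise ProtocolError(f"{sender} is not the serving AP of {ue}")
        if ue in self.handovers:
            raise ProtocolError(f"handover already in progress for {ue}")
        target = self.cell_to_ap.get(target_cell)
        if target is None or target == sender:
            raise ProtocolError(f"no other AP serves cell {target_cell!r}")
        self.handovers[ue] = Handover(sender, target, Phase.RESOURCES_REQUESTED)
        return (target, "Relocation Request")


if __name__ == "__main__":
    entity = AggregationEntity({"cell-2": "AP-2"}, {"UE-1": "AP-1"})  # constructed
    print(entity.on_message("AP-1", "Relocation Required", "UE-1", "cell-2"))
    print(entity.on_message("AP-2", "Relocation Request Ack", "UE-1"))
```

Every reply in this flow is addressed to an AP; no message is sent toward the AG.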
It should be noted that the inter-AP handover implemented by the AP aggregation entity is completed inside the AP aggregation entity: the UE context is moved from the source AP to the destination AP, and this process does not pass through the mobile core network. In the prior art, handover between APs depends on the AG, which wastes mobile core network resources; now the AP aggregation entity implements the handover between APs directly, without passing through the mobile core network, which saves mobile core network resources.
The following describes in detail, with reference to FIG. 7, how the AP aggregation entity implements an AP local call, taking a UMTS AP as an example.
Method Embodiment 5:
FIG. 7 is a flowchart of an AP local call implemented by the AP aggregation entity according to an embodiment of the present invention. In this embodiment, the AP aggregation entity integrates the functions of a mobile switching center (MSC, Mobile Switching Center).
501. A radio resource control (RRC, Radio Resource Control) connection is established between the calling UE and the AP.
502. The calling UE sends an RRC initial direct transfer message to the AP; the message carries the calling UE's service request.
503. The AP sends an Initial UE Message to the AP aggregation entity.
504. Authentication and security mode control are performed between the calling UE and the AP aggregation entity.
505. The calling UE sends a Setup message to the AP; the message carries the called number information.
506. The AP forwards the calling UE's Setup message to the AP aggregation entity.
507. The AP aggregation entity determines, according to the called number information in the Setup message, whether this call is a local call; if it is a local loopback call, the local call procedure is entered.
Local call procedure:
508. The AP aggregation entity initiates a paging request to the called UE.
509. The called UE responds to the paging request of the AP aggregation entity.
510. Authentication and security mode control are performed between the called UE and the AP aggregation entity.
511. The AP aggregation entity sends a Setup message to the AP.
512. The AP forwards the Setup message to the UE.
513. The called UE sends a Call Confirmed message to the AP.
514. The AP forwards the Call Confirmed message to the AP aggregation entity.
515. A radio access bearer (RAB, Radio Access Bearer) is established between the AP aggregation entity and the called UE.
516. The called UE sends an Alerting message to the AP.
517. The AP forwards the Alerting message to the AP aggregation entity.
518. The called UE sends a Connect message to the AP.
519. The AP forwards the Connect message to the AP aggregation entity.
520. The AP aggregation entity sends a Connect Ack message to the AP.
521. The AP forwards the Connect Ack message to the called UE.
522. The voice call between the calling UE and the called UE begins.
It should be noted that, in the prior art, a local call can be implemented only through signaling exchanged between the AP and the AG, which not only wastes mobile core network bandwidth but also, because mobile core network resources are used, means that local calls between APs are charged. In the method of this embodiment of the present invention, local calls between APs are completed by the AP aggregation entity without passing through the AG, which not only saves core network resources but also makes local calls by the AP free of charge.
The following describes in detail, with reference to FIG. 8, how the AP aggregation entity implements AP local data processing, taking a UMTS AP as an example.
Method Embodiment 6:
FIG. 8 is a flowchart of AP local data processing implemented by the AP aggregation entity of the present invention. In this embodiment, the AP aggregation entity integrates the function of a serving GPRS (General Packet Radio Service) support node (SGSN, Serving GPRS Support Node).
601. When the UE has a data service to initiate, the UE sends an Activate PDP (Packet Data Protocol) Context Request message to the AP aggregation entity.
602. The AP aggregation entity identifies the access point name (APN, Access Point Name) in the Activate PDP Context Request message; if it is the same as the APN used for local data processing, the local data processing procedure is performed.
Local data processing procedure:
603. The AP aggregation entity allocates a local address to the UE.
604. An RAB is established between the AP aggregation entity and the UE; this step is optional.
605. The AP aggregation entity sends an Activate PDP Context Accept message to the UE; the message carries the local address allocated to the UE.
606. The UE transmits data; when the AP aggregation entity determines that the source address of a packet is a local address, it performs local data processing.
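The two decisions in steps 602 and 606 (APN match, then source-address test) can be sketched as follows. This is an added example, not code from the patent: the APN value, address pool and class name are hypothetical, and three behaviours are assumptions of the example rather than statements of the page, namely case-insensitive APN comparison, rejecting activation when the pool is exhausted, and dropping a packet whose local source address was not allocated to the sending UE.

```python
import ipaddress


class LocalDataProcessor:
    """Local data processing decisions of an AP aggregation entity (sketch)."""

    def __init__(self, local_apn, pool_cidr):
        # APN reserved for local data processing (hypothetical value supplied
        # by the caller); compared case-insensitively, an assumption here.
        self.local_apn = local_apn.lower()
        self._pool = ipaddress.ip_network(pool_cidr)
        self._free = list(self._pool.hosts())
        self._assigned = {}  # local address -> UE it was allocated to

    def activate_pdp_context(self, ue, apn):
        """Steps 602-605: decide local vs. core handling for a PDP activation."""
        if apn.lower() != self.local_apn:
            # Not the local APN: the request follows the normal path to the core.
            return {"handling": "core"}
        if not self._free:
            # Pool exhausted (assumption: reject rather than fall back to core).
            return {"handling": "reject"}
        address = self._free.pop(0)          # step 603: allocate a local address
        self._assigned[address] = ue
        return {
            "handling": "local",
            "message": "Activate PDP Context Accept",  # step 605
            "address": str(address),
        }

    def deactivate(self, ue):
        """Return every local address held by this UE to the pool."""
        for address in [a for a, owner in self._assigned.items() if owner == ue]:
            del self._assigned[address]
            self._free.append(address)

    def classify_uplink(self, ue, source_address):
        """Step 606: classify an uplink packet by its source address."""
        address = ipaddress.ip_address(source_address)
        if address not in self._pool:
            return "core"
        # The page only tests "is the source address local". Binding the
        # address to the UE it was allocated to is an assumption added here
        # so that one UE cannot borrow another UE's local address.
        return "local" if self._assigned.get(address) == ue else "drop"


if __name__ == "__main__":
    # Constructed sample values.
    proc = LocalDataProcessor("local.example", "10.10.0.0/30")
    print(proc.activate_pdp_context("UE-1", "local.example"))
    print(proc.classify_uplink("UE-1", "10.10.0.1"))
```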
It should be noted that the AP aggregation entity implements AP local data processing, and this process does not pass through the mobile core network. In the prior art, local data processing by the AP depends on the AG, which wastes mobile core network resources; now the AP aggregation entity implements the AP's local data processing directly, without passing through the mobile core network, which saves mobile core network resources.
An embodiment of the present invention provides a device for an access point to access a mobile core network, for example an access point aggregation device.
Device Embodiment 1:
FIG. 9 is a schematic diagram of a first embodiment of the device of the present invention.
The device in this embodiment of the present invention includes an establishing unit 901, an access unit 902, a receiving unit 903 and a transfer unit 904.
The establishing unit 901 establishes an IP network security protocol tunnel with the security gateway by using the IP address of the security gateway.
The access unit 902 accesses the access gateway of the mobile core network, through the IP network security protocol tunnel established by the establishing unit 901, by using the IP address of the access gateway.
The receiving unit 903 receives the access of access points; there is at least one access point.
The transfer unit 904 transfers the access point to the access gateway of the mobile core network.
There is no dedicated connection link between the AP and the AP aggregation entity. The device transfers the AP to the AG through an IPSec tunnel.
If there is a dedicated connection link between the AP and the AP aggregation entity, the AP aggregation entity transfers the access point to the access gateway of the mobile core network through the dedicated connection link.
For example, the dedicated connection link is a virtual local area network (VLAN, Virtual Local Area Network).
Device Embodiment 2:
FIG. 10 is a schematic diagram of a second embodiment of the device of the present invention.
Device Embodiment 2 differs from Device Embodiment 1 in that the AP aggregation entity does not have the IP addresses of the SeGW and the AG, so a first obtaining unit and a second obtaining unit are added. A checking unit is provided so that legitimate APs access the AG.
The first obtaining unit 1001 resolves, through the domain name system on the IP transport network, the IP address corresponding to the fully qualified domain name of the security gateway. The first obtaining unit 1001 is connected to the establishing unit 1002.
The second obtaining unit 1003 resolves, through the domain name system on the mobile core network, the IP address corresponding to the fully qualified domain name of the access gateway. The second obtaining unit 1003 is connected to the access unit 1004.
The checking unit 1005 determines whether an access point is legitimate by checking the MAC address, access link identifier or device identifier of each access point. The checking unit 1005 is connected to the receiving unit 1006.
The device carries a SIM or USIM;
the device authenticates with the security gateway by means of the SIM; or,
by means of the USIM; or,
by means of a pre-shared key; or,
by means of a digital certificate.
The present invention also provides a system for an access point to access a mobile core network. The system includes the access point aggregation device described in the above embodiments.
System Embodiment 1:
FIG. 11 is a structural diagram of a first embodiment of the system of the present invention.
The system in this embodiment of the present invention includes an access point 1101, an access point aggregation device 1102, a security gateway 1103 and an access gateway 1104.
The access point 1101 provides a radio access service for user equipment to access the mobile core network;
the security gateway 1103 protects the mobile core network side entities and establishes an IPSec tunnel with the access point 1101;
the access gateway 1104 provides an interface for user equipment to access the mobile core network;
the access point aggregation device 1102 establishes an IPSec tunnel with the SeGW; accesses the AG of the mobile core network through that IPSec tunnel by using the IP address of the AG; receives the access of the AP; and transfers the AP to the AG.
The AP can access the AP aggregation device through the Dynamic Host Configuration Protocol (DHCP). Because the AP does not carry a SIM card or USIM card, the AP aggregation device can check whether the MAC address, access link identifier or device identifier in the AP's packet is consistent with the configured MAC address, access link identifier or device identifier; when they are consistent, the AP is legitimate and is allowed to access.
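The legitimacy check described above, applied to the Discover/Offer/Request/Ack exchange by which an AP accesses the aggregation device, can be sketched as follows. This is an added example, not code from the patent: the field names and sample identifiers are hypothetical, and the policy (MAC address must be configured, and any access link identifier or device identifier configured for that AP must also match; a Request is acknowledged only after an Offer for the same transaction) is an assumption of the example. Only the initial exchange is modelled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConfiguredAP:
    mac: str
    link_id: Optional[str] = None    # expected access link, e.g. a VLAN label
    device_id: Optional[str] = None  # expected device identifier


@dataclass(frozen=True)
class DhcpMessage:
    kind: str        # "DISCOVER" or "REQUEST"
    xid: int         # DHCP transaction id
    mac: str         # client hardware address seen in the packet
    link_id: str     # access link the packet arrived on
    device_id: str   # device identifier carried in the packet


def normalize_mac(mac):
    """Canonical lower-case colon form; raises ValueError on malformed input."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class AdmissionControl:
    def __init__(self, configured):
        self._by_mac = {normalize_mac(ap.mac): ap for ap in configured}
        self._offered = set()   # (mac, xid) pairs with an Offer outstanding

    def is_legal(self, msg):
        """Compare the identifiers in the packet with the configured ones."""
        try:
            ap = self._by_mac.get(normalize_mac(msg.mac))
        except ValueError:
            return False
        if ap is None:
            return False
        if ap.link_id is not None and ap.link_id != msg.link_id:
            return False
        if ap.device_id is not None and ap.device_id != msg.device_id:
            return False
        return True

    def handle(self, msg):
        """Return "OFFER", "ACK", or None when no reply is sent."""
        if not self.is_legal(msg):
            return None
        key = (normalize_mac(msg.mac), msg.xid)
        if msg.kind == "DISCOVER":
            self._offered.add(key)
            return "OFFER"
        if msg.kind == "REQUEST" and key in self._offered:
            self._offered.discard(key)
            return "ACK"
        return None


if __name__ == "__main__":
    # Constructed sample configuration and packet.
    ac = AdmissionControl([ConfiguredAP("00:11:22:33:44:55", "vlan-10", "AP-SN-0001")])
    print(ac.handle(DhcpMessage("DISCOVER", 1, "00-11-22-33-44-55", "vlan-10", "AP-SN-0001")))
```

A MAC address alone can be copied by another device, which is why the sketch also matches the access link and device identifier when they are configured.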
If there is a dedicated connection link between the AP and the AP aggregation device, the AP aggregation device transfers the access point to the access gateway of the mobile core network through the dedicated connection link. For example, the dedicated connection link is a VLAN.
If there is no dedicated connection link between the AP and the AP aggregation device, an IPSec tunnel can be established between the AP and the AP aggregation device, and the AP aggregation device transfers the access point to the access gateway of the mobile core network through that IPSec tunnel.
The security gateway 1103 can be integrated into the access gateway 1104.
System Embodiment 1 adds the AP aggregation device 1102 so that the AP 1101 can access the AG 1104 of the mobile core network. Because one or two IPSec tunnels are established between the AP aggregation device 1102 and the AG 1104 of the mobile core network, the egress bandwidth of the local area network gateway (such as an enterprise gateway or a campus gateway) is saved. In addition, because the AP aggregation device 1102 carries the SIM card or USIM card, authentication of the AP 1101 is avoided; and the AP aggregation device 1102 can be located in the same equipment room as the enterprise gateway or campus gateway, which ensures the security of the SIM card or USIM card carried by each AP aggregation device 1102. Furthermore, the SeGW can also authenticate the AP aggregation entity 1102 by means of a pre-shared key or a digital certificate, so that the AP aggregation device 1102 does not need to carry a SIM card or USIM card, which avoids the security problem of the SIM card or USIM card.
System Embodiment 2:
FIG. 12 is a structural diagram of a second embodiment of the system of the present invention.
System Embodiment 2 differs from System Embodiment 1 in that the AP aggregation device does not have the IP addresses of the SeGW and the AG; System Embodiment 2 adds an IP transport network domain name system 1203 and a mobile core network domain name system 1205, and also adds an automatic configuration server 1207.
The access point aggregation device 1202 resolves, through the IP transport network domain name system 1203, the IP address corresponding to the fully qualified domain name of the security gateway 1204.
The access point aggregation device 1202 resolves, through the domain name system of the mobile core network, the IP address corresponding to the fully qualified domain name of the access gateway 1206.
The access point aggregation device 1202 is configured with mobile core network parameters, software version and the like through the automatic configuration server 1207.
The access point 1201 is configured with software version, AP radio parameters, mobile core network parameters, AG address, AP subscription service parameters and the like through the access point aggregation device 1202 or the automatic configuration server 1203.
System Embodiment 3:
FIG. 13 is a structural diagram of a third embodiment of the system of the present invention.
System Embodiment 3 is a scenario in which the AP aggregation device of the present invention is applied in an enterprise network; it can of course also be applied in a campus network or another local area network.
The AP aggregation device can aggregate multiple APs. Referring to FIG. 13, three APs access the AP aggregation entity through IPSec tunnels or dedicated connection links. Each UE accesses its corresponding AP over the air interface.
The AP aggregation device accesses the IP transport network through the enterprise gateway, then establishes one or two IPSec tunnels with the mobile core network SeGW over the IP transport network, connects to the SeGW through those IPSec tunnels, and then accesses the AG in the mobile core network through the SeGW.
Because the AP has already accessed the AP aggregation device and the AP aggregation device has already accessed the AG, the AP aggregation device transfers the AP to the AG, so that the AP accesses the AG.
The AP aggregation device carries the SIM card or USIM card, and the individual APs do not carry a SIM card or USIM. Because the AP aggregation device is in a secure location, the security of the SIM card or USIM card is ensured. In addition, the SeGW can also authenticate the AP aggregation device 1102 by means of a pre-shared key or a digital certificate, so that the AP aggregation device 1102 does not need to carry a SIM card or USIM card, which avoids the security problem of the SIM card or USIM card. As few as one IPSec tunnel can be established between the AP aggregation device and the SeGW, which saves the egress bandwidth of the enterprise gateway.
A person of ordinary skill in the art can understand that all or some of the steps in the above method implementations can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the content of each implementation of the foregoing communication method. The storage medium referred to here is, for example, a ROM/RAM, a magnetic disk or an optical disc.
In summary, in the method for an access point to access a mobile core network provided by the embodiments of the present invention, an IPSec tunnel is established between the AP aggregation entity and the SeGW, and the AG of the mobile core network is accessed through that IPSec tunnel. The AP aggregation entity also receives the access of multiple APs and transfers the APs to the AG of the mobile core network. Because the AP aggregation entity is added, each AP no longer has to establish its own IPSec tunnel with the SeGW, which saves the egress bandwidth of the enterprise gateway or campus gateway. In addition, the AP aggregation entity is located in the same equipment room as the enterprise gateway or campus gateway, which avoids the problem that, with each AP distributed throughout the enterprise or school buildings, the SIM card or USIM card is easily stolen.
A person of ordinary skill in the art can understand that all or some of the steps in the methods of the above embodiments can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, includes the following steps: establishing an IP network security protocol tunnel with the security gateway by using the IP address of the security gateway; accessing the access gateway of the mobile core network through that IP network security protocol tunnel by using the IP address of the access gateway; receiving the access of at least one access point; and transferring the access point to the access gateway of the mobile core network.

Claims

1. A method for an access point to access a mobile core network, characterized by comprising:
an access point aggregation entity establishing an IP network security protocol tunnel with a security gateway by using the IP address of the security gateway;
the access point aggregation entity accessing an access gateway of the mobile core network, through the IP network security protocol tunnel, by using the IP address of the access gateway;
the access point aggregation entity receiving the access of access points, there being at least one access point;
the access point aggregation entity transferring the access point to the access gateway of the mobile core network.
2. The method according to claim 1, characterized in that receiving the access of the access point comprises:
receiving a Dynamic Host Configuration Protocol (DHCP) Discover message from the access point;
when the access point is determined to be legitimate according to the DHCP Discover message, sending a DHCP Offer message to the access point;
receiving a DHCP Request message from the access point;
when the access point is determined to be legitimate according to the DHCP Request message, sending a DHCP Acknowledgement message to the access point.
3. The method according to claim 1 or 2, characterized in that, before the IP network security protocol tunnel with the security gateway is established by using the IP address of the security gateway, the method further comprises obtaining the IP address of the security gateway, specifically: resolving, through the domain name system on the IP transport network, the IP address corresponding to the fully qualified domain name of the security gateway.
4. The method according to claim 1 or 2, characterized in that, before the access gateway of the mobile core network is accessed by using the IP address of the access gateway, the method further comprises obtaining the IP address of the access gateway, specifically: resolving, through the domain name system on the mobile core network, the IP address corresponding to the fully qualified domain name of the access gateway.
5. The method according to claim 1 or 2, characterized in that:
when there is one IP network security protocol tunnel, the IP network security protocol tunnel is used for voice services and data services; or,
when there are two IP network security protocol tunnels, one is used for voice services and the other is used for data services.
6. The method according to claim 1 or 2, characterized by further comprising:
authenticating with the security gateway by means of a subscriber identity module card; or,
authenticating with the security gateway by means of a universal mobile telecommunications system subscriber identity module card; or,
authenticating with the security gateway by means of a pre-shared key; or,
authenticating with the security gateway by means of a digital certificate.
7. The method according to any one of claims 1 to 6, characterized by further comprising the access point aggregation entity implementing handover between access points, comprising:
after receiving the Relocation Required message sent by the source access point, the access point aggregation entity sending a Relocation Request message to the destination access point, requesting the destination access point to allocate resources;
after receiving the Relocation Request Ack message sent by the destination access point, the access point aggregation entity sending a Relocation Command message to the source access point;
the access point aggregation entity receiving the Relocation Complete message from the destination access point and delivering data to the destination access point.
8. The method according to any one of claims 1 to 6, characterized by further comprising the access point aggregation entity implementing a local call of the access point, comprising:
the access point aggregation entity receiving the Setup message of the calling user equipment forwarded by the access point, the Setup message carrying the number information of the called user equipment;
the access point aggregation entity determining, according to the called number information in the Setup message, whether this call is a local call, and if so, entering the local call procedure.
9. The method according to any one of claims 1 to 6, characterized by further comprising the access point aggregation entity implementing local data processing, comprising:
the access point aggregation entity identifying whether the access point name (APN) in the Activate Packet Data Protocol (PDP) Context Request message sent by the user equipment is the same as the access point name for local data processing, and if so, performing local data processing.
10、 一种接入点汇聚设备, 其特征在于, 包括:  10. An access point convergence device, which is characterized by:
建立单元, 用于由安全网关的 IP地址建立与安全网关之间的 IP网络安全 协议隧道;  Establishing a unit, configured to establish an IP network security protocol tunnel between the security gateway and the security gateway by using an IP address of the security gateway;
接入单元, 用于通过所述建立单元建立的 IP网络安全协议隧道, 由接入 网关的 IP地址接入移动核心网的接入网关; An access unit, configured to access an IP network security protocol tunnel established by the establishing unit, by access The IP address of the gateway accesses the access gateway of the mobile core network;
接收单元, 用于接收接入点的接入, 所述接入点至少有一个;  a receiving unit, configured to receive access of an access point, where the access point has at least one;
转接单元, 用于转接所述接入点至所述移动核心网的接入网关。  And a switching unit, configured to transfer the access point to an access gateway of the mobile core network.
11、 根据权利要求 10所述的接入点汇聚设备, 其特征在于, 所述设备还 包括与建立单元连接的第一获得单元, 用于通过 IP传输网上的域名命名系统 解析出安全网关的完全合格域名对应的 IP地址。  The access point aggregation device according to claim 10, wherein the device further comprises a first obtaining unit connected to the establishing unit, configured to parse out the complete security gateway by using a domain name naming system on the IP transmission network. The IP address corresponding to the qualified domain name.
12、 根据权利要求 10或 11所述的接入点汇聚设备, 其特征在于, 所述设 备还包括与接入单元连接的第二获得单元,用于通过移动核心网上的域名命名 系统解析出接入网关的完全合格域名对应的 IP地址。  The access point aggregation device according to claim 10 or 11, wherein the device further includes a second obtaining unit connected to the access unit, configured to parse and connect through a domain name naming system on the mobile core network. The IP address corresponding to the fully qualified domain name of the gateway.
13、 根据权利要求 10或 11所述的接入点汇聚设备, 其特征在于, 所述设 备还包括与接收单元连接的检查单元,用于通过检查每个接入点的 MAC地址、 接入链路标识或设备标识, 判断接入点是否合法。  The access point aggregation device according to claim 10 or 11, wherein the device further comprises an inspection unit connected to the receiving unit, configured to check a MAC address and an access chain of each access point. The road identifier or device identifier determines whether the access point is legal.
14. The access point aggregation device according to claim 10 or 11, wherein the device carries a subscriber identity module card or a universal mobile telecommunications system subscriber identity module card,
the access point aggregation device authenticates with the security gateway by means of the subscriber identity module card; or,
authenticates with the security gateway by means of the universal mobile telecommunications system subscriber identity module card; or,
authenticates with the security gateway by means of a pre-shared key; or,
authenticates with the security gateway by means of a digital certificate.
15. A system for an access point to access a mobile core network, comprising: an access point, a security gateway, an access gateway, and the access point aggregation device according to any one of claims 10 to 14; wherein
the access point is configured to provide a wireless access service for user equipment accessing the mobile core network;
the security gateway is configured to protect entities on the mobile core network side;
the access gateway is configured to provide an interface for the user equipment to access the mobile core network.
16. The system according to claim 15, wherein the system further comprises an automatic configuration server, and the access point aggregation device is configured with mobile core network parameters and a software version through the automatic configuration server.
17. The system according to claim 16, wherein the access point performs, through the access point aggregation device or the automatic configuration server, software version, AP wireless parameter, AP signing
PCT/CN2009/073068 2008-08-04 2009-08-04 Method, device and system for accessing mobile core network of access points WO2010015188A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810041477.9 2008-08-04
CN2008100414779A CN101645814B (en) 2008-08-04 2008-08-04 Method, equipment and system for enabling access points to access mobile core network

Publications (1)

Publication Number Publication Date
WO2010015188A1 true WO2010015188A1 (en) 2010-02-11

Family

ID=41657539

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/073068 WO2010015188A1 (en) 2008-08-04 2009-08-04 Method, device and system for accessing mobile core network of access points

Country Status (2)

Country Link
CN (1) CN101645814B (en)
WO (1) WO2010015188A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102215154B (en) * 2010-04-06 2016-05-25 中兴通讯股份有限公司 The access control method of Network and terminal
US9668199B2 (en) 2010-11-08 2017-05-30 Google Technology Holdings LLC Wireless communication system, method of routing data in a wireless communication system, and method of handing over a wireless communication device, having an established data connection to a local network
WO2012061870A1 (en) * 2010-11-08 2012-05-18 Monash University Method and system for catalysis
WO2015003393A1 (en) * 2013-07-12 2015-01-15 华为技术有限公司 Message processing method and device
CN105530633B (en) * 2014-09-30 2018-11-30 中国电信股份有限公司 Realize method, system and the equipment of WiFi access service
CN110036658B (en) * 2016-11-02 2023-01-10 苹果公司 LWIP user plane interface
CN106982427B (en) * 2017-04-14 2020-08-18 北京佰才邦技术有限公司 Connection establishment method and device
CN109688580A (en) * 2017-10-18 2019-04-26 华为技术有限公司 Access device matches connection method and access device
CN110798437B (en) * 2018-08-03 2023-02-21 中兴通讯股份有限公司 Data protection method and device and computer storage medium
CN115102987B (en) * 2022-06-16 2023-10-13 平安银行股份有限公司 Edge equipment management system for banking outlets

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1784072A (en) * 2004-12-02 2006-06-07 华为技术有限公司 Broad band mobile cut-in net system and its method
CN101142830A (en) * 2004-12-09 2008-03-12 美商内数位科技公司 Method and system for interworking of cellular networks and wireless local area networks

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111147273A (en) * 2018-11-06 2020-05-12 中兴通讯股份有限公司 Data security realization method and related equipment
WO2020093834A1 (en) * 2018-11-06 2020-05-14 中兴通讯股份有限公司 Data security implementation method relevant apparatus

Also Published As

Publication number Publication date
CN101645814B (en) 2012-05-23
CN101645814A (en) 2010-02-10

Similar Documents

Publication Publication Date Title
WO2010015188A1 (en) Method, device and system for accessing mobile core network of access points
US8989149B2 (en) Apparatus and method for removing path management
EP2658301B1 (en) Non-mobile authentication for mobile network gateway connectivity
EP2276286B1 (en) WLAN radio access network to UMTS radio access network handover with network requested packet data protocol context activation
US8594628B1 (en) Credential generation for automatic authentication on wireless access network
JP5972290B2 (en) Mobile router in EPS
EP1221820A2 (en) Arranging packet data connections in office system
JP2010213357A (en) Method of interfacing two wireless networks
WO2010031351A1 (en) Network attachment for ims systems for legacy cs ue with home node b access
WO2011075884A1 (en) Method and device for providing network service to a mobile user equipment
US9148776B1 (en) Network address preservation in mobile networks
WO2011134434A1 (en) Data transmission device, method and communication system
CN106470465B (en) WIFI voice service initiating method, LTE communication equipment, terminal and communication system
WO2012130133A1 (en) Access point and terminal access method
WO2012116623A1 (en) Mobile communication system and networking method
WO2011011945A1 (en) Message-sending method and serving gprs support node
WO2004051930A1 (en) A communication system and method of authentication therefor
WO2008095433A1 (en) Method, device and system for providing emergency service
KR101727557B1 (en) Method and apparatus for supporting local breakout service in wireless communication system
WO2012051892A1 (en) Method and system for data routing control
TW202234940A (en) Authentication and authorization associated with layer 3 wireless-transmit/receive-unit-to-network
WO2009025252A1 (en) METHOD FOR PROCESSING OF EMERGENCY SERVICE OF IP-BASED IN WiMAX
WO2010091589A1 (en) Security authentication method
EP1692902B1 (en) System and method providing secure access and roaming support for mobile subscribers in a semi-connected mode
WO2012022212A1 (en) Method, apparatus and system for user equipment access

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09804488

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09804488

Country of ref document: EP

Kind code of ref document: A1