WO2010015188A1 - Method, device and system for an access point to access a mobile core network - Google Patents

Method, device and system for an access point to access a mobile core network

Info

Publication number
WO2010015188A1
WO2010015188A1 PCT/CN2009/073068 CN2009073068W WO2010015188A1 WO 2010015188 A1 WO2010015188 A1 WO 2010015188A1 CN 2009073068 W CN2009073068 W CN 2009073068W WO 2010015188 A1 WO2010015188 A1 WO 2010015188A1
Authority
WO
WIPO (PCT)
Prior art keywords
access point
access
gateway
core network
mobile core
Application number
PCT/CN2009/073068
Other languages
English (en)
Chinese (zh)
Inventor
曹文利
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2010015188A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/164 Implementing security features at a particular protocol layer at the network layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W80/00 Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W92/00 Interfaces specially adapted for wireless communication networks
    • H04W92/04 Interfaces between hierarchically different network devices
    • H04W92/14 Interfaces between hierarchically different network devices between access point controllers and backbone network device

Definitions

  • The present invention relates to the field of network communication technologies, and in particular, to a method, device and system for an access point to access a mobile core network.
  • An access point (AP) is a network device that provides wireless access services for homes and small office/home office (SOHO) environments over a fixed Internet Protocol (IP) transmission network.
  • IP Internet Protocol
  • FIG. 1 is a block diagram of an AP applied to a home network.
  • The user equipment accesses the AP through the air interface. The AP accesses the IP transmission network through the home gateway (HGW), connects through the IP transmission network to the security gateway (SeGW) in the mobile core network, and then connects to the access gateway (AG).
  • HGW home gateway
  • SeGW Security Gateway
  • AG Access Gateway
  • the HGW can be integrated on the AP
  • SeGW can be integrated on the AG.
  • the AP has a Subscriber Identity Module (SIM) card or a Universal Mobile Telecommunications System Subscriber Identity Module (USIM) card.
  • SIM Subscriber Identity Module
  • USIM Universal Mobile Telecommunications System Subscriber Identity Module
  • IPSec Internet Protocol Security
  • The AP and AG can be based on the Universal Mobile Telecommunications System (UMTS), the Global System for Mobile Communications (GSM), or Code Division Multiple Access (CDMA).
  • UMTS Universal Mobile Telecommunications System
  • GSM Global System for Mobile Communications
  • CDMA Code Division Multiple Access
  • the AP can also be applied to a corporate or school network. See Figure 2, which is a block diagram of an AP applied to a corporate network or a school network.
  • The first user equipment (UE), the second UE, and the third UE respectively access the first access point (AP), the second AP and the third AP.
  • Each AP needs to establish an IPSec tunnel through the enterprise gateway or the campus gateway and the SeGW.
  • multiple IPSec tunnels exist between the enterprise gateway or the campus gateway and the SeGW, which wastes the egress bandwidth of the enterprise gateway or campus gateway.
  • Local calls and local data interaction between multiple APs, or between APs and other devices, must be relayed by the AG, which wastes the bandwidth of the mobile core network and uses mobile core network resources, so such local calls and local data interaction are not free.
  • the enterprise network or the campus network needs the AP network to provide a large range of continuous coverage, and the handover function between the APs is implemented by the AG, which wastes the mobile core network resources. Since each AP has a SIM card or a USIM card, and multiple APs are distributed in the enterprise or school building, it is easy to cause the SIM card or the USIM card to be stolen, and there is no guarantee for security.
  • Embodiments of the present invention provide a method, device, and system for an access point to access a mobile core network, which saves resources of a mobile core network.
  • An embodiment of the present invention provides a method for an access point to access a mobile core network, including: an access point aggregation entity establishes an IP network security protocol tunnel with the security gateway by using the IP address of the security gateway; the access point aggregation entity accesses the access gateway of the mobile core network, by using the IP address of the access gateway, through that IP network security protocol tunnel; the access point aggregation entity receives access of at least one access point; and the access point aggregation entity transfers the access point to the access gateway of the mobile core network.
  • The embodiment of the present invention further provides an access point aggregation device, including: an establishing unit, configured to establish an IP network security protocol tunnel with the security gateway by using the IP address of the security gateway; an access unit, configured to access the access gateway of the mobile core network, by using the IP address of the access gateway, through the IP network security protocol tunnel established by the establishing unit; a receiving unit, configured to receive the access of at least one access point; and a switching unit, configured to transfer the access point to the access gateway of the mobile core network.
  • The embodiment of the present invention further provides a system for an access point to access a mobile core network, including: an access point, a security gateway, an access gateway, and the access point aggregation device provided by the foregoing embodiment. The access point is configured to provide a wireless access service for the user equipment to access the mobile core network; the security gateway is configured to protect the mobile core network side entity; and the access gateway is configured to provide an interface for the user equipment to access the mobile core network.
  • an IPSec tunnel is established between the AP aggregation entity and the SeGW, and the AG of the mobile core network is accessed through the IPSec tunnel.
  • The AP aggregation entity receives access of multiple APs, and transfers the AP to the AG of the mobile core network. Because the AP aggregation entity is added, the IPSec tunnels to the SeGW are established by the AP aggregation entity instead of by each AP, which saves the egress bandwidth of the local area network gateway (such as an enterprise gateway or a campus gateway).
  • Figure 10 is a schematic view of a second embodiment of the apparatus based on the present invention.
  • FIG. 11 is a structural diagram of a first embodiment of the system based on the present invention.
  • Figure 12 is a structural view of a second embodiment of the system based on the present invention.
  • Figure 13 is a block diagram showing a third embodiment of the system based on the present invention.
  • A method for an access point to access a mobile core network is described in the first embodiment of the present invention, including:
  • the access point aggregation entity establishes an IP network security protocol tunnel with the security gateway;
  • the access point aggregation entity accesses the access gateway of the mobile core network through the IP network security protocol tunnel;
  • the access point aggregation entity receives access of at least one access point; and the access point aggregation entity transfers the access point to the access gateway of the mobile core network.
  • FIG. 3 is a flow chart of a method based on a first embodiment of the present invention.
  • This example uses an AP as an example to describe the process for an AP to access an AG through an AP aggregation entity.
  • the AP aggregation entity establishes an IPSec tunnel with the SeGW by the IP address of the SeGW.
  • The AP aggregation entity may have the IP address of the SeGW, so that the IPSec tunnel with the SeGW can be established directly by using the IP address of the SeGW.
  • the AP aggregation entity can resolve the IP address corresponding to the Fully Qualified Domain Name (FQDN) of the SeGW through the Domain Name System (DNS) server on the IP transport network.
  • FQDN Fully Qualified Domain Name
  • DNS Domain Name System
  • There can be one or two IPSec tunnels between the AP aggregation entity and the SeGW.
  • When there is one IPSec tunnel, it is used for both voice and data services.
  • When there are two IPSec tunnels, one can be used for voice services and the other for data services.
  • the AP aggregation entity carries a SIM card or a USIM card.
  • the SeGW can authenticate the AP aggregation entity through the SIM card or the USIM card, and check whether the AP aggregation entity is legal.
  • When the AP aggregation entity carries the SIM card, the Extensible Authentication Protocol method for SIM (EAP-SIM) is used to check whether the user ID carried by the SIM card is correct. If it is correct, the AP aggregation entity is legal.
  • When the AP aggregation entity carries the USIM card, the Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) is used to check whether the user ID carried by the USIM card is correct. If it is correct, the AP aggregation entity is legal.
  • EAP-AKA Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement
  • the AP aggregation entity may have the IP address of the AG so that the AG can be directly accessed by the AG's IP address.
  • the AP aggregation entity can resolve the IP address corresponding to the FQDN of the AG through the DNS server on the mobile core network.
  • the AP aggregation entity receives the access of the AP.
  • step 103 may be between step 101 or 102, or between step 101 and step 102.
  • The AP can access the AP aggregation entity through the Dynamic Host Configuration Protocol (DHCP).
  • DHCP Dynamic Host Configuration Protocol
  • The AP does not carry a SIM card or a USIM card. The AP aggregation entity can check whether the media access control (MAC) address, access link identifier, or device identifier in the AP packet is the same as the configured MAC address, access link identifier, or device identifier. If they are the same, the AP is legal and is allowed to access.
  • MAC media access control
  • the AP aggregation entity transfers the AP to the AG of the mobile core network.
  • the AP can configure the software version, AP wireless parameters, mobile core network parameters, AG address, and AP signing service parameters through the ACS (Automatic Configuration Server).
  • ACS Automatic Configuration Server
  • the AP aggregation entity may temporarily store the software version, the AP radio parameters, the mobile core network parameters, the AG address, and the AP-signed service parameters to the user, and then the AP configures the software version, the AP wireless parameters, and the mobile through the AP aggregation entity.
  • the AP aggregation entity transfers the AP to the AG of the mobile core network through the proprietary connection link.
  • The proprietary connection link is a virtual local area network (VLAN).
  • VLAN Virtual Local Area Network
  • The AP aggregation entity transfers the AP to the AG of the mobile core network through the VLAN.
  • an IPSec tunnel can be established between the AP and the AP aggregation entity.
  • the AP aggregation entity transfers the AP to the AG of the mobile core network through the IPSec tunnel.
  • An AP aggregation entity can aggregate multiple APs.
  • the SeGW may be integrated on the AG or may be an independent physical entity.
  • The method in the first embodiment achieves the purpose of accessing the AG of the mobile core network by adding an AP aggregation entity. Since one or two IPSec tunnels are established between the AP aggregation entity and the SeGW, the egress bandwidth of the LAN gateway (such as an enterprise gateway or a campus gateway) is saved. At the same time, because the AP aggregation entity carries the SIM card or the USIM card, the SeGW can directly authenticate the AP aggregation entity, and the AP aggregation entity can be located in the same equipment room as the LAN gateway (such as the enterprise gateway or the campus gateway), thereby avoiding the security issues that arise when each AP carries a SIM card or USIM card.
  • Method Embodiment 2 is a method that uses a SIM card or USIM card.
  • The AP aggregation entity does not have the IP addresses of the SeGW and the AG, and there is no proprietary connection link between the AP and the AP aggregation entity.
  • the AP aggregation entity parses the IP address of the SeGW.
  • the AP aggregation entity can resolve the IP address corresponding to the FQDN of the SeGW through the DNS server on the IP transmission network.
  • the AP aggregation entity establishes an IPSec tunnel with the SeGW.
  • There can be one or two IPSec tunnels between the AP aggregation entity and the SeGW.
  • When there is one IPSec tunnel, it is used for both voice and data services.
  • When there are two IPSec tunnels, one is used for voice services and the other for data services.
  • the AP aggregation entity carries a SIM card or a USIM card.
  • the SeGW can authenticate the AP aggregation entity through the SIM card or the USIM card to check whether the AP aggregation entity is legal.
  • When the AP aggregation entity carries the SIM card, the EAP-SIM protocol is used to check whether the user ID carried by the SIM card is correct. If it is correct, the AP aggregation entity is legal.
  • When the AP aggregation entity carries the USIM card, the EAP-AKA protocol is used to check whether the user ID carried by the USIM card is correct. If it is correct, the AP aggregation entity is legal.
  • the SeGW can also authenticate the AP aggregation entity by using a pre-shared key or a digital certificate, and check whether the AP aggregation entity is legal.
  • the AP aggregation entity parses the IP address of the AG.
  • the AP aggregation entity has the FQDN of the AG, or the AP aggregation entity can derive the AG's
  • the AP aggregation entity can resolve the IP address corresponding to the FQDN of the AG through the DNS server on the mobile network.
  • the AP aggregation entity accesses the AG of the mobile core network by the IP address of the AG.
  • the AP aggregation entity is configured through the ACS.
  • the AP aggregation entity mainly configures mobile core network parameters and software versions.
  • the step 206 of the second embodiment is similar to the step 103 of the first embodiment, and is not described here.
  • the AP establishes an IPSec tunnel with the AP aggregation entity.
  • the AP performs self-configuration through the AP aggregation entity.
  • the configuration content is software version, AP wireless parameters, mobile core network parameters, AG address, and AP signing service parameters.
  • the AP aggregation entity transfers the AP to the AG of the mobile core network.
  • the AP aggregation entity transfers the AP to the AG of the mobile core network through the IPSec tunnel established in step 207.
  • step 208 may also be:
  • the AP performs self-configuration (automatic configuration) through the ACS.
  • the AP aggregation entity aggregates multiple AP access points, and controls the access of the AP by checking the MAC address, the access link identifier, or the device identifier of the AP.
  • The AP aggregation entity provides AP local calls, local data interaction, and handover between APs. The process of receiving AP access by the AP aggregation entity is described in detail below with reference to FIG.
  • FIG. 5 is a flow chart of receiving AP access by an AP aggregation entity according to the present invention.
  • the AP sends a DHCP discovery message to the AP aggregation entity.
  • the AP aggregation entity checks whether the AP is legal. If it is legal, go to step 303.
  • An AP aggregation entity can check the legality of an AP in the following three ways:
  • the AP aggregation entity checks whether the MAC address of the AP is legal through the source MAC address of the DHCP discovery message.
  • The AP aggregation entity sends a DHCP offer message to the AP.
  • the AP sends a DHCP request message to the AP aggregation entity.
  • step 306 is performed.
  • the AP aggregation entity sends a DHCP acknowledgement message to the AP.
  • the AP aggregation entity can receive the access of multiple APs at the same time, and the process of accessing each AP is the same as the access procedure described in Embodiment 3 of the method.
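The legality check in the access procedure above (DHCP discovery, check, offer), as an added example that is not code from the patent. It assumes the access link identifier arrives as the DHCP option 82 circuit ID inserted by a layer 2 access switch and the device identifier as the option 61 client identifier; the `ApRecord` schema, function names and sample values are hypothetical, and where the text allows any one of the three checks, this example requires every identifier provisioned for the AP to match.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_RELAY_INFO, OPT_END = 0, 53, 61, 82, 255
DHCPDISCOVER = 1
SUBOPT_CIRCUIT_ID = 1


@dataclass(frozen=True)
class ApRecord:
    """One provisioned AP (hypothetical schema, not from the patent)."""
    mac: bytes
    link_id: Optional[bytes] = None    # expected option 82 circuit ID (assumption)
    device_id: Optional[bytes] = None  # expected option 61 client identifier (assumption)


def parse_tlv(data: bytes, dhcp_level: bool = True) -> Dict[int, bytes]:
    """Parse code/length/value fields; raise ValueError if one is truncated."""
    fields, i = {}, 0
    while i < len(data):
        code = data[i]
        if dhcp_level and code == OPT_END:
            break
        if dhcp_level and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        fields[code] = value
        i += 2 + length
    return fields


def parse_dhcp(payload: bytes) -> Tuple[bytes, Dict[int, bytes]]:
    """Return (chaddr, options) for an Ethernet BOOTREQUEST."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    if (payload[0], payload[1], payload[2]) != (1, 1, 6):  # op, htype, hlen
        raise ValueError("not an Ethernet BOOTREQUEST")
    return payload[28:34], parse_tlv(payload[240:])


def admit(frame_src_mac: bytes, payload: bytes,
          provisioned: Dict[bytes, ApRecord]) -> Tuple[bool, str]:
    """Decide whether the AP that sent this DHCP discovery may be offered an address."""
    try:
        chaddr, opts = parse_dhcp(payload)
        relay = parse_tlv(opts.get(OPT_RELAY_INFO, b""), dhcp_level=False)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return False, "not a DHCPDISCOVER"
    if chaddr != frame_src_mac:  # payload and frame must name the same device
        return False, "chaddr differs from frame source MAC"
    record = provisioned.get(frame_src_mac)
    if record is None:
        return False, "MAC not provisioned"
    if record.link_id is not None and relay.get(SUBOPT_CIRCUIT_ID) != record.link_id:
        return False, "access link identifier mismatch"
    if record.device_id is not None and opts.get(OPT_CLIENT_ID) != record.device_id:
        return False, "device identifier mismatch"
    return True, "admitted"


def build_discover(mac: bytes, circuit_id: bytes = b"", client_id: bytes = b"") -> bytes:
    """Constructed sample DHCPDISCOVER payload (not captured traffic)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                         b"", b"", b"", b"", mac, b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if client_id:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    if circuit_id:
        sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        opts += bytes([OPT_RELAY_INFO, len(sub)]) + sub
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


# Constructed sample data: locally administered MACs and made-up identifiers.
AP_MAC = bytes.fromhex("02005e100001")
OTHER_MAC = bytes.fromhex("02005e100002")
PROVISIONED = {AP_MAC: ApRecord(AP_MAC, b"floor2/port3", b"\x00AP-0001")}

if __name__ == "__main__":
    for port in (b"floor2/port3", b"floor4/port9"):
        print(port, admit(AP_MAC, build_discover(AP_MAC, port, b"\x00AP-0001"), PROVISIONED))
```

A provisioned MAC address presented on a different access port fails the link identifier comparison, which a MAC-only comparison would accept.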
  • the AP aggregation entity has the function of inter-AP handover. The following describes in detail how the AP aggregation entity implements inter-AP handover, and the UMTS AP is taken as an example for description.
  • FIG. 6 is a flow chart of implementing inter-AP handover based on the AP aggregation entity of the present invention.
  • the source AP determines that the UE needs to initiate a handover, the source AP sends a packet switch (PS,
  • the RANAP Radio Access Network Application Part
  • the RANAP relocates the Relocation Required message to the AP aggregation entity for migration.
  • After receiving the relocation request message, the AP aggregation entity sends a Relocation Request message to the destination AP according to the destination cell identifier, and requests the destination AP to allocate resources.
  • After receiving the relocation request message, the destination AP allocates related resources and establishes a radio link. 406 and 407: the destination AP returns a Relocation Request Ack message to the AP aggregation entity.
  • After receiving the relocation request response message, the AP aggregation entity sends a Relocation Command message to the source AP.
  • After receiving the relocation command message, the source AP stops sending data to the UE, and sends a radio bearer (RB) reconfiguration message to the UE.
  • RB Radio Bearer
  • the UE performs the air interface layer 1 synchronization with the destination AP.
  • 412 and 413: after the air interface layer 1 synchronization, the destination AP sends a Relocation Detect message to the AP aggregation entity.
  • The UE sends a radio bearer reconfiguration complete (RB Reconfiguration Complete) message to the destination AP.
  • RB Reconfiguration Complete radio bearer reconfiguration complete
  • After receiving the radio bearer reconfiguration complete message, the destination AP starts to send and receive data, and sends a Relocation Complete message to the AP aggregation entity, and the AP aggregation entity starts to send data to the destination AP.
  • The AP aggregation entity sends an Iu Release Command message to the source AP to release the Iu interface resources between the AP and the AG.
  • the source AP releases the UE related resources.
  • The source AP sends an Iu Release Complete message to the AP aggregation entity, completing the handover process.
  • The inter-AP handover is performed within the AP aggregation entity, which moves the UE context from the source AP to the destination AP. This process does not go through the mobile core network.
  • In the prior art, the handover between APs depends on the AG, which wastes the resources of the mobile core network.
  • In this embodiment, the AP aggregation entity directly implements the handover between APs without passing through the mobile core network, thereby saving the resources of the mobile core network.
  • the AP is described as an example.
  • A flow chart of an AP aggregation entity implementing an AP local call according to an embodiment of the present invention.
  • The AP aggregation entity integrates the mobile switching center (MSC).
  • MSC mobile switching center
  • RRC radio resource control
  • the calling UE sends an RRC initial direct transmission message to the AP, where the message has a service request of the calling UE.
  • the AP sends an initial UE message to the AP aggregation entity.
  • the calling UE sends a Setup message to the AP, where the message has the called number information.
  • The AP forwards the setup message of the calling UE to the AP aggregation entity.
  • the AP aggregation entity determines, according to the called number information in the setup message, whether the current call is a local call, and if it is a local loopback call, enters a local call procedure.
  • the AP aggregation entity initiates a paging request to the called UE.
  • the called UE responds to a paging request of the AP aggregation entity.
  • the AP aggregation entity sends a setup message to the AP.
  • The AP forwards the setup message to the UE.
  • 513. The called UE sends a Call Confirmed message to the AP.
  • The AP forwards the call confirmation message to the AP aggregation entity.
  • RAB radio access bearer
  • the called UE sends an alerting message to the AP.
  • the AP forwards the ringing message to the AP aggregation entity.
  • the called UE sends a Connect message to the AP.
  • the AP forwards the connection message to the AP aggregation entity.
  • the AP aggregation entity sends a Connect Ack message to the AP.
  • the AP forwards a connection response message to the called UE.
  • In the prior art, the local call must be implemented through interaction between the AP and the AG, which not only wastes mobile core network bandwidth but also means that local calls between APs are charged, because they use mobile core network resources.
  • In this embodiment, the local call between APs is completed by the AP aggregation entity and does not need to go through the AG, which not only saves core network resources but also makes the local call of the AP free.
  • the following describes in detail how the AP aggregation entity implements AP local data processing in conjunction with FIG. 8 and uses the UMTS AP as an example for description.
  • A flow chart of an AP aggregation entity implementing AP local data processing based on the present invention.
  • The AP aggregation entity integrates the functions of the serving GPRS (General Packet Radio Service) support node (SGSN).
  • GPRS General Packet Radio Service
  • When the UE has a data service to initiate, the UE sends an Activate PDP (Packet Data Protocol) Context Request message to the AP aggregation entity.
  • PDP Packet Data Protocol
  • The AP aggregation entity identifies the access point name (APN) in the Activate PDP Context Request message, and if it is the same as the APN configured for local data processing, performs a local data processing procedure.
  • APN Access Point Name
  • the AP aggregation entity allocates a local address to the UE.
  • The AP aggregation entity sends an Activate PDP Context Accept message to the UE, where the message has a local address assigned to the UE.
  • the UE performs data transmission, and the AP aggregation entity determines that the source address of the packet is a local address, and performs local data processing.
  • the AP aggregation entity implements AP local data processing, and the process does not pass through the mobile core network.
  • In the prior art, the local data processing of the AP relies on the AG, which wastes the resources of the mobile core network.
  • In this embodiment, the AP aggregation entity directly implements the local data processing of the AP without going through the mobile core network, which saves mobile core network resources.
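The local data processing decision described above (APN match, local address allocation, classification by source address), as an added example that is not code from the patent. The class and method names, the `ue_id` key, the APN string and the address pool are hypothetical; binding each local address to the UE it was allocated to, and dropping packets that use a local address the UE does not hold, is a stricter reading than the text's "source address is a local address" and is an assumption of this example.

```python
import ipaddress
from typing import Dict, List, Optional


class LocalBreakout:
    """Local data processing decision in the AP aggregation entity (added example)."""

    def __init__(self, local_apn: str, pool_cidr: str):
        self.local_apn = local_apn
        self.pool = ipaddress.ip_network(pool_cidr)
        self._free: List[ipaddress.IPv4Address] = list(self.pool.hosts())
        self._by_ue: Dict[str, ipaddress.IPv4Address] = {}

    def activate_pdp(self, ue_id: str, apn: str) -> Optional[str]:
        """Handle an Activate PDP Context Request.

        Returns the local address to put in the accept message, or None when the
        APN is not the local one and the request goes on to the core network.
        """
        if apn != self.local_apn:
            return None
        if ue_id not in self._by_ue:
            if not self._free:
                raise RuntimeError("local address pool exhausted")
            self._by_ue[ue_id] = self._free.pop(0)
        return str(self._by_ue[ue_id])

    def deactivate_pdp(self, ue_id: str) -> None:
        """Release the UE's local address so it can be allocated again."""
        addr = self._by_ue.pop(ue_id, None)
        if addr is not None:
            self._free.append(addr)

    def classify(self, ue_id: str, src_ip: str) -> str:
        """Return 'local', 'core' or 'drop' for a packet sent by this UE."""
        src = ipaddress.ip_address(src_ip)
        if self._by_ue.get(ue_id) == src:
            return "local"   # address was allocated to this UE: process locally
        if src in self.pool:
            return "drop"    # local-range source that this UE does not hold
        return "core"        # everything else goes through the tunnel to the AG


def demo() -> List[str]:
    """Run the flow on constructed sample values."""
    entity = LocalBreakout("local.example", "10.20.0.0/30")
    entity.activate_pdp("ue-1", "local.example")   # allocated 10.20.0.1
    entity.activate_pdp("ue-2", "internet")        # not local, no allocation
    return [
        entity.classify("ue-1", "10.20.0.1"),
        entity.classify("ue-2", "10.20.0.1"),
        entity.classify("ue-2", "100.64.0.7"),
    ]


if __name__ == "__main__":
    print(demo())
```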
  • The embodiments of the present invention provide a device for accessing a mobile core network, such as an access point aggregation device.
  • FIG. 9 is a schematic diagram of a first embodiment of the apparatus based on the present invention.
  • the device in the embodiment of the present invention includes: an establishing unit 901, an access unit 902, a receiving unit 903, and a switching unit 904.
  • the establishing unit 901 establishes an IP network security protocol tunnel with the security gateway by the IP address of the security gateway.
  • the access unit 902 accesses the access gateway of the mobile core network by using the IP address of the access gateway through the IP network security protocol tunnel established by the establishing unit 901.
  • the receiving unit 903 receives the access of the access point, and the access point has at least one.
  • the switching unit 904 transfers the access point to the access gateway of the mobile core network.
  • the device forwards the AP to the AG through an IPSec tunnel.
  • the AP aggregation entity transfers the access point to the access gateway of the mobile core network through the proprietary connection link.
  • The proprietary connection link is a virtual local area network (VLAN).
  • VLAN Virtual Local Area Network
  • FIG. 10 is a schematic diagram of a second embodiment of the apparatus based on the present invention.
  • the difference between the device embodiment 2 and the device embodiment 1 is that the AP aggregation entity does not have the IP addresses of the SeGW and the AG, so the first obtaining unit and the second obtaining unit are added. In order to enable a legitimate AP to access the AG, an inspection unit is set up.
  • The first obtaining unit 1001 resolves the IP address corresponding to the fully qualified domain name of the security gateway by using the domain name system on the IP transmission network.
  • the first obtaining unit 1001 is connected to the establishing unit 1002.
  • The second obtaining unit 1003 resolves the IP address corresponding to the fully qualified domain name of the access gateway by using the domain name system on the mobile core network.
  • the second obtaining unit 1003 is connected to the access unit 1004.
  • the checking unit 1005 determines whether the access point is legal by checking the MAC address, access link identifier or device identifier of each access point.
  • the checking unit 1005 is connected to the receiving unit 1006.
  • the device carries a SIM or USIM
  • the device performs authentication between the SIM and the security gateway; or
  • the invention also provides a system for an access point to access a mobile core network.
  • the system includes the access point aggregation device described in the above embodiments.
  • FIG. 11 is a block diagram of a first embodiment of the system based on the present invention.
  • the system in the embodiment of the present invention includes: an access point 1101, an access point aggregation device 1102, a security gateway 1103, and an access gateway 1104.
  • the access point 1101 provides a wireless access service for the user equipment to access the mobile core network; the security gateway 1103 protects the mobile core network side entity and establishes an IPSec tunnel with the access point 1101;
  • the access gateway 1104 provides an interface for the user equipment to access the mobile core network;
  • The access point aggregation device 1102 establishes an IPSec tunnel with the SeGW; accesses the AG of the mobile core network by the IP address of the AG through the IPSec tunnel; receives the access of the AP, and transfers the AP to the AG.
  • the AP can access the AP aggregation device through the Dynamic Host Configuration Protocol (DHCP).
  • DHCP Dynamic Host Configuration Protocol
  • the AP does not carry the SIM card or the USIM card.
  • the AP aggregation device can check whether the MAC address, access link identifier, or device ID of the AP packet is the same as the configured MAC address, access link identifier, or device ID. When the packets are consistent, the AP is legal and the AP is allowed to access.
  • the AP aggregation device transfers the access point to the access gateway of the mobile core network through the proprietary connection link.
  • the proprietary connection link is a VLAN.
  • an IPSec tunnel can be established between the AP and the AP aggregation device.
  • The AP aggregation device transfers the access point to the access gateway of the mobile core network through the IPSec tunnel.
  • the security gateway 1103 can be integrated on the access gateway 1104.
  • System embodiment 1 achieves the purpose of accessing the AG 1104 of the mobile core network by adding the AP aggregation device 1102. Since the AP aggregation device 1102 establishes one or two IPSec tunnels with the AG 1104 of the mobile core network, the egress bandwidth of the LAN gateway (such as an enterprise gateway or a campus gateway) is saved. At the same time, the AP aggregation device 1102 carries the SIM card or the USIM card, which avoids authenticating each AP 1101. The AP aggregation device 1102 can be located in the same equipment room as the enterprise gateway or the campus gateway, which avoids the security issues that arise when each AP carries a SIM card or a USIM card.
  • the SeGW can also authenticate the AP aggregation entity 1102 by using a pre-shared key or a digital certificate, so that the AP aggregation device 1102 does not need to carry a SIM card or a USIM card, thereby avoiding the security problem of the SIM card or the USIM card.
  • System Embodiment 2 :
  • FIG. 12 is a block diagram of a second embodiment of the system based on the present invention.
  • the difference between the system embodiment 2 and the system embodiment 1 is: the AP aggregation device does not have the IP addresses of the SeGW and the AG, and the system embodiment 2 adds the IP transport network domain name naming system 1203 and the mobile core network domain name naming system 1205, and also adds an auto-configuration server 1207.
  • the access point aggregation device 1202 parses the IP address corresponding to the fully qualified domain name of the security gateway 1204 through the IP transport network domain name naming system 1203.
  • the access point aggregation device 1202 parses the IP address corresponding to the fully qualified domain name of the access gateway 1206 by using the domain name naming system of the mobile core network.
  • the access point aggregation device 1202 performs configuration of mobile core network parameters and software versions and the like through the automatic configuration server 1207.
  • the access point 1201 performs configuration of a software version, an AP radio parameter, a mobile core network parameter, an AG address, and an AP-signed service parameter through the access point aggregation device 1202 or the automatic configuration server 1203.
  • System Embodiment 3:
  • FIG. 13 is a block diagram of a third embodiment of the system based on the present invention.
  • the third embodiment of the present invention is a scenario in which the AP aggregation device of the present invention is applied to an enterprise network, and can of course be applied to a campus network or other local area network.
  • An AP aggregation device can aggregate multiple APs.
  • three APs access the AP aggregation entity through an IPSec tunnel or a dedicated connection link.
  • Each UE accesses the corresponding AP through an air interface.
  • the AP aggregation device accesses the IP transport network through the enterprise gateway, then establishes one or two IPSec tunnels with the mobile core network SeGW through the IP transport network, connects to the SeGW through the IPSec tunnel, and accesses the AG of the mobile core network through the SeGW.
  • the AP aggregation device transfers the AP to the AG to implement the AP access to the AG.
  • the AP aggregation device carries a SIM card or a USIM card. Each AP does not carry a SIM card or USIM.
  • the AP aggregation device is secure.
  • the SIM card or USIM card is secure.
  • the SeGW can also authenticate the AP aggregation device 1102 by using a pre-shared key or a digital certificate, so that the AP aggregation device 1102 does not need to carry a SIM card or a USIM card, thereby avoiding the security problem of the SIM card or the USIM card.
  • a minimum of one IPSec tunnel can be established between the AP aggregation device and the SeGW to save the egress bandwidth of the enterprise gateway.
  • the program can be executed by instructing related hardware, and the program can be stored in a computer readable storage medium, and when executed, the program can include the contents of various embodiments of the foregoing communication method.
  • the storage medium referred to herein is, for example, a ROM/RAM, a magnetic disk, an optical disk, or the like.
  • an access point accesses a mobile core network
  • an IPSec tunnel is established between the AP aggregation entity and the SeGW, and the AG of the mobile core network is accessed through the IPSec tunnel.
  • the AP aggregation entity receives access of multiple APs, and transfers the AP to the AG of the mobile core network. Since the AP aggregation entity is added, it is avoided that each AP establishes an IPSec tunnel with the SeGW, thereby saving the egress bandwidth of the enterprise gateway or the campus gateway.
  • the AP aggregation entity is located in the same equipment room as the enterprise gateway or campus gateway.
  • the method includes the following steps: establishing an IP network security protocol tunnel with the security gateway by using the IP address of the security gateway; accessing the access gateway of the mobile core network by using the IP address of the access gateway; receiving access of at least one access point; and transferring the access point to an access gateway of the mobile core network.
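The legality check that the AP aggregation device performs before admitting an AP (MAC address, access link identifier, or device ID compared with the configured values) can be sketched as follows. This is an added example, not code from the patent: the names `ApIdentity`, `normalize_mac` and `is_legal_ap`, the sample values, and the choice to require every identifier configured for an entry to match are all assumptions.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class ApIdentity:
    """Identifiers of one AP; None means absent / not configured (hypothetical type)."""
    mac: Optional[str] = None
    link_id: Optional[str] = None    # access link identifier, e.g. a VLAN name
    device_id: Optional[str] = None

def normalize_mac(mac: str) -> Optional[str]:
    """Reduce aa:bb.., AA-BB.. and aabb.ccdd.eeff forms to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def _equal(a: Optional[str], b: Optional[str]) -> bool:
    # A missing or malformed value never matches; the comparison is constant-time.
    if a is None or b is None:
        return False
    return hmac.compare_digest(a.encode(), b.encode())

def is_legal_ap(seen: ApIdentity, configured: Sequence[ApIdentity]) -> bool:
    """Deny by default; admit when all identifiers configured for one entry match."""
    for entry in configured:
        checks = []
        if entry.mac is not None:
            checks.append(_equal(normalize_mac(seen.mac or ""), normalize_mac(entry.mac)))
        if entry.link_id is not None:
            checks.append(_equal(seen.link_id, entry.link_id))
        if entry.device_id is not None:
            checks.append(_equal(seen.device_id, entry.device_id))
        if checks and all(checks):   # an entry with nothing configured admits nobody
            return True
    return False

# Constructed sample configuration (not values from the patent).
CONFIGURED = [
    ApIdentity(mac="00:11:22:AA:BB:CC", link_id="vlan-120"),
    ApIdentity(device_id="AP-0002"),
]
```

Binding the MAC address to the access link identifier in one entry means a packet that copies a configured MAC but arrives on a different link is still refused.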

Abstract

The present invention relates to a method for access points to access a mobile core network. The method comprises the following steps: IP security protocol tunnels are established to a security gateway using the IP addresses of the security gateway; an access gateway of the mobile core network is accessed using an IP address of the access gateway over the IP security protocol tunnels; access of at least one access point is received; the access points are transferred to the access gateway of the mobile core network. The invention further relates to an access point aggregation unit.
PCT/CN2009/073068 2008-08-04 2009-08-04 Method, device and system for access points to access a mobile core network WO2010015188A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810041477.9 2008-08-04
CN2008100414779A CN101645814B (zh) 2008-08-04 2008-08-04 Method, device and system for an access point to access a mobile core network

Publications (1)

Publication Number Publication Date
WO2010015188A1 (fr) 2010-02-11

Family

ID=41657539

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/073068 WO2010015188A1 (fr) 2008-08-04 2009-08-04 Method, device and system for access points to access a mobile core network

Country Status (2)

Country Link
CN (1) CN101645814B (fr)
WO (1) WO2010015188A1 (fr)






Also Published As

Publication number Publication date
CN101645814B (zh) 2012-05-23
CN101645814A (zh) 2010-02-10


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09804488

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09804488

Country of ref document: EP

Kind code of ref document: A1