WO2012059137A1 - Session establishment with policy control - Google Patents

Session establishment with policy control


Publication number
WO2012059137A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
network
control
controller
destination
Prior art date
Application number
PCT/EP2010/066945
Other languages
French (fr)
Inventor
Juha Antero Rasanen
Original Assignee
Nokia Siemens Networks Oy
Priority date
Filing date
Publication date
Application filed by Nokia Siemens Networks Oy
Priority to PCT/EP2010/066945
Publication of WO2012059137A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/10 Flow control; Congestion control
    • H04L47/20 Traffic policing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/142 Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W8/04 Registration at HLR or HSS [Home Subscriber Server]

Definitions

  • the present invention relates to an apparatus, a method, a system, and a computer program product related to session establishment. More particularly, the present invention relates to an apparatus, a method, a system, and a computer program product for a session control with policy control interworking.
  • 3GPP: 3rd generation partnership project
  • TR: 3GPP technical report
  • the forthcoming "Building Block 3" of TR 23.839 is assumed to support a scenario / scenarios where a UE connected to a 3GPP access uses services that are offered by the BBF network, i.e. the user traffic is routed from the 3GPP access to the BBF packet core network.
  • both the 3GPP and BBF network are assumed to have policy control and enforcement functions on the user plane.
  • An example of the architecture is shown e.g. in 3GPP TR 23.839 v0.3.0 in figure 5.1.2-1.
  • the traffic channel is IP tunnelled through the broadband access to a mobile network gateway, e.g. in figure 5.1.2-1 of TR 23.839 to the evolved packet data gateway (ePDG).
  • ePDG: evolved packet data gateway
  • the PEP may be a broadband network gateway (BNG)
  • the PDP may be a broadband network policy control function (BPCF).
  • the BBF access can be aware of a 3GPP terminal connecting via BBF access and of the user and operator identity by means of network address identifier (NAI) and this would allow the PEP/BNG to initiate a control session towards the PDP/BPCF for the UE.
  • NAI: network address identifier
  • the broadband access does not support 3GPP access authentication, the traffic channel is internet protocol (IP) tunnelled through the broadband access to a mobile network gateway, the BBF access is not aware of a connecting 3GPP terminal, and consequently the PDP/BPCF should initiate the control session between the PDP/BPCF and PEP/BNG.
  • IP: internet protocol
  • the BPCF can initiate a control session towards the PCRF (triggered by the control session establishment from the PEP/BNG to PDP/BPCF).
  • the PCRF should initiate control session towards the BPCF.
  • the control sessions may be S9* sessions based on the Diameter protocol.
  • the PEP/BNG would be a client and the PDP/BPCF would be a server, and in other cases the PDP/BPCF would be a client and the PEP/BNG would be a server. And similarly, in some cases the PDP/BPCF would be a client and the PCRF would be a server, and in other cases the PCRF would be a client and the PDP/BPCF would be a server.
  • H-PCRF: home PCRF
  • V-PCRF: visited PCRF
  • a further scenario creating similar conditions is the Femto architecture (refer to 3GPP TR 23.839 / subclause 5.1.3.2).
  • IP security
  • HNB: Home NodeB
  • SC Gateway via/through a broadband access network.
  • the change of roles means more standardization and implementation work on the interface between the BNG and BPCF and on the interface between BPCF and PCRF, and possibly more signalling steps between the functions to handle the issue.
  • a method comprising detecting a data packet transferred between an origin and a destination and passing through an apparatus performing the method; identifying one of a destination network and an originating network based on an address of the destination and an address of the origin of the data packet, respectively; meeting a positive decision if one of the identified originating network and the identified destination network corresponds to a controller network whose identification is known by the apparatus, wherein an address of the one of the originating network and the destination network, or an address realm of the one of the originating network and the terminating network is determined as a transferred address; and requesting, if the positive decision is met, a control of a session to be associated to the data packet from an access control means, wherein the request comprises the transferred address.
  • the method may be a method of enforcing.
  • the request may comprise additionally the address or the address realm of the other one of the origin and the destination whose address or address realm is not determined as the transferred address.
  • the identifying may be further adapted to identify at least one of an apparatus, a user, and a subscriber, and the request may comprise an identity of the at least one of the apparatus, the user, and the subscriber.
  • the identity may be obtained by deep packet inspection of the data packet transferred between the origin and the destination and passing through the apparatus.
  • the data packets may be internet protocol tunnel establishment packets or internet protocol tunnel packets between the origin and the destination.
  • the data packet may be an internet protocol data packet, and wherein the address of the destination and/or the address of the origin may be obtained by inspection of the data packet, and/or wherein the destination address and/or the originating address may be received from another apparatus.
  • the detecting may be further adapted to detect the data packet only if it does not have an association to a session established on the apparatus.
  • the request for the control may comprise an address indication of a controller control means belonging to the network based on which the positive decision is met.
  • the apparatus may belong to a fixed broadband network or a mobile network.
  • the controller network may be a mobile network or a fixed broadband network.
  • a method comprising resolving a controller address of a controller control means based on a transferred address received in a request for a session control from an enforcement means; requesting an instruction for the session control from the controller control means, wherein the request for instruction comprises a comprised address which is based on the received transferred address; and providing the session control to the enforcement means, wherein the session control is based on the instruction received from the controller control means.
  • the method may be a method of control.
  • the resolving may be further adapted to resolve the controller address based on an at least one address indication additionally received in the request.
  • a method comprising deciding whether a gateway source address received in a request for a controller session control from a gateway network element matches a transferred address received in a request for instruction from an access control network element different from the gateway network element; providing the controller session control to the gateway network element if it is decided that the gateway source address matches the transferred address; and providing the instruction to the access control network element if it is decided that the gateway source address matches the transferred address, wherein the controller session control corresponds to the instruction.
  • the method may be a method of control.
  • an apparatus comprising detection means for detecting a data packet transferred between an origin and a destination and passing through the apparatus; identifying means for identifying one of a destination network and an originating network based on an address of the destination and an address of the origin of the data packet, respectively; network deciding means for meeting a positive decision if one of the originating network and the destination network identified by the identifying means corresponds to a controller network whose identification is known by the apparatus, wherein an address of the one of the originating network and the destination network, or an address realm of the one of the originating network and the terminating network is determined as a transferred address; and access control requesting means for requesting, if the network deciding means meets the positive decision, a control of a session to be associated to the data packet from an access control means, wherein the request comprises the transferred address.
  • the request may comprise additionally the address or the address realm of the other one of the origin and the destination whose address or address realm is not determined as the transferred address.
  • the identifying means may be further adapted to identify at least one of an apparatus, a user, and a subscriber, and the request may comprise an identity of the at least one of the apparatus, the user, and the subscriber.
  • the identity may be obtained by deep packet inspection of the data packet transferred between the origin and the destination and passing through the apparatus.
  • the data packets may be internet protocol tunnel establishment packets or internet protocol tunnel packets between the origin and the destination.
  • the data packet may be an internet protocol data packet, and the address of the destination and/or the address of the origin may be obtained by inspection of the data packet, and/or the destination address and/or the originating address may be received from another apparatus.
  • the detection means may be further adapted to detect the data packet only if it does not have an association to a session established on the apparatus.
  • the request for the control may comprise an address indication of a controller control means belonging to the network based on which the positive decision is met.
  • an apparatus comprising detection processor for detecting a data packet transferred between an origin and a destination and passing through the apparatus; identifying processor for identifying one of a destination network and an originating network based on an address of the destination and an address of the origin of the data packet, respectively; network deciding processor for meeting a positive decision if one of the originating network and the destination network identified by the identifying processor corresponds to a controller network whose identification is known by the apparatus, wherein an address of the one of the originating network and the destination network, or an address realm of the one of the originating network and the terminating network is determined as a transferred address; and access control requesting processor for requesting, if the network deciding processor meets the positive decision, a control of a session to be associated to the data packet from an access control device, wherein the request comprises the transferred address.
  • the request may comprise additionally the address or the address realm of the other one of
  • the identifying processor may be further adapted to identify at least one of an apparatus, a user, a subscriber, and the request may comprise an identity of the at least one of the apparatus, the user, and the subscriber.
  • the identity may be obtained by deep packet inspection of the data packet transferred between the origin and the destination and passing through the apparatus.
  • the data packets may be internet protocol tunnel establishment packets or internet protocol tunnel packets between the origin and the destination.
  • the data packet may be an internet protocol data packet, and the address of the destination and/or the address of the origin may be obtained by inspection of the data packet, and/or the destination address and/or the originating address may be received from another apparatus.
  • the detection processor may be further adapted to detect the data packet only if it does not have an association to a session established on the apparatus.
  • the request for the control may comprise an address indication of a controller control device belonging to the network based on which the positive decision is met.
  • the apparatus of the fourth or fifth aspect may belong to a fixed broadband network or a mobile network.
  • controller network may be a mobile network or a fixed broadband network.
  • a broadband network gateway comprising an apparatus according to the fourth or fifth aspect.
  • an apparatus comprising resolving means for resolving a controller address of a controller control means based on a transferred address received in a request for a session control from an enforcement means; instruction requesting means for requesting an instruction for the session control from the controller control means, wherein the request for instruction comprises a comprised address which is based on the received transferred address; and providing means for providing the session control to the enforcement means, wherein the session control is based on the instruction received from the controller control means.
  • the resolving means may be further adapted to resolve the controller address based on at least one address indication additionally received in the request.
  • an apparatus comprising resolving processor for resolving a controller address of a controller control device based on a transferred address received in a request for a session control from an enforcement device; instruction requesting processor for requesting an instruction for the session control from the controller control device, wherein the request for instruction comprises a comprised address which is based on the received transferred address; and providing processor for providing the session control to the enforcement device, wherein the session control is based on the instruction received from the controller control device.
  • the resolving processor may be further adapted to resolve the controller address based on at least one address indication additionally received in the request.
  • an apparatus comprising match deciding means for deciding whether a gateway source address received in a request for a controller session control from a gateway network element matches a transferred address received in a request for instruction from an access control network element different from the gateway network element; session control providing means for providing the controller session control to the gateway network element if the match checking means decides that the gateway source address matches the transferred address; and instruction providing means for providing the instruction to the access control network element if the match checking means decides that the gateway source address matches the transferred address, wherein the controller session control corresponds to the instruction.
  • an apparatus comprising match deciding processor for deciding whether a gateway source address received in a request for a controller session control from a gateway network element matches a transferred address received in a request for instruction from an access control network element different from the gateway network element; session control providing processor for providing the controller session control to the gateway network element if the match checking processor decides that the gateway source address matches the transferred address; and instruction providing processor for providing the instruction to the access control network element if the match checking processor decides that the gateway source address matches the transferred address, wherein the controller session control corresponds to the instruction.
  • a policy and charging rule function comprising an apparatus according to the tenth or eleventh aspect.
  • a system comprising an enforcing apparatus according to the fourth aspect; an access control apparatus according to the seventh aspect; wherein the access control means of the enforcing apparatus comprises the access control apparatus; the enforcement means of the access control apparatus comprises the enforcing apparatus; the request of the access control requesting means corresponds to the received request of the resolving means, wherein the transferred address of the access control requesting means corresponds to the transferred address of the resolving means; and the access control apparatus belongs to a same network as the enforcing apparatus.
  • the system may further comprise a controller control apparatus according to the tenth aspect; a controller gateway apparatus; wherein the controller gateway apparatus comprises the gateway network element of the controller control apparatus; wherein the controller control means of the access control apparatus comprises the controller control apparatus; the gateway source address of the match deciding means is the address of the gateway network element; the request for instruction of the instruction requesting means corresponds to the request for instruction of the match deciding means, wherein the transferred address of the match deciding means corresponds to the comprised address of the instruction requesting means; and the controller control apparatus and the controller gateway apparatus belong to the controller network which is different from the network the access control apparatus and the enforcing apparatus belong to.
  • a fourteenth aspect of the invention there is provided a system, comprising an enforcing apparatus according to the fifth aspect; an access control apparatus according to the eighth aspect; wherein the access control device of the enforcing apparatus comprises the access control apparatus; the enforcement device of the access control apparatus comprises the enforcing apparatus; the request of the access control requesting processor corresponds to the received request of the resolving processor, wherein the transferred address of the access control requesting processor corresponds to the transferred address of the resolving processor; and the access control apparatus belongs to a same network as the enforcing apparatus.
  • the system may further comprise a controller control apparatus according to the eleventh aspect; and a controller gateway apparatus; wherein the controller gateway apparatus comprises the gateway network element of the controller control apparatus; wherein the controller control device of the access control apparatus comprises the controller control apparatus; the gateway source address of the match deciding processor is the address of the gateway network element; the request for instruction of the instruction requesting processor corresponds to the request for instruction of the match deciding processor, wherein the transferred address of the match deciding processor corresponds to the comprised address of the instruction requesting processor; and the controller control apparatus and the controller gateway apparatus belong to the controller network which is different from the network the access control apparatus and the enforcing apparatus belong to.
  • a computer program product comprising computer-executable components which perform, when the program is run on a computer, the execution of which result in operations of the method according to any of the methods according to the first to third aspects.
  • the computer program product may be embodied as a computer-readable storage medium.
  • PEP and PDP are the same independent from whether the mobile control session and access authentication may be applied to the broadband access. Accordingly, implementation work on the interfaces PEP - PDP and also PDP - PCRF is saved.
  • Fig. 1 shows a system according to an embodiment of the invention;
  • Fig. 2 shows another system according to an embodiment of the invention
  • Fig. 3 shows an apparatus according to an embodiment of the invention;
  • Fig. 4 shows a method according to an embodiment of the invention;
  • Fig. 5 shows an apparatus according to an embodiment of the invention
  • Fig. 6 shows a method according to an embodiment of the invention;
  • Fig. 7 shows an apparatus according to an embodiment of the invention;
  • Fig. 8 shows a method according to an embodiment of the invention
  • Fig. 9 shows a message flow according to an embodiment of the invention.
  • Fig. 10 shows a message flow according to an embodiment of the invention.
  • Fig. 1 shows a system according to an embodiment of the invention.
  • the system comprises the broadband network access element BNG 100 and control element BPCF 200.
  • the BPCF controls the policy enforced by the BNG.
  • the broadband network gateway provides an interface on the broadband network side between the broadband network and a mobile network.
  • the enforcement function and the gateway function of the BNG may be embodied in different entities.
  • Fig. 2 shows another system according to an embodiment of the invention.
  • the system comprises a system of a broadband network 2 as that shown in Fig. 1, and in addition a mobile network gateway 400 and a policy and charging rules function (PCRF) 300 of a mobile network 3 different from the broadband network 2.
  • the mobile network gateway 400 provides the interface on the mobile network side between the broadband network 2 and the mobile network 3, and is operatively connected to the BNG 100. Traffic between the mobile network 3 and the broadband network 2 is routed through the BNG 100 and the mobile network gateway 400.
  • the PCRF 300 is responsible for providing a policy and charging rules function of the mobile network 3.
  • the policy and charging rules may be enforced by the mobile network gateway 400.
  • the enforcement function and the gateway function of the mobile network gateway 400 may be embodied in different entities.
  • the PCRF 300 of the mobile network 3 is operatively connected with the BPCF 200 of the broadband network 2 to exchange control commands.
  • the protocol between these entities may be a Diameter protocol.
  • the traffic channel from a user equipment (UE) or a Home NodeB (HNB) attached to the broadband network 2 may be IP tunneled through the broadband network gateway 100 to the mobile network gateway 400, if the user equipment uses services of the mobile network 3.
  • the BNG 100 may monitor the access to detect packet transfer between the UE attached to the broadband network 2 and known mobile network(s) such as mobile network 3.
  • the BNG may initiate a control session to the broadband network policy control function BPCF 200, when a UE establishes a session via the broadband access through the BNG to a mobile network.
  • the BPCF 200 may be enabled to find the realm and/or contact address of the PCRF 300 of the mobile network 3 from which the UE requests a service and to initiate a related control session to the PCRF 300.
  • the PCRF 300 may accept the control session initiated by the BPCF 200 and a further control session from the mobile network gateway (GW) 400.
  • the PCRF 300 may bind the control sessions from the BPCF 200 and GW 400, based on an address received with the requests for control, e.g. one or more IP address(es) of the tunnel endpoint(s).
  • the PCRF 300 may provide corresponding control commands/instructions to the mobile network gateway 400 and to the BPCF 200.
  • the BPCF 200 may control the BNG 100 based on the instructions received from the PCRF 300.
  • Fig. 3 shows an apparatus 100 according to an embodiment of the invention.
  • Fig. 4 shows a method according to an embodiment of the invention which may be performed by an apparatus according to Fig. 3.
  • the apparatus 100 may be a BNG. It may comprise a detection means 110, an identifying means 120, a network deciding means 130, and an access control requesting means 140.
  • the detection means 110 may detect a data packet from an origin through the apparatus to a destination (S110).
  • the detection means 110 may detect a data packet tunneled through the apparatus, and/or it may detect data packets for IP tunnel establishment.
  • the detection means may detect only data packets not having an association to a session established on the apparatus 100.
  • network identifications may be determined corresponding to step S120.
  • at least one of a destination network to which the destination of an IP tunnel belongs and an originating network to which the origin of the IP tunnel belongs may be determined, wherein the destination network is identified based on a destination address or address realm of the destination, and the originating network is identified based on an originating address or address realm of the origin.
  • the destination address and/or the originating address may be obtained from an IP packet or from deep packet inspection (DPI) of the tunneled traffic.
  • the identifications and/or addresses may be received from the access point of the UE, e.g. a DSLAM.
  • step S130 which may be performed by network deciding means 130, a positive decision is met if the destination network or the originating network identified by the identifying means corresponds to a known controller network, such as the mobile network 3.
  • the originating address or destination address or their respective address realm, based on which the positive decision is met is designated as
  • the BNG 100 may "know" a controller network e.g. because it stores identifications of controller networks with which IP tunneling is allowed/possible (e.g. in a roaming table), and/or it may request corresponding information from another network element where such information is available.
  • the known controller networks may be preferably different from the network the BNG belongs to.
  • If a positive decision is met in step S130, the method proceeds to step S140, otherwise it is terminated (S150).
  • step 140 which may be performed by access control requesting means 140, a control (e.g. QoS rules or parameters) of a session to be associated to the packet data stream from an access control means is requested, wherein the request may comprise the transferred address.
  • the request may comprise one or more of the other of the obtained origin and destination addresses or address realms, a user identification, an apparatus identification (e.g. a UE or HNB identity) and a separate parameter or indication for the BPCF to contact a relevant controller network controller, such as a PCRF.
  • Fig. 5 shows an apparatus 200 according to an embodiment of the invention.
  • Fig. 6 shows a method according to an embodiment of the invention which may be performed by an apparatus according to Fig. 5.
  • the apparatus 200 may be a BPCF. It may comprise a resolving means 210, an instruction requesting means 220, and a providing means 230.
  • the resolving means 210 may resolve a controller address of a controller control means based on a transferred address or address realm received in a request for an access session control from an enforcement means. This corresponds to step S210.
  • the controller control means may be a control function of a controller network, such as a PCRF of a mobile network.
  • the received request may comprise not only the transferred address, but e.g. a user identification, or an apparatus identification, or the other of the destination and originating address. In some of these embodiments, these identifications may be additionally used to resolve the controller address.
  • the request may also comprise an indication of the controller address.
  • step S220 which may be performed by instruction requesting means 220, an instruction for the access session control may be requested from the controller control means.
  • the request for instruction may comprise the transferred address or an address or address realm obtained based on it.
  • the request for instruction may additionally comprise one or more of the other of the obtained origin and destination addresses or address realms, a user identification, an apparatus identification (e.g. a UE or HNB identity).
  • step S230 which may be performed by providing means 230, the access session control may be provided to the enforcement means.
  • the access session control may be based on the instruction received from the controller control means.
  • Fig. 7 shows an apparatus 300 according to an embodiment of the invention.
  • Fig. 8 shows a method according to an embodiment of the invention which may be performed by an apparatus according to Fig. 7.
  • the apparatus 300 may be a PCRF. It may comprise a match deciding means 310, a session control providing means 320, and an instruction providing means 330.
  • the match deciding means 310 evaluates two received requests: a request for a controller session control from a gateway network element, and a request for instruction from an access control network element different from the gateway network element.
  • the access control network element may be a control function of a network the apparatus 300 does not belong to, such as a BPCF of a broadband network.
  • the match deciding means 310 may decide whether a transferred address received in the request for a controller session control matches a transferred address received in the request for instruction (step S310).
  • Matching may mean that the addresses are the same or that the addresses correspond unambiguously to each other. In some embodiments, the matching may also be based on user or apparatus (e.g.
  • controller session control may be provided to the gateway network element.
  • the instruction providing means 330 may perform step S330, wherein the instruction may be provided to the access control network element.
  • the controller session control may correspond to the instruction.
  • the controller session control may comprise policy and charging control (PCC) rules, and the instruction may comprise the corresponding quality of service (QoS) rules or parameters.
  • PCC: policy and charging control
  • QoS: quality of service
  • the sequence of the messages may be different, because there are two branches in the operation: (1) the BNG detects a service start and causes control sessions to be established to the BPCF and PCRF, and (2) the UE establishes a PDN session to the mobile network and causes a control session to be established between the GW and PCRF.
  • the PCRF may for example send QoS rules to the BPCF in a separate push operation (message 14 in Fig. 9) or in a response message (message 13 in Fig. 10).
  • the embodiment of methods supported by BNG described below with reference to Figs. 9 and 10 is easier than the method described for another embodiment hereinafter.
  • a broadband network access may detect possible establishment of a user session on the access by detecting IP packets received from a source address that has no association to any session established earlier. According to the present embodiment, this mechanism is further refined to detect a user session establishment towards a mobile network and to use the information for initiating a control session to a policy control function BPCF.
  • the following description is related to an embodiment where a data packet from a UE or a Home NodeB attached to the broadband network is directed to a mobile network. However, it may be correspondingly applied to embodiments where a data packet is directed from the mobile network to the UE or a Home NodeB, taking into account that the source and destination addresses change place in such a case.
  • the BNG monitors the access to detect whether there is any IP packet transfer from the UE. In particular, in some embodiments, it is detected if IP packets received from a source address have no association to an established session. By restricting to these packet data, the load on the BNG is reduced.
  • If the BNG recognizes a packet from the UE, the BNG checks the destination address of the packet.
  • the BNG assumes that this is an interworking case of BBF access and mobile network.
  • the BNG establishes a control session to the BPCF and sends the source and destination and/or tunnel end-point addresses to the BPCF (Fig. 9, step 5; Fig. 10, step 9).
  • the BNG may also include a separate indication for the BPCF to contact a relevant mobile network PCRF.
  • the BPCF deduces, from the parameters received from the BNG during the control session establishment, a need to establish an S9* control session to a PCRF of the mobile network identified from the destination address parameter or the separate indication.
  • the BPCF resolves the contact address of the PCRF, either internally e.g. from preconfigured information or through an external enquiry, based on the destination and/or tunnel end-point address parameters or the separate indication (Fig. 9, step 7; Fig. 10, step 11).
  • the BPCF establishes a control session to the PCRF and sends the source and destination addresses to the PCRF
  • the UE establishes a PDN connection, tunnelled through the BBF access, to the mobile network GW (Fig. 9, step 10; Fig. 10, step 5).
  • the GW establishes a Gx control session to the PCRF and sends (also) the source and destination addresses of the tunnelled transfer to the PCRF (Fig. 9, step 11; Fig. 10, step 6).
  • the PCRF binds the control session from the BPCF and the control session from the GW together based on the source address.
  • the PCRF sends PCC rules to the GW (Fig. 9, step 12; Fig. 10, step 7) and corresponding QoS rules to the BPCF (Fig. 9, step 14; Fig. 10, step 13).
  • a more complicated packet inspection operation may be supported by some embodiments of a BNG.
  • DPI: deep packet inspection
  • this mechanism is further refined to detect a user session establishment or a Home NodeB attachment to a mobile network by detecting an IP tunnel establishment through the broadband access towards the mobile network, and to use the information for initiating a control session to a policy control function BPCF.
  • the method of this embodiment may be applied correspondingly to packet data originating from the UE or Home NodeB and/or directed to the UE or Home NodeB, taking into account that the source and destination addresses change place in such a case.
  • the BNG monitors the access to detect whether there is any packet transfer from the UE. If the BNG recognizes a packet from the UE, the BNG checks the destination address of the packet.
  • the BNG assumes that this is an interworking case of BBF access and mobile network.
  • the BNG may directly check further details, e.g. the BNG may apply deep packet inspection to the packet, e.g. may inspect/detect further information like:
  • the type of the packet e.g. whether it is a tunnel establishment packet
  • IP addresses e.g. the tunnel end-point addresses in a tunnel establishment packet
  • the BNG establishes a control session to the BPCF and sends relevant available parameters like the tunnel end-point and/or source and destination addresses, the user and/or UE ID, Home NodeB identifier, requested QoS etc. to the BPCF.
  • the BNG may also include a separate indication for the BPCF to contact a relevant mobile network PCRF.
  • the BPCF deduces, from the parameters received from the BNG during the control session establishment, a need to establish an S9* control session to a PCRF of the mobile network identified from the destination and/or tunnel end-point address parameters or the separate indication.
  • the BPCF resolves the contact address of the PCRF, either internally e.g. from preconfigured information or through an external enquiry, based on the destination and/or tunnel end-point address parameters.
  • the BPCF establishes a control session to the PCRF and sends relevant available parameters like the tunnel end-point and/or source and destination addresses, the user and/or UE ID, the Home NodeB ID, requested QoS etc. to the PCRF.
  • the UE establishes a PDN connection, tunnelled through the BBF access, to the mobile network GW.
  • the GW establishes a Gx control session to the PCRF and sends (also) the source and destination addresses of the tunnelled transfer and possible user / UE / Home NodeB (HNB) IDs to the PCRF.
  • HNB: Home NodeB
  • the PCRF binds the control session from the BPCF and the control session from the GW together based on the user and/or UE ID and/or HNB and/or on the IP address(es).
  • the PCRF sends PCC rules to the GW and corresponding QoS rules to the BPCF.
  • tunnel is established through a broadband network element to a mobile network element and wherein the control of the broadband network element may be effected at least partly by a controller network element of the mobile network element.
  • a controller function of the broadband network may control at least partly a mobile network element.
  • An example of such a case is when services offered by a broadband core network are accessed via a mobile access network.
  • the tunnel ends at a gateway of the broadband network.
  • the tunnel may be originated in the broadband network.
  • both the origin and the destination of the tunnel through a gateway of the broadband network may be outside the same.
  • the gateway may define based on a predefined rule whether the control should be performed by the mobile network of the origin or the destination. For example, the control may be always performed based on the mobile network of one of the origin and the destination, or some mobile networks may be preferred to other mobile networks.
  • Embodiments are described with respect to an LTE network and a broadband network.
  • other networks with a control function and an enforcement function on the user plane such as a global packet radio system (GPRS) network, a universal mobile telecommunication system (UMTS) network, an asynchronous transfer mode (ATM) network etc.
  • GPRS: global packet radio system
  • UMTS: universal mobile telecommunication system
  • ATM: asynchronous transfer mode
  • the role of the BNG as described hereinabove may be split between a BNG apparatus and a digital subscriber line access multiplexer (DSLAM) to which a user equipment is attached.
  • DSLAM: digital subscriber line access multiplexer
  • the BPCF may control the corresponding functions of the DSLAM.
  • the DSLAM may perform deep packet inspection directly at the subscriber line interface and send the inspection results (e.g. User/UE Id or HNB Id) to the BNG apparatus through a control protocol between the BNG and DSLAM.
  • DPI for the BNG may be easier and the BNG may be less loaded.
  • the detecting of a data packet or its inspection may be performed by a separate standalone monitoring / traffic detection entity.
  • policy and charging control in some embodiments only policy control or only charging control may be employed.
  • exemplary embodiments of the present invention provide, for example a network gateway such as a broadband network gateway, or a component thereof, an apparatus embodying the same, a method for controlling and/or operating the same, and computer program(s) controlling and/or operating the same as well as mediums carrying such computer program(s) and forming computer program product(s).
  • exemplary embodiments of the present invention provide, for example a policy control function such as a broadband network policy control function, or a component thereof, an apparatus embodying the same, a method for controlling and/or operating the same, and computer program(s) controlling and/or operating the same as well as mediums carrying such computer program(s) and forming computer program product(s).
  • Still further exemplary embodiments of the present invention provide, for example a rules function such as a policy and charging rules function, or a component thereof, an apparatus embodying the same, a method for controlling and/or operating the same, and computer program(s) controlling and/or operating the same as well as mediums carrying such computer program(s) and forming computer program product(s).
  • Implementations of any of the above described blocks, apparatuses, systems, techniques or methods include, as non limiting examples, implementations as hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
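
The BNG, BPCF and PCRF steps listed above (detect a packet with no session association, check its destination against known mobile networks, open the control sessions, bind them at the PCRF on the source address) are modelled below in both message orders of Figs. 9 and 10. This is an added example, not code from the patent; the class names, rule fields, realm name and documentation-range addresses are constructed assumptions, and direct method calls stand in for the Diameter sessions.

```python
import ipaddress

# Constructed sample configuration (RFC 5737 documentation ranges), not from the patent.
CONTROLLER_NETWORKS = {"mobile-a.example": ipaddress.ip_network("203.0.113.0/24")}
PCRF_CONTACTS = {"mobile-a.example": "pcrf.mobile-a.example"}  # BPCF's preconfigured lookup


class Pcrf:
    """Binds the S9* session (from the BPCF) and the Gx session (from the GW) on the source address."""

    def __init__(self):
        self.s9_pending = {}  # source address -> destination reported via the BPCF
        self.gx_pending = {}  # source address -> destination reported by the GW
        self.bound = {}       # source address -> rules issued once both sessions exist

    def _bind(self, src):
        # No rules are issued until both control sessions for this source are present.
        if src not in self.s9_pending or src not in self.gx_pending:
            return None
        self.s9_pending.pop(src)
        # Hypothetical rule fields; the patent only says PCC rules go to the GW.
        pcc = {"flow": (src, self.gx_pending.pop(src)), "max_kbps": 2000, "charging_key": 7}
        # The QoS rules for the BPCF correspond to the PCC rules, without charging data.
        qos = {k: v for k, v in pcc.items() if k != "charging_key"}
        self.bound[src] = {"pcc_to_gw": pcc, "qos_to_bpcf": qos}
        return self.bound[src]

    def on_s9_request(self, src, dst):
        self.s9_pending[src] = dst
        return self._bind(src)

    def on_gx_request(self, src, dst):
        self.gx_pending[src] = dst
        return self._bind(src)


class Bpcf:
    """Resolves the PCRF from the parameters sent by the BNG and opens the S9* session."""

    def __init__(self, pcrfs):
        self.pcrfs = pcrfs  # contact address -> Pcrf object (stand-in for a Diameter peer)

    def on_bng_request(self, req):
        contact = PCRF_CONTACTS.get(req["realm"])
        if contact is None:
            return {"status": "no-pcrf", "rules": None}
        rules = self.pcrfs[contact].on_s9_request(req["source"], req["destination"])
        return {"status": "s9-open", "pcrf": contact, "rules": rules}


class Bng:
    """Requests session control only for unassociated sources heading to a known controller network."""

    def __init__(self, bpcf):
        self.bpcf = bpcf
        self.sessions = set()  # source addresses that already have a control session

    def on_packet(self, src, dst):
        if src in self.sessions:
            return None  # packet belongs to an established session: nothing to do
        addr = ipaddress.ip_address(dst)
        realm = next((name for name, net in CONTROLLER_NETWORKS.items() if addr in net), None)
        if realm is None:
            return None  # destination is not a known controller network: no positive decision
        reply = self.bpcf.on_bng_request({"source": src, "destination": dst, "realm": realm})
        if reply["status"] == "s9-open":
            self.sessions.add(src)
        return reply


def build_chain():
    """Wire one PCRF, one BPCF and one BNG together for a run."""
    pcrf = Pcrf()
    bng = Bng(Bpcf({"pcrf.mobile-a.example": pcrf}))
    return bng, pcrf


if __name__ == "__main__":
    bng, pcrf = build_chain()
    # Fig. 9 order: the BNG branch runs first, the GW's Gx session completes the binding.
    print(bng.on_packet("198.51.100.10", "203.0.113.5"))
    print(pcrf.on_gx_request("198.51.100.10", "203.0.113.5"))
    # Fig. 10 order: the Gx session exists first, so the S9* response already carries the rules.
    print(pcrf.on_gx_request("198.51.100.20", "203.0.113.5"))
    print(bng.on_packet("198.51.100.20", "203.0.113.5"))
```

A Gx session whose source address was never reported through the BNG and BPCF stays in `gx_pending` and receives no rules, which is the state to monitor when the two branches disagree about the source address.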

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

It is provided a method, comprising detecting a data packet transferred between an origin and a destination (S110) and passing through an apparatus (100) performing the method; identifying one of a destination network and an originating network based on an address of the destination and an address of the origin of the data packet (S120), respectively; meeting a positive decision if one of the identified originating network and the identified destination network corresponds to a controller network whose identification is known by the apparatus (S130), wherein an address of the one of the originating network and the destination network, or an address realm of the one of the originating network and the terminating network is determined as a transferred address; and requesting, if the positive decision is met, a control of a session to be associated to the data packet from an access control means (200), wherein the request comprises the transferred address (S140).

Description

Session establishment with policy control
Field of the invention
The present invention relates to an apparatus, a method, a system, and a computer program product related to session establishment. More particularly, the present invention relates to an apparatus, a method, a system, and a computer program product for a session control with policy control interworking.
Background of the invention
The 3rd generation partnership project (3GPP) is studying and standardizing interworking between 3GPP mobile networks and fixed broadband networks, refer to 3GPP technical report (TR) 23.839. Policy and charging and control is an important and integral part of the interworking.
In section "Building Block 1" of TR 23.839, various scenarios are contained, where a user equipment (UE) connected to a broadband forum (BBF) access uses services that are offered by the 3GPP network, i.e. the user traffic is routed from the BBF access to the 3GPP evolved packet core network (EPC). In these scenarios both the BBF and 3GPP network have policy control and enforcement functions on the user plane (refer to various scenarios and figures in 3GPP TR 23.839).
The forthcoming "Building Block 3" of TR 23.839 is assumed to support a scenario / scenarios where a UE connected to a 3GPP access uses services that are offered by the BBF network, i.e. the user traffic is routed from the 3GPP access to the BBF packet core network. In this scenario / these scenarios both the 3GPP and BBF network are assumed to have policy control and enforcement functions on the user plane.
An example of the architecture is shown e.g. in 3GPP TR 23.839 v0.3.0 in figure 5.1.2-1. Typical to the BBF interworking cases described in TR 23.839 is that the traffic channel is IP tunnelled through the broadband access to a mobile network gateway, e.g. in figure 5.1.2-1 of TR 23.839 to the evolved packet data gateway (ePDG).
According to the prior art, it is assumed that the current 3GPP standardized way of establishing a control session between policy enforcement point (PEP) and a policy decision point (PDP) can be applied to the broadband access (= BBF access) functions/elements policy enforcement point (PEP) and policy decision point (PDP) only if the broadband access supports 3GPP access authentication. The PEP may be a broadband network gateway (BNG), and the PDP may be a broadband network policy control function (BPCF). In such a case the BBF access can be aware of a 3GPP terminal connecting via BBF access and of the user and operator identity by means of network address identifier (NAI) and this would allow the PEP/BNG to initiate a control session towards the PDP/BPCF for the UE. But if the broadband access does not support 3GPP access authentication, the traffic channel is internet protocol (IP) tunnelled through the broadband access to a mobile network gateway, the BBF access is not aware of a connecting 3GPP terminal, and consequently the PDP/BPCF should initiate the control session between the PDP/BPCF and PEP/BNG.
As a consequence, if the broadband access supports 3GPP access authentication (and consequently the PEP/BNG initiates a control session towards the PDP/BPCF), the BPCF can initiate a control session towards the PCRF (triggered by the control session establishment from the PEP/BNG to PDP/BPCF). But if the broadband access does not support 3GPP access authentication, the PCRF should initiate control session towards the BPCF. The control sessions may be S9* sessions based on the Diameter protocol.
The current assumption in the prior art breaks the architectural principles of the roles of 3GPP policy control functions. In some cases the PEP/BNG would be a client and the PDP/BPCF would be a server, and in other cases the PDP/BPCF would be a client and the PEP/BNG would be a server. And similarly, in some cases the PDP/BPCF would be a client and the PCRF would be a server, and in other cases the PCRF would be a client and the PDP/BPCF would be a server.
Similarly, in a roaming, home routed, untrusted case (refer to 3GPP TR 23.839 / figure 5.1.2-6) the home-PCRF (H-PCRF) would have to initiate the S9 session towards the visited PCRF (V-PCRF), which would mean a swap of client/server roles of H-PCRF and V-PCRF and related parameter, message and procedural alignments in the S9 protocol. Consequently, sometimes the H-PCRF would be a Diameter server and the V-PCRF a Diameter client, and vice versa.
A further scenario creating similar conditions is the Femto architecture (refer to 3GPP TR 23.839 / subclause 5.1.3.2). In this case an IP (security) tunnel is established between the Home NodeB (HNB) and the Security Gateway via/through a broadband access network.
The change of roles means more standardization and implementation work on the interface between the BNG and BPCF and on the interface between BPCF and PCRF, and possibly more signalling steps between the functions to handle the issue.
Summary of the invention
It is an object of the present invention to improve the prior art.
According to a first aspect of the invention, there is provided a method, comprising detecting a data packet transferred between an origin and a destination and passing through an apparatus performing the method; identifying one of a destination network and an originating network based on an address of the destination and an address of the origin of the data packet, respectively; meeting a positive decision if one of the identified originating network and the identified destination network corresponds to a controller network whose identification is known by the apparatus, wherein an address of the one of the originating network and the destination network, or an address realm of the one of the originating network and the terminating network is determined as a transferred address; and requesting, if the positive decision is met, a control of a session to be associated to the data packet from an access control means, wherein the request comprises the transferred address.
The method may be a method of enforcing.
In the method, the request may comprise additionally the address or the address realm of the other one of the origin and the destination whose address or address realm is not determined as the transferred address.
In the method, the identifying may be further adapted to identify at least one of an apparatus, a user, and a subscriber, and the request may comprise an identity of the at least one of the apparatus, the user, and the subscriber.
In the method, the identity may be obtained by deep packet inspection of the data packet transferred between the origin and the destination and passing through the apparatus.
In the method, the data packets may be internet protocol tunnel establishment packets or internet protocol tunnel packets between the origin and the destination.
In the method, the data packet may be an internet protocol data packet, and wherein the address of the destination and/or the address of the origin may be obtained by inspection of the data packet, and/or wherein the destination address and/or the originating address may be received from another apparatus.
In the apparatus, the detecting may be further adapted to detect the data packet only if it does not have an association to a session established on the apparatus.
In the apparatus, the request for the control may comprise an address indication of a controller control means belonging to the network based on which the positive decision is met.
In the method, the apparatus may belong to a fixed broadband network or a mobile network.
In the method, the controller network may be a mobile network or a fixed broadband network.
According to a second aspect of the invention, there is provided a method, comprising resolving a controller address of a controller control means based on a transferred address received in a request for a session control from an enforcement means; requesting an instruction for the session control from the controller control means, wherein the request for instruction comprises a comprised address which is based on the received transferred address; and providing the session control to the enforcement means, wherein the session control is based on the instruction received from the controller control means.
The method may be a method of control.
In the method, the resolving may be further adapted to resolve the controller address based on at least one address indication additionally received in the request.
According to a third aspect of the invention, there is provided a method, comprising deciding whether a gateway source address received in a request for a controller session control from a gateway network element matches a transferred address received in a request for instruction from an access control network element different from the gateway network element; providing the controller session control to the gateway network element if it is decided that the gateway source address matches the transferred address; and providing the instruction to the access control network element if it is decided that the gateway source address matches the transferred address, wherein the controller session control corresponds to the instruction.
The method may be a method of control.
According to a fourth aspect of the invention, there is provided an apparatus, comprising detection means for detecting a data packet transferred between an origin and a destination and passing through the apparatus; identifying means for identifying one of a destination network and an originating network based on an address of the destination and an address of the origin of the data packet, respectively; network deciding means for meeting a positive decision if one of the originating network and the destination network identified by the identifying means corresponds to a controller network whose identification is known by the apparatus, wherein an address of the one of the originating network and the destination network, or an address realm of the one of the originating network and the terminating network is determined as a transferred address; and access control requesting means for requesting, if the network deciding means meets the positive decision, a control of a session to be associated to the data packet from an access control means, wherein the request comprises the transferred address.
In the apparatus, the request may comprise additionally the address or the address realm of the other one of the origin and the destination whose address or address realm is not determined as the transferred address.
In the apparatus, the identifying means may be further adapted to identify at least one of an apparatus, a user, and a subscriber, and the request may comprise an identity of the at least one of the apparatus, the user, and the subscriber.
In the apparatus, the identity may be obtained by deep packet inspection of the data packet transferred between the origin and the destination and passing through the apparatus.
In the apparatus, the data packets may be internet protocol tunnel establishment packets or internet protocol tunnel packets between the origin and the destination.
In the apparatus, the data packet may be an internet protocol data packet, and the address of the destination and/or the address of the origin may be obtained by inspection of the data packet, and/or the destination address and/or the originating address may be received from another apparatus.
In the apparatus, the detection means may be further adapted to detect the data packet only if it does not have an association to a session established on the apparatus.
In the apparatus, the request for the control may comprise an address indication of a controller control means belonging to the network based on which the positive decision is met.
According to a fifth aspect of the invention, there is provided an apparatus, comprising detection processor for detecting a data packet transferred between an origin and a destination and passing through the apparatus; identifying processor for identifying one of a destination network and an originating network based on an address of the destination and an address of the origin of the data packet, respectively; network deciding processor for meeting a positive decision if one of the originating network and the destination network identified by the identifying processor corresponds to a controller network whose identification is known by the apparatus, wherein an address of the one of the originating network and the destination network, or an address realm of the one of the originating network and the terminating network is determined as a transferred address; and access control requesting processor for requesting, if the network deciding processor meets the positive decision, a control of a session to be associated to the data packet from an access control device, wherein the request comprises the transferred address.
In the apparatus, the request may comprise additionally the address or the address realm of the other one of the origin and the destination whose address or address realm is not determined as the transferred address.
In the apparatus, the identifying processor may be further adapted to identify at least one of an apparatus, a user, a subscriber, and the request may comprise an identity of the at least one of the apparatus, the user, and the subscriber.
In the apparatus, the identity may be obtained by deep packet inspection of the data packet transferred between the origin and the destination and passing through the apparatus.
In the apparatus, the data packets may be internet protocol tunnel establishment packets or internet protocol tunnel packets between the origin and the destination.
In the apparatus, the data packet may be an internet protocol data packet, and the address of the destination and/or the address of the origin may be obtained by inspection of the data packet, and/or the destination address and/or the originating address may be received from another apparatus.
In the apparatus, the detection processor may be further adapted to detect the data packet only if it does not have an association to a session established on the apparatus.
In the apparatus, the request for the control may comprise an address indication of a controller control device belonging to the network based on which the positive decision is met.
The apparatus of the fourth or fifth aspect may belong to a fixed broadband network or a mobile network.
In the apparatus of the fourth or fifth aspect, the controller network may be a mobile network or a fixed broadband network.
According to a sixth aspect of the invention, there is provided a broadband network gateway comprising an apparatus according to the fourth or fifth aspect.
According to a seventh aspect of the invention, there is provided an apparatus, comprising resolving means for resolving a controller address of a controller control means based on a transferred address received in a request for a session control from an enforcement means; instruction requesting means for requesting an instruction for the session control from the controller control means, wherein the request for instruction comprises a comprised address which is based on the received transferred address; and providing means for providing the session control to the enforcement means, wherein the session control is based on the instruction received from the controller control means.
In the apparatus, the resolving means may be further adapted to resolve the controller address based on at least one address indication additionally received in the request.
According to an eighth aspect of the invention, there is provided an apparatus, comprising resolving processor for resolving a controller address of a controller control device based on a transferred address received in a request for a session control from an enforcement device; instruction requesting processor for requesting an instruction for the session control from the controller control device, wherein the request for instruction comprises a comprised address which is based on the received transferred address; and providing processor for providing the session control to the enforcement device, wherein the session control is based on the instruction received from the controller control device.
In the apparatus, the resolving processor may be further adapted to resolve the controller address based on at least one address indication additionally received in the request.
According to a ninth aspect of the invention, there is provided a broadband network policy control function comprising an apparatus according to the seventh or eighth aspect.
According to a tenth aspect of the invention, there is provided an apparatus, comprising match deciding means for deciding whether a gateway source address received in a request for a controller session control from a gateway network element matches a transferred address received in a request for instruction from an access control network element different from the gateway network element; session control providing means for providing the controller session control to the gateway network element if the match checking means decides that the gateway source address matches the transferred address; and instruction providing means for providing the instruction to the access control network element if the match checking means decides that the gateway source address matches the transferred address, wherein the controller session control corresponds to the instruction.
According to an eleventh aspect of the invention, there is provided an apparatus, comprising match deciding processor for deciding whether a gateway source address received in a request for a controller session control from a gateway network element matches a transferred address received in a request for instruction from an access control network element different from the gateway network element; session control providing processor for providing the controller session control to the gateway network element if the match checking processor decides that the gateway source address matches the transferred address; and instruction providing processor for providing the instruction to the access control network element if the match checking processor decides that the gateway source address matches the transferred address, wherein the controller session control corresponds to the instruction.
According to a twelfth aspect of the invention, there is provided a policy and charging rule function comprising an apparatus according to the tenth or eleventh aspect.
According to a thirteenth aspect of the invention, there is provided a system, comprising an enforcing apparatus according to the fourth aspect; an access control apparatus according to the seventh aspect; wherein the access control means of the enforcing apparatus comprises the access control apparatus; the enforcement means of the access control apparatus comprises the enforcing apparatus; the request of the access control requesting means corresponds to the received request of the resolving means, wherein the transferred address of the access control requesting means corresponds to the transferred address of the resolving means; and the access control apparatus belongs to a same network as the enforcing apparatus.
The system may further comprise a controller control apparatus according to the tenth aspect; a controller gateway apparatus; wherein the controller gateway apparatus comprises the gateway network element of the controller control apparatus; wherein the controller control means of the access control apparatus comprises the controller control apparatus; the gateway source address of the match deciding means is the address of the gateway network element; the request for instruction of the instruction requesting means corresponds to the request for instruction of the match deciding means, wherein the transferred address of the match deciding means corresponds to the comprised address of the instruction requesting means; and the controller control apparatus and the controller gateway apparatus belong to the controller network which is different from the network the access control apparatus and the enforcing apparatus belong to.
According to a fourteenth aspect of the invention, there is provided a system, comprising an enforcing apparatus according to the fifth aspect; an access control apparatus according to the eighth aspect; wherein the access control device of the enforcing apparatus comprises the access control apparatus; the enforcement device of the access control apparatus comprises the enforcing apparatus; the request of the access control requesting processor corresponds to the received request of the resolving processor, wherein the transferred address of the access control requesting processor corresponds to the transferred address of the resolving processor; and the access control apparatus belongs to a same network as the enforcing apparatus.
The system may further comprise a controller control apparatus according to the eleventh aspect; and a controller gateway apparatus; wherein the controller gateway apparatus comprises the gateway network element of the controller control apparatus; wherein the controller control device of the access control apparatus comprises the controller control apparatus; the gateway source address of the match deciding processor is the address of the gateway network element; the request for instruction of the instruction requesting processor corresponds to the request for instruction of the match deciding processor, wherein the transferred address of the match deciding processor corresponds to the comprised address of the instruction requesting processor; and the controller control apparatus and the controller gateway apparatus belong to the controller network which is different from the network the access control apparatus and the enforcing apparatus belong to.
According to a fifteenth aspect of the invention, there is provided a computer program product comprising computer-executable components which perform, when the program is run on a computer, the execution of which result in operations of the method according to any of the methods according to the first to third aspects.
The computer program product may be embodied as a computer-readable storage medium.
Thus, the role of PEP and PDP is the same independent from whether the mobile control session and access authentication may be applied to the broadband access. Accordingly, implementation work on the interfaces PEP - PDP and also PDP - PCRF is saved.
It is to be understood that any of the above modifications can be applied singly or in combination to the respective aspects to which they refer, unless they are explicitly stated as excluding alternatives.
Brief description of the drawings
Further details, features, objects, and advantages are apparent from the following detailed description of the preferred embodiments of the present invention which is to be taken in conjunction with the appended drawings, wherein
Fig. 1 shows a system according to an embodiment of the invention;
Fig. 2 shows another system according to an embodiment of the invention;
Fig. 3 shows an apparatus according to an embodiment of the invention;
Fig. 4 shows a method according to an embodiment of the invention;
Fig. 5 shows an apparatus according to an embodiment of the invention;
Fig. 6 shows a method according to an embodiment of the invention;
Fig. 7 shows an apparatus according to an embodiment of the invention;
Fig. 8 shows a method according to an embodiment of the invention;
Fig. 9 shows a message flow according to an embodiment of the invention; and
Fig. 10 shows a message flow according to an embodiment of the invention.
Detailed description of certain embodiments
Herein below, certain embodiments of the present invention are described in detail with reference to the accompanying drawings, wherein the features of the embodiments can be freely combined with each other unless otherwise described. However, it is to be expressly understood that the description of certain embodiments is given by way of example only, and that it is in no way intended to be understood as limiting the invention to the disclosed details.
Moreover, it is to be understood that the apparatus is configured to perform the corresponding method, although in some cases only the apparatus or only the method are described.
Fig. 1 shows a system according to an embodiment of the invention. The system comprises the broadband network access element BNG 100 and control element BPCF 200. The BPCF controls the policy enforced by the BNG. In addition, the broadband network gateway (BNG) provides an interface on the broadband network side between the broadband network and a mobile network. In some embodiments, the enforcement function and the gateway function of the BNG may be embodied in different entities.
Fig. 2 shows another system according to an embodiment of the invention. The system comprises a system of a broadband network 2 as that shown in Fig. 1, and in addition a mobile network gateway 400 and a policy and charging rules function (PCRF) 300 of a mobile network 3 different from the broadband network 2. The mobile network gateway 400 provides the interface on the mobile network side between the broadband network 2 and the mobile network 3, and is operatively connected to the BNG 100. Traffic between the mobile network 3 and the broadband network 2 is routed through the BNG 100 and the mobile network gateway 400.
The PCRF 300 is responsible for providing a policy and charging rules function of the mobile network 3. The policy and charging rules may be enforced by the mobile network gateway 400. In some embodiments, the enforcement function and the gateway function of the mobile network gateway 400 may be embodied in different entities.
The PCRF 300 of the mobile network 3 is operatively connected with the BPCF 200 of the broadband network 2 to exchange control commands. The protocol between these entities may be a Diameter protocol.
In some embodiments, the traffic channel from a user equipment (UE) or a Home NodeB (HNB) attached to the broadband network 2 may be IP tunneled through the broadband network gateway 100 to the mobile network gateway 400, if the user equipment uses services of the mobile network 3. The BNG 100 may monitor the access to detect packet transfer between the UE attached to the broadband network 2 and known mobile network(s) such as mobile network 3. The BNG may initiate a control session to the broadband network policy control function BPCF 200, when a UE establishes a session via the broadband access through the BNG to a mobile network. Through the initiation of the control session, the BPCF 200 may be enabled to find the realm and/or contact address of the PCRF 300 of the mobile network 3 from which the UE requests a service and to initiate a related control session to the PCRF 300.
The PCRF 300 may accept the control session initiated by the BPCF 200 and a further control session from the mobile network gateway (GW) 400. The PCRF 300 may bind the control sessions from the BPCF 200 and GW 400, based on an address received with the requests for control, e.g. one or more IP address(es) of the tunnel endpoint(s). Thus, the PCRF 300 may provide corresponding control commands/instructions to the mobile network gateway 400 and to the BPCF 200. The BPCF 200 may control the BNG 100 based on the instructions received from the PCRF 300.
Details of the apparatuses and methods of a BNG 100, a BPCF 200, and a PCRF 300 according to some embodiments of the invention are explained with respect to Figs. 3 to 8, respectively.
Fig. 3 shows an apparatus 100 according to an embodiment of the invention. Fig. 4 shows a method according to an embodiment of the invention which may be performed by an apparatus according to Fig. 3.
The apparatus 100 may be a BNG. It may comprise a detection means 110, an identifying means 120, a network deciding means 130, and an access control requesting means 140.
The detection means 110 may detect a data packet from an origin through the apparatus to a destination (S110). For example, the detection means 110 may detect a data packet tunneled through the apparatus, and/or it may detect data packets for IP tunnel establishment. In some embodiments, the detection means may detect only data packets not having an association to a session established on the apparatus 100.
In the identifying means 120, network identifications may be determined corresponding to step S120. In particular, at least one of a destination network to which the destination of an IP tunnel belongs and an originating network to which the origin of the IP tunnel belongs may be determined, wherein the destination network is identified based on a destination address or address realm of the destination, and the originating network is identified based on an originating address or address realm of the origin.
The destination address and/or the originating address may be obtained from an IP packet or from deep packet inspection (DPI) of the tunneled traffic. In some embodiments, the identifications and/or addresses may be received from the access point of the UE, e.g. a DSLAM.
In step S130, which may be performed by network deciding means 130, a positive decision is met if the destination network or the originating network identified by the identifying means corresponds to a known controller network, such as the mobile network 3. Hereinafter, the originating address or destination address or their respective address realm, based on which the positive decision is met, is designated as "transferred address". The BNG 100 may "know" a controller network e.g. because it stores identifications of controller networks with which IP tunneling is allowed/possible (e.g. in a roaming table), and/or it may request corresponding information from another network element where such information is available. The known controller networks may be preferably different from the network the BNG belongs to.
If a positive decision is met in step S130, the method proceeds to step S140, otherwise it is terminated (S150).
In step S140, which may be performed by access control requesting means 140, a control (e.g. QoS rules or parameters) of a session to be associated to the packet data stream from an access control means is requested, wherein the request may comprise the transferred address. In addition, in some embodiments, the request may comprise one or more of the other of the obtained origin and destination addresses or address realms, a user identification, an apparatus identification (e.g. a UE or HNB identity) and a separate parameter or indication for the BPCF to contact a relevant controller network controller, such as a PCRF.
Fig. 5 shows an apparatus 200 according to an embodiment of the invention. Fig. 6 shows a method according to an embodiment of the invention which may be performed by an apparatus according to Fig. 5.
The apparatus 200 may be a BPCF. It may comprise a resolving means 210, an instruction requesting means 220, and a providing means 230.
The resolving means 210 may resolve a controller address of a controller control means based on a transferred address or address realm received in a request for an access session control from an enforcement means. This corresponds to step S210. The controller control means may be a control function of a controller network, such as a PCRF of a mobile network.
In some embodiments, the received request may comprise not only the transferred address, but e.g. a user identification, or an apparatus identification, or the other of the destination and originating address. In some of these embodiments, these identifications may be additionally used to resolve the controller address.
In some embodiments, the request may also comprise an indication of the controller address.
According to step S220, which may be performed by instruction requesting means 220, an instruction for the access session control may be requested from the controller control means. The request for instruction may comprise the transferred address or an address or address realm obtained based on it.
In some embodiments, the request for instruction may additionally comprise one or more of the other of the obtained origin and destination addresses or address realms, a user identification, an apparatus identification (e.g. a UE or HNB identity).
According to step S230, which may be performed by providing means 230, the access session control may be provided to the enforcement means. The access session control may be based on the instruction received from the controller control means.
Fig. 7 shows an apparatus 300 according to an embodiment of the invention. Fig. 8 shows a method according to an embodiment of the invention which may be performed by an apparatus according to Fig. 7.
The apparatus 300 may be a PCRF. It may comprise a match deciding means 310, a session control providing means 320, and an instruction providing means 330.
The match deciding means 310 evaluates two received requests: a request for a controller session control from a gateway network element, and a request for instruction from an access control network element different from the gateway network element. The access control network element may be a control function of a network the apparatus 300 does not belong to, such as a BPCF of a broadband network. Thus, the match deciding means 310 may decide whether a transferred address received in the request for a controller session control matches a transferred address received in the request for instruction (step S310). Matching may mean that the addresses are the same or that the addresses correspond unambiguously to each other. In some embodiments, the matching may also be based on user or apparatus (e.g. on UE or Home NodeB) identifications received from the gateway and from the access network control element.
If there is no match, the method is terminated (S340). Otherwise, if there is a match of the transferred addresses, two steps S320 and S330 may be performed simultaneously or consecutively, wherein the sequence of these steps is arbitrary. The session control providing means 320 may perform step S320, wherein the controller session control may be provided to the gateway network element. The instruction providing means 330 may perform step S330, wherein the instruction may be provided to the access control network element. The controller session control may correspond to the instruction. For example, the controller session control may comprise policy and charging control (PCC) rules, and the instruction may comprise the corresponding quality of service (QoS) rules or parameters.
In the following, message exchange sequences of some embodiments are described in greater detail with reference to Figs. 9 and 10. The sequence of the messages may be different, because there are two branches in the operation: (1) the BNG detects a service start and causes control sessions being established to the BPCF and PCRF, and (2) the UE establishing a PDN session to the mobile network and causing a control session being established between the GW and PCRF. Accordingly, the PCRF may for example send QoS rules to the BPCF in a separate push operation (message 14 in Fig. 9) or in a response message (message 13 in Fig. 10). The embodiment of methods supported by BNG described below with reference to Figs. 9 and 10 is easier than the method described for another embodiment hereinafter.
A broadband network access may detect possible establishment of a user session on the access by detecting IP packets received from a source address that has no association to any session established earlier. According to the present embodiment, this mechanism is further refined to detect a user session establishment towards a mobile network and to use the information for initiating a control session to a policy control function BPCF.
The following description is related to an embodiment where a data packet from a UE or a Home NodeB attached to the broadband network is directed to a mobile network. However, it may be correspondingly applied to embodiments where a data packet is directed from the mobile network to the UE or a Home NodeB, taking into account that the source and destination addresses change place in such a case.
• The BNG monitors the access to detect whether there is any IP packet transfer from the UE. In particular, in some embodiments, it is detected if IP packets received from a source address have no association to an established session. By restricting to these packet data, the load on the BNG is reduced.
• If the BNG recognizes a packet from the UE, the BNG checks the destination address of the packet.
• If the destination of the packet is a mobile network known by the BNG, the BNG assumes that this is an interworking case of BBF access and mobile network. The BNG establishes a control session to the BPCF and sends the source and destination and/or tunnel end-point addresses to the BPCF (Fig. 9, step 5; Fig. 10, step 9). The BNG may also include a separate indication for the BPCF to contact a relevant mobile network PCRF.
• The BPCF deduces, from the parameters received from the BNG during the control session establishment, a need to establish an S9* control session to a PCRF of the mobile network identified from the destination address parameter or the separate indication.
• The BPCF resolves the contact address of the PCRF, either internally e.g. from preconfigured information or through an external enquiry, based on the destination and/or tunnel end-point address parameters or the separate indication (Fig. 9, step 7; Fig. 10, step 11).
• The BPCF establishes a control session to the PCRF and sends the source and destination addresses to the PCRF (Fig. 9, step 8; Fig. 10, step 12).
• Parallel to the above described, the UE establishes a PDN connection, tunnelled through the BBF access, to the mobile network GW (Fig. 9, step 10; Fig. 10, step 5). The GW establishes a Gx control session to the PCRF and sends (also) the source and destination addresses of the tunnelled transfer to the PCRF (Fig. 9, step 11; Fig. 10, step 6).
• The PCRF binds the control session from the BPCF and the control session from the GW together based on the source address.
• The PCRF sends PCC rules to the GW (Fig. 9, step 12; Fig. 10, step 7) and corresponding QoS rules to the BPCF (Fig. 9, step 14; Fig. 10, step 13).
A more complicated packet inspection operation may be supported by some embodiments of a BNG.
In addition to IP packet detection, also deep packet inspection (DPI) may be supported by the broadband access. According to some embodiments, this mechanism is further refined to detect a user session establishment or a Home NodeB attachment to a mobile network by detecting an IP tunnel establishment through the broadband access towards the mobile network, and to use the information for initiating a control session to a policy control function BPCF.
As with the description of the simpler packet inspection operation described hereinabove, the method of this embodiment may be applied correspondingly to packet data originating from the UE or Home NodeB and/or directed to the UE or Home NodeB, taking into account that the source and destination addresses change place in such a case.
• The BNG monitors the access to detect whether there is any packet transfer from the UE.
• If the BNG recognizes a packet from the UE, the BNG checks the destination address of the packet.
• If the destination of the packet is a mobile network known by the BNG, the BNG assumes that this is an interworking case of BBF access and mobile network. Alternatively the BNG may directly check further details, e.g. the BNG may apply deep packet inspection to the packet, e.g. may inspect/detect further information like:
  o The type of the packet, e.g. whether it is a tunnel establishment packet,
  o IP addresses, e.g. the tunnel end-point addresses in a tunnel establishment packet,
  o User and/or UE identifiers,
  o Home NodeB identifier,
  o QoS information, etc.
• The BNG establishes a control session to the BPCF and sends relevant available parameters like the tunnel end-point and/or source and destination addresses, the user and/or UE ID, Home NodeB identifier, requested QoS etc. to the BPCF. The BNG may also include a separate indication for the BPCF to contact a relevant mobile network PCRF.
• The BPCF deduces, from the parameters received from the BNG during the control session establishment, a need to establish an S9* control session to a PCRF of the mobile network identified from the destination and/or tunnel end-point address parameters or the separate indication.
• The BPCF resolves the contact address of the PCRF, either internally e.g. from preconfigured information or through an external enquiry, based on the destination and/or tunnel end-point address parameters.
• The BPCF establishes a control session to the PCRF and sends relevant available parameters like the tunnel end-point and/or source and destination addresses, the user and/or UE ID, the Home NodeB ID, requested QoS etc. to the PCRF.
• Parallel to the above described, the UE establishes a PDN connection, tunnelled through the BBF access, to the mobile network GW. The GW establishes a Gx control session to the PCRF and sends (also) the source and destination addresses of the tunnelled transfer and possible user / UE / Home NodeB (HNB) IDs to the PCRF.
• The PCRF binds the control session from the BPCF and the control session from the GW together based on the user and/or UE ID and/or HNB and/or on the IP address(es).
• The PCRF sends PCC rules to the GW and corresponding QoS rules to the BPCF.
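The two message sequences above, replayed as an added Python example that is not part of the patent text: the BNG decision (S110 to S150), the BPCF's resolution of the PCRF (S210, S220) and the PCRF's binding of the two control sessions on the source address (S310 to S330), in either arrival order. The prefix, realm, host name, addresses, rule strings and status strings are constructed assumptions, and direct method calls stand in for the Diameter exchanges.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed "roaming table": controller networks known to the BNG (prefix -> realm).
KNOWN_CONTROLLER_NETWORKS = {ipaddress.ip_network("198.51.100.0/24"): "mobile3.example"}
# Constructed BPCF configuration: realm -> PCRF contact address.
PCRF_BY_REALM = {"mobile3.example": "pcrf.mobile3.example"}


def controller_realm(address):
    """S120/S130: realm of the known controller network owning `address`, else None."""
    ip = ipaddress.ip_address(address)
    for prefix, realm in KNOWN_CONTROLLER_NETWORKS.items():
        if ip in prefix:
            return realm
    return None


@dataclass
class PCRF:
    """Binds the GW's Gx session and the BPCF's S9* session on the source address."""
    pending: dict = field(default_factory=dict)  # source address -> {role: destination}
    bound: dict = field(default_factory=dict)    # source address -> issued rules

    def request(self, role, src, dst):
        """S310-S330: issue rules only when both branches have asked for `src`."""
        slot = self.pending.setdefault(src, {})
        slot[role] = dst
        if not {"gw", "bpcf"} <= slot.keys():
            return None  # no matching request from the other element yet
        rules = {
            "gw": f"PCC rules for {src}",
            "bpcf": f"QoS rules for {src}",
            # BPCF asked last: QoS rules ride in the response (Fig. 10);
            # GW asked last: QoS rules are pushed to the waiting BPCF (Fig. 9).
            "qos_delivery": "response" if role == "bpcf" else "push",
        }
        self.bound[src] = rules
        return rules


@dataclass
class BPCF:
    pcrfs: dict  # PCRF contact address -> PCRF instance (stands in for Diameter peers)

    def session_control(self, src, dst, transferred):
        """S210/S220: resolve the PCRF from the transferred realm, then ask it."""
        contact = PCRF_BY_REALM.get(transferred)
        if contact not in self.pcrfs:
            return False
        self.pcrfs[contact].request("bpcf", src, dst)
        return True


@dataclass
class BNG:
    bpcf: BPCF
    sessions: set = field(default_factory=set)  # sources already tied to a session

    def on_packet(self, src, dst):
        if src in self.sessions:                  # S110: only unassociated packets
            return "has-session"
        transferred = controller_realm(dst) or controller_realm(src)
        if transferred is None:                   # S150: not an interworking case
            return "not-controller-network"
        if not self.bpcf.session_control(src, dst, transferred):  # S140
            return "unresolved"
        self.sessions.add(src)  # assumption: the control session now covers src
        return "control-requested"


def run(order):
    """Replay the two branches for one UE in `order`; return the PCRF binding."""
    pcrf = PCRF()
    bng = BNG(BPCF({"pcrf.mobile3.example": pcrf}))
    ue, gw = "203.0.113.7", "198.51.100.10"  # constructed UE and GW addresses
    for branch in order:
        if branch == "bng":
            bng.on_packet(ue, gw)
        else:
            pcrf.request("gw", ue, gw)
    return pcrf.bound.get(ue)


if __name__ == "__main__":
    print(run(["bng", "gw"]))  # Fig. 9 ordering
    print(run(["gw", "bng"]))  # Fig. 10 ordering
    print(run(["bng"]))        # only one branch arrived: nothing is bound
```

A request that never finds its counterpart stays in `pending` and receives no rules, which is the property an operator would check when auditing which BPCF peers can obtain QoS instructions from the PCRF.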
Some embodiments are described wherein the tunnel is established through a broadband network element to a mobile network element and wherein the control of the broadband network element may be effected at least partly by a controller network element of the mobile network element.
In other embodiments, the roles of mobile network and broadband network with respect to the control may be interchanged. That is, a controller function of the broadband network may control at least partly a mobile network element. An example of such a case is when services offered by a broadband core network are accessed via a mobile access network.
Some embodiments are described where the tunnel ends at a gateway of the broadband network. In other embodiments, the tunnel may be originated in the broadband network. In still some embodiments, both the origin and the destination of the tunnel through a gateway of the broadband network may be outside the same. In this case, the gateway may define based on a predefined rule whether the control should be performed by the mobile network of the origin or the destination. For example, the control may be always performed based on the mobile network of one of the origin and the destination, or some mobile networks may be preferred to other mobile networks.
Embodiments are described with respect to an LTE network and a broadband network. However, in some embodiments, instead of these networks, other networks with a control function and an enforcement function on the user plane such as a global packet radio system (GPRS) network, a universal mobile telecommunication system (UMTS) network, an asynchronous transfer mode (ATM) network etc. may be employed.
In some embodiments, the role of the BNG as described hereinabove may be split between a BNG apparatus and a digital subscriber line access multiplexer (DSLAM) to which a user equipment is attached. The BPCF may control the corresponding functions of the DSLAM. For example, not limiting, the DSLAM may perform deep packet inspection directly at the subscriber line interface and send the inspection results (e.g. User/UE Id or HNB Id) to the BNG apparatus through a control protocol between the BNG and DSLAM. Thus, DPI for the BNG may be easier and the BNG may be less loaded.
Also, in some embodiments, the detecting of a data packet or its inspection may be performed by a separate standalone monitoring / traffic detection entity. Instead of policy and charging control, in some embodiments only policy control or only charging control may be employed.
If not otherwise stated or otherwise made clear from the context, the statement that two entities are different means that they are differently addressed in the communication network. It does not necessarily mean that they are based on different hardware. That is, each of the entities described in the present description may be based on a different hardware, or some or all of the entities may be based on the same hardware.
According to the above description, it should thus be apparent that exemplary embodiments of the present invention provide, for example a network gateway such as a broadband network gateway, or a component thereof, an apparatus embodying the same, a method for controlling and/or operating the same, and computer program(s) controlling and/or operating the same as well as mediums carrying such computer program(s) and forming computer program product(s). Further exemplary embodiments of the present invention provide, for example a policy control function such as a broadband network policy control function, or a component thereof, an apparatus embodying the same, a method for controlling and/or operating the same, and computer program(s) controlling and/or operating the same as well as mediums carrying such computer program(s) and forming computer program product(s). Still further exemplary embodiments of the present invention provide, for example a rules function such as a policy and charging rules function, or a component thereof, an apparatus embodying the same, a method for controlling and/or operating the same, and computer program(s) controlling and/or operating the same as well as mediums carrying such computer program(s) and forming computer program product(s).
Implementations of any of the above described blocks, apparatuses, systems, techniques or methods include, as non-limiting examples, implementations as hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
It is to be understood that what is described above is what is presently considered the preferred embodiments of the present invention. However, it should be noted that the description of the preferred embodiments is given by way of example only and that various modifications may be made without departing from the scope of the invention as defined by the appended claims.

Claims

1. A method, comprising
detecting a data packet transferred between an origin and a destination and passing through an apparatus performing the method;
identifying one of a destination network and an originating network based on an address of the destination and an address of the origin of the data packet, respectively;
meeting a positive decision if one of the identified originating network and the identified destination network corresponds to a controller network whose identification is known by the apparatus, wherein an address of the one of the originating network and the destination network, or an address realm of the one of the originating network and the terminating network is determined as a transferred address; and
requesting, if the positive decision is met, a control of a session to be associated to the data packet from an access control means, wherein the request comprises the transferred address.
2. The method according to claim 1, wherein the request comprises additionally the address or the address realm of the other one of the origin and the destination whose address or address realm is not determined as the transferred address.
3. The method according to any of claims 1 to 2, wherein the identifying is further adapted to identify at least one of an apparatus, a user, and a subscriber, and the request comprises an identity of the at least one of the apparatus, the user, and the subscriber.
4. The method according to claim 3, wherein the identity is obtained by deep packet inspection of the data packet transferred between the origin and the destination and passing through the apparatus.
5. The method according to any of claims 1 to 4, wherein the data packets are internet protocol tunnel establishment packets or internet protocol tunnel packets between the origin and the destination.
6. The method according to any of claims 1 to 5, wherein the data packet is an internet protocol data packet, and wherein the address of the destination and/or the address of the origin are obtained by inspection of the data packet, and/or wherein the destination address and/or the originating address are received from another apparatus.
7. The apparatus according to any of claims 1 to 6, wherein the detecting is further adapted to detect the data packet only if it does not have an association to a session established on the apparatus.
8. The apparatus according to any of claims 1 to 7, wherein the request for the control comprises an address indication of a controller control means belonging to the network based on which the positive decision is met.
9. The method according to any of claims 1 to 8, wherein the apparatus belongs to a fixed broadband network or a mobile network.
10. The method according to any of claims 1 to 9, wherein the controller network is a mobile network or a fixed broadband network.
11. A method, comprising
resolving a controller address of a controller control means based on a transferred address received in a request for a session control from an enforcement means;
requesting an instruction for the session control from the controller control means, wherein the request for instruction comprises a comprised address which is based on the received transferred address; and
providing the session control to the enforcement means, wherein the session control is based on the instruction received from the controller control means.
12. The method according to claim 11, wherein the resolving is further adapted to resolve the controller address based on an at least one address indication additionally received in the request.
13. A method, comprising
deciding whether a gateway source address received in a request for a controller session control from a gateway network element matches a transferred address received in a request for instruction from an access control network element different from the gateway network element;
providing the controller session control to the gateway network element if it is decided that the gateway source address matches the transferred address; and
providing the instruction to the access control network element if it is decided that the gateway source address matches the transferred address, wherein
the controller session control corresponds to the in- struction.
14. An apparatus, comprising
detection means for detecting a data packet transferred between an origin and a destination and passing through the apparatus;
identifying means for identifying one of a destination network and an originating network based on an address of the destination and an address of the origin of the data packet, respectively;
network deciding means for meeting a positive decision if one of the originating network and the destination network identified by the identifying means corresponds to a controller network whose identification is known by the apparatus, wherein an address of the one of the originating network and the destination network, or an address realm of the one of the originating network and the terminating network is determined as a transferred address; and
access control requesting means for requesting, if the network deciding means meets the positive decision, a control of a session to be associated to the data packet from an access control means, wherein the request comprises the transferred address.
15. The apparatus according to claim 14, wherein the request comprises additionally the address or the address realm of the other one of the origin and the destination whose address or address realm is not determined as the transferred address.
16. The apparatus according to any of claims 14 to 15, wherein the identifying means is further adapted to identify at least one of an apparatus, a user, and a subscriber, and the request comprises an identity of the at least one of the apparatus, the user, and the subscriber.
17. The apparatus according to claim 16, wherein the identity is obtained by deep packet inspection of the data packet transferred between the origin and the destination and passing through the apparatus.
18. The apparatus according to any of claims 14 to 17, wherein the data packets are internet protocol tunnel establishment packets or internet protocol tunnel packets between the origin and the destination.
19. The apparatus according to any of claims 14 to 18, wherein the data packet is an internet protocol data packet, and wherein the address of the destination and/or the address of the origin are obtained by inspection of the data packet, and/or wherein the destination address and/or the originating address are received from another apparatus.
20. The apparatus according to any of claims 14 to 19, wherein the detection means is further adapted to detect the data packet only if it does not have an association to a session established on the apparatus.
21. The apparatus according to any of claims 14 to 20, wherein the request for the control comprises an address indication of a controller control means belonging to the network based on which the positive decision is met.
22. The apparatus according to any of claims 14 to 21, belonging to a fixed broadband network or a mobile network.
23. The apparatus according to any of claims 14 to 22, wherein the controller network is a mobile network or a fixed broadband network.
24. A broadband network gateway comprising an apparatus according to any of claims 14 to 23.
25. An apparatus, comprising
resolving means for resolving a controller address of a controller control means based on a transferred address received in a request for a session control from an enforcement means;
instruction requesting means for requesting an instruction for the session control from the controller control means, wherein the request for instruction comprises a comprised address which is based on the received transferred address; and
providing means for providing the session control to the enforcement means, wherein the session control is based on the instruction received from the controller control means.
26. The apparatus according to claim 25, wherein the resolving means is further adapted to resolve the controller address based on at least one address indication additionally received in the request.
27. A broadband network policy control function comprising an apparatus according to any of claims 25 to 26.
28. An apparatus, comprising
match deciding means for deciding whether a gateway source address received in a request for a controller session control from a gateway network element matches a transferred address received in a request for instruction from an access control network element different from the gateway network element;
session control providing means for providing the controller session control to the gateway network element if the match checking means decides that the gateway source address matches the transferred address; and
instruction providing means for providing the instruction to the access control network element if the match checking means decides that the gateway source address matches the transferred address, wherein
the controller session control corresponds to the instruction.
29. A policy and charging rule function comprising an apparatus according to claim 28.
30. A system, comprising
an enforcing apparatus according to any of claims 14 to 23;
an access control apparatus according to any of claims 25 and 26; wherein
the access control means of the enforcing apparatus comprises the access control apparatus;
the enforcement means of the access control apparatus comprises the enforcing apparatus;
the request of the access control requesting means corresponds to the received request of the resolving means, wherein the transferred address of the access control requesting means corresponds to the transferred address of the resolving means; and
the access control apparatus belongs to a same network as the enforcing apparatus.
31. A system according to claim 30, further comprising
a controller control apparatus according to claim 28;
a controller gateway apparatus;
wherein the controller gateway apparatus comprises the gateway network element of the controller control apparatus; wherein
the controller control means of the access control apparatus comprises the controller control apparatus;
the gateway source address of the match deciding means is the address of the gateway network element;
the request for instruction of the instruction requesting means corresponds to the request for instruction of the match deciding means, wherein the transferred address of the match deciding means corresponds to the comprised address of the instruction requesting means; and
the controller control apparatus and the controller gateway apparatus belong to the controller network which is different from the network the access control apparatus and the enforcing apparatus belong to.
32. Computer program product comprising computer-executable components which perform, when the program is run on a computer, the execution of which result in operations of the method according to any of method claims 1 to 13.
33. The computer program product according to claim 32, embodied as a computer-readable storage medium.
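The message flow of claims 11, 13 and 14, sketched as an added example that is not part of the patent text or any implementation by the applicant. The realm, the controller name, the dictionary field names and the handling of a non-matching address (returning None) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (assumptions, not values from the patent).
CONTROLLER_REALMS = {"pcrf.mobile.example": ipaddress.ip_network("2001:db8:a::/48")}

def controller_for(address):
    """Claim 11: resolve the controller address from a transferred address."""
    ip = ipaddress.ip_address(address)
    return next((c for c, realm in CONTROLLER_REALMS.items() if ip in realm), None)

def enforcement_request(origin, destination, established_sessions):
    """Claims 14 and 20: request control only for a packet that has no session yet
    and whose origin or destination lies in a known controller network."""
    if (origin, destination) in established_sessions:
        return None
    for addr, other in ((destination, origin), (origin, destination)):
        if controller_for(addr):
            return {"transferred_address": addr, "other_address": other}
    return None

class Controller:
    """Claim 13: correlate the gateway's request with the access control request."""
    def __init__(self):
        self.pending = {}  # parsed gateway source address -> session control

    def gateway_request(self, gateway_source_address, session_control):
        self.pending[ipaddress.ip_address(gateway_source_address)] = session_control

    def instruction_request(self, comprised_address):
        # Compare parsed addresses, not strings: IPv6 has several spellings.
        # Returning None on a mismatch is an assumption; the claim covers only a match.
        return self.pending.get(ipaddress.ip_address(comprised_address))

def access_control(request, controllers):
    """Claim 11: ask the resolved controller and pass its instruction on as session control."""
    name = controller_for(request["transferred_address"])
    if name is None:
        return None
    return controllers[name].instruction_request(request["transferred_address"])
```

Because the controller keys its pending requests on the gateway source address, the correlation is only as trustworthy as that address; a deployment would normally accept gateway requests only over an authenticated signalling association.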
PCT/EP2010/066945 2010-11-05 2010-11-05 Session establishment with policy control WO2012059137A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2010/066945 WO2012059137A1 (en) 2010-11-05 2010-11-05 Session establishment with policy control

Publications (1)

Publication Number Publication Date
WO2012059137A1 true WO2012059137A1 (en) 2012-05-10

Family

ID=43333510

Country Status (1)

Country Link
WO (1) WO2012059137A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10774215

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10774215

Country of ref document: EP

Kind code of ref document: A1