WO2016082872A1 - Blocking of nested connections - Google Patents


Info

Publication number
WO2016082872A1
Authority
WO
WIPO (PCT)
Prior art keywords
user equipment
wireless network
connection
server
trusted
Prior art date
Application number
PCT/EP2014/075621
Other languages
French (fr)
Inventor
Anders Jan Olof Kall
Jari Pekka Mustajarvi
Gyorgy Tamas Wolfner
Gabor Ungvari
Original Assignee
Nokia Solutions And Networks Oy
Priority date
Filing date
Publication date
Application filed by Nokia Solutions And Networks Oy
Priority to PCT/EP2014/075621
Publication of WO2016082872A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/162 Implementing security features at a particular protocol layer at the data link layer

Definitions

  • the present invention relates to apparatuses, methods, systems, computer programs, computer program products and computer-readable media regarding blocking of nested connections.
  • WiFi Wireless Fidelity also named WLAN
  • the present invention is related to the 3GPP WLAN interworking solutions specified in documents [1] and [2].
  • Non-3GPP access network such as a WLAN network
  • whether a non-3GPP access network is trusted or untrusted is not a characteristic of the access network but decided by the respective 3GPP operator. That is, a non-3GPP network may be trusted for one 3GPP operator and untrusted for another 3GPP operator.
  • there are differences in the signaling between an untrusted access network and the core network and between a trusted access network and the core network.
  • the relevant interfaces for establishing a connection of the user equipment over a trusted or untrusted access network, as defined in document [2], are shown in Fig. 1.
  • in a trusted access network, a user equipment is connected to a Trusted WLAN Access Gateway (TWAG) which in turn is connected via the S2a interface with the P-GW in the EPC through a tunnel, e.g. GTP, MIP, or PMIP.
  • TWAG Trusted WLAN Access Gateway
  • a so-called ePDG network entity is inserted between the untrusted access network and the core network. That is, the user equipment is connected to the ePDG in the EPC through a secure IPsec tunnel and the ePDG is connected via the S2b interface to the P-GW through a tunnel, e.g. GTP or PMIP.
  • the present invention is related to the case when a UE is connected to trusted WLAN (TWAN) that provides transparent access to EPC.
  • TWAN trusted WLAN
  • TSCM Transparent Single Connection Mode
  • SCM Single-Connection Mode
  • MCM Multi-Connection Mode
  • the present invention is further related to the network scenario where the UE is connecting to a Trusted WLAN (TWAN), but the UE is configured to initiate an untrusted access or the UE is not aware that the network is trusted (i.e. the UE does not support trusted access).
  • TWAN Trusted WLAN
  • Any UE that does not support the R12 defined eSAMOG feature can select and get connected to a Trusted WLAN Access Network using the so-called Transparent Single Connection Mode across the S2a interface according to current 3GPP specifications.
  • the UE is not aware of the S2a interface and knows only that it has a Wi-Fi connection and hence will seek to set up an untrusted connection via the ePDG.
  • the UE and ePDG may set up an S2b connection "inside" and using TWAN's S2a connection.
  • UE first connects to trusted access and receives IP address from the PGW for the default APN. Connection path is [UE - TWAN - PGW].
  • the UE thinks it has gained an IP address from some Wi-Fi network.
  • VoWiFi Voice over Wi-Fi client
  • an application like a Voice over Wi-Fi client (VoWiFi) wishes to set up a trusted connection to the IMS server. It will trigger an S2b connection using this PGW-provided IP address as its own IP address.
  • the IPSec connection to ePDG is now routed over S2a connection in PGW to ePDG creating a nested connection within PGW.
  • ePDG allocates new IP address for the user from PGW, possibly using IMS APN, different to default APN.
  • when the UE sends a voice packet, it first generates an IP packet carrying the voice content using the IPsec tunnel IP address provided over S2b. This is placed into an outer IP packet using the Wi-Fi IP address provided over S2a. In this way the packet is routed as follows: UE (S2b inside S2a) -> TWAN (S2a) -> PGW (S2a) -> ePDG (S2b) -> PGW (S2b) -> external data network, which is rather inefficient for the core network, causes double charging for the user and adds delays and congestion for the traffic.
  • the 3GPP AAA Server will be involved twice, since both TWAN and ePDG will communicate with the AAA server, i.e. the TWAN is connected to the AAA server via the STa interface and the ePDG is connected to the AAA server via the SWm interface.
  • This scenario can also cause double charging, which most probably is not acceptable.
  • the deployment itself could prevent the access of the ePDG from a PDN GW at least for the case when they are in the same PLMN. Since the transparent mode generally is not allowed for roaming UEs, this deployment can also solve the situation. This might also mean the device is not able to make voice call over Wi-Fi at all if it cannot create ePDG connection.
  • a method comprising: receiving, at a server in a first wireless network, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network,
  • a method comprising: detecting, at a server in a first wireless network, that a trusted connection for traffic of the user equipment to the second wireless network is established,
  • a method comprising: determining, in a user equipment, connection capabilities of the user equipment to a second wireless network,
  • a method comprising: monitoring, by a trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network,
  • an apparatus for use in a server in a first wireless network comprising:
  • At least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform:
  • an apparatus for use in a user equipment comprising:
  • At least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform: determining, in the user equipment, connection capabilities of the user equipment to a second wireless network,
  • an apparatus for use in a trusted access gateway comprising:
  • At least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform:
  • means for monitoring, by a trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network
  • a computer program product comprising code means adapted to produce steps of any of the methods as described above when loaded into the memory of a computer.
  • a computer program product as defined above, wherein the computer program product comprises a computer- readable medium on which the software code portions are stored.
  • FIG. 1 is an overview of interfaces in an example of a scenario to which some example versions of the present application are applicable;
  • Fig. 2 is a flowchart illustrating an example of a method according to some example versions of the present invention.
  • Fig. 3 is a flowchart illustrating another example of a method according to some example versions of the present invention.
  • Fig. 4 is a flowchart illustrating another example of a method according to some example versions of the present invention.
  • Fig. 5 is a flowchart illustrating another example of a method according to some example versions of the present invention.
  • Fig. 6 is a block diagram illustrating an example of an apparatus according to some example versions of the present invention.
  • the basic system architecture of a communication network may comprise a commonly known architecture of one or more communication systems comprising a wired or wireless access network subsystem and a core network.
  • Such an architecture may comprise one or more communication network control elements, access network elements, radio access network elements, access service network gateways or base transceiver stations, such as a base station (BS), an access point or an eNB, which control a respective coverage area or cell and with which one or more communication elements or terminal devices such as a UE or another device having a similar function, such as a modem chipset, a chip, a module etc., which can also be part of a UE or attached as a separate element to a UE, or the like, are capable to communicate via one or more channels for transmitting several types of data.
  • core network elements such as gateway network elements, policy and charging control network elements, mobility management entities, operation and maintenance elements, and the like may be comprised.
  • the communication network is also able to communicate with other networks, such as a public switched telephone network or the Internet.
  • the communication network may also be able to support the usage of cloud services.
  • BSs and/or eNBs or their functionalities may be implemented by using any node, host, server or access node etc. entity suitable for such a usage.
  • the described network elements and communication devices such as terminal devices or user devices like UEs, communication network control elements of a cell, like a BS or an eNB, access network elements like APs and the like, network access control elements like AAA servers and the like, as well as corresponding functions as described herein may be implemented by software, e.g. by a computer program product for a computer, and/or by hardware.
  • nodes or network elements may comprise several means, modules, units, components, etc. (not shown) which are required for control, processing and/or communication/signaling functionality.
  • Such means, modules, units and components may comprise, for example, one or more processors or processor units including one or more processing portions for executing instructions and/or programs and/or for processing data, storage or memory units or means for storing instructions, programs and/or data, for serving as a work area of the processor or processing portion and the like (e.g. ROM, RAM, EEPROM, and the like), input or interface means for inputting data and instructions by software (e.g. floppy disc, CD-ROM, EEPROM, and the like), a user interface for providing monitor and manipulation possibilities to a user (e.g. a screen, a keyboard and the like), other interface or means for establishing links and/or connections under the control of the processor unit or portion (e.g. radio interface means comprising e.g. an antenna unit or the like, means for forming a radio communication part etc.) and the like, wherein respective means forming an interface, such as a radio communication part, can be also located on a remote site (e.g. a radio head or a radio station etc.).
  • the 3GPP AAA Server will be involved twice, since both TWAN and ePDG will communicate with the AAA server, i.e. the TWAN is connected to the AAA server via the STa interface and the ePDG is connected to the AAA server via the SWm interface, as shown in Fig. 1.
  • This scenario can also cause double charging as same data is sent twice through a PGW, which is not acceptable.
  • since the 3GPP AAA Server will be involved twice in the above situation and performs access authentication and authorization both for the TWAN (via the STa interface) and for the ePDG (via the SWm interface), the AAA server should be able to detect the situation.
  • the trusted access shall use EAP-AKA' while untrusted access through the ePDG shall use EAP-AKA. It is the operator's decision whether to accept EAP-AKA also for trusted access, as many devices do not support EAP-AKA' at all.
  • the AAA Server should not allow that a connection via the S2b interface is established on top of an already existing connection via the S2a interface. Connection should not be denied either as this may prevent use of desired service like VoWiFi which requires IPSec connection to ePDG using untrusted access.
  • the UE could explicitly indicate support for the S2a option in the EAP authentication to AAA server. Without this, i.e. if the support for the S2a option is not indicated, the AAA server would only grant Non-Seamless WLAN Offload connection to the UE thereby connecting the UE directly to the Internet from the WLAN (without routing through the EPC).
  • a new EAP attribute is defined.
  • AAA may detect the UE is trying to connect over S2b while already connected over S2a.
  • the TWAG and ePDG shall use different DIAMETER application contexts to convey trusted and untrusted authentication messages. If AAA does detect this situation, it may not authorize ePDG access and S2b connection setup fails. This may however preclude the service from the user completely as the application may choose to function only when desired secure IPSec tunnel is established.
  • the UE could send an indication to the AAA server during the authentication procedure.
  • UE could indicate this with a new EAP Attribute 'Requested-EPC-Mode' having values such, for example, [Offload
  • a new EAP attribute is defined. In this new EAP attribute, the UE indicates the desired EPC mode, i.e. whether it is offload, trusted or untrusted, where the default setting is untrusted (i.e. if there is no indication).
  • one option is to decline trusted WLAN EPC access if UE does not indicate support for the trusted EPC concept during the EAP authentication.
  • the UE does not indicate this at all, but such an indication could be added to the EAP authentication similarly as the trusted indication is conveyed to the UE from the AAA using the EAP AT_TRUST_IND attribute.
  • the AAA will indicate to the WLAN that only a Non-Seamless WLAN Offload connection is authorized. For example, a new Boolean EAP attribute 'Trusted-Mode-Supported' could be added, or the previously introduced 'Requested-EPC-Mode' attribute could be used also for this.
  • the AAA Server informs the TWAN that the UE shall not be connected over the S2a interface to EPC if the subscriber information in HSS/AAA indicates that the UE is configured to use ePDG. Instead Non-Seamless WLAN Offload mode is used and local IP address is provided to UE instead of EPC provided IP address.
  • the information to trigger this behavior in the TWAN/TWAG can be received from the AAA server during authentication or can be based on an indication from the UE, as set out above.
  • the AAA Server detects that the UE is establishing S2b even though S2a was already established.
  • the AAA server informs the ePDG that S2b shall not be established and the AAA Server informs the UE, with a new indication, that the UE is already connected to EPC. This however may prevent UE service altogether if application requires IPSec connection to be established with ePDG.
  • the TWAG may detect access to the ePDG by monitoring user payload in the S2a connection. If it detects an ePDG IP address being accessed, the TWAG could route the packet to the Internet directly without going through the PGW. This would be similar to the non-seamless offload scenario except that the UE is now using the EPC-assigned source IP address instead of a local IP address (which has not been assigned to the UE). The TWAG would need to deploy NAT for these packets so that any responses are delivered directly to the TWAG from the Internet without going through the PGW.
  • Fig. 2 is a flowchart illustrating an example of a method according to example versions of the present invention.
  • the method may be implemented in a server, like an authentication server, AAA server, or the like.
  • the method comprises receiving, at a server in a first wireless network, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network in a step S21, analyzing, by the server, the message in a step S22, and, if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network, determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked in a step S23.
  • the establishment of the trusted connection is also blocked if it is indicated in the message that the user equipment is configured to support establishment of an untrusted connection to the second wireless network or if it is indicated in the message that the user equipment is configured to support establishment of a non-seamless offload connection to the second wireless network.
  • the method further comprises determining, by the server, that establishment of a non-seamless offload connection is to be created instead.
  • the method further comprises informing, by the server, a gateway in a trusted access network, when the establishment of the trusted connection of the user equipment to the second wireless network is to be blocked.
  • Fig. 3 is a flowchart illustrating another example of a method according to example versions of the present invention.
  • the method may be implemented in a server, like an authentication server, AAA server, or the like.
  • the method comprises detecting, at a server in a first wireless network, that a trusted connection for traffic of the user equipment to a second wireless network is established in a step S31, detecting that the user equipment is establishing an untrusted connection for the same traffic to the second wireless network in a step S32, and determining, by the server, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked in a step S33.
  • the method further comprises informing, by the server, a packet gateway in the first wireless network, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
  • the packet gateway is an enhanced packet data network gateway, ePDG, in the first wireless network.
  • ePDG enhanced packet data network gateway
  • the method further comprises informing, by the server, the user equipment that the trusted connection of the user equipment to the second wireless network is established.
  • Fig. 4 is a flowchart illustrating another example of a method according to example versions of the present invention.
  • the method may be implemented in a user equipment, or the like.
  • the method comprises determining, in a user equipment, connection capabilities of the user equipment to a second wireless network in a step S41, and transmitting, by the user equipment, information indicating the connection capabilities of the user equipment to a server in a first wireless network in a step S42.
  • the connection capabilities indicate whether the user equipment is configured to support establishment of a trusted connection and/or an untrusted connection to the second wireless network.
  • the first wireless network is a network according to a third generation partnership project network type
  • the second wireless network is a network different from the third generation partnership project network type.
  • connection capabilities are included in an extensible authentication protocol, EAP, attribute.
  • the server is an authentication server in the first wireless network.
  • Fig. 5 is a flowchart illustrating another example of a method according to example versions of the present invention.
  • the method may be implemented in a trusted access gateway, like a TWAG, or the like.
  • the method comprises monitoring, by a trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network in a step S51, detecting, at the trusted access gateway, that the trusted access gateway accesses an untrusted access gateway in a step S52, and determining, by the trusted access gateway, to establish a non-seamless offload connection from the user equipment to the second wireless network in a step S53.
  • Fig. 6 is a block diagram showing an example of an apparatus according to some example versions of the present invention.
  • a block circuit diagram illustrating a configuration of an apparatus 60 is shown, which is configured to implement the above described aspects of the invention.
  • the apparatus 60 shown in Fig. 6 may comprise several further elements or functions besides those described herein below, which are omitted herein for the sake of simplicity as they are not essential for understanding the invention.
  • the apparatus may be also another device having a similar function, such as a chipset, a chip, a module etc., which can also be part of an apparatus or attached as a separate element to the apparatus, or the like.
  • the apparatus 60 may comprise a processing function or processor 61, such as a CPU or the like, which executes instructions given by programs or the like.
  • the processor 61 may comprise one or more processing portions dedicated to specific processing as described below, or the processing may be run in a single processor. Portions for executing such specific processing may be also provided as discrete elements or within one or further processors or processing portions, such as in one physical processor like a CPU or in several physical entities, for example.
  • Reference sign 62 denotes transceiver or input/output (I/O) units (interfaces) connected to the processor 61.
  • the I/O units 62 may be used for communicating with one or more other network elements, entities, terminals or the like.
  • the I/O units 62 may be a combined unit comprising communication equipment towards several network elements, or may comprise a distributed structure with a plurality of different interfaces for different network elements.
  • the apparatus 60 further comprises at least one memory 63 usable, for example, for storing data and programs to be executed by the processor 61 and/or as a working storage of the processor 61.
  • the processor 61 is configured to execute processing related to the above described aspects.
  • the apparatus 60 may be implemented in or may be part of a server, like an authentication server, AAA server, or the like, and may be configured to perform a method as described in connection with Fig. 2.
  • the processor 61 is configured to perform receiving, at a server in a first wireless network, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network, analyzing, by the server, the message, if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network, determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked.
  • the apparatus 60 may be implemented in or may be part of a server, like an authentication server, AAA server, or the like, and may be configured to perform a method as described in connection with Fig. 3.
  • the processor 61 is configured to perform detecting, at a server, that a trusted connection for traffic of the user equipment to a second wireless network is established, detecting, that the user equipment is establishing an untrusted connection for the same traffic to the second wireless network, and determining, by the server, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
  • the apparatus 60 may be implemented in or may be part of user equipment or the like, and may be configured to perform a method as described in connection with Fig. 4.
  • the processor 61 is configured to perform determining, in a user equipment, connection capabilities of the user equipment to a second wireless network, transmitting, by the user equipment, information indicating the connection capabilities of the user equipment to a server in a first wireless network.
  • the apparatus 60 may be implemented in or may be part of trusted access gateway, like a TWAG, or the like, and may be configured to perform a method as described in connection with Fig. 5.
  • the processor 61 is configured to perform monitoring, by a trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network, detecting, at the trusted access gateway, that the trusted access gateway accesses an untrusted access gateway, and determining, by the trusted access gateway, to establish a non-seamless offload connection from the user equipment to the second wireless network.
  • the apparatus for use in a server generally have the same structural components, wherein these components are configured to execute the respective functions of the register, server, mobile equipment, and subscriber identity module, respectively, as set out above.
  • the apparatus (or some other means) is configured to perform some function
  • this is to be construed to be equivalent to a description stating that a (i.e. at least one) processor or corresponding circuitry, potentially in cooperation with computer program code stored in the memory of the respective apparatus, is configured to cause the apparatus to perform at least the thus mentioned function.
  • function is to be construed to be equivalently implementable by specifically configured circuitry or means for performing the respective function (i.e. the expression "unit configured to" is construed to be equivalent to an expression such as "means for").
  • any method step is suitable to be implemented as software or by hardware without changing the idea of the aspects/embodiments and its modification in terms of the functionality implemented;
  • CMOS Complementary MOS
  • BiMOS Bipolar MOS
  • BiCMOS Bipolar CMOS
  • ECL Emitter Coupled Logic
  • TTL Transistor-Transistor Logic
  • ASIC Application Specific IC
  • FPGA Field-programmable Gate Arrays
  • CPLD Complex Programmable Logic Device
  • DSP Digital Signal Processor
  • devices, units or means can be implemented as individual devices, units or means, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device, unit or means is preserved;
  • an apparatus may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of an apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor;
  • a device may be regarded as an apparatus or as an assembly of more than one apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
  • respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts.
  • the mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
  • any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention.
  • Devices and means can be implemented as individual devices, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person.
  • Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code means/portions or embodied in a signal or in a chip, potentially during processing thereof.
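The decision logic of the Fig. 2, Fig. 3 and Fig. 5 items above, written out as an added Python model; this is not code from the patent, from Nokia, or from any 3GPP implementation. The value set of the proposed 'Requested-EPC-Mode' attribute, the subscriber identifiers, the ePDG and TWAG addresses, the NAT port range and the in-memory session sets are constructed assumptions for illustration only.

```python
# Added illustration, not code from the patent: a toy model of the AAA-side
# decisions (Fig. 2 / Fig. 3) and the TWAG-side payload check (Fig. 5).
# Attribute names, session records, addresses and ports are assumptions.
from dataclasses import dataclass, field
from enum import Enum


class EpcMode(Enum):
    """Assumed values of the proposed 'Requested-EPC-Mode' EAP attribute."""
    OFFLOAD = "Offload"      # Non-Seamless WLAN Offload, no EPC connection
    TRUSTED = "Trusted"      # S2a via the TWAG
    UNTRUSTED = "Untrusted"  # S2b via the ePDG (default when the UE sends nothing)


@dataclass
class AaaServer:
    """Per-subscriber EPC access the AAA server has seen over STa and SWm."""
    s2a_sessions: set = field(default_factory=set)  # subscribers with S2a up
    s2b_sessions: set = field(default_factory=set)  # subscribers with S2b up

    def on_trusted_access_request(self, subscriber, eap_attrs):
        """Fig. 2: authentication over STa from the TWAN. S2a is granted only
        when the UE explicitly asked for trusted EPC access; a missing
        attribute is treated as 'Untrusted', so such a UE gets NSWO only."""
        raw = eap_attrs.get("Requested-EPC-Mode")  # assumed attribute name
        mode = EpcMode(raw) if raw is not None else EpcMode.UNTRUSTED
        if mode is not EpcMode.TRUSTED:
            return "NSWO_ONLY"  # TWAN hands out a local IP, no S2a to the PGW
        self.s2a_sessions.add(subscriber)
        return "S2A_ALLOWED"

    def on_untrusted_access_request(self, subscriber):
        """Fig. 3: authentication over SWm from the ePDG. If the same
        subscriber already holds S2a, this S2b would be nested inside it."""
        if subscriber in self.s2a_sessions:
            return "S2B_BLOCKED_ALREADY_CONNECTED"  # AAA informs ePDG and UE
        self.s2b_sessions.add(subscriber)
        return "S2B_ALLOWED"


@dataclass
class Twag:
    """Fig. 5: watch S2a user payload; packets addressed to an ePDG are
    broken out to the local Internet behind NAT instead of going to the PGW."""
    epdg_addresses: set            # constructed ePDG addresses
    local_address: str             # TWAG's own Internet-facing address
    nat_table: dict = field(default_factory=dict)  # (ue_ip, ue_port) -> nat_port
    next_port: int = 40000         # assumed NAT port pool start

    def route_uplink(self, src_ip, src_port, dst_ip):
        """Return where the packet goes and the source the next hop will see."""
        if dst_ip not in self.epdg_addresses:
            return ("S2A_TO_PGW", src_ip, src_port)
        key = (src_ip, src_port)
        if key not in self.nat_table:  # first packet of this UE flow
            self.nat_table[key] = self.next_port
            self.next_port += 1
        return ("LOCAL_BREAKOUT", self.local_address, self.nat_table[key])

    def route_downlink(self, dst_port):
        """Map a reply arriving at the TWAG's local address back to the UE."""
        for (ue_ip, ue_port), nat_port in self.nat_table.items():
            if nat_port == dst_port:
                return (ue_ip, ue_port)
        return None  # no matching flow: drop


def demo():
    """Walk through the nested-connection scenario with constructed values."""
    aaa = AaaServer()
    legacy = aaa.on_trusted_access_request("imsi-legacy", {})
    modern = aaa.on_trusted_access_request("imsi-esamog", {"Requested-EPC-Mode": "Trusted"})
    nested = aaa.on_untrusted_access_request("imsi-esamog")  # S2b on top of S2a
    plain = aaa.on_untrusted_access_request("imsi-legacy")   # S2b only
    twag = Twag(epdg_addresses={"192.0.2.10"}, local_address="198.51.100.1")
    up = twag.route_uplink("10.0.0.5", 4500, "192.0.2.10")  # IKE/IPsec towards ePDG
    down = twag.route_downlink(up[2])
    return legacy, modern, nested, plain, up, down


if __name__ == "__main__":
    print(demo())
```

Two choices in the model follow the text directly: an absent attribute is treated as untrusted, so a legacy UE that never asks for trusted EPC access is steered to NSWO instead of being given an S2a connection it cannot use cleanly; and the S2b check is keyed on the same subscriber identity the AAA sees on both STa and SWm, which is what lets a single server notice the nesting. The NAT table in the TWAG model is the part that keeps ePDG replies from re-entering the PGW path.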

Abstract

The present invention provides apparatuses, methods, computer programs, computer program products and computer-readable media regarding blocking of nested connections. The present invention comprises receiving, at a server in a first wireless network, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network, analyzing, by the server, the message, and, if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network, determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked.

Description

Title
Blocking of nested connections
Field of the invention
The present invention relates to apparatuses, methods, systems, computer programs, computer program products and computer-readable media regarding blocking of nested connections.
Background of the invention
Abbreviations
3GPP 3rd Generation Partnership Project
AA Authentication, Authorization
AAA Authentication, Authorization, Accounting
AGW Access Network Gateway
AVP Attribute-Value Pair
DSMIP Dual Stack Mobile IP
EAP Extensible Authentication Protocol
EDGE Enhanced Datarate for GSM Evolution
EPC Evolved Packet Core
ePDG Evolved PDG
eSaMOG enhanced S2a Mobility Over GTP
GPRS General Packet Radio Service
GSM Global System for Mobile Communication
GTP GPRS Tunneling Protocol
HPLMN Home PLMN
HSS Home Subscriber Server
IMS IP Multimedia Subsystem
IP Internet Protocol
IPsec IP Security
LAN Local Area Network
LCS Location Services
LTE Long Term Evolution
LTE-A LTE Advanced
MIP Mobile IP
OSA Open Service Architecture
PDG Packet Data Gateway
PDN Packet Data Network
PDN-GW PDN-Gateway
PDP Packet Data Protocol
PGW PDN-Gateway
PLMN Public Land Mobile Network
PMIP Proxy Mobile IP
RAT Radio Access Technology
S2a: Interface between the UE - trusted access network - PGW
S2b: Interface between the UE - untrusted access network - ePDG - PGW
S2c: DSMIPv6 interface between the UE - PGW
STa: Interface between Trusted access network - AAA Server
SWm: Interface between untrusted access network - AAA Server
TS Technical Specification
TWAG Trusted WLAN Access Gateway
TWAN Trusted WLAN Access Network
UAGW Untrusted AGW (AGW in an untrusted access network)
UE User Equipment
UMTS Universal Mobile Telecommunications System
UTRAN Universal Terrestrial Radio Access Network
VPLMN Visited PLMN
WiFi Wireless Fidelity, also named WLAN
WLAN Wireless LAN
The present invention is related to the 3GPP WLAN interworking solutions specified in documents [1 ] and [2].
Currently, two types of WLAN access to the EPC are specified: trusted and untrusted (see details in document [2]). Whether a non-3GPP access network (such as a WLAN) is trusted or untrusted is not a characteristic of the access network but is decided by the respective 3GPP operator. That is, a non-3GPP network may be trusted for one 3GPP operator and untrusted for another. The signaling between an untrusted access network and the core network differs from that between a trusted access network and the core network.
The relevant interfaces for establishing a connection of the user equipment over a trusted or untrusted access network, as defined in document [2], are shown in Fig. 1.
In a trusted access network, a user equipment is connected to a Trusted WLAN Access Gateway (TWAG) which in turn is connected via the S2a interface with the P-GW in the EPC through a tunnel, e.g. GTP, MIP, or PMIP. In case of Wi-Fi, the Wi-Fi radio interface is secured using WPA2 mechanisms and security from the Wi-Fi access to EPC is provided by operator specific means.
In the case of untrusted network access, a so-called ePDG network entity is inserted between the untrusted access network and the core network. That is, the user equipment is connected to the ePDG in the EPC through a secure IPsec tunnel, and the ePDG is connected via the S2b interface to the P-GW through a tunnel, e.g. GTP or PMIP.
More specifically, the present invention is related to the case when a UE is connected to a trusted WLAN (TWAN) that provides transparent access to the EPC. This covers the trusted WLAN solution specified in Rel-11 and the Transparent Single Connection Mode (TSCM) specified in Rel-12. It is also applicable in scenarios where the UE is using the Single-Connection Mode (SCM) or Multi-Connection Mode (MCM) of S2a access but an application such as a VoWi-Fi client is not aware of this and sets up an S2b connection to the ePDG anyway.
The present invention is further related to the network scenario where the UE is connecting to a Trusted WLAN (TWAN), but the UE is configured to initiate an untrusted access or the UE is not aware that the network is trusted (i.e. the UE does not support trusted access). Any UE that does not support the Rel-12 eSaMOG feature can select and get connected to a Trusted WLAN Access Network using the so-called Transparent Single Connection Mode across the S2a interface according to current 3GPP specifications. However, the UE is not aware of the S2a interface and knows only that it has a Wi-Fi connection, and hence will seek to set up an untrusted connection via the ePDG.
Hence, in such a case, the UE and the ePDG may set up an S2b connection "inside" the TWAN's S2a connection, using it as transport. The UE first connects to the trusted access and receives an IP address from the PGW for the default APN; the connection path is [UE - TWAN - PGW]. In the case of Wi-Fi, the UE believes it has obtained an IP address from some Wi-Fi network. In the next step an application such as a Voice over Wi-Fi (VoWiFi) client wishes to set up a secure (IPsec-protected) connection to the IMS server. It triggers an S2b connection using the PGW-provided IP address as its own IP address. The IPsec connection to the ePDG is now routed over the S2a connection in the PGW to the ePDG, creating a nested connection within the PGW. The ePDG allocates a new IP address for the user from the PGW, possibly using the IMS APN, which differs from the default APN. When the UE sends a voice packet, it first generates an IP packet carrying the voice content with the S2b-provided IPsec tunnel IP address; this is then placed into an IP packet using the S2a-provided Wi-Fi IP address. The packet is thus routed as follows: UE (S2b over S2a) -> TWAN (S2a) -> PGW (S2a) -> ePDG (S2b) -> PGW (S2b) -> external data network, which is rather inefficient for the core network, causes double charging for the user and adds delay and congestion to the traffic.
Even though the UE is already connected to the EPC using the S2a interface, there might be a case where the UE is configured to (always) use untrusted access and will establish a second, nested connection (i.e. the second connection (S2b) being tunneled over the first connection (S2a)) to the EPC via the ePDG for the same traffic. This causes unnecessary resource utilization in the network besides inefficient data routing, since the UE finally uses the TWAN, the P-GW twice and the ePDG to connect towards the external packet network.
In such a case, also the 3GPP AAA Server will be involved twice, since both TWAN and ePDG will communicate with the AAA server, i.e. the TWAN is connected to the AAA server via the STa interface and the ePDG is connected to the AAA server via the SWm interface. This scenario can also cause double charging, which most probably is not acceptable.
Another option is that the deployment itself prevents the ePDG from being reached from a PDN GW, at least when both are in the same PLMN. Since the transparent mode generally is not allowed for roaming UEs, this deployment can also solve the situation. This might, however, also mean that the device is not able to make a voice call over Wi-Fi at all if it cannot create an ePDG connection.
References:
[1]: 3GPP TS 23.234
[2]: 3GPP TS 23.402
Summary of the Invention
It is therefore an object of the present invention to overcome the above mentioned problems and to provide apparatuses, methods, systems, computer programs, computer program products and computer-readable media regarding blocking of nested connections.
According to an aspect of the present invention there is provided a method comprising: receiving, at a server in a first wireless network, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network,
analyzing, by the server, the message,
if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network,
determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked.
According to another aspect of the present invention there is provided a method comprising: detecting, at a server in a first wireless network, that a trusted connection for traffic of the user equipment to the second wireless network is established,
detecting, that the user equipment is establishing an untrusted connection for the same traffic to the second wireless network, and
determining, by the server, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
According to another aspect of the present invention there is provided a method comprising: determining, in a user equipment, connection capabilities of the user equipment to a second wireless network,
transmitting, by the user equipment, information indicating the connection capabilities of the user equipment to a server in a first wireless network.
According to another aspect of the present invention there is provided a method comprising: monitoring, by a trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network,
detecting, at the trusted access gateway, that the trusted access gateway accesses an untrusted access gateway, and
determining, by the trusted access gateway, to establish a non-seamless offload connection from the user equipment to the second wireless network.
According to another aspect of the present invention there is provided an apparatus for use in a server in a first wireless network, comprising:
at least one processor,
and
at least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform:
receiving, at the server, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network,
analyzing, by the server, the message,
if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network,
determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked.
According to another aspect of the present invention there is provided an apparatus for use in a server in a first wireless network, comprising:
at least one processor,
and
at least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform:
detecting, at the server, that a trusted connection for traffic of the user equipment to the second wireless network is established,
detecting, that the user equipment is establishing an untrusted connection for the same traffic to the second wireless network, and
determining, by the server, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
According to another aspect of the present invention there is provided an apparatus for use in a user equipment, comprising:
at least one processor,
and
at least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform:
determining, in the user equipment, connection capabilities of the user equipment to a second wireless network,
transmitting, by the user equipment, information indicating the connection capabilities of the user equipment to a server in a first wireless network.
According to another aspect of the present invention there is provided an apparatus for use in a trusted access gateway, comprising:
at least one processor,
and
at least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform:
monitoring, by the trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network,
detecting, at the trusted access gateway, that the trusted access gateway accesses an untrusted access gateway, and
determining, by the trusted access gateway, to establish a non-seamless offload connection from the user equipment to the second wireless network.
According to another aspect of the present invention there is provided an apparatus comprising:
means for receiving, at a server in a first wireless network, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network,
means for analyzing, by the server, the message,
if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network,
means for determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked.
According to another aspect of the present invention there is provided an apparatus comprising:
means for detecting, at a server in a first wireless network, that a trusted connection for traffic of the user equipment to the second wireless network is established,
means for detecting, that the user equipment is establishing an untrusted connection for the same traffic to the second wireless network, and
means for determining, by the server, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
According to another aspect of the present invention there is provided an apparatus comprising:
means for determining, in a user equipment, connection capabilities of the user equipment to a second wireless network,
means for transmitting, by the user equipment, information indicating the connection capabilities of the user equipment to a server in a first wireless network.
According to another aspect of the present invention there is provided an apparatus comprising:
means for monitoring, by a trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network,
means for detecting, at the trusted access gateway, that the trusted access gateway accesses an untrusted access gateway, and
means for determining, by the trusted access gateway, to establish a non-seamless offload connection from the user equipment to the second wireless network.
According to another aspect of the present invention there is provided a computer program product comprising code means adapted to produce steps of any of the methods as described above when loaded into the memory of a computer.
According to a still further aspect of the invention there is provided a computer program product as defined above, wherein the computer program product comprises a computer- readable medium on which the software code portions are stored.
According to a still further aspect of the invention there is provided a computer program product as defined above, wherein the program is directly loadable into an internal memory of the processing device.
Brief Description of the Drawings
These and other objects, features, details and advantages will become more fully apparent from the following detailed description of aspects/embodiments of the present invention which is to be taken in conjunction with the appended drawings, in which:
Fig. 1 is an overview of interfaces in an example of a scenario to which some example versions of the present application are applicable;
Fig. 2 is a flowchart illustrating an example of a method according to some example versions of the present invention;
Fig. 3 is a flowchart illustrating another example of a method according to some example versions of the present invention;
Fig. 4 is a flowchart illustrating another example of a method according to some example versions of the present invention;
Fig. 5 is a flowchart illustrating another example of a method according to some example versions of the present invention;
Fig. 6 is a block diagram illustrating an example of an apparatus according to some example versions of the present invention.
Detailed Description
In the following, some example versions of the disclosure and embodiments of the present invention are described with reference to the drawings. For illustrating the present invention, the examples and embodiments will be described in connection with a cellular communication network based on a 3GPP based communication system, for example an LTE/LTE-A based system and a non-3GPP communication system, like WLAN for example. However, it is to be noted that the present invention is not limited to an application using such types of communication systems or communication networks, but is also applicable in other types of communication systems or communication networks, like for example 2G and 3G communication networks or other wireless communication networks and the like.
The following examples versions and embodiments are to be understood only as illustrative examples. Although the specification may refer to "an", "one", or "some" example version(s) or embodiment(s) in several locations, this does not necessarily mean that each such reference is to the same example version(s) or embodiment(s), or that the feature only applies to a single example version or embodiment. Single features of different embodiments may also be combined to provide other embodiments. Furthermore, words "comprising" and "including" should be understood as not limiting the described embodiments to consist of only those features that have been mentioned and such example versions and embodiments may also contain also features, structures, units, modules etc. that have not been specifically mentioned.
The basic system architecture of a communication network where examples of embodiments of the invention are applicable may comprise a commonly known architecture of one or more communication systems comprising a wired or wireless access network subsystem and a core network. Such an architecture may comprise one or more communication network control elements, access network elements, radio access network elements, access service network gateways or base transceiver stations, such as a base station (BS), an access point or an eNB, which control a respective coverage area or cell and with which one or more communication elements or terminal devices such as a UE or another device having a similar function, such as a modem chipset, a chip, a module etc., which can also be part of a UE or attached as a separate element to a UE, or the like, are capable to communicate via one or more channels for transmitting several types of data. Furthermore, core network elements such as gateway network elements, policy and charging control network elements, mobility management entities, operation and maintenance elements, and the like may be comprised.
The general functions and interconnections of the described elements, which also depend on the actual network type, are known to those skilled in the art and described in corresponding specifications, so that a detailed description thereof is omitted herein. However, it is to be noted that several additional network elements and signaling links may be employed for a communication to or from a communication element or terminal device like a UE and a communication network control element like a radio network controller, besides those described in detail herein below.
The communication network is also able to communicate with other networks, such as a public switched telephone network or the Internet. The communication network may also be able to support the usage of cloud services. It should be appreciated that BSs and/or eNBs or their functionalities may be implemented by using any node, host, server or access node etc. entity suitable for such a usage.
Furthermore, the described network elements and communication devices, such as terminal devices or user devices like UEs, communication network control elements of a cell, like a BS or an eNB, access network elements like APs and the like, network access control elements like AAA servers and the like, as well as corresponding functions as described herein may be implemented by software, e.g. by a computer program product for a computer, and/or by hardware. In any case, for executing their respective functions, correspondingly used devices, nodes or network elements may comprise several means, modules, units, components, etc. (not shown) which are required for control, processing and/or communication/signaling functionality. Such means, modules, units and components may comprise, for example, one or more processors or processor units including one or more processing portions for executing instructions and/or programs and/or for processing data, storage or memory units or means for storing instructions, programs and/or data, for serving as a work area of the processor or processing portion and the like (e.g. ROM, RAM, EEPROM, and the like), input or interface means for inputting data and instructions by software (e.g. floppy disc, CD-ROM, EEPROM, and the like), a user interface for providing monitor and manipulation possibilities to a user (e.g. a screen, a keyboard and the like), other interface or means for establishing links and/or connections under the control of the processor unit or portion (e.g. wired and wireless interface means, radio interface means comprising e.g. an antenna unit or the like, means for forming a radio communication part etc.) and the like, wherein respective means forming an interface, such as a radio communication part, can be also located on a remote site (e.g. a radio head or a radio station etc.). 
It is to be noted that in the present specification processing portions should not be only considered to represent physical portions of one or more processors, but may also be considered as a logical division of the referred processing tasks performed by one or more processors.
As described above, in a case where a UE does not support the trusted access model, a situation might arise in which a second, nested connection is established to the EPC via the ePDG for the same data, such that the UE finally uses the TWAN, the P-GW twice and the ePDG to connect towards the external packet network. That is, the second connection is tunneled over the first connection and creates a nested connection within the P-GW.
In such a case, the 3GPP AAA Server will also be involved twice, since both the TWAN and the ePDG communicate with the AAA server: the TWAN is connected to the AAA server via the STa interface and the ePDG via the SWm interface, as shown in Fig. 1. This scenario can also cause double charging, as the same data is sent twice through a PGW, which is not acceptable.
According to some example versions of the present invention, since the 3GPP AAA Server is involved twice in the above situation and performs access authentication and authorization both for the TWAN (via the STa interface) and for the ePDG (via the SWm interface), the AAA server should be able to detect the situation. According to 3GPP, trusted access shall use EAP-AKA' while untrusted access through the ePDG shall use EAP-AKA. It is the operator's decision whether to accept EAP-AKA also for trusted access, since many devices do not support EAP-AKA' at all.
Thus, according to some example versions of the present invention, the AAA server should not allow a connection via the S2b interface to be established on top of an already existing connection via the S2a interface. The connection should not simply be denied either, as this may prevent the use of a desired service such as VoWiFi, which requires an IPsec connection to the ePDG using untrusted access.
In order to establish an S2a connection to the EPC, the UE could explicitly indicate support for the S2a option in the EAP authentication towards the AAA server. Without this indication, the AAA server would only grant a Non-Seamless WLAN Offload connection to the UE, thereby connecting the UE directly to the Internet from the WLAN (without routing through the EPC).
For this indication, according to some example versions of the present invention, a new EAP attribute is defined.
The AAA server can already detect that the UE is trying to connect over S2b while it is connected over S2a, because the TWAG and the ePDG use different Diameter applications (STa and SWm) to convey trusted and untrusted authentication messages. If the AAA server detects this situation, it may refuse to authorize ePDG access, so that the S2b connection setup fails. This may, however, preclude the service for the user completely, since the application may choose to function only when the desired secure IPsec tunnel is established.
According to some example versions of the present invention, the UE could send such an indication to the AAA server during the authentication procedure, using a new EAP attribute 'Requested-EPC-Mode' with values such as, for example, [Offload | Trusted | Untrusted] or any combination of them. That is, the UE indicates during WLAN access authentication whether it wishes to set up an S2b connection to the EPC. This prevents the AAA server from authorizing trusted EPC access, and the WLAN instead creates a Non-Seamless WLAN Offload connection for the UE. In this new EAP attribute, the UE thus indicates the desired EPC mode, i.e. offload, trusted or untrusted, where the default (if there is no indication) is untrusted.
According to some example versions of the present invention, one option is to decline trusted WLAN EPC access if the UE does not indicate support for the trusted EPC concept during the EAP authentication. Currently, the UE does not indicate this at all, but such an indication could be added to the EAP authentication in the same way as the trusted indication is conveyed to the UE from the AAA server using the EAP AT_TRUST_IND attribute. If the UE does not indicate support for trusted WLAN EPC access but the user is eligible for WLAN service, the AAA server indicates to the WLAN that only a Non-Seamless WLAN Offload connection is authorized. For example, a new Boolean EAP attribute 'Trusted-Mode-Supported' could be added, or the previously introduced 'Requested-EPC-Mode' attribute could be used for this as well.
In another solution according to some example versions of the present invention, the AAA Server informs the TWAN that the UE shall not be connected over the S2a interface to the EPC if the subscriber information in the HSS/AAA indicates that the UE is configured to use the ePDG. Instead, Non-Seamless WLAN Offload mode is used and a local IP address is provided to the UE instead of an EPC-provided IP address.
The information to trigger this behavior in the TWAN/TWAG can be received from the AAA server during authentication or can be based on an indication from the UE, as set out above.
In another solution according to some example versions of the present invention, the AAA Server detects that the UE is establishing S2b even though S2a was already established. The AAA server informs the ePDG that S2b shall not be established, and informs the UE, with a new indication, that it is already connected to the EPC. This may, however, prevent the UE's service altogether if the application requires an IPsec connection to be established with the ePDG.
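To make the AAA-side logic above concrete, the following is an added example in Python; it is not code from the patent or from any 3GPP AAA implementation. It models the server's handling of the proposed 'Requested-EPC-Mode' EAP attribute (withholding trusted S2a access and falling back to Non-Seamless WLAN Offload when the UE does not claim trusted support or the HSS/AAA profile says it uses the ePDG) and the detection of an S2b setup for a subscriber who already holds an S2a session. Assumptions made for the example: the attribute uses the RFC 4187 TLV layout with a made-up skippable attribute type 200 and a one-byte mode bitmask; a UE that asks for both Trusted and Untrusted is treated as one that will go to the ePDG anyway; Diameter transport is reduced to the method names `authorize_sta` and `authorize_swm`; subscriber identity and the HSS profile are plain Python values.

```python
import struct

# Hypothetical EAP attribute carrying the UE's 'Requested-EPC-Mode'. Assumption:
# type 200, inside the skippable range (128..255) of RFC 4187, so an AAA server
# that does not know the attribute simply ignores it.
AT_REQUESTED_EPC_MODE = 200
MODE_OFFLOAD, MODE_TRUSTED, MODE_UNTRUSTED = 0x01, 0x02, 0x04


def encode_attr(attr_type, value):
    """RFC 4187 attribute layout: Type(1) | Length(1, in 4-byte units) | Value,
    zero-padded to a 4-byte boundary."""
    pad = (-(2 + len(value))) % 4
    body = value + b"\x00" * pad
    return struct.pack("!BB", attr_type, (2 + len(body)) // 4) + body


def parse_attrs(data):
    """Walk an attribute list; reject zero-length or truncated TLVs instead of
    looping forever or reading past the buffer."""
    attrs, offset = {}, 0
    while offset + 2 <= len(data):
        attr_type, length = struct.unpack_from("!BB", data, offset)
        end = offset + 4 * length
        if length == 0 or end > len(data):
            raise ValueError("malformed EAP attribute at offset %d" % offset)
        attrs[attr_type] = data[offset + 2:end]
        offset = end
    return attrs


def requested_mode(attrs):
    """First value byte is the mode bitmask (assumption). A UE that sends
    nothing is treated as 'untrusted', the default named in the text."""
    raw = attrs.get(AT_REQUESTED_EPC_MODE)
    return raw[0] if raw else MODE_UNTRUSTED


class AaaServer:
    """Minimal model of the 3GPP AAA server's bookkeeping across STa and SWm."""

    def __init__(self):
        self.sessions = {}   # subscriber identity -> set of authorized access types

    def authorize_sta(self, identity, eap_payload, profile):
        """TWAN authentication over STa. Returns the access the TWAN may grant:
        'S2a' (trusted EPC access) or 'NSWO' (Non-Seamless WLAN Offload)."""
        mode = requested_mode(parse_attrs(eap_payload))
        wants_trusted = bool(mode & MODE_TRUSTED) and not (mode & MODE_UNTRUSTED)
        # Trusted EPC access is withheld when the UE does not claim trusted
        # support, says it will use the untrusted path anyway, or the HSS/AAA
        # profile marks the subscriber as configured for the ePDG.
        decision = "S2a" if wants_trusted and not profile.get("uses_epdg") else "NSWO"
        self.sessions.setdefault(identity, set()).add(decision)
        return decision

    def authorize_swm(self, identity):
        """ePDG authentication over SWm. A subscriber that already holds an S2a
        session is about to nest S2b inside it: report it instead of authorizing."""
        active = self.sessions.setdefault(identity, set())
        if "S2a" in active:
            return {"authorize": False, "reason": "S2b requested over existing S2a",
                    "inform_ue": "already connected to EPC"}
        active.add("S2b")
        return {"authorize": True, "reason": None, "inform_ue": None}


if __name__ == "__main__":
    aaa = AaaServer()
    legacy = b""                                            # UE sends no attribute
    modern = encode_attr(AT_REQUESTED_EPC_MODE, bytes([MODE_TRUSTED]))
    print("legacy UE over STa :", aaa.authorize_sta("imsi-1", legacy, {}))
    print("trusted UE over STa:", aaa.authorize_sta("imsi-2", modern, {}))
    print("trusted UE over SWm:", aaa.authorize_swm("imsi-2"))
```

The parser deliberately refuses a zero-length TLV: with length expressed in 4-byte units, a zero length would otherwise leave the offset unchanged and spin the loop, which is the kind of input a hostile WLAN client can send to an AAA front end.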
In another solution, the TWAG may detect access to the ePDG by monitoring the user payload in the S2a connection. If it detects that an ePDG IP address is being accessed, the TWAG could route the packet to the Internet directly without going through the PGW. This would be similar to the non-seamless offload scenario, except that the UE is now using the EPC-assigned source IP address instead of a local IP address (which has not been assigned to the UE). The TWAG would need to apply NAT to these packets so that any responses are delivered from the Internet directly to the TWAG without going through the PGW.
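The TWAG-side variant above, as an added example in Python that is not the patent's code: a classifier that inspects the outer IPv4 header of uplink S2a traffic, sends packets addressed to a configured ePDG out through a local breakout path behind source NAT, and maps the replies back to the UE's EPC-assigned address. Assumptions made here: the ePDG and NAT addresses are documentation-range values chosen for the example; packets are constructed with the `build_udp` helper rather than captured; IKE and NAT-traversal ESP are UDP (ports 500 and 4500, RFC 3948), so port-based NAT suffices and bare ESP addressed to the ePDG is dropped rather than translated.

```python
import ipaddress
import struct

UDP = 17
# Assumed deployment data (documentation address ranges): the ePDG address(es)
# the TWAG knows from configuration, and the TWAG's own address for source NAT.
EPDG_ADDRESSES = {"203.0.113.10"}
TWAG_NAT_ADDRESS = "198.51.100.1"


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src, dst, sport, dport, payload):
    """Construct a sample IPv4/UDP packet (test input only; UDP checksum 0)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + udp


def parse_ipv4(pkt):
    """Outer header only: (proto, src, dst, header_len); raises on bad input."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", pkt)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), ihl


def udp_ports(pkt, ihl):
    return struct.unpack_from("!HH", pkt, ihl)


def rewrite(pkt, ihl, src=None, dst=None, sport=None, dport=None):
    """Rewrite addresses/ports, recompute the IP checksum and zero the UDP one
    (a zero UDP checksum is a legal 'none' for UDP over IPv4)."""
    hdr, udp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:ihl + 8])
    if src is not None:
        hdr[12:16] = ipaddress.IPv4Address(src).packed
    if dst is not None:
        hdr[16:20] = ipaddress.IPv4Address(dst).packed
    if sport is not None:
        udp[0:2] = struct.pack("!H", sport)
    if dport is not None:
        udp[2:4] = struct.pack("!H", dport)
    udp[6:8] = b"\x00\x00"
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + bytes(udp) + pkt[ihl + 8:]


class TwagBreakout:
    """Steers UE packets addressed to an ePDG off the S2a/PGW path with NAT."""

    def __init__(self, epdg_addresses, nat_address, first_port=40000):
        self.epdg = set(epdg_addresses)
        self.nat_address = nat_address
        self.next_port = first_port
        self.out = {}    # (ue_ip, ue_port, epdg_ip, epdg_port) -> nat_port
        self.back = {}   # (epdg_ip, epdg_port, nat_port) -> (ue_ip, ue_port)

    def uplink(self, pkt):
        proto, src, dst, ihl = parse_ipv4(pkt)
        if dst not in self.epdg:
            return "to_pgw", pkt                 # ordinary S2a traffic
        if proto != UDP or len(pkt) < ihl + 8:
            return "drop", None                  # bare ESP has no ports to translate
        sport, dport = udp_ports(pkt, ihl)
        key = (src, sport, dst, dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(dst, dport, self.next_port)] = (src, sport)
            self.next_port += 1
        return "local_breakout", rewrite(pkt, ihl, src=self.nat_address, sport=self.out[key])

    def downlink(self, pkt):
        proto, src, dst, ihl = parse_ipv4(pkt)
        if proto != UDP or dst != self.nat_address or len(pkt) < ihl + 8:
            return "drop", None
        sport, dport = udp_ports(pkt, ihl)
        ue = self.back.get((src, sport, dport))
        if ue is None:
            return "drop", None                  # no state: not a reply to breakout traffic
        return "to_ue", rewrite(pkt, ihl, dst=ue[0], dport=ue[1])
```

The forwarding decision is keyed on a destination address chosen by the UE, so the ePDG list must come from operator configuration rather than be learned from traffic, and the breakout path needs the same egress policy as ordinary NSWO traffic; the NAT state table also needs a timeout in a real gateway, which is omitted here.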
It is noted that each of the above described solutions according to some example versions of the present invention could be used alone and that also any suitable combination of these solutions could be used too.
In the following, a more general description of some example version of embodiments of the present invention is made with respect to Figs. 2 to 6.
Fig. 2 is a flowchart illustrating an example of a method according to example versions of the present invention.
According to example versions of the present invention, the method may be implemented in a server, like an authentication server, AAA server, or the like. The method comprises receiving, at a server in a first wireless network, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network in a step S21, analyzing, by the server, the message in a step S22, and, if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network, determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked in a step S23.
According to some example versions of the present invention, the establishment of the trusted connection is also blocked if it is indicated in the message that the user equipment is configured to support establishment of an untrusted connection to the second wireless network or if it is indicated in the message that the user equipment is configured to support establishment of a non-seamless offload connection to the second wireless network.
According to some example versions of the present invention, the method further comprises determining, by the server, that a non-seamless offload connection is to be created instead.
According to some example versions of the present invention, the method further comprises informing, by the server, a gateway in a trusted access network, when the establishment of the trusted connection of the user equipment to the second wireless network is to be blocked.
Fig. 3 is a flowchart illustrating another example of a method according to example versions of the present invention.
According to some example versions of the present invention, the method may be implemented in a server, like an authentication server, AAA server, or the like. The method comprises detecting, at a server in a first wireless network, that a trusted connection for traffic of the user equipment to a second wireless network is established in a step S31, detecting, that the user equipment is establishing an untrusted connection for the same traffic to the second wireless network in a step S32, and determining, by the server, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked in a step S33.
According to some example versions of the present invention, the method further comprises informing, by the server, a packet gateway in the first wireless network, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
According to some example versions of the present invention, the packet gateway is an evolved packet data gateway, ePDG, in the first wireless network.
According to some example versions of the present invention, the method further comprises informing, by the server, the user equipment that the trusted connection of the user equipment to the second wireless network is established.
Fig. 4 is a flowchart illustrating another example of a method according to example versions of the present invention.
According to example versions of the present invention, the method may be implemented in a user equipment, or the like. The method comprises determining, in a user equipment, connection capabilities of the user equipment to a second wireless network in a step S41, and transmitting, by the user equipment, information indicating the connection capabilities of the user equipment to a server in a first wireless network in a step S42.
According to some example versions of the present invention, the connection capabilities indicate, whether the user equipment is configured to support establishment of a trusted connection and/or an untrusted connection to the second wireless network.
According to some example versions of the present invention, the first wireless network is a network according to a third generation partnership project network type, and the second wireless network is a network different from the third generation partnership project network type.
According to some example versions of the present invention, the connection capabilities are included in an extensible authentication protocol, EAP, attribute.
According to some example versions of the present invention, the server is an authentication server in the first wireless network.
Fig. 5 is a flowchart illustrating another example of a method according to example versions of the present invention.
According to example versions of the present invention, the method may be implemented in a trusted access gateway, like a TWAG, or the like. The method comprises monitoring, by a trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network in a step S51, detecting, at the trusted access gateway, that the trusted access gateway accesses an untrusted access gateway in a step S52, and determining, by the trusted access gateway, to establish a non-seamless offload connection from the user equipment to the second wireless network in a step S53.
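The following Python model is an added worked example, not code from the patent or from Nokia, that walks through the decisions of Figs. 2 to 5 together: the user equipment encodes its connection capabilities (Fig. 4), the server blocks a trusted connection the UE cannot support and proposes non-seamless offload instead (Fig. 2, including the claim 2 variant as an option), the server blocks an untrusted connection that would be nested inside an already established trusted connection and informs the ePDG and the UE (Fig. 3), and the trusted access gateway detects payload toward an untrusted access gateway and decides non-seamless offload (Fig. 5). The attribute layout (type number 0xE1, flag bits), the (subscriber, APN) key used to identify "the same traffic", and the IKEv2-port heuristic the TWAG uses to recognise an ePDG tunnel are all assumptions of this example; the page only states that the capabilities travel in an EAP attribute and that the TWAG monitors user payload.

```python
"""Added model of the capability exchange and the blocking decisions of Figs. 2 to 5."""
from dataclasses import dataclass, field
from enum import Enum

# Assumed TLV carrying the UE's connection capabilities inside an EAP attribute:
# type (1 octet) | length in 4-octet units (1 octet) | flags (1 octet) | pad (1 octet).
# The type number and the bit assignments are assumptions made for this example.
AT_UE_CONN_CAPS = 0xE1
CAP_TRUSTED, CAP_UNTRUSTED, CAP_NSWO = 0x01, 0x02, 0x04


@dataclass(frozen=True)
class Capabilities:
    trusted: bool    # UE can set up a trusted connection (via the TWAG)
    untrusted: bool  # UE can set up an untrusted connection (IPsec tunnel to an ePDG)
    nswo: bool       # UE can use non-seamless WLAN offload


def build_capability_attribute(caps: Capabilities) -> bytes:
    """UE side (Fig. 4, steps S41/S42): encode the capabilities for the EAP exchange."""
    flags = ((CAP_TRUSTED if caps.trusted else 0)
             | (CAP_UNTRUSTED if caps.untrusted else 0)
             | (CAP_NSWO if caps.nswo else 0))
    return bytes([AT_UE_CONN_CAPS, 1, flags, 0])


def parse_capability_attribute(attr: bytes) -> Capabilities:
    """Server side: accept only a well-formed 4-octet attribute, reject everything else."""
    if len(attr) != 4 or attr[0] != AT_UE_CONN_CAPS or attr[1] != 1:
        raise ValueError("malformed UE capability attribute")
    flags = attr[2]
    return Capabilities(bool(flags & CAP_TRUSTED), bool(flags & CAP_UNTRUSTED),
                        bool(flags & CAP_NSWO))


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    BLOCK_USE_NSWO = "block trusted connection, use non-seamless offload instead"


@dataclass
class AaaServer:
    """Server decisions of Figs. 2 and 3; traffic is identified by (subscriber, APN)."""
    trusted_sessions: set = field(default_factory=set)
    twag_notices: list = field(default_factory=list)  # to the gateway in the trusted access network
    epdg_notices: list = field(default_factory=list)  # to the packet gateway (ePDG)
    ue_notices: list = field(default_factory=list)

    def on_capabilities(self, sub, apn, attr, avoid_nesting=False) -> Decision:
        """Fig. 2 (claims 1 to 4): decide whether the trusted connection may be set up."""
        caps = parse_capability_attribute(attr)
        block = not caps.trusted
        if avoid_nesting and (caps.untrusted or caps.nswo):  # claim 2 variant
            block = True
        if block:
            self.twag_notices.append((sub, apn, "block trusted connection"))
            return Decision.BLOCK_USE_NSWO if caps.nswo else Decision.BLOCK
        return Decision.ALLOW

    def trusted_established(self, sub, apn):
        """Fig. 3, step S31: a trusted connection for this traffic now exists."""
        self.trusted_sessions.add((sub, apn))

    def on_untrusted_attempt(self, sub, apn) -> Decision:
        """Fig. 3, steps S32/S33: an ePDG tunnel for traffic already carried on the
        trusted connection would nest one connection inside the other, so block it."""
        if (sub, apn) in self.trusted_sessions:
            self.epdg_notices.append((sub, apn, "block untrusted connection"))
            self.ue_notices.append((sub, apn, "trusted connection already established"))
            return Decision.BLOCK
        return Decision.ALLOW


# Assumption: the TWAG recognises an ePDG tunnel by IKEv2 traffic to a known ePDG address.
IKEV2_PORTS = {500, 4500}


@dataclass
class Twag:
    """Trusted access gateway of Fig. 5: inspects payload for tunnels toward an ePDG."""
    epdg_addresses: frozenset
    nswo_decisions: list = field(default_factory=list)

    def inspect(self, sub, apn, dst_ip, dst_port, proto) -> bool:
        """Steps S51 to S53: True when the payload shows the UE reaching an ePDG over
        the trusted connection; non-seamless offload is then decided for that UE."""
        if proto == "udp" and dst_port in IKEV2_PORTS and dst_ip in self.epdg_addresses:
            self.nswo_decisions.append((sub, apn))
            return True
        return False


if __name__ == "__main__":
    srv = AaaServer()
    attr = build_capability_attribute(Capabilities(trusted=False, untrusted=True, nswo=True))
    print("Fig. 2:", srv.on_capabilities("sub-1", "internet", attr).value)
    srv.trusted_established("sub-2", "internet")
    print("Fig. 3:", srv.on_untrusted_attempt("sub-2", "internet").value)
    twag = Twag(frozenset({"198.51.100.10"}))  # constructed sample ePDG address
    print("Fig. 5:", twag.inspect("sub-3", "internet", "198.51.100.10", 500, "udp"))
```

The server keeps the notices it would send as plain lists so the flow can be inspected; in a real AAA server these would be messages to the TWAG, the ePDG and the UE over the respective interfaces.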
Fig. 6 is a block diagram showing an example of an apparatus according to some example versions of the present invention.
In Fig. 6, a block circuit diagram illustrating a configuration of an apparatus 60 is shown, which is configured to implement the above described aspects of the invention. It is to be noted that the apparatus 60 shown in Fig. 6 may comprise several further elements or functions besides those described herein below, which are omitted herein for the sake of simplicity as they are not essential for understanding the invention. Furthermore, the apparatus may be also another device having a similar function, such as a chipset, a chip, a module etc., which can also be part of an apparatus or attached as a separate element to the apparatus, or the like.
The apparatus 60 may comprise a processing function or processor 61, such as a CPU or the like, which executes instructions given by programs or the like. The processor 61 may comprise one or more processing portions dedicated to specific processing as described below, or the processing may be run in a single processor. Portions for executing such specific processing may be also provided as discrete elements or within one or further processors or processing portions, such as in one physical processor like a CPU or in several physical entities, for example. Reference sign 62 denotes transceiver or input/output (I/O) units (interfaces) connected to the processor 61. The I/O units 62 may be used for communicating with one or more other network elements, entities, terminals or the like. The I/O units 62 may be a combined unit comprising communication equipment towards several network elements, or may comprise a distributed structure with a plurality of different interfaces for different network elements. The apparatus 60 further comprises at least one memory 63 usable, for example, for storing data and programs to be executed by the processor 61 and/or as a working storage of the processor 61.
The processor 61 is configured to execute processing related to the above described aspects. In particular, the apparatus 60 may be implemented in or may be part of a server, like an authentication server, AAA server, or the like, and may be configured to perform a method as described in connection with Fig. 2. Thus, the processor 61 is configured to perform receiving, at a server in a first wireless network, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network, analyzing, by the server, the message, if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network, determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked.
According to some example versions of the present invention, the apparatus 60 may be implemented in or may be part of a server, like an authentication server, AAA server, or the like, and may be configured to perform a method as described in connection with Fig. 3. Thus, the processor 61 is configured to perform detecting, at a server, that a trusted connection for traffic of the user equipment to a second wireless network is established, detecting, that the user equipment is establishing an untrusted connection for the same traffic to the second wireless network, and determining, by the server, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
According to example versions of the present invention, the apparatus 60 may be implemented in or may be part of user equipment or the like, and may be configured to perform a method as described in connection with Fig. 4. Thus, the processor 61 is configured to perform determining, in a user equipment, connection capabilities of the user equipment to a second wireless network, transmitting, by the user equipment, information indicating the connection capabilities of the user equipment to a server in a first wireless network.
According to example versions of the present invention, the apparatus 60 may be implemented in or may be part of trusted access gateway, like a TWAG, or the like, and may be configured to perform a method as described in connection with Fig. 5. Thus, the processor 61 is configured to perform monitoring, by a trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network, detecting, at the trusted access gateway, that the trusted access gateway accesses an untrusted access gateway, and determining, by the trusted access gateway, to establish a non-seamless offload connection from the user equipment to the second wireless network.
For further details regarding the functions of the apparatus 60, reference is made to the description of the methods according to some example versions of the present invention as described in connection with Figs. 2 to 5.
Thus, it is noted that the apparatus for use in a server, the apparatus for use in a user equipment, and the apparatus for use in a trusted access gateway generally have the same structural components, wherein these components are configured to execute the respective functions of the server, the user equipment, and the trusted access gateway, respectively, as set out above.
In the foregoing exemplary description of the apparatus, only the units/means that are relevant for understanding the principles of the invention have been described using functional blocks. The apparatus may comprise further units/means that are necessary for its respective operation, respectively. However, a description of these units/means is omitted in this specification. The arrangement of the functional blocks of the apparatus is not construed to limit the invention, and the functions may be performed by one block or further split into sub-blocks.
When in the foregoing description it is stated that the apparatus (or some other means) is configured to perform some function, this is to be construed to be equivalent to a description stating that a (i.e. at least one) processor or corresponding circuitry, potentially in cooperation with computer program code stored in the memory of the respective apparatus, is configured to cause the apparatus to perform at least the thus mentioned function. Also, such function is to be construed to be equivalently implementable by specifically configured circuitry or means for performing the respective function (i.e. the expression "unit configured to" is construed to be equivalent to an expression such as "means for").
For the purpose of the present invention as described herein above, it should be noted that
- method steps likely to be implemented as software code portions and being run using a processor at an apparatus (as examples of devices, apparatuses and/or modules thereof, or as examples of entities including apparatuses and/or modules therefore), are software code independent and can be specified using any known or future developed programming language as long as the functionality defined by the method steps is preserved;
- generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the aspects/embodiments and its modification in terms of the functionality implemented;
- method steps and/or devices, units or means likely to be implemented as hardware components at the above-defined apparatuses, or any module(s) thereof, (e.g., devices carrying out the functions of the apparatuses according to the aspects/embodiments as described above) are hardware independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS (Metal Oxide Semiconductor), CMOS (Complementary MOS), BiMOS (Bipolar MOS), BiCMOS (Bipolar CMOS), ECL (Emitter Coupled Logic), TTL (Transistor-Transistor Logic), etc., using for example ASIC (Application Specific IC (Integrated Circuit)) components, FPGA (Field-programmable Gate Arrays) components, CPLD (Complex Programmable Logic Device) components or DSP (Digital Signal Processor) components;
- devices, units or means (e.g. the above-defined apparatuses, or any one of their respective units/means) can be implemented as individual devices, units or means, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device, unit or means is preserved;
- an apparatus may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of an apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor;
- a device may be regarded as an apparatus or as an assembly of more than one apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
In general, it is to be noted that respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts. The mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
Generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention. Devices and means can be implemented as individual devices, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person.
Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code means/portions or embodied in a signal or in a chip, potentially during processing thereof.
It is noted that the aspects/embodiments and general and specific examples described above are provided for illustrative purposes only and are in no way intended that the present invention is restricted thereto. Rather, it is the intention that all variations and modifications which fall within the scope of the appended claims are covered.

Claims

1. A method, comprising:
receiving, at a server in a first wireless network, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network,
analyzing, by the server, the message,
if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network,
determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked.
2. The method according to claim 1, wherein
the establishment of the trusted connection is also blocked if it is indicated in the message that the user equipment is configured to support establishment of an untrusted connection to the second wireless network or if it is indicated in the message that the user equipment is configured to support establishment of a non-seamless offload connection to the second wireless network.
3. The method according to claim 1 or 2, further comprising
determining, by the server, that establishment of a non-seamless offload connection is to be created instead.
4. The method according to any one of claims 1 to 3, further comprising
informing, by the server, a gateway in a trusted access network, when the establishment of the trusted connection of the user equipment to the second wireless network is to be blocked.
5. A method, comprising:
detecting, at a server, that a trusted connection for traffic of the user equipment to a second wireless network is established,
detecting, that the user equipment is establishing an untrusted connection for the same traffic to the second wireless network, and
determining, by the server, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
6. The method according to claim 5, further comprising informing, by the server, a packet gateway in the first wireless network, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
7. The method according to claim 6, wherein
the packet gateway is an enhanced packet data network gateway, ePDG, in the first wireless network.
8. The method according to any one of claims 5 to 7, further comprising
informing, by the server, the user equipment that the trusted connection of the user equipment to the second wireless network is established.
9. A method, comprising:
determining, in a user equipment, connection capabilities of the user equipment to a second wireless network,
transmitting, by the user equipment, information indicating the connection capabilities of the user equipment to a server in a first wireless network.
10. The method according to claim 9, wherein
the connection capabilities indicate, whether the user equipment is configured to support establishment of a trusted connection and/or an untrusted connection to the second wireless network.
11. The method according to any one of the preceding claims, wherein
the first wireless network is a network according to a third generation partnership project network type, and
the second wireless network is a network different from the third generation partnership project network type.
12. The method according to any one of the preceding claims, wherein
the connection capabilities are included in an extensible authentication protocol, EAP, attribute.
13. The method according to any one of the preceding claims, wherein
the server is an authentication server in the first wireless network.
14. A method, comprising:
monitoring, by a trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network,
detecting, at the trusted access gateway, that the trusted access gateway accesses an untrusted access gateway, and
determining, by the trusted access gateway, to establish a non-seamless offload connection from the user equipment to the second wireless network.
15. An apparatus for use in a server in a first wireless network, comprising:
at least one processor,
and
at least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform:
receiving, at the server, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network,
analyzing, by the server, the message,
if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network,
determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked.
16. The apparatus according to claim 15, wherein
the establishment of the trusted connection is also blocked if it is indicated in the message that the user equipment is configured to support establishment of an untrusted connection to the second wireless network or if it is indicated in the message that the user equipment is configured to support establishment of a non-seamless offload connection to the second wireless network.
17. The apparatus according to claim 15 or 16, wherein the at least one memory and the instructions are further configured to, with the at least one processor, cause the apparatus at least to perform:
determining, by the server, that establishment of a non-seamless offload connection is to be created instead.
18. The method according to any one of claims 15 to 17, wherein the at least one memory and the instructions are further configured to, with the at least one processor, cause the apparatus at least to perform:
informing, by the server, a gateway in a trusted access network, when the establishment of the trusted connection of the user equipment to the second wireless network is to be blocked.
19. An apparatus for use in a server in a first wireless network, comprising:
at least one processor,
and
at least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform:
detecting, at a server, that a trusted connection for traffic of the user equipment to the second wireless network is established,
detecting, that the user equipment is establishing an untrusted connection for the same traffic to the second wireless network, and
determining, by the server, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
20. The method according to claim 19, wherein the at least one memory and the instructions are further configured to, with the at least one processor, cause the apparatus at least to perform:
informing, by the server, a packet gateway in the first wireless network, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
21. The method according to claim 20, wherein
the packet gateway is an enhanced packet data network gateway, ePDG, in the first wireless network.
22. The method according to any one of claims 19 to 21, wherein the at least one memory and the instructions are further configured to, with the at least one processor, cause the apparatus at least to perform:
informing, by the server, the user equipment that the trusted connection of the user equipment to the second wireless network is established.
23. An apparatus for use in a user equipment, comprising:
at least one processor,
and
at least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform:
determining, in a user equipment, connection capabilities of the user equipment to a second wireless network,
transmitting, by the user equipment, information indicating the connection capabilities of the user equipment to a server in a first wireless network.
24. The method according to claim 23, wherein
the connection capabilities indicate, whether the user equipment is configured to support establishment of a trusted connection and/or an untrusted connection to the second wireless network.
25. The method according to claims 15 to 24, wherein
the first wireless network is a network according to a third generation partnership project network type, and
the second wireless network is a network different from the third generation partnership project network type.
26. The method according to claims 15 to 25, wherein
the connection capabilities are included in an extensible authentication protocol, EAP, attribute.
27. The method according to claims 15 to 26, wherein
the server is an authentication server in the first wireless network.
28. An apparatus for use in a trusted access gateway, comprising:
at least one processor,
and at least one memory for storing instructions to be executed by the processor, wherein the at least one memory and the instructions are configured to, with the at least one processor, cause the apparatus at least to perform:
monitoring, by the trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network,
detecting, at the trusted access gateway, that the trusted access gateway accesses an untrusted access gateway, and
determining, by the trusted access gateway, to establish a non-seamless offload connection from the user equipment to the second wireless network.
29. A computer program product including a program for a processing device, comprising software code portions for performing the method of any one of claims 1 to 14 when the program is run on the processing device.
30. The computer program product according to claim 29, wherein the computer program product comprises a computer-readable medium on which the software code portions are stored.
31. The computer program product according to claim 29, wherein the program is directly loadable into an internal memory of the processing device.
32. An apparatus, comprising:
means for receiving, at a server in a first wireless network, a message from a user equipment indicating connection capabilities of the user equipment to a second wireless network,
means for analyzing, by the server, the message,
if it is indicated in the message that the user equipment is not configured to support establishment of a trusted connection to the second wireless network,
means for determining, by the server, that establishment of a trusted connection of the user equipment to the second wireless network is to be blocked.
33. An apparatus, comprising:
means for detecting, at a server in a first wireless network, that a trusted connection for traffic of the user equipment to a second wireless network is established,
means for detecting, that the user equipment is establishing an untrusted connection for the same traffic to the second wireless network, and
means for determining, by the server, that the establishment of the untrusted connection of the user equipment to the second wireless network is to be blocked.
34. An apparatus, comprising:
means for determining, in a user equipment, connection capabilities of the user equipment to a second wireless network,
means for transmitting, by the user equipment, information indicating the connection capabilities of the user equipment to a server in a first wireless network.
35. An apparatus, comprising:
means for monitoring, by a trusted access gateway, user payload on a trusted connection of a user equipment to a second wireless network,
means for detecting, at the trusted access gateway, that the trusted access gateway accesses an untrusted access gateway, and
means for determining, by the trusted access gateway, to establish a non-seamless offload connection from the user equipment to the second wireless network.
PCT/EP2014/075621 2014-11-26 2014-11-26 Blocking of nested connections WO2016082872A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2014/075621 WO2016082872A1 (en) 2014-11-26 2014-11-26 Blocking of nested connections


Publications (1)

Publication Number Publication Date
WO2016082872A1 (en) 2016-06-02

Family

ID=52011179


Country Status (1)

Country Link
WO (1) WO2016082872A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017219673A1 (en) * 2016-06-21 2017-12-28 中兴通讯股份有限公司 Vowifi network access method and system, and terminal

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080316972A1 (en) * 2007-06-22 2008-12-25 Interdigital Technology Corporation Resource management for mobility between different wireless communications architectures
EP2611228A1 (en) * 2011-12-27 2013-07-03 Alcatel Lucent Allowing access to services delivered by a service delivery platform in a 3GPP HPLM, to an user equipment connected over a trusted non-3GPP access network
WO2013131741A1 (en) * 2012-03-07 2013-09-12 Nokia Siemens Networks Oy Access mode selection based on user equipment selected access network identity
WO2013139879A1 (en) * 2012-03-23 2013-09-26 Nokia Siemens Networks Oy Trust indication for wlan access networks
US20130265985A1 (en) * 2012-04-10 2013-10-10 Motorola Mobility, Inc. Wireless communication device, communication system and method for establishing data connectivity between a wireless communicaiton device and a first access network
US20130272163A1 (en) * 2012-04-13 2013-10-17 Zu Qiang Non-seamless offload indicator
US20140093071A1 (en) * 2012-10-02 2014-04-03 Telefonaktiebolaget L M Ericsson (Publ) Support of multiple pdn connections over a trusted wlan access


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Architecture enhancements for non-3GPP accesses (Release 10)", 3GPP STANDARD; 3GPP TS 23.402, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V10.2.0, 17 December 2010 (2010-12-17), pages 1 - 228, XP050462100 *



Legal Events

Code Title Description
WWE Wipo information: entry into national phase (Ref document number: 139450140003009776; Country of ref document: IR)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14808551; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14808551; Country of ref document: EP; Kind code of ref document: A1)