WO2016202406A1 - Home redirect to an evolved packet data gateway (ePDG) - Google Patents


Info

Publication number: WO2016202406A1
Authority: WO (WIPO, PCT)
Prior art keywords: gateway device, address, tunnel, request, identity
Application number: PCT/EP2015/063851
Other languages: English (en)
Inventors: Gabor Ungvari, Gyorgy Tamas Wolfner, Jari Pekka Mustajarvi
Original assignee: Nokia Solutions And Networks Oy
Application filed by Nokia Solutions And Networks Oy; priority to PCT/EP2015/063851; published as WO2016202406A1.

Classifications

    • H04W 48/18: Selecting a network or a communication service (under H04W 48/00 Access restriction; Network selection; Access point selection)
    • H04W 12/03: Protecting confidentiality, e.g. by encryption (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 12/06: Authentication (under H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity)
    • H04W 88/16: Gateway arrangements (under H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices)
    • H04L 63/0892: Network architectures or network communication protocols for network security, for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols (under H04L 63/00 and H04L 63/08)
    • H04L 63/164: Implementing security features at a particular protocol layer, at the network layer (under H04L 63/00 and H04L 63/16)
    • H04W 76/20: Manipulation of established connections (under H04W 76/00 Connection management)
    • All of the above fall under H (Electricity), H04 (Electric communication technique), H04W (Wireless communication networks) and H04L (Transmission of digital information, e.g. telegraphic communication).

Definitions

  • the present invention relates to an apparatus, a method, and a computer program product related to non-3GPP access. More particularly, the present invention relates to an apparatus, a method, and a computer program product related to ePDG home redirect.
  • WiFi: Wireless Fidelity, also named WLAN
  • 3GPP specifies two types of non-3GPP access to the EPC: trusted and untrusted (see details in 3GPP TS 23.402). Whether a non-3GPP access network (such as a WLAN network) is trusted or untrusted is not a characteristic of the non-3GPP access network but decided by the respective 3GPP operator. I.e., a non-3GPP network may be trusted for one 3GPP operator and untrusted for another 3GPP operator.
  • the PDN-GW is the user plane anchor for mobility between 3GPP access and trusted non- 3GPP access.
  • The ePDG serves as the tunnel endpoint of the SWu interface to the UE: the UE establishes an IPsec tunnel to the ePDG through the untrusted non-3GPP network in order to access the EPC via a WLAN.
  • The ePDG may be responsible for handling the local and remote IP addresses and for routing packets between the PDN GW and the UE, e.g. according to 3GPP TS 23.402.
  • The ePDG belongs to the domain of a 3GPP operator, which may be the operator of the HPLMN or the operator of another 3GPP network (VPLMN).
  • 3GPP TS 23.402 defines two options for ePDG selection by the UE: static and dynamic.
  • With static configuration, the home operator may configure the UE to select an ePDG in the HPLMN. This is not a flexible solution, as in this case the UE always selects an ePDG in the HPLMN. E.g., it is not possible to configure that the UE selects an ePDG in the HPLMN only when it roams in specific VPLMNs.
  • If dynamic ePDG selection is applied, the UE first tries to find an ePDG in the VPLMN. It only selects an ePDG in the HPLMN if no ePDG has been found in the VPLMN.
  • The 3GPP SA2 and CT1 working groups received a request to enable the home operator to set a preference for a roaming UE to connect to an ePDG in the HPLMN instead of an ePDG in the VPLMN. This request was related to the Voice over WiFi profile definition.
  • an apparatus comprising deciding means adapted to decide if a terminal using an identity is to be redirected from a first gateway device to a second gateway device comprised in a set of one or more gateway devices, wherein the identity is received in an identity request from the first gateway device for at least one of an authentication and an authorization of the identity, wherein at least one of the one or more gateway devices of the set is different from the first gateway device; providing means adapted to provide, if the terminal is to be redirected, an address of the set.
  • the providing means may be adapted to provide the address of the set to the first gateway device.
  • the providing means may be adapted to provide the address of the set to the terminal in a challenge request, and the challenge request may belong to a procedure for the respective at least one of the authentication and the authorization of the identity.
  • the apparatus may further comprise monitoring means adapted to monitor if the first gateway device belongs to a home network to which the apparatus belongs; inhibiting means adapted to inhibit the deciding means from deciding that the terminal is to be redirected if the first gateway device belongs to the home network.
  • the deciding means may be adapted to decide based on at least one of a predetermined policy, an identification of the first gateway device, the identity, subscription data related to the identity, a timing of the first request, a location of the terminal, a load on the second gateway device, a load on the first gateway device, and an emergency indication received in the identity request.
  • the apparatus may further comprise indicating means adapted to indicate if the terminal should store that it is to be redirected from the first gateway device to the second gateway device.
  • the set may consist of the second gateway device and the address of the set may be the address of the second gateway device.
  • an apparatus comprising checking means adapted to check if a response comprises an address of a set of one or more gateway devices, wherein the response is received in response to an identity request for at least one of an authentication and an authorization of an identity, and the identity is used to identify a terminal in a received tunnel request to set up a tunnel to the terminal; redirecting means adapted to redirect the terminal to request setting up the tunnel to one gateway device of the set of gateway devices if the address is received.
  • the redirecting means may be adapted to redirect the terminal using a redirect mechanism of internet key exchange version 2.
  • the apparatus may further comprise emergency monitoring means adapted to monitor if the tunnel request comprises an emergency indication indicating that the tunnel is for an emergency call; emergency forwarding means adapted to forward the emergency indication with the identity request.
  • the set may consist of the one gateway device and the address of the set may be the address of the one gateway device.
  • an apparatus comprising monitoring means adapted to monitor if a tunnel request to set up a first tunnel between the apparatus and a first gateway device is redirected to a second gateway device different from the first gateway device, wherein the second gateway device is comprised in a set of one or more gateway devices; storing means adapted to store a pair of an address of the set and an address of the first gateway device, if the tunnel request is redirected; supervising means adapted to supervise if a second tunnel between the apparatus and the first gateway device is intended to be set up; determining means adapted to determine, if the second tunnel is intended to be set up, whether the pair comprising the address of the first gateway device is stored by the storing means; retrieving means adapted to retrieve the address of the set from the pair if the address of the first gateway device is stored in the pair; tunnel requesting means adapted to request to set up the second tunnel between the apparatus and a third gateway device if the address of the first gateway device is stored in the pair, wherein the third gateway device is comprised in the set.
  • the apparatus may further comprise inhibiting means adapted to inhibit the tunnel requesting means from requesting to set up the second tunnel between the apparatus and the first gateway device if the address of the first gateway device is comprised in the pair stored by the storing means.
  • an apparatus comprising checking means adapted to check, if a challenge request comprises an address of a set of one or more gateway devices, wherein the challenge request is received from a first gateway device after a tunnel request requesting to set up a first tunnel between the apparatus and the first gateway device was sent to the first gateway device, the apparatus is identified by an identity in the tunnel request, and the challenge request belongs to a procedure for at least one of an authentication and an authorization of the identity; requesting means adapted to request to set up a second tunnel between the apparatus and a second gateway device if the challenge request comprises the address, wherein the second gateway device belongs to the set.
  • the apparatus may further comprise abandoning means adapted to abandon the setting up of the first tunnel if the challenge request comprises the address.
  • the apparatus may further comprise storing means adapted to store a pair of the address of the set and an address of the first gateway device; determining means adapted to determine if an address of the first gateway device is comprised in the pair stored by the storing means; retrieving means adapted to retrieve the address of the set from the pair; tunnel requesting means adapted to request to set up a third tunnel between the apparatus and a third gateway device if the address of the first gateway device is comprised in the pair stored by the storing means, wherein the third gateway device belongs to the set.
  • the apparatus may further comprise inhibiting means adapted to inhibit the tunnel requesting means from requesting to set up the third tunnel between the apparatus and the first gateway device if the address of the first gateway device is comprised in the pair stored by the storing means.
  • the apparatus may further comprise monitoring means adapted to monitor if the challenge request comprises a store indication; inhibiting means adapted to inhibit the storing means from storing the pair of the address of the set and the address of the first gateway device if the challenge request does not comprise the store indication.
  • the set may consist of the second gateway device and the address of the set may be the address of the second gateway device.
  • an apparatus comprising deciding circuitry configured to decide if a terminal using an identity is to be redirected from a first gateway device to a second gateway device comprised in a set of one or more gateway devices, wherein the identity is received in an identity request from the first gateway device for at least one of an authentication and an authorization of the identity, wherein at least one of the one or more gateway devices of the set is different from the first gateway device; providing circuitry configured to provide, if the terminal is to be redirected, an address of the set.
  • the providing circuitry may be configured to provide the address of the set to the first gateway device.
  • the providing circuitry may be configured to provide the address of the set to the terminal in a challenge request, and the challenge request may belong to a procedure for the respective at least one of the authentication and the authorization of the identity.
  • the apparatus may further comprise monitoring circuitry configured to monitor if the first gateway device belongs to a home network to which the apparatus belongs; inhibiting circuitry configured to inhibit the deciding circuitry from deciding that the terminal is to be redirected if the first gateway device belongs to the home network.
  • the deciding circuitry may be configured to decide based on at least one of a predetermined policy, an identification of the first gateway device, the identity, subscription data related to the identity, a timing of the first request, a location of the terminal, a load on the second gateway device, a load on the first gateway device, and an emergency indication received in the identity request.
  • the apparatus may further comprise indicating circuitry configured to indicate if the terminal should store that it is to be redirected from the first gateway device to the second gateway device.
  • the set may consist of the second gateway device and the address of the set may be the address of the second gateway device.
  • an apparatus comprising checking circuitry configured to check if a response comprises an address of a set of one or more gateway devices, wherein the response is received in response to an identity request for at least one of an authentication and an authorization of an identity, and the identity is used to identify a terminal in a received tunnel request to set up a tunnel to the terminal; redirecting circuitry configured to redirect the terminal to request setting up the tunnel to one gateway device of the set of gateway devices if the address is received.
  • the redirecting circuitry may be configured to redirect the terminal using a redirect mechanism of internet key exchange version 2.
  • the apparatus may further comprise emergency monitoring circuitry configured to monitor if the tunnel request comprises an emergency indication indicating that the tunnel is for an emergency call; emergency forwarding circuitry configured to forward the emergency indication with the identity request.
  • an apparatus comprising monitoring circuitry configured to monitor if a tunnel request to set up a first tunnel between the apparatus and a first gateway device is redirected to a second gateway device different from the first gateway device, wherein the second gateway device is comprised in a set of one or more gateway devices; storing circuitry configured to store a pair of an address of the set and an address of the first gateway device, if the tunnel request is redirected; supervising circuitry configured to supervise if a second tunnel between the apparatus and the first gateway device is intended to be set up; determining circuitry configured to determine, if the second tunnel is intended to be set up, whether the pair comprising the address of the first gateway device is stored by the storing circuitry; retrieving circuitry configured to retrieve the address of the set from the pair if the address of the first gateway device is stored in the pair; tunnel requesting circuitry configured to request to set up the second tunnel between the apparatus and a third gateway device if the address of the first gateway device is stored in the pair, wherein the third gateway device is comprised in the set.
  • the apparatus may further comprise inhibiting circuitry configured to inhibit the tunnel requesting circuitry from requesting to set up the second tunnel between the apparatus and the first gateway device if the address of the first gateway device is comprised in the pair stored by the storing circuitry.
  • an apparatus comprising checking circuitry configured to check, if a challenge request comprises an address of a set of one or more gateway devices, wherein the challenge request is received from a first gateway device after a tunnel request requesting to set up a first tunnel between the apparatus and the first gateway device was sent to the first gateway device, the apparatus is identified by an identity in the tunnel request, and the challenge request belongs to a procedure for at least one of an authentication and an authorization of the identity; requesting circuitry configured to request to set up a second tunnel between the apparatus and a second gateway device if the challenge request comprises the address, wherein the second gateway device belongs to the set.
  • the apparatus may further comprise abandoning circuitry configured to abandon the setting up of the first tunnel if the challenge request comprises the address.
  • the apparatus may further comprise storing circuitry configured to store a pair of the address of the set and an address of the first gateway device; determining circuitry configured to determine if an address of the first gateway device is comprised in the pair stored by the storing circuitry; retrieving circuitry configured to retrieve the address of the set from the pair; tunnel requesting circuitry configured to request to set up a third tunnel between the apparatus and a third gateway device if the address of the first gateway device is comprised in the pair stored by the storing circuitry, wherein the third gateway device belongs to the set.
  • the apparatus may further comprise inhibiting circuitry configured to inhibit the tunnel requesting circuitry from requesting to set up the third tunnel between the apparatus and the first gateway device if the address of the first gateway device is comprised in the pair stored by the storing circuitry.
  • the apparatus may further comprise monitoring circuitry configured to monitor if the challenge request comprises a store indication; inhibiting circuitry configured to inhibit the storing circuitry from storing the pair of the address of the set and the address of the first gateway device if the challenge request does not comprise the store indication.
  • the set may consist of the second gateway device and the address of the set may be the address of the second gateway device.
  • a method comprising deciding if a terminal using an identity is to be redirected from a first gateway device to a second gateway device comprised in a set of one or more gateway devices, wherein the identity is received in an identity request from the first gateway device for at least one of an authentication and an authorization of the identity, wherein at least one of the one or more gateway devices of the set is different from the first gateway device; providing, if the terminal is to be redirected, an address of the set.
  • the address of the set may be provided to the first gateway device.
  • the address of the set may be provided to the terminal in a challenge request, and the challenge request may belong to a procedure for the respective at least one of the authentication and the authorization of the identity.
  • the method may further comprise monitoring if the first gateway device belongs to a home network to which an apparatus performing the method belongs; inhibiting the deciding that the terminal is to be redirected if the first gateway device belongs to the home network.
  • the deciding may be based on at least one of a predetermined policy, an identification of the first gateway device, the identity, subscription data related to the identity, a timing of the first request, a location of the terminal, a load on the second gateway device, a load on the first gateway device, and an emergency indication received in the identity request.
  • the method may further comprise indicating if the terminal should store that it is to be redirected from the first gateway device to the second gateway device.
  • the set may consist of the second gateway device and the address of the set may be the address of the second gateway device.
  • a method comprising checking if a response comprises an address of a set of one or more gateway devices, wherein the response is received in response to an identity request for at least one of an authentication and an authorization of an identity, and the identity is used to identify a terminal in a received tunnel request to set up a tunnel to the terminal; redirecting the terminal to request setting up the tunnel to one gateway device of the set of gateway devices if the address is received.
  • the redirecting of the terminal may use a redirect mechanism of internet key exchange version 2.
  • the method may further comprise monitoring if the tunnel request comprises an emergency indication indicating that the tunnel is for an emergency call; forwarding the emergency indication with the identity request.
  • the set may consist of the one gateway device and the address of the set may be the address of the one gateway device.
  • a method comprising monitoring if a tunnel request to set up a first tunnel between an apparatus performing the method and a first gateway device is redirected to a second gateway device different from the first gateway device, wherein the second gateway device is comprised in a set of one or more gateway devices; storing a pair of an address of the set and an address of the first gateway device, if the tunnel request is redirected; supervising if a second tunnel between the apparatus and the first gateway device is intended to be set up; determining, if the second tunnel is intended to be set up, whether the pair comprising the address of the first gateway device is stored; retrieving the address of the set from the pair if the address of the first gateway device is stored in the pair; requesting to set up the second tunnel between the apparatus and a third gateway device if the address of the first gateway device is stored in the pair, wherein the third gateway device is comprised in the set.
  • the method may further comprise inhibiting the requesting to set up the second tunnel between the apparatus and the first gateway device if the address of the first gateway device is comprised in the stored pair.
  • a method comprising checking, if a challenge request comprises an address of a set of one or more gateway devices, wherein the challenge request is received from a first gateway device after a tunnel request requesting to set up a first tunnel between an apparatus performing the method and the first gateway device was sent to the first gateway device, the apparatus is identified by an identity in the tunnel request, and the challenge request belongs to a procedure for at least one of an authentication and an authorization of the identity; requesting to set up a second tunnel between the apparatus and a second gateway device if the challenge request comprises the address, wherein the second gateway device belongs to the set.
  • the method may further comprise abandoning the setting up of the first tunnel if the challenge request comprises the address.
  • the method may further comprise storing a pair of the address of the set and an address of the first gateway device; determining if an address of the first gateway device is comprised in the stored pair; retrieving the address of the set from the pair; requesting to set up a third tunnel between the apparatus and a third gateway device if the address of the first gateway device is comprised in the stored pair, wherein the third gateway device belongs to the set.
  • the method may further comprise inhibiting the requesting to set up the third tunnel between the apparatus and the first gateway device if the address of the first gateway device is comprised in the stored pair.
  • the method may further comprise monitoring if the challenge request comprises a store indication; inhibiting the storing of the pair of the address of the set and the address of the first gateway device if the challenge request does not comprise the store indication.
  • the set may consist of the second gateway device and the address of the set may be the address of the second gateway device.
  • the method of any of the ninth to twelfth aspects may be a method of redirecting.
  • a computer program product comprising a set of instructions which, when executed on an apparatus, is configured to cause the apparatus to carry out the method according to any of the ninth to twelfth aspects.
  • the computer program product may be embodied as a computer-readable medium or directly loadable into a computer.
  • the HPLMN operator has full control of ePDG selection in a fully dynamic way.
  • Fig. 1 shows a message flow according to some embodiments of the invention.
  • Fig. 2 shows an apparatus according to an embodiment of the invention
  • Fig. 3 shows a method according to an embodiment of the invention
  • Fig. 4 shows an apparatus according to an embodiment of the invention
  • Fig. 5 shows a method according to an embodiment of the invention
  • Fig. 6 shows an apparatus according to an embodiment of the invention
  • Fig. 7 shows a method according to an embodiment of the invention
  • Fig. 8 shows an apparatus according to an embodiment of the invention
  • Fig. 9 shows a method according to an embodiment of the invention.
  • Fig. 10 shows an apparatus according to an embodiment of the invention.
  • the apparatus is configured to perform the corresponding method, although in some cases only the apparatus or only the method are described.
  • In some embodiments, the 3GPP AAA server, which is in the HPLMN, provides an FQDN or an IP address of one or more ePDGs in the home network to which the UE should be redirected. It does so during the initial authentication and authorization procedure that the ePDG in the roaming network runs towards it.
  • The ePDG in the roaming network then redirects the UE, using the IKEv2 redirect mechanism, towards an ePDG in the HPLMN, using the IP address or FQDN received from the 3GPP AAA server.
  • The decision whether or not an ePDG in the HPLMN is to be used may depend on one or more of the following criteria: a local policy configured in the AAA server, a VPLMN identifier of the ePDG, a user identity, subscription data related to the user identity, etc. Other potential criteria may be the time of day or the weekday (in low-traffic times, an ePDG in the HPLMN may be preferred). Also, the AAA server may be made aware of the current load on the ePDGs of the HPLMN and decide based on the current load whether an ePDG in the HPLMN or in the VPLMN is to be used. Some or all of these criteria may be combined by logical OR and/or logical AND. E.g., the 3GPP AAA server may only redirect UEs to an ePDG in the HPLMN when they have an IMS subscription and local break-out to IMS in the given VPLMN is not supported.
  • In case of emergency sessions, the UE indicates at the initial tunnel setup request that the session is for an emergency call.
  • The ePDG forwards this indication to the 3GPP AAA server, and thus the 3GPP AAA server may take the emergency indication into account as a further criterion when it decides whether an ePDG in the visited or in the home network should be used. For example, the 3GPP AAA server may decide not to redirect the UE to the ePDG in the HPLMN in case of an emergency call, regardless of all other criteria.
  • the 3GPP AAA server may also take into account the location of the UE (e.g. the 3GPP AAA server may know the current location of the UE in cellular access) during the redirection; i.e. the ePDG identifier sent to the UE may depend on the UE's location. Note that the redirection between ePDGs in the same PLMN is also possible in order to find the ePDG that is the most appropriate based on the UE's location.
  • Redirecting a UE (terminal), or redirecting a request, means that a request from the UE to a first addressee is instead directed to a second addressee different from the first addressee.
  • More precisely, it may mean that the request to the first addressee is cancelled and, instead, a new, corresponding request to the second addressee is issued. Alternatively, the request to the first addressee may not be cancelled and the request to the second addressee may be additionally issued.
  • Fig. 1 shows a message flow according to some embodiments of the invention.
  • Fig. 1 shows a UE 1001, a non-3GPP IP access 1002, a roaming ePDG 1003 (ePDG in the VPLMN), a home ePDG 1004 (ePDG in the HPLMN), and a 3GPP AAA server 1006.
  • the 3GPP AAA server may be combined with HSS or separated therefrom.
  • the 3GPP AAA server 1006 is in the HPLMN of the UE 1001 . Communication with the 3GPP AAA server 1006 may be performed via an AAA proxy (not shown) or directly with the 3GPP AAA server 1006.
  • Step 1: UE 1001 contacts ePDG 1003 in the VPLMN via the non-3GPP IP access 1002 (e.g. WLAN) to request the setup of a tunnel (e.g. an IPsec tunnel) through the non-3GPP IP access 1002. This step may be done according to the ePDG selection mechanism as currently specified, or by a modified procedure.
  • UE 1001 provides its identity (e.g. IMSI) to ePDG 1003.
  • ePDG 1003 performs an initial Authentication and Authorization procedure.
  • This step may be done according to the currently specified procedures or according to a modified procedure.
  • The 3GPP AAA server 1006, receiving the initial Authentication and Authorization request from the ePDG 1003 in the VPLMN, may decide that the UE shall be redirected to ePDG 1004 in the HPLMN. This decision may be based on one or more of the criteria described above. If the 3GPP AAA server 1006 decides to redirect the UE 1001 to ePDG 1004 in the HPLMN, the 3GPP AAA server 1006 indicates to the ePDG 1003 in the VPLMN, in its response to the request for authentication and authorization of message 2), that the UE 1001 shall be redirected to ePDG 1004 in the HPLMN, and sends an address of the ePDG 1004 in the HPLMN (e.g. an IP address or an FQDN, as described above).
  • the address of the ePDG 1004 in the HPLMN may be included in a portion of the response, which ePDG 1003 in the VPLMN is expected to evaluate.
  • the ePDG 1003 in the VPLMN has to check whether the response from the 3GPP AAA server 1006 contains an address of the ePDG 1004 in the HPLMN.
  • the address of the ePDG 1004 in the HPLMN may be comprised in an additional field in the response from the 3GPP AAA server 1006, or an existing field in the response may be re-interpreted as comprising the address.
  • the ePDG 1003 in the VPLMN When the ePDG 1003 in the VPLMN receives the address of the ePDG 1004 in the HPLM in the response from the 3GPP AAA server 1006, the ePDG 1003 in the VPLMN triggers redirection. For the redirection, it may use e.g. the IKEv2 REDIRECT mechanism as defined in the RFC 5685.
  • ePDG 1003 in the VPLMN may add REDIRECT payload in the IKE AUTH response with the address of the ePDG 1004 in the HPLMN, Note that this IKEv2 mechanism may also be used if a PDN-GW is reallocated during attach procedure over S2c interface, as defined in 3GPP TS 23.402 and in 3GPP TS 24.303.
  • The UE 1001 contacts ePDG 1004 in the HPLMN based on the redirect information received from the ePDG 1003 in the VPLMN. That is, it requests to set up a tunnel through non-3GPP access to the ePDG 1004 in the HPLMN.
  • The UE 1001 performs authentication and authorization at the 3GPP AAA server 1006, via ePDG 1004 in the HPLMN, for setting up the tunnel between ePDG 1004 in the HPLMN and the UE 1001.
  • Alternatively, the address of the ePDG in the HPLMN is included in a message to the UE which is encapsulated in the message from the 3GPP AAA server and is not evaluated by the ePDG in the VPLMN.
  • the 3GPP AAA Server may initiate an authentication challenge.
  • 3GPP AAA server may include the address of the ePDG in the HPLMN in the EAP of the authentication challenge.
  • the address of the ePDG in the HPLMN may be comprised in an additional field in the EAP, or an existing field may be re-interpreted as comprising the address.
  • The information may be ciphered and integrity-protected if it is included, for example, in the AT_ENCR_DATA attribute of EAP-AKA authentication (RFC 4187). AT_ENCR_DATA is encrypted under K_encr and is accompanied by AT_IV and AT_MAC, and those keys are shared only between the UE and the 3GPP AAA server, so the ePDG in the VPLMN, which merely relays the EAP packets, can neither read nor alter the address.
  • If the UE receives the authentication challenge (challenge message) including the address of the ePDG in the HPLMN, it knows that it is to be redirected to the ePDG in the HPLMN and acts accordingly. For example, it requests to set up a tunnel to the ePDG in the HPLMN. Typically, it also abandons the setup of the tunnel to the ePDG in the VPLMN.
  • The UE may store an indication whether it was redirected to an ePDG in the HPLMN. In that case, if the same ePDG in the VPLMN is selected again, the UE may skip the attempt to set up a tunnel to this ePDG and immediately attempt to set up a tunnel to the ePDG in the HPLMN.
  • The 3GPP AAA server may indicate to the UE whether or not it should store the redirection. For example, if the decision depends on the timing of the request, the UE should not remember the redirection, but if it depends on the VPLMN, it should remember it.
  • When the 3GPP AAA server receives the request for authentication and authorization from an ePDG, it may check whether that ePDG is in a foreign (roaming) network (VPLMN) or in the home network (HPLMN). If it is an ePDG in the home network, the server may skip the redirection decision and end the redirection method at this point.
  • 3GPP AAA server may decide if and where the redirection should take place, even if the request for authentication and authorization is received from an ePDG in the HPLMN.
  • operator may further influence the traffic even in the home network.
  • operator may improve load balancing among ePDGs of the home network.
  • The 3GPP AAA server may not check whether the requesting ePDG is in the roaming network, or the decision may be taken even if the check finds that the requesting ePDG is in the HPLMN.
  • The redirection may also target not an ePDG in the HPLMN but another ePDG in the same or another VPLMN.
  • the home operator may have a corresponding agreement with an operator of another VPLMN which is geographically more suitable to provide the ePDG function than the ePDG(s) of the HPLMN.
  • the home operator may have an agreement with the visited operator that a certain ePDG in the VPLMN has to be used by all users of the home operator roaming in the VPLMN.
  • the 3GPP AAA server redirects the UE from an ePDG in the HPLMN to an ePDG in the VPLMN.
  • the home operator configures the UE with an identifier (IP address or FQDN) of an ePDG in the HPLMN and the 3GPP AAA server makes a redirection decision depending on the UE location or Registered PLMN (Registered PLMN is the PLMN that is used by the UE to access 3GPP RAN).
  • The 3GPP AAA server may redirect the terminal (directly or via the first ePDG, i.e. the ePDG to which the first request to set up a tunnel is directed) from any ePDG ("first gateway device") in any network including the HPLMN to any ePDG ("second gateway device") in any network including the HPLMN, and the terms "home gateway device" and "roaming gateway device" are not necessarily restricted to an ePDG in the HPLMN and an ePDG in a VPLMN.
  • In the description above, the ePDG in the VPLMN corresponds to the "first gateway device", and the ePDG in the HPLMN (home ePDG) corresponds to the "second gateway device".
  • the AAA server may provide a FQDN as a redirection address.
  • the provided address may point to a set of ePDGs (e.g. ePDGs in the HPLMN). Then the UE may select one of the ePDGs whose IP address can be fetched from the DNS using the provided FQDN.
  • the AAA server may provide either an address of a single ePDG or an address of a set of ePDGs.
  • the address of the single ePDG may be considered as a special case of an address of a set, wherein the set consists of one ePDG.
  • Fig. 2 shows an apparatus according to an embodiment of the invention.
  • the apparatus may be a server for authentication and/or authorization of a 3GPP network such as a 3GPP AAA server or an element thereof.
  • Fig. 3 shows a method according to an embodiment of the invention.
  • the apparatus according to Fig. 2 may perform the method of Fig. 3 but is not limited to this method.
  • the method of Fig. 3 may be performed by the apparatus of Fig. 2 but is not limited to being performed by this apparatus.
  • the apparatus comprises deciding means 10 and providing means 20.
  • the deciding means 10 and providing means 20 may be a deciding circuitry and a providing circuitry, respectively.
  • the deciding means 10 decides if a terminal using an identity is to be redirected from a first gateway device to a second gateway device (S10).
  • the identity is received in an identity request from the first gateway device.
  • the identity request is for at least one of an authentication and an authorization of the identity.
  • the first gateway device may be a roaming gateway device (an ePDG in a VPLMN)
  • the second gateway device may be a home gateway device (an ePDG in the HPLMN).
  • the second gateway device is comprised in a set of one or more gateway devices. If the set consists of the second gateway device (i.e., the second gateway device is the only member of the set), the second gateway device is different from the first gateway device.
  • The address of the set may be the address of the second gateway device. If the set comprises more than one gateway device, at least one of these gateway devices is in any case different from the first gateway device. In some embodiments of the invention, each of the gateway devices of the set is different from the first gateway device.
  • the providing means 20 provides an address of the set (S20).
  • the providing means 20 may provide the address to the first gateway device and/or to the terminal. If it provides the address to the terminal it may be comprised in a challenge request belonging to a procedure for the respective at least one of the authentication and the authorization of the identity.
  • Fig. 4 shows an apparatus according to an embodiment of the invention.
  • the apparatus may be a gateway (gateway device) to a 3GPP network such as an ePDG or an element thereof.
  • Fig. 5 shows a method according to an embodiment of the invention.
  • the apparatus according to Fig. 4 may perform the method of Fig. 5 but is not limited to this method.
  • the method of Fig. 5 may be performed by the apparatus of Fig. 4 but is not limited to being performed by this apparatus.
  • The apparatus comprises checking means 110 and redirecting means 120.
  • The checking means 110 and redirecting means 120 may be a checking circuitry and a redirecting circuitry, respectively.
  • The checking means 110 checks if a response comprises an address of a set of one or more gateway devices (S110). The response is received in response to an identity request for at least one of an authentication and an authorization of an identity. The identity is used to identify a terminal in a received tunnel request to set up a tunnel to the terminal.
  • the redirecting means 120 redirects the terminal to request setting up the tunnel to one of the gateway devices of the set of gateway devices (S120).
  • Fig. 6 shows an apparatus according to an embodiment of the invention.
  • The apparatus may be a terminal such as a UE or an element thereof.
  • Fig. 7 shows a method according to an embodiment of the invention.
  • the apparatus according to Fig. 6 may perform the method of Fig. 7 but is not limited to this method.
  • the method of Fig. 7 may be performed by the apparatus of Fig. 6 but is not limited to being performed by this apparatus.
  • the apparatus comprises monitoring means 210, storing means 220, supervising means 230, determining means 240, retrieving means 250, and tunnel requesting means 260.
  • the monitoring means 210, storing means 220, supervising means 230, determining means 240, retrieving means 250, and tunnel requesting means 260 may be a monitoring circuitry, storing circuitry, supervising circuitry, determining circuitry, retrieving circuitry, and tunnel requesting circuitry, respectively.
  • the monitoring means 210 monitors if a first tunnel request is redirected to a second gateway device different from the first gateway device (S210). By the first tunnel request, it is requested to set up a first tunnel between the apparatus and the first gateway device.
  • the second gateway device is comprised in a set of one or more gateway devices.
  • the supervising means 230 supervises if it is intended to set up a second tunnel between the apparatus and the first gateway device (S230). E.g., such an intention may be based on conventional ePDG selection. For example, the request to set up a second tunnel may be issued some time before or after the first tunnel request was redirected.
  • the tunnel requesting means (260) requests to set up the second tunnel between the apparatus and a third gateway device (S260).
  • the third gateway device is comprised in the set.
  • the third gateway device may be the same as the second gateway device or different from the second gateway device.
  • Fig. 8 shows an apparatus according to an embodiment of the invention.
  • The apparatus may be a terminal such as a UE or an element thereof.
  • Fig. 9 shows a method according to an embodiment of the invention.
  • the apparatus according to Fig. 8 may perform the method of Fig. 9 but is not limited to this method.
  • the method of Fig. 9 may be performed by the apparatus of Fig. 8 but is not limited to being performed by this apparatus.
  • the apparatus comprises checking means 310 and requesting means 320.
  • the checking means 310 and requesting means 320 may be a checking circuitry and a requesting circuitry, respectively.
  • the checking means 310 checks if a challenge request comprises an address of a set of one or more gateway devices (S310).
  • the challenge request is received from a first gateway device after a tunnel request was sent to the first gateway device.
  • the tunnel request requests to set up a first tunnel between the apparatus and the first gateway device.
  • the apparatus is identified by an identity in the tunnel request.
  • the challenge request belongs to a procedure for at least one of an authentication and an authorization of the identity.
  • the requesting means 320 requests to set up a second tunnel between the apparatus and a second gateway device (S320).
  • the second gateway device belongs to the set of one or more gateway devices.
  • the first tunnel between the apparatus and the first gateway device is not set up.
  • Fig. 10 shows an apparatus according to an embodiment of the invention.
  • the apparatus comprises at least one processor 410, at least one memory 420 including computer program code, and the at least one processor 410, with the at least one memory 420 and the computer program code, being arranged to cause the apparatus to at least perform at least one of the methods according to Figs. 3, 5, 7, and 9.
  • the UE via a respective ePDG requests authentication and authorization from the 3GPP AAA server.
  • the UE may request only authentication or only authorization from the 3GPP AAA server.
  • the AAA server may be replaced by an AA server, or it may be a server providing only one of an authentication function and an authorization function, as long as the function of the server corresponds to the request from UE (via ePDG).
  • Embodiments of the invention may be employed in an LTE-A network as the 3GPP network. They may also be employed in other mobile networks such as CDMA, EDGE, LTE, UTRAN networks, etc.
  • the non-3GPP network may be a WiFi, WLAN network, fixed broadband access or a network of another access technology or any combination thereof, e.g. WLAN connected via fixed broadband access.
  • a terminal may be a user equipment such as a mobile phone, a smart phone, a PDA, a laptop, a tablet PC, a wearable, a machine-to-machine device, or any other device which may be connected to the respective 3GPP network and non-3GPP network.
  • A gateway device may be an ePDG or a corresponding function in a network of another technology.
  • One piece of information may be transmitted in one or plural messages from one entity to another entity. Each of these messages may comprise further (different) pieces of information.
  • Names of network elements, protocols, and methods are based on current standards. In other versions or other technologies, the names of these network elements and/or protocols and/or methods may be different, as long as they provide a corresponding functionality.
  • Each of the entities described in the present description may be based on different hardware, or some or all of the entities may be based on the same hardware. Being based on different hardware does not necessarily mean that they are based on different software: each of the entities may be based on different software, or some or all of the entities may be based on the same software.
  • Example embodiments of the present invention provide, for example, a gateway such as an ePDG, or a component thereof, an apparatus embodying the same, a method for controlling and/or operating the same, and computer program(s) controlling and/or operating the same as well as mediums carrying such computer program(s) and forming computer program product(s).
  • example embodiments of the present invention provide, for example an AA server or an AAA server, or a component thereof, an apparatus embodying the same, a method for controlling and/or operating the same, and computer program(s) controlling and/or operating the same as well as mediums carrying such computer program(s) and forming computer program product(s).
  • example embodiments of the present invention provide, for example a terminal such as a UE, or a component thereof, an apparatus embodying the same, a method for controlling and/or operating the same, and computer program(s) controlling and/or operating the same as well as mediums carrying such computer program(s) and forming computer program product(s).
  • Implementations of any of the above described blocks, apparatuses, systems, techniques or methods include, as non-limiting examples, implementations as hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
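The redirection procedure described above, from the AAA server's decision through the ePDG's check and IKEv2 REDIRECT to the UE's follow-up and stored redirection, as an added example in Python; it is not code from the patent or from Nokia. The notify message type values and the REDIRECT notification layout follow RFC 5685; everything else is a model and an assumption of this example: the Diameter and EAP exchanges are collapsed into method calls, the AAA server's "store this redirection" indication travels as a plain `remember` flag beside the notify (a real REDIRECT payload has no such field, so it would have to be carried in the EAP challenge or a separate attribute), DNS resolution of the target FQDN is replaced by a dictionary lookup, authentication itself is not performed, and the PLMN codes, IMSIs and FQDNs are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

REDIRECT_SUPPORTED, REDIRECT = 16406, 16407        # RFC 5685 notify message types
GW_IDENT_IPV4, GW_IDENT_IPV6, GW_IDENT_FQDN = 1, 2, 3  # RFC 5685 GW Ident Types

def encode_redirect(gw_ident_type: int, gw_identity: bytes) -> bytes:
    """REDIRECT notify data for an IKE_AUTH response (RFC 5685 section 6): GW Ident Type
    (1 octet), GW Ident Len (1 octet), identity. Nonce Data exists only for IKE_SA_INIT."""
    if gw_ident_type not in (GW_IDENT_IPV4, GW_IDENT_IPV6, GW_IDENT_FQDN):
        raise ValueError("unknown GW Ident Type")
    if not 0 < len(gw_identity) <= 255:
        raise ValueError("GW identity must be 1..255 octets")
    return struct.pack("!BB", gw_ident_type, len(gw_identity)) + gw_identity

def decode_redirect(data: bytes) -> Tuple[int, bytes]:
    """Inverse of encode_redirect; rejects truncated or over-long data."""
    if len(data) < 2:
        raise ValueError("truncated REDIRECT payload")
    ident_type, ident_len = struct.unpack("!BB", data[:2])
    if len(data) != 2 + ident_len:
        raise ValueError("GW Ident Len does not match payload length")
    return ident_type, data[2:]

@dataclass
class AAAServer:
    """Redirection decision of the 3GPP AAA server (the 'deciding means')."""
    home_plmn: str          # MCC+MNC of the HPLMN (constructed value)
    home_epdg: str          # FQDN naming the set of home ePDGs
    partner_epdg: Dict[str, str] = field(default_factory=dict)  # VPLMN -> agreed ePDG

    def authorize(self, imsi: str, epdg_plmn: str) -> Tuple[bool, Optional[str], bool]:
        """(accepted, redirect target FQDN or None, 'remember' indication).
        Simplification: the subscriber's HPLMN is taken from the IMSI prefix."""
        if not imsi.startswith(self.home_plmn):
            return False, None, False       # not a subscriber of this operator
        if epdg_plmn == self.home_plmn:
            return True, None, False        # request came through a home ePDG
        # Roaming: an ePDG agreed with this VPLMN wins, otherwise the home set.
        target = self.partner_epdg.get(epdg_plmn, self.home_epdg)
        return True, target, True           # depends on the VPLMN, so remember it

class EPDG:
    """Gateway side: checks the AAA response and redirects with IKEv2 REDIRECT."""
    def __init__(self, plmn: str, fqdn: str, aaa: AAAServer):
        self.plmn, self.fqdn, self.aaa = plmn, fqdn, aaa
        self.auth_requests = 0  # IKE_AUTH exchanges that reached this ePDG

    def ike_auth(self, imsi: str, redirect_supported: bool) -> dict:
        self.auth_requests += 1
        accepted, target, remember = self.aaa.authorize(imsi, self.plmn)
        if not accepted:
            return {"status": "AUTHENTICATION_FAILED"}
        # RFC 5685: never redirect a peer that did not send REDIRECT_SUPPORTED,
        # and never redirect to ourselves.
        if target is None or target == self.fqdn or not redirect_supported:
            return {"status": "ESTABLISHED", "gateway": self.fqdn}
        return {"status": "REDIRECT",
                "notify": encode_redirect(GW_IDENT_FQDN, target.encode("ascii")),
                "remember": remember}   # store indication, modelled as a plain flag

class UE:
    """Terminal side: follows one redirect and remembers it per visited ePDG."""
    def __init__(self, imsi: str):
        self.imsi = imsi
        self.redirect_memory: Dict[str, str] = {}  # visited ePDG -> ePDG to use

    def attach(self, selected: str, epdgs: Dict[str, EPDG]) -> dict:
        first = self.redirect_memory.get(selected, selected)  # skip known redirects
        resp = epdgs[first].ike_auth(self.imsi, redirect_supported=True)
        if resp["status"] != "REDIRECT":
            return resp
        ident_type, ident = decode_redirect(resp["notify"])
        if ident_type != GW_IDENT_FQDN:
            raise ValueError("this model only resolves FQDN targets")
        target = ident.decode("ascii")  # DNS lookup is abstracted by the dict
        if resp["remember"]:
            self.redirect_memory[selected] = target
        # The first tunnel is abandoned. Do not advertise redirect support on
        # the second attempt, so a chain of REDIRECTs cannot loop the UE.
        return epdgs[target].ike_auth(self.imsi, redirect_supported=False)

def run_scenario() -> dict:
    """Constructed scenario: HPLMN 262/01; VPLMN 208/01 has no agreement, and
    VPLMN 234/10 has an agreed ePDG 'epdg-b' that all roamers must use."""
    aaa = AAAServer("26201", "epdg.epc.mnc001.mcc262.pub.3gppnetwork.org",
                    {"23410": "epdg-b.epc.mnc010.mcc234.pub.3gppnetwork.org"})
    visited = "epdg.epc.mnc001.mcc208.pub.3gppnetwork.org"
    other = "epdg.epc.mnc010.mcc234.pub.3gppnetwork.org"
    epdgs = {f: EPDG(p, f, aaa) for p, f in [("26201", aaa.home_epdg), ("20801", visited),
             ("23410", other), ("23410", aaa.partner_epdg["23410"])]}
    ue = UE("262011234567890")
    return {"first": ue.attach(visited, epdgs),   # redirected to the home ePDG
            "again": ue.attach(visited, epdgs),   # remembered: visited ePDG skipped
            "agreed": ue.attach(other, epdgs),    # redirected to epdg-b in the VPLMN
            "home": ue.attach(aaa.home_epdg, epdgs),
            "visited_auths": epdgs[visited].auth_requests,
            "memory": dict(ue.redirect_memory),
            "foreign": UE("208011234567890").attach(visited, epdgs)}
```

Two checks in the model are the ones to look for in a real implementation: the ePDG redirects only a peer that advertised REDIRECT_SUPPORTED and never to its own address, and the UE follows at most one redirect per attach attempt, so a misconfigured or hostile gateway cannot bounce it indefinitely. A real UE must also accept the REDIRECT only inside the IKE_AUTH exchange, where it is protected by the IKE SA keys, and should key its stored redirections on the visited ePDG exactly as the description above does, since the AAA server only asks the UE to remember decisions that depend on the VPLMN.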

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a method comprising: deciding (3) whether a terminal (1001) using an identity is to be redirected from a first gateway device (1003) to a second gateway device (1004) comprised in a set of one or more gateway devices, the identity being received in an identity request from the first gateway device (1003) for an authentication and/or an authorization of the identity, at least one of the one or more gateway devices (1004) of the set being different from the first gateway device; and, if the terminal (1001) is to be redirected, providing an address of the set.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2015/063851 WO2016202406A1 (fr) 2015-06-19 2015-06-19 Local redirection to an evolved packet data gateway (ePDG)

Publications (1)

Publication Number Publication Date
WO2016202406A1 true WO2016202406A1 (fr) 2016-12-22

Family

ID=53491497

Country Status (1)

Country Link
WO (1) WO2016202406A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100054222A1 (en) * 2006-11-16 2010-03-04 Johan Rune Gateway Selection Mechanism
EP2312888A1 (fr) * 2009-10-15 2011-04-20 France Telecom Method for roaming in a non-digital access network via a visited cellular network, and corresponding system and gateways

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
NOKIA NETWORKS ET AL: "Enhancement of ePDG Selection", vol. SA WG2, no. Dubrovnik, Croatia; 20150706 - 20150710, 6 July 2015 (2015-07-06), XP050987073, Retrieved from the Internet <URL:http://www.3gpp.org/ftp/Meetings_3GPP_SYNC/SA2/Docs> [retrieved on 20150707] *
NORTEL: "ePDG selection", 3GPP DRAFT; S2-071975 EPDG SELECTION, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Beijing; 20070418, 18 April 2007 (2007-04-18), XP050259709 *
ZTE: "3GPP AAA Server solution for ePDG selection", 3GPP DRAFT; S2-113370_EPDG REALLOCATION, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Naantali; 20110711, 5 July 2011 (2011-07-05), XP050548645 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15732190; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15732190; Country of ref document: EP; Kind code of ref document: A1)