WO2017007122A1 - Method and system for providing private network service - Google Patents


Info

Publication number
WO2017007122A1
Authority
WO
WIPO (PCT)
Prior art keywords
mobile communication
communication terminal
authentication
private network
private
Prior art date
Application number
PCT/KR2016/005172
Other languages
French (fr)
Korean (ko)
Inventor
김세훈
김달우
류구현
박병창
우상우
이일영
진성일
Original Assignee
주식회사 케이티
Priority date
Filing date
Publication date
Application filed by 주식회사 케이티
Publication of WO2017007122A1 (patent/WO2017007122A1/en)

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/40 Network security protocols
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06 Authentication > H04W12/065 Continuous authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W48/00 Access restriction; Network selection; Access point selection > H04W48/02 Access restriction performed under specific conditions > H04W48/04 Access restriction performed under specific conditions based on user or terminal location or mobility data, e.g. moving direction, speed
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W48/00 Access restriction; Network selection; Access point selection > H04W48/20 Selecting an access point
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W8/00 Network data management > H04W8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks

Definitions

  • the present application relates to a method and a system for providing a private network, and more particularly, to a method and a system for providing a private network that can block access to the private network from an unauthorized terminal or from an unauthorized region.
  • the LTE communication system includes an Evolved Packet Core (EPC) network including a mobility management entity (MME), a serving gateway (SGW), and a packet data network gateway (PGW), and provides services to users using the EPC.
  • EPC Evolved Packet Core
  • MME mobility management entity
  • SGW serving gateway
  • PGW packet data network gateway
  • an object of the present application is to provide a method and system for providing a private network service that can block access to the private network from unauthorized terminals and unauthorized regions.
  • a method for providing a private network service comprises: a receiving step of receiving, by a private gateway, a connection request of a mobile communication terminal; an authentication step of authenticating, by the private gateway, whether the mobile communication terminal satisfies a preset private network access permission condition; and a connecting step of connecting, by the private gateway, a communication session with the private network to the mobile communication terminal for which the authentication is successful.
  • the private gateway may receive the access request from the mobile communication terminal.
  • the authentication step may include: a location authentication step in which the private gateway performs location authentication by comparing the location information received from the mobile communication terminal with a preset private network service area list; and a subscription authentication step in which the private gateway inquires of a preset authentication device whether the mobile communication terminal is a terminal subscribed to the private network service, and performs the subscription authentication.
  • the authentication step may further include an access time authentication step of performing access time authentication for the mobile communication terminal by comparing the time at which the private gateway receives the connection request with a connection allowable time preset for the mobile communication terminal.
  • the location authentication may be performed by using a private network service area list in which private network service areas allowed for each mobile communication terminal are set differently.
  • the private gateway may receive a Target Area Identifier (TAI) or an E-UTRAN Cell Global Identifier (ECGI) as the location information of the mobile communication terminal.
  • TAI Target Area Identifier
  • ECGI E-UTRAN Cell Global Identifier
  • the private gateway may transmit a RADIUS (Remote Authentication Dial-In User Service) message including user information of the mobile communication terminal to the authentication device.
  • RADIUS Remote Authentication Dial-In User Service
  • the private gateway may receive an authentication success message from the authentication device.
  • when the authentication fails, the phone number information of the mobile communication terminal may be extracted from the source IP of the packet transmitted for authentication, and a text message transmission server may be requested to send a "not accessible" message to the mobile communication terminal.
  • the private gateway may transmit a mobile station international ISDN number (MSISDN) or an international mobile station identity (IMSI) of the mobile communication terminal as the user information.
  • MSISDN mobile station international ISDN number
  • IMSI international mobile station identity
  • the method may further include a departure blocking step in which the private gateway blocks the communication session between the mobile communication terminal and the private network when the mobile communication terminal leaves the private network service area.
  • in the departure blocking step, when the location information of the mobile communication terminal changes, the private gateway compares the changed location information with the preset private network service area list to determine whether the mobile communication terminal is out of the private network service area.
  • in the departure blocking step, when it is determined that the mobile communication terminal has left the private network service area, the private gateway changes the destination IP of the user traffic transmitted by the mobile communication terminal to the IP of the authentication apparatus, so that the private network connection of the mobile communication terminal is blocked.
  • in the departure blocking step, the telephone number information of the mobile communication terminal may be extracted from the source IP of the packet transmitted for authentication, and a text message transmission server may be requested to send a "not accessible" message to the mobile communication terminal.
  • the private gateway may query the authentication apparatus whether the mobile communication terminal is a terminal located in the private network service area and whether the mobile communication terminal is a terminal subscribed to the private network service.
  • the private gateway may further query the authentication apparatus whether the mobile communication terminal has made a connection request at a preset access allowance time.
  • the private gateway may transmit, to the authentication device, a RADIUS (Remote Authentication Dial-In User Service) message including user information and location information of the mobile communication terminal.
  • RADIUS Remote Authentication Dial-In User Service
  • the private gateway may receive an authentication success message from the authentication device.
  • the private gateway may transmit the mobile station International ISDN Number (MSISDN) or International Mobile Station Identity (IMSI) of the mobile communication terminal as the user information, and the Target Area Identifier (TAI) or E-UTRAN Cell Global Identifier (ECGI) as the location information.
  • MSISDN mobile station International ISDN Number
  • IMSI International Mobile Station Identity
  • TAI Target Area Identifier
  • ECGI E-UTRAN Cell Global Identifier
  • the method may further include a detachment blocking step in which the private gateway blocks the communication session between the mobile communication terminal and the private network.
  • in the detachment blocking step, when the private gateway receives a TAU (Tracking Area Update) message corresponding to a change in the location of the mobile communication terminal, the private gateway transmits the location information of the mobile communication terminal to the authentication device and queries whether the mobile communication terminal has left the private network service area.
  • TAU Tracking Area Update
  • the private gateway may block the transmission of traffic between the mobile communication terminal and the private network.
  • in the detachment blocking step, if the authentication apparatus determines that the changed location information is not included in the preset private network area list, the phone number information of the mobile communication terminal is extracted from the source IP of the packet transmitted for authentication, and a text message transmission server may be requested to send a disconnection message to the mobile communication terminal.
  • the method of providing a private network service may be a method of providing a private network service in an LTE network according to TR23.829 of 3GPP Release 10, wherein the local gateway receives a private network connection request of a mobile communication terminal.
  • the local gateway may receive the access request from the mobile communication terminal.
  • the authentication step may include: a location authentication step in which the local gateway performs location authentication by comparing the location information received from the mobile communication terminal with a preset private network service area list; and a subscription authentication step in which the local gateway inquires of a preset authentication device whether the mobile communication terminal is a terminal subscribed to the private network service, and performs the subscription authentication.
  • the authentication step may further include an access time authentication step of performing access time authentication for the mobile communication terminal by comparing the time at which the local gateway receives the connection request with a connection allowable time preset for the mobile communication terminal.
  • the location authentication may be performed by using a private network service area list in which private network service areas allowed for each mobile communication terminal are set differently.
  • the local gateway may receive a Target Area Identifier (TAI) or an E-UTRAN Cell Global Identifier (ECGI) as the location information of the mobile communication terminal.
  • TAI Target Area Identifier
  • ECGI E-UTRAN Cell Global Identifier
  • the local gateway may transmit a RADIUS (Remote Authentication Dial-In User Service) message including user information of the mobile communication terminal to the authentication device.
  • RADIUS Remote Authentication Dial-In User Service
  • the local gateway may receive an authentication success message from the authentication device.
  • the local gateway may transmit a mobile station international ISDN number (MSISDN) or an international mobile station identity (IMSI) of the mobile communication terminal as the user information.
  • MSISDN mobile station international ISDN number
  • IMSI international mobile station identity
  • the method may further include an exit blocking step in which the local gateway blocks the communication session between the mobile communication terminal and the private network when the mobile communication terminal leaves the private network service area.
  • in the exit blocking step, when the location information of the mobile communication terminal changes, the local gateway compares the changed location information with the preset private network service area list to determine whether the mobile communication terminal is out of the private network service area.
  • in the exit blocking step, the local gateway changes the destination IP of the user traffic transmitted by the mobile communication terminal to the IP of the authentication apparatus, so that the private network connection of the mobile communication terminal is blocked.
  • a private network service system may include: a mobility management entity (MME) that checks, using the access point name (APN) transmitted by a mobile communication terminal, whether the connection request is for a private network and, if so, transmits a bearer setup message for carrying user traffic to the private gateway corresponding to the APN; a private gateway that, upon receiving the bearer setup message, performs location authentication on whether the mobile communication terminal is located in a preset private network service area, performs subscription authentication with a preset authentication device on whether the mobile communication terminal is subscribed to the private network service, and requests establishment of a communication session between the mobile communication terminal and the private network in response to the bearer setup message if both the subscription authentication and the location authentication succeed; and an authentication device that, at the request of the private gateway, determines whether the mobile communication terminal is included in a terminal list subscribed to the preset private network service, generates a subscription authentication result, and transmits the generated result to the private gateway.
  • a private network service system may include: a mobility management entity (MME) that checks, using the access point name (APN) transmitted by a mobile communication terminal, whether the access request is for a private network and, if so, transmits a bearer setup message for carrying user traffic to the private gateway corresponding to the APN; a private gateway that forms a communication session between the mobile communication terminal and the private network; and an authentication server that, in response to a location authentication and subscriber authentication request, checks whether the user information of the mobile communication terminal is included in a preset subscriber list and whether the location information of the mobile communication terminal is included in a preset private network service area list, generates a response message, and transmits the response message to the private gateway.
  • APN access point name
  • MME mobility management entity
  • a private network service system according to TR23.829 of 3GPP Release 10 may include: a mobility management device (MME: Mobility Management Entity) that checks, using the APN (Access Point Name) transmitted by a mobile communication terminal, whether the request is for access to a private network and, if so, transmits a bearer setup message for carrying user traffic to the local gateway corresponding to the APN; a local gateway that, upon receiving the bearer setup message, performs location authentication on whether the mobile communication terminal is located in a preset private network service area, performs subscription authentication with a preset authentication device on whether the mobile communication terminal is subscribed to the private network service, and requests and establishes a communication session between the mobile communication terminal and the private network in response to the bearer setup message if both the subscription authentication and the location authentication succeed; and an authentication device that, at the request of the local gateway, determines whether the mobile communication terminal is included in a terminal list subscribed to the preset private network service, generates a subscription authentication result, and transmits the generated result to the local gateway.
  • MME Mobility Management Entity
  • with the method and system for providing a private network service, it is possible to block private network access from an unauthorized terminal or an unauthorized region.
  • the method and system for providing a private network service are also applicable to the intranet access method in an LTE network promoted by 3GPP Release 10.
  • private network connections from an unauthorized mobile communication terminal or an unauthorized region can be blocked in conjunction with an authentication device or the like.
  • FIG. 1 is a block diagram illustrating a private network service system according to an embodiment of the present invention.
  • FIGS. 2 and 6 are timing diagrams illustrating a private network connection blocking method for an unregistered mobile communication terminal in a private network service system according to an embodiment of the present invention.
  • FIGS. 3A, 3B, 7A, and 7B are timing diagrams illustrating a method for disconnecting a private network for a mobile communication terminal leaving a private network service area in a private network service system according to an embodiment of the present invention.
  • FIG. 4 is a table showing session information according to an embodiment of the present invention.
  • FIG. 5 is a timing diagram illustrating a method of changing a connection to a public network by a mobile communication terminal connected to a private network in a private network service system according to an embodiment of the present invention.
  • FIG. 8 is a block diagram illustrating a private network service system according to another embodiment of the present invention.
  • FIG. 9 is a timing diagram illustrating a private network access blocking method for an unregistered mobile communication terminal in a private network service system according to another embodiment of the present invention.
  • FIGS. 10A and 10B are timing diagrams illustrating a private network access blocking method for a mobile communication terminal leaving a private network service area in a private network service system according to another embodiment of the present invention.
  • FIG. 1 is a block diagram illustrating a private network service system according to an embodiment of the present invention.
  • a private network service system includes a mobile communication terminal 1, a mobility management entity (hereinafter referred to as 'MME') 20, a serving gateway (hereinafter referred to as 'SGW') 30, a public gateway (hereinafter referred to as 'public PGW') 40, a private gateway (hereinafter referred to as 'private PGW') 50, and an authentication device 60.
  • MME mobility management entity
  • 'SGW' Serving Gateway
  • 'public PGW' Public Gateway
  • 'private PGW' Private Gateway
  • the mobile communication terminal 1 may be a communication device that provides or receives voice calls or data communication, and according to an embodiment it may be referred to as a user equipment (UE), a mobile station (MS), a user terminal (UT), a subscriber station (SS), or other terms.
  • the mobile communication terminal 1 may be a conventional mobile phone such as a cellular phone, a PCS phone, a GSM phone, a CDMA-2000 phone, or a WCDMA phone, or a device in active use recently such as a smart phone, a tablet PC, or a mobile phone using a 4G network.
  • the mobile communication terminal 1 may transmit and receive data using the mobile communication access network 200.
  • the mobile communication access network 200 may include an Evolved Universal Terrestrial Radio Access Network (E-UTRAN), a Universal Terrestrial Radio Access Network (UTRAN), a GSM EDGE Radio Access Network (GERAN), a WiFi network, and the like.
  • E-UTRAN Evolved Universal Terrestrial Radio Access Network
  • UTRAN Universal Terrestrial Radio Access Network
  • GERAN GSM EDGE Radio Access Network
  • WiFi network a wireless local area network
  • an APN list in which a private access point name (APN) and a public APN are recorded may be stored in the mobile communication terminal 1, and when the user of the mobile communication terminal 1 accesses any one APN, the communication service can be provided from a public network such as the Internet N1 or a private network such as an intranet N2.
  • the MME 20 is a control plane entity in the E-UTRAN 210, and may provide mobility management and session management functions for the mobile communication terminal 1 through non-access stratum (NAS) signaling.
  • the mobile communication terminal 1 may transmit an Attach Request message to the MME 20 in order to access a public network or a private network, and the APN corresponding to the public network or private network to which the mobile communication terminal 1 intends to connect may be included in the access request message.
  • the mobile communication terminal 1 may transmit a connection request message including a private network APN (for example, private.lte.com) to request the MME 20 for access to the private network, or a connection request message including a public network APN (for example, public.lte.com) to request the MME 20 for access to the public network.
  • the MME 20 may select the respective SGW 30 and PGW (40, 50) for access to the public or private network requested by the mobile communication terminal 1, and may transmit a bearer establishment message (Create Session Request) for carrying the user traffic of the mobile communication terminal 1 to the corresponding public or private network.
  • the SGW 30 may manage mobility of the mobile communication terminal 1 between the eNB included in the E-UTRAN 210 and another base station and between the 3GPP network and the E-UTRAN, and may perform a session control function to process payload traffic according to the established session. That is, the SGW 30 may operate as an anchoring point during handover between base stations and handover between 3GPP systems.
  • the common PGW 40 may connect the mobile communication terminal 1 with a public network such as the Internet N1, provide IP routing and forwarding functions, and provide packet filtering.
  • the common PGW 40 may assign an IP address to the mobile communication terminal 1, and may operate as a mobility anchoring point during handover between SGWs 30 or between the LTE communication system and a non-3GPP network (for example, WiMax).
  • the private PGW 50 may be a gateway for connecting the mobile communication terminal 1 to a private network such as an intranet N2, and can establish a communication session with the mobile communication terminal 1 to allow access to the intranet N2.
  • the private PGW 50 may authenticate whether or not the mobile communication terminal 1 satisfies a preset private network connection permission condition before establishing a communication session between the mobile communication terminal 1 and the intranet N2. Only when the authentication succeeds, a communication session can be established.
  • the authentication performed by the private PGW 50 may include subscription authentication, location authentication, access time authentication, and the like.
  • the private PGW 50 may store a preset private network service area list, and may compare the location information of the mobile communication terminal 1 provided by the mobile communication terminal 1 with the private network service area list.
  • the private PGW 50 may perform location authentication on the mobile communication terminal 1 by checking whether the location information of the mobile communication terminal 1 is included in the private network service area.
  • the private PGW 50 may receive a Target Area Identifier (TAI) or an E-UTRAN Cell Global Identifier (ECGI) as the location information of the mobile communication terminal 1, and the stored private network service area list may likewise be stored on the basis of TAI or ECGI.
  • TAI Target Area Identifier
  • ECGI E-UTRAN Cell Global Identifier
  • the private PGW 50 compares the received TAI or ECGI of the mobile communication terminal 1 with the private network service area list, and if the TAI or ECGI of the mobile communication terminal 1 is included in the private network service area list, it can be determined that the mobile communication terminal 1 is located in the private network service area.
  • the location information of the mobile communication terminal 1 may be included in a bearer setting message received from the MME 20. According to the embodiment, it is possible to set the private network service area differently for each mobile communication terminal. For example, when different mobile communication terminals exist in the same location, there may be an embodiment in which location authentication is successful for only some mobile communication terminals.
  • the private PGW 50 may also perform subscriber authentication for the mobile communication terminal 1 to access the private network. That is, since the private network service can be provided only to a mobile communication terminal 1 registered in advance to use the private network service, it is necessary to check whether the mobile communication terminal 1 requesting access corresponds to a mobile communication terminal 1 subscribed to the private network service.
  • for the subscriber authentication of the mobile communication terminal 1, the private PGW 50 may query the authentication apparatus 60 whether the mobile communication terminal 1 corresponds to a terminal subscribed to the private network service. At this time, the private PGW 50 may provide the user information received from the mobile communication terminal 1 to the authentication device 60, and then determine whether the subscriber authentication of the mobile communication terminal 1 succeeded according to the authentication result transmitted by the authentication device 60.
  • the private PGW 50 may transmit, as the user information of the mobile communication terminal 1, the MSISDN (Mobile Station International ISDN Number) or IMSI (International Mobile Station Identity) of the mobile communication terminal 1 to the authentication device 60. Subsequently, if it is determined that the user information of the mobile communication terminal 1 exists in the stored subscriber list, the authentication device 60 may transmit an authentication success message to the private PGW 50, and the private PGW 50 that receives the authentication success message may determine that the subscriber authentication for the mobile communication terminal 1 is successful.
  • the private PGW 50 may also query the authentication device 60 for both the subscription authentication and the location authentication, and determine the success of the subscription authentication and location authentication for the mobile communication terminal 1 according to the authentication result transmitted by the authentication device 60.
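The subscription authentication exchange between the private PGW 50 and the authentication device 60 is described above as a RADIUS query carrying the terminal's MSISDN or IMSI, answered by an authentication success message. The following is an added example, not code from the patent or from KT, that builds an RFC 2865 Access-Request with the MSISDN in the User-Name and Calling-Station-Id attributes (which attribute carries the user information is an assumption; the patent does not say), answers it with Access-Accept or Access-Reject from a constructed subscriber list, and has the gateway verify the Response Authenticator before trusting the answer. The authentication device runs in-process here; the shared secret and numbers are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CALLING_STATION_ID = 1, 31


def _encode_attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: type, length (incl. header), value."""
    out = b""
    for attr_type, value in pairs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value too long")
        out += bytes([attr_type, 2 + len(value)]) + value
    return out


def parse_attrs(data):
    """Decode the attribute area of a packet into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, msisdn, request_auth):
    """Gateway side: Access-Request with the terminal's MSISDN as user information.
    request_auth is the 16-byte random Request Authenticator (assumed to be random here)."""
    attrs = _encode_attrs([(ATTR_USER_NAME, msisdn.encode()),
                           (ATTR_CALLING_STATION_ID, msisdn.encode())])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(request, code, secret, attrs=b""):
    """Authentication device side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def auth_device_handle(request, secret, subscriber_list):
    """Subscription authentication: accept only if the user information is in the subscriber list."""
    user = parse_attrs(request[20:]).get(ATTR_USER_NAME, b"").decode()
    code = ACCESS_ACCEPT if user in subscriber_list else ACCESS_REJECT
    return build_response(request, code, secret)


def verify_response(request, response, secret):
    """Gateway side: check identifier, length and Response Authenticator before
    acting on the code, so a forged or tampered reply is not treated as success."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def subscription_auth(msisdn, secret, subscriber_list, ident=1):
    """Full exchange as seen by the private gateway: 'accept', 'reject' or 'invalid'."""
    request = build_access_request(ident, msisdn, os.urandom(16))
    response = auth_device_handle(request, secret, subscriber_list)  # stands in for the UDP round trip
    if not verify_response(request, response, secret):
        return "invalid"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    # Constructed sample data: shared secret and a subscriber list of MSISDNs
    SECRET = b"constructed-shared-secret"
    SUBSCRIBERS = {"821011110000"}
    print(subscription_auth("821011110000", SECRET, SUBSCRIBERS))  # subscribed terminal
    print(subscription_auth("821099990000", SECRET, SUBSCRIBERS))  # not in the list
```

The point of `verify_response` is that the gateway's decision to open a session rests on the Response Authenticator, not merely on the code byte; an Access-Reject whose first byte has been changed to Access-Accept fails the check and is reported as `invalid` rather than as a successful authentication.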
  • the private PGW 50 may also perform access time authentication for the mobile communication terminal 1 by comparing the time at which the connection request is received from the mobile communication terminal 1 with the connection allowance time preset for each mobile communication terminal 1. That is, even if both the subscription authentication and the location authentication for the mobile communication terminal 1 succeed, the connection may not be allowed when the mobile communication terminal 1 attempts to access the private network at a time other than the preset access allowance time.
  • the private PGW 50 performs the access time authentication, but according to the embodiment, the access time authentication may also be queried to the authentication device 60, and whether the authentication succeeded may be determined according to the authentication result transmitted by the authentication device 60.
  • the private PGW 50 may establish a communication session with the mobile communication terminal 1 only if all of the subscriber authentication, location authentication, and access time authentication are successful; if the mobile communication terminal 1 is not located in the private network service area, is not subscribed to the private network service, or is connecting outside the time allowed for the mobile communication terminal 1, the formation of the communication session can be refused. When the communication session is established, the private PGW 50 may assign the mobile communication terminal 1 an IP address used in the private network.
  • the private PGW 50 may periodically check the position of the mobile communication terminal 1. Therefore, when it is determined that the mobile communication terminal 1 has left the private network service area, the private PGW 50 may release the session with the mobile communication terminal 1.
  • when the location of the mobile communication terminal 1 changes, a bearer change message (Modify Bearer Request) may be received by the private PGW 50, and the changed location information of the mobile communication terminal 1 may be included in the bearer change message. Therefore, the private PGW 50 may compare the stored private network service area list with the changed location information.
  • the private PGW 50 changes the destination IP of the user traffic transmitted by the mobile communication terminal 1 to the IP of the authentication device 60 so as to transmit the user traffic to the authentication device 60. By doing so, it is possible to block the connection to the private network.
  • the private PGW 50 may include an access permission table, and according to the access permission table, each of the subscription authentication, location authentication, access time authentication, and the like may be performed.
  • Table 1 shows that both mobile communication terminal A and mobile communication terminal B are private network subscribers, but mobile communication terminal B is not allowed to access the private network at the "la" position.
  • where the connection allowable time is 13:00 to 18:00, access to the private network may not be permitted even at the "e" position from 09:00 to 13:00. That is, it is possible to set the connection permission condition for the private network according to various conditions set in the connection permission condition table.
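The three checks the private PGW 50 is described as applying (subscription, location against a TAI/ECGI service area list, and access time), the per-terminal access permission table of Table 1, and the departure blocking that rewrites the destination IP of user traffic to the authentication device after a Modify Bearer Request can be put together as one decision routine. The following is an added example, not code from the patent or from KT: the IMSIs, area identifiers, time windows and the authentication device address are constructed sample values, and the table only mirrors the idea of Table 1 (both terminals subscribed, terminal B not permitted at area "la", a 13:00 to 18:00 window for terminal A) rather than reproducing it.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

AUTH_DEVICE_IP = "10.0.0.60"  # constructed address standing in for authentication device 60


@dataclass(frozen=True)
class TerminalPolicy:
    """One row of the access permission table for a single terminal."""
    subscribed: bool
    allowed_areas: frozenset            # TAI or ECGI values where access is permitted
    allowed_window: Optional[Tuple[time, time]] = None  # None means any time of day


# Constructed access permission table keyed by IMSI (sample values, not real subscribers)
ACCESS_TABLE = {
    "450050000000001": TerminalPolicy(True, frozenset({"la", "e"}), (time(13, 0), time(18, 0))),  # terminal A
    "450050000000002": TerminalPolicy(True, frozenset({"e"}), None),                               # terminal B
}


def check_subscription(imsi, table=ACCESS_TABLE):
    policy = table.get(imsi)
    return policy is not None and policy.subscribed


def check_location(imsi, location, table=ACCESS_TABLE):
    """Location authentication: the reported TAI/ECGI must be in this terminal's area list."""
    policy = table.get(imsi)
    return policy is not None and location in policy.allowed_areas


def check_time(imsi, now, table=ACCESS_TABLE):
    """Access time authentication against the terminal's preset window (start inclusive, end exclusive)."""
    policy = table.get(imsi)
    if policy is None:
        return False
    if policy.allowed_window is None:
        return True
    start, end = policy.allowed_window
    return start <= now < end


def authenticate(imsi, location, now, table=ACCESS_TABLE):
    """Gateway decision at session setup: all three checks must pass. Returns (ok, reason)."""
    if not check_subscription(imsi, table):
        return False, "not subscribed"
    if not check_location(imsi, location, table):
        return False, "outside service area"
    if not check_time(imsi, now, table):
        return False, "outside allowed time"
    return True, "ok"


@dataclass
class Session:
    imsi: str
    location: str
    blocked: bool = False


def create_session(imsi, location, now, table=ACCESS_TABLE):
    """Create Session Request handling: a session only exists if authentication succeeded."""
    ok, _reason = authenticate(imsi, location, now, table)
    return Session(imsi, location) if ok else None


def on_modify_bearer(session, new_location, table=ACCESS_TABLE):
    """Departure blocking: re-run location authentication on the changed location
    and mark the session blocked if the terminal has left its service area."""
    session.location = new_location
    session.blocked = not check_location(session.imsi, new_location, table)
    return session.blocked


def route_uplink(session, dst_ip):
    """Blocked sessions have every packet's destination rewritten to the authentication device,
    so the terminal cannot reach the private network while still receiving its notification."""
    return AUTH_DEVICE_IP if session.blocked else dst_ip


if __name__ == "__main__":
    s = create_session("450050000000001", "la", time(14, 0))
    print(route_uplink(s, "10.20.0.5"))        # forwarded to the intranet host
    on_modify_bearer(s, "zz")                  # terminal moves to an area outside its list
    print(route_uplink(s, "10.20.0.5"))        # now redirected to the authentication device
```

The example applies a per-terminal area list, which is the variant the text singles out where two terminals at the same location get different location authentication results; a single shared area list is the special case in which every row carries the same `allowed_areas`.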
  • the authentication device 60 may perform subscription authentication, access time authentication, or location authentication for the mobile communication terminal 1 at the request of the private PGW 50.
  • the authentication device 60 may store a subscriber list corresponding to the user information of mobile communication terminals 1 subscribed to the private network service, a private network service area list corresponding to the location information from which the private network may be accessed, and a connection allowable time list for individual mobile communication terminals. Using the subscriber list, the access allowance time list, and the private network service area list, it may perform subscriber authentication, access allowance time authentication, or location authentication for the mobile communication terminal 1.
  • the authentication device 60 may transmit a notification message indicating the result of the private network access to the mobile communication terminal 1, and when the mobile communication terminal 1 moves to a position outside the private network service area, it may transmit a notification message indicating that the terminal has left the private network service area.
  • the notification message may be a Short Message Service (SMS) message, a Multimedia Message Service (MMS) message, or an instant message.
  • the authentication device 60 may directly transmit the notification message or transmit the notification message by requesting the transmission of the notification message to a separate text message transmission server.
  • FIG. 2 is a timing diagram illustrating a private network access blocking method for an unregistered mobile communication terminal in a private network service system according to an embodiment of the present invention.
  • a private network service area list corresponding to the location information from which the private network may be accessed may be stored in the private PGW 50 (S201), and the subscriber list corresponding to the user information of mobile communication terminals 1 subscribed to the private network service may be stored in the authentication device 60 (S202).
  • the mobile communication terminal 1 may transmit a connection request message for setting up a private APN to the MME 20 through the eNB 211 included in the E-UTRAN 210 in order to access the private network N2 (S203, S204).
  • the MME 20 may allow access to the private PGW 50 only when the private APN requested by the mobile communication terminal 1 is predefined, but according to an embodiment the MME 20 may apply a "Wild Card APN" that accepts any APN delivered by the mobile communication terminal 1.
  • in response to the connection request message, the MME 20 may transmit a bearer establishment message (Create Session Request) to the SGW 30 and the private PGW 50 (S205 and S206).
  • the private PGW 50 may check whether the location information of the mobile communication terminal 1 included in the received bearer establishment message is included in the previously stored private network service area list. In this case, when the location information is included in the private network service area list, the private PGW 50 may determine that the location authentication is successful and proceed to subscriber authentication. On the other hand, when the location information of the mobile communication terminal 1 is not included in the private network service area list, the private PGW 50 may refuse to establish a session.
  • here the subscriber authentication is performed after determining that the location authentication is successful, but the order is not necessarily limited to this; according to the embodiment, the location authentication may also be performed after the subscriber authentication.
  • the private PGW 50 may request subscriber authentication from the authentication device 60, in which case the private PGW 50 may transmit the user information (e.g., MSISDN, IMSI, etc.) to the authentication device 60 (S207).
  • the private PGW 50 may request the authentication of the subscriber by using the RADIUS (Remote Authentication Dial-In User Service) message.
  • the authentication apparatus 60 may determine whether the mobile communication terminal 1 corresponds to a terminal subscribed to the private network service by comparing the received user information with a pre-stored subscriber list. If it is determined that the user information is not included in the subscriber list (S208), the authentication apparatus 60 may transmit an authentication failure message (Access-Reject) to the private PGW 50 (S209). That is, if either the received MSISDN or the received IMSI does not match, subscriber authentication is determined to have failed and the authentication failure message can be transmitted.
  • the private PGW 50 may block the connection of the unregistered mobile communication terminal 1 to the private network by sending a bearer setup stop message (Create Session Response-User Authentication failed) to stop the setup of the bearer (S210, S211, S212).
  • the authentication device 60 may transmit a notification message to the unregistered mobile communication terminal 1 indicating that the connection to the private network is not permitted because the private network service is not subscribed.
  • the authentication device 60 may transmit the notification message by requesting the separate text message transmission server 61 to send it (S213 and S214). That is, if it is determined that the user information is not included in the subscriber list, the authentication device 60 extracts telephone number information from the source IP of the packet transmitted for authentication and requests the text message transmission server 61 to send a message indicating that the mobile communication terminal 1 cannot access the private network.
  • FIGS. 3A and 3B are timing diagrams illustrating a private network access blocking method for a mobile communication terminal leaving a private network service area in a private network service system according to an embodiment of the present invention.
  • a private network service area list may be stored in the private PGW 50 (S301), and a subscriber list may be stored in the authentication device 60 (S302).
  • the mobile communication terminal 1 may transmit an attach request message for setting a private APN to the MME 20 (S303 and S304).
  • the MME 20 may transmit a bearer setup message for creating user traffic to the SGW 30 and the private PGW 50 corresponding to the private APN (S305 and S306).
  • the private PGW 50 checks whether the location information of the mobile communication terminal 1 included in the received bearer setup message is included in the previously stored private network service area list, and if so, determines that the location authentication is successful and proceeds with subscriber authentication.
  • the private PGW 50 may request (Access-Request) subscriber authentication from the authentication device 60. At this time, the private PGW 50 may transmit user information (for example, MSISDN, IMSI, etc.) to the authentication device 60 (S307).
  • the authentication apparatus 60 may determine whether the mobile communication terminal 1 corresponds to a terminal subscribed to a private network service by comparing the received user information with a pre-stored subscriber list. If it is determined that the user information is included in the subscriber list, the authentication device 60 may transmit an access success message (Access-Accept) to the private PGW 50 (S308).
  • the private PGW 50 may allocate an IP address to the mobile communication terminal 1 connected to the private network (S309) and send an Accounting-Request (start) message including the assigned IP address to the authentication device 60 (S310). The authentication device 60 generates and stores session information based on the received Accounting-Request (start) message (S315) and transmits the result to the private PGW 50. Thereafter, the mobile communication terminal 1 may be connected to the private network (S312, S313, S314).
  • the stored session information may be as shown in FIG.
  • the authentication device 60 may transmit a text message indicating the successful connection to the private network to the mobile communication terminal 1 through the text message transmission server 61 (S316, S317, S318). Thereafter, the mobile communication terminal 1 may be provided with a communication service by accessing a private network and transmitting user traffic normally.
  • when the mobile communication terminal 1 moves (S320), its location information may change, and a Tracking Area Update (TAU) request for the changed position may be sent to the MME 20 (S321). Accordingly, the private PGW 50 may receive a Modify Bearer Request through the MME 20 and the SGW 30 (S322 and S323) and, using the changed location information included in the bearer change message, determine whether the mobile communication terminal 1 has left the preset private network service area (S327).
  • when the changed location information is not in the private network service area list, the private PGW 50 determines that the mobile communication terminal 1 is out of the private network service area and may change the destination IP of its user traffic to the IP of the authentication apparatus 60 (S328).
  • since the user traffic of the mobile communication terminal 1 is then no longer delivered to the private network, access of the mobile communication terminal 1 to the private network is blocked. The authentication apparatus 60 compares the source IP extracted from the user traffic with the IP of the mobile communication terminal 1 included in the stored session information. When both IPs match, the authentication device 60 may request the text message transmission server 61 to send the mobile communication terminal 1 a text message indicating that it has left the private network service area (S329, S330, S331).
  • FIG. 5 is a timing diagram showing how the mobile communication terminal 1 connected to the private network changes its connection from the private network to the public network.
  • the mobile communication terminal 1 may first transmit a Detach Request including a common APN to the MME 20 (S501 and S502), and the MME 20 may transmit a connection termination request (Delete Session Request) message to the private PGW 50 through the SGW 30 (S503 and S504).
  • the private PGW 50 may transmit an Accounting-Request (stop) message to the authentication device 60 in response to the Delete Session Request (S506), and the authentication device 60 may delete the stored communication session for the private network and terminate the session (S507).
  • the authentication device 60 may transmit a response message to the private PGW 50 to notify that the session termination is completed (S508).
  • FIG. 6 is a timing diagram illustrating a private network connection blocking method for an unregistered mobile communication terminal according to another embodiment of the present invention.
  • the authentication apparatus 60 may store a private network service area list and a subscriber list (S601).
  • the mobile communication terminal 1 may transmit a connection request message for setting up a private APN to the MME 20 through the eNB 211 for private network access (S603 and S604).
  • the MME 20 may transmit a bearer establishment message (Create Session Request) for transmitting user traffic to the SGW 30 and the private PGW 50 in response to the access request message (S605 and S606).
  • the private PGW 50 may transmit user information and location information included in the received bearer setting message to the authentication device 60 to request subscriber authentication and location authentication for the mobile communication terminal 1 (S607).
  • the private PGW 50 may request the subscriber authentication and location authentication from the authentication device 60 using a RADIUS (Remote Authentication Dial-In User Service) message.
  • the authentication device 60 may compare the received user information and location information with the subscriber list and the private network service area list, respectively. That is, it determines whether the location information and the user information of the mobile communication terminal 1 are included in the private network service area list and the subscriber list, and when both are included, it can determine that the location authentication and the subscriber authentication are successful. On the other hand, if either the location information or the user information of the mobile communication terminal 1 is not included in the private network service area list or the subscriber list, either the location authentication or the subscriber authentication has failed, and session establishment can be refused. For example, if it is determined that the user information is not included in the subscriber list (S608), the authentication device 60 may transmit an authentication failure message (Access-Reject) to the private PGW 50 (S609).
  • the private PGW 50 may block the connection of the unregistered mobile communication terminal 1 to the private network by sending a bearer setup stop message (Create Session Response-User Authentication failed) to stop the setup of the bearer (S610, S611, S612).
  • the authentication device 60 may transmit a notification message to the unregistered mobile communication terminal 1 indicating that access to the private network is not allowed because the unregistered mobile communication terminal 1 is not subscribed to the private network service.
  • the authentication device 60 may transmit the notification message by requesting the separate text message transmission server 61 to send it (S613 and S614). That is, if it is determined that the user information is not included in the subscriber list, the authentication device 60 extracts telephone number information from the source IP of the packet transmitted for authentication and requests the text message transmission server 61 to send a message indicating that the mobile communication terminal 1 cannot access the private network.
  • FIGS. 7A and 7B are timing diagrams illustrating a method for disconnecting a private network for a mobile communication terminal leaving a private network service area according to another embodiment of the present invention.
  • a private network service area list and a subscriber list may be stored in the authentication device 60 (S701). Thereafter, the mobile communication terminal 1 may transmit an Attach Request message for setting the private APN to the MME 20 (S703 and S704). The MME 20 may send a bearer setup message for creating user traffic to the SGW 30 and the private PGW 50 corresponding to the private APN (S705 and S706).
  • the private PGW 50 may query the authentication apparatus 60 for location authentication and subscriber authentication for the mobile communication terminal 1 requesting access to the private network (S707). In this case, the private PGW 50 may transmit user information (eg, MSISDN, IMSI, etc.) and location information (eg, TAI, ECGI, etc.) to the authentication device 60.
  • the authentication device 60 compares the received user information and location information with a pre-stored subscriber list and a private network service area list to determine whether the mobile communication terminal 1 is a terminal subscribed to the private network service and whether it is located within the preset private network service area. Here, if it is determined that the user information is included in the subscriber list and the location information is included in the private network service area list, the authentication device 60 may transmit an authentication success message to the private PGW 50 (S708).
  • the private PGW 50 may allocate an IP address to the mobile communication terminal 1 connected to the private network (S709) and transmit an Accounting-Request (start) message to the authentication device 60.
  • the authentication apparatus 60 may store the established session information based on the received Accounting-Request (start) message (S715) and transmit the result to the private PGW 50 (S711). Thereafter, the mobile communication terminal 1 may be connected to the private network (S712, S713, S714).
  • the authentication device 60 may transmit a text message indicating the successful connection to the private network to the mobile communication terminal 1 through the text message transmission server 61 (S716, S717, S718). Thereafter, the mobile communication terminal 1 may be provided with a communication service by accessing a private network and transmitting user traffic normally.
  • the private PGW 50 may receive a Modify Bearer Request through the MME 20 and the SGW 30 (S722 and S723) and, using the changed location information included in the bearer change message, may query the authentication device 60 whether the mobile communication terminal 1 has left the preset private network service area.
  • the private PGW 50 may transmit an Accounting-Request (interim) message including 3GPP-User-Location-Info to the authentication device 60.
  • the authentication device 60 may compare the 3GPP-User-Location-Info included in the Accounting-Request (interim) message with a preset private network service area list. Here, if the changed location information of the mobile communication terminal 1 is not included in the private network service area list, the authentication device 60 may determine that the mobile communication terminal 1 is out of the private network service area. In this case, the authentication device 60 may transmit a disconnect-request message (Disconnect-Request) for disconnecting the private network connection to the mobile communication terminal 1 to the private PGW 50 (S732).
  • the private PGW 50 may return an ACK message in response to the access blocking message (S733) and, in order to stop transmission of user traffic, may transmit a bearer deletion message (Delete Bearer Request) to the SGW 30 and the MME 20 (S734, S735). After receiving the bearer deletion message, the MME 20 may transmit a detach request to the mobile communication terminal 1 to block its access to the private network (S736). Thereafter, when a Delete Bearer Response message is received (S739), the private PGW 50 may transmit an Accounting-Request to the authentication device 60 (S740), and the authentication device 60 may terminate the session between the mobile communication terminal 1 and the private network (S741).
  • when the mobile communication terminal 1 is out of the private network service area, the authentication device 60 may send the mobile communication terminal 1 a notification message indicating that the connection to the private network has been blocked because of the location of the mobile communication terminal 1. That is, the authentication device 60 may request the text message transmission server 61 to transmit the notification message (S729, S730, and S731).
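The authentication device's side of the FIGS. 7A and 7B exchange (Access-Request, Accounting-Request start/interim with 3GPP-User-Location-Info, Disconnect-Request, Accounting-Request stop), as an added example that is not the patent's or KT's code; the class and method names, the MSISDN, IP and TAI values, and the assumption that the final Accounting-Request (S740) is a stop record are all constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    """Session information stored on Accounting-Request (start)."""
    msisdn: str
    ip: str
    location: str


@dataclass
class AuthDevice:
    """Constructed model of authentication device 60 talking to the private PGW."""
    subscriber_list: Set[str]            # MSISDNs subscribed to the private network
    service_area_list: Set[str]          # location identifiers (TAI/ECGI) allowed
    sessions: Dict[str, Session] = field(default_factory=dict)  # keyed by terminal IP
    notifications: List[str] = field(default_factory=list)      # SMS requests issued

    def access_request(self, msisdn: str, location: str) -> str:
        """S707/S708: subscriber and location authentication in one round trip."""
        if msisdn not in self.subscriber_list:
            self._notify(msisdn, "access denied: not subscribed to the private network")
            return "Access-Reject"
        if location not in self.service_area_list:
            return "Access-Reject"
        return "Access-Accept"

    def accounting_start(self, msisdn: str, ip: str, location: str) -> str:
        """After S709: record the session so later location updates can be matched to it."""
        self.sessions[ip] = Session(msisdn, ip, location)
        self._notify(msisdn, "connected to the private network")
        return "Accounting-Response"

    def accounting_interim(self, ip: str, user_location_info: str) -> Optional[str]:
        """Re-check 3GPP-User-Location-Info; answer Disconnect-Request when the
        terminal has left the service area (S732), otherwise keep the session."""
        session = self.sessions.get(ip)
        if session is None:
            return None            # unknown session: nothing to re-authenticate
        session.location = user_location_info
        if user_location_info in self.service_area_list:
            return None            # still inside the area
        self._notify(session.msisdn, "left the private network service area, connection blocked")
        return "Disconnect-Request"

    def accounting_stop(self, ip: str) -> str:
        """S740/S741: the PGW reports the bearer is gone; drop the stored session."""
        self.sessions.pop(ip, None)
        return "Accounting-Response"

    def _notify(self, msisdn: str, text: str) -> None:
        # Stands in for the request to the text message transmission server 61.
        self.notifications.append(f"{msisdn}: {text}")


def run_leave_area_scenario() -> dict:
    """Drive the FIG. 7 sequence with constructed values and return what happened."""
    dev = AuthDevice(subscriber_list={"01012345678"}, service_area_list={"TAI-1", "TAI-2"})
    result = {"access": dev.access_request("01012345678", "TAI-1")}
    dev.accounting_start("01012345678", "10.0.0.5", "TAI-1")
    # Terminal moves within the area, then out of it (constructed TAI values).
    result["interim_inside"] = dev.accounting_interim("10.0.0.5", "TAI-2")
    result["interim_outside"] = dev.accounting_interim("10.0.0.5", "TAI-9")
    dev.accounting_stop("10.0.0.5")
    result["sessions_left"] = len(dev.sessions)
    result["notifications"] = list(dev.notifications)
    return result
```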
  • FIG. 8 is a block diagram showing a private network service system according to another embodiment of the present invention.
  • the mobile communication terminal 1 can directly connect to the private network through the HeNB 212 and the local gateway 70 without having to go through a separate wireless core network.
  • the mobile communication terminal 1 may set an APN to access the private network, and the mobile communication terminal 1 may transmit an Attach Request including the set APN to the MME 20.
  • the MME 20 may set the bearer by selecting the SGW 30, the local gateway 70, and the like for accessing the private network corresponding to the received APN, and may transmit user traffic.
  • the local gateway 70 may perform authentication, such as subscription authentication, location authentication, access time authentication, etc. for the mobile communication terminal 1, similar to the private PGW 50 of FIG. Only when all succeed, the mobile communication terminal 1 can be connected to the private network. Since specific authentication methods and the like have been described above, a detailed description thereof will be omitted.
  • the mobile communication terminal 1 may transmit an attach request message for establishing a private APN to the MME 20 through the HeNB 212 for the private network connection (S901, S902).
  • the MME 20 may transmit a bearer setup message (Create Session Request) for transmitting user traffic to the SGW 30 and the local gateway 70 corresponding to the private APN (S903 and S904).
  • the local gateway 70 may store a private network service area list corresponding to the location information from which the private network may be accessed, and the authentication device 60 may store the subscriber list corresponding to the user information of the mobile communication terminals 1 subscribed to the private network service.
  • the local gateway 70 checks whether the location information of the mobile communication terminal 1 included in the received bearer setup message is included in the previously stored private network service area list; if it is, the local gateway 70 determines that the location authentication is successful and proceeds to subscriber authentication. On the other hand, if the location information of the mobile communication terminal 1 is not included in the private network service area list, the session establishment can be rejected.
  • the local gateway 70 may request subscriber authentication from the authentication device 60, in which case the local gateway 70 may transmit user information (e.g., MSISDN, IMSI, etc.) to the authentication device 60 (S905).
  • the authentication apparatus 60 may compare the received user information with a pre-stored subscriber list and determine whether the mobile communication terminal 1 corresponds to a terminal subscribed to the private network service (S906). If it is determined that the user information is not included in the subscriber list, the authentication device 60 may transmit an authentication failure message (Access-Reject) to the local gateway 70 (S907). That is, if either the received MSISDN or the received IMSI does not match, subscriber authentication is determined to have failed and the authentication failure message can be transmitted.
  • upon receiving the authentication failure message, the local gateway 70 transmits a Create Session Response-User Authentication failed message to stop setting up the bearer, thereby blocking access of the unregistered mobile communication terminal 1 to the private network (S908, S909, S910).
  • a private network service area list may be stored in the local gateway 70 (S1001), and a subscriber list may be stored in the authentication device 60.
  • the mobile communication terminal 1 may transmit an attach request message for setting a private APN to the MME 20 (S1002 and S1003).
  • the MME 20 may transmit a bearer setup message for creating user traffic to the SGW 30 and the local gateway 70 corresponding to the private APN (S1004 and S1005).
  • the local gateway 70 checks whether the location information of the mobile communication terminal 1 included in the received bearer setup message is included in the previously stored private network service area list, and if it is, determines that the location authentication is successful and proceeds with subscriber authentication.
  • the local gateway 70 may request subscriber authentication from the authentication device 60, in which case the local gateway 70 may transmit user information (e.g., MSISDN, IMSI, etc.) to the authentication device 60 (S1006).
  • the authentication apparatus 60 may determine whether the mobile communication terminal 1 corresponds to a terminal subscribed to a private network service by comparing the received user information with a pre-stored subscriber list. Here, if it is determined that the user information is included in the subscriber list, the authentication device 60 may transmit an authentication success message to the local gateway 70 (S1007).
  • the local gateway 70 may allocate an IP address to the mobile communication terminal 1 accessing the private network and transmit an Accounting-Request (start) message to the authentication device 60 (S1008); the authentication apparatus 60 may store the established session information based on the received Accounting-Request (start) message (S1013) and transmit the result to the local gateway 70 (S1009). Thereafter, the mobile communication terminal 1 may be connected to the private network (S1010, S1011, S1012).
  • the authentication device 60 may transmit a text message informing the mobile communication terminal 1 of the successful connection to the private network (S1014). Thereafter, the mobile communication terminal 1 may be provided with a communication service by accessing a private network and transmitting user traffic normally.
  • when the mobile communication terminal 1 moves (S1015), its location information may change, and a Tracking Area Update (TAU) request for the changed position may be transmitted to the MME 20 (S1016). Accordingly, the local gateway 70 may receive a Modify Bearer Request through the MME 20 and the SGW 30 (S1017 and S1018) and, using the changed location information included in the bearer change message, determine whether the mobile communication terminal 1 has left the preset private network service area (S1019).
  • when the changed location information is not in the private network service area list, the local gateway 70 determines that the mobile communication terminal 1 is out of the private network service area and may change the destination IP of its user traffic to the IP of the authentication device 60 (S1022). In this case, since the user traffic of the mobile communication terminal 1 is no longer delivered to the private network, access of the mobile communication terminal 1 to the private network is blocked (S1023). Thereafter, a text message indicating that it has left the private network service area may be transmitted to the mobile communication terminal 1 (S1024).


Abstract

The present application relates to a private network service system and method. A method for providing a private network service according to an embodiment of the present invention may comprise: a reception step for receiving, by a private gateway, an access request from a mobile communication terminal; an authentication step for authenticating, by the private gateway, whether the mobile communication terminal satisfies a predetermined condition for granting access to a private network; and a connection step for establishing, by the private gateway, a communication session between the mobile communication terminal which has been successfully authenticated and the private network.

Description

사설망 서비스 제공방법 및 시스템Method and system for providing private network service
본 출원은 2015년 07월 03일에 출원된 한국 특허출원 제10-2015-0095294호, 2015년 07월 06일에 출원된 한국 특허출원 제10-2015-0095998호, 및 2015년 09월 18일에 출원된 한국 특허출원 제10-2015-0132088호를 기초로 한 우선권 주장을 수반하며, 해당 특허출원들의 명세서 및 도면에 개시된 모든 내용은 본 출원에 원용된다.This application is subject to Korean Patent Application No. 10-2015-0095294, filed on July 03, 2015, Korean Patent Application No. 10-2015-0095998, filed on July 06, 2015, and September 18, 2015. It is accompanied by a priority claim based on Korean Patent Application No. 10-2015-0132088 filed in, all the contents disclosed in the specification and drawings of the patent application is incorporated in this application.
본 출원은 사설망 서비스 제공방법 및 시스템에 관한 것으로서, 특히 비인가단말 및 비인가 지역에서의 사설망 접속을 차단할 수 있는 사설망 서비스 제공방법 및 시스템에 관한 것이다.The present application relates to a method and a system for providing a private network, and more particularly, to a method and a system for providing a private network that can block access to a private network in an unauthorized terminal and an unauthorized region.
오늘날 이동통신 시스템의 발전으로 인하여 차세대 이동통신기술인 LTE(Long Term Evolution) 통신 시스템을 기반으로 한 통신 서비스가 진행되고 있다. 상기 LTE 통신 시스템은 MME(Mobility Management Entity), SGW(Serving Gateway), PGW(Packet data network Gateway)를 포함하는 EPC(Evolved Packet Core) 네트워크를 포함하고 있으며, 이 EPC를 이용하여 사용자들에게 서비스를 제공하고 있다. 한국 등록특허공보 제10-1216542호는 EPC망의 PDN-GW에 대해서 개시하고 있다.Due to the development of mobile communication systems, communication services based on the LTE (Long Term Evolution) communication system, which is a next generation mobile communication technology, are being developed. The LTE communication system includes an Evolved Packet Core (EPC) network including a mobility management entity (MME), a serving gateway (SGW), and a packet data network gateway (PGW), and provides services to users using the EPC. Providing. Korean Patent Publication No. 10-1216542 discloses PDN-GW of an EPC network.
이러한 광대역 이동통신 시장이 활성화되고 스마트폰 등이 보급됨에 따라, 광대역 이동통신과 스마트폰을 기업 서비스에 활용하고자 하는 요구가 증가하고 있다.As the broadband mobile communication market is activated and smart phones and the like are spreading, demand for utilizing broadband mobile communication and smartphones for corporate services is increasing.
본 출원은, 비인가단말 및 비인가 지역에서의 사설망 접속을 차단할 수 있는 사설망 서비스 제공방법 및 시스템을 제공하고자 한다.The present application is to provide a method and system for providing a private network service that can block access to private networks in unauthorized terminals and unauthorized regions.
A method for providing a private network service according to an embodiment of the present invention is a method for providing a location-based private network service, and may include: a receiving step in which a private gateway receives a connection request from a mobile communication terminal; an authentication step in which the private gateway authenticates whether the mobile communication terminal satisfies a preset private network access permission condition; and a connecting step in which the private gateway establishes a communication session with the private network for a mobile communication terminal whose authentication has succeeded.
Here, in the receiving step, when an APN (Access Point Name) associated with the private network service is selected on the mobile communication terminal, the private gateway may receive the connection request from the mobile communication terminal.
Here, the authentication step may include: a location authentication step in which the private gateway performs the location authentication by comparing location information of the mobile communication terminal, received from the mobile communication terminal, with a preset private network service area list; and a subscription authentication step in which the private gateway performs the subscription authentication by querying a preset authentication device as to whether the mobile communication terminal is a terminal subscribed to the private network service.
Here, the authentication step may further include an access time authentication step in which the private gateway performs access time authentication for the mobile communication terminal by comparing the time at which the connection request was received with an access permission time preset for the mobile communication terminal.
Here, in the location authentication step, the location authentication may be performed using a private network service area list in which the permitted private network service area is set differently for each mobile communication terminal.
Here, in the location authentication step, the private gateway may receive a TAI (Target Area Identifier) or an ECGI (E-UTRAN Cell Global Identifier) as the location information of the mobile communication terminal.
Here, in the subscription authentication step, the private gateway may transmit to the authentication device a RADIUS (Remote Authentication Dial-In User Service) message containing user information of the mobile communication terminal.
Here, in the subscription authentication step, when the authentication device determines that the user information is included in a preset subscriber list, the private gateway may receive an authentication success message from the authentication device.
Here, in the subscription authentication step, when the authentication device determines that the user information is not included in the preset subscriber list, it may extract telephone number information from the source IP of the packet transmitted for authentication and send it to a text message transmission server so that an access-denied message is sent to the mobile communication terminal.
Here, in the subscription authentication step, the private gateway may transmit the MSISDN (Mobile Station International ISDN Number) or IMSI (International Mobile Station Identity) of the mobile communication terminal as part of the user information.
Here, the method for providing a private network service according to an embodiment of the present invention may further include a departure blocking step in which the private gateway blocks the communication session between the mobile communication terminal and the private network when the mobile communication terminal leaves the private network service area.
Here, in the departure blocking step, when the location information of the mobile communication terminal changes, the private gateway may compare the changed location information with the preset private network service area list to determine whether the mobile communication terminal has left the private network service area.
Here, in the departure blocking step, when it is determined that the mobile communication terminal has left the private network service area, the private gateway may block the mobile communication terminal's access to the private network by changing the destination IP of the user traffic transmitted by the mobile communication terminal to the IP of the authentication device.
Here, in the departure blocking step, when the authentication device determines that the changed location information is not included in the preset private network area list, it may extract telephone number information from the source IP of the packet transmitted for authentication and send it to the text message transmission server so that an access-denied message is sent to the mobile communication terminal.
Here, in the authentication step, the private gateway may query an authentication device as to whether the mobile communication terminal is located within the private network service area and whether the mobile communication terminal is a terminal subscribed to the private network service.
Here, in the authentication step, the private gateway may further query the authentication device as to whether the mobile communication terminal made the connection request within the preset access permission time.
Here, in the authentication step, the private gateway may transmit to the authentication device a RADIUS (Remote Authentication Dial-In User Service) message containing user information and location information of the mobile communication terminal.
Here, in the authentication step, when the authentication device determines that the user information and the location information are included in a preset subscriber list and a preset private network service area list, respectively, the private gateway may receive an authentication success message from the authentication device.
Here, in the authentication step, the private gateway may transmit the user information containing the MSISDN (Mobile Station International ISDN Number) or IMSI (International Mobile Station Identity) of the mobile communication terminal, and the location information containing the TAI (Target Area Identifier) or ECGI (E-UTRAN Cell Global Identifier) of the mobile communication terminal.
Here, the method for providing a private network service according to an embodiment of the present invention may further include a departure blocking step in which, when the mobile communication terminal leaves the private network service area, the private gateway blocks the communication session between the mobile communication terminal and the private network.
Here, in the departure blocking step, upon receiving a TAU (Tracking Area Update) message corresponding to a change in the location of the mobile communication terminal, the private gateway may transmit the location information of the mobile communication terminal to the authentication device to query whether the mobile communication terminal has left the private network service area.
Here, in the departure blocking step, upon receiving from the authentication device a departure confirmation message corresponding to the mobile communication terminal's departure from the private network service area, the private gateway may block traffic transmission between the mobile communication terminal and the private network.
Here, in the departure blocking step, when the authentication device determines that the changed location information is not included in the preset private network area list, it may extract telephone number information from the source IP of the packet transmitted for authentication and send it to the text message transmission server so that an access-denied message is sent to the mobile communication terminal.
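The RADIUS exchange between the private gateway and the authentication device that the subscription and location authentication steps above rely on, shown as an added example that is not part of this application: the gateway builds an Access-Request carrying the user information and location information, the authentication device answers with Access-Accept or Access-Reject depending on the preset subscriber list, and the gateway verifies the Response Authenticator before trusting the answer. The attribute mapping (IMSI in User-Name, MSISDN in Calling-Station-Id, location in the 3GPP-User-Location-Info vendor attribute), the shared secret, the subscriber list and every sample value are assumptions of this example, not values stated in the application.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Standard attribute types (RFC 2865) and the 3GPP vendor-specific attribute
# that carries user location (3GPP TS 29.061: vendor id 10415, sub-type 22).
USER_NAME, VENDOR_SPECIFIC, CALLING_STATION_ID = 1, 26, 31
VENDOR_3GPP, ATTR_3GPP_USER_LOCATION_INFO = 10415, 22

# Constructed location value: geographic location type 128 (TAI) followed by
# sample PLMN and TAC octets. A real gateway takes these from the attach/TAU.
TAI_SAMPLE = bytes([0x80, 0x54, 0xF0, 0x10, 0x00, 0x01])


def _avp(attr_type, value):
    """Encode one attribute: Type (1 octet), Length (1 octet, incl. header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def _vsa_3gpp(sub_type, value):
    """Wrap a 3GPP sub-attribute inside a Vendor-Specific (26) attribute."""
    inner = bytes([sub_type, len(value) + 2]) + value
    return _avp(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP) + inner)


def build_access_request(ident, imsi, msisdn, location, request_auth=None):
    """Gateway side: Access-Request with the user and location information.
    The attribute mapping used here is an assumption of this example."""
    request_auth = request_auth if request_auth is not None else os.urandom(16)
    attrs = (_avp(USER_NAME, imsi.encode())
             + _avp(CALLING_STATION_ID, msisdn.encode())
             + _vsa_3gpp(ATTR_3GPP_USER_LOCATION_INFO, location))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(pkt):
    """Return {type: [values]}; 3GPP sub-attributes are keyed as (26, sub_type)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad RADIUS length")
    out, pos = {}, 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        value = pkt[pos + 2:pos + length]
        if (attr_type == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == VENDOR_3GPP):
            sub_type, sub_len = value[4], value[5]
            out.setdefault((VENDOR_SPECIFIC, sub_type), []).append(value[6:4 + sub_len])
        else:
            out.setdefault(attr_type, []).append(value)
        pos += length
    return out


def build_response(code, request_pkt, secret, attrs=b""):
    """Authentication device side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    head = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_pkt[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response_pkt, request_pkt, secret):
    """Gateway side: trust a reply only if its identifier matches the outstanding
    request and the Response Authenticator recomputes with the shared secret."""
    if len(response_pkt) < 20 or response_pkt[1] != request_pkt[1]:
        return False
    head, resp_auth, attrs = response_pkt[:4], response_pkt[4:20], response_pkt[20:]
    expected = hashlib.md5(head + request_pkt[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def authenticate_subscriber(request_pkt, subscriber_list, secret):
    """Authentication device: Access-Accept only if the MSISDN is in the preset
    subscriber list (the subscription authentication described above)."""
    attrs = parse_attributes(request_pkt)
    msisdn = attrs.get(CALLING_STATION_ID, [b""])[0].decode()
    code = ACCESS_ACCEPT if msisdn in subscriber_list else ACCESS_REJECT
    return build_response(code, request_pkt, secret)


def run_exchange(msisdn, subscriber_list, secret=b"constructed-shared-secret"):
    """Both sides of one exchange; returns (response code, authenticator verified)."""
    request = build_access_request(7, "450050000000001", msisdn, TAI_SAMPLE)
    response = authenticate_subscriber(request, subscriber_list, secret)
    return response[0], verify_response(response, request, secret)
```

The Response Authenticator binds the reply to the request and the shared secret, so a forged or replayed Access-Accept from a different request is rejected at the gateway; it does not protect the Access-Request itself, which is why a deployment of this scheme would normally add the Message-Authenticator attribute (RFC 2869) or run the gateway-to-authentication-device link over a protected transport.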
A method for providing a private network service according to an embodiment of the present invention may be a method for providing a private network service in an LTE network according to TR23.829 of 3GPP Release 10, and may include: a receiving step in which a local gateway receives a private network connection request from a mobile communication terminal; an authentication step in which the local gateway authenticates whether the mobile communication terminal satisfies a preset private network access permission condition; and a connecting step in which the local gateway establishes a communication session with the private network for a mobile communication terminal whose authentication has succeeded.
Here, in the receiving step, when an APN (Access Point Name) associated with the private network service is selected on the mobile communication terminal, the local gateway may receive the connection request from the mobile communication terminal.
Here, the authentication step may include: a location authentication step in which the local gateway performs the location authentication by comparing location information of the mobile communication terminal, received from the mobile communication terminal, with a preset private network service area list; and a subscription authentication step in which the local gateway performs the subscription authentication by querying a preset authentication device as to whether the mobile communication terminal is a terminal subscribed to the private network service.
Here, the authentication step may further include an access time authentication step in which the local gateway performs access time authentication for the mobile communication terminal by comparing the time at which the connection request was received with an access permission time preset for the mobile communication terminal.
Here, in the location authentication step, the location authentication may be performed using a private network service area list in which the permitted private network service area is set differently for each mobile communication terminal.
Here, in the location authentication step, the local gateway may receive a TAI (Target Area Identifier) or an ECGI (E-UTRAN Cell Global Identifier) as the location information of the mobile communication terminal.
Here, in the subscription authentication step, the local gateway may transmit to the authentication device a RADIUS (Remote Authentication Dial-In User Service) message containing user information of the mobile communication terminal.
Here, in the subscription authentication step, when the authentication device determines that the user information is included in a preset subscriber list, the local gateway may receive an authentication success message from the authentication device.
Here, in the subscription authentication step, the local gateway may transmit the MSISDN (Mobile Station International ISDN Number) or IMSI (International Mobile Station Identity) of the mobile communication terminal as part of the user information.
Here, the method for providing a private network service according to an embodiment of the present invention may further include a departure blocking step in which the local gateway blocks the communication session between the mobile communication terminal and the private network when the mobile communication terminal leaves the private network service area.
Here, in the departure blocking step, when the location information of the mobile communication terminal changes, the local gateway may compare the changed location information with the preset private network service area list to determine whether the mobile communication terminal has left the private network service area.
Here, in the departure blocking step, when it is determined that the mobile communication terminal has left the private network service area, the local gateway may block the mobile communication terminal's access to the private network by changing the destination IP of the user traffic transmitted by the mobile communication terminal to the IP of the authentication device.
A private network service system according to an embodiment of the present invention may include: a Mobility Management Entity (MME) that uses the APN (Access Point Name) transmitted by a mobile communication terminal to determine whether a request is a connection request for the private network and, if it is, transmits a bearer setup message for forwarding user traffic to the private gateway corresponding to that APN; a private gateway that, upon receiving the bearer setup message, performs location authentication as to whether the mobile communication terminal is located within a preset private network service area, requests subscription authentication from a preset authentication device as to whether the mobile communication terminal is subscribed to the private network service, and, when both the subscription authentication and the location authentication for the mobile communication terminal succeed, establishes a communication session between the mobile communication terminal and the private network in response to the bearer setup message; and an authentication device that, at the request of the private gateway, determines whether the mobile communication terminal is included in a terminal list subscribed to the preset private network service, generates a subscription authentication result, and transmits the generated subscription authentication result to the private gateway.
A private network service system according to another embodiment of the present invention may include: a Mobility Management Entity (MME) that uses the APN (Access Point Name) transmitted by a mobile communication terminal to determine whether a request is a connection request for the private network and, if it is, transmits a bearer setup message for forwarding user traffic to the private gateway corresponding to that APN; a private gateway that, upon receiving the bearer setup message, requests location authentication and subscriber authentication of the mobile communication terminal from a preset authentication device and, when both the location authentication and the subscriber authentication for the mobile communication terminal succeed, establishes a communication session between the mobile communication terminal and the private network in response to the bearer setup message; and an authentication server that checks whether the user information of the mobile communication terminal is included in a preset subscriber list and whether the location information of the mobile communication terminal is included in a preset private network service area list, generates a response message to the location authentication and subscriber authentication request, and transmits the response message to the private gateway.
A private network service system according to another embodiment of the present invention may be a private network service system according to TR23.829 of 3GPP Release 10, and may include: a Mobility Management Entity (MME) that uses the APN (Access Point Name) transmitted by a mobile communication terminal to determine whether a request is a connection request for the private network and, if it is, transmits a bearer setup message for forwarding user traffic to the local gateway corresponding to that APN; a local gateway that, upon receiving the bearer setup message, performs location authentication as to whether the mobile communication terminal is located within a preset private network service area, requests subscription authentication from a preset authentication device as to whether the mobile communication terminal is subscribed to the private network service, and, when both the subscription authentication and the location authentication for the mobile communication terminal succeed, establishes a communication session between the mobile communication terminal and the private network in response to the bearer setup message; and an authentication device that, at the request of the local gateway, determines whether the mobile communication terminal is included in a terminal list subscribed to the preset private network service, generates a subscription authentication result, and transmits the generated subscription authentication result to the local gateway.
In addition, the above means for solving the problem do not enumerate all the features of the present invention. The various features of the present invention and the advantages and effects thereof will be understood in more detail with reference to the specific embodiments below.
According to the method and system for providing a private network service according to an embodiment of the present invention, it is possible to block private network access from unauthorized terminals and from unauthorized regions. In particular, by interworking with a separate authentication device, it is possible to block connections from unauthorized mobile communication terminals and attempts to access the private network from unauthorized regions.
The method and system for providing a private network service according to an embodiment of the present invention can also be applied to the intranet access scheme in LTE networks being pursued in 3GPP Release 10. That is, even when a terminal connects directly to the private network through an HeNB and a local gateway without passing through the mobile operator's wireless core network, private network access by unauthorized mobile communication terminals or from unauthorized regions can be blocked by interworking with an authentication device or the like.
FIG. 1 is a block diagram illustrating a private network service system according to an embodiment of the present invention.
FIG. 2 and FIG. 6 are timing diagrams illustrating a method for blocking private network access by an unregistered mobile communication terminal in a private network service system according to an embodiment of the present invention.
FIG. 3A, FIG. 3B, FIG. 7A and FIG. 7B are timing diagrams illustrating a method for blocking private network access by a mobile communication terminal that has left the private network service area in a private network service system according to an embodiment of the present invention.
FIG. 4 is a table showing session information according to an embodiment of the present invention.
FIG. 5 is a timing diagram illustrating a method by which a mobile communication terminal connected to the private network changes its connection to the public network in a private network service system according to an embodiment of the present invention.
FIG. 8 is a block diagram illustrating a private network service system according to another embodiment of the present invention.
FIG. 9 is a timing diagram illustrating a method for blocking private network access by an unregistered mobile communication terminal in a private network service system according to another embodiment of the present invention.
FIG. 10A and FIG. 10B are timing diagrams illustrating a method for blocking private network access by a mobile communication terminal that has left the private network service area in a private network service system according to another embodiment of the present invention.
Hereinafter, preferred embodiments are described in detail with reference to the accompanying drawings so that those of ordinary skill in the art to which the present invention pertains can easily practice the present invention. However, in describing the preferred embodiments of the present invention in detail, where a detailed description of a related known function or configuration is judged to unnecessarily obscure the gist of the present invention, that detailed description is omitted. In addition, the same reference numerals are used throughout the drawings for parts having similar functions and operations.
In addition, throughout the specification, when a part is said to be 'connected' to another part, this includes not only the case where it is 'directly connected' but also the case where it is 'indirectly connected' with another element in between. Also, saying that something 'comprises' a component means that, unless specifically stated otherwise, it does not exclude other components but may further include other components. Also, terms such as "...unit" and "module" used in the specification mean a unit that processes at least one function or operation, which may be implemented in hardware or software or in a combination of hardware and software.
도 1은 본 발명의 일 실시예에 의한 사설망 서비스 시스템을 나타내는 블록도이다.1 is a block diagram illustrating a private network service system according to an embodiment of the present invention.
도 1에 도시한 바와 같이, 본 발명의 일 실시예에 의한 사설망 서비스 시스템은, 이동통신단말(1), 이동성 관리 장치(Mobility Management Entity, 이하 'MME'로 지칭함)(20), 서빙 게이트웨이(Serving Gateway, 이하 'SGW'로 지칭함)(30), 공용 게이트웨이(public PDN Gateway, 이하 '공용 PGW'로 지칭함)(40), 사설 게이트웨이(private PDN gateway, 이하 '사설 PGW'로 지칭함)(50) 및 인증장치(60)를 포함할 수 있다.As shown in FIG. 1, a private network service system according to an embodiment of the present invention includes a mobile communication terminal 1, a mobility management entity (hereinafter referred to as an MME) 20, and a serving gateway ( Serving Gateway (hereinafter referred to as 'SGW') 30, Public Gateway (hereinafter referred to as 'public PGW') 40, Private Gateway (hereinafter referred to as 'private PGW') (50) And an authentication device 60.
이하, 도1을 참조하여 본 발명의 일 실시예에 의한 사설망 서비스 시스템을 설명한다.Hereinafter, a private network service system according to an embodiment of the present invention will be described with reference to FIG. 1.
이동통신단말(1)은 음성 통화 또는 데이터 통신을 제공하거나 제공받는 통신 장치일 수 있으며, 실시예에 따라서는 UE(User Equipment), MS(Mobile Station), UT(User Terminal), SS(Subscriber Station) 등 다른 용어로 불릴 수 있다. 이동통신단말(1)에는, 셀룰러 폰, PCS 폰, GSM 폰, CDMA-2000폰, WCDMA폰 등 종래의 이동 전화기와, 최근 활발히 사용되는 스마트폰과 태블릿 PC 및 4G망을 이용하는 이동 전화기 등이 포함될 수 있다.The mobile communication terminal 1 may be a communication device that provides or receives a voice call or data communication, and according to an embodiment, a user equipment (UE), a mobile station (MS), a user terminal (UT), and a subscriber station (SS) may be used. Or other terms). The mobile communication terminal 1 includes a conventional mobile phone such as a cellular phone, a PCS phone, a GSM phone, a CDMA-2000 phone, a WCDMA phone, a smart phone, a tablet PC, a mobile phone using a 4G network, and the like, which are actively used recently. Can be.
이동통신단말(1)은 이동통신 엑세스(access)망(200)을 이용하여, 데이터를 송수신할 수 있다. 상기 이동통신 엑세스망(200)에는 E-UTRAN(Evolved Universal Terrestrial Radio Access Network), UTRAN(Universal Terrestrial Radio Access Network), GERAN(GSM EDGE Radio Access Network), WiFi망 등이 포함될 수 있다.The mobile communication terminal 1 may transmit and receive data using the mobile communication access network 200. The mobile communication access network 200 may include an Evolved Universal Terrestrial Radio Access Network (E-UTRAN), a Universal Terrestrial Radio Access Network (UTRAN), a GSM EDGE Radio Access Network (GERAN), a WiFi network, and the like.
실시예에 따라서는, 이동통신단말(1)에 사설 APN(Access Point Name)과 공용 APN이 기록된 APN 목록이 저장되어 있을 수 있으며, 이동통신단말(1)의 사용자는 어느 하나의 APN으로 접속을 시도하여, 인터넷(N1) 등의 공용망 또는 인트라넷(N2) 등의 사설망으로부터 통신 서비스를 제공받을 수 있다.According to an embodiment, the APN list in which the access point name (APN) and the public APN are recorded may be stored in the mobile communication terminal 1, and the user of the mobile communication terminal 1 accesses any one APN. By attempting this, the communication service can be provided from a public network such as the Internet N1 or a private network such as an intranet N2.
MME(20)는 E-UTRAN(210)에서의 제어 평면 엔터티(entity)로, NAS(Non Access Stratum) 시그널링을 통하여, 이동통신단말(1)에 대한 이동성 관리 및 세션 관리 기능 등을 제공할 수 있다. 이동통신단말(1)은 공용망 또는 사설망에 접속을 하기 위하여, 접속요청 메시지(Attach Request)를 MME(20)로 전송할 수 있으며, 상기 접속요청 메시지에는 이동통신단말(1)이 접속하고자 하는 공용망 또는 사설망에 대응하는 APN이 포함되어 있을 수 있다. 즉, 이동통신단말(1)은 사설망 APN(예를들어, private.lte.com)을 포함하는 접속요청 메시지를 전송하여 MME(20)에게 사설망에 대한 접속을 요청하거나, 공용망 APN(예를들어, public.lte.com)을 포함하는 접속요청 메시지를 전송하여 MME(20)에게 공용망에 대한 접속을 요청할 수 있다. 이 경우, MME(20)는 이동통신단말(1)이 요청한 공용망 또는 사설망에 대한 접속을 위한 각각의 SGW(30), PGW(40, 50)를 선택할 수 있으며, 해당 공용망 또는 사설망으로 이동통신단말(1)의 사용자 트래픽을 전송하기 위한, 베어러 설정 메시지(Create Session request)를 전송할 수 있다.The MME 20 is a control plane entity in the E-UTRAN 210, and may provide mobility management and session management functions for the mobile communication terminal 1 through non-access stratum (NAS) signaling. have. The mobile communication terminal 1 may transmit an Attach Request message to the MME 20 in order to access a public network or a private network, and the public communication terminal 1 is intended to connect to the access request message. APN corresponding to the network or private network may be included. That is, the mobile communication terminal 1 transmits a connection request message including a private network APN (for example, private.lte.com) to request the MME 20 to access a private network, or a public network APN (for example, For example, the connection request message including public.lte.com) may be transmitted to request the MME 20 to access the public network. In this case, the MME 20 may select the respective SGW 30, PGW (40, 50) for access to the public or private network requested by the mobile communication terminal 1, and move to the corresponding public or private network. A bearer establishment message (Create Session request) for transmitting user traffic of the communication terminal 1 may be transmitted.
The SGW 30 may manage the mobility of the mobile communication terminal 1 between the eNB included in the E-UTRAN 210 and other base stations, and between the 3GPP network and the E-UTRAN, and may perform a session control function that handles payload traffic according to the established session. That is, the SGW 30 may operate as an anchoring point for handover between base stations and handover between 3GPP systems.
The public PGW 40 connects the mobile communication terminal 1 to a public network such as the Internet N1, may provide IP routing and forwarding functions, and may provide packet filtering. Furthermore, the public PGW 40 may allocate the IP address of the mobile communication terminal 1, and may operate as a mobility anchoring point during handover between SGWs 30 or between the LTE communication system and a non-3GPP network (for example, WiMax).
The private PGW 50 may be a gateway for connecting the mobile communication terminal 1 to a private network such as the intranet N2; when the mobile communication terminal 1 connects using the private APN, the private PGW 50 may establish a communication session with the mobile communication terminal 1 and permit access to the intranet N2. Here, before establishing the communication session between the mobile communication terminal 1 and the intranet N2, the private PGW 50 may authenticate whether the mobile communication terminal 1 satisfies a preset private network access permission condition, and may establish the communication session only if the authentication succeeds. The authentication performed by the private PGW 50 may include subscription authentication, location authentication, access time authentication, and the like.
According to one embodiment, a preset private network service area list may be stored in the private PGW 50, and the private PGW 50 may compare the location information of the mobile communication terminal 1, as provided by the mobile communication terminal 1, with the private network service area list. Here, the private PGW 50 may perform location authentication of the mobile communication terminal 1 by checking whether the location information of the mobile communication terminal 1 falls within the private network service area. Specifically, the private PGW 50 may receive a TAI (Target Area Identifier) or an ECGI (E-UTRAN Cell Global Identifier) as the location information of the mobile communication terminal 1, and the stored private network service area list may likewise be stored on the basis of TAI or ECGI. Therefore, the private PGW 50 compares the received TAI or ECGI of the mobile communication terminal 1 with the private network service area list, and if the TAI or ECGI of the mobile communication terminal 1 is included in the private network service area list, it may determine that the mobile communication terminal 1 is located within the private network service area. Here, the location information of the mobile communication terminal 1 may be included in the bearer setup message received from the MME 20. Depending on the embodiment, it is also possible to set a different private network service area for each mobile communication terminal. For example, when different mobile communication terminals are present at the same location, there may be an embodiment in which location authentication succeeds only for some of the mobile communication terminals.
Meanwhile, the private PGW 50 may also perform subscriber authentication of the mobile communication terminal 1 attempting to access the private network. That is, since the private network service may be provided only to a mobile communication terminal 1 that has registered in advance to use the private network service, it is necessary to check whether the mobile communication terminal 1 requesting access corresponds to a mobile communication terminal 1 subscribed to the private network service. Here, for subscriber authentication of the mobile communication terminal 1, the private PGW 50 may query the authentication device 60 as to whether the mobile communication terminal 1 corresponds to a terminal subscribed to the private network service. At this time, the private PGW 50 may provide the user information received from the mobile communication terminal 1 to the authentication device 60, and may then determine whether subscription authentication of the mobile communication terminal 1 has succeeded according to the authentication result transmitted by the authentication device 60. Specifically, the private PGW 50 may provide the MSISDN (Mobile Station International ISDN Number) or IMSI (International Mobile Station Identity) of the mobile communication terminal 1 to the authentication device 60 as the user information of the mobile communication terminal 1. Then, if the authentication device 60 determines that the user information of the mobile communication terminal 1 is present in the stored subscriber list, it may transmit an authentication success message to the private PGW 50, and the private PGW 50 that receives the authentication success message may determine that subscriber authentication of the mobile communication terminal 1 has succeeded. According to another embodiment, the private PGW 50 may query the authentication device 60 for both subscription authentication and location authentication, and determine whether subscription authentication and location authentication of the mobile communication terminal 1 have succeeded according to the authentication result transmitted by the authentication device 60.
Additionally, depending on the embodiment, the private PGW 60 may compare the time at which the access request was received from the mobile communication terminal 1 with the permitted access time preset for each mobile communication terminal 1, thereby performing access time authentication of the mobile communication terminal 1. That is, even if both subscription authentication and location authentication of the mobile communication terminal 1 have succeeded, access may be refused when the mobile communication terminal 1 attempts to access the private network at a time outside the preset permitted access time. Here, access time authentication is described as being performed by the private PGW 60, but depending on the embodiment it is also possible to query the authentication device 60 for access time authentication and to determine whether authentication succeeded according to the authentication result transmitted by the authentication device 60.
The private PGW 50 may establish a communication session with the mobile communication terminal 1 only if subscriber authentication, location authentication and access time authentication have all succeeded, and may refuse to establish the communication session if the mobile communication terminal 1 is not located in the private network service area, is a terminal not subscribed to the private network service, or is requesting access outside the permitted access time allowed for the mobile communication terminal 1. Once the communication session is established, the private PGW 50 may allocate to the mobile communication terminal 1 an IP address used within the private network.
In addition, once the private PGW 50 has established a session with the mobile communication terminal 1, it may periodically check the location of the mobile communication terminal 1. Accordingly, if it is confirmed that the mobile communication terminal 1 has left the private network service area, the private PGW 50 may release the session with the mobile communication terminal 1. Meanwhile, depending on the embodiment, when the mobile communication terminal 1 moves and its location information changes, the private PGW 50 may receive a bearer modification message (Modify Bearer Request), and the changed location information of the mobile communication terminal 1 may be carried in that bearer modification message. Therefore, the private PGW 50 may compare the stored private network service area list with the changed location information, and if the changed location information is not included in the private network service area list, may release the session between the mobile communication terminal 1 and the private network. Depending on the embodiment, the private PGW 50 may also block access to the private network by changing the destination IP of the user traffic transmitted by the mobile communication terminal 1 to the IP of the authentication device 60, so that the user traffic is forwarded to the authentication device 60 instead.
Depending on the embodiment, the private PGW 50 may include an access permission condition table, and may perform each of subscription authentication, location authentication, access time authentication and the like according to the access permission condition table. For example, as shown in Table 1 below, mobile communication terminal A and mobile communication terminal B are both private network subscribers, but mobile communication terminal B is not permitted to access the private network at location "라". Also, in the case of mobile communication terminal D, since the permitted access time is 13:00~18:00, access to the private network may not be permitted from 09:00 to 13:00 even when it is at location "마". That is, it is possible to set the access permission conditions for the private network according to the various conditions set in the access permission condition table.
Table 1
Mobile communication terminal | Subscriber type | Private network service area | Permitted access time
A (010-xxxx-xxxx) | private | 가, 나, 다, 라 | 09:00~18:00
B (010-xxxx-xxxx) | private | 가, 나, 다 | 09:00~18:00
C (010-xxxx-xxxx) | private | 마, 바 | 09:00~18:00
D (010-xxxx-xxxx) | private | 마 | 13:00~18:00
E (010-xxxx-xxxx) | general | - | -
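As an added example (not the patent's or KT's own code), the following Python model applies the three checks described above (subscription, location, access time) against an access permission condition table shaped like Table 1, and re-checks the location on a Modify Bearer Request so that a terminal leaving its service area has its session released. The MSISDNs, the IP pool and the area labels "ga".."ba" (standing in for 가..바, which would be real TAI/ECGI values) are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessCondition:
    """One row of the access permission condition table (Table 1)."""
    subscriber_type: str                   # "private" or "general"
    service_areas: FrozenSet[str]          # TAI/ECGI values where access is allowed
    window: Optional[Tuple[time, time]]    # permitted access time; None = no private access


# Constructed stand-in for Table 1. MSISDNs are placeholders; the area labels
# "ga".."ba" stand for the table's 가..바 and would be TAI/ECGI values in practice.
PERMISSION_TABLE: Dict[str, AccessCondition] = {
    "010-0000-000A": AccessCondition("private", frozenset({"ga", "na", "da", "ra"}), (time(9), time(18))),
    "010-0000-000B": AccessCondition("private", frozenset({"ga", "na", "da"}), (time(9), time(18))),
    "010-0000-000C": AccessCondition("private", frozenset({"ma", "ba"}), (time(9), time(18))),
    "010-0000-000D": AccessCondition("private", frozenset({"ma"}), (time(13), time(18))),
    "010-0000-000E": AccessCondition("general", frozenset(), None),
}


class PrivatePGW:
    """Models the private PGW's authorization and session handling described in the text."""

    def __init__(self, table: Dict[str, AccessCondition], pool: str = "10.10.0.0/24"):
        self.table = table
        self.sessions: Dict[str, IPv4Address] = {}   # MSISDN -> allocated private-network IP
        self._free: List[IPv4Address] = list(IPv4Network(pool).hosts())
        self.released: List[Tuple[str, str]] = []    # (MSISDN, location) of released sessions

    def authorize(self, msisdn: str, location: str, at: time) -> Tuple[bool, str]:
        """Subscription, then location, then access-time check; all three must pass.

        Returns (ok, reason) so the caller can see which check rejected the request.
        """
        cond = self.table.get(msisdn)
        if cond is None or cond.subscriber_type != "private" or cond.window is None:
            return False, "subscription"        # unknown or general (non-private) subscriber
        if location not in cond.service_areas:
            return False, "location"            # TAI/ECGI not in this terminal's area list
        start, end = cond.window
        if not (start <= at < end):
            return False, "access_time"         # outside the permitted access window
        return True, "ok"

    def create_session(self, msisdn: str, location: str, at: time) -> Tuple[Optional[IPv4Address], str]:
        """Create Session Request handling: allocate a private-network IP only if authorized."""
        ok, reason = self.authorize(msisdn, location, at)
        if not ok:
            return None, reason                 # bearer setup is aborted with the reason
        if msisdn not in self.sessions:
            self.sessions[msisdn] = self._free.pop(0)
        return self.sessions[msisdn], "ok"

    def modify_bearer(self, msisdn: str, new_location: str) -> bool:
        """Modify Bearer Request handling: re-check the new TAI/ECGI and release on exit.

        Returns True if the session is kept, False if there is no session or it was released.
        """
        if msisdn not in self.sessions:
            return False
        if new_location in self.table[msisdn].service_areas:
            return True
        self._free.append(self.sessions.pop(msisdn))   # terminal left the service area
        self.released.append((msisdn, new_location))
        return False
```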
The authentication device 60 may perform subscription authentication, access time authentication or location authentication of the mobile communication terminal 1 at the request of the private PGW 50. The authentication device 60 may store a subscriber list corresponding to the user information of the mobile communication terminals 1 subscribed to the private network service, a private network service area list corresponding to the location information from which the private network may be accessed, a permitted access time list for individual mobile communication terminals, and the like, and may perform subscriber authentication, permitted access time authentication or location authentication of the mobile communication terminal 1 using the subscriber list, the permitted access time list and the private network service area list. In addition, when the mobile communication terminal 1 succeeds in accessing the private network, the authentication device 60 may transmit a notification message informing the mobile communication terminal 1 of the private network access, and when the mobile communication terminal 1 moves out of the private network service area, it may transmit a notification message informing the mobile communication terminal 1 that it has left the private network service area. Here, the notification message may be an SMS (Short Message Service) message, an MMS (Multimedia Message Service) message or an instant message. The authentication device 60 may transmit the notification message directly, or by requesting a separate text message transmission server to transmit the notification message.
FIG. 2 is a timing diagram illustrating a method of blocking private network access by an unregistered mobile communication terminal in a private network service system according to an embodiment of the present invention.
Referring to FIG. 2, first, a private network service area list corresponding to the location information from which the private network may be accessed may be stored in the private PGW 50 (S201), and a subscriber list corresponding to the user information of the mobile communication terminals 1 subscribed to the private network service may be stored in the authentication device 60 (S202).
Thereafter, to access the private network N2, the mobile communication terminal 1 may transmit an access request message specifying the private APN to the MME 20 via the eNB 211 included in the E-UTRAN 210 (S203, S204). Here, the MME 20 may permit access to the private PGW 50 only if the private APN requested by the mobile communication terminal 1 is predefined, but depending on the embodiment the MME 20 may apply a "Wild Card APN" that accepts every APN delivered by the mobile communication terminal 1. In this case, use may be permitted even if the APN is not predefined in the MME 20, and a bearer setup message (Create Session Request) for user traffic transmission may be transmitted to the SGW 30 and the private PGW 50 corresponding to the private APN (S205, S206).
The private PGW 50 may check whether the location information of the mobile communication terminal 1 included in the received bearer setup message is included in the pre-stored private network service area list. If the location information is included in the private network service area list, the private PGW 50 may determine that location authentication has succeeded and proceed to subscriber authentication. On the other hand, if the location information of the mobile communication terminal 1 is not included in the private network service area list, the private PGW 50 may refuse to establish the session.
Also, in the present embodiment, subscriber authentication is described as proceeding after location authentication is determined to have succeeded, but the order is not necessarily limited to this; depending on the embodiment, location authentication may proceed after subscriber authentication has been performed.
If location authentication succeeds, the private PGW 50 may request subscriber authentication from the authentication device 60, and at this time the private PGW 50 may transmit the user information (for example, MSISDN, IMSI, etc.) to the authentication device 60 (S207). Here, the private PGW 50 may request the subscriber authentication from the authentication device 60 using a RADIUS (Remote Authentication Dial-In User Service) message. For example, the RADIUS message may carry the user information as User-name = MSISDN, 3GPP-IMSI = IMSI.
The authentication device 60 may compare the received user information with the pre-stored subscriber list to determine whether the mobile communication terminal 1 corresponds to a terminal subscribed to the private network service. If the user information is determined not to be included in the subscriber list (S208), the authentication device 60 may transmit an authentication failure message (Access-Reject) to the private PGW 50 (S209). That is, if either of the received MSISDN or IMSI does not match, subscriber authentication is determined to have failed and the authentication failure message may be transmitted.
Upon receiving the authentication failure message, the private PGW 50 may transmit a bearer setup abort message (Create Session Response - User Authentication failed) that stops the setup of the bearer, thereby blocking private network access by the unregistered mobile communication terminal 1 (S210, S211, S212).
Thereafter, the authentication device 60 may transmit to the unregistered mobile communication terminal 1 a notification message informing it that access to the private network is not permitted because it is not subscribed to the private network service. At this time, the authentication device 60 may transmit the notification message by requesting a separate text message transmission server 61 to transmit it (S213, S214). That is, if the authentication device 60 determines that the user information is not included in the subscriber list, it may extract the telephone number information from the source IP of the packet transmitted for authentication and send it to the text message transmission server 61 so that an access-denied message is delivered to the mobile communication terminal 1.
FIGS. 3A and 3B are timing diagrams illustrating a method of blocking private network access by a mobile communication terminal that has left the private network service area, in a private network service system according to an embodiment of the present invention.
Referring to FIG. 3A, first, the private network service area list may be stored in the private PGW 50 (S301), and the subscriber list may be stored in the authentication device 60 (S302).
Thereafter, the mobile communication terminal 1 may transmit an access request message (Attach Request) specifying the private APN to the MME 20 (S303, S304). The MME 20 may transmit a bearer setup message (Create Session Request) for user traffic transmission to the SGW 30 and the private PGW 50 corresponding to the private APN (S305, S306).
The private PGW 50 checks whether the location information of the mobile communication terminal 1 included in the received bearer setup message is included in the pre-stored private network service area list, and if so, may determine that location authentication has succeeded and proceed to subscriber authentication.
If location authentication succeeds, the private PGW 50 may request subscriber authentication (Access-Request) from the authentication device 60, and at this time the private PGW 50 may transmit the user information (for example, MSISDN, IMSI, etc.) to the authentication device 60 (S307).
The authentication device 60 may compare the received user information with the pre-stored subscriber list to determine whether the mobile communication terminal 1 corresponds to a terminal subscribed to the private network service. If the user information is determined to be included in the subscriber list, the authentication device 60 may transmit an authentication success message (Access-Accept) to the private PGW 50 (S308).
Upon receiving the authentication success message, the private PGW 50 may allocate the IP address of the mobile communication terminal 1 accessing the private network (S309) and transmit an Accounting-Request(start) message including the allocated IP address to the authentication device 60 (S310); the authentication device 60 generates and stores session information on the basis of the received Accounting-Request(start) message (S315) and may transmit the result to the private PGW 50 (S311). Thereafter, the mobile communication terminal 1 may be connected to the private network (S312, S313, S314). Here, the stored session information may be as shown in FIG. 4.
In addition, the authentication device 60 may transmit, through the text message transmission server 61, a text message informing the mobile communication terminal 1 of its successful access to the private network (S316, S317, S318). Thereafter, the mobile communication terminal 1 may receive communication services, such as connecting to the private network and transmitting user traffic normally.
Meanwhile, as shown in FIG. 3B, when the mobile communication terminal 1 moves (S320), the location information of the mobile communication terminal 1 may change, and a TAU (Tracking Area Update) request for the changed location may be transmitted to the MME 20 (S321). Accordingly, the private PGW 50 may receive a bearer modification message (Modify Bearer Request) via the MME 20 and the SGW 30 (S322, S323), and may use the changed location information included in the bearer modification message to determine whether the mobile communication terminal 1 has left the preset private network service area (S327).
Thereafter, if the changed location information of the mobile communication terminal 1 is not included in the private network service area list, the private PGW 50 determines that the terminal has left the private network service area and may change the destination IP of the user traffic to the IP of the authentication device 60 (S328). In this case, since the user traffic of the mobile communication terminal 1 is no longer delivered into the private network, the access of the mobile communication terminal 1 to the private network is blocked, and the authentication device 60 may compare the source IP extracted from the user traffic with the IP of the mobile communication terminal 1 contained in the stored session information. Then, if the two IPs match, the authentication device 60 may have the text message transmission server 61 transmit a text message to the mobile communication terminal 1 informing it that it has left the private network service area (S329, S330, S331).
FIG. 5 is a timing diagram illustrating a method by which a mobile communication terminal 1 connected to the private network changes its connection from the private network to the public network.
Referring to FIG. 5, the mobile communication terminal 1 may first transmit a detach request (Detach Request) including the public APN to the MME 20 (S501, S502), and in response to the detach request the MME 20 may transmit a Delete Session Request message to the private PGW 50 via the SGW 30 (S503, S504). The private PGW 50 may then transmit an Accounting-Request(stop) message to the authentication device 60 in response to the Delete Session Request (S506), and the authentication device 60 may terminate the session, for example by deleting the stored communication session for the private network (S507). When session termination is complete, the authentication device 60 may transmit a response message to the private PGW 50 to notify it that session termination has been completed (S508).
FIG. 6 is a timing diagram illustrating a method of blocking private network access by an unregistered mobile communication terminal according to another embodiment of the present invention.
도6을 참조하면, 인증장치(60)에는 사설망 서비스 지역 리스트 및 가입자 리스트가 저장될 수 있다(S601). 이동통신단말(1)은 사설망 접속을 위하여, 사설 APN을 설정한 접속요청 메시지를 eNB(211)을 통하여 MME(20)로 전송할 수 있다(S603, S604). MME(20)는 접속요청 메시지에 대응하여, SGW(30) 및 사설 PGW(50)로 사용자 트래픽 전송을 위한 베어러 설정메시지(Creat Session Request)를 전송할 수 있다(S605, S606).Referring to FIG. 6, the authentication apparatus 60 may store a private network service area list and a subscriber list (S601). The mobile communication terminal 1 may transmit a connection request message for setting up a private APN to the MME 20 through the eNB 211 for private network access (S603 and S604). The MME 20 may transmit a bearer establishment message (Creat Session Request) for transmitting user traffic to the SGW 30 and the private PGW 50 in response to the access request message (S605 and S606).
사설 PGW(50)는 수신한 베어러 설정메시지에 포함된 사용자 정보 및 위치정보를 인증장치(60)로 전송하여, 이동통신단말(1)에 대한 가입자 인증 및 위치인증을 요청할 수 있다(S607). 여기서, 사설 PGW(50)는 인증장치(60)에게 RADIUS(Remote Authentication Dial-In User Service) 메시지를 이용하여 상기 가입자 인증 및 위치인증을 요청할 수 있다. 예를들어, RADIUS 메시지는, User-name = MSISDN, 3GPP-IMSI = IMSI, 3GPP-User-Location-Info=ECGI and/or TAI의 형식으로, 사용자 정보 및 위치정보를 전송할 수 있다.The private PGW 50 may transmit user information and location information included in the received bearer setting message to the authentication device 60 to request subscriber authentication and location authentication for the mobile communication terminal 1 (S607). Here, the private PGW 50 may request the authentication and location authentication from the authentication device 60 using a RADIUS (Remote Authentication Dial-In User Service) message. For example, the RADIUS message may transmit user information and location information in the form of User-name = MSISDN, 3GPP-IMSI = IMSI, 3GPP-User-Location-Info = ECGI and / or TAI.
인증장치(60)는 수신한 사용자 정보 및 위치정보를 각각 가입자 리스트 및 사설망 서비스 지역 리스트와 비교할 수 있다. 즉, 이동통신단말(1)의 위치정보 및 사용자 정보가, 각각의 사설망 서비스 지역 리스트와 가입자 리스트에 포함되어 있는지 여부를 확인하고, 모두 포함하는 경우에는 위치인증 및 가입자 인증에 성공한 것으로 판단할 수 있다. 반면에, 이동통신단말(1)의 위치정보 또는 사용자정보 중 어느 하나가, 사설망 서비스 지역 리스트 또는 가입자 리스트에 포함되지 않은 경우에는, 위치인증 또는 가입자 인증 중 어느 하나가 실패한 것이므로, 세션 형성을 거절할 수 있다. 예를들어, 사용자 정보가 가입자 리스트에 포함되지 않은 것으로 판별되면(S608), 인증장치(60)가 인증실패메시지(Access-Reject)를 사설 PGW(50)로 전송할 수 있다(S609).The authentication device 60 may compare the received user information and the location information with the subscriber list and the private network service area list, respectively. That is, it is determined whether the location information and the user information of the mobile communication terminal 1 are included in each private network service area list and the subscriber list, and when all are included, it can be determined that the location authentication and the subscriber authentication are successful. have. On the other hand, if any of the location information or user information of the mobile communication terminal 1 is not included in the private network service area list or the subscriber list, either the location authentication or the subscriber authentication has failed, and thus refuses to establish a session. can do. For example, if it is determined that the user information is not included in the subscriber list (S608), the authentication device 60 may transmit an authentication failure message (Access-Reject) to the private PGW 50 (S609).
인증실패 메시지를 수신한 사설 PGW(50)는, 베어러의 설정을 중지하는 베어러설정중단 메시지(Create Seesion Response-User Authentication failed)를 전송하여, 미등록 이동통신단말(1)의 사설망 접속을 차단할 수 있다(S610, S611, S612).Upon receiving the authentication failure message, the private PGW 50 may block a connection to the private network of the unregistered mobile communication terminal 1 by sending a bearer setup stop message (Create Seesion Response-User Authentication failed) to stop the setup of the bearer. (S610, S611, S612).
이후, 인증장치(60)는, 미등록 이동통신단말(1)에 대하여, 사설망 서비스에 가입되어 있지 않으므로 사설망에 대한 접속이 허용되지 않음을 알리는 알림메시지를 전송할 수 있다. 이때, 인증장치(60)는 별도의 문자메시지 전송서버(61)에게 알림 메시지의 전송을 요청하는 방식으로, 알림메시지를 전송할 수 있다(S613, S614). 즉, 인증장치(60)는 사용자 정보가 가입자 리스트에 포함되지 않은 것으로 판별되면, 인증을 위해 전송된 패킷의 source IP에서 전화번호 정보를 추출하여 이동통신단말(1)에 접속 불가 메시지를 보내도록 문자메시지 전송서버(61)에 전송할 수 있다.Thereafter, the authentication device 60 may transmit a notification message to the unregistered mobile communication terminal 1, indicating that access to the private network is not allowed because the private network service is not subscribed to the unregistered mobile communication terminal 1. In this case, the authentication device 60 may transmit the notification message by requesting the transmission of the notification message to the separate text message transmission server 61 (S613 and S614). That is, if it is determined that the user information is not included in the subscriber list, the authentication device 60 extracts telephone number information from the source IP of the packet transmitted for authentication, and sends a message indicating that the mobile communication terminal 1 cannot access. The text message transmission server 61 may be transmitted.
Figs. 7A and 7B are timing diagrams illustrating a method of blocking private network access for a mobile communication terminal that has left the private network service area, according to another embodiment of the present invention.
Referring to Fig. 7A, a private network service area list and a subscriber list may first be stored in the authentication device 60 (S701). The mobile communication terminal 1 may then transmit an Attach Request message in which the private APN is set to the MME 20 (S703, S704). The MME 20 may transmit a bearer setup message (Create Session Request) for carrying user traffic to the SGW 30 and the private PGW 50 corresponding to the private APN (S705, S706).
The private PGW 50 may query the authentication device 60 for location authentication and subscriber authentication of the mobile communication terminal 1 that has requested access to the private network (S707). At this time, the private PGW 50 may transmit user information (for example, MSISDN, IMSI, etc.) and location information (for example, TAI, ECGI, etc.) to the authentication device 60.
The authentication device 60 compares the received user information and location information with the pre-stored subscriber list and private network service area list to determine whether the mobile communication terminal 1 is a terminal subscribed to the private network service and whether it is located within the preset private network service area. Here, if the user information is determined to be contained in the subscriber list and the location information is determined to be contained in the private network service area list, the authentication device 60 may transmit an authentication success message to the private PGW 50 (S708).
Upon receiving the authentication success message, the private PGW 50 may allocate an IP address to the mobile communication terminal 1 accessing the private network (S709) and transmit an Accounting-Request(start) message to the authentication device 60 (S710); the authentication device 60 may store the session information established on the basis of the received Accounting-Request(start) message (S715) and transmit the result to the private PGW 50 (S711). The mobile communication terminal 1 may then be connected to the private network (S712, S713, S714).
In addition, the authentication device 60 may transmit, via the text message transmission server 61, a text message notifying the mobile communication terminal 1 that the connection to the private network succeeded (S716, S717, S718). The mobile communication terminal 1 may then receive communication services, such as transmitting user traffic normally over the private network.
Meanwhile, as shown in Fig. 7B, when the mobile communication terminal 1 moves (S720), its location information may change, and a TAU (Tracking Area Update) request for the changed location may be transmitted to the MME 20 (S721). The private PGW 50 may accordingly receive a bearer modification message (Modify Bearer Request) via the MME 20 and the SGW 30 (S722, S723) and, using the changed location information contained in that message, query the authentication device 60 as to whether the mobile communication terminal 1 has left the preset private network service area (S724). At this time, the private PGW 50 may transmit an Accounting-Request(interim) message containing 3GPP-User-Location-Info to the authentication device 60.
The authentication device 60 may compare the 3GPP-User-Location-Info contained in the Accounting-Request(interim) message with the preset private network service area list. If the changed location information of the mobile communication terminal 1 is not contained in the private network service area list, the authentication device 60 may determine that the mobile communication terminal 1 has left the private network service area. In this case, the authentication device 60 may transmit a disconnection message (Disconnect-Request) to the private PGW 50 to block the mobile communication terminal 1's access to the private network (S732).
The private PGW 50 may return an ACK message in response to the disconnection message (S733) and, to stop the transmission of user traffic, transmit a bearer deletion message (Delete Bearer Request) to the SGW 30 and the MME 20 (S734, S735). Upon receiving the bearer deletion message, the MME 20 may transmit a detach request to the mobile communication terminal 1, thereby cutting off its access to the private network (S736). Thereafter, when a Delete Bearer Response message is received (S739), the private PGW 50 may transmit an Accounting-Request to the authentication device 60 (S740), and the authentication device 60 may terminate the session between the mobile communication terminal 1 and the private network (S741).
Meanwhile, when the mobile communication terminal 1 has left the private network service area, the authentication device 60 may transmit to the mobile communication terminal 1 a notification message stating that private network access is being terminated because the terminal has left the service area. That is, the authentication device 60 may request the text message transmission server 61 to send the notification message (S729, S730, S731).
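The authentication device's decision logic for Figs. 6, 7A and 7B, written out as an added example: the two-list check on the Access-Request (S607-S609, S707-S708), the session store filled on Accounting-Request(start) (S715), the location re-check on Accounting-Request(interim) that yields a Disconnect-Request (S724, S732), the session deletion on Accounting-Request(stop) (S741), and the source-IP match on traffic the gateway redirected to the device after an area exit (S328-S331). This is Python written for this page, not the patent's or the applicant's code. The RADIUS attribute names (User-Name, 3GPP-IMSI, 3GPP-User-Location-Info) are the ones the description cites; the subscriber list, service-area list, MSISDN/IMSI values, TAI/ECGI strings, IP addresses and message texts are constructed sample data. It goes one step beyond the description by keying the service-area list per terminal, which claim 5 permits, so a terminal that is a valid subscriber can still be refused outside its own area.

```python
"""Model of the authentication device (60): subscriber and location authentication,
session tracking and area-exit handling. Added example; all data below is constructed."""
from dataclasses import dataclass

# Constructed subscriber list: MSISDN -> IMSI registered for the private network service.
SUBSCRIBERS = {
    "821012340001": "450050000000001",
    "821012340002": "450050000000002",
}

# Constructed service-area list keyed by MSISDN (claim 5: a different area per terminal).
# The "*" entry is the default area for terminals without a specific entry. Entries are
# TAI or ECGI strings, the values 3GPP-User-Location-Info carries.
SERVICE_AREAS = {
    "*": {"TAI:45005-1A2B", "ECGI:45005-00F0A01"},
    "821012340002": {"ECGI:45005-00F0A02"},
}


@dataclass
class Session:
    msisdn: str
    imsi: str
    terminal_ip: str   # IP the private gateway allocated to the terminal (S709)
    location: str      # last 3GPP-User-Location-Info seen for the session


class AuthenticationDevice:
    """Holds the two lists (S601/S701), the session store (S715) and the messages
    handed to the text message transmission server (61)."""

    def __init__(self, subscribers, service_areas):
        self.subscribers = subscribers
        self.service_areas = service_areas
        self.sessions = {}      # terminal IP -> Session
        self.sms_outbox = []    # (msisdn, text) pairs passed on to server 61

    def _notify(self, msisdn, text):
        self.sms_outbox.append((msisdn, text))

    def _in_service_area(self, msisdn, location):
        allowed = self.service_areas.get(msisdn, self.service_areas.get("*", set()))
        return location in allowed

    def access_request(self, attrs):
        """Subscriber and location authentication for one Access-Request.
        Both checks must pass; failure of either refuses the session."""
        msisdn = attrs.get("User-Name")
        imsi = attrs.get("3GPP-IMSI")
        location = attrs.get("3GPP-User-Location-Info")
        # The MSISDN must be listed and the IMSI must be the one registered for it,
        # so a known number presented with a different SIM is rejected as well.
        if msisdn not in self.subscribers or self.subscribers[msisdn] != imsi:
            self._notify(msisdn, "Private network access denied: not subscribed.")
            return "Access-Reject"
        if not self._in_service_area(msisdn, location):
            self._notify(msisdn, "Private network access denied: outside service area.")
            return "Access-Reject"
        return "Access-Accept"

    def accounting_start(self, attrs, terminal_ip):
        """Store the session on Accounting-Request(start) and confirm by text message."""
        msisdn = attrs["User-Name"]
        self.sessions[terminal_ip] = Session(
            msisdn, attrs["3GPP-IMSI"], terminal_ip, attrs["3GPP-User-Location-Info"])
        self._notify(msisdn, "Connected to the private network.")
        return "Accounting-Response"

    def accounting_interim(self, terminal_ip, location):
        """Re-check the location carried in Accounting-Request(interim); answer with a
        Disconnect-Request when the terminal has left its service area."""
        session = self.sessions.get(terminal_ip)
        if session is None:
            return "Accounting-Response"   # no stored session: nothing to disconnect
        session.location = location
        if self._in_service_area(session.msisdn, location):
            return "Accounting-Response"
        self._notify(session.msisdn, "Left the private network service area; disconnecting.")
        return "Disconnect-Request"

    def accounting_stop(self, terminal_ip):
        """Delete the stored session on Accounting-Request(stop)."""
        return self.sessions.pop(terminal_ip, None) is not None

    def redirected_traffic(self, source_ip):
        """Traffic the gateway redirected here after an area exit: notify the user only
        when the packet's source IP matches a stored session, otherwise drop silently."""
        session = self.sessions.get(source_ip)
        if session is None:
            return False
        self._notify(session.msisdn, "Left the private network service area.")
        return True


if __name__ == "__main__":
    dev = AuthenticationDevice(SUBSCRIBERS, SERVICE_AREAS)
    req = {"User-Name": "821012340001", "3GPP-IMSI": "450050000000001",
           "3GPP-User-Location-Info": "TAI:45005-1A2B"}
    print(dev.access_request(req))
    print(dev.accounting_start(req, "10.20.0.5"))
    print(dev.accounting_interim("10.20.0.5", "TAI:45005-FFFF"))
    print(dev.sms_outbox)
```

The subscriber check deliberately ties the MSISDN to its registered IMSI rather than accepting either identifier on its own; the description sends both, and claim 10 lists either one, so this is the stricter reading. The unknown-session branch of `accounting_interim` matters in practice: an interim record for an IP that was never accounted as started should not trigger a disconnect of anything.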
Fig. 8 is a block diagram showing a private network service system according to another embodiment of the present invention.
Fig. 8 shows the private network access architecture pursued in TR 23.829 of 3GPP Release 10. That is, in the private network service system of Fig. 8, the mobile communication terminal 1 can connect directly to the private network via the HeNB 212 and the local gateway 70 without passing through a separate wireless core network. Here, the mobile communication terminal 1 may set an APN for accessing the private network and transmit an Attach Request containing the set APN to the MME 20. In this case, the MME 20 may select the SGW 30, the local gateway 70 and so on for accessing the private network corresponding to the received APN, set up a bearer and the like, and have user traffic transmitted through them. Here, similarly to the private PGW 50 of Fig. 1, the local gateway 70 may perform authentication of the mobile communication terminal 1 such as subscription authentication, location authentication and access time authentication, and may connect the mobile communication terminal 1 to the private network only when all of these authentications succeed. Since the specific authentication methods have been described above, a detailed description is omitted here.
Depending on the embodiment, as shown in Fig. 9, the mobile communication terminal 1 may transmit an attach request message in which the private APN is set to the MME 20 via the HeNB 212 for private network access (S901, S902). The MME 20 may transmit a bearer setup message (Create Session Request) for carrying user traffic to the SGW 30 and the local gateway 70 corresponding to the private APN (S903, S904).
Although not shown, the local gateway 70 may store a private network service area list corresponding to the location information from which the private network may be accessed, and the authentication device 60 may store a subscriber list corresponding to the user information of the mobile communication terminals 1 subscribed to the private network service.
The local gateway 70 then checks whether the location information of the mobile communication terminal 1 contained in the received bearer setup message is contained in the pre-stored private network service area list; if so, it may determine that location authentication has succeeded and proceed to subscriber authentication. On the other hand, if the location information of the mobile communication terminal 1 is not contained in the private network service area list, session establishment may be refused.
If location authentication succeeds, the local gateway 70 may request subscriber authentication from the authentication device 60, transmitting the user information (for example, MSISDN, IMSI, etc.) to the authentication device 60 (S905).
The authentication device 60 may compare the received user information with the pre-stored subscriber list to determine whether the mobile communication terminal 1 is a terminal subscribed to the private network service (S906). Here, if the user information is determined not to be contained in the subscriber list, the authentication device 60 may transmit an authentication failure message (Access-Reject) to the local gateway 70 (S907). That is, if either of the received MSISDN and IMSI does not match, subscriber authentication is deemed to have failed and the authentication failure message may be transmitted.
Upon receiving the authentication failure message, the local gateway 70 may transmit a bearer setup abort message (Create Session Response - User Authentication failed) that stops the bearer setup, thereby blocking the unregistered mobile communication terminal 1 from accessing the private network (S908, S909, S910).
Meanwhile, as shown in Figs. 10A and 10B, when the mobile communication terminal leaves the private network service area after connecting to the private network, its private network access may be blocked.
Referring to Fig. 10A, a private network service area list is first stored in the local gateway 70 (S1001), and a subscriber list may be stored in the authentication device 60.
The mobile communication terminal 1 may then transmit an Attach Request message in which the private APN is set to the MME 20 (S1002, S1003). The MME 20 may transmit a bearer setup message (Create Session Request) for carrying user traffic to the SGW 30 and the local gateway 70 corresponding to the private APN (S1004, S1005).
The local gateway 70 checks whether the location information of the mobile communication terminal 1 contained in the received bearer setup message is contained in the pre-stored private network service area list; if so, it may determine that location authentication has succeeded and proceed to subscriber authentication.
If location authentication succeeds, the local gateway 70 may request subscriber authentication from the authentication device 60, transmitting the user information (for example, MSISDN, IMSI, etc.) to the authentication device 60 (S1006).
The authentication device 60 may compare the received user information with the pre-stored subscriber list to determine whether the mobile communication terminal 1 is a terminal subscribed to the private network service. Here, if the user information is determined to be contained in the subscriber list, the authentication device 60 may transmit an authentication success message to the local gateway 70 (S1007).
Upon receiving the authentication success message, the local gateway 70 may allocate an IP address to the mobile communication terminal 1 accessing the private network and transmit an Accounting-Request(start) message to the authentication device 60 (S1008); the authentication device 60 may store the session information established on the basis of the received Accounting-Request(start) message (S1013) and transmit the result to the local gateway 70 (S1009). The mobile communication terminal 1 may then be connected to the private network (S1010, S1011, S1012).
In addition, the authentication device 60 may transmit a text message notifying the mobile communication terminal 1 that the connection to the private network succeeded (S1014). The mobile communication terminal 1 may then receive communication services, such as transmitting user traffic normally over the private network.
Meanwhile, when the mobile communication terminal 1 moves (S1015), its location information may change, and a TAU (Tracking Area Update) request for the changed location may be transmitted to the MME 20 (S1016). The local gateway 70 may accordingly receive a bearer modification message (Modify Bearer Request) via the MME 20 and the SGW 30 (S1017, S1018) and, using the changed location information contained in that message, determine whether the mobile communication terminal 1 has left the preset private network service area (S1019).
Thereafter, if the changed location information of the mobile communication terminal 1 is not contained in the private network service area list, the local gateway 70 determines that the terminal has left the private network service area and may change the destination IP of the user traffic to the IP of the authentication device 60 (S1022). In this case, since the user traffic of the mobile communication terminal 1 no longer enters the private network, the terminal's access to the private network may be blocked (S1023). A text message notifying the mobile communication terminal 1 that it has left the private network service area may then be transmitted (S1024).
The present invention is not limited by the embodiments described above and the accompanying drawings. It will be apparent to those of ordinary skill in the art to which the present invention pertains that the components of the present invention may be substituted, modified and changed without departing from the technical spirit of the present invention.

Claims (38)

  1. A method of providing a location-based private network service, comprising:
    a receiving step in which a private gateway receives an access request from a mobile communication terminal;
    an authentication step in which the private gateway authenticates whether the mobile communication terminal satisfies a preset private network access permission condition; and
    a connection step in which the private gateway establishes a communication session with the private network for the mobile communication terminal whose authentication succeeded.
  2. The method of claim 1, wherein in the receiving step,
    when an APN (Access Point Name) associated with the private network service is selected at the mobile communication terminal, the private gateway receives the access request from the mobile communication terminal.
  3. The method of claim 1 or 2, wherein the authentication step comprises:
    a location authentication step in which the private gateway performs location authentication by comparing the location information of the mobile communication terminal received from the mobile communication terminal with a preset private network service area list; and
    a subscription authentication step in which the private gateway performs subscription authentication by querying a preset authentication device as to whether the mobile communication terminal is a terminal subscribed to the private network service.
  4. The method of claim 3, wherein the authentication step further comprises
    an access time authentication step in which the private gateway performs access time authentication for the mobile communication terminal by comparing the time at which the access request was received with an access permission time preset for the mobile communication terminal.
  5. The method of claim 3, wherein in the location authentication step,
    the location authentication is performed using a private network service area list in which a different permitted private network service area is set for each mobile communication terminal.
  6. The method of claim 3, wherein in the location authentication step,
    the private gateway receives a TAI (Target Area Identifier) or an ECGI (E-UTRAN Cell Global Identifier) as the location information of the mobile communication terminal.
  7. The method of claim 3, wherein in the subscription authentication step,
    the private gateway transmits to the authentication device a RADIUS (Remote Authentication Dial-In User Service) message containing user information of the mobile communication terminal.
  8. The method of claim 7, wherein in the subscription authentication step,
    when the authentication device determines that the user information is contained in a preset subscriber list, the private gateway receives an authentication success message from the authentication device.
  9. The method of claim 7, wherein in the subscription authentication step,
    when the authentication device determines that the user information is not contained in the preset subscriber list, telephone number information is extracted from the source IP of the packet transmitted for authentication and transmitted to a text message transmission server so that an access-denied message is sent to the mobile communication terminal.
  10. The method of claim 7, wherein in the subscription authentication step,
    the private gateway transmits the MSISDN (Mobile Station International ISDN Number) or the IMSI (International Mobile Station Identity) of the mobile communication terminal as part of the user information.
  11. The method of claim 3, further comprising
    a departure blocking step in which, when the mobile communication terminal leaves the private network service area, the private gateway blocks the communication session between the mobile communication terminal and the private network.
  12. The method of claim 11, wherein in the departure blocking step,
    when the location information of the mobile communication terminal changes, the private gateway compares the changed location information with the preset private network service area list to determine whether the mobile communication terminal has left the private network service area.
  13. The method of claim 12, wherein in the departure blocking step,
    when the mobile communication terminal is determined to have left the private network service area, the private gateway changes the destination IP of the user traffic transmitted by the mobile communication terminal to the IP of the authentication device, thereby blocking the mobile communication terminal's access to the private network.
  14. The method of claim 13, wherein in the departure blocking step,
    when the authentication device determines that the changed location information is not contained in the preset private network area list, telephone number information is extracted from the source IP of the packet transmitted for authentication and transmitted to a text message transmission server so that an access-denied message is sent to the mobile communication terminal.
  15. The method of claim 1 or 2, wherein in the authentication step,
    the private gateway queries an authentication device as to whether the mobile communication terminal is a terminal located within the private network service area and whether the mobile communication terminal is a terminal subscribed to the private network service.
  16. The method of claim 15, wherein in the authentication step,
    the private gateway further queries the authentication device as to whether the mobile communication terminal made the access request within a preset access permission time.
  17. The method of claim 15, wherein in the authentication step,
    the private gateway transmits to the authentication device a RADIUS (Remote Authentication Dial-In User Service) message containing user information and location information of the mobile communication terminal.
  18. The method of claim 17, wherein in the authentication step,
    when the authentication device determines that the user information and the location information are contained in a preset subscriber list and a preset private network service area list, respectively, the private gateway receives an authentication success message from the authentication device.
  19. The method of claim 17, wherein in the authentication step,
    the private gateway includes the MSISDN (Mobile Station International ISDN Number) or the IMSI (International Mobile Station Identity) of the mobile communication terminal in the user information, and the TAI (Target Area Identifier) or the ECGI (E-UTRAN Cell Global Identifier) of the mobile communication terminal in the location information, when transmitting.
  20. The method of claim 15,
    further comprising a departure blocking step in which, when the mobile communication terminal leaves the private network service area, the private gateway blocks the communication session between the mobile communication terminal and the private network.
  21. The method of claim 20, wherein in the departure blocking step,
    upon receiving a TAU (Tracking Area Update) message corresponding to a change in the location of the mobile communication terminal, the private gateway transmits the updated location information of the mobile communication terminal to the authentication device and queries whether the mobile communication terminal has left the private network service area.
  22. The method of claim 21, wherein in the departure blocking step,
    upon receiving from the authentication device a departure confirmation message corresponding to the mobile communication terminal's departure from the private network service area, the private gateway blocks traffic transmission between the mobile communication terminal and the private network.
  23. The method of claim 22, wherein in the departure blocking step,
    when the authentication device determines that the changed location information is not included in the preset private network area list, it extracts the telephone number information from the source IP of the packet transmitted for authentication and requests the text message transmission server to send an access-unavailable message to the mobile communication terminal.
  24. A method for providing a private network service in an LTE network according to TR 23.829 of 3GPP Release 10, comprising:
    a receiving step in which a local gateway receives a private network access request from a mobile communication terminal;
    an authentication step in which the local gateway authenticates whether the mobile communication terminal satisfies a preset private network access permission condition; and
    a connection step in which the local gateway establishes a communication session with the private network for the mobile communication terminal whose authentication succeeded.
  25. The method of claim 24, wherein in the receiving step,
    when an APN (Access Point Name) associated with the private network service is selected at the mobile communication terminal, the local gateway receives the access request from the mobile communication terminal.
  26. The method of claim 24, wherein the authentication step comprises:
    a location authentication step in which the local gateway performs location authentication by comparing the location information of the mobile communication terminal, received from the mobile communication terminal, with a preset private network service area list; and
    a subscription authentication step in which the local gateway performs subscription authentication by querying a preset authentication device whether the mobile communication terminal is subscribed to the private network service.
  27. The method of claim 26, wherein the authentication step
    further comprises an access time authentication step in which the local gateway performs access time authentication for the mobile communication terminal by comparing the time at which the access request was received with an access-allowed time preset for the mobile communication terminal.
  28. The method of claim 26, wherein in the location authentication step,
    the location authentication is performed using a private network service area list in which the allowed private network service area is set differently for each mobile communication terminal.
  29. The method of claim 26, wherein in the location authentication step,
    the local gateway receives a TAI (Tracking Area Identity) or ECGI (E-UTRAN Cell Global Identifier) as the location information of the mobile communication terminal.
  30. The method of claim 26, wherein in the subscription authentication step,
    the local gateway transmits to the authentication device a RADIUS (Remote Authentication Dial-In User Service) message including the user information of the mobile communication terminal.
  31. The method of claim 30, wherein in the subscription authentication step,
    when the authentication device determines that the user information is included in a preset subscriber list, the local gateway receives an authentication success message from the authentication device.
  32. The method of claim 30, wherein in the subscription authentication step,
    the local gateway transmits the MSISDN (Mobile Station International ISDN Number) or IMSI (International Mobile Subscriber Identity) of the mobile communication terminal included in the user information.
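The RADIUS exchange of claims 15 to 19, and the same message as used by the local gateway in claims 30 to 32, as an added example that is not part of the patent: the gateway side builds an Access-Request carrying the MSISDN as User-Name and the IMSI and TAI/ECGI as 3GPP vendor-specific attributes; the authentication-device side parses it and applies the three checks of claims 15, 16 and 18 (subscriber list, per-terminal service area list, access-allowed time window), and the gateway side verifies the Response Authenticator before trusting the verdict. The attribute numbers (vendor 10415, 3GPP-IMSI 1, 3GPP-User-Location-Info 22, location type 130 = TAI and ECGI) follow TS 29.061; the PLMN 450/08, tracking area code, cell identity, MSISDN, subscriber record layout and shared secret are constructed sample values and assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865); 3GPP vendor-specific sub-types and the
# User-Location-Info encoding follow TS 29.061 (TAI/ECGI octet layout as in TS 29.274).
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 4, 26
VENDOR_3GPP, SUB_3GPP_IMSI, SUB_3GPP_ULI = 10415, 1, 22
ULI_TYPE_TAI_AND_ECGI = 130


def encode_plmn(mcc, mnc):
    """MCC/MNC as three BCD octets; a two-digit MNC pads its third digit with 0xF."""
    d = [int(c, 16) for c in mcc + (mnc if len(mnc) == 3 else mnc + "F")]
    return bytes([d[1] << 4 | d[0], d[5] << 4 | d[2], d[4] << 4 | d[3]])


def encode_uli(mcc, mnc, tac, eci):
    """3GPP-User-Location-Info value of type 130: TAI (PLMN+TAC) followed by ECGI (PLMN+ECI)."""
    plmn = encode_plmn(mcc, mnc)
    return (bytes([ULI_TYPE_TAI_AND_ECGI]) + plmn + struct.pack("!H", tac)
            + plmn + struct.pack("!I", eci & 0x0FFFFFFF))


def decode_uli(value):
    """Return ('TAI:<plmn>:<tac>', 'ECGI:<plmn>:<eci>') from a type-130 value."""
    if len(value) != 13 or value[0] != ULI_TYPE_TAI_AND_ECGI:
        raise ValueError("unsupported User-Location-Info encoding")
    tac = struct.unpack("!H", value[4:6])[0]
    eci = struct.unpack("!I", value[9:13])[0] & 0x0FFFFFFF
    return f"TAI:{value[1:4].hex()}:{tac:04x}", f"ECGI:{value[6:9].hex()}:{eci:07x}"


def attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def vsa_3gpp(subtype, value):
    return attr(ATTR_VENDOR_SPECIFIC,
                struct.pack("!I", VENDOR_3GPP) + bytes([subtype, 2 + len(value)]) + value)


def build_access_request(ident, msisdn, imsi, uli, nas_ip, authenticator=None):
    """Gateway side: Access-Request carrying user information (MSISDN, IMSI) and location."""
    authenticator = authenticator or os.urandom(16)        # Request Authenticator
    body = (attr(ATTR_USER_NAME, msisdn.encode())
            + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
            + vsa_3gpp(SUB_3GPP_IMSI, imsi.encode())
            + vsa_3gpp(SUB_3GPP_ULI, uli))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_access_request(pkt):
    """Authentication-device side: pull MSISDN, IMSI, TAI and ECGI out of the request."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != CODE_ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("malformed Access-Request")
    out, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, value = pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]
        if atype == ATTR_USER_NAME:
            out["msisdn"] = value.decode()
        elif atype == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == VENDOR_3GPP:
            sub, subval = value[4], value[6:4 + value[5]]
            if sub == SUB_3GPP_IMSI:
                out["imsi"] = subval.decode()
            elif sub == SUB_3GPP_ULI:
                out["tai"], out["ecgi"] = decode_uli(subval)
        pos += pkt[pos + 1]
    return out


def authenticate(pkt, subscribers, now):
    """Verdict of the authentication device. subscribers: MSISDN -> {imsi, areas, hours}.
    Every check must pass; a request with any field missing is rejected (fail closed)."""
    req = parse_access_request(pkt)
    sub = subscribers.get(req.get("msisdn"))
    if sub is None or sub["imsi"] != req.get("imsi"):
        return CODE_ACCESS_REJECT, "not subscribed"
    if not ({req.get("tai"), req.get("ecgi")} & sub["areas"]):
        return CODE_ACCESS_REJECT, "outside service area"
    start, end = sub["hours"]
    if not start <= now.time() < end:
        return CODE_ACCESS_REJECT, "outside access window"
    return CODE_ACCESS_ACCEPT, "ok"


def build_response(code, request_pkt, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865."""
    header = struct.pack("!BBH", code, request_pkt[1], 20)
    return header + hashlib.md5(header + request_pkt[4:20] + secret).digest()


def verify_response(resp, request_pkt, secret):
    """Gateway side: accept only a response bound to our request and the shared secret."""
    expected = hashlib.md5(resp[:4] + request_pkt[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```

Only the Response Authenticator is checked here; the Access-Request itself carries no integrity protection unless a Message-Authenticator attribute (RFC 2869) is added or the path between gateway and authentication device is protected by other means. Matching on the ECGI confines the allowed area to one cell, whereas a TAI alone admits every cell of the tracking area, so the per-terminal list should be kept at the granularity the service actually needs.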
  33. The method of claim 26,
    further comprising a departure blocking step in which, when the mobile communication terminal leaves the private network service area, the local gateway blocks the communication session between the mobile communication terminal and the private network.
  34. The method of claim 33, wherein in the departure blocking step,
    when the location information of the mobile communication terminal changes, the local gateway compares the changed location information with a preset private network service area list to determine whether the mobile communication terminal has left the private network service area.
  35. The method of claim 34, wherein in the departure blocking step,
    when the mobile communication terminal is determined to have left the private network service area, the local gateway changes the destination IP of the user traffic transmitted by the mobile communication terminal to the IP of the authentication device, thereby blocking the mobile communication terminal's access to the private network.
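The departure blocking of claims 11 to 14, 20 to 23 and 33 to 35, as an added example that is not part of the patent: the gateway keeps one session per terminal IP, passes each Tracking Area Update to the authentication device, which compares the new TAI/ECGI with that terminal's own service area list (claims 21 and 28), recovers the telephone number from the terminal's IP and queues the text message (claim 14), and the gateway then rewrites the destination of that terminal's user traffic to the authentication device (claims 13 and 35). The address of the authentication device, the IP-to-MSISDN table learned at authentication time, the TAI strings and the MSISDN are assumptions of this example; the SMS server is a stand-in that records what it would send.

```python
from dataclasses import dataclass

AUTH_DEVICE_IP = "10.255.0.1"      # assumed address of the authentication device
ACCESS_DENIED_TEXT = "Private network access is not available at your current location."


class SmsServer:
    """Stand-in for the text message transmission server: records what it would send."""
    def __init__(self):
        self.sent = []

    def send(self, msisdn, text):
        self.sent.append((msisdn, text))


class AuthenticationDevice:
    """Holds each terminal's service area list and answers the gateway's departure queries."""
    def __init__(self, area_lists, sms):
        self.area_lists = {m: frozenset(a) for m, a in area_lists.items()}  # MSISDN -> TAI/ECGI set
        self.ip_to_msisdn = {}   # assumption: learned from the authentication exchange
        self.sms = sms

    def register(self, ue_ip, msisdn):
        self.ip_to_msisdn[ue_ip] = msisdn

    def check_departure(self, ue_ip, new_location):
        """True when the new TAI/ECGI is outside the terminal's list (or the terminal is unknown).
        On departure the phone number is recovered from the source IP and an SMS is queued."""
        msisdn = self.ip_to_msisdn.get(ue_ip)
        if msisdn is None:
            return True                                   # unknown terminal: fail closed
        if new_location in self.area_lists.get(msisdn, frozenset()):
            return False
        self.sms.send(msisdn, ACCESS_DENIED_TEXT)
        return True


@dataclass
class Session:
    msisdn: str
    ue_ip: str
    location: str
    blocked: bool = False


class PrivateGateway:
    def __init__(self, auth):
        self.auth = auth
        self.sessions = {}   # terminal IP -> Session

    def connect(self, msisdn, ue_ip, location):
        """Open the session to the private network once authentication has succeeded."""
        self.sessions[ue_ip] = Session(msisdn, ue_ip, location)
        self.auth.register(ue_ip, msisdn)

    def on_tracking_area_update(self, ue_ip, new_location):
        """TAU relayed by the MME: query the authentication device and block the session on
        departure. Returns True when the session is (now or already) blocked."""
        s = self.sessions.get(ue_ip)
        if s is None:
            return False
        s.location = new_location
        if self.auth.check_departure(ue_ip, new_location):
            s.blocked = True
        return s.blocked

    def forward(self, src_ip, dst_ip):
        """Destination a user packet is actually sent to: unchanged for an active session,
        the authentication device once the session is blocked, None (dropped) with no session."""
        s = self.sessions.get(src_ip)
        if s is None:
            return None
        return AUTH_DEVICE_IP if s.blocked else dst_ip
```

A blocked session stays blocked even if a later TAU places the terminal back inside its area; reopening it takes a fresh access request and authentication, which is a design choice of this example rather than something the claims specify. The location acted on is the one the MME reports in the TAU, not anything the terminal asserts about itself, and a source IP with no session is dropped rather than redirected.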
  36. A private network service system comprising:
    a mobility management entity (MME) that uses the APN (Access Point Name) transmitted by a mobile communication terminal to determine whether the request is an access request to a private network and, if it is, transmits a bearer setup message for delivering user traffic to the private gateway corresponding to the APN;
    a private gateway that, upon receiving the bearer setup message, performs location authentication as to whether the mobile communication terminal is located within a preset private network service area, requests subscription authentication from a preset authentication device as to whether the mobile communication terminal is subscribed to the private network service, and, when both the subscription authentication and the location authentication of the mobile communication terminal succeed, establishes a communication session between the mobile communication terminal and the private network in response to the bearer setup message; and
    an authentication device that, at the request of the private gateway, determines whether the mobile communication terminal is included in a subscriber list of the preset private network service, generates a subscription authentication result, and transmits the generated subscription authentication result to the private gateway.
  37. A private network service system comprising:
    a mobility management entity (MME) that uses the APN (Access Point Name) transmitted by a mobile communication terminal to determine whether the request is an access request to a private network and, if it is, transmits a bearer setup message for delivering user traffic to the private gateway corresponding to the APN;
    a private gateway that, upon receiving the bearer setup message, requests location authentication and subscriber authentication of the mobile communication terminal from a preset authentication device and, when both the location authentication and the subscriber authentication of the mobile communication terminal succeed, establishes a communication session between the mobile communication terminal and the private network in response to the bearer setup message; and
    an authentication server that checks whether the user information of the mobile communication terminal is included in a preset subscriber list and whether the location information of the mobile communication terminal is included in a preset private network service area list, generates a response message to the location authentication and subscriber authentication request, and transmits the response message to the private gateway.
  38. A private network service system according to TR 23.829 of 3GPP Release 10, comprising:
    a mobility management entity (MME) that uses the APN (Access Point Name) transmitted by a mobile communication terminal to determine whether the request is an access request to a private network and, if it is, transmits a bearer setup message for delivering user traffic to the local gateway corresponding to the APN;
    a local gateway that, upon receiving the bearer setup message, performs location authentication as to whether the mobile communication terminal is located within a preset private network service area, requests subscription authentication from a preset authentication device as to whether the mobile communication terminal is subscribed to the private network service, and, when both the subscription authentication and the location authentication of the mobile communication terminal succeed, establishes a communication session between the mobile communication terminal and the private network in response to the bearer setup message; and
    an authentication device that, at the request of the local gateway, determines whether the mobile communication terminal is included in a subscriber list of the preset private network service, generates a subscription authentication result, and transmits the generated subscription authentication result to the local gateway.
PCT/KR2016/005172 2015-07-03 2016-05-16 Method and system for providing private network service WO2017007122A1 (en)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
KR10-2015-0095294 2015-07-03
KR20150095294 2015-07-03
KR20150095998 2015-07-06
KR10-2015-0095998 2015-07-06
KR1020150132088A KR101629006B1 (en) 2015-07-03 2015-09-18 Method and system for private network service
KR10-2015-0132088 2015-09-18

Publications (1)

Publication Number Publication Date
WO2017007122A1 true WO2017007122A1 (en) 2017-01-12

Family

ID=56191365

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2016/005172 WO2017007122A1 (en) 2015-07-03 2016-05-16 Method and system for providing private network service

Country Status (2)

Country Link
KR (2) KR101629006B1 (en)
WO (1) WO2017007122A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101830225B1 (en) * 2016-08-12 2018-02-20 주식회사 엘지유플러스 Method of providing closed type dedicated network service in a wireless access system
KR102553168B1 (en) * 2017-02-08 2023-07-06 주식회사 케이티 System and method for automatic network switching
KR102000717B1 (en) * 2017-06-27 2019-07-16 주식회사 케이티 System and method for controlling access of a user terminal accesing a private network through the untrusted network access point
WO2020036401A1 (en) * 2018-08-13 2020-02-20 삼성전자 주식회사 Apparatus and method for registration on network in wireless communication system
KR102528728B1 (en) * 2018-08-13 2023-05-08 삼성전자주식회사 Apparatus and method for registering network in wireless communication system
KR102343132B1 (en) * 2019-10-24 2021-12-24 주식회사 엘지유플러스 Apparatus and method for providing zone-based data communication service

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20050063188A (en) * 2003-12-22 2005-06-28 삼성전자주식회사 System for authenticating of 1x evolution-data only service subscriber station using cave algorithm in a code division multiple access mobile communication system and method thereof
KR20130006378A (en) * 2011-07-08 2013-01-16 삼성전자주식회사 Method and apparatus for supporting mobility of user equipment
KR20130036875A (en) * 2011-10-05 2013-04-15 에스케이텔레콤 주식회사 Method and inter working function for roaming gateway service in a mobile communication system
KR20140055562A (en) * 2012-10-31 2014-05-09 (주)나무소프트 Apparatus and method for managing an acess to an private network
KR20150021261A (en) * 2013-08-20 2015-03-02 에스케이텔레콤 주식회사 Method and apparatus for acquiring location information of user equipment based on radio unit

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101216542B1 (en) 2011-08-31 2013-01-02 에스케이텔레콤 주식회사 Pdn-gw for epc network and method generation of charging data therefor

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021155859A1 (en) * 2020-02-07 2021-08-12 维沃移动通信有限公司 Access control method and device
WO2023129800A1 (en) * 2021-12-29 2023-07-06 Motorola Solutions, Inc. Mobility and access control across tenant boundaries in a multitenant private communication system
US11863986B2 (en) 2021-12-29 2024-01-02 Motorola Solutions, Inc. Mobility and access control across tenant boundaries in a multitenant private communication system

Also Published As

Publication number Publication date
KR101629006B1 (en) 2016-06-13
KR101796297B1 (en) 2017-11-10
KR20170004835A (en) 2017-01-11

Similar Documents

Publication Publication Date Title
WO2017007122A1 (en) Method and system for providing private network service
US10455489B2 (en) Method for supporting PDN GW selection
WO2020251309A1 (en) Method and apparatus for providing service in wireless communication system
WO2012177023A1 (en) Traffic offload via local network
WO2016208960A1 (en) Method and apparatus for subscribing electronic device in mobile communication system
WO2011021875A2 (en) Server for control plane at mobile communication network and method for controlling local ip access service
WO2018021861A1 (en) Method and apparatus for performing cell specification procedure for network slice-based nr in wireless communication system
WO2018038503A1 (en) Method and apparatus for operating wireless communication system having separated mobility management and session management
WO2016175479A1 (en) Private network service providing method and system
WO2017086647A1 (en) Method and apparatus for selecting core network in mobile communication system
WO2011043571A2 (en) Area-based access control method for terminals which carry out m2m communications in a wireless communication system
WO2010128773A2 (en) Server for control plane at mobile communication network and method for controlling establishment of connection thereof
WO2011056046A2 (en) Method and system to support single radio video call continuity during handover
US10104603B2 (en) Apparatus, system and method for dedicated core network
WO2016085292A1 (en) Method and apparatus for providing sponsoring service between user equipments
WO2011052995A2 (en) Method and system for managing security in mobile communication system
WO2014069925A1 (en) Method and apparatus for managing packet data network connection on basis of local area in wireless communication system
WO2013109082A1 (en) Method and device for setting priority of data transmission
WO2019245344A1 (en) Method and system for hplmn-based traffic control when ue is registered on different plmns
WO2010128786A2 (en) Method for providing connection type information and method for controlling radio resource of home (e)nodeb
WO2010035971A2 (en) Method for supporting context management by home node-b
WO2019194536A1 (en) Method and apparatus for providing local area data network service based on non-subscription model in wireless communication system
WO2022025666A1 (en) Method and device for simultaneously using network slices
WO2021201648A1 (en) Method and apparatus for managing cag related procedure in wireless communication network
WO2021010661A1 (en) Edge computing management device and operating method of edge computing management device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16821528

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE