In recent years, the convergence of communication systems and subsystems has attracted increasing attention in communication technology. In this context, different systems in terms of communication technology, protocols, and/or principles, as well as different subsystems thereof (e.g. access networks, core networks, or the like), are to be converged into an overall system framework. However, several issues arise both in converging different systems and/or subsystems into a common overall system framework and in operating such converged overall system frameworks.
One issue in the context of communication system convergence resides in the interworking between access networks and core networks. In such a system configuration, security issues may arise, for example the question of trustworthiness of an access network from the point of view of a core network or a user's home network or a user's visited network (in case of roaming).
In the following, a system configuration will be addressed by way of example, in which a core network and/or home network and/or a visited network (in case of roaming) comply with a specific standard specification, for example a 3GPP (Third Generation Partnership Project) specification, but at least one access network via which a user equipment connects to the 3GPP core/home/visited network does not comply with a 3GPP standard specification. Such an access network is called a non-3GPP access network. It may comply with other standards, e.g. the HRPD standard defined by 3GPP2 or the WiMAX standard defined by the WiMAX Forum. It is to be noted that such a system configuration is taken as a non-limiting example; similar system configurations are equally applicable.
As a non-limiting example for the following description, it is assumed that a user equipment is connected to a 3GPP evolved packet system (EPS) via a non-3GPP (e.g. HRPD (High Rate Packet Data) or WiMAX (Worldwide Interoperability for Microwave Access)) access network. Communication connectivity, e.g. Internet Protocol (IP) connectivity, is provided to the user equipment connecting to the EPC via the non-3GPP access network in accordance with 3GPP standard specifications, such as 3GPP TS23.402 and 3GPP TS24.302. The security requirements and the requested authentication methods for trusted and untrusted non-3GPP access networks, as well as AAA (authentication, authorization and accounting) interfaces and procedures for the non-3GPP access network, are also in accordance with 3GPP standard specifications, such as 3GPP TS33.402 and 3GPP TS29.273. Known authentication mechanisms such as EAP methods, e.g. EAP-AKA and EAP-AKA′ (EAP: Extensible Authentication Protocol, AKA: Authentication and Key Agreement), are applicable in accordance with 3GPP standard specifications. In the present non-limiting example, it is also assumed that the user equipment is roaming, i.e. is connected to its home network via a non-3GPP access network which is attached to a visited 3GPP-compliant network.
During initial attach or handover to a non-3GPP access network, a decision as to whether the access network is trusted or untrusted is to be made in the user's home network, for example by an AAA server residing in the HPLMN (home public land mobile network). This decision shall take into account business/administrative conditions (e.g. direct roaming agreement with the operator of the access network) and technical conditions. Necessary or relevant technical conditions are dependent on the underlying network scenario and/or utilized protocols.
For example, according to current standard specifications, the following technical conditions are applicable for the S2a interface (between an access network and a packet data network gateway) using network-based mobility, i.e. Proxy Mobile IP (PMIP) as IP mobility management protocol. The MAG (Mobile Access Gateway) shall be trusted by the LMA (Local Mobility Anchor) to register only those Mobile Nodes that are attached. Security for PMIP messages between MAG and LMA shall be provided either by a chain of security associations in a hop-by-hop fashion (for each hop in such a chain, one security association per direction shall be used for all PMIP messages relating to any user), or by one security association per direction for all PMIP messages relating to any user in an end-to-end fashion for the intra-domain case. PMIP shall be used only in conjunction with EAP-AKA-based access authentication.
For example, according to current standard specifications, the following technical conditions are applicable for the S2c interface (between a user equipment and a packet data network gateway) using host-based mobility, i.e. Dual Stack Mobile IPv6 (DSMIPv6) as IP mobility management protocol. An access network needs to fulfill several security requirements to be trusted when host-based mobility is used. The trusted access will authenticate the user equipment and provide a secure link for the data to be transferred from the user equipment to the trusted access. The trusted access protects against source IP address spoofing. The trusted access and the packet data network gateway (PDN GW) will have a secure link between them to transfer the user's data across. The trusted access and the evolved packet core (EPC) need to co-ordinate when the user equipment detaches from the trusted access, in order to ensure that the IP address that was assigned to the user equipment is not used by another user equipment without the EPC being aware of the change (i.e. to enable the PDN GW to remove the CoA (care-of address) binding for the old user equipment).
These sets of conditions, which are specified according to current standard specifications, are quite general, however, and additional information may be required to determine whether an access network is trusted or not. At present, it is up to each operator to determine a full set of business (administrative) and technical conditions which need to be met for an access network to be trusted.
Therefore, in order that a correct decision on the trustworthiness of an access network can be made at the user's home network, all relevant information (for example, current data for all relevant conditions) needs to be available at the home network. However, this is particularly difficult to ensure in a roaming case.
In this regard, it is to be noted that a packet data network gateway (PDN GW) may be dynamically allocated during an authentication procedure. Therefore, for example in terms of a condition of a secure IP link between a non-3GPP access gateway and the PDN GW, the IP link in question can be between the non-3GPP access network and the home network (in case home routing is selected, i.e. the PDN GW is located in the home network) or between the non-3GPP access network and the visited network (in case local breakout is selected, i.e. the PDN GW is located in the visited network).
Considering that the IP routing is made directly between the two networks (i.e. the access network and the home or visited network), the IP link may use different routes and different IP transport providers (e.g. network operators) in the home routing case and in the local breakout (LBO) case. Consequently, the security properties of the respective IP links may also differ, which hampers the availability of proper information for decision making at the home network.
According to current standard specifications, there is no mechanism by which the home network could obtain all the relevant information needed to make its decision on the trust status (i.e. trustworthiness) of the access network, for example about the security of the IP link between the non-3GPP access network and the PDN GW that resides in the visited network if local breakout is selected. Considering that there may be several hundred roaming partners, e.g. for a GSM (Global System for Mobile Communication) and/or UTRAN (Universal Terrestrial Radio Access Network) network operator, which are scattered all over the world, and that the number of non-3GPP accesses may be even higher, it is not feasible for the home network to have up-to-date information about all IP links between all of the access networks and the potential visited networks, as required especially in roaming cases.
Therefore, the home network may make a wrong decision by not correctly taking into account all relevant conditions, e.g. the security of the link to be used. If the home network decides that the access network is untrusted, even though this is not required, unnecessary resource consumption and/or time delay results. For example, an evolved packet data gateway (ePDG) may be unnecessarily involved in the communication path, and a tunnel setup procedure between the user equipment and the ePDG may be unnecessarily executed. If the home network decides that the access network is trusted, even though there is e.g. no secure IP link between the access network and the visited network, confidentiality requirements are broken, and e.g. eavesdropping may become possible.
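As an added illustration (not part of the patent text), the following Python sketch models the home AAA server's trusted/untrusted decision described in the preceding paragraphs, using assumed names such as HomeAaaServer, AccessNetwork and link_security, and shows why a local-breakout case leaves the home network without a basis for its decision and what each fallback policy then costs.

```python
# Added illustration (not from the patent text): a toy model of the HPLMN
# AAA server's trusted/untrusted decision for a non-3GPP access network.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Tuple

class Routing(Enum):
    HOME_ROUTING = "home_routing"   # PDN GW located in the home network
    LOCAL_BREAKOUT = "lbo"          # PDN GW located in the visited network

@dataclass
class AccessNetwork:
    access_id: str
    roaming_agreement: bool   # business condition: direct agreement with HPLMN
    eap_aka_auth: bool        # EAP-AKA(') based access authentication in use
    ue_link_secured: bool     # secure link between UE and trusted access
    anti_spoofing: bool       # source IP address spoofing prevented

@dataclass
class HomeAaaServer:
    # What the HPLMN knows about IP link security: (access_id, pdn_gw_net) -> secure?
    link_security: Dict[Tuple[str, str], bool] = field(default_factory=dict)

    def decide(self, an: AccessNetwork, routing: Routing, vplmn: str) -> Tuple[str, str]:
        if not an.roaming_agreement:
            return "untrusted", "no roaming agreement"
        if not (an.eap_aka_auth and an.ue_link_secured and an.anti_spoofing):
            return "untrusted", "access-side technical conditions not met"
        # The link that matters depends on where the PDN GW was allocated.
        pdn_gw_net = "HPLMN" if routing is Routing.HOME_ROUTING else vplmn
        secure = self.link_security.get((an.access_id, pdn_gw_net))
        if secure is None:
            return "unknown", f"no data on link {an.access_id}->{pdn_gw_net}"
        return ("trusted" if secure else "untrusted"), f"link to {pdn_gw_net} known"

def consequence(decision: str, fallback: str) -> str:
    """Cost of an 'unknown' verdict under the operator's default policy."""
    verdict = fallback if decision == "unknown" else decision
    if verdict == "untrusted":
        return "ePDG inserted, UE-ePDG tunnel set up (possibly unnecessary)"
    return "direct path; confidentiality at risk if the IP link is not secured"

# Constructed sample: one HRPD access; the HPLMN only knows its own link to it.
HRPD = AccessNetwork("hrpd-1", True, True, True, True)
AAA = HomeAaaServer({("hrpd-1", "HPLMN"): True})
```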
Accordingly, there does not exist any feasible solution for ensuring secure and efficient access procedures based on the availability of information relating to the trustworthiness of access networks within a packet data system.