The provision of mobile broadband services requires the tight integration of radio access technologies based on third generation Partnership Project (3GPP) standards and on IEEE standards. 3GPP radio access and core network architecture considers IEEE radio access technologies, in particular the so called Wi-Fi based on IEEE 802.11, as non-3GPP technologies, whose integration with the 3GPP architecture requires a connection to the core network that is different to that of the 3GPP's radio access network nodes. This IEEE radio access nodes special connection to the core demands the inclusion of additional network nodes and the implementation of special methods for procedures like authentication, handover or session continuity, increasing the complexity of the network. Besides, the interconnection between networks at core level entails a processing delay than prevents or hinders the introduction of common Radio Resource Control (RRC) procedures, with an associated loss in overall spectrum efficiency.
3GPP comprises the base stations, which are called eNB's, the mobile terminals, which are called User Equipment (UE), and the radio interface between the UE's and the eNB's, which is called Uu. 3GPP RAN is connected to the mobile network core, which is called Evolved Packet Core (EPC), to two specific nodes called Mobility Management Element (MME) and Serving Gateway (SGW).
The basic procedures defined in 3GPP for the inter-working of 3GPP networks and non-3GPP networks are described in TS 23.234 [1]. This specification defines procedures in the 3GPP system for WLAN Access, Authentication and Authorisation (AAA), which provide for access to the WLAN and a locally connected IP network (e.g. Internet) to be authenticated and authorised through the 3GPP System. Access to a locally connected IP network from the WLAN is referred to as WLAN Direct IP Access. This specification also defines procedures for WLAN 3GPP IP Access, which allows WLAN UE's to establish connectivity with external IP networks, such as 3G operator networks, corporate Intranets or the Internet via the 3GPP system.
FIG. 1 illustrates a general inter-working architecture specified in TS 23.234. In this architecture, a non-trusted Wi-Fi Access Point (AP) can provide service to a UE through the so-called Ww interface, and this AP is connected to the 3GPP's core network through a so-called Wireless Access Gateway (WAG), which implements firewall security and tunnel termination procedures. The WAG is connected to 3GPP's Packet Data Gateway (PDG). In the case of a trusted Wi-Fi AP, it is directly connected to the PDG at the Wu reference point. In both cases, the connection to the 3GPP core is done in the PDG, and not to the nodes that are used by 3GPP's radio access network (RAN), the Mobility Management Entity (MME) and the Serving Gateway (SGW).
On the other hand, TS 23.402 describes some architecture enhancements for non-3GPP accesses that include an Access Network Discovery and Selection Function (ANDSF) [2]. The ANDSF is an entity in 3GPP's core network, whose objective is to assist the UE to discover non-3GPP access networks such as IEEE 802.11 and to provide the UE with rules policing the connection to these networks. The ANDSF contains data management and control functionality necessary to provide network discovery and selection assistance data based on network operators' policy. The ANDSF responds to UE requests for access network discovery information and may be able to initiate data transfer to the UE, based on network triggers or as a result of previous communication with the UE.
3GPP has also approved a “WLAN/3GPP Radio Interworking” study item (SI) whose current output is captured in TR 37.834 [3]. This document studies procedures to improve 3GPP and non-3GPP interworking at the RAN level, and proposes some solutions for Access Network Selection and Traffic Steering. This solution is focused on the 3GPP RAN providing assistance to the UE for the selection of the best radio access network, complementary to the solutions based on ANDSF.
In the side of the non-3GPP radio access networks specifications, the Wi-Fi Alliance has standardized its own procedures for simplifying UE connectivity to an Access Point (AP), the so-called Hot Spot 2.0 [4], which is a set of protocols that facilitate Wi-Fi AP operation, including Wi-Fi AP discovery, selection and authentication. In its latest release 2 it includes the possibility to set some operator's policies regarding which AP to connect to, which are similar to the procedures proposed by 3GPP with the ANDSF. IEEE 802.11 radio access makes use of the layered OSI protocol stack. The lower layer is the Physical Layer (PHY) which is particular for every specific version of the IEEE 802.11 radio access version. On top of the PHY layer is the Media Access Control (MAC), which provides radio access control services to the different terminals served by an AP, along with error correction procedures. On top of the MAC layer is the Logical Link Control (LLC) layer, which provides multiplexing services for interfacing with the upper Network Layer. In IEEE 802.11 radio access, the LLC layer follows the IEEE 802.2 standard [5] and the MAC and PHY layers are specified in [6]. On top of the LLC layer is the network layer, typically based on the Internet Protocol (IP), which is not part of the IEEE 802.11 specification.
FIG. 2 illustrates the control plane protocol stack for the case of the 3GPP radio access network (RAN) and the evolved packet core (EPC), and FIG. 3 illustrates the user plane protocol stack for the case of the 3GPP radio access network (RAN) and the evolved packet core (EPC).
3GPP radio access interface between the eNB and the user equipment (UE) is called Uu interface. The control plane interface between the eNB and the MME is called S1-MME, and the user plane interface between the eNB and the SGW is called S1-U. The protocol stack for the Uu interface is divided in a user plane protocol stack and a control plane protocol stack, as it is described in [7][7].
The control plane Uu interface protocol stack includes the Non-access Stratum (NAS) control protocol (terminated in the mobility management entity, MME, on the network side), which performs among other things: Evolved Packet System (EPS) bearer management, authentication, mobility handling, paging origination and security control.
The non-access stratum (NAS) is the highest layer of the control plane between the UE and the MME. The main functions of the protocols that are part of the NAS are the support of mobility of the user equipment (UE); and the support of session management procedures to establish and maintain IP connectivity between the UE and a packet data network gateway (PDN GW). NAS security is an additional function of the NAS providing services to the NAS protocols, e.g. integrity protection and ciphering of NAS signalling messages. NAS protocol is described in [8] describing the modes of operation of a UE connected to the Evolved Packet System (EPS). A UE attached for EPS services shall operate in one of the following operation modes:                PS mode 1 of operation: the UE registers only to EPS services, and UE's usage setting is “voice centric”;        PS mode 2 of operation: the UE registers only to EPS services, and UE's usage setting is “data centric”;        CS/PS mode 1 of operation: the UE registers to both EPS and non-EPS services, and UE's usage setting is “voice centric”; and        CS/PS mode 2 of operation: the UE registers to both EPS and non-EPS services, and UE's usage setting is “data centric”.        
The NAS protocol includes a set of mobility management messages between the UE and the MME, including UE identity request and UE identity response messages. The Identity request message is sent by the MME to the UE to request the UE to provide its identity.
The Identity response message is sent by the UE to the network in response to an IDENTITY REQUEST message and provides the requested identity. The message content is summarized in table 1.
TABLE 1IDENTITY RESPONSE message contentIEIInformation ElementType/ReferenceProtocol discriminatorProtocol discriminatorSecurity header typeSecurity header typeIdentity response messageMessage typeMobile identityMobile identity9.9.2.3
The mobile identity reported in the IDENTITY RESPONSE message follows the specification described in 3GPP TS 24.008 [9][9] and specifies that the purpose of the Mobile Identity information element is to provide, among others, either the international mobile subscriber identity, IMSI, the temporary mobile subscriber identity, TMSI, or the international mobile equipment identity, IMEI. The Mobile Identity information element is coded as shown in table 2, with a minimum length of 3 octets and 11 octets length maximal.
TABLE 2Mobile Identity information element87654321Mobile Identity IEIoctet 1Length of mobile identity contentsoctet 2Identity digit 1odd/evenType of identityoctet 3indicIdentity digit p + 1Identity digit p octet 4*
The contents of every octet in the Mobile Identity information element are as described in table 3:
TABLE 3Mobile Identity information element contentType of identity (octet 3)Bits321001IMSI010IMEI011IMEISV100TMSI/P-TMSI/M-TMSI101TMGI and optional MBMS Session Identity000No Identity (note 1)All other values are reserved.Odd/even indication (octet 3)Bit40even number of identity digits and also when the TMSI/P-TMSI or TMGI and optional MBMSSession Identity is used1odd number of identity digitsIdentity digits (octet 3 etc)For the IMSI, IMEI and IMEISV this field is coded using BCD coding. If the number of identity digits is eventhen bits 5 to 8 of the last octet shall be filled with an end mark coded as “1111”.For Type of identity “No Identity”, the Identity digit bits shall be encoded with all 0s and the Length ofmobile identity contents parameter shall be set to one of the following values:“1” if the identification procedure is used (see subclause 9.2.11);“3” if the GMM identification procedure is used (see subclause 9.4.13)“3” if the EMM identification procedure is used (see 3GPP TS 24.301 [120])If the mobile identity is the TMSI/P-TMSI/M-TMSI then bits 5 to 8 of octet 3 are coded as “1111” and bit 8of octet4 is the most significant bit and bit 1 of the last octet the least significant bit. The coding of theTMSI/P-TMSI is left open for each administration.For type of identity “TMGI and optional MBMS Session Identity” the coding of octet 3 etc is as follows:MCC/MNC indication (octet 3)Bit50MCC/MNC is not present1MCC/MNC is presentMBMS Session Identity indication (octet 3)Bit60MBMS Session Identity is not present1MBMS Session Identity is presentMBMS Service ID (octet 4, 5 and 6)The contents of the MBMS Service ID field are coded as octets 3 to 5 of the Temporary Mobile GroupIdentity IE in FIG. 10.5.154/3GPP TS 24.008. Therefore, bit 8 of octet 4 is the most significant bit and bit1 of octet 6 the least significant bit. The coding of the MBMS Service ID is the responsibility of eachadministration. Coding using full hexadecimal representation may be used. The MBMS Service ID consistsof 3 octets.MCC, Mobile country code (octet 6a, octet 6b bits 1 to 4)The MCC field is coded as in ITU-T Rec. E.212 [46], Annex A.MNC, Mobile network code (octet 6b bits 5 to 8, octet 6c)The coding of this field is the responsibility of each administration but BCD coding shall be used. The MNCshall consist of 2 or 3 digits. If a network operator decides to use only two digits in the MNC, bits 5 to 8 ofoctet 6b shall be coded as “1111”.The contents of the MCC and MNC digits are coded as octets 6 to 8 of the Temporary Mobile GroupIdentity IE in FIG. 10.5.154/3GPP TS 24.008.MBMS Session Identity (octet 7)The MBMS Session Identity field is encoded as the value part of the MBMS Session Identity IE asspecified in 3GPP TS 48.018 [86].
The S1 interface transports the S1 application protocol (S1AP) [10], on top of a stream control transmission protocol (SCTP) layer, an internet protocol (IP) layer, and any OSI's L2 and L1 layers. S1AP provides the signalling service between E-UTRAN and the evolved packet core (EPC) that is required to fulfill, among others, the following S1AP functions:                UE Capability Info Indication function: This functionality is used to provide the UE Capability Info, when received from the UE, to the MME.        Non-access stratum (NAS) signalling transport function between the UE and the MME is used to transfer NAS signalling related information and to establish the S1 UE context in the eNB.        RAN Information Management (RIM) function: This functionality allows the request and transfer of RAN information between two RAN nodes via the core network.        Configuration Transfer function: This functionality allows the request and transfer of RAN configuration information (e.g., SON information) between two RAN nodes via the core network.        
S1AP services are divided into two groups: non UE-associated services, which are related to the whole S1 interface instance between the eNB and MME utilizing a non UE-associated signalling connection, and UE-associated services, which are related to one UE. S1AP consists of Elementary Procedures (EP's). An Elementary Procedure is a unit of interaction between an eNB and the evolved packet core (EPC). These Elementary Procedures are defined separately and are intended to be used to build up complete sequences in a flexible manner.
An EP consists of an initiating message and possibly a response message. Two kinds of EP's are used:                Class 1: Elementary Procedures with response (success and/or failure), which includes, among others, S1 SETUP REQUEST and S1 SETUP RESPONSE messages        Class 2: Elementary Procedures without response, which includes, among others, UE CAPABILITY INFO INDICATION and eNB DIRECT INFORMATION TRANSFER messages.        
Every EP involves an exchange of messages between an eNB and the EPC, and every message consists of a set of information elements (IE). S1AP messages and IE's are described in [10].
Some relevant messages are as follows:
UE CAPABILITY INFO INDICATION message: This message is sent by the eNB to provide UE Radio Capability information to the MME. This message includes the following IE's:
IE/Group NameMessage TypeMME UE S1AP IDeNB UE S1AP IDUE Radio Capability
The UE Radio Capability IE is defined as follows
IE Type andIE/Group NameReferenceSemantics DescriptionUE RadioOCTETIncludes theCapabilitySTRINGUERadioAccessCapabilityInformationmessage
The UE Radio Access Capability Information message is a RRC message. This message is used to transfer UE radio access capability information, from/to the eNB to/from EPC.
UERadioAccessCapabilityInformation field descriptionsue-RadioAccessCapabilityInfoIncluding E-UTRA, GERAN, and CDMA2000-1xRTT Bandclass radioaccess capabilities (separated). UTRA radio access capabilities arenot included.
eNB DIRECT INFORMATION TRANSFER message: This message is sent by the eNB to the MME in order to transfer specific information. This message includes the following IE's:
IE/Group NameMessage TypeInter-system InformationTransfer Type
The Inter-system Information Transfer Type IE indicates the type of information that the eNB requests to transfer, and it is defined as follows
IE/Group NameInter-system InformationTransfer Type >RIM  >>RIM Transfer
The RIM Transfer IE is a NAS IE, and it contains the RAN Information Management (RIM Information. The RIM Transfer IE is defined as follows:
IE/Group NameRIM Transfer >RIM Information >RIM Routing Address
The RIM Information IE is defined as follows:
IE type andIE/Group NamereferenceSemantics descriptionRIM Information  >RIM InformationOCTETContains the baseSTRINGstation subsystemGPRS Protocol(BSSGP) RIM packetdata unit (PDU).
RIM procedures support the exchange of information, via the core network, between peer application entities located in a GERAN, in a UTRAN or in an E-UTRAN access network [11].
S1 SETUP REQUEST MESSAGE: This message is sent by the eNB to the MME to transfer information for a Transport Network Layer (TNL) association. This message includes the following IE's:
IE/Group NameMessage TypeGlobal eNB IDeNB NameSupported TrackingAreas (TA)  >Tracking Area  codeTAC >Broadcast PLMNs  >>PLMN IdentityDefault paging DRXCSG Id List >CSG Id
This Global eNB ID information element is used to globally identify an eNB, and it is specified as follows.
IE type andIE/Group NamereferenceSemantics descriptionPLMN IdentityeNB ID  >Macro eNB ID    >>Macro eNB IDBITEqual to the 20STRINGleftmost bits of the Cell Identity(20)IE contained in the E-UTRANCGI IE of each cellserved by the eNB.  >Home eNB ID    >>Home eNB IDBITEqual to the Cell Identity IESTRINGcontained in the E-UTRAN CGI(28)IE of the cell served bythe eNB.
The E-UTRAN CGI information element is used to globally identify a cell, and it is specified as follows.
IE type andIE/Group NamereferenceSemantics descriptionPLMN IdentityCell IdentityBITThe leftmost bits of the CellSTRINGIdentity correspond to the(28)eNB ID
On the other hand, the Generic Access Network (GAN) is a system that extends a 3GPP mobile terminal access to the 3GPP core network by making use of non-3GPP radio access technologies like IEEE 802.11. Under the GAN system, when the 3GPP-compliant mobile terminal detects an IEEE 802.11 radio interface, it establishes a secure IP connection to a server called a GAN Controller (GANC) on the operator's network. The GANC presents the 3GPP-compliant mobile terminal to the mobile core network as if it were connected to a standard 3GPP base station. Thus, when the 3GPP-compliant mobile terminal moves from a GSM/UMTS access network to an 802.11 network, it appears to the core network as if it is simply on a different base station.
GAN lu mode supports an extension of UMTS mobile services that is achieved by tunnelling Non Access Stratum (NAS) protocols between the 3GPP-compliant mobile terminal and the Core Network over an IP network and the lu-cs and lu-ps interfaces to the MSC and SGSN, respectively, as it is described in [12].
The Generic Access Network lu mode functional architecture is illustrated in FIG. 4. A generic IP access network, which can be Wi-Fi AP that provides a IEEE 802.11 radio interface, provides connectivity between the 3GPP-compliant mobile terminal (mobile station, MS) and the GANC. The IP transport connection extends from the GANC to the MS.
FIG. 5 illustrates the GAN lu mode architecture in support of the packet-switched (PS) domain Control Plane and FIG. 6 illustrates the GAN lu mode architecture for the PS domain User Plane.
3GPP specification [12] specifically states in its section 6.4.1.1 “PS Domain-Control Plane—GAN Architecture” that NAS protocols are carried transparently between the MS and SGSN. Therefore, the GAN system cannot provide service to mobile terminals not compliant with 3GPP specifications, which do not support a NAS protocol with the core network. On the other hand, 3GPP defines [13][13] non-3GPP access authentication as the process that is used for access control i.e. to permit or deny a subscriber to attach to and use the resources of a non-3GPP IP access which is interworked with the EPC network. Non-3GPP access authentication signalling is executed between the UE and the 3GPP AAA server/HSS. One example is the Extensible Authentication Protocol (EAP) as specified in RFC 3748.
For the identification of a mobile subscriber a unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system [14], which is stored in the mobile terminal SIM card. The IMSI number is composed of three parts:                1) Mobile Country Code (MCC) consisting of three digits. The MCC identifies uniquely the country of domicile of the mobile subscriber.        2) Mobile Network Code (MNC) consisting of two or three digits. The MNC identifies the home PLMN of the mobile subscriber.        3) Mobile Subscriber Identification Number (MSIN) consisting of up to nine digits identifying the mobile subscriber within a PLMN.        
[14] also describes a temporal subscriber identifiers, namely the Temporary Mobile Subscriber Identity TMSI.
The description of the S1AP protocol in [10] also includes a set of UE identities that are used in NAS related Information Elements, namely MME UE S1AP ID, eNB UE S1AP ID, UE Identity Index value, and UE Paging Identity.
Regarding security and ciphering procedures, [15] specifies the security architecture, i.e., the security features and the security mechanisms for the Evolved Packet System and the Evolved Packet Core, and the security procedures performed within the evolved Packet System (EPS) including the Evolved Packet Core (EPC) and the Evolved UTRAN. This document describes the authentication and ciphering procedures performed between the USIM card in a 3GPP-compliant mobile terminal and the MME/HSS. EPS AKA is the authentication and key agreement procedure that is used over E-UTRAN.
The problem with current 3GPP standards is that they consider IEEE radio access technologies; in particular Wi-Fi based on IEEE 802.11, as non-3GPP technologies, whose integration with the 3GPP architecture requires a connection to the core network that is different to that of the 3GPP's radio access network nodes.
The 3GPP standard does not foresee the connection of a base station that does not support a 3GPP radio interface to the same nodes that standard 3GPP base stations are connected to. Therefore, an IEEE 802.11 Access Point cannot be connected to the SGSN or to the MME/SGW.
This IEEE radio access nodes special connection to the core demands the inclusion of additional network nodes and the implementation of special methods for procedures like paging, handover or session continuity, increasing the complexity of the network. Besides, the connection at core level prevents the introduction of common Radio Resource Control management procedures.
On the other hand, GAN procedures cannot provide connectivity to the mobile core network to mobile terminal not compliant with 3GPP specifications, as they cannot support a NAS protocol communication with the core network.