This invention relates to wireless communication.
A General Packet Radio Service (GPRS) network can provide mobile computing and telephony users with packet-switched connections to data networks. A subscriber with a mobile station can connect to other mobile stations or packet data networks to send and receive information. The information sent over the GPRS network is broken up into packets. A packet includes a header and a payload. The header can include instructions and information, such as error checking information, and source and destination addresses. The payload includes data that is to be delivered to the destination.
As shown in FIG. 1, a conventional GPRS network 100 can be used to connect one or more mobile stations 115 to a packet data network, such as the Internet 173. A mobile station 115 can connect to a Serving GPRS Support Node (SGSN) 123, typically through a base station subsystem (not shown). A conventional base station subsystem is used to authenticate and track the mobile stations and manage connections. A public land mobile network (PLMN) can have multiple mobile stations and multiple SGSNs within its network. Packets can be transferred transparently between the mobile station and the Internet through GPRS network tunnels (i.e., GTP tunnels). A GTP tunnel is dynamically created between supporting nodes (e.g., SGSN and GGSN) in the GPRS network. As shown in FIG. 1, one or more GTP tunnels can be used to provide connection paths between an SGSN 123 and a Gateway GPRS Support Node (GGSN) 152. Typically, one GTP tunnel is created per GPRS user at any time. GTP tunnels are identified by the associated GPRS user's IP address, and each provides a given active GPRS user a path for communicating with zero to many hosts (i.e., servers) on the packet data network (e.g., the Internet). Encapsulation adds additional address and control information to packets received at the entrance to a GTP tunnel, allowing the packets to be routed from the GTP tunnel start point to the GTP tunnel endpoint without intermediary systems having to inspect the data contained in the pre-encapsulated packet. The encapsulated packet can be decapsulated once the packet reaches the GTP tunnel endpoint system (e.g., GGSN 152). In a conventional GPRS system, packets received from a mobile station at an SGSN 123 are encapsulated and pass through a GTP tunnel to the GGSN 152. Any number of routing/network components (not shown) can be interposed between the SGSNs and the GGSN.
A generic network firewall is a device that separates yet bridges networks. Network firewalls filter network traffic, forwarding legitimate traffic while otherwise processing suspect traffic (e.g., dropping suspect traffic). A GTP firewall is a generic network firewall that supports the GTP protocol. In the GPRS network, one or more GTP firewalls may be provided at the Gn or Gp interfaces in the network. For example in FIG. 1, between the SGSN 123 and the GGSN 152 is a Gn interface. A GTP firewall 141 (e.g., Gn firewall) at the Gn interface can be used to filter packets that are sent to and received by the SGSN 123. The GTP Firewall 141 can be used to ensure that the base station subsystems and other system components beyond the SGSN are not vulnerable in the event of compromise of the GGSN 152. The GTP firewall 141 can inspect packets sent through the interface and apply policies to support the security of the SGSN. The GTP Firewall 141 can be configured to inspect tunnel traffic. Further, because of its position at the SGSN interface, GTP Firewall 141 has visibility to the creation and tear down of GTP tunnels.
GGSN 152 sends packets to and receives packets from the packet data network through an interface (Gi), on which a firewall 161 (Gi firewall) can be supported. The Gi firewall 161 can filter packets sent to/from the Internet before allowing the packets to continue on to the GGSN 152. The Gi firewall 161 therefore can provide some protection for the GGSN 152 against unsolicited traffic and attacks.
As noted above, mobile stations 115 can access information from the Internet 173 in addition to contacting other mobile stations. To receive packets from an Internet site, a mobile station 115 typically needs an IP address to inform the sender where to route the packets. Not all mobile stations within a PLMN access the Internet 173 at one time, allowing each PLMN to use a small pool of IP addresses, often fewer IP addresses than there are mobile stations in the network. Individual mobile stations are dynamically assigned the PLMN's IP addresses as necessary to support requested communications. After communications are complete, the assigned IP addresses can be reused by other subscribers (e.g., other mobile stations). When a subscriber wishes to access the Internet 173, the subscriber uses a mobile station 115 to contact the SGSN 123 and is assigned one of the IP addresses from the pool. The assigned IP address is identified with the particular mobile station and used in the pre-encapsulated packet header for all packets associated with the given user. A GTP tunnel is created from the associated SGSN 123 to the GGSN 152 to allow the communication of packets from the mobile station to the external network. Encapsulation of packets occurs and data can pass from/to the mobile stations to/from the external network (e.g., the Internet 173). Once the mobile station 115 ends its connection, a GTP tunnel disconnect event occurs. The IP address associated with the mobile station can be returned to the IP address pool, where the address can be reassigned to another mobile station 115.
In conventional GPRS networks, the GGSN 152 can track the GPRS usage or Internet 173 access for each mobile station 115. Typically the GPRS usage is tracked according to incoming and outgoing packet traffic rather than time spent on the network. The incoming and outgoing packets can be assigned to the IP address in the packet header, which corresponds to the mobile station 115 using the IP address at the time of transmission. If the network continues routing packets to an IP address even after a mobile station 115 has disconnected from the network, the packet traffic may be attributed to the mobile station 115 that last used the IP address and is no longer accessing the network. This can result in unacceptable charges on the mobile station subscriber's bill.
Another related problem arises from reuse of the IP addresses. Typically the pool includes a finite number of addresses that can be discovered innocently or maliciously. The problem can be illustrated by an example. A first mobile station 115a attaches to the network and is assigned an IP address. After sending and receiving packets from the Internet 173 by way of a GTP tunnel 135, the first mobile station 115a disconnects. The GTP tunnel 135a is torn down and the IP address is returned to the pool of IP addresses. A second mobile station 115b attaches to the system and is assigned the IP address that the first mobile station 115a had been using. A new GTP tunnel 135b is constructed for the second mobile station 115b. Packets initiated from the Internet 173 with that IP address are routed through the new GTP tunnel 135b to the second mobile station 115b, regardless of whether the second mobile station 115b requested the incoming packets. This is because the second mobile station is now associated with the IP address. The packets could have been requested by the first mobile station 115a, or initiated by a server on the Internet 173 that knows the IP address and is maliciously sending messages. The GPRS usage is billed to the account associated with the second mobile station 115b, again resulting in unacceptable charges.
Malicious servers 175 on the Internet 173 can discover IP addresses from the pool of IP addresses and send packets to those IP addresses regardless of whether any request for the packets was received. In conventional GPRS systems, the Gi firewall 161 does not clear firewall sessions in response to a GTP tunnel tear down. This can lead to a firewall session list that does not accurately reflect the active firewall sessions. This allows a server to continue to send packets through the Gi firewall 161 and potentially cause GPRS usage to be assigned to a mobile station 115 even when the mobile station 115 is not requesting the downloaded packets. In addition to the billing problems noted above, unsolicited packets to a mobile station 115 can bottleneck a mobile station's receiving line, thereby slowing down desired transmissions or preventing the mobile station 115 from receiving desired packets.