Field of the Invention
The present invention relates to a security gateway connection in a cellular communication network and in particular to a method and a system for facilitating participation of an intermediary network device in a security gateway communication between at least one base station and a core network portion in a cellular communication network.
Description of Related Art
Common cellular communications networks provide convenient wireless communications services. These services include, for example, cellular telephone services, paging, Internet access, and data transfer services, among others.
Such a common cellular communication network includes a core element and a Radio Access Network (RAN). The core element comprises at least a connectivity gateway and a mobility management function. The Radio Access Network further comprises base stations and respective mobile stations, the client devices. Each of the client devices is typically connected to one of the base stations. This connection needs management of backhaul and core network connectivity, which is usually facilitated by the core element.
Therein, it is in many situations desirable to encrypt communications sent over the network. For example, various government regulations require the use of encryption, even on private networks. Thus, security is a dominant concern in cellular communication networks. Conventional configurations typically employ a hub-and-spoke security implementation whereby the base stations and/or the client devices establish a long-lived IP Security (IPSec) tunnel to the core network portion over which all communications including signaling, voice communications, and data communications are sent. A security gateway may be provided to authenticate users, encrypt communications, and perform other relevant conventional security features, for example by using respective keys.
Common cellular communication networks usually further include intermediary network devices, which perform various types of processing, for example applying various policies, on transmitted messages. Unfortunately, some of this processing may not be possible unless the transmitted messages are decrypted prior to being processed. However, if the intermediary network devices are unable to decrypt encrypted messages, the intermediary network devices may not be able to perform the desired processing. Absent the ability to process the encrypted messages, these intermediary network devices will only be able to apply very basic policies to encrypted messages, which may in turn negatively affect overall network performance or even prevent the effective communication of encrypted messages within the cellular communication method.
US 2011/0231659 A1 discloses a method for out-of-band session key exchange, wherein a source device that plans to participate in one or more encrypted communication sessions with a destination device sends a discovery message towards the destination device. An intermediary device that processes this discovery message requests a master key from the source device. The source verifies that the intermediary device is a trusted device and then sends the intermediary device the requested master key. Prior to transmitting encrypted messages to the destination device, the source device sends session key information, encrypted using the master key, to the intermediary device. The intermediary device uses this session key information to decrypt and process encrypted messages sent as part of the encrypted communication session between the source device and the destination device.
There are further intermediary network devices known, which can inject traffic in a cellular communication network, for example network devices which are designed to improve mobile user experience and optimize resource utilization by performing content caching in order to accelerate downloading of content such as video streams and high-resolution images from the Internet. However, these devices usually cannot be placed near the base stations when an IPsec tunnel is established between the base stations and the core network portion, since the intermediary network device does not see traffic inside the IPsec tunnel and does not possess the respective keys, and, therefore, cannot perform content caching.
Therefore, methods for facilitating participation of a such an intermediary network device in a security gateway communication between at least one base station and a core network portion in a cellular communication network are desirable.