Within a network environment, IP-based applications are increasingly running on User Equipment (UE) such as mobile devices, Home Gateway solutions, as defined in ETSI Technical Specification 185 003 “TISPAN CNG Architecture and Interfaces”, etc., particularly with the emergence of Voice over IP (VoIP) and related internet telephony services. Some such applications could also perform sensitive IP-based access protocols such as, SSH (Secure SHell), FTP (File Transfer Protocol) and SIP (Session Initiation Protocol) sessions, on a public access network and could receive a variety of different formats of IP (Internet Protocol) traffic.
Also, with improving device performance, it is foreseen that a mobile terminal could be interconnected through a private local IP link to embedded internal devices, and/or to external terminal equipment such as by way of a WiFi private network. In the field of the Home Gateway (HG) technology, the HG can also be connected through a private local IP link.
In all such situations, the local IP sub-network is effectively “hidden” behind the UE acting as a border gateway and router to provide connectivity to the IP based services that can be offered by wireless operators. However the UE is often seen as a single device on the public access network, and in some configurations (IPv4, IPv6 stateful autoconfiguration mode) only a single routable, IP address will be allocated. To take account of such configurations, a Network Address Translation (NAT, defined in RFC 3022 “Traditional IP Network Address Translator”) based solution is required for management of the addressing of the local sub-network elements in order to map internal/private addresses, i.e. the local-link addresses, to the single routable IP address allocated by the public access network. Filtering functions required for address translation can also be extended to cover firewall type capabilities which can assist in the control of IP traffic, the local IP network security and also protect access to the public network.
Additionally, Session Initiation Protocol (SIP, as defined in RFC3261)/IP Multimedia Subsystem (IMS, as defined by the 3rd Generation Partnership Project in Technical Specification 23.228 that specifies the IMS stage 2) applications including network information such as the IP address, and port number at application layer, in addition to network layer, can also employ Application Level Gateway (ALG, as defined in RFC2663) translations at the border gateway element of the telecommunication mobile device arranged with the local IP network.
Besides, by-passing of NAT during SIP communication, for example by way of the Simple Traversal of UDP (User Datagram Protocol) through NAT (STUN) protocol as defined in RFC3489, is possible since specific protocols transport IP level information at the application level and which are contrary to the network layer philosophy. It is also well known that firewall (whether SIM-based or not) and NAT solutions exist to enable the control and management of IP flows. Further, NAT is often accompanied by an Application Level Gateway (ALG) to monitor the payload of the packet and perform the alteration when IP level information is transported at application layer for example with the SIP protocol.
It is further foreseen that mobile devices will enable users to download a wide variety of IP-based applications requiring connection with different network services through a home operator network. While the application download may be restricted at the time of application installation, there is farther desire for security in limiting undesired access at the network level and thereby preventing a potentially malicious application from achieving network-connection. For example subsequent to installation of an IP-based application, the network operator may later notice malicious actions from that application such as the sending of undesired network/application requests are sent and so firewall application/software is then required.
Also, a network operator can enter into agreements with service providers for services such as Instant Messaging applications or VoIP applications. However since future mobile platforms are likely to be open to many IP-based applications, the user may be able to download any application of choice thereby rendering the agreement between the network operator and the service provider(s) potentially ineffective. Besides such agreement may further be limited by the time at which a user can access the IP-based service.
The degree and adaptability of network access control is therefore restricted.