1. Field of the Invention
The present invention relates to a method and system for providing improved security for bearer authorization in a wireless communication network such as a Universal Mobile Telecommunications System (UMTS) network.
2. Description of the Prior Art
Data services of the Global System for Mobile communications (GSM) have launched a new era of mobile communications. The early analog cellular modems had become unattractive to the market as they were slow and unreliable. Now the market for data is moving onwards (more bursty) and upwards (more traffic), and the standardization institutes are working towards higher data rates but more significantly also towards packet data services. This will certainly broaden the appeal to end users because data is routed more efficiently through the network and hence at lower costs, and also access times are reduced.
As the general trend in data applications is to generate increasingly bursty data streams, this makes for inefficient use of a circuit switched connection. Moreover, fixed networks have seen an enormous growth in data traffic, not least because of the rise in demand for Internet access, and mobile networks will follow as technology and customer expectations evolve. The current GSM switched network is based on narrow band ISDN (Integrated Services Digital Network) circuits, so the rate limitation shifts from the access network to the core network.
The new General Packet Radio Services (GPRS) network offers operators the ability to charge by the packet, and supports data transfer across a high speed network at up to eight time slots of radio interface capacity. GPRS introduces two new nodes into the GSM network, a Serving GPRS Support Node (SGSN) and a Gateway GPRS Support Node (GGSN). The SGSN keeps track of the location of the mobile terminal within its service area and sends and receives packets to/from the mobile terminal, passing them on to the RNC (Radio Network Controller) or to the GGSN. The GGSN receives packets from an external network and passes them on to the SGSN, or receives packets from the SGSN and passes them on to the external network.
The UMTS (Universal Mobile Telecommunications System) delivers advanced information directly to people and provides them with access to new and innovative services. It offers mobile personalized communications to the mass market regardless of the location, network or terminal used.
In the general packet domain architecture and transmission mechanism according to 3GPP (3rd Generation Partnership Project) Release '99, as defined in the 3GPP specification TS 23.060, a telecommunications network providing mobile cellular services, such as a Public Land Mobile Network (PLMN), has access points, reference points and interfaces used for mobile access and for the origination or reception of messages. In addition, network interworking is required whenever a packet switched PLMN and any other network, such as a network based on the Internet Protocol (IP), are involved in the execution of a service request.
The term application layer is used to designate an IP subsystem, for example an IP Multimedia Subsystem, where a P-CSCF (Proxy Call State Control Function) and PCFs (Policy Control Functions) are located. The IP based mobile network architecture includes an application layer and a transport layer. The transport layer protocols and mechanisms are usually optimized for the specific type of access, whereas the application layer is normally generic, that is, independent of the type of access. In setting up a session in the application layer, the underlying transport layer has to set up transport bearers over the radio interface and in the transport network.
Among the network and interworking control functions necessary in such network architectures are authentication and authorization functions, which perform the identification and authentication of a service requester and validate the service request type to ensure that the service requester is authorized to use the particular network services.
A particular need in this context is bearer authorization: the quality of service required by an application needs special authorization whenever it is better than “best-effort” service. IP multimedia is an example of such an application.
In 3GPP, related policy control is going to be specified for IP multimedia bearer authorization in such a way that a Packet Data Protocol (PDP) context is authorized against an ongoing multimedia session. Meanwhile, an interface between GGSN and PCF has been approved for that purpose.
In order to map a PDP context to an IP multimedia session, it has been proposed to use an Authorization Token (AUTN) as a binding information. Currently, this AUTN is intended to be a Session Initiation Protocol (SIP) parameter to be specified within an authorization scheme extension to SIP by the Internet Engineering Task Force (IETF).
In 3GPP, it is currently considered to co-locate the PCF in the Proxy Call State Control Function (P-CSCF), as is the case in the 3GPP UMTS Release 5 specifications. However, if in future releases of this specification the PCF is implemented as a separate entity, correct PCF determination may be problematic when multiple PCFs exist in an external network.
In order to address this problem, it has further been proposed to allocate the PCF address as part of the AUTN sent to a User Equipment (UE). Sending the PCF address to a UE may, however, represent a security risk, especially in cases in which the SIP application resides in a Terminal Equipment (TE) such as a laptop. In particular, a misbehaving UE may then block the PCF by sending authorization requests to it again and again.
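The following Python model is an added illustration of the token-based bearer authorization described in the preceding paragraphs; it is not code from the patent text, from 3GPP or from the IETF. The class and function names (`TinyPCF`, `MultimediaSession`, `authorize_pdp_context`), the token layout (session id, nonce, keyed MAC) and the per-UE request counter are all assumptions made for the example. It shows a PCF issuing an Authorization Token for an ongoing multimedia session, authorizing a PDP context only when the presented token is genuine, bound to the requesting UE's session and within the session's authorized QoS, and counting every request per UE so that the repeated-request scenario of the last paragraph is visible in the code rather than only in prose.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class MultimediaSession:
    """An ongoing IP multimedia session known to the PCF (constructed model)."""
    session_id: str
    ue_ip: str      # IP address the GGSN assigned to the UE for this session
    max_kbps: int   # bandwidth the application layer authorized for the session


class TinyPCF:
    """Hypothetical policy control function.

    It issues an authorization token for an ongoing multimedia session and later
    authorizes a PDP context (bearer) against that session when the GGSN presents
    the token together with the bearer parameters it wants to activate.
    """

    def __init__(self, key: bytes, per_ue_request_limit: int = 3):
        self._key = key                     # secret used to MAC issued tokens (assumed)
        self._sessions = {}                 # session_id -> MultimediaSession
        self._request_count = {}            # ue_ip -> authorization requests seen so far
        self._limit = per_ue_request_limit  # crude protection of the PCF against floods

    def register_session(self, session: MultimediaSession) -> None:
        self._sessions[session.session_id] = session

    def _mac(self, session_id: str, nonce: str) -> str:
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def issue_token(self, session_id: str) -> str:
        """Return a token binding bearer requests to this session (format assumed)."""
        if session_id not in self._sessions:
            raise KeyError(f"no ongoing session {session_id}")
        nonce = secrets.token_hex(8)
        return f"{session_id}.{nonce}.{self._mac(session_id, nonce)}"

    def authorize_pdp_context(self, token: str, ue_ip: str, requested_kbps: int):
        """Decide whether a PDP context may be activated for this token.

        Returns (granted, reason). Every request is counted per UE before any
        other check, because the risk described in the text is a UE that learns
        the PCF address and keeps re-sending authorization requests; the count
        is keyed on the GGSN-assigned address, not on anything the UE chooses.
        """
        n = self._request_count.get(ue_ip, 0) + 1
        self._request_count[ue_ip] = n
        if n > self._limit:
            return False, "rate limited"

        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        session_id, nonce, mac = parts
        if not hmac.compare_digest(mac, self._mac(session_id, nonce)):
            return False, "bad token MAC"

        session = self._sessions.get(session_id)
        if session is None:
            return False, "no ongoing session"
        if session.ue_ip != ue_ip:
            return False, "token not bound to this UE"
        if requested_kbps > session.max_kbps:
            return False, "exceeds authorized QoS"
        return True, "authorized"


if __name__ == "__main__":
    # Constructed walk-through: one session, one genuine token, one forged token.
    pcf = TinyPCF(b"constructed-demo-key", per_ue_request_limit=3)
    pcf.register_session(MultimediaSession("sess-1", "10.0.0.7", 384))
    tok = pcf.issue_token("sess-1")
    print(pcf.authorize_pdp_context(tok, "10.0.0.7", 128))
    print(pcf.authorize_pdp_context("sess-1.deadbeef.0000000000000000", "10.0.0.7", 128))
```

The request counter sits before the token checks on purpose: a PCF that verifies the MAC on every request still spends work per request, so the point at which it refuses to do so must not depend on the token being valid. Whether the real fix is to withhold the PCF address from the UE or to police requests at the PCF is exactly the design question the text raises; the example only makes the two concerns, binding and flooding, separately visible.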