In 3GPP (3rd Generation Partnership Project), there have been discussions related to user equipment access.
Namely, 3GPP has defined (e.g. from Release 6 onwards) an ALG (application level gateway) and NAT-GW (NAT gateway) based method for traversal of uncontrolled access network NATs, refer e.g. to 3GPP TS (technical specification) 23.228, Annex G, and TS 24.229.
In case a NAT device is interposed between a UE and an IMS core network, the AF/P-CSCF (application function/proxy call session control function) is, for example, configured to determine the existence of the NAT device, e.g. by comparing the IP addresses in received SIP/SDP (session initiation protocol/session description protocol) messages. The SIP/SDP fields may contain the private domain IP address of the UE, while the data packets pass the NAT device and the sender may appear to have the public IP address allocated by the NAT device. Consequently, the ALG functionality in conjunction with the AF/P-CSCF may request public addresses from the NAT-GW and may modify the SIP/SDP accordingly before sending the message forward, and further, the ALG/AF/P-CSCF may initiate proper security measures (e.g. IPsec tunneling) for the SIP signaling to be able to traverse the NAT device.
The ALG and NAT-GW method, however, imposes for example the following limitations:
The UE shall send a media packet first (i.e. before the UE can receive media packets) in order to have the NAT allocate an address and to let the NAT-GW get the address and use it as a destination address for downlink media packets.
The NAT releases the allocated address, if there is no traffic. Applications may have to send keep-alive messages.
When the UE is using e.g. a visited network's services, the media path is looped via the home network if/when the home network's P-CSCF is used.
Traversal of all types of NATs cannot be supported.
To overcome the above-mentioned limitations related to the ALG and NAT-GW method, 3GPP has enhanced the NAT traversal methodology e.g. in Release 7 specifications with IETF (internet engineering task force) originated STUN (simple traversal of UDP (user datagram protocol) through NATs) and STUN relay based mechanisms, refer e.g. to 3GPP TS 23.228, Annex G.
With these methods, the UE may be able to get an external/public IP address by an enquiry to a STUN server and to insert the external/public address in the SIP/SDP level, thus making the ALG and NAT-GW functionality redundant, in addition to removing e.g. NAT type related and incoming session invitation related limitations of the ALG and NAT-GW method.
For example, FIG. 1 shows a reference model for ICE (interactive connectivity establishment) and Outbound Methodology in order to provide a general overview and architecture of IMS access with a NAT.
As shown in FIG. 1, a communication system 100 comprises a UE 101, a remote UE 101′ and a network 102. The network 102 in turn comprises an optional NAT and FW (firewall) 1021, an optional remote NAT and FW 1021′, a P-CSCF 1022, a PCRF (policy and/or charging rules function) 1023, a PCEF (policy and/or charging enforcement function) 1024, a STUN relay 1025, a STUN server 1025a, an S-CSCF (serving CSCF) 1026 and an optional IMS access gateway 1027. The UE 101 and the remote UE 101′ each comprise ICE support by means of a STUN client/server. The UE 101 additionally comprises outbound support by means of a STUN client.
The STUN Function shown within the P-CSCF 1022 is a limited STUN Server for supporting so-called STUN keep-alive messages as described e.g. in TS 23.228, clause G.5.3.2.
For deployments where the IMS Access gateway 1027 (or other media manipulating functional entities, such as a MRFP (Multimedia Resource Function Processor)) is used, such functional entities shall be placed on the network side of the STUN server 1025a and STUN relay server 1025 (i.e. not between the UE 101 and the STUN server 1025a or STUN relay server 1025) as shown in FIG. 1. Otherwise, such functional entities will prevent STUN messages from reaching the STUN Relay 1025/Server 1025a e.g. outside of a session.
According to the above, a problem resides in that when a policy control is applied e.g. in the IMS network, the UE is not able to contact external servers of (or servers not advertised by) a visited network, unless the policy enforcement point (i.e. PCEF) is aware of the IP address of the server to be contacted and unless the PCEF has first set up a relevant filter (i.e. opened a gate) to pass through IP packets between the UE and the server. The UE cannot use e.g. STUN Relays/Servers external to (or not advertised by) the visited network to enable access network NAT traversal, even though the UE knows the address of the server (e.g. through pre-configuration or through other means).
Another problem resides in that the policy and/or charging enforcement function (PCEF) may not be aware that some of the filters serve for an encapsulation protocol between the UE/NAT and the external (or not advertised) (STUN Relay) server, and some of the filters serve for media streams carried inside the encapsulation protocol.
In consideration of the above, it is an object of the present invention to overcome one or more of the above drawbacks. In particular, the present invention provides methods, apparatuses, a system and a related computer program product for user equipment access.
According to the present invention, in a first aspect, this object is for example achieved by a method comprising:
holding access information relating to a terminal and a first network entity external to a currently visited network of the terminal, the access information being associated with a first network plane below a second network plane relating to network session initiation; and
signaling, based on the second network plane, the held access information to a controlling entity.
According to further refinements of the invention as defined under the above first aspect,
the signaling is performed based on utilizing an internet protocol multimedia subsystem registration phase;
the signaling is performed based on utilizing a separate session initiation protocol message exchange between the terminal and the controlling entity;
the separate session initiation protocol message is constituted by one of an options request and a register request of the session initiation protocol message;
the access information comprises at least one of network addresses of the terminal and the first network entity, network ports of the terminal and the first network entity, network address translation, a protocol used, an application offered by the first network entity, and a service offered by the first network entity;
the method according to the first aspect further comprises receiving information on network address translation;
the information on the network address translation comprises the existence of the network address translation and the address allocated by the network address translation;
the network addresses are constituted by at least one of internet protocol addresses and ports;
the network addresses are constituted by at least one of marked internet protocol addresses and ports indicating usage of an encapsulation protocol.
According to the present invention, in a second aspect, this object is for example achieved by a method comprising:
receiving signaled access information relating to a terminal and a first network entity external to a currently visited network of the terminal, the access information being associated with a first network plane below a second network plane relating to network session initiation, and the receiving being performed based on the second network plane; and
relaying, based on the second network plane, the received access information to a second network entity.
According to further refinements of the invention as defined under the above second aspect,
the access information comprises at least one of network addresses of the terminal and the first network entity, network ports of the terminal and the first network entity, network address translation, a protocol used, an application offered by the first network entity, and a service offered by the first network entity;
the method according to the second aspect further comprises sending information on network address translation;
the information on the network address translation comprises the existence of the network address translation and the address allocated by the network address translation;
the method according to the second aspect further comprises deriving the information on the network address translation from network addresses in session initiation protocol messages;
the network addresses are constituted by internet protocol addresses.
According to the present invention, in a third aspect, this object is for example achieved by a method comprising:
receiving relayed access information relating to a terminal and a first network entity external to a currently visited network of the terminal, the access information being associated with a first network plane below a second network plane relating to network session initiation, and the receiving being performed based on the second network plane; and
configuring the first network plane based on the access information.
According to further refinements of the invention as defined under the above third aspect,
the configuring further comprises establishing network traffic policy information based on the received access information and policy enforcement-based routing network traffic between the terminal and the first network entity based on the established network traffic policy information;
the established network traffic policy information comprises at least one policy and charging control rule;
the access information comprises one of information on a protocol used and information on an application defined by the at least one policy and charging control rule, and the established network traffic policy information is used for limiting the network traffic based on one of the protocol used and the application defined;
the at least one policy and charging control rule is used for limiting at least one of bandwidth, bit rate and traffic class of the network traffic;
the network traffic is one of an internet protocol data packet stream and a signaling message stream;
the network traffic is constituted by internet protocol data packets encapsulated by an encapsulation protocol, the establishing further establishes marked network traffic policy information indicating usage of the encapsulation protocol, and policy enforcement is applied to the encapsulated internet protocol data packets based on the marked network traffic policy information;
the first network plane is an internet protocol multimedia subsystem user plane and the second network plane is an internet protocol multimedia subsystem control plane.
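The signaling flow of the first to third aspects, together with the NAT detection by address comparison described above for the AF/P-CSCF, as an added illustrative model in Python that is not part of the patent or of any 3GPP specification. The SIP header name X-Access-Info, the PCC rule fields and all addresses and ports are constructed assumptions; the UE signals the held access information in a REGISTER, the P-CSCF derives the NAT information and relays, the PCRF opens a marked gate, and the PCEF enforces it.

```python
import re
from collections import namedtuple

# Access information the UE holds about an external STUN relay (first network plane).
AccessInfo = namedtuple("AccessInfo", "ue_addr ue_port relay_addr relay_port proto encap")

def ue_build_register(info):
    """UE: signal the held access info on the control plane inside a SIP REGISTER.
    'X-Access-Info' is a hypothetical header; the patent fixes no syntax for it."""
    return (f"REGISTER sip:ims.example SIP/2.0\r\n"
            f"Via: SIP/2.0/{info.proto} {info.ue_addr}:{info.ue_port}\r\n"
            f"X-Access-Info: relay={info.relay_addr}:{info.relay_port};"
            f"proto={info.proto};encap={int(info.encap)}\r\n\r\n")

def pcscf_relay(msg, pkt_src):
    """P-CSCF: parse the signalled info, derive NAT existence and the NAT-allocated
    address by comparing the SIP-level address with the packet source, relay to PCRF."""
    via = re.search(r"^Via: SIP/2.0/(\w+) ([\d.]+):(\d+)", msg, re.M)
    acc = re.search(r"^X-Access-Info: relay=([\d.]+):(\d+);proto=(\w+);encap=(\d)", msg, re.M)
    if not via or not acc:
        raise ValueError("access information missing from REGISTER")
    sip_addr = (via.group(2), int(via.group(3)))
    nat = pkt_src != sip_addr
    return {"ue_private": sip_addr, "ue_public": pkt_src if nat else None, "nat": nat,
            "relay": (acc.group(1), int(acc.group(2))),
            "proto": acc.group(3), "encap": acc.group(4) == "1"}

def pcrf_make_rules(relayed, max_kbps=512):
    """PCRF: one PCC rule (opened gate) between the UE as seen behind the NAT and the relay."""
    ue = relayed["ue_public"] or relayed["ue_private"]
    return [{"src": ue, "dst": relayed["relay"], "proto": relayed["proto"],
             "marked_encap": relayed["encap"], "max_kbps": max_kbps, "gate": "open"}]

def pcef_filter(rules, packets):
    """PCEF: pass a packet only if an open gate matches its endpoints and protocol;
    encapsulated packets additionally require a rule marked for encapsulation."""
    passed, dropped = [], []
    for p in packets:
        ok = any(r["gate"] == "open" and r["proto"] == p["proto"]
                 and {r["src"], r["dst"]} == {p["src"], p["dst"]}
                 and (r["marked_encap"] or not p.get("encap", False)) for r in rules)
        (passed if ok else dropped).append(p)
    return passed, dropped

def run_demo():
    """Constructed scenario: UE behind a NAT, relay not advertised by the visited network."""
    info = AccessInfo("10.0.0.5", 5060, "203.0.113.10", 3478, "UDP", True)
    relayed = pcscf_relay(ue_build_register(info), ("198.51.100.7", 40001))  # NAT-allocated source
    rules = pcrf_make_rules(relayed)
    packets = [  # uplink encapsulated media, downlink relay reply, packet to an unknown server
        {"src": ("198.51.100.7", 40001), "dst": ("203.0.113.10", 3478), "proto": "UDP", "encap": True},
        {"src": ("203.0.113.10", 3478), "dst": ("198.51.100.7", 40001), "proto": "UDP"},
        {"src": ("198.51.100.7", 40001), "dst": ("203.0.113.99", 3478), "proto": "UDP"}]
    return relayed, rules, pcef_filter(rules, packets)
```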
According to the present invention, in a fourth aspect, this object is for example achieved by an apparatus comprising:
means for holding access information relating to the apparatus and a first network entity external to a currently visited network of the apparatus, the access information being associated with a first network plane below a second network plane relating to network session initiation; and
means for signaling, based on the second network plane, the access information held by the means for holding to a controlling entity.
According to further refinements of the invention as defined under the above fourth aspect,
the means for signaling is configured to signal based on utilizing an internet protocol multimedia subsystem registration phase;
the means for signaling is configured to signal based on utilizing a separate session initiation protocol message exchange between the terminal and the controlling entity;
the separate session initiation protocol message is constituted by one of an options request and a register request of the session initiation protocol message;
the access information comprises at least one of network addresses of the terminal and the first network entity, network ports of the terminal and the first network entity, network address translation, a protocol used, an application offered by the first network entity, and a service offered by the first network entity;
the apparatus according to the fourth aspect further comprises means for receiving information on network address translation;
the information on the network address translation comprises the existence of the network address translation and the address allocated by the network address translation;
the network addresses are constituted by at least one of internet protocol addresses and ports;
the network addresses are constituted by at least one of marked internet protocol addresses and ports indicating usage of an encapsulation protocol;
the apparatus is a terminal.
According to the present invention, in a fifth aspect, this object is for example achieved by an apparatus comprising:
means for receiving signaled access information relating to a terminal and a first network entity external to a currently visited network of the terminal, the access information being associated with a first network plane below a second network plane relating to network session initiation, and the means for receiving being configured to receive based on the second network plane; and
means for relaying, based on the second network plane, the access information received by the means for receiving to a second network entity.
According to further refinements of the invention as defined under the above fifth aspect,
the access information comprises at least one of network addresses of the terminal and the first network entity, network ports of the terminal and the first network entity, network address translation, a protocol used, an application offered by the first network entity, and a service offered by the first network entity;
the apparatus according to the fifth aspect further comprises means for sending information on network address translation;
the information on the network address translation comprises the existence of the network address translation and the address allocated by the network address translation;
the apparatus according to the fifth aspect further comprises means for deriving the information on the network address translation from network addresses in session initiation protocol messages;
the network addresses are constituted by internet protocol addresses;
the apparatus is a controlling entity.
According to the present invention, in a sixth aspect, this object is for example achieved by an apparatus comprising:
means for receiving relayed access information relating to a terminal and a first network entity external to a currently visited network of the terminal, the access information being associated with a first network plane below a second network plane relating to network session initiation, and the means for receiving being configured to receive based on the second network plane; and
means for configuring the first network plane based on the access information.
According to further refinements of the invention as defined under the above sixth aspect,
the means for configuring further comprises means for establishing network traffic policy information based on the access information received by the means for receiving and means for policy enforcement-based routing network traffic between the terminal and the first network entity based on the network traffic policy information established by the means for establishing;
the network traffic policy information established by the means for establishing comprises at least one policy and charging control rule;
the access information comprises one of information on a protocol used and information on an application defined by the at least one policy and charging control rule, and
the means for policy enforcement-based routing is further configured to use the network traffic policy information established by the means for establishing for limiting the network traffic based on one of the protocol used and the application defined;
the means for policy enforcement-based routing is configured to use the at least one policy and charging control rule for limiting one of bandwidth, bit rate and traffic class of the network traffic;
the network traffic is one of an internet protocol data packet stream and a signaling message stream;
the network traffic is constituted by internet protocol data packets encapsulated by an encapsulation protocol, the means for establishing is further configured to establish marked network traffic policy information indicating usage of the encapsulation protocol, and the means for policy enforcement-based routing is further configured to apply policy enforcement to encapsulated internet protocol data packets based on the marked network traffic policy information;
the terminal is a user equipment.
According to further refinements of the invention as defined under the above fourth to sixth aspects,
the first network entity is an external server;
the external server is a simple traversal of user datagram protocol through network address translations relay;
the second network entity is at least one of a policy and charging rules function and a policy and charging enforcement function;
the controlling entity is a proxy call session control function;
the first network plane is an internet protocol multimedia subsystem user plane and the second network plane is an internet protocol multimedia subsystem control plane;
the apparatus is implemented as a chipset or module.
According to the present invention, in a seventh aspect, this object is for example achieved by a system comprising:
an apparatus according to the above fourth aspect;
an apparatus according to the above fifth aspect; and
an apparatus according to the above sixth aspect.
According to the present invention, in an eighth aspect, this object is for example achieved by a computer program product comprising code means for performing the method steps of a method according to any one of the above first to third aspects, when run on a computer.
In this connection, it has to be pointed out that the present invention enables one or more of the following:
Enabling the UE to use e.g. STUN Relays/Servers already known by the UE e.g. through pre-configuration or through other means;
Faster rule-based UE access e.g. to the IMS network due to “pinhole” access prior to session initiation;
An efficient NAT traversal method (ICE) may be applied e.g. in a policy controlled IMS network.