The 3GPP (3rd Generation Partnership Project) is in the process of defining an extended standard for data packet forwarding called EPS (Evolved Packet System). In the EPS, besides the native 3GPP access technologies such as WCDMA (Wideband Code Division Multiple Access) and LTE (Long Term Evolution), there will also be support for access to data communication services and/or Internet services via a non-3GPP access, including in particular access through a home network such as an HPLMN (Home Public Land Mobile Network) via non-3GPP access methods/technologies/networks/standards, e.g. WiMAX according to the standard IEEE 802.16, a WLAN (Wireless Local Area Network), e.g. according to the standard IEEE 802.11g/n, xDSL (Digital Subscriber Line), etc. For the purpose of the discussion herein, “home network” should be understood as the entity with which an end user has a business agreement, often in the form of a subscription, for network access or service access, and thus comprises both conventional telecom operator networks as well as virtual operators, etc. The access network may be operated and/or administrated by another entity than the home network, in which case a business agreement between the two networks usually exists.
The non-3GPP access methods can be fitted into one of two categories:
Trusted non-3GPP access, and
Non-trusted non-3GPP access, also called untrusted non-3GPP access.
The two categories of non-3GPP access are illustrated in FIG. 1a, which is an overview of an “evolved packet system” as defined in the standard document 3GPP TS 23.402, “Architecture enhancements for non-3GPP accesses”.
The exact definition of the terms “trusted” and “non-trusted” for an EPS access is currently being discussed. The discussion is complicated by the fact that both technical aspects apply (consider e.g. the question: Is the access secure/trusted due to sufficient technical protection means?) as well as business aspects (consider e.g. the question: Does the home operator, i.e. the operator of the home network, have a sufficiently strong “agreement” with the operator of the access network, thereby making the access network trusted as seen from the home operator?). There are thus both subscriber interests (e.g. privacy) and operator interests (e.g. business) in ascertaining whether a certain access is trusted or not.
What is clear is that Trusted and Untrusted Non-3GPP Access Networks generally are IP (Internet Protocol) access networks that use an access technology whose specification is outside the scope of 3GPP. An “assumption” recently taken by 3GPP SA2 for working purposes in this respect is that whether a Non-3GPP IP Access Network is trusted or untrusted is not a characteristic of the access network itself. In a non-roaming scenario it is the decision of the operator of the HPLMN, i.e. the home operator, whether a specific Non-3GPP IP Access Network is used as a Trusted or an Untrusted Non-3GPP Access Network, and it is up to the operator to implement appropriate security measures in the respective case, e.g. according to the discussion below in the background description.
It is obvious that the different types of non-3GPP accesses will use different protection means between the home network and the terminal/UE (User Equipment), for example:
In establishing connectivity in a non-trusted access, an IPsec (Internet Protocol Security) tunnel between the terminal and a “gateway” node “above” the access, i.e. an ePDG (evolved Packet Data Gateway), as illustrated in FIG. 1a, will probably be set up. “Connectivity” is herein taken to mean “the state or a state of being connected”. The setting-up of the IPsec tunnel is furthermore made by a procedure executed according to the IKE (Internet Key Exchange) protocol, specifically version 2 thereof (IKEv2). This will make the security more or less independent of the security features of the access network used. A trusted access will, however, not have or need this feature.
In establishing connectivity in a trusted access, the EAP (Extensible Authentication Protocol) is likely to be used, and it can include, but not necessarily, the EAP-AKA (Authentication and Key Agreement) method for the access authentication, whereas a non-trusted access may or may not use the EAP.
Accesses established according to different methods may use different mobility solutions, e.g. client MIP (Mobile IP) or PMIP (Proxy MIP).
Consider a UE that is about to establish connectivity, e.g. for the purpose of attaching to some service or services through a Non-3GPP Access Network. A priori, the UE does in general not know whether the access is considered “trusted” or not by the home network. The question is then whether the UE should set up an IPsec tunnel to an ePDG or not, this being a procedure requiring relatively large resources/costs/time that should be avoided if possible. In particular, if the UE attempts to use IKE/IPsec but the network does not actually support it, signaling is wasted and/or error cases will occur.
While the UE could be statically preconfigured with suitable information, there are no generally used methods of dynamically signalling to the UE whether the access is considered trusted or not. In general, the UE can deduce some “technical” aspects from the very technology used, e.g. WiMAX or WLAN, but the UE cannot obtain information on and understand all technical aspects, for example the presence of an ePDG or which mobility protocol is to be used. On a higher level, the UE cannot know about the “business”-driven aspects. For instance, consider a given non-3GPP access network, e.g. a WiMAX network provided by a party or operator A. Two different home network operators, B and C, could have different opinions on whether the party A and the network provided thereby is trusted or not, due to their security policies and business arrangements. Thus, a UE using a subscription at the operator B should perhaps consider the party A and its access network trusted, whereas a UE using a subscription at the other operator C should consider the party A and its access network non-trusted. The situation is made even more complicated if “legacy” accesses through 3GPP networks, e.g. an I-WLAN (Interworking Wireless Local Area Network) according to the standard document 3GPP TS 33.234, are considered. In an access through an I-WLAN access network, a gateway in the form of a PDG (Packet Data Gateway, a gateway according to the general or older 3GPP standard, to be distinguished from the special ePDG mentioned above) can be used to terminate the IPsec tunnel to/from the UE, and thus this WLAN network will be considered “non-trusted”. However, access through a WLAN connected to an EPS could, in the future, perhaps be trusted, e.g. due to the use of security enhancements according to the standard IEEE 802.11i, and would thus not use or have the IPsec tunnel/PDG.
This shows (again) that a given access technology may or may not be considered trusted and use different security means towards the UE depending on the situation.
In summary, there may be a need for a way to notify the UE of at least some “property” of the access network, such a property involving whether the access is trusted or not, which type of mobility and security functions should be used, etc. Moreover, a method for making such a notification should be sufficiently secure in order to avoid attacks, e.g. an attacker falsely indicating an access as trusted so that the UE omits the IPsec tunnel, and it should of course also provide robustness in general.