The non-3GPP access network is an IP (Internet Protocol) access network that uses an access technology specified outside the scope of 3GPP. Examples are a Wi-Fi (Wireless Fidelity, registered trademark) wireless LAN (Wireless Local Area Network: WLAN) specified by the IEEE (Institute of Electrical and Electronics Engineers, Inc.) 802.11 family of standards and a WiMAX (Worldwide Interoperability for Microwave Access) network specified by the IEEE 802.16 standard. For non-3GPP access, reference may be made, for example, to 3GPP TS 23.402: Architecture enhancements for non-3GPP accesses.
Wi-Fi Calling is a Voice over IP (VoIP) service that a communication carrier (operator) provides over a Wi-Fi network. For example, a terminal (User Equipment: UE) into which the carrier's SIM (Subscriber Identity Module) is inserted connects over a Wi-Fi network to a security gateway of the carrier; once the security gateway has authenticated the terminal by SIM-based authentication, the terminal is connected to an exchange node of the core network (Evolved Packet Core: EPC), so that it can use the voice call service based on its telephone number, the Short Message Service (SMS), and so forth, each provided by the carrier (Non-Patent Literature 1). Further, when the terminal is connected to Wi-Fi and Wi-Fi Calling is enabled on the terminal, the security gateway, on receiving an incoming call for the terminal, delivers the call to the terminal via the Wi-Fi network.
FIG. 1 is a diagram illustrating an EPS (Evolved Packet System) including a non-3GPP access network. A terminal (UE) 1 such as a smartphone can connect to a packet data network (PDN) 30 via a base station (evolved Node B: eNB) 10 of a communication carrier and an EPC 20, or can connect to the Internet via a wireless LAN such as Wi-Fi.
An MME (Mobility Management Entity) 23 of the EPC 20 performs processing such as mobility management of the terminal 1 and setting of the user data transfer route. The MME 23 also performs user authentication and the like in cooperation with an HSS 24 (Home Subscriber Server, which holds the subscriber profiles). The MME 23 establishes and releases the user data transfer route in the section (S1-U) between an SGW (Serving Gateway) 21 and the base station 10. The SGW 21 exchanges user data with the base station 10, for example, and establishes and releases a communication path between itself and a PGW (Packet Data Network Gateway) 22. The PGW 22 connects to a packet data network (PDN) 30 such as the IMS (IP Multimedia Subsystem) or the Internet, for example, and also allocates an IP address (for example, a private IP address) to the terminal 1. A PCRF (Policy and Charging Rules Function) 26 determines policy control rules such as QoS (Quality of Service) and charging control rules; based on the rules notified by the PCRF 26, the PGW 22 and the SGW 21 perform policy control, for example on a per-packet basis. In FIG. 1, a line such as S11 between nodes represents an interface; a broken line represents control plane (C-Plane) signalling, and a solid line represents user plane (U-Plane) data. For details of the EPC, reference may be made, for example, to 3GPP TS 23.401: GPRS enhancements for E-UTRAN access.
In Wi-Fi Calling and the like, a call request from the terminal 1 is forwarded, as untrusted access, via a wireless LAN access point 41 and an ePDG (evolved Packet Data Gateway) 27 of the communication carrier to the PGW 22, and is then connected to the PDN 30 (for example, an IMS service).
The ePDG 27 is an IPsec gateway that terminates the IPsec (Security Architecture for the Internet Protocol) connection from the terminal over the SWu interface. When the terminal (UE) 1 hands over to an untrusted non-3GPP access, or first connects to such an access, the terminal 1 discovers an ePDG 27, performs IKEv2 key exchange with the ePDG 27 to establish an IPsec tunnel, and then establishes a PDN (Packet Data Network) connection with the PGW 22 over that tunnel. Before the terminal 1 is granted access to the EPC through the untrusted non-3GPP access network, it must be authenticated. The ePDG 27 relays EAP (Extensible Authentication Protocol) messages from the terminal 1 to a 3GPP AAA (Authentication, Authorization, Accounting) server 25, which performs EAP-SIM (Extensible Authentication Protocol-Subscriber Identity Module) or EAP-AKA (Extensible Authentication Protocol-Authentication and Key Agreement) authentication (reference may be made, for example, to 3GPP TS 33.402: Security aspects of non-3GPP accesses). The EAP exchange is carried inside the IKEv2 IKE_AUTH exchange, so the subscriber is authenticated before any user traffic is accepted on the tunnel.
Over the S2b interface, the ePDG 27 sets up a tunnel (Proxy Mobile IP or GTP (GPRS (General Packet Radio Service) Tunnelling Protocol)) toward the PGW 22 (reference may be made, for example, to 3GPP TR 23.834: Study on GPRS Tunnelling Protocol (GTP) based S2b).
When the non-3GPP access supports PMIPv6 (Proxy Mobile IPv6), the ePDG 27 can connect to the PGW 22 via PMIPv6. When Proxy Mobile IP is used between the PGW 22 and the ePDG 27, the ePDG 27 transmits a Proxy Binding Update message to the PGW 22 once the IPsec tunnel between the terminal 1 and the ePDG 27 has been established. As a result, the PGW 22 switches the destination of data addressed to the terminal 1 to the ePDG 27. PMIPv6 is a network-based mobility management protocol that establishes and releases a data forwarding tunnel (a GRE (Generic Routing Encapsulation) tunnel) between a mobility anchor (LMA: Local Mobility Anchor) and a mobile access gateway (MAG: Mobile Access Gateway) (reference may be made, for example, to IETF (Internet Engineering Task Force) RFC (Request for Comments) 5213). The LMA forwards packets addressed to the terminal to the MAG to which the terminal is currently attached, that is, it switches the communication route toward the visited area. When the terminal moves from one MAG to another, a data forwarding tunnel is established between the LMA that had established the previous tunnel and the MAG to which the terminal newly attaches.
The 3GPP AAA server 25 provides network access authentication, authorization, and accounting services for users. Authorization of non-3GPP access involves the terminal 1, the 3GPP AAA server 25, and the HSS 24. For example, when the terminal 1 establishes an IPsec tunnel with the ePDG 27, mutual authentication between the terminal 1 and the network is performed based on, for example, EAP-AKA.
When the terminal 1 moves to or first connects to a trusted non-3GPP access (the trusted wireless LAN access point 42 in FIG. 1), a tunnel is established directly to the PGW 22 without passing through an ePDG (over the S2a interface, or, with client-based Mobile IP (MIP), DSMIPv6 (Dual-Stack Mobile IPv6): reference may be made to IETF RFC 5555). As for the ePDG and the 3GPP AAA server, reference may be made, for example, to 3GPP TS 29.273: Evolved Packet System (EPS); 3GPP EPS AAA interfaces. Whether a non-3GPP access network is treated as trusted or untrusted is determined by, for example, the communication carrier (operator) of the HPLMN (Home Public Land Mobile Network) with which the subscriber is registered; it is an operator policy decision, not a property the access network can assert for itself.
IPsec is a protocol suite that authenticates and encrypts packets at the network layer. AH (Authentication Header) authenticates the VPN (Virtual Private Network) peer and detects tampering with the packet, but provides no confidentiality (reference may be made to IETF RFC 2402, since superseded by RFC 4302). ESP (Encapsulating Security Payload) provides packet encryption together with authentication of the peer and integrity protection against falsification (reference may be made to IETF RFC 2406, since superseded by RFC 4303). IPsec has two modes: a transport mode (IPsec between hosts that themselves implement IPsec) and a tunnel mode (IPsec between VPN apparatuses such as routers equipped with IPsec). In the transport mode, only the layer 4 and higher part of the packet is encrypted (see FIG. 10B), and the packet is forwarded based on its original IP header. In the tunnel mode, the entire original packet, i.e., its original IP header and data part (FIG. 10A), is encrypted and a new IP header is prepended (see FIG. 10C); the IPsec tunnel between the terminal 1 and the ePDG 27 is of this kind, so the inner addresses are not visible on the wireless LAN.
An ESP packet has a format including an ESP header, a payload, an ESP trailer, and authentication data (ESP Authentication Data) (see FIG. 10B and FIG. 10C).
The ESP header includes an SPI (Security Parameter Index: a 32-bit value that, together with the destination address and the protocol, uniquely identifies the SA (Security Association) for that datagram) and a sequence number (a 32-bit counter incremented for every packet sent on the SA, used by the receiver for anti-replay protection).
The ESP trailer includes padding (a field that brings the encrypted part to the cipher block size and a 4-byte boundary), a pad length (number of bytes of padding), and a next header (the protocol carried after ESP, e.g., TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) in transport mode, or IP-in-IP in tunnel mode).
Authentication data (for example, an HMAC (Hash-based Message Authentication Code)) is a variable-length field containing an Integrity Check Value (ICV) computed over the ESP packet excluding the authentication data itself; unlike AH, ESP does not cover the outer IP header.
A security association (SA), which is a logical connection, is established between VPN apparatuses that perform IPsec communication. Since an SA is unidirectional, a pair of SAs is set up, one for transmitting and one for receiving packets. An SA is established for each traffic flow that uses VPN communication. An SA carries the IPsec parameters (security information), e.g., the SPI (Security Parameter Index), mode, protocol (AH or ESP), cryptographic algorithm and key, authentication algorithm and key, IP addresses of the tunnel endpoints, and so on. On reception, the SA is selected by the SPI carried in the packet, so a packet whose SPI matches no SA is discarded before any cryptographic processing.
IKE (Internet Key Exchange) is the key exchange protocol that negotiates and sets up SAs (for IKEv2, reference may be made, for example, to IETF RFC 4306, since superseded by RFC 7296). The ISAKMP (Internet Security Association and Key Management Protocol) SA, called the IKE SA in IKEv2, is the SA that encrypts and authenticates the IKE control messages exchanged between peers; the IPsec SAs used for user data are negotiated under its protection.
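The ESP packet format, the per-SPI SA lookup and the sequence number described above can be exercised end to end with a small receiver. The following is an added example written for this page; it is not code from the patent or from any 3GPP or IETF implementation. It uses ESP in tunnel mode with the NULL cipher (RFC 2410) and HMAC-SHA1-96 integrity so that it runs with the Python standard library only; the SPI, the integrity key and the inner IPv4 packet are constructed for the demonstration, and the 64-entry anti-replay window follows the sliding-window scheme of RFC 4303.

```python
"""ESP (RFC 4303), tunnel mode, NULL encryption + HMAC-SHA1-96 integrity:
build a packet, select the inbound SA by SPI, verify the ICV in constant time
and enforce the anti-replay window.  Added example; keys and packets are
constructed, not taken from any real deployment."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

ICV_LEN = 12            # HMAC-SHA1-96: the 20-byte tag truncated to 96 bits
NEXT_HEADER_IPV4 = 4    # tunnel mode: the ESP payload is a complete IPv4 packet
WINDOW = 64             # anti-replay window size (RFC 4303 recommends 64)
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0deadbeef")  # constructed


@dataclass
class SecurityAssociation:
    """One inbound SA: identified by SPI, holds the integrity key and replay state."""
    spi: int
    auth_key: bytes
    highest_seq: int = 0     # highest sequence number accepted so far
    window_bitmap: int = 0   # bit i set <=> sequence number (highest_seq - i) was seen


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def make_inner_ipv4(payload: bytes, src="10.0.0.2", dst="192.0.2.10", proto=17) -> bytes:
    """Constructed inner packet: a 20-byte IPv4 header (no options) plus payload."""
    fields = [0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def build_esp(sa: SecurityAssociation, seq: int, inner: bytes,
              next_header: int = NEXT_HEADER_IPV4) -> bytes:
    """Sender side: SPI | seq | payload | padding | pad_len | next_header | ICV."""
    pad_len = (-(len(inner) + 2)) % 4          # payload + trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default padding: 1, 2, 3, ...
    body = struct.pack("!II", sa.spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def replay_check(sa: SecurityAssociation, seq: int) -> bool:
    """True if seq is acceptable.  Does not touch the window: the ICV is unverified."""
    if seq == 0:                         # the first packet on an SA carries seq 1
        return False
    if seq > sa.highest_seq:             # right of the window: new
        return True
    offset = sa.highest_seq - seq
    if offset >= WINDOW:                 # left of the window: too old
        return False
    return not (sa.window_bitmap >> offset) & 1   # inside the window: reject duplicates


def replay_update(sa: SecurityAssociation, seq: int) -> None:
    """Record seq in the window.  Call only after the ICV has been verified."""
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.window_bitmap = ((sa.window_bitmap << shift) | 1) & ((1 << WINDOW) - 1)
        sa.highest_seq = seq
    else:
        sa.window_bitmap |= 1 << (sa.highest_seq - seq)


def parse_esp(sad: dict, packet: bytes):
    """Receiver side.  Returns (spi, seq, next_header, inner_packet) or raises ValueError."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:                                   # unknown SPI: drop, no key trial
        raise ValueError("no inbound SA for SPI 0x%08x" % spi)
    if not replay_check(sa, seq):                    # cheap check before the MAC
        raise ValueError("replayed or stale sequence number %d" % seq)
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # constant-time comparison
        raise ValueError("ICV mismatch")
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:
        raise ValueError("bad pad length")
    inner = body[8:len(body) - 2 - pad_len]
    if body[len(body) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    replay_update(sa, seq)                           # advance the window only now
    return spi, seq, next_header, inner


if __name__ == "__main__":
    sa = SecurityAssociation(spi=0x1000ABCD, auth_key=DEMO_KEY)
    sad = {sa.spi: sa}                               # inbound SAD keyed by SPI
    inner = make_inner_ipv4(b"hello")
    print(parse_esp(sad, build_esp(sa, 1, inner)))
    tampered = bytearray(build_esp(sa, 2, inner))
    tampered[-1] ^= 1                                # flip one ICV bit
    for bad in (build_esp(sa, 1, inner), bytes(tampered)):
        try:
            parse_esp(sad, bad)
        except ValueError as e:
            print("dropped:", e)
```

Two ordering choices in `parse_esp` are the security-relevant ones: the replay window is consulted before the MAC is computed (so floods of stale packets cost no HMAC work), but it is advanced only after the ICV verifies, so that a forged packet with a high sequence number cannot push the window forward and cause genuine packets to be dropped as "stale". A real stack would select the SA by (SPI, destination address, protocol) and decrypt after the ICV check; with the NULL cipher the decrypt step is the identity.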
Patent Literature 1 discloses a configuration in which a tunnel is established between a router in a user-side system, which connects to a data center via a communication network, and a virtual router in the data center.
Patent Literature 2 discloses a configuration that supports mobility of a terminal within a local network and enables continuous service provision, since the terminal can still access the local network, subject to security and authentication, after it moves to an external network.
[Patent Literature 1]
International Publication No. WO2013/190688A1 pamphlet
[Patent Literature 2]
Japanese Patent Kokai Publication No. JP2011-507449A
[Non-Patent Literature 1]
Next-generation Wi-Fi Calling Using IMS and 3GPP Wi-Fi Access, Internet search (searched on 26 Apr. 2015) <URL: http://www.aptilo.com/wi-fi-calling/next-generation-wi-fi-calling-solution>