Whereas conventional 2G mobile networks, such as those conforming to the Global System for Mobile Communications (GSM) standards, have provided circuit-switched voice and data services to user's mobile stations (MSs), there is great momentum in the mobile telecommunications industry to deploy packet-switched mobile networks. Packet-switched mobile networks have significant advantages in terms of network and radio resource efficiency and also enable the provision of more advanced user services. With the convergence of fixed and mobile telecommunications networks, the Internet Protocol (IP), widespread in fixed networks, is the natural choice as the packet routing mechanism for mobile packet networks. Currently IP version 4 (IPv4) is in widespread use in the fixed network domain. However, it is expected gradually to migrate to IP version 6 (IPv6) which offers well-recognised benefits over IPv4, notably in terms of greatly increased address space, more efficient routing, greater scalability, improved security, Quality of Service (QoS) integration, support for multicasting and other features.
Particular examples of mobile packet-switched services currently being deployed include the General Packet Radio Service (GPRS) as implemented in both 2G GSM networks and in 3G Universal Mobile Telecommunications System (UMTS) networks (hereinafter referred to as GPRS networks). It is also expected that non-GPRS wireless access technologies, such as wireless Local Area Network (wLAN), will provide a flexible and cost-effective complement to GPRS for local broadband service access in some areas such as hotspots (conference centres, airports, exhibition centres, etc). Consequently mobile network operators will want to support roaming of mobile stations between GPRS and non-GPRS networks or subnetworks.
The reader is referred to the GPRS Service Description (release 1999) Technical Specification, referred to as 3G TS 23.060 v3.12.0 (2002-06) and available from the 3GPP website at http://www.3gpp.org/ftp/specs/2002-06/R1999/23_series/, which provides a detailed service description for 2G (GPRS/GSM) and 3G (GPRS/UMTS) mobile packet networks. The functionality of GPRS networks is also generally well-known, although further aspects will be described in detail below.
In order to access GPRS packet-switched services, a MS first performs a GPRS attach procedure with an SGSN (either a 2G GSM GPRS attach or a 3G UMTS GPRS attach). Authentication, and location updating procedures are performed, and, if successful, the GPRS attach procedure makes the MS available for paging via the SGSN and notification of incoming packet data. However, to actually send and receive packet data, the MS must have an allocated Packet Data Protocol (PDP) address (eg an IP address) and must activate at least one PDP context for use with that PDP address. Each PDP address for a MS may have one or more PDP contexts associated with it and data defining the PDP contexts is stored in the MS, the SGSN, and the GGSN. The process of PDP context activation makes the MS known not only to the SGSN, but also to the corresponding GGSN and inter-working with external data networks can commence.
While GPRS networks, having been designed from the start as mobile networks, have built-in mobility management (for MSs within the GPRS network) and roaming functionality (for MSs roaming between GPRS networks), work has also taken place in the Internet Engineering Task Force (IETF) to support mobility of IP user terminals in general. To this end, the IETF have developed the Mobile IP (MIP) protocols. MIP is designed to support mobility when mobile stations (or mobile nodes (MNs) in MIP terminology) move between IP networks with different subnet prefixes (macro-mobility). For example, MIP may be used to support mobility between a GPRS network and a non-GPRS network such as a wLAN network. Mobile IP is not expected to be used for mobility management within a network or subnetwork (micro-mobility) which is typically managed by access technology specific layer 2 mechanisms such as WCDMA softer/soft handover.
There are two versions of MIP to correspond to the two versions of IP. MIP version 4 (MIPv4) is designed to provide IP address mobility for IP version 4 (IPv4) addresses, whereas the newer MIP version 6 (MIPv6) MIP is designed to provide IP address mobility for IP version 6 (IPv6) addresses. MIPv4 is described in the IETF Request For Comment (RFC) 2002 available at the IETF website http://www.ietf.org/rfc/rfc2002.txt?number=2002. Internet draft MIPv6 is described in the IETF Internet draft “Mobility Support in IPv6” available at the time of writing on the IETF website at http://www.ietf.org.internet-drafts/drafts-ietf-mobileip-ipv6-19.txt and referenced as draft-ietf-mobileip-ipv6-19.txt, dated 29 Oct. 2002.
A scenario involving MIP roaming with routing optimisation is illustrated in FIG. 1. A MN is allocated a home IP address (HAddr) in its Home Network (HN). Routing procedures in the HN ensure that wherever the MN is within the HN, an IP packet sent from a Correspondent Node (CN) over an IP network will reach the MN. When the MN roams to a foreign network (FN), the MN is assigned a Care of Address (CoA) within the FN to which IP packets will need to be routed. However, the movement of the MN must be transparent to the IP layer and the upper layers (e.g. the transport layer and the application layer) during a session, so that packets created by the IP layer of the CN will continue to carry the HAddr as the destination address.
Under the MIPv6 routing optimisation protocol, the MN sends a binding update to the CN when roaming into the FN, to inform the CN of the CoA. The MIP layer of the CN then sets the destination address of subsequent packets in the session to the CoA, and places the MN's HAddr in a Routing Header Type 2 as the extension header of the packet. At the MN MIP layer, the HAddr is retrieved from the Routing Header Type 2 field and used as the destination address in the corresponding packet passed to the IP layer of the MN.
In this scenario, the CN is located in a GPRS network (GN) interfaced to the IP network via a General Packet Radio Service Gateway Support Node (GGSN), with functions as defined in the document 3GPP TS 23.207 V5.3.0 (March 2002), clause 5.2.1. The GGSN includes a Service-Based Local Policy (SBLP) enforcement point, which applies policy-based admission control to packets passing through the GGSN. Policy enforcement for an individual session is defined by a ‘gate’, with gates defined independently for upstream and downstream traffic. Each gate includes a packet classifier and actions to be taken for packets matching the packet classifier. The packet classifier includes source IP address, destination IP address, source port, destination port and protocol. The packet classifier source and destination IP addresses may include wildcards so as to define a range of addresses. Packets which do not match the packet classifier of the corresponding gate are blocked.
To set up an IP session through the GGSN, the CN sends to the GGSN an authorisation request specifying the source IP address, destination IP address (i.e. the HAddr), source port, destination port and protocol; An SBLP decision point within the GGSN (the local decision point), as defined in clause 5.2.3 of the document 3GPP TS 23.207 V5.3.0 (March 2002), or a Policy Control Function (PCF) outside the GGSN, determines whether to authorize the IP session. If the session is authorized, a gate is set up for each direction of the session at the SBLP enforcement point and an authorization token is transmitted to the CN. The authorization token conforms to the IETF Specification on SIP Extensions for Media Authorization.
An uplink SBLP may be used to prevent access by the CN (or other nodes within the GN) to specified destination IP addresses. Hence, a gate may only be authorised if the requested destination IP address is acceptable under the SBLP. However, such a gate will interfere with the MIPv6 routing optimisation protocol described above, because the destination address, as seen by the GGSN, changes from the HAddr to the CoA in mid session. Packets addressed to the CoA do not match the packet classifier of the uplink gate corresponding to the session, and may be blocked.
Route optimisation is mandatory in MIPv6, but optional in MIPv4. An alternative route without route optimisation is shown in FIG. 2. An IP session is set up between the CN and the MN in its HN. The MN roams into the FN during the session, and sends a binding update to inform a Home Agent (HA) in the HN of the CoA in the FN. In this example, the FN is a GPRS network connected to the IPN through a GGSN.
In response to the binding update, the HA sets up an IP tunnel to the CoA by intercepting any subsequent packets with the HAddr as the destination address and encapsulating them in packets with the IP address of the HA set as the source address and the CoA of the MN set as the destination address. The MIP layer of the MN decapsulates the packets and passes them to the IP layer so that the roaming is transparent to the IP layer and the upper layers. This tunnelling may be achieved using MIPv6 Generic Packet Tunnelling Mechanism described in ETF RFC 2473.
In the uplink direction, the MN may not need to change the source and destination address of its packets after roaming into the FN, because the IP address of the CN has not changed. However, the GGSN may apply an egress filter to outgoing packets, so that any packets with a source address not within the FN are blocked. This may be implemented by a SBLP gate with a packet classifier source address set to match any IP address within the GGSN. As a result, packets from the MN, bearing the HAddr as the source address, would be blocked.
To address this problem, the MIPv4 and MIPv6 standards include a reverse tunnelling protocol in which the MN sets up a tunnel in the uplink direction between its CoA and the HA address. Since the uplink packets are encapsulated in packets carrying the CoA as the source address, and the CoA is within the FN, the egress filter will allow the encapsulated packets to pass. The HA decapsulates the packets and forwards them to the CN. MIPv6 reverse tunnelling is described for example in the IETF Mobile IP Working Group Draft ‘Mobility Support in IPv6’, 29 Oct. 2002, located at the time of writing at http://www.ietf.org/internet-drafts/draft-ietf-mobileip-ipv6-19.txt
However, this solution gives rise to a problem where the GGSN in the FN has implemented an SBLP gate for the uplink packets. When the MN enters the FN, it must send an authorization request to the GGSN to allow the IP session with the CN to be routed through the GGSN. This is not a problem in itself, because the authorization protocol allows for authorization in mid session, even when the session has begun outside the GGSN local network. However, the authorization request originated from the Application layer (e.g. SIP session Layer) will specify the HA address as the destination address, and the HA address does not identify the end destination address because the MN's mobility management (e.g. the use of COA) is transparent to the Application layer. To authorize an uplink SBLP gate on the basis of the HA address would defeat the object of the SBLP gate, as the SBLP enforcement point would then have no control over the final destination of the outgoing packets. Moreover, the GGSN is not permitted to examine the payload of the encapsulated packets to discover the final destination address, and may not even be able to do so if the payload is encrypted, for example using IPSec.