
WO2001086883A2 - Method and apparatus for translating network address identifiers related to mobile stations - Google Patents


Info

Publication number
WO2001086883A2
Authority
WO
WIPO (PCT)
Prior art keywords
nai
mobile station
network
mobile
gateway router
Application number
PCT/US2001/014685
Other languages
French (fr)
Other versions
WO2001086883A3 (en)
Inventor
Senthil Sengodan
Rajesh C. Bansal
Original Assignee
Nokia Internet Communications Inc.
Priority to
AU2001261239A1

Classifications

    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L12/2856 Access arrangements, e.g. Internet access
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L61/30 Managing network names, e.g. use of aliases or nicknames
    • H04L61/4557 Directories for hybrid networks, e.g. including telephone numbers
    • H04L61/58 Caching of addresses or names
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04W8/26 Network addressing or numbering for mobility support
    • H04L2101/395 Internet protocol multimedia private identity [IMPI]; Internet protocol multimedia public identity [IMPU]
    • H04W80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]

Definitions

  • This invention relates to translating identity information of a first network to identity information of a second network and, more particularly, to a method and apparatus for translating the authenticated identity provided by a mobile station for purposes of interconnect to a mobile network, to an identity used to identify at least one user on a public packet data network (PDN).
  • Dialup users of data networks that use the Point-to-point Protocol make use of a unique identifier, such as a Network Address Identifier (NAI) for user identification.
  • the NAI is also used in situations where a user dials an Internet Service Provider (ISP), which connects the user to a home network.
  • the user dials into a Network Access Server (NAS) belonging to an ISP that is conveniently near the user, and the ISP then provides access to a home network.
  • a home network is a network that recognizes the NAI as belonging to a user who has contracted for services related to a packet data network (PDN), e.g. the internet.
  • the user's NAI is used in a challenge/response authentication between the user's equipment and the Remote Access Server (RAS), which operates as a gateway into the host ISP home network and as a key to accessing services provided by the home network.
  • the user connects by modem through local loop wiring to communicate to a NAS in the vicinity of the user. Entry of an identifier and a password has been treated as a routine requirement to access the services of the home data network.
  • Such services may include Hypertext Transport Protocol (HTTP), File Transfer Protocol (FTP), e-mail and other services associated with intranet and internet connectivity.
  • Fig. 1 depicts the prior art way of dialing up a remote ISP via a local access point.
  • Terminal 101 uses a modem to access the dialup network 103.
  • the NAS 105 establishes a tunnel using nodes of a TCP/IP network 107, wherein the NAS 105 gets two-way communication to a Remote Access Server (RAS) 109.
  • the RAS 109 may challenge the terminal for identifying information such as a user ID and a password. If the terminal provides correct identifying information, i.e. that which matches data stored by the home data network, access is granted to the home data network 111.
  • Cellular system users have encountered a similar problem, wherein it is desirable to give a cellular user access to cellular service while roaming distant from a network that the user has a contract for service with. Such roaming may occur state to state, or country to country.
  • Cellular systems make use of a unique identifier, e.g. International Mobile Station Identity (IMSI), or a Mobile identifier Number (MIN) to obtain access on home cellular systems and on roaming cellular systems.
  • the challenge/response typically entails the unique identifier being transmitted from cellular phone to the cellular network, wherein a centralized authentication database creates a challenge dependent on the unique identifier. If the cellular phone creates a response to match the challenge, service is provided, wherein the service is limited to telephony traffic carried over the cellular system, both radio and wired, near to the cellular phone, which is a type of mobile station.
  • a challenge/response method is used to determine if service is granted.
  • a system of challenges and responses has required conscious effort by the user to give a user ID, for purposes of access to a packet data network through a RAS.
  • a user of a GPRS mobile station has needed to manually trigger transmittal from the mobile station of a user ID for purposes of accessing a packet data network through a RAS.
  • GPRS makes sparing use of network and radio resources, i.e. a GPRS mobile station uses radio resources only when there is data to be sent or received. Because GPRS uses resources only when a packet is sent, it allows end user applications to only occupy the network when a payload is being transferred, and so is well adapted to the very bursty nature of data applications.
  • Another important feature of GPRS is that it provides immediate connectivity and high throughput, once the mobile station is powered up and authenticated to the IP network provider, which may be an ISP or a corporate Virtual Private Network (VPN) among others.
  • a pool of modems has been available to receive the data calls of an itinerant laptop user.
  • the NAS is able to "tunnel", sometimes using a secure protocol, through a packet data network, like a TCP/IP network, to the RAS.
  • the analog to the NAS in a GPRS network is the Gateway GPRS Support Node (GGSN).
  • the GGSN tunnels through the TCP/IP network to a RAS.
  • the RAS, unless it is a free resource open to all, authenticates the originator of the communication, whether the originator be a laptop user or mobile station.
  • a wireless network (WN) is a network that can support a mobile station that communicates to the WN through a wireless link.
  • the WN has one or more fixed nodes that operate for common carriage of the mobile station's voice and data, either between subscribers, or to a land based network, such as a Public Switched Telephone Network (PSTN).
  • a WN may also have one or more gateways to a land based packet data network operating using, e.g. internet protocols (IP) to interconnect nodes. Such gateways may communicate to a Remote Access Server (RAS) of a host ISP of a user. Such gateways may communicate to a RAS of a corporate Virtual Private Network (VPN).
  • Both of the above networks typically are able to route to external packet- switched data networks one-way or two-way traffic flows from a mobile station.
  • such wireless networks may authenticate a mobile subscriber identity which is communicated for the mobile station to the network.
  • the mobile subscriber identity is the IMSI.
  • the mobile subscriber identity is the ITSI.
  • the data for the mobile subscriber identity may be stored in a permanent fashion in a Subscriber Identity Module (SIM) that is removable from the larger mobile station.
  • Some wireless systems, under some circumstances, may provide a mobile station with a Temporary Mobile Subscriber Identity (TMSI).
  • The TMSI may be stored at the mobile station, and transmitted from the mobile station to obtain various services. This is also a type of mobile subscriber identity.
  • the internet, which is an example of a packet data network, has evolved separately from networks that support mobile stations, e.g. the cellular networks.
  • The Internet and other packet data networks have been geared toward connecting to terminals that are intermittently on and seldom moved, whereas cellular networks are geared toward mobile stations that are always on and frequently moved.
  • Internet terminals have typically been large, and equipped with fast CPUs and prodigious local data storage.
  • Cellular mobile stations are usually small, have modest CPUs and very little data storage.
  • hand entry of alphanumeric mnemonics has been the first step in any session for accessing services available over a packet data network, whereas cellular mobile station identities have historically been numeric, and embedded within the hardware of the cellular mobile station for automatic retrieval.
  • Internet identities may be fanciful, and suggest attributes a user either does not have, or aspires to have.
  • Cellular mobile station identities typically are unchanging, impersonal, and have been historically intended to thwart fraud of any kind.
  • Storage of customer records in ISPs has been in a myriad of start-up entities that own equipment, typically in a small region.
  • Storage of customer records in cellular networks has been in a limited number of state-wide, and nation-wide wireless carriers that are usually well financed. ISPs are subject to limited government control in most jurisdictions, whereas wireless carriers are subject to approval by national government bodies prior to operation.
  • a method of caching a Network Address Identifier (NAI), relating to a mobile station is disclosed.
  • a wireless network node receives a NAI encoded in a packet.
  • the wireless network node caches the NAI for retrieval in connection with mobile station data traffic.
  • the wireless network node also encapsulates the NAI for use in communication with a packet data network.
  • An embodiment of the invention discloses a GPRS system having a wireless authenticator.
  • the wireless authenticator may provide services to authenticate a mobile station to a local wireless system operator or to a remote wireless system operator.
  • the wireless authenticator may receive messages that carry the International Mobile Station Identity (IMSI) of a mobile station.
  • the wireless authenticator looks up in a database to see if there is a matching user identifier to the IMSI.
  • the user identifier may be used to provide identity information of the mobile station to a Remote Access Server (RAS) across a packet network. If there is a user identifier that corresponds to the IMSI, the user identifier is transmitted from the wireless authenticator to a wireless network node that is proximal to a gateway router.
  • a tunnel, which may have security features, is formed between the gateway router and a RAS, if the operator of the mobile station requests connectivity to the RAS.
  • the operator of the mobile station benefits in that, when communications to the RAS begin, the wireless network node transparently provides sufficient identifying information to the RAS that the RAS need only query the user for a password to completely authenticate the user for access to services of the RAS.
  • the wireless network node in this case, is proximal to the gateway router.
  • the wireless network and the RAS may be sufficient to provide access to the RAS without need to challenge a user for a password.
  • the knowledge by the RAS of the identity of the wireless network, and the user identifier provided through the wireless network may be sufficient to remove all speed-bumps between a user of a mobile subscriber, and the data services provided by the RAS.
  • the wireless authenticator may provide services to authenticate a mobile station to a local wireless system operator or to a remote wireless system operator.
  • the wireless authenticator may provide functionality of an Individual Subscriber Home Database (I-HDB).
  • the wireless authenticator may receive messages that carry the Individual TETRA Subscriber Identity (ITSI) of a mobile station.
  • the wireless authenticator looks up in a database to see if there is a matching Network Address Identity (NAI) or user identifier to the IMSI.
  • the user identifier may be used to provide identity information of the mobile station to a Remote Access Server (RAS) across a packet network.
  • the user identifier is transmitted from the wireless authenticator to a wireless network node that is proximal to a gateway router.
  • a tunnel, which may have security features, is formed between the gateway router and a RAS, if the operator of the mobile station requests connectivity to the RAS.
  • the operator of the mobile station benefits in that, when communications to the RAS begin, the wireless network node transparently provides sufficient identifying information to the RAS that the RAS need only query the user for a password to completely authenticate the user for access to services of the RAS. In this case, the wireless network node is proximal to the gateway router.
  • one or more of the disclosed embodiments provides a way to transmit a user ID, e.g. a Network
  • Another advantage provided by one or more embodiments of the invention is the reduction of wireless airtime devoted to establishing identity of a mobile station to the satisfaction of a Remote Access Server (RAS), as compared to what occurs when a user of a mobile station transmits identity to the RAS or other network element of the Internet Service Provider (ISP) or Virtual Private Network (VPN).
  • Yet another advantage provided by one or more embodiments of the invention is that the loss of a mobile station does not render a user ID vulnerable to detection based on storage within the mobile station.
  • the mobile station need not store the user ID, since the invention places responsibility for storage of the user ID on a typically fixed device, typically owned by the wireless system network operator.
  • an improved level of data security is achieved since one of the keys, or prerequisites to access, resides remote from the mobile station.
  • Yet another advantage provided by one or more embodiments of the invention is that a user of a mobile station is freed from the need to remember, key in correctly, and dispatch a user identifier to become authenticated to a packet data network provider, e.g. a TCP/IP service provider.
  • Figure 1 depicts a block diagram of a dial-up connection of a roaming client to a home data network according to the prior art.
  • Figure 2 depicts a block diagram according to an embodiment of the invention of a mobile station communicating to a remote access server.
  • Figure 3 depicts a block diagram according to an embodiment of the invention of a mobile station communicating with a remote access server through a Terrestrial Trunked Radio (TETRA) network.
  • Fig. 2 illustrates an embodiment of the invention for a mobile station 201 equipped to operate using packet radio.
  • the mobile station 201 may use the signaling of General Packet Radio Service (GPRS) to establish connectivity to its local wireless carrier, e.g. the owner or operator of a wireless network.
  • the mobile station must be provisioned in an authentication database of the wireless carrier for which a service contract is established.
  • Among the functions of a HLR 209 are authenticating a communication from a mobile station bearing a unique identifier such as an International Mobile Subscriber Identity (IMSI), or a Mobile Identification Number (MIN).
  • the HLR 209 stores the unique identifier for each mobile station for which the wireless carrier has a service contract. Such information is stored in a storage device, which may be nonvolatile storage such as magnetic media.
  • the authentication database, or modified HLR 209, of the embodiment of the invention includes additional data, i.e. a relation from an IMSI to at least one unique identifier of a user for the packet data network, which may be a Network Address Identifier (NAI).
  • Such a NAI has many features in common with IP e-mail addresses; for example, the NAI may be formed to use the domain name portion of an SMTP e-mail address.
  • the authentication database 209 may distribute a NAI while the mobile station 201 operates in the coverage area of the wireless carrier, sometimes called a home cellular network 221.
  • the HLR 209 may provide the NAI while the mobile station is roaming in a distant coverage area of a second wireless carrier, sometimes called a visited cellular network 223. The timing of messages that occur in the embodiment will now be discussed.
  • the embodiment uses GPRS messages, which are prior art, except that the messages are enhanced by the embodiment to carry additional data shown in Table 1.
  • Table 1 shows the additional parameter that is new with this embodiment. Some rows for the standard GPRS parameters are omitted for clarity in Table 1.
  • the sequence of messages may be carried out in situations where the mobile has recently powered up; when handing-over to a second cell in the network of the same wireless carrier; or when handing-over to a second cell of a second wireless carrier.
  • a mobile station 201 transmits an ATTACH_REQUEST message 251 packet according to GPRS.
  • the ATTACH_REQUEST message 251 is addressed to a wireless network node known as the Serving GPRS Support Node (SGSN) 207.
  • the ATTACH_REQUEST message 251 may be received and retransmitted by several intermediary wireless network nodes, such as a Base Transceiver Station (BTS) 203, and a Base Station Controller (BSC) 205.
  • the ATTACH_REQUEST message 251 carries the mobile subscriber's International Mobile Subscriber Identity (IMSI) or other mobile subscriber identity.
  • the SGSN 207 transmits a LOCATION_UPDATE message 252 to the Home Location Register (HLR) 209 of the wireless carrier that the mobile station 201 has a service contract with.
  • the LOCATION_UPDATE message 252 contains the unique identifier of the mobile station, in the case of this embodiment, the IMSI.
  • the embodiment of the invention uses a NAI retriever, that is, an improved HLR 209, so that the HLR looks up the correspondence of the IMSI to a NAI within a storage device located nearby. If a match is found, the HLR 209 sends the NAI embedded within an INSERT_SUBSCRIBER_DATA message 253, formatted according to Table 1. Additional parameters may be embedded in the message 253.
  • the SGSN 207 receives the message 253.
  • the storage device may be a single disk drive housed within a cabinet, or it may be several disk drives housed in modular racks in a common building with a CPU of the authentication database 209.
  • the HLR may support look-up of NAIs by storing, maintaining, retrieving and transmitting the data concerning correspondence of NAIs to unique mobile IDs.
  • a HLR configured in such a way, i.e. populated with data showing mobile IDs matched to network address identifiers, is called a NAI retriever.
  • Other wireless network nodes may operate as NAI retrievers in systems other than GPRS.
  • the NAI retriever is essentially a networked database, which is used to provide identity data for granting of service to networks beyond the wireless network.
  • the NAI retriever may be geographically remote from the mobile station. It may communicate securely to the SGSN.
  • the NAI retriever may have a transceiver such as a 10-base-T transceiver to transmit packets onto a link to the packet data network.
  • the transceiver may operate to receive packets routed to the NAI retriever.
  • the transceiver may be a transceiver to transmit and receive electrical signals.
  • the transceiver may be a transceiver to transmit and receive optical signals.
  • a CPU operates to filter inputs appearing through the transceiver so that data may be stored or retrieved from a non-volatile storage.
  • the NAI retriever's primary function is data storage and retrieval, as opposed to reception and routing of voice and data, which is the principal function of devices such as BTSs and BSCs, e.g. BTS 203, and BSC 205.
  • both wireless authentication data, and packet data network authentication data may be looked up by a single lookup in the database.
  • a responsive GPRS message from the HLR 209 may grant access for the wireless network, and operate to carry a user ID such as the NAI to a node such as the SGSN 207 for caching.
  • the SGSN 207 of the embodiment may store or cache the NAI that matches the IMSI in local storage.
  • the Gateway GPRS Support Node (GGSN) 211 may cache the NAI in a local storage device.
  • Such storage may persist until the mobile is powered off, or leaves the vicinity of BTSs that are served by the SGSN 207.
  • Storage of the NAI may be in locations of volatile memory, such as, e.g. RAM.
  • the SGSN 207 may send an ATTACH_ACCEPT 254 to the mobile station 201.
  • the SGSN 207 may forward data from the mobile station 201 to a RAS 213 via the Gateway GPRS Support Node (GGSN) 211, wherein the GGSN encapsulates the data into packets that may carry the NAI to the RAS 213 across a packet data network.
  • the GGSN may include a transceiver such as a 10-base-T transceiver to transmit packets onto a link to the packet data network.
  • the packet data network may receive and forward packets according to internet protocols, or X.25 standards.
  • the GGSN 211 may encapsulate by using Open
  • the GGSN 211 operates as a gateway router.
  • a gateway router has physical connections to wireless network nodes, as well as to nodes not a part of the wireless network.
  • the SGSN is proximal to the GGSN in that there are no intermediate packet routers between them. Further communications from the mobile subscriber to the packet data network, which bear the IMSI, may be converted at SGSN or GGSN by encapsulating the data with the NAI previously obtained from the HLR. This may be done for as long as the NAI is cached.
  • Caching the NAI in local storage permits the gateway router to locally look up the information concerning which NAI relates to which mobile station. This eliminates the need to frequently obtain the NAI across a series of links, which would be considered a remote look up.
  • a cache of NAIs in local storage reduces the size of the local database needed to list the NAIs for mobile stations that are served by the gateway router, and which are currently, or recently active in the wireless network served by the gateway router.
  • Authentication of the mobile subscriber at the RAS may be accomplished based upon a NAI.
  • One situation in which it is desirable to encapsulate the NAI in a packet traversing the tunnel from GGSN 211 to RAS 213 would be in an authentication protocol wherein the RAS challenges the mobile station 201 for a unique identifier.
  • a RAS 213 could generate such a challenge upon receiving the first packet from the SGSN 207 that carries a NAI of the mobile subscriber 201.
  • SGSN 207 may forward such a challenge message for transmission to the mobile subscriber 201.
  • the mobile subscriber may respond with an appropriate password.
  • Completed authentication between RAS 213 and mobile station 201 may occur when the response is carried to the RAS 213 encapsulated by the GGSN 211, and the RAS 213 or other supporting node confirms a good match with the records of the service provider, e.g. a virtual private network or an internet service provider.
  • the GGSN does not need to cause additional network traffic to look up the NAI. This is because according to the embodiment, the NAI is cached locally, so that the GGSN may locally look up the NAI when a packet, bound for the public data network, needs the NAI, as would occur when tunneling.
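The ATTACH_REQUEST 251 / LOCATION_UPDATE 252 / INSERT_SUBSCRIBER_DATA 253 / ATTACH_ACCEPT 254 sequence and the local NAI cache it populates, modelled in Python as an added example (this is not code from the patent). The node and message names follow the description; the message field names, the sample IMSI values and the NAIs are constructed, and the cache is keyed per IMSI and dropped on detach, as the text describes for a mobile that powers off or leaves the SGSN's area.

```python
"""Model of the NAI-caching flow described for the GPRS embodiment.

Added example; it is not code from the patent. Node names follow the
figure (HLR 209, SGSN 207, GGSN 211, RAS 213); the message field names,
the sample IMSIs and the NAIs below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NaiRetriever:
    """HLR 209 extended with an IMSI -> NAI relation (the 'NAI retriever')."""
    imsi_to_nai: dict
    remote_lookups: int = 0  # how often the SGSN had to query across the link

    def location_update(self, imsi: str) -> dict:
        """Handle LOCATION_UPDATE 252; answer with INSERT_SUBSCRIBER_DATA 253.

        The NAI parameter is only present when the IMSI has a matching NAI,
        mirroring the additional, optional parameter of Table 1.
        """
        self.remote_lookups += 1
        msg = {"type": "INSERT_SUBSCRIBER_DATA", "imsi": imsi}
        nai = self.imsi_to_nai.get(imsi)
        if nai is not None:
            msg["nai"] = nai
        return msg


@dataclass
class Sgsn:
    """SGSN 207: caches the NAI per IMSI for as long as the mobile is attached."""
    hlr: NaiRetriever
    nai_cache: dict = field(default_factory=dict)  # volatile storage, e.g. RAM

    def attach_request(self, imsi: str) -> dict:
        """ATTACH_REQUEST 251 -> LOCATION_UPDATE 252 -> cache NAI -> ATTACH_ACCEPT 254."""
        reply = self.hlr.location_update(imsi)
        if "nai" in reply:
            self.nai_cache[imsi] = reply["nai"]
        return {"type": "ATTACH_ACCEPT", "imsi": imsi}

    def detach(self, imsi: str) -> None:
        """Mobile powered off or left the SGSN's area: the cached NAI is dropped."""
        self.nai_cache.pop(imsi, None)

    def forward_to_ras(self, imsi: str, payload: bytes) -> Optional[dict]:
        """Encapsulate mobile-originated data with the cached NAI for the GGSN/RAS tunnel.

        Returns None when no NAI is cached: the mobile must attach (again)
        before it can be identified to the RAS; no remote lookup is done here,
        so the mobile station itself never has to store or send the NAI.
        """
        nai = self.nai_cache.get(imsi)
        if nai is None:
            return None
        return {"nai": nai, "payload": payload}


def demo() -> dict:
    """Run the sequence once and report the values a reviewer would check."""
    # Constructed subscriber records: one IMSI with an NAI, one without.
    hlr = NaiRetriever({"262011234567890": "alice@isp.example"})
    sgsn = Sgsn(hlr)
    sgsn.attach_request("262011234567890")
    first = sgsn.forward_to_ras("262011234567890", b"GET / HTTP/1.0")
    second = sgsn.forward_to_ras("262011234567890", b"password-response")
    sgsn.detach("262011234567890")
    after_detach = sgsn.forward_to_ras("262011234567890", b"late packet")
    sgsn.attach_request("262019999999999")  # provisioned for wireless only
    no_nai = sgsn.forward_to_ras("262019999999999", b"data")
    return {
        "remote_lookups": hlr.remote_lookups,  # one per attach, none per packet
        "first_nai": first["nai"],
        "second_nai": second["nai"],
        "after_detach": after_detach,
        "no_nai": no_nai,
    }


if __name__ == "__main__":
    print(demo())
```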
  • the embodiment of the invention provides for enhancements to the INSERT_SUBSCRIBER_DATA message 253, wherein the enhancements change the message from how it is currently specified in ETS 300 974, "Digital Cellular Telecommunications System (Phase 2+); Mobile Application Part (MAP) specification", European Telecommunications Standards Institute (ETSI), August 1998.
  • the embodiment of the invention provides for an additional payload space of Network Address Identifier (NAI).
  • the availability of a wireless data node, such as the HLR 209, configured to create and transmit such an enhanced message 253, and the availability of a SGSN 207 to receive and parse such a message is helpful to the implementation of the embodiment.
  • Such a reliance on a framework of messages largely specified in existing standards reduces the need to implement additional messages, with the attendant network signaling overhead.
  • Terrestrial Trunked Radio (TETRA) mobile subscribers currently rely on the Individual TETRA Subscriber Identity (ITSI) for authentication between mobile station and wireless network.
  • the TETRA-based embodiment uses an existing framework of wireless network nodes and messages.
  • the TETRA-based embodiment provides enhancements to some nodes and messages to position a cache of mobile ID to NAIs at a wireless network node proximal to a gateway router.
  • Fig. 3 shows a wireless network according to TETRA.
  • the mobile subscriber is said to be roaming. If the cell into which the mobile subscriber has moved is on a second SwMI 313, the mobile subscriber is said to have migrated.
  • the databases of mobile IDs and NAIs may be stored in an Individual Subscriber Home Database (I-HDB).
  • the I-HDB is a part of the home SwMI 317.
  • TETRA messaging formats are specified in ETSI standards, specifically ETS 300 392-3-5: Terrestrial Trunked Radio; Voice plus Data (V+D); Part 3: Interworking at Inter-System Interface (ISI); Sub-part 5: Additional Feature for Mobility Management (ANF-ISIMM).
  • the existing framework of authenticating a mobile subscriber by the wireless network comprises six messages, wherein the mobile subscriber has migrated from its home SwMI to a visited SwMI: 1) U-LOCATION UPDATE DEMAND PDU 301;
  • FIG. 3 shows the architecture of two TETRA SwMIs that support the
  • Mobile station 311 initiates communication to a visited SwMI 313 using U-LOCATION UPDATE DEMAND PDU 301.
  • Visited SwMI 313 transmits to ANF-ISIMM 315 the Migration_request primitive 302.
  • ANF-ISIMM 315 locates the Home SwMI 317, and generates a Migration_indication primitive 303 to the Home SwMI 317.
  • the Home SwMI comprises at least one NAI retriever, wherein data is stored such as the mobile user IDs, made up of ITSIs, and corresponding NAIs where a mobile station subscribes to an ISP or VPN.
  • the SwMI dispatches a Migration_response primitive 304 that carries the NAI, provided a NAI is found by the NAI retriever that matches any ITSI previously sent in the Migration_indication primitive 303.
  • ANF-ISIMM retransmits the Migration_response primitive 304 as a Migration_confirm primitive 305, also carrying the NAI, if available from the Migration_response primitive 304.
  • the Visited SwMI 313 may store the NAI locally for the duration that the mobile station operates on the Visited SwMI network 313.
  • a wireless node in the visited SwMI 313 may cache the NAI.
  • the wireless node may then encapsulate the NAI in a communication through the packet data network 321 , and initiate a tunnel 323 to a RAS 325.
  • RAS 325 may challenge the mobile subscriber for a password, which may be based on a NAI transmitted over the tunnel.
  • Access to the home data network 327 may be granted based on the response from the mobile subscriber.
  • the NAI use in the TETRA embodiment may be used to initiate tunneling to a RAS to which the mobile station 311 subscribes, either as a ISP or VPN provided service.
  • the originating endpoint to the tunnel is on a wireless network node in the Visited SwMI.
  • the NAI is stored within the Home SwMI while the mobile station operates on it.
  • the TETRA embodiment may be operated with enhanced primitives, wherein a field, not specified by TETRA, may be added to the Migration_Response 304 and Migration_Confirm 305 primitives for the intended purpose of carrying NAI data.
  • a field not specified by TETRA
  • Migration_Confirm 305 may be added to the Migration_Response 304 and Migration_Confirm 305 primitives for the intended purpose of carrying NAI data.
  • a NAI retriever may be implemented as a stand-alone database, which may operate as a common resource to supplement one or more HLRs (in GPRS embodiment), or l-HDB (in TETRA embodiment). Queries to the NAI retriever may operate in parallel or series with a query message sent to an HLR or l-HDB.
  • Mobile stations may be large and heavy, and can be affixed to other things. Tunneling protocols may or may not implement data security functions.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A way to translate mobile subscriber identities is disclosed wherein, soon after the initialization of operation of a mobile station, or recent entry of the mobile station, to a wireless network, a message is sent to a large NAI retriever database. The NAI retriever obtains the NAI applicable to the mobile subscriber identity, and transmits the NAI to a gateway router, which serves the wireless network in the geographic area where the mobile station operates. The gateway router then stores the NAI in a comparatively smaller database, e.g. using volatile storage. The gateway router may locally look up the NAI when the mobile station sends packets intended for the public data network, and may encapsulate those packets with the NAI as the packets of the mobile station are routed through the gateway router.

Description

METHOD AND APPARATUS FOR TRANSLATING NETWORK ADDRESS IDENTIFIERS RELATED TO MOBILE STATIONS
Field of the Invention
This invention relates to translating identity information of a first network to identity information of a second network and, more particularly, to a method and apparatus for translating the authenticated identity provided by a mobile station for purposes of interconnect to a mobile network, to an identity used to identify at least one user on a public packet data network (PDN).
Background of the Invention
Dialup users of data networks that use the Point-to-point Protocol (PPP) make use of a unique identifier, such as a Network Address Identifier (NAI), for user identification. This may be the case where a user directly dials into a modem pool of a corporate network, offered, e.g. by the employer of the user. The NAI is also used in situations where a user dials an Internet Service Provider (ISP), which connects the user to a home network. Thus, the user dials into a Network Access Server (NAS) belonging to an ISP that is conveniently near the user, and the ISP then provides access to a home network. A home network is a network that recognizes the NAI as belonging to a user who has contracted for services related to a packet data network (PDN), e.g. the internet. In this situation, the user's NAI is used in a challenge/response authentication between the user's equipment and the Remote Access Server (RAS), which operates as a gateway into the host ISP home network and as a key to accessing services provided by the home network. Generally, the user connects by modem through local loop wiring to communicate to a NAS in the vicinity of the user. Entry of an identifier and a password has been treated as a routine requirement to access the services of the home data network. Such services may include Hypertext Transport Protocol (HTTP), File Transfer Protocol (FTP), e-mail and other services associated with intranet and internet connectivity.
Fig. 1 depicts the prior art way of dialing up a remote ISP via a local access point. Terminal 101 uses a modem to access the dialup network 103. Using a protocol called PPP, the terminal establishes communication with a Network Access Server 105. The NAS 105 may include a Point-to-point Tunneling Protocol (PPTP) Access Concentrator (PAC) and/or a Layer 2 Tunneling Protocol (L2TP) Access Concentrator (LAC). The NAS 105 establishes a tunnel using nodes of a TCP/IP network 107, wherein the NAS 105 gets two-way communication to a Remote Access Server (RAS) 109. At that time, the RAS 109 may challenge the terminal for identifying information such as a user ID and a password. If the terminal provides correct identifying information, i.e. that which matches data stored by the home data network, access is granted to the home data network 111.
Cellular system users have encountered a similar problem, wherein it is desirable to give a cellular user access to cellular service while roaming distant from a network that the user has a contract for service with. Such roaming may occur state to state, or country to country. Cellular systems make use of a unique identifier, e.g. International Mobile Station Identity (IMSI), or a Mobile Identification Number (MIN) to obtain access on home cellular systems and on roaming cellular systems. The challenge/response that operates prior to granting service typically entails the unique identifier being transmitted from the cellular phone to the cellular network, wherein a centralized authentication database creates a challenge dependent on the unique identifier. If the cellular phone creates a response to match the challenge, service is provided, wherein the service is limited to telephony traffic carried over the cellular system, both radio and wired, near to the cellular phone, which is a type of mobile station.
A system exists for authenticating mobile stations on Terrestrial Trunked Radio (TETRA) based Professional Mobile Radio (PMR) networks. Such a system requires the mobile station to provide an Individual TETRA Subscriber Identity (ITSI) before the TETRA network grants service. A challenge/response method is used to determine if service is granted. To date, a system of challenges and responses has required conscious effort by the user to give a user ID, for purposes of access to a packet data network through a RAS.
Similarly, in General Packet Radio Service (GPRS) systems, a unique identifier is stored in the mobile station, sometimes called an IMSI, which is used in a challenge/response method of authenticating the mobile station. Like TETRA, a user of a GPRS mobile station has needed to manually trigger transmittal from the mobile station of a user ID for purposes of accessing a packet data network through a RAS.
General Packet Radio Service (GPRS) is used as a data services upgrade to any Global System for Mobiles (GSM) network. It allows GSM networks to be truly compatible with the Internet. GPRS uses a packet-mode technique to transfer bursty traffic in an efficient manner. It allows transmission bit rates from 9.6 Kbps to more than 150 Kbps per user.
The two key benefits of GPRS are a better use of radio and network resources and interconnectivity to Internet Protocol (IP) networks. GPRS makes sparing use of network and radio resources, i.e. a GPRS mobile station uses radio resources only when there is data to be sent or received. Because GPRS uses resources only when a packet is sent, it allows end user applications to occupy the network only when a payload is being transferred, and so is well adapted to the very bursty nature of data applications. Another important feature of GPRS is that it provides immediate connectivity and high throughput, once the mobile station is powered up and authenticated to the IP network provider, which may be an ISP or a corporate Virtual Private Network (VPN) among others.
In the architecture of a NAS communicating to a RAS, typically a pool of modems has been available to receive the data calls of an itinerant laptop user. The NAS is able to "tunnel", sometimes using a secure protocol, through a packet data network, like a TCP/IP network, to the RAS. The analog to the NAS in a GPRS network is the Gateway GPRS Support Node (GGSN). Like the NAS, the GGSN tunnels through the TCP/IP network to a RAS. The RAS, unless it is a free resource open to all, authenticates the originator of the communication, whether the originator be a laptop user or mobile station. The case continues to be that the mobile station must provide, usually by keystrokes, some indicator of identity, even though, for purposes of the wireless network, the mobile is already authenticated. Because of the history of real-time accessibility for mobile stations, e.g. the mobile phone, the need for delays incurred by boot-up, dial-up, and manual authentication is highly anomalous.
In each of the above systems, GPRS and TETRA, a Wireless Network (WN) is described. A wireless network is a network that can support a mobile station that communicates to the WN through a wireless link.
The WN has one or more fixed nodes that operate for common carriage of the mobile station's voice and data, either between subscribers, or to a land based network, such as a Public Switched Telephone Network (PSTN). A WN may also have one or more gateways to a land based packet data network operating using, e.g. internet protocols (IP) to interconnect nodes. Such gateways may communicate to a Remote Access Server (RAS) of a host ISP of a user. Such gateways may communicate to a RAS of a corporate Virtual Private Network (VPN).
Both of the above networks are typically able to route to external packet-switched data networks one-way or two-way traffic flows from a mobile station. In addition, such wireless networks may authenticate a mobile subscriber identity which is communicated from the mobile station to the network. In the GPRS network, the mobile subscriber identity is the IMSI. In the TETRA network, the mobile subscriber identity is the ITSI. The data for the mobile subscriber identity may be stored in a permanent fashion in a Subscriber Identity Module (SIM) that is removable from the larger mobile station. Some wireless systems, under some circumstances, may provide a mobile station with a Temporary Mobile Subscriber Identity (TMSI). The TMSI may be stored at the mobile station, and transmitted from the mobile station to obtain various services. This is also a type of mobile subscriber identity.
The internet, which is an example of a packet data network, has evolved separately from networks that support mobile stations, e.g. the cellular networks. Internet, and other data packet networks, have been geared toward connecting to terminals that are intermittently on, and seldom moved, whereas cellular networks are geared toward mobile stations that are always on, and frequently moved. Internet terminals have typically been large, and equipped with fast CPUs and prodigious local data storage. Cellular mobile stations are usually small, have modest CPUs and very little data storage. Historically, hand entry of alphanumeric mnemonics has been the first step in any session for accessing services available over a packet data network, whereas cellular mobile station identities have historically been numeric, and embedded within the hardware of the cellular mobile station for automatic retrieval. Internet identities may be fanciful, and suggest attributes a user either does not have, or aspires to have. Cellular mobile station identities typically are unchanging, impersonal, and have been historically intended to thwart fraud of any kind. Storage of customer records in ISPs has been in a myriad of start-up entities that own equipment, typically in a small region. Storage of customer records in cellular networks has been in a limited number of state-wide, and nation-wide wireless carriers that are usually well financed. ISPs are subject to limited government control in most jurisdictions, whereas wireless carriers are subject to approval by national government bodies prior to operation.
Summary of the Invention
A method of caching a Network Address Identifier (NAI), relating to a mobile station is disclosed. A wireless network node receives a NAI encoded in a packet. The wireless network node caches the NAI for retrieval in connection with mobile station data traffic. The wireless network node also encapsulates the NAI for use in communication with a packet data network.
An embodiment of the invention discloses a GPRS system having a wireless authenticator. The wireless authenticator may provide services to authenticate a mobile station to a local wireless system operator or to a remote wireless system operator. The wireless authenticator may receive messages that carry the International Mobile Station Identity (IMSI) of a mobile station. The wireless authenticator looks up in a database to see if there is a user identifier matching the IMSI. The user identifier may be used to provide identity information of the mobile station to a Remote Access Server (RAS) across a packet network. If there is a user identifier that corresponds to the IMSI, the user identifier is transmitted from the wireless authenticator to a wireless network node that is proximal to a gateway router. A tunnel, which may have security features, is formed between the gateway router and a RAS, if the operator of the mobile station requests connectivity to the RAS. The operator of the mobile station benefits in that when communications to the RAS begin, the wireless network node transparently provides sufficient identifying information to the RAS that the RAS need only query the user for a password to completely authenticate the user for access to services of the RAS. The wireless network node, in this case, is proximal to the gateway router.
Depending on the existence of an agreement between the wireless carrier and the RAS, or agreement by intermediary organizations or entities, there may be sufficient trust between the wireless network and the RAS to provide access to the RAS without need to challenge a user for a password. In such a situation, the knowledge by the RAS of the identity of the wireless network, and the user identifier provided through the wireless network, may be sufficient to remove all speed-bumps between a mobile subscriber and the data services provided by the RAS. In other words, it may be that a RAS will require neither a user identifier nor a password from the operator of a mobile station.
Another embodiment of the invention discloses a Terrestrial Trunked Radio (TETRA) system having a wireless authenticator. The wireless authenticator may provide services to authenticate a mobile station to a local wireless system operator or to a remote wireless system operator. The wireless authenticator may provide functionality of an Individual Subscriber Home Database (I-HDB). The wireless authenticator may receive messages that carry the Individual TETRA Subscriber Identity (ITSI) of a mobile station. The wireless authenticator looks up in a database to see if there is a matching Network Address Identity (NAI) or user identifier to the IMSI. The user identifier may be used to provide identity information of the mobile station to a Remote Access Server (RAS) across a packet network. If there is a user identifier that corresponds to the IMSI, the user identifier is transmitted from the wireless authenticator to a wireless network node that is proximal to a gateway router. A tunnel, which may have security features, is formed between the gateway router and a RAS, if the operator of the mobile station requests connectivity to the RAS. The operator of the mobile station benefits in that when communications to the RAS begin, the wireless network node transparently provides sufficient identifying information to the RAS that the RAS need only query the user for a password to completely authenticate the user for access to services of the RAS. In this case, the wireless network node is proximal to the gateway router.
Among the many advantages of the present invention, one or more of the disclosed embodiments provides a way to transmit a user ID, e.g. a Network Address Identifier, of a mobile station without the day-to-day conscious transmittal by the user of the mobile station.
Another advantage provided by one or more embodiments of the invention is the reduction of wireless airtime devoted to establishing identity of a mobile station to the satisfaction of a Remote Access Server (RAS), as compared to what occurs when a user of a mobile station transmits identity to the RAS or other network element of the Internet Service Provider (ISP) or Virtual Private Network (VPN).
Yet another advantage provided by one or more embodiments of the invention is that the loss of a mobile station does not render a user ID vulnerable to detection based on storage within the mobile station. The mobile station need not store the user ID, since the invention places responsibility for storage of the user ID on a typically fixed device, typically owned by the wireless system network operator. Thus an improved level of data security is achieved since one of the keys, or prerequisites to access, resides remote from the mobile station.
Yet another advantage provided by one or more embodiments of the invention is that a user of a mobile station is freed from the need to remember, key in correctly, and dispatch a user identifier to become authenticated to a packet data network provider, e.g. a TCP/IP service provider. This is in keeping with the usual service model of telephones, wherein seven keystrokes provide minimal access to the telephony network, and improved over many client-server applications that are served over the public internet under a subscription agreement. Of course, unlike the client-server application, the embodiments permit the flexibility of wireless communications integrated to the basic mobile station.
Brief Description of the Drawings
The disclosed inventions will be described with reference to the accompanying drawings, which show important sample embodiments of the invention, wherein:
Figure 1 depicts a block diagram of a dial-up connection of a roaming client to a home data network according to the prior art;
Figure 2 depicts a block diagram according to an embodiment of the invention of a mobile station communicating to a remote access server; and
Figure 3 depicts a block diagram according to an embodiment of the invention of a mobile station communicating with a remote access server through a Terrestrial Trunked Radio (TETRA) network.
Detailed Description of the Preferred Embodiments
The numerous innovative teachings of the present application will be described with particular reference to the presently preferred embodiment. However, it should be understood that this class of embodiments provides only a few examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily delimit any of the various claimed inventions. Moreover, some statements may apply to some inventive features but not to others.
Fig. 2 illustrates an embodiment of the invention for a mobile station 201 equipped to operate using packet radio. The mobile station 201 may use the signaling of General Packet Radio Service (GPRS) to establish connectivity to its local wireless carrier, e.g. the owner or operator of a wireless network. To operate properly, the mobile station must be provisioned in an authentication database of the wireless carrier for which a service contract is established. In the case of GPRS, such information is stored in the Home Location Register (HLR) 209. Among the functions of a HLR 209 is authenticating a communication from a mobile station bearing a unique identifier such as an International Mobile Subscriber Identity (IMSI), or a Mobile Identification Number (MIN). Consequently, the HLR 209 stores the unique identifier for each mobile station for which the wireless carrier has a service contract. Such information is stored in a storage device, which may be nonvolatile storage such as magnetic media. The authentication database, or modified HLR 209 of the embodiment of the invention, includes additional data, i.e. a relation of an IMSI to at least one unique identifier of a user for the packet data network, which may be a Network Address Identifier (NAI). Such a NAI has many features in common with IP e-mail addresses; for example, the NAI may be formed to use the domain name portion of an SMTP e-mail address. The authentication database 209 may distribute a NAI while the mobile station 201 operates in the coverage area of the wireless carrier, sometimes called a home cellular network 221. In addition, the HLR 209 may provide the NAI while the mobile station is roaming in a distant coverage area of a second wireless carrier, sometimes called a visited cellular network 223. The timing of messages that occur in the embodiment will now be discussed.
The embodiment uses GPRS messages, which are prior art, except that the messages are enhanced by the embodiment to carry the additional data shown in Table 1. The final row of Table 1 shows the additional parameter that is new with this embodiment. Some rows for the standard GPRS parameters are omitted for clarity in Table 1. The sequence of messages may be carried out in situations where the mobile has recently powered up; when handing over to a second cell in the network of the same wireless carrier; or when handing over to a second cell of a second wireless carrier. In Table 1, 'M' indicates mandatory fields; 'C' means conditional fields; 'O' is optional, at the discretion of the service provider; 'U' is optional, at the option of the service user; and '=' means the field in the previous or earlier message is copied.
TABLE 1
A mobile station 201 transmits an ATTACH_REQUEST message 251 packet according to GPRS. The ATTACH_REQUEST message 251 is addressed to a wireless network node known as the Serving GPRS Support Node (SGSN) 207. The ATTACH_REQUEST message 251 may be received and retransmitted by several intermediary wireless network nodes, such as a Base Transceiver Station (BTS) 203, and a Base Station Controller (BSC) 205. The ATTACH_REQUEST message 251 carries the mobile subscriber's International Mobile Subscriber Identity (IMSI) or other mobile subscriber identity. The SGSN 207 transmits a LOCATION_UPDATE message 252 to the Home Location Register (HLR) 209 of the wireless carrier that the mobile station 201 has a service contract with. The LOCATION_UPDATE message 252 contains the unique identifier of the mobile station, in the case of this embodiment, the IMSI. The embodiment of the invention uses a NAI retriever, that is, an improved HLR 209, so that the HLR looks up the correspondence of the IMSI to a NAI within a storage device located nearby. If a match is found, the HLR 209 sends the NAI embedded within an INSERT_SUBSCRIBER_DATA message 253, as formatted according to Table 1. Additional parameters may be embedded in the message 253. The SGSN 207 receives the message 253. The storage device may be a single disk drive housed within a cabinet, or it may be several disk drives housed in modular racks in a common building with a CPU of the authentication database 209.
The HLR, or other wireless network node, may support look-up of NAIs by storing, maintaining, retrieving and transmitting the data concerning correspondence of NAIs to unique mobile IDs. A HLR configured in such a way, i.e. populated with data showing mobile IDs matched to network address identifiers, is called a NAI retriever. Other wireless network nodes may operate as NAI retrievers in systems other than GPRS. The NAI retriever is essentially a networked database, which is used to provide identity data for granting of service to networks beyond the wireless network. The NAI retriever may be geographically remote from the mobile station. It may communicate securely to the SGSN. The NAI retriever may have a transceiver such as a 10-base-T transceiver to transmit packets onto a link to the packet data network. The transceiver may operate to receive packets routed to the NAI retriever. The transceiver may be a transceiver to transmit and receive electrical signals. The transceiver may be a transceiver to transmit and receive optical signals. A CPU operates to filter inputs appearing through the transceiver so that data may be stored or retrieved from a non-volatile storage. The NAI retriever's primary function is data storage and retrieval, as opposed to reception and routing of voice and data, which is the principal function of devices such as BTSs and BSCs, e.g. BTS 203, and BSC 205. It provides centralized storage with at least one storage device for all mobile stations for the wireless network it serves. By embedding HLR functionality and NAI retriever functionality into a single database, both wireless authentication data, and packet data network authentication data may be looked up by a single lookup in the database. Moreover, a responsive GPRS message from the HLR 209 may grant access for the wireless network, and operate to carry a user ID such as the NAI to a node such as the SGSN 207 for caching. 
The SGSN 207 of the embodiment may store or cache the NAI that matches the IMSI in local storage. Alternatively, the Gateway GPRS Support Node (GGSN) 211 may cache the NAI in a local storage device. Such storage may persist until the mobile is powered off, or leaves the vicinity of BTSs that are served by the SGSN 207. Storage of the NAI may be in locations of volatile memory, such as, e.g. RAM. Having stored the NAI, the SGSN 207 may send an ATTACH_ACCEPT 254 to the mobile station 201. Having stored the NAI, the SGSN 207 may forward data from the mobile station 201 to a RAS 213 via Gateway GPRS Support Node (GGSN) 211, wherein the GGSN encapsulates the data into packets that may carry the NAI to the RAS 213 across a packet data network. The GGSN may include a transceiver such as a 10-base-T transceiver to transmit packets onto a link to the packet data network. The packet data network may receive and forward packets according to internet protocols, or X.25 standards. The GGSN 211 may encapsulate by using Open System Interconnection (OSI) layer 2 tunneling, such as by L2TP or PPTP, or by using OSI layer 3 tunneling, e.g. IP Security (IPSEC). The GGSN 211 operates as a gateway router. A gateway router has physical connections to wireless network nodes, as well as to nodes not a part of the wireless network. The SGSN is proximal to the GGSN in that there are no intermediate packet routers between them. Further communications from the mobile subscriber to the packet data network, which bear the IMSI, may be converted at the SGSN or GGSN by encapsulating the data with the NAI previously obtained from the HLR. This may be done for as long as the NAI is cached. The fact that the NAI is cached in local storage permits the gateway router to locally look up the information concerning which NAI relates to which mobile station. This eliminates the need to frequently obtain the NAI across a series of links, which would be considered a remote look up. Furthermore, such a cache of NAIs in local storage reduces the size of the local database needed to list the NAIs for mobile stations that are served by the gateway router, and which are currently, or recently, active in the wireless network served by the gateway router.
Authentication of the mobile subscriber at the RAS may be accomplished based upon a NAI. One situation in which it is desirable to encapsulate the NAI in a packet traversing the tunnel from GGSN 211 to RAS 213 would be in an authentication protocol wherein the RAS challenges the mobile station 201 for a unique identifier. A RAS 213 could generate such a challenge upon receiving the first packet from the SGSN 207 that carries a NAI of the mobile subscriber 201. SGSN 207 may forward such a challenge message for transmission to the mobile subscriber 201. The mobile subscriber may respond with an appropriate password. Completed authentication between RAS 213 and mobile station 201 may occur when the response is carried to the RAS 213 encapsulated by the GGSN 211, and the RAS 213 or other supporting node confirms a good match with the records of the service provider, e.g. a virtual private network, or an internet service provider.
Because packets are encapsulated at the gateway router with a NAI, the GGSN does not need to cause additional network traffic to look up the NAI. This is because according to the embodiment, the NAI is cached locally, so that the GGSN may locally look up the NAI when a packet, bound for the public data network, needs the NAI, as would occur when tunneling.
The embodiment of the invention provides for enhancements to the INSERT_SUBSCRIBER_DATA message 253, wherein the enhancements change the message from how it is currently specified in ETS 300 974, "Digital Cellular Telecommunications System (Phase 2+); Mobile Application Part (MAP) specification", European Telecommunications Standards Institute (ETSI), August 1998. The embodiment of the invention provides for an additional payload space for the Network Address Identifier (NAI). The availability of a wireless data node, such as the HLR 209, configured to create and transmit such an enhanced message 253, and the availability of a SGSN 207 to receive and parse such a message, is helpful to the implementation of the embodiment. Such a reliance on a framework of messages largely specified in existing standards reduces the need to implement additional messages, with the attendant network signaling overhead.
In an alternative mobile environment, Terrestrial Trunked Radio mobile subscribers currently rely on the Individual TETRA Subscriber Identity (ITSI) for authentication between mobile station and wireless network. Like the GPRS embodiment, the TETRA-based embodiment uses an existing framework of wireless network nodes and messages. The TETRA-based embodiment provides enhancements to some nodes and messages to position a cache of mobile ID to NAIs at a wireless network node proximal to a gateway router.
Fig. 3 shows a wireless network according to TETRA. When a mobile subscriber transfers to another cell of a TETRA Switching and Mobility Infrastructure (SwMI) system, the mobile subscriber is said to be roaming. If the cell into which the mobile subscriber has moved is on a second SwMI 313, the mobile subscriber is said to have migrated. According to the embodiment, the databases of mobile IDs and NAIs may be stored in an Individual Subscriber Home Database (I-HDB). The I-HDB is a part of the home SwMI 317.
TETRA messaging formats are specified in ETSI standards, specifically ETS 300 392 3-5: Terrestrial Trunked Radio; Voice plus Data (V+D); Part 3: Interworking at Inter-System Interface (ISI); Sub-part 5: Additional Feature for Mobility Management (ANF-ISIMM).
The existing framework for authenticating a mobile subscriber by the wireless network, where the mobile subscriber has migrated from its home SwMI to a visited SwMI, comprises six messages:
1) U-LOCATION UPDATE DEMAND PDU 301;
2) Migration_request primitive 302;
3) Migration_indication primitive 303;
4) Migration_response primitive 304;
5) Migration_confirm primitive 305, or the proprietary information field Basic service profile;
6) D-LOCATION UPDATE ACCEPT PDU 306.
Fig. 3 shows the architecture of two TETRA SwMIs that support the NAI mapping of the present invention. Mobile station 311 initiates communication to a visited SwMI 313 using the U-LOCATION UPDATE DEMAND PDU 301. Visited SwMI 313 transmits the Migration_request primitive 302 to ANF-ISIMM 315. ANF-ISIMM 315 locates the Home SwMI 317 and generates a Migration_indication primitive 303 to the Home SwMI 317. The Home SwMI comprises at least one NAI retriever, in which data is stored such as the mobile user IDs, made up of ITSIs, and the corresponding NAIs where a mobile station subscribes to an ISP or VPN. The Home SwMI dispatches a Migration_response primitive 304 that carries the NAI, provided a NAI is found by the NAI retriever that matches the ITSI previously sent in the Migration_indication primitive 303. ANF-ISIMM retransmits the Migration_response primitive 304 as a Migration_confirm primitive 305, also carrying the NAI if it was available in the Migration_response primitive 304. The Visited SwMI 313 may store the NAI locally for the duration that the mobile station operates on the Visited SwMI network 313. Upon receipt of the Migration_confirm primitive 305, a wireless node in the visited SwMI 313 may cache the NAI. The wireless node may then encapsulate the NAI in a communication through the packet data network 321, and initiate a tunnel 323 to a RAS 325. Once the tunnel is established, RAS 325 may challenge the mobile subscriber for a password, which may be based on a NAI transmitted over the tunnel. Access to the home data network 327 may be granted based on the response from the mobile subscriber.
As with the GPRS embodiment, the NAI in the TETRA embodiment may be used to initiate tunneling to a RAS to which the mobile station 311 subscribes, either as an ISP or as a VPN provided service. The originating endpoint of the tunnel is on a wireless network node in the Visited SwMI. In the case that the mobile station has not migrated to a Visited SwMI, the NAI is stored within the Home SwMI while the mobile station operates on it.
The TETRA embodiment may be operated with enhanced primitives, wherein a field not specified by TETRA may be added to the Migration_response 304 and Migration_confirm 305 primitives for the intended purpose of carrying NAI data. Alternatively, there exists a proprietary information field in the TETRA-specified Migration_confirm 305 and Migration_response 304 primitives, which is large enough to carry most, if not all, conceivable NAIs.
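The migration exchange of Fig. 3 with the NAI carried on the response and confirm primitives, and the local caching at the visited-side gateway node that both the TETRA embodiment and the GGSN of the GPRS embodiment rely on, as an added example in Python that is not code from the patent; the ITSIs, NAIs, class names and the 7-digit ITSI-prefix convention used to locate the home SwMI are constructed for illustration.

```python
# Added example (not the patent's code): TETRA migration exchange of Fig. 3
# with the NAI piggybacked on response/confirm, plus the visited-side cache.
# All ITSIs, NAIs and the ITSI-prefix convention are constructed.
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Primitive:
    """One ANF-ISIMM primitive; `nai` models the proprietary information field."""
    name: str
    itsi: str
    nai: Optional[str] = None

class HomeSwMI:
    """Home SwMI with the I-HDB acting as NAI retriever (ITSI -> NAI)."""
    def __init__(self, ihdb: Dict[str, str]) -> None:
        self.ihdb = ihdb  # only ITSIs with an ISP/VPN subscription have a NAI

    def migration_indication(self, ind: Primitive) -> Primitive:
        # A NAI is returned only when one matches the ITSI that was sent.
        return Primitive("Migration_response", ind.itsi, self.ihdb.get(ind.itsi))

class AnfIsimm:
    """Locates the home SwMI; relays request->indication and response->confirm."""
    def __init__(self, homes: Dict[str, HomeSwMI]) -> None:
        self.homes = homes  # constructed convention: 7-digit ITSI prefix -> home

    def migration_request(self, req: Primitive) -> Primitive:
        home = self.homes[req.itsi[:7]]
        resp = home.migration_indication(Primitive("Migration_indication", req.itsi))
        return Primitive("Migration_confirm", resp.itsi, resp.nai)  # NAI copied over

class VisitedSwMI:
    """Visited-side gateway node: caches the NAI for the duration of the stay."""
    def __init__(self, anf: AnfIsimm) -> None:
        self.anf = anf
        self.cache: Dict[str, str] = {}

    def location_update_demand(self, itsi: str) -> Optional[str]:
        confirm = self.anf.migration_request(Primitive("Migration_request", itsi))
        if confirm.nai is not None:  # never cache an absent NAI
            self.cache[itsi] = confirm.nai
        return confirm.nai

    def packet_needs_nai(self, itsi: str) -> Optional[str]:
        # Local lookup only (e.g. for tunnel setup to the RAS); no home-SwMI signalling.
        return self.cache.get(itsi)

    def detach(self, itsi: str) -> None:
        self.cache.pop(itsi, None)  # entry must not outlive the mobile's stay
```

A subscriber without an ISP or VPN service gets no NAI back, so nothing is cached for it and later packets resolve to no NAI; when the mobile leaves the visited network the entry is evicted.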
As will be recognized by those skilled in the art, the innovative concepts described in the present application can be modified and varied over a range of applications, and accordingly the scope of patented subject matter is not limited by any of the specific exemplary teachings given. A NAI retriever may be implemented as a stand-alone database, which may operate as a common resource to supplement one or more HLRs (in the GPRS embodiment) or I-HDBs (in the TETRA embodiment). Queries to the NAI retriever may operate in parallel or in series with a query message sent to an HLR or I-HDB. Mobile stations may be large and heavy, and can be affixed to other things. Tunneling protocols may or may not implement data security functions.

Claims
What is claimed is:
1. A method for translating a network address identifier in a wireless network, wherein said network address identifier (NAI) corresponds to at least one mobile subscriber identity, comprising the steps of:
determining the network address identifier at a NAI retriever based on a mobile subscriber identity, said NAI retriever operatively coupled with a mobile station having the mobile subscriber identity;
sending the NAI from the NAI retriever to a gateway router operatively coupled with the mobile station;
receiving the NAI at the gateway router; and
storing the NAI at the gateway router such that the NAI may be locally looked up based on the mobile subscriber identity when a packet having the mobile subscriber identity arrives at the gateway router.
2. The method for translating of claim 1 and wherein said step of determining comprises the steps of:
receiving a packet at said NAI retriever, said NAI retriever includes a storage device; and
looking up in said storage device the network address identifier.
3. The method for translating of claim 1 wherein said step of sending comprises the steps of:
forming a packet including said at least one gateway address; and
transmitting the packet to said gateway router.
4. The method for translating of claim 1 wherein said step of storing comprises the steps of:
encapsulating the network address identifier in at least one data packet at the gateway router; and
transmitting the at least one data packet to a packet data network.
5. A system for translating a network address identifier (NAI) in a wireless network, said NAI corresponding to at least one mobile subscriber identity, comprising:
a NAI retriever for determining the NAI based on a mobile subscriber identity, said NAI retriever operatively coupled with a mobile station having the mobile subscriber identity;
a means for sending the NAI from the NAI retriever to a gateway router operatively coupled with the mobile station, said means operatively coupled to the NAI retriever;
a receiver for receiving the NAI at the gateway router;
a first storage device for storing the NAI such that the NAI may be locally looked up based on the mobile subscriber identity when a packet having the mobile subscriber identity arrives at the gateway router, said first storage device operatively coupled to the receiver.
6. The system for translating of claim 5 wherein said NAI retriever comprises:
a receiver for receiving a packet at the NAI retriever;
a second storage device operatively coupled to the receiver; and
a means for looking up in said second storage device the network address identifier.
7. The system for translating of claim 5 wherein said means for sending comprises:
a means for forming a packet including the at least one gateway address; and
a transceiver for transmitting the packet to the gateway router.
8. The system for translating of claim 5 wherein the first storage device comprises:
a means for encapsulating the network address identifier in at least one data packet at the gateway router; and
a transmitter for transmitting the at least one data packet to a packet data network.
PCT/US2001/014685 2000-05-05 2001-05-07 Method and apparatus for translating network address identifiers related to mobile stations WO2001086883A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001261239A AU2001261239A1 (en) 2000-05-05 2001-05-07 Method and apparatus for translating network address identifiers related to mobile stations

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US56589100A 2000-05-05 2000-05-05
US09/565,891 2000-05-05

Publications (2)

Publication Number Publication Date
WO2001086883A2 true WO2001086883A2 (en) 2001-11-15
WO2001086883A3 WO2001086883A3 (en) 2002-04-18

Family

ID=24260549

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/014685 WO2001086883A2 (en) 2000-05-05 2001-05-07 Method and apparatus for translating network address identifiers related to mobile stations

Country Status (2)

Country Link
AU (1) AU2001261239A1 (en)
WO (1) WO2001086883A2 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003081859A1 (en) * 2002-03-19 2003-10-02 Cisco Technology, Inc. Method and system for providing network services
US7209741B2 (en) * 2004-08-23 2007-04-24 Telefonaktiebolaget Lm Ericsson (Publ) Method of acquiring a mobile station identifier in a hybrid network
CN100420171C (en) * 2003-03-25 2008-09-17 华为技术有限公司 A method for user authentication using subscriber identity module information
EP1530883A4 (en) * 2002-08-13 2010-12-01 Thomson Licensing IDENTITY PROTECTION IN A UNIVERSAL LAN RADIO PHONE SYSTEM
CN102448185A (en) * 2010-09-30 2012-05-09 中国移动通信集团公司 Remote access method and equipment
CN103379592A (en) * 2012-04-28 2013-10-30 华为终端有限公司 Method and device for remotely accessing local network

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5159592A (en) * 1990-10-29 1992-10-27 International Business Machines Corporation Network address management for a wired network supporting wireless communication to a plurality of mobile users
US6822955B1 (en) * 1998-01-22 2004-11-23 Nortel Networks Limited Proxy server for TCP/IP network address portability
FI105966B (en) * 1998-07-07 2000-10-31 Nokia Networks Oy Authentication in a telecommunications network
CA2288347A1 (en) * 1998-11-06 2000-05-06 Nortel Networks Corporation System and method for mapping packet data functional entities to elements in a communication network
DE19922288A1 (en) * 1999-05-14 2000-11-23 Siemens Ag Arrangement for mobile communication

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003081859A1 (en) * 2002-03-19 2003-10-02 Cisco Technology, Inc. Method and system for providing network services
CN100405781C (en) * 2002-03-19 2008-07-23 思科技术公司 Method and system for providing network services
US8041819B1 (en) 2002-03-19 2011-10-18 Cisco Technology, Inc. Method and system for providing network services
EP1530883A4 (en) * 2002-08-13 2010-12-01 Thomson Licensing IDENTITY PROTECTION IN A UNIVERSAL LAN RADIO PHONE SYSTEM
CN100420171C (en) * 2003-03-25 2008-09-17 华为技术有限公司 A method for user authentication using subscriber identity module information
US7209741B2 (en) * 2004-08-23 2007-04-24 Telefonaktiebolaget Lm Ericsson (Publ) Method of acquiring a mobile station identifier in a hybrid network
CN102448185A (en) * 2010-09-30 2012-05-09 中国移动通信集团公司 Remote access method and equipment
CN103379592A (en) * 2012-04-28 2013-10-30 华为终端有限公司 Method and device for remotely accessing local network

Also Published As

Publication number Publication date
AU2001261239A1 (en) 2001-11-20
WO2001086883A3 (en) 2002-04-18

Similar Documents

Publication Publication Date Title
EP1693988B1 (en) A method of the subscriber terminal selecting the packet data gateway in the wireless local network
US8233934B2 (en) Method and system for providing access via a first network to a service of a second network
EP1330073B1 (en) Method and apparatus for access control of a wireless terminal device in a communications network
EP2403283B1 (en) Improved subscriber authentication for unlicensed mobile access signaling
US7542455B2 (en) Unlicensed mobile access (UMA) communications using decentralized security gateway
US7706788B2 (en) Method for network selection in communication networks, related network and computer program product therefor
JP3984993B2 (en) Method and system for establishing a connection through an access network
US7454207B2 (en) Service access control interface for an unlicensed wireless communication system
EP1842353B1 (en) Method for selecting an access point name (apn) for a mobile terminal in a packet switched telecommunications network
US20060223498A1 (en) Service access control interface for an unlicensed wireless communication system
WO2001039526A1 (en) Method and apparatus for performing bearer independent wireless application service provisioning
JP2004507973A (en) Generic WLAN architecture
EP1967032A1 (en) Prioritized network access for wireless access networks
EP1602200B1 (en) Wlan tight coupling solution
US20080132207A1 (en) Service access control interface for an unlicensed wireless communication system
WO2001086883A2 (en) Method and apparatus for translating network address identifiers related to mobile stations
US20020042820A1 (en) Method of establishing access from a terminal to a server
CN100450110C (en) System and method for short message intercommunication between IP access network and mobile network
HK1080248B (en) Method and system for providing access via a first network to a service of a second network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP