
WO2012095179A1 - External authentication support over untrusted access - Google Patents


Info

Publication number
WO2012095179A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
user equipment
network
authenticating
packet data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP2011/050424
Other languages
French (fr)
Inventor
Jouni Korhonen
Anders Jan Olof Kall
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Solutions and Networks Oy
Original Assignee
Nokia Siemens Networks Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Siemens Networks Oy
Priority to PCT/EP2011/050424
Publication of WO2012095179A1
Anticipated expiration
Current legal status: Ceased

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L 12/462 LAN interconnection over a bridge based backbone
    • H04L 12/4625 Single bridge functionality, e.g. connection of two networks over a single bridge
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W 12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W 12/0431 Key distribution or pre-distribution; Key agreement
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/2803 Home automation networks
    • H04L 12/2823 Reporting information sensed by appliance or service execution status of appliance services in a home automation network
    • H04L 12/2825 Reporting to a device located outside the home and the home network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/02 Terminal devices

Definitions

  • the present invention relates to an external authentication support over untrusted access. More specifically, the present invention relates supporting an authentication to an external packet data network over an untrusted access network.
  • the present specification basically relates to a scenario in which a user equipment (UE) has subscriptions to multiple networks.
  • the present specification relates to a 3GPP (Third Generation Partnership Project) Evolved Packet System (EPS), particularly to a scenario in which a user equipment (UE) is connected to an EPC (Evolved Packet Core) as well as an external PDN (Packet Data Network) via an untrusted non-3GPP (e.g. WLAN (Wireless Local Area Network)) access network.
  • 3GPP Third Generation Partnership Project
  • EPC Evolved Packet Core
  • PDN Packet Data Network
  • WLAN Wireless Local Area Network
  • the UE When a UE has subscriptions to multiple PDNs, including so-called external PDNs (i.e. PDNs which are not providing the connectivity for the UE but e.g. a specific service), the UE needs to be authenticated by all of the subscribed PDNs such as e.g. the EPC and the external PDN.
  • PDNs which are not providing the connectivity for the UE but e.g. a specific service
  • the external authentication requires the exchange of
  • AAA Authentication, Authorization, accounting
  • authentication with external PDNs depends on the kind of access or access network via which the UE connects to the EPS .
  • authentication with external networks is specified in 3GPP TS 23.402.
  • authentication with external networks is specified in 3GPP TS 23.401.
  • Protocol Configuration Options (PCO) information elements are specified, which can be used to carry user credentials between the UE and the core network when the UE is attached to a 3GPP access network.
  • the user credentials are e.g. user name and user password within PAP or CHAP parameters (PAP: Password Authentication Protocol, CHAP: Challenge-Handshake Authentication Protocol).
  • PAP Password Authentication Protocol
  • CHAP Challenge-Handshake Authentication Protocol
  • External PDN may belong to the same operator or may be some other network.
  • the external PDN may also belong to a service provider having a Radius or Diameter AAA server, and both the authentication with the 3GPP network (e.g. the EPC) and with the external network are (U)SIM based ((U)SIM: (Universal) Subscriber Identity Module).
  • Cooperate access networks can have their own Radius or Diameter AAA server (and/or an L2TP (Layer 2 Tunneling Protocol) Network Server (LNS)), and in such case first the authentication is initiated with the 3GPP network (e.g. the EPC) and then, in parallel, there is authentication with the Cooperate AAA server.
  • L2TP Layer 2 Tunneling Protocol
  • Packet Data Gateway is the end-point of the IPSec tunnel.
  • the mechanisms in 3GPP TS 33.234 are based on RFC4739
  • user credentials i.e. the user name and/or user password, in the PAP procedure.
  • the PDG sends an EAP MD5-challenge request to the WLAN UE for the next authentication and the UE returns an EAP MD5-Challenge response to the PDG (EAP: Extensible Authentication
  • the I-WLAN case mainly differs from EPC non-3GPP access in that for I-WLAN terminals the access to the (external) PDN is provided directly by the PDG (Packet Data Gateway) but in EPS the access to the (external) PDN must go from ePDG via the PGW (PDN Gateway), i.e. the security and PDN interface functions are separated.
  • PDG Packet Data Gateway
  • PGW PDN Gateway
  • the ePDG in the EPC non-3GPP access case has no such connectivity to the AAA server of the (external) PDN.
  • the ePDG is not the
  • terminating node of an access point name but rather acts as an intermediate hop and, possibly, as an EAP
  • the ePDG needs to forward the authentication information (which is typically configured on an APN basis) to the PGW, and the PGW is to contact the external AAA server as it does when another type of access network is used.
  • Any APN is typically configured on an APN basis
  • Embodiments of the present invention aim at addressing at least part of the above issues and/or problems.
  • Embodiments of the present invention are made to provide for mechanisms for an external authentication support over untrusted access, i.e. for supporting an authentication to an external packet data network over an untrusted access
  • a method comprising receiving an authentication request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, and authenticating the user equipment towards the communication network using authentication data for authenticating the user equipment towards the communication network, including requesting and receiving the authentication data for
  • the method further comprises, after authentication of the user equipment towards the communication network, receiving an authentication request for authenticating the user
  • authentication data for authenticating the user equipment towards the packet data network requested and received during authentication of the user equipment towards the
  • the authentication request is an authentication request according to a key information exchange mechanism used across the unsecured access network
  • the authentication of the user equipment is performed according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
  • authentication data for authenticating the user equipment towards the packet data network is requested and received from an authentication server of the communication network, and/or
  • the method is operable at or by an evolved packet data gateway of the communication network.
  • a method comprising receiving a request for authenticating a user equipment towards a
  • authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network, retrieving the authentication data for authenticating the user equipment towards the
  • the retrieving comprises fetching the authentication data from a local storage and/or requesting and receiving the authentication data from a home subscription database at a home subscriber server or home location register,
  • the authentication data for authenticating the user equipment towards the packet data network is provided after authentication of the user equipment towards the
  • the authentication request is an authentication request according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
  • the authentication of the user equipment is performed according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
  • the method is operable at or by an authentication server of the communication network.
  • a method comprising storing a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards a communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
  • the method further comprises receiving a request for the authentication data for authenticating the user equipment towards the communication network together with the
  • the method further comprises providing the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network,
  • the method is operable at or by a home subscriber server or home location register of the communication network.
  • an apparatus comprising an interface configured to receive an authentication request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, and a processor configured to authenticate the user equipment towards the communication network using authentication data for authenticating the user equipment towards the communication network, wherein the processor, for authenticating the user equipment towards the communication network, is configured to request and receive, via the interface, the authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user
  • the interface is configured to receive an authentication request for authenticating the user
  • the processor is configured to authenticate the user equipment towards the packet data network using the authentication data for authenticating the user equipment towards the packet data network requested and received during authentication of the user equipment towards the communication network,
  • the authentication request is an authentication request according to a key information exchange mechanism used across the unsecured access network
  • the processor is configured to perform the authentication of the user equipment according to one of a challenge- handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
  • the processor is configured to perform the authentication of the user equipment in collaboration with an authentication server of the communication network
  • the processor and/or the interface is configured to request and receive the authentication data for
  • the apparatus is operable as or at an evolved packet data gateway of the communication network.
  • an apparatus comprising an interface configured to receive a request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, said request including a request for
  • authentication data for authenticating the user equipment towards a packet data network external to the communication network, and a processor configured to retrieve the
  • authentication data for authenticating the user equipment towards the packet data network and to provide, via the interface, the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network.
  • the processor for retrieving, is configured to fetch the authentication data from a local storage and/or request and receive, via the interface, the authentication data from a home subscription database at a home subscriber server or home location register,
  • the processor is configured to provide the authentication data for authenticating the user equipment towards the packet data network after authentication of the user equipment towards the communication network,
  • the authentication request is an authentication request according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
  • the processor is configured to perform the authentication of the user equipment according to one of a challenge- handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
  • the processor is configured to perform the authentication of the user equipment in collaboration with an evolved packet data gateway of the communication network
  • the processor and/or the interface is configured to receive the request from and provide the authentication data for authenticating the user equipment towards the
  • the communication network and/or - the apparatus is operable as or at an authentication server of the communication network.
  • an apparatus comprising a memory configured to store a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards a communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
  • the apparatus further comprises an interface configured to receive a request for the authentication data for
  • the apparatus further comprises a processor configured to provide, via the interface, the authentication data for authenticating the user equipment towards the communication network together with the authentication data for
  • the processor and/or the interface is configured to receive the request from and provide the authentication data for authenticating the user equipment towards the
  • the apparatus is operable as or at a home subscriber server or home location register of the communication
  • a computer program product including a program comprising software code portions being arranged, when run on a processor of an apparatus (such as e.g. according to the above fourth aspect and/or developments or modifications thereof), to perform the method according to the above first aspect and/or developments or modifications thereof.
  • a computer program product including a program comprising software code portions being arranged, when run on a processor of an apparatus (such as e.g. according to the above fifth aspect and/or developments or modifications thereof), to perform the method according to the above second aspect and/or developments or modifications thereof.
  • a computer program product including a program comprising software code portions being arranged, when run on a processor of an apparatus (such as e.g. according to the above sixth aspect and/or developments or modifications thereof), to perform the method according to the above third aspect and/or developments or modifications thereof.
  • the computer program product according to the seventh, eighth or ninth aspect comprises a computer-readable medium on which the software code portions are stored, and/or the program is directly loadable into a memory of the processor.
  • authenticating the user equipment towards the packet data network include at least one of user credential data for authentication towards the packet data network, one or more supported authentication methods towards the packet data network, an order of proposed application of authentication methods when multiple authentication methods are supported, contact information for contacting an authentication server of the packet data network, and application information for applying a selected authentication method for authenticating the user equipment towards the packet data network.
  • the unsecured access network is an internet protocol and/or non-3GPP network, and/or the
  • communication network is an evolved packet core and/or 3GPP network, and/or the packet data network is an internet protocol and/or wireless local area network.
  • an evolved gateway apparatus such as an ePDG gets to know the required authentication data (such as e.g. user credential data and authentication methods) to be used when authenticating a UE's access to an external network via an untrusted access network.
  • this information for an authentication towards the external network is brought to the evolved gateway apparatus such as an ePDG during a first authentication towards an evolved packet core when the UE authenticates towards the EPC.
  • an evolved gateway apparatus such as an ePDG performs authentication of a UE's access via an untrusted access network towards an external network.
  • the evolved gateway apparatus such as an ePDG uses respective information received during a preceding authentication of the UE's access via an untrusted access network towards an evolved packet core.
  • Figures 1 and 2 show schematic diagrams illustrating
  • Figure 3 shows a signaling diagram illustrating an exemplary procedure according to embodiments of the present invention
  • Figures 4 and 5 show signaling diagrams illustrating
  • Figure 6 shows a block diagram illustrating exemplary devices according to embodiments of the present invention.
  • Detailed description of embodiments of the present invention
  • the EPS context with an (internal) EPC and an external PDN being accessible by a UE via an untrusted (non-3GPP) access network is used as a non-limiting example for the applicability of thus described exemplary embodiments.
  • embodiments of the present invention may be applicable for/in any kind of modern and future communication network including any conceivable mobile/wireless
  • an authentication of a user equipment (or the user thereof) towards a network is construed to be equivalent to an authentication of/for an access of the user equipment (or the user thereof) to/for the respective network (e.g. EPC, PDN).
  • FIGS. 1 and 2 show schematic diagrams illustrating
  • a user equipment such as a WLAN UE
  • a WLAN UE may be attached to an untrusted non-3GPP access network via which it is connected to an evolved packet core (EPC) and an external packet data network (PDN).
  • EPC evolved packet core
  • PDN packet data network
  • the EPC and the external PDN (sometimes only referred to as PDN hereinafter) are linked via a PDN Gateway (PGW).
  • PGW PDN Gateway
  • the most relevant network entities in the EPC are the ePDG, the 3GPP AAA server as well as the HSS (Home Subscriber)
  • reference points or interfaces SWm and SWx are particularly addressed in the following.
  • the ePDG of an EPS/EPC does not have any connectivity to an external AAA server of the external PDN.
  • Figure 3 shows a signaling diagram illustrating an exemplary procedure according to embodiments of the present invention.
  • optional operations are indicated by use of dashed blocks and/or dotted arrows.
  • the exemplary procedure according to Figure 3 may, for example, be performed by or at a system comprising an
  • EPC/3GPP gateway apparatus such as an ePDG
  • EPC/3GPP authentication apparatus such as a 3GPP AAA server
  • EPC/3GPP subscription apparatus such as a HSS/HLR
  • the gateway apparatus may be operative for receiving, from the user equipment, an authentication request for authenticating the user equipment towards the EPC, i.e. the communication network providing connectivity for the user equipment across an unsecured access network, and for
  • the gateway apparatus according to
  • embodiments of the present invention may be operative for requesting and receiving, from the authentication apparatus according to embodiments of the present invention, the authentication data for authenticating the user equipment towards the communication EPC together with authentication data for authenticating the user equipment towards the external PDN.
  • the gateway apparatus according to embodiments of the present invention may be operative for, after having authenticated the user equipment towards the EPC, receiving, from the user equipment, an authentication request for authenticating the user equipment towards the external PDN, and for authenticating the user equipment towards the external PDN using the relevant authentication data previously received during the authentication of the user equipment towards the EPC.
  • the authentication apparatus according to embodiments of the present invention may be operative for receiving, from the gateway apparatus according to
  • the authentication apparatus may comprise a (local) fetching thereof from a local storage at the authentication apparatus, which is applicable when the authentication data have already been made available
  • the subscription apparatus may be operative for storing a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards the EPC together with authentication data for authenticating the user equipment towards the external PDN.
  • a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards the EPC together with authentication data for authenticating the user equipment towards the external PDN.
  • the two types of authentication data relating to EPC and external PDN in the subscription profile of a corresponding user equipment
  • a gateway apparatus is enabled to use the SWm interface to request from an authentication apparatus (3GPP AAA server) the authentication data to be used for authenticating the UE's access to the external PDN when authenticating the UE's access to the 3GPP EPC.
  • the authentication apparatus (3GPP AAA server) is enabled to retrieve them and to provide the authentication data to be used for authenticating the UE's access to the external PDN when authenticating the UE's access to the 3GPP EPC.
  • a subscription apparatus HSS/HLR
  • HSS/HLR is enabled to store both authentication data for authenticating the UE's access to the external PDN and to the 3GPP EPC along with each other and to provide them accordingly to the authentication
  • the functionality of the SWm interface and its endpoints, i.e. the ePDG and the 3GPP AAA server/HSS/HLR, is enhanced.
  • the authentication data for the UE accessing an external packet data network is stored in the HSS/HLR together/along with the authentication data for the UE accessing an (internal) communication network
  • the SWm interface is enhanced to carry such two types of authentication data between the 3GPP AAA Server/HSS/HLR together/along with each other in the context of authentication of the UE towards the (internal) communication network.
  • the gateway apparatus ePDG does not need to be e.g. preconfigured to know
  • authentication data e.g. user credentials and
  • the authentication data e.g. user credentials and
  • the authentication data for external packet data networks is added to a
  • such enhanced subscription profiles and a correspondingly enhanced home subscription database at the subscription apparatus are utilized for supporting an authentication to an external packet data network over an untrusted access network.
  • authentication data comprise user credential data and/or required/supported authentication methods for the respective authentication, i.e. towards EPC or external PDN.
  • the gateway apparatus (ePDG) in a first authentication round relating to the EPC.
  • the gateway apparatus is specifically configured for an exchange of authentication protocol information between a user equipment (UE) and the gateway apparatus (ePDG).
  • UE user equipment
  • ePDG gateway apparatus
  • the gateway apparatus is configured to receive authentication protocol information from a user equipment, process the received authentication protocol information according to the relevant authentication protocol, and send such processed authentication protocol information to the user equipment.
  • protocol information may be PAP and/or CHAP information, and the exchange between UE and ePDG may be such as defined in 3GPP TS 33.234 between UE and PDG.
  • the authentication data relating to the external PDN, i.e. the additional information elements in the home subscription database and on the SWm interface, may include one or more of the following:
  • PAP may be implemented as EAP-GTC methods and CHAP may be implemented as EAP-MD5 methods
  • authentication method for authenticating the user equipment towards the external PDN i.e. any information that might be needed to utilize the selected authentication method in the context of RFC4739 and/or 3GPP 33.234.
  • a gateway apparatus such as an ePDG
  • ePDG may be configured to act as described in connection with Figure 3 above and, in addition, to handle extensions to the authentication procedure between the UE and ePDG (i.e. the IKEv2 protocol), i.e. to translate PCO
  • the ePDG may act as the final network receiver of PCO information included in IKEv2 signaling, as described in the referenced PCT application, and use such PCO information together with the authentication data (e.g. user credential data and/or required/supported authentication method(s)) received from the 3GPP AAA server, as described herein.
  • the authentication data e.g. user credential data and/or required/supported authentication method(s)
  • a gateway apparatus such as an ePDG
  • the present invention may be configured to receive an authentication request of a key information exchange mechanism used across an unsecure internet protocol network, wherein the authentication request is for authenticating a user equipment by a communications network providing connectivity for the user equipment and includes a configuration parameter for a protocol
  • the apparatus may be configured to send the binding update request to a gateway apparatus for the packet data network. Still further, the apparatus may be configured to receive a binding update response from the gateway apparatus, which includes an information element of the protocol
  • configuration option in which authentication response data according to the authentication protocol between the user equipment and the packet data network is encoded may be configured to include the information element in a configuration parameter for the protocol
  • the binding update response may include an internet protocol address allocated for the user equipment, and/or the binding update response may include an indication that an internet protocol address currently used for setting up a binding according to a mobility protocol of the user equipment is not an address allocated for the user equipment, and the apparatus may be configured to inhibit forwarding the internet protocol address to the user equipment. Still further, the apparatus may be configured to receive a further binding update
  • FIGS. 4 and 5 show signaling diagrams illustrating
  • Figure 4 illustrates an exemplary authentication and authorization procedure for a private network access using a CHAP procedure
  • Figure 5 illustrates an exemplary authentication and authorization procedure for a private network access using a CHAP procedure
  • any authentication protocol applicable in the context of EPS and UE authentication towards an external PDN via an untrusted access may be applied according to
  • the WLAN UE and the ePDG exchange a first pair of messages, known as IKE_SA_INIT, in which the ePDG and the WLAN UE negotiate cryptographic algorithms, exchange nonces and perform a Diffie-Hellman exchange.
  • IKE_SA_INIT a first pair of messages, known as IKE_SA_INIT
  • the ePDG and the WLAN UE negotiate cryptographic algorithms, exchange nonces and perform a Diffie-Hellman exchange.
  • the ePDG indicates that multiple authentications are supported.
  • the WLAN UE sends the user identity (in the Idi payload) and the W-APN information (in the Idr payload) in this first message of the IKE_AUTH phase, and begins negotiation of child security associations.
  • the UE also indicates that multiple authentications are supported.
  • the ePDG receives user credentials and supported authentication methods for second phase authentication, with the details thereof being illustrated in Figure 5.
  • the ePDG initiates the authentication of the UE for EPC access and receives
  • the ePDG may request both authentication data for authentication towards EPC and external PDN in the request for authentication towards the EPC in step 3.
  • the 3GPP AAA server fetches the user subscription profile of the WLAN UE and the authentication vectors either locally or, if these parameters are not locally available, from the 3GPP HSS/HLR.
  • all checks for the UE authentication towards the EPC are successful, the 3GPP AAA server sends the authentication answer including an EAP success and the key material relating to both EPC and
  • the 3GPP AAA server also includes the supported authentication methods per APN and other required information/credentials to complete the second round authentication towards the external PDN.
  • the 3GPP AAA server may also provide information to populate User-Name and User-Password attributes/AVPs (AVP: attribute value pair) properly if those are not available depending on the authentication method used.
  • the ePDG completes the authentication of the UE for EPC access, i.e. the first authentication round.
  • step 12, i.e. after successful authentication of the UE towards the EPC, the ePDG receives an authentication request for UE authentication towards the external PDN.
  • step 17 uses the previously
  • the ePDG handles the accounting for the UE's access to the external PDN with the 3GPP AAA server or the PGW (not shown). This is because the ePDG lacks connectivity to the external AAA server.
  • the involvement of the 3GPP AAA server or the PGW is optional and equivalent, and may depend on deployment-specific issues between a mobile operator and an external PDN provider.
  • steps 21 to 23 according to Figure 4 are similar to known procedures, such as those known from 3GPP TS 33.234.
  • embodiments of the present invention are associated with steps 3 and 9 as well as steps 12, 17, 19 and 20. Yet, it is to be noted that such arrangement is merely for illustrative purposes, and specific features of embodiments of the present invention may equally be associated with other steps and/or in-between the steps according to Figures 4 and 5. For
  • the 3GPP AAA Server may deliver the information needed for UE authentication towards the external PDN to the ePDG also in some earlier signaling message than in step 9, e.g. in step 5.
  • the solid line blocks are basically configured to perform respective operations as described above.
  • the entirety of solid line blocks are basically configured to perform the methods and operations as described above, respectively.
  • the individual blocks are meant to illustrate respective functional blocks implementing a respective function, process or procedure, respectively.
  • Such functional blocks are implementation-independent, i.e. may be
  • memories are provided for storing programs or program instructions for controlling the individual functional entities to operate as described herein.
  • Figure 6 shows a block diagram illustrating exemplary devices according to embodiments of the present invention.
  • the thus described apparatuses 10, 20 and 30 are suitable for use in practicing the exemplary embodiments of the present invention, as described herein.
  • the thus described apparatus 10 on the left hand side may represent a (part of a) gateway apparatus base such as an ePDG, as described above, and may be configured to perform a procedure and/or exhibit a functionality as described in conjunction with the gateway apparatus and/or ePDG of
  • the thus described apparatus 20 in the middle may represent a (part of an) authentication apparatus such as an (internal) AAA server, as described above, and may be configured to perform a procedure and/or exhibit a functionality as described in conjunction with the authentication apparatus and/or 3GPP AAA server according to any one of Figures 3 to 5.
  • the thus described apparatus 30 on the right hand side may represent a (part of a) subscription apparatus such as a HSS and/or HLR, as described above, and may be configured to perform a procedure and/or exhibit a functionality as described in conjunction with the subscription apparatus and/or HSS/HLR according to any one of Figures 3 to 5. As shown in Fig.
  • a gateway apparatus 10 which may comprise an ePDG comprises a processor 11, a memory 12 and an interface 13 which are connected by a bus 14 or the like.
  • An authentication apparatus 20 which may comprise a 3GPP AAA server comprises a processor 21, a memory 22 and an interface 23 which are connected by a bus 24 or the like.
  • the subscription apparatus 30 which may comprise a HSS/HLR comprises a processor 31, a memory 32 and an interface 33 which are connected by a bus 34 or the like.
  • the gateway apparatus 10 may be connected with a user equipment through a link or connection 16 which may comprise an SWn or SWu interface, the gateway apparatus 10 may be connected with the authentication apparatus 20 through a link or connection 17 which may comprise an SWm interface, and the authentication apparatus 20 may be connected with the subscription apparatus 30 through a link or connection 18 which may comprise an SWx interface.
  • the memories 12, 22 and 32 may store respective programs assumed to include program instructions that, when executed by the associated processors 11, 21 and 31, enable the electronic device to operate in accordance with the exemplary embodiments of this invention.
  • the processors 11, 21 and 31 may also include a modem to facilitate communication over the (hardwire or wireless) links 16, 17 and 18 via the interfaces 13, 23, and 33.
  • the interfaces 13, 23 and 33 may further include a suitable transceiver coupled to one or more
  • the respective devices may represent means for performing respective operations and/or exhibiting respective functionalities, and/or the respective devices (and/or parts thereof) may have functions for performing respective operations and/or
  • the interface 13 may be configured to receive an authentication request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, and the
  • processor 11 may be configured to authenticate the user equipment towards the communication network using
  • the processor 11, for authenticating the user equipment towards the communication network, may be configured to request and receive, via the interface 13, the authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network. Also, the apparatus 10 may be
  • the interface 13 may be configured to receive an authentication request for authenticating the user equipment towards the packet data network across the unsecured access network, and the
  • processor 11 may be configured to authenticate the user equipment towards the packet data network using the
  • authentication data for authenticating the user equipment towards the packet data network requested and received during authentication of the user equipment towards the
  • the memory 12 may be configured to store the thus received authentication data for later use.
  • the interface 23 may be configured to receive a request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, said request including a request for authentication data for authenticating the user equipment towards the communication network together with
  • the processor 21 may be configured to retrieve the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network, and to provide, via the interface 23, the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network.
  • the processor 21, for retrieving may be configured to fetch the authentication data from a local storage and/or request and receive, via the interface, the authentication data from a home subscription database at a home subscriber server or home location
  • the processor 21 may be configured to provide the authentication data for
  • the memory 22 may be configured to store the respective authentication data for later use.
  • the memory 32 may be configured to store a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards a communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
  • the interface 33 may be configured to receive a request for the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network.
  • the processor 31 may be configured to provide, via the interface 33, the authentication data for
  • the exemplary embodiments of this invention may be implemented by computer software stored in the memories 12, 22 and 32 and executable by the processors 11, 21 and 31, or by hardware, or by a combination of software and/or firmware and hardware in any or all of the devices shown.
  • the memories 12, 22 and 32 may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory.
  • the processors 11, 21 and 31 may be of any type suitable to the local technical environment, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on a multi core processor architecture, as non limiting examples.
  • Embodiments of the inventions may be practiced in various components such as integrated circuit modules.
  • the design of integrated circuits is by and large a highly automated process. Complex and powerful software tools are available for converting a logic level design into a semiconductor circuit design ready to be etched and formed on a
  • a system may comprise any conceivable combination of the thus depicted apparatuses (such as one or more
  • terminals and associated one or more network entities such as base stations or home base stations.
  • respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts.
  • the mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
  • any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention.
  • Such software may be software code
  • Such hardware may be hardware type independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS (Metal Oxide Semiconductor), CMOS (Complementary MOS), BiMOS (Bipolar MOS), BiCMOS (Bipolar CMOS), ECL (Emitter Coupled Logic), TTL (Transistor-Transistor Logic), etc., using for example ASIC (Application Specific IC (Integrated Circuit)) components, FPGA (Field-programmable Gate Arrays) components, CPLD (Complex Programmable Logic Device)
  • An apparatus may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of an apparatus or module, instead of being hardware implemented, be implemented as software in a
  • a device may be regarded as an apparatus or as an assembly of more than one apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
  • Devices and means can be implemented as individual devices, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person.
  • Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code
  • the present invention also covers any conceivable combination of method steps and operations described above, and any conceivable combination of nodes, apparatuses, modules or elements described above, as long as the above-described concepts of methodology and structural arrangement are applicable.
  • measures for supporting an authentication to an external packet data network over an untrusted access network exemplarily comprising requesting and/or providing
  • said measure may exemplarily comprise a subscription profile containing authentication data for authenticating the user equipment towards the communication network together with
  • the present invention and/or exemplary embodiments thereof are attractive from a network implementation point of view, especially for specifications such as e.g. 3GPP Rel-9/10 standards and beyond.
  • the present invention and/or exemplary embodiments thereof are particularly effective for external PDN (access) authentication, especially but not exclusively on the basis of the concepts according to RFC4739.
  • the present invention and/or exemplary embodiments thereof are particularly effective in a network or system environment in which both (untrusted) non-3GPP access with a corresponding ePDG and I-WLAN interworking with a corresponding PDG are implemented. In such network or system environment, the unified approach regarding authentication procedures for/at PDG and ePDG according to embodiments of the present

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

There are provided measures for supporting an authentication to an external packet data network over an untrusted access network, said measures exemplarily comprising requesting and/or providing authentication data for authenticating a user equipment towards a communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network when the user equipment is authenticated towards the communication network providing connectivity for the user equipment across an unsecured access network. Further, said measure may exemplarily comprise a subscription profile containing authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards the packet data network. Said measures may exemplarily be applied in an evolved packet system.

Description

Title: External authentication support over untrusted access
Field of the invention
The present invention relates to external authentication support over untrusted access. More specifically, the present invention relates to supporting an authentication to an external packet data network over an untrusted access network.
Background of the invention
The present specification basically relates to a scenario in which a user equipment (UE) has subscriptions to multiple networks. Specifically, the present specification relates to a 3GPP (Third Generation Partnership Project) Evolved Packet System (EPS), particularly to a scenario in which a UE is connected to an EPC (Evolved Packet Core) as well as an external PDN (Packet Data Network) via an untrusted non-3GPP (e.g. WLAN (Wireless Local Area Network)) access network.
When a UE has subscriptions to multiple PDNs, including so-called external PDNs (i.e. PDNs which do not provide the connectivity for the UE but e.g. a specific service), the UE needs to be authenticated by all of the subscribed PDNs, such as e.g. the EPC and the external PDN.
The external authentication requires the exchange of authentication information between the UE and the external AAA server, i.e. the AAA server of the external network (AAA: Authentication, Authorization, Accounting). The authentication with external PDNs depends on the kind of access or access network via which the UE connects to the EPS. When the UE is attached to a trusted non-3GPP access network, authentication with external networks is specified in 3GPP TS 23.402. When the UE is attached to a 3GPP access network, authentication with external networks is specified in 3GPP TS 23.401.
For this purpose, Protocol Configuration Options (PCO) information elements are specified, which can be used to carry user credentials between the UE and the core network when the UE is attached to a 3GPP access network. The user credentials are e.g. user name and user password within PAP or CHAP parameters (PAP: Password Authentication Protocol, CHAP: Challenge-Handshake Authentication Protocol). The external PDN may belong to the same operator or may be some other network. The external PDN may also belong to a service provider having a RADIUS or Diameter AAA server, and both the authentication with the 3GPP network (e.g. the EPC) and with the external network are (U)SIM based ((U)SIM: (Universal) Subscriber Identity Module). Corporate access networks can have their own RADIUS or Diameter AAA server (and/or an L2TP (Layer 2 Tunneling Protocol) Network Server (LNS)), and in such case the authentication is first initiated with the 3GPP network (e.g. the EPC) and then, in parallel, there is authentication with the corporate AAA server.
These mechanisms are not applicable for UEs in the EPS which are attached to untrusted non-3GPP access networks, as assumed in the present specification. When a UE is connected to the EPC via an untrusted non-3GPP access network, there is an IPsec tunnel between the UE and the 3GPP network to establish a secure communication. The endpoint of the IPsec tunnel at the side of the 3GPP network is the ePDG (evolved Packet Data Gateway). In 3GPP TS 33.234, it is specified that IKEv2 (Internet Key Exchange version 2) is used between the UE and the ePDG to establish the IPsec tunnel. In 3GPP TS 33.234 several mechanisms are specified for how to authenticate I-WLAN (Interworking WLAN) UEs with external networks. In the I-WLAN architecture (without EPC) the PDG (Packet Data Gateway) is the end-point of the IPsec tunnel. The mechanisms in 3GPP TS 33.234 are based on RFC 4739, which defines multiple authentication exchanges in the IKEv2 protocol, i.e. when setting up an IKEv2 security association, wherein the backend authentication servers may belong to different administrative domains. For example, when the PDG is used it is specified that user credentials, i.e. the user name and/or user password, in the PAP procedure are transported between the UE and the PDG using EAP-GTC Request/Response, while, in the CHAP procedure, the PDG sends an EAP MD5-Challenge request to the WLAN UE for the next authentication and the UE returns an EAP MD5-Challenge response to the PDG (EAP: Extensible Authentication Protocol).
The I-WLAN case mainly differs from EPC non-3GPP access in that for I-WLAN terminals the access to the (external) PDN is provided directly by the PDG (Packet Data Gateway), but in EPS the access to the (external) PDN must go from the ePDG via the PGW (PDN Gateway), i.e. the security and PDN interface functions are separated. Stated in other words, in contrast to the PDG in the I-WLAN case, which has direct connectivity to the external AAA server, the ePDG in the EPC non-3GPP access case has no such connectivity to the AAA server of the (external) PDN. In the EPC non-3GPP access case, the ePDG is not the terminating node of an access point name (APN) but rather acts as an intermediate hop and, possibly, as an EAP authenticator. Accordingly, in the EPC non-3GPP access case, the ePDG needs to forward the authentication information (which is typically configured on an APN basis) to the PGW, and the PGW is to contact the external AAA server as it does when another type of access network is used. Any APN knowledge would have to be duplicated at the ePDG in order to be able to initiate a proper authentication towards an external PDN.
Therefore, these mechanisms are not applicable for UEs in the EPS which are attached to untrusted non-3GPP access networks, as assumed in the present specification.
Currently, it is not standardized in 3GPP how to carry user credentials between the UE using untrusted non-3GPP access and the core network, and there is no PCO mechanism or the like defined between the UE and ePDG.
In view of the above, there are no feasible mechanisms for providing the ePDG with the authentication data required when authenticating a UE's access to an external network via an untrusted access network.
Accordingly, there is a demand for mechanisms for an external authentication support over untrusted access, i.e. for supporting an authentication to an external packet data network over an untrusted access network.
Summary of embodiments of the invention
Embodiments of the present invention aim at addressing at least part of the above issues and/or problems.
Embodiments of the present invention are made to provide for mechanisms for an external authentication support over untrusted access, i.e. for supporting an authentication to an external packet data network over an untrusted access network.
According to an exemplary first aspect of the present invention, there is provided a method comprising receiving an authentication request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, and authenticating the user equipment towards the communication network using authentication data for authenticating the user equipment towards the communication network, including requesting and receiving the authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
According to further developments or modifications thereof, one or more of the following applies:
- the method further comprises, after authentication of the user equipment towards the communication network, receiving an authentication request for authenticating the user equipment towards the packet data network across the unsecured access network, and authenticating the user equipment towards the packet data network using the authentication data for authenticating the user equipment towards the packet data network requested and received during authentication of the user equipment towards the communication network,
- the authentication request is an authentication request according to a key information exchange mechanism used across the unsecured access network,
- the authentication of the user equipment is performed according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
- the authentication of the user equipment is performed in collaboration with an authentication server of the communication network,
- the authentication data for authenticating the user equipment towards the communication network and the authentication data for authenticating the user equipment towards the packet data network is requested and received from an authentication server of the communication network, and/or
- the method is operable at or by an evolved packet data gateway of the communication network.
According to an exemplary second aspect of the present invention, there is provided a method comprising receiving a request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, said request including a request for authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network, retrieving the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network, and providing the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network.
According to further developments or modifications thereof, one or more of the following applies:
- the retrieving comprises fetching the authentication data from a local storage and/or requesting and receiving the authentication data from a home subscription database at a home subscriber server or home location register,
- the authentication data for authenticating the user equipment towards the packet data network is provided after authentication of the user equipment towards the communication network,
- the authentication request is an authentication request according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
- the authentication of the user equipment is performed according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
- the authentication of the user equipment is performed in collaboration with an evolved packet data gateway of the communication network,
- the authentication data for authenticating the user equipment towards the communication network and the authentication data for authenticating the user equipment towards the packet data network is requested from and provided to an evolved packet data gateway of the communication network, and/or
- the method is operable at or by an authentication server of the communication network.
According to an exemplary third aspect of the present invention, there is provided a method comprising storing a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards a communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
According to further developments or modifications thereof, one or more of the following applies:
- the method further comprises receiving a request for the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network,
- the method further comprises providing the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network,
- the authentication data for authenticating the user equipment towards the communication network and the authentication data for authenticating the user equipment towards the packet data network is requested from and provided to an authentication server of the communication network, and/or
- the method is operable at or by a home subscriber server or home location register of the communication network.
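The two-round flow this page describes (the Figure 4 signaling in the concept list above, and the first to third aspects just stated: ePDG, 3GPP AAA server and HSS/HLR) as an added, runnable sketch. This is example code written for this page; it is not the patent's, Nokia's or 3GPP's implementation. It assumes a toy authentication vector (HMAC-SHA256 over a random RAND standing in for EAP-AKA/Milenage), constructed IMSI, APN, key and credential values, and models the IKEv2/EAP messages as Python calls rather than packets. What it shows is the mechanism claimed: the ePDG's first-round request to the 3GPP AAA server asks for the EPC authentication data and the external-PDN credentials together, the AAA server returns both with the EAP-Success, and the ePDG then runs the second RFC 4739 authentication (CHAP as EAP MD5-Challenge per RFC 1994, or PAP as EAP-GTC) on its own, without any path to an external AAA server.

```python
"""Two-round (RFC 4739) authentication at an ePDG over untrusted access.

Added example for this page; names, keys and messages are constructed and
the EPC round uses a toy HMAC vector in place of EAP-AKA/Milenage.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

K_EXAMPLE = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed (U)SIM key


@dataclass
class Profile:
    """HSS/HLR subscription profile (third aspect): EPC key plus external-PDN data."""
    k: bytes        # long-term key shared with the (U)SIM, used for the EPC round
    external: dict  # apn -> {"method": "CHAP" | "PAP", "user": str, "password": str}


class HSS:
    """Subscription apparatus: hands out the EPC vector and external-PDN data together."""
    def __init__(self, profiles):
        self.profiles = profiles

    def fetch(self, imsi, apn):
        p = self.profiles[imsi]
        rand = os.urandom(16)                                    # toy RAND
        xres = hmac.new(p.k, rand, hashlib.sha256).digest()[:8]  # toy XRES
        return {"rand": rand, "xres": xres}, dict(p.external[apn])


class AAAServer:
    """3GPP AAA server (second aspect): serves the ePDG's combined request."""
    def __init__(self, hss):
        self.hss = hss
        self.pending = {}   # imsi -> (xres, external data) awaiting the EAP response
        self.requests = 0   # SWm round trips seen; round 2 must add none

    def challenge(self, imsi, apn):
        """Step 3 of Figure 4: one request for EPC and external-PDN data."""
        self.requests += 1
        vector, external = self.hss.fetch(imsi, apn)
        self.pending[imsi] = (vector["xres"], external)
        return vector["rand"]

    def verify(self, imsi, res):
        """Step 9: EAP-Success carries key material plus the external-PDN data."""
        self.requests += 1
        xres, external = self.pending.pop(imsi)
        if not hmac.compare_digest(xres, res):
            return None
        return {"msk": hashlib.sha256(b"msk" + xres).digest(), "external": external}


class UE:
    def __init__(self, imsi, k, user, password):
        self.imsi, self.k, self.user, self.password = imsi, k, user, password

    def eap_response(self, rand):
        return hmac.new(self.k, rand, hashlib.sha256).digest()[:8]

    def chap_response(self, ident, challenge):
        """EAP MD5-Challenge response: MD5(Identifier || secret || challenge), RFC 1994."""
        return self.user, hashlib.md5(bytes([ident]) + self.password.encode() + challenge).digest()

    def gtc_response(self):
        """EAP-GTC carries the PAP user name and password in clear inside the IKE SA."""
        return self.user, self.password


class EPDG:
    """Gateway (first aspect): EAP authenticator for both rounds, no external AAA link."""
    def __init__(self, aaa):
        self.aaa = aaa
        self.cached = {}  # imsi -> external-PDN data received during round 1

    def round1(self, imsi, apn, ue):
        rand = self.aaa.challenge(imsi, apn)
        answer = self.aaa.verify(imsi, ue.eap_response(rand))
        if answer is None:
            return False
        self.cached[imsi] = answer["external"]  # kept for the second authentication
        return True

    def round2(self, imsi, ue):
        """Second IKE_AUTH round (step 12 onwards), decided locally from cached data."""
        data = self.cached.pop(imsi, None)
        if data is None:
            return False
        if data["method"] == "CHAP":
            ident, challenge = 1, os.urandom(16)
            user, digest = ue.chap_response(ident, challenge)
            expected = hashlib.md5(bytes([ident]) + data["password"].encode() + challenge).digest()
            return user == data["user"] and hmac.compare_digest(expected, digest)
        if data["method"] == "PAP":
            user, password = ue.gtc_response()
            return user == data["user"] and hmac.compare_digest(
                password.encode(), data["password"].encode())
        return False


def build_network():
    """Constructed deployment: one subscriber with a CHAP APN and a PAP APN."""
    profile = Profile(K_EXAMPLE, {
        "corp.example": {"method": "CHAP", "user": "alice", "password": "s3cret"},
        "isp.example": {"method": "PAP", "user": "alice", "password": "pap-pass"},
    })
    hss = HSS({"262010000000001": profile})
    aaa = AAAServer(hss)
    return hss, aaa, EPDG(aaa)


def attach(ue, apn, epdg):
    """Run both authentication rounds; returns (epc_ok, pdn_ok)."""
    epc_ok = epdg.round1(ue.imsi, apn, ue)
    pdn_ok = epdg.round2(ue.imsi, ue) if epc_ok else False
    return epc_ok, pdn_ok
```

The `requests` counter on the AAA server is the point to watch: a successful attach costs exactly two SWm exchanges, both in round 1, and the CHAP or PAP round afterwards touches no AAA server at all, which is what lets the ePDG authenticate towards an APN it does not terminate. In a real deployment the external credentials would travel as Diameter AVPs (User-Name, User-Password, per-APN method) on SWm, and the cached data should be bound to the IKE SA and discarded on any failure or timeout rather than kept keyed by IMSI as in this sketch.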
According to an exemplary fourth aspect of the present invention, there is provided an apparatus comprising an interface configured to receive an authentication request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, and a processor configured to authenticate the user equipment towards the communication network using authentication data for authenticating the user equipment towards the communication network, wherein the processor, for authenticating the user equipment towards the communication network, is configured to request and receive, via the interface, the authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
According to further developments or modifications thereof, one or more of the following applies:
- after authentication of the user equipment towards the communication network, the interface is configured to receive an authentication request for authenticating the user equipment towards the packet data network across the unsecured access network, and the processor is configured to authenticate the user equipment towards the packet data network using the authentication data for authenticating the user equipment towards the packet data network requested and received during authentication of the user equipment towards the communication network,
- the authentication request is an authentication request according to a key information exchange mechanism used across the unsecured access network,
- the processor is configured to perform the authentication of the user equipment according to one of a challenge- handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
- the processor is configured to perform the authentication of the user equipment in collaboration with an authentication server of the communication network,
- the processor and/or the interface is configured to request and receive the authentication data for authenticating the user equipment towards the communication network and the authentication data for authenticating the user equipment towards the packet data network from an authentication server of the communication network, and/or
- the apparatus is operable as or at an evolved packet data gateway of the communication network.
According to an exemplary fifth aspect of the present
invention, there is provided an apparatus comprising an interface configured to receive a request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, said request including a request for
authentication data for authenticating the user equipment towards the communication network together with
authentication data for authenticating the user equipment towards a packet data network external to the communication network, and a processor configured to retrieve the
authentication data for authenticating the user equipment towards the communication network together with the
authentication data for authenticating the user equipment towards the packet data network, and to provide, via the interface, the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network.
According to further developments or modifications thereof, one or more of the following applies:
- the processor, for retrieving, is configured to fetch the authentication data from a local storage and/or request and receive, via the interface, the authentication data from a home subscription database at a home subscriber server or home location register,
- the processor is configured to provide the authentication data for authenticating the user equipment towards the packet data network after authentication of the user equipment towards the communication network,
- the authentication request is an authentication request according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
- the processor is configured to perform the authentication of the user equipment according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement,
- the processor is configured to perform the authentication of the user equipment in collaboration with an evolved packet data gateway of the communication network,
- the processor and/or the interface is configured to receive the request from and provide the authentication data for authenticating the user equipment towards the
communication network and the authentication data for
authenticating the user equipment towards the packet data network to an evolved packet data gateway of the
communication network, and/or
- the apparatus is operable as or at an authentication server of the communication network.
According to an exemplary sixth aspect of the present
invention, there is provided an apparatus comprising a memory configured to store a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards a communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
According to further developments or modifications thereof, one or more of the following applies:
- the apparatus further comprises an interface configured to receive a request for the authentication data for
authenticating the user equipment towards the communication network together with the authentication data for
authenticating the user equipment towards the packet data network,
- the apparatus further comprises a processor configured to provide, via the interface, the authentication data for authenticating the user equipment towards the communication network together with the authentication data for
authenticating the user equipment towards the packet data network,
- the processor and/or the interface is configured to receive the request from and provide the authentication data for authenticating the user equipment towards the
communication network and the authentication data for
authenticating the user equipment towards the packet data network to an authentication server of the communication network, and/or
- the apparatus is operable as or at a home subscriber server or home location register of the communication network.
According to an exemplary seventh aspect of the present invention, there is provided a computer program product including a program comprising software code portions being arranged, when run on a processor of an apparatus (such as e.g. according to the above fourth aspect and/or developments or modifications thereof), to perform the method according to the above first aspect and/or developments or modifications thereof.
According to an exemplary eighth aspect of the present invention, there is provided a computer program product including a program comprising software code portions being arranged, when run on a processor of an apparatus (such as e.g. according to the above fifth aspect and/or developments or modifications thereof), to perform the method according to the above second aspect and/or developments or modifications thereof.
According to an exemplary ninth aspect of the present
invention, there is provided a computer program product including a program comprising software code portions being arranged, when run on a processor of an apparatus (such as e.g. according to the above sixth aspect and/or developments or modifications thereof), to perform the method according to the above third aspect and/or developments or modifications thereof.
According to further developments or modifications thereof, the computer program product according to the seventh, eighth or ninth aspect comprises a computer-readable medium on which the software code portions are stored, and/or the program is directly loadable into a memory of the processor.
According to any one of the above aspects and/or developments or modifications thereof, the authentication data for
authenticating the user equipment towards the packet data network include at least one of user credential data for authentication towards the packet data network, one or more supported authentication methods towards the packet data network, an order of proposed application of authentication methods when multiple authentication methods are supported, contact information for contacting an authentication server of the packet data network, and application information for applying a selected authentication method for authenticating the user equipment towards the packet data network.
According to any one of the above aspects and/or developments or modifications thereof, the unsecured access network is an internet protocol and/or non-3GPP network, and/or the
communication network is an evolved packet core and/or 3GPP network, and/or the packet data network is an internet protocol and/or wireless local area network.
By way of exemplary embodiments of the present invention, there are provided mechanisms for an external authentication support over untrusted access, i.e. for supporting an
authentication to an external packet data network over an untrusted access network.
By way of exemplary embodiments of the present invention, it is enabled that an evolved gateway apparatus such as an ePDG gets to know the required authentication data (such as e.g. user credential data and authentication methods) to be used when authenticating a UE's access to an external network via an untrusted access network. For this purpose, it is proposed that this information for an authentication towards the external network is brought to the evolved gateway apparatus such as an ePDG during a first authentication towards an evolved packet core when the UE authenticates towards the EPC.
By way of exemplary embodiments of the present invention, it is enabled that an evolved gateway apparatus such as an ePDG performs authentication of a UE's access via an untrusted access network towards an external network. For this purpose, it is proposed that the evolved gateway apparatus such as an ePDG uses respective information received during a preceding authentication of the UE's access via an untrusted access network towards an evolved packet core.
Brief description of the drawings
In the following, the present invention will be described in greater detail by way of non-limiting examples with reference to the accompanying drawings, in which
Figures 1 and 2 show schematic diagrams illustrating
exemplary system architectures of an evolved packet system in which embodiments of the present invention are applicable,
Figure 3 shows a signaling diagram illustrating an exemplary procedure according to embodiments of the present invention,
Figures 4 and 5 show signaling diagrams illustrating
exemplary procedures according to embodiments of the present invention, and
Figure 6 shows a block diagram illustrating exemplary devices according to embodiments of the present invention.
Detailed description of embodiments of the present invention
The present invention is described herein with reference to particular non-limiting examples and to what are presently considered to be conceivable embodiments of the present invention. A person skilled in the art will appreciate that the invention is by no means limited to these examples, and may be more broadly applied.
The present invention and its embodiments are mainly
described in relation to 3GPP specifications being used as non-limiting examples for certain exemplary network
configurations and deployments. In particular, the EPS context with an (internal) EPC and an external PDN being accessible by a UE via an untrusted (non-3GPP) access network is used as a non-limiting example for the applicability of thus described exemplary embodiments. As such, the
description of exemplary embodiments given herein
specifically refers to terminology which is directly related thereto. Such terminology is only used in the context of the presented non-limiting examples, and does naturally not limit the invention in any way. Rather, any other network
configuration or system deployment, etc. may also be utilized as long as compliant with the features described herein.
Generally, embodiments of the present invention may be applicable for/in any kind of modern and future communication network including any conceivable mobile/wireless
communication networks according to 3GPP (Third Generation Partnership Project) or IETF (Internet Engineering Task
Force) specifications.
Hereinafter, various embodiments and implementations of the present invention and its aspects or embodiments are
described using several alternatives. It is generally noted that, according to certain needs and constraints, all of the described alternatives may be provided alone or in any conceivable combination (also including combinations of individual features of the various alternatives).
In the description of exemplary embodiments of the present invention, an authentication of a user equipment (or the user thereof) towards a network (e.g. EPC, PDN) is construed to be equivalent to an authentication of/for an access of the user equipment (or the user thereof) to/for the respective network (e.g. EPC, PDN).
Exemplary embodiments of the present invention, as described hereinafter, are particularly applicable to an evolved packet system according to 3GPP standards.
Figures 1 and 2 show schematic diagrams illustrating exemplary system architectures of an evolved packet system in which embodiments of the present invention are applicable. In such an evolved packet system as depicted in Figures 1 and 2, a user equipment, such as a WLAN UE, may be attached to an untrusted non-3GPP access network via which it is connected to an evolved packet core (EPC) and an external packet data network (PDN). The EPC and the external PDN (sometimes only referred to as PDN hereinafter) are linked via a PDN Gateway (PGW). For exemplary embodiments of the present invention, the most relevant network entities in the EPC are the ePDG, the 3GPP AAA server as well as the HSS (Home Subscriber System) and/or HLR (Home Location Register). Accordingly, reference points or interfaces SWm and SWx are particularly addressed in the following.
As is evident from Figures 1 and 2, the ePDG of an EPS/EPC does not have any connectivity to an external AAA server of the external PDN.
In the following, exemplary embodiments of the present invention are described with reference to methods, procedures and functions.
Figure 3 shows a signaling diagram illustrating an exemplary procedure according to embodiments of the present invention. In Figure 3, optional operations are indicated by use of dashed blocks and/or dotted arrows.
The exemplary procedure according to Figure 3 may, for example, be performed by or at a system comprising an
EPC/3GPP gateway apparatus (such as an ePDG), an EPC/3GPP authentication apparatus (such as a 3GPP AAA server) and an EPC/3GPP subscription apparatus (such as a HSS/HLR).
As shown in Figure 3, the gateway apparatus according to embodiments of the present invention may be operative for receiving, from the user equipment, an authentication request for authenticating the user equipment towards the EPC, i.e. the communication network providing connectivity for the user equipment across an unsecured access network, and for
authenticating the user equipment towards the EPC using authentication data for authenticating the user equipment towards the EPC. In the context of such UE authentication towards the EPC, the gateway apparatus according to
embodiments of the present invention may be operative for requesting and receiving, from the authentication apparatus according to embodiments of the present invention, the authentication data for authenticating the user equipment towards the EPC together with authentication data for authenticating the user equipment towards the external PDN. Optionally, the gateway apparatus according to embodiments of the present invention may be operative for, after having authenticated the user equipment towards the EPC, receiving, from the user equipment, an authentication request for authenticating the user equipment towards the external PDN, and for authenticating the user equipment towards the external PDN using the relevant authentication data previously received during the authentication of the user equipment towards the EPC.
As shown in Figure 3, the authentication apparatus according to embodiments of the present invention may be operative for receiving, from the gateway apparatus according to
embodiments of the present invention, preferably within or in the context of a request for authenticating the user
equipment towards the EPC, a request for the authentication data for authenticating the user equipment towards the EPC together with the authentication data for authenticating the user equipment towards the external PDN, as well as for retrieving the requested types of authentication data
relating to EPC and external PDN and providing the retrieved authentication data relating to EPC and external PDN to the requesting gateway apparatus according to embodiments of the present invention. The retrieval of the authentication data may comprise a (local) fetching thereof from a local storage at the authentication apparatus, which is applicable when the authentication data have already been made available previously in a proactive manner irrespective of the present authentication request or procedure (as indicated by the upper dotted arrow from a subscription apparatus or database to the authentication apparatus), or a (remote) retrieval thereof by way of requesting and receiving the authentication data from a subscription apparatus or database in a reactive manner in view of the present authentication request or procedure (as indicated by the lower dotted arrow pair between the subscription apparatus or database and the authentication apparatus).
As shown in Figure 3, the subscription apparatus according to embodiments of the present invention may be operative for storing a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards the EPC together with authentication data for authenticating the user equipment towards the external PDN. As indicated above, the two types of authentication data relating to EPC and external PDN (in the subscription profile of a corresponding user equipment) may be provided to the authentication apparatus either in proactive manner irrespective of the present authentication request or procedure or in a reactive manner in view of the present authentication request or procedure, i.e. upon a corresponding request for the authentication data for authenticating the user equipment towards the EPC
together with the authentication data for authenticating the user equipment towards the external PDN.
According to embodiments of the present invention, as is evident from the above, a gateway apparatus (ePDG) is enabled to use the SWm interface to request from an authentication apparatus (3GPP AAA server) the authentication data to be used for authenticating the UE's access to the external PDN when authenticating the UE's access to the 3GPP EPC. Further, the authentication apparatus (3GPP AAA server) is enabled to retrieve them and to provide the authentication data to be used for authenticating the UE's access to the external PDN when authenticating the UE's access to the 3GPP EPC. Still further, a subscription apparatus (HSS/HLR) is enabled to store both authentication data for authenticating the UE's access to the external PDN and to the 3GPP EPC along with each other and to provide them accordingly to the authentication apparatus.
According to embodiments of the present invention, the functionality of the SWm interface and its endpoints, i.e. the ePDG and the 3GPP AAA server/HSS/HLR, is enhanced. According to embodiments of the present invention, the authentication data for the UE accessing an external packet data network is stored in the HSS/HLR together/along with the authentication data for the UE accessing an (internal) communication network, and the SWm interface is enhanced to carry such two types of authentication data between the ePDG and the 3GPP AAA Server/HSS/HLR together/along with each other in the context of authentication of the UE towards the (internal) communication network. In this way, the gateway apparatus (ePDG) does not need to be e.g. preconfigured to know
authentication data (e.g. user credentials and
required/supported authentication methods) for any UE
accessing an external packet data network.
According to embodiments of the present invention, the authentication data (e.g. user credentials and
required/supported authentication methods) for external packet data networks is shared with the 3GPP HSS/HLR
operator, stored in the HSS/HLR and accessible from the gateway apparatus (ePDG) via the 3GPP AAA server. According to embodiments of the present invention, the authentication data for external packet data networks is added to a
subscription profile for any respective user equipment in addition to the authentication data for internal communication networks. According to embodiments of the present invention, such enhanced subscription profiles and a correspondingly enhanced home subscription database at the subscription apparatus (HSS/HLR) are utilized for supporting an authentication to an external packet data network over an untrusted access network.
According to embodiments of the present invention,
authentication data comprise user credential data and/or required/supported authentication methods for the respective authentication, i.e. towards EPC or external PDN.
According to embodiments of the present invention, an
application of multiple authentication exchanges (according to RFC4739 and/or 3GPP 33.234) for authentication of the user equipment towards EPC and external PDN is enabled. For this purpose, particularly for enabling a second authentication round relating to external PDN, additional information
(according to the enhanced subscription profile) is provided to the gateway apparatus (ePDG) in a first authentication round relating to the EPC.
According to embodiments of the present invention, an
exchange of authentication protocol information between a user equipment (UE) and the gateway apparatus (ePDG) is enabled. In this regard, the gateway apparatus according to embodiments of the present invention is specifically
configured to receive authentication protocol information from a user equipment, process the received authentication protocol information according to the relevant authentication protocol, and send such processed authentication protocol information to the user equipment. The authentication
protocol information may be PAP and/or CHAP information, and the exchange between UE and ePDG may be such as defined in 3GPP TS 33.234 between UE and PDG.
According to embodiments of the present invention, the authentication data relating to the external PDN, i.e. the additional information elements in the home subscription database and on the SWm interface, may include one or more of the following:
- user credential data for authentication towards the
external PDN,
- one or more supported authentication methods towards the external PDN (like PAP/CHAP/EAP), preferably per APN (note that PAP may be implemented as EAP-GTC methods and CHAP may be implemented as EAP-MD5 methods),
- an order of proposed application of authentication methods (in which the ePDG proposes them during the second authentication round, which is applicable for EAP-based methods as EAP itself allows negotiation of multiple EAP methods) when multiple authentication methods are supported,
- contact information for contacting the external AAA server (via the PGW), e.g. the realm of the external PDN AAA server or the AAA server address, and
- application information for applying a selected
authentication method for authenticating the user equipment towards the external PDN, i.e. any information that might be needed to utilize the selected authentication method in the context of RFC4739 and/or 3GPP 33.234.
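The subscription profile and retrieval path described in connection with Figure 3 and in the list of information elements above, as an added illustration that is not part of the patent or of any 3GPP implementation: a Python model of the subscription apparatus (HSS/HLR) holding an enhanced profile, and of the 3GPP AAA server answering an SWm request either from its local copy (proactive provisioning, the upper dotted arrow of Figure 3) or by fetching from the HSS (reactive retrieval, the lower dotted arrow pair). The database contents, identities, secrets, class and field names are constructed placeholders; no 3GPP AVP codes or Diameter result codes are used.

```python
import copy
from typing import Optional

# Constructed sample home subscription database (the HSS/HLR side). Each
# profile carries the EPC authentication data together with the external-PDN
# authentication data keyed by W-APN, mirroring the information elements in
# the list above. All identities, secrets and field names are placeholders.
HSS_DATABASE = {
    "user1@example.org": {
        "epc_auth": {
            "method": "EAP-AKA",
            "authentication_vectors": ["AV-placeholder-1", "AV-placeholder-2"],
        },
        "pdn_auth": {
            "corp.apn.example": {
                "credentials": {"user_name": "user1", "user_password": "s3cret"},
                "supported_methods": ["CHAP", "PAP"],  # CHAP as EAP-MD5, PAP as EAP-GTC
                "method_order": ["CHAP", "PAP"],       # order the ePDG proposes in round 2
                "external_aaa": {"realm": "corp.apn.example"},
                "method_parameters": {"CHAP": {"challenge_length": 16}},
            }
        },
    }
}


class HomeSubscriberServer:
    """Subscription apparatus (hypothetical model): stores the enhanced profiles."""

    def __init__(self, database: dict):
        self._db = database
        self.requests_served = 0  # counts SWx fetches, to show proactive vs. reactive retrieval

    def fetch_profile(self, user: str, include_pdn: bool) -> Optional[dict]:
        """Return the EPC data, plus the external-PDN data when asked for both."""
        self.requests_served += 1
        profile = self._db.get(user)
        if profile is None:
            return None
        result = {"epc_auth": copy.deepcopy(profile["epc_auth"])}
        if include_pdn:
            result["pdn_auth"] = copy.deepcopy(profile["pdn_auth"])
        return result


class ThreeGppAaaServer:
    """Authentication apparatus (hypothetical model) sitting between SWm and SWx."""

    def __init__(self, hss: HomeSubscriberServer, proactive_users=()):
        self._hss = hss
        self._local = {}  # profiles already provisioned, irrespective of any request
        for user in proactive_users:  # proactive provisioning (upper dotted arrow of Figure 3)
            profile = hss.fetch_profile(user, include_pdn=True)
            if profile is not None:
                self._local[user] = profile

    def handle_swm_request(self, user: str, want_pdn_auth: bool) -> dict:
        """Answer the ePDG's EPC authentication request; when the request also asks
        for external-PDN data, both kinds of data travel back in the same answer."""
        profile = self._local.get(user)
        # Reactive retrieval (lower dotted arrow pair) only when the local copy
        # is missing or does not cover what the ePDG asked for.
        if profile is None or (want_pdn_auth and "pdn_auth" not in profile):
            profile = self._hss.fetch_profile(user, include_pdn=want_pdn_auth)
            if profile is None:
                return {"result": "USER_UNKNOWN"}
            self._local[user] = profile
        answer = {"result": "SUCCESS", "epc_auth": profile["epc_auth"]}
        if want_pdn_auth:
            answer["pdn_auth"] = profile["pdn_auth"]
        return answer
```

Calling handle_swm_request with want_pdn_auth=False first leaves the local copy without external-PDN data, so a later request for both still has to go to the HSS; that is exactly the case the reactive path covers, while a proactively provisioned user is served without any SWx round trip.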
According to embodiments of the present invention, the measures and techniques described herein may be combined with measures and techniques described in the PCT application no. PCT/EP2010/056017 (by the same assignee). Namely, a gateway apparatus (such as an ePDG) according to embodiments of the present invention may be configured to act as described in connection with Figure 3 above and, in addition, to handle extensions to the authentication procedure between the UE and ePDG (i.e. the IKEv2 protocol), i.e. to translate PCO
information in IKEv2 signaling to PMIP (Proxy Mobile Internet Protocol) signaling towards the PGW. For example, the ePDG may act as the final network receiver of PCO information included in IKEv2 signaling, as described in the referenced PCT application, and use such PCO information together with the authentication data (e.g. user credential data and/or required/supported authentication method(s)) received from the 3GPP AAA server, as described herein.
In this regard, a gateway apparatus (such as an ePDG)
according to embodiments of the present invention may be configured to receive an authentication request of a key information exchange mechanism used across an unsecure internet protocol network, wherein the authentication request is for authenticating a user equipment by a communications network providing connectivity for the user equipment and includes a configuration parameter for a protocol
configuration option, which contains an information element of the protocol configuration option, wherein in the
information element authentication data according to an authentication protocol between the user equipment and a packet data network is encoded, wherein the authentication data is for authenticating the user equipment by the packet data network, and to include the information element of the protocol configuration option into a binding update request. Further, the apparatus may be configured to send the binding update request to a gateway apparatus for the packet data network. Still further, the apparatus may be configured to receive a binding update response from the gateway apparatus, which includes an information element of the protocol
configuration option in which authentication response data according to the authentication protocol between the user equipment and the packet data network is encoded, and the apparatus may be configured to include the information element in a configuration parameter for the protocol
configuration option and include the configuration parameter into an authentication response of the key information exchange mechanism, and to send the authentication response to the user equipment. Therein, the binding update response may include an internet protocol address allocated for the user equipment, and/or the binding update response may include an indication that an internet protocol address currently used for setting up a binding according to a mobility protocol of the user equipment is not an address allocated for the user equipment, and the apparatus may be configured to inhibit forwarding the internet protocol address to the user equipment. Still further, the apparatus may be configured to receive a further binding update
response including an internet protocol address allocated for the user equipment during a continued authentication
procedure for continuing authentication of the user equipment by the packet data network, wherein the continued
authentication procedure follows the binding update response. In view thereof, according to embodiments of the present invention, the other cooperating entities (such as UE, PGW, internal and/or external AAA server, and the like) may be adapted accordingly.
Figures 4 and 5 show signaling diagrams illustrating
exemplary procedures according to embodiments of the present invention. In particular, Figure 4 illustrates an exemplary authentication and authorization procedure for a private network access using a CHAP procedure, and Figure 5
illustrates an exemplary tunnel full authentication and authorization in this regard.
Generally, any authentication protocol applicable in the context of EPS and UE authentication towards an external PDN via an untrusted access may be applied according to
embodiments of the present invention. This may for example include EAP, EAP-AKA, EAP-AKA', and the like.
In steps 1a and 1b according to Figure 4, the WLAN UE and the ePDG exchange a first pair of messages, known as IKE_SA_INIT, in which the ePDG and the WLAN UE negotiate cryptographic algorithms, exchange nonces and perform a Diffie-Hellman exchange. The ePDG indicates that multiple authentications are supported.
In step 2 according to Figure 4, the WLAN UE sends the user identity (in the IDi payload) and the W-APN information (in the IDr payload) in this first message of the IKE_AUTH phase, and begins negotiation of child security associations. The UE also indicates that multiple authentications are supported.
In steps 3 to 11 according to Figure 4, the ePDG receives user credentials and supported authentication methods for second phase authentication, with the details thereof being illustrated in Figure 5.
In steps 3 to 8 according to Figure 5, the ePDG initiates the authentication of the UE for EPC access and receives
authentication information from the 3GPP AAA server. In particular, the ePDG may request both the authentication data for authentication towards the EPC and that towards the external PDN in the request for authentication towards the EPC in step 3. In this regard, the 3GPP AAA server fetches the user subscription profile of the WLAN UE and authentication vectors from the HSS/HLR either locally or, if these parameters are not locally available, at the 3GPP HSS/HLR. In step 9 according to Figure 5, if all checks for the UE authentication towards the EPC are successful, the 3GPP AAA server sends the authentication answer including an EAP success and the key material relating to both EPC and
external PDN to the ePDG. In this regard, the 3GPP AAA server also includes the supported authentication methods per APN and other required information/credentials to complete the second round authentication towards the external PDN. The 3GPP AAA server may also provide information to populate User-Name and User-Password attributes/AVPs (AVP: attribute value pair) properly if those are not available depending on the authentication method used.
In steps 10 and 11 according to Figure 5, the ePDG completes the authentication of the UE for EPC access, i.e. the first authentication round.
In step 12 according to Figure 4, i.e. after successful authentication of the UE towards the EPC, the ePDG receives an authentication request for UE authentication towards the external PDN.
In step 17 according to Figure 4, the ePDG uses the previously received authentication data for UE authentication towards the external PDN, as received in step 9, for authenticating the UE towards the external PDN (without involvement of the external AAA server, to which the ePDG lacks connectivity). In steps 19 and 20 according to Figure 4, the ePDG handles the accounting for the UE's access to the external PDN with the 3GPP AAA server or the PGW (not shown). This is because the ePDG lacks connectivity to the external AAA server. The involvement of the 3GPP AAA server or the PGW is optional and equivalent, and may depend on deployment-specific issues between a mobile operator and an external PDN provider.
Otherwise, steps 21 to 23 according to Figure 4 are similar to known procedures, such as those known from 3GPP TS 33.234.
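The two authentication rounds of Figures 4 and 5 seen from the ePDG, as an added example that is not part of the patent or of any 3GPP implementation: a Python model in which the first round stores the external-PDN data arriving alongside the EAP success (step 9), the second round (steps 12 and 17) picks the method from the stored proposal order and verifies a CHAP or PAP answer locally without reaching the external AAA server, and a successful outcome is recorded for accounting (steps 19 and 20). The CHAP computation follows RFC 1994 (MD5 over identifier, secret and challenge), which is also the digest EAP-MD5 computes; the class name, field names and the constructed SWm answer are placeholders rather than 3GPP AVPs.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed SWm answer, as the ePDG receives it in step 9 of Figure 5:
# EAP success for the EPC round plus the external-PDN data needed for the
# second round. Keys and values are illustrative placeholders, not 3GPP AVPs.
SAMPLE_AAA_ANSWER = {
    "eap": "EAP-Success",
    "pdn_auth": {
        "corp.apn.example": {
            "user_name": "user1",
            "user_password": b"s3cret",
            "supported_methods": ["CHAP", "PAP"],
            "method_order": ["CHAP", "PAP"],
            "external_aaa_realm": "corp.apn.example",  # used only for the accounting record here
        }
    },
}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    EAP-MD5 computes the same digest, which is why the description notes that
    CHAP may be carried as an EAP-MD5 method."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class EvolvedPacketDataGateway:
    """Gateway apparatus (hypothetical model): keeps per-UE state across the
    two IKEv2 authentication rounds and verifies round two locally."""

    def __init__(self):
        self._sessions = {}
        self.accounting_records = []  # what would go to the 3GPP AAA server or the PGW

    def first_round(self, ue_id: str, aaa_answer: dict) -> bool:
        """Round 1 (UE towards EPC). On EAP success, retain the external-PDN
        authentication data delivered with it; nothing is retained otherwise."""
        if aaa_answer.get("eap") != "EAP-Success":
            self._sessions.pop(ue_id, None)
            return False
        self._sessions[ue_id] = {"pdn_auth": aaa_answer.get("pdn_auth", {}), "pending": {}}
        return True

    def second_round_challenge(self, ue_id: str, apn: str) -> Optional[tuple]:
        """Round 2 (UE towards external PDN), step 12 of Figure 4: choose the method
        from the stored proposal order and, for CHAP, issue a fresh challenge.
        Returns (method, identifier, challenge) or None if the round is not allowed."""
        sess = self._sessions.get(ue_id)
        if sess is None:  # no successfully completed EPC round for this UE
            return None
        data = sess["pdn_auth"].get(apn)
        if data is None:  # the subscription carries no data for this W-APN
            return None
        method = next((m for m in data["method_order"] if m in data["supported_methods"]), None)
        if method is None:
            return None
        identifier = secrets.randbelow(256)
        challenge = secrets.token_bytes(16) if method == "CHAP" else b""
        sess["pending"][apn] = (method, identifier, challenge)
        return method, identifier, challenge

    def second_round_verify(self, ue_id: str, apn: str, identifier: int, response: bytes) -> bool:
        """Step 17 of Figure 4: check the UE's answer against the credentials received
        in step 9, without contacting the external AAA server. Each challenge is
        consumed exactly once, so a captured response cannot be replayed."""
        sess = self._sessions.get(ue_id)
        if sess is None or apn not in sess["pending"]:
            return False
        method, expected_id, challenge = sess["pending"].pop(apn)
        if identifier != expected_id:
            return False
        data = sess["pdn_auth"][apn]
        if method == "CHAP":
            expected = chap_response(expected_id, data["user_password"], challenge)
        else:  # PAP: the UE sends the password itself
            expected = data["user_password"]
        ok = hmac.compare_digest(expected, response)
        if ok:  # steps 19/20: accounting towards the 3GPP AAA server or the PGW
            self.accounting_records.append((ue_id, apn, data["external_aaa_realm"]))
        return ok
```

Because CHAP and EAP-MD5 verify a digest over the shared secret, the verifier must hold the user's password in clear, which is why user credential data has to reach the ePDG from the subscription profile at all. A second round attempted before a successful first round is refused because nothing was stored, and a challenge that has been answered once is discarded, so a replayed response fails.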
In the above description of the exemplary procedures
according to Figures 4 and 5, specific features of
embodiments of the present invention are associated with steps 3 and 9 as well as steps 12, 17, 19 and 20. Yet, it is to be noted that such arrangement is merely for illustrative purposes, and specific features of embodiments of the present invention may equally be associated with other steps and/or in-between the steps according to Figures 4 and 5. For
example, the 3GPP AAA Server may deliver the information needed for UE authentication towards the external PDN to the ePDG also in some earlier signaling message than in step 9, e.g. in step 5.
The above-described procedures and functions may be
implemented by respective functional elements, processors, or the like, as described below.
While in the foregoing exemplary embodiments of the present invention are described mainly with reference to methods, procedures and functions, corresponding exemplary embodiments of the present invention also cover respective apparatuses, network nodes and systems, including both software and/or hardware thereof.
Respective exemplary embodiments of the present invention are described below referring to Figure 6, while for the sake of brevity reference is made to the detailed description of respective corresponding methods and operations according to Figures 3 to 5 as well as the underlying system architectures according to Figures 1 and 2.
In Figure 6 below, the solid line blocks are basically configured to perform respective operations as described above. The entirety of solid line blocks is basically configured to perform the methods and operations as described above, respectively. With respect to Figure 6, it is to be noted that the individual blocks are meant to illustrate respective functional blocks implementing a respective function, process or procedure, respectively. Such functional blocks are implementation-independent, i.e. may be implemented by means of any kind of hardware or software, respectively. The arrows and lines interconnecting individual blocks are meant to illustrate an operational coupling therebetween, which may be a physical and/or logical coupling, which on the one hand is implementation-independent (e.g. wired or wireless) and on the other hand may also comprise an arbitrary number of intermediary functional entities not shown. The direction of an arrow is meant to illustrate the direction in which certain operations are performed and/or the direction in which certain data is transferred. Further, in Figure 6, only those functional blocks are illustrated which relate to any one of the above-described methods, procedures and functions. A skilled person will acknowledge the presence of any other conventional functional blocks required for an operation of respective structural arrangements, such as e.g. a power supply, a central processing unit, respective memories or the like. Among others, memories are provided for storing programs or program instructions for controlling the individual functional entities to operate as described herein.
Figure 6 shows a block diagram illustrating exemplary devices according to embodiments of the present invention. As mentioned above, it is noted that the illustration of (electronic) devices according to Figure 6 is simplified.
In view of the above, the thus described apparatuses 10, 20 and 30 are suitable for use in practicing the exemplary embodiments of the present invention, as described herein. The thus described apparatus 10 on the left hand side may represent a (part of a) gateway apparatus such as an ePDG, as described above, and may be configured to perform a procedure and/or exhibit a functionality as described in conjunction with the gateway apparatus and/or ePDG according to any one of Figures 3 to 5. The thus described apparatus 20 in the middle may represent a (part of an) authentication apparatus such as an (internal) AAA server, as described above, and may be configured to perform a procedure and/or exhibit a functionality as described in conjunction with the authentication apparatus and/or 3GPP AAA server according to any one of Figures 3 to 5. The thus described apparatus 30 on the right hand side may represent a (part of a) subscription apparatus such as an HSS and/or HLR, as described above, and may be configured to perform a procedure and/or exhibit a functionality as described in conjunction with the subscription apparatus and/or HSS/HLR according to any one of Figures 3 to 5.
As shown in Fig. 6, according to embodiments of the present invention a gateway apparatus 10, which may comprise an ePDG, comprises a processor 11, a memory 12 and an interface 13 which are connected by a bus 14 or the like. An authentication apparatus 20, which may comprise a 3GPP AAA server, comprises a processor 21, a memory 22 and an interface 23 which are connected by a bus 24 or the like. A subscription apparatus 30, which may comprise an HSS/HLR, comprises a processor 31, a memory 32 and an interface 33 which are connected by a bus 34 or the like. The gateway apparatus 10 may be connected with a user equipment through a link or connection 16 which may comprise an SWn or SWu interface, the gateway apparatus 10 may be connected with the authentication apparatus 20 through a link or connection 17 which may comprise an SWm interface, and the authentication apparatus 20 may be connected with the subscription apparatus 30 through a link or connection 18 which may comprise an SWx interface.
The memories 12, 22 and 32 may store respective programs assumed to include program instructions that, when executed by the associated processors 11, 21 and 31, enable the electronic device to operate in accordance with the exemplary embodiments of this invention. The processors 11, 21 and 31 may also include a modem to facilitate communication over the (hardwire or wireless) links 16, 17 and 18 via the interfaces 13, 23 and 33. The interfaces 13, 23 and 33 may further include a suitable transceiver coupled to one or more antennas or communication means for (hardwire or wireless) communications with the linked or connected device(s), respectively.
In general terms, the respective devices (and/or parts thereof) may represent means for performing respective operations and/or exhibiting respective functionalities, and/or the respective devices (and/or parts thereof) may have functions for performing respective operations and/or exhibiting respective functionalities.
According to embodiments of the present invention, the interface 13 may be configured to receive an authentication request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, and the processor 11 may be configured to authenticate the user equipment towards the communication network using authentication data for authenticating the user equipment towards the communication network. The processor 11, for authenticating the user equipment towards the communication network, may be configured to request and receive, via the interface 13, the authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network. Also, the apparatus 10 may be configured such that, after authentication of the user equipment towards the communication network, the interface 13 may be configured to receive an authentication request for authenticating the user equipment towards the packet data network across the unsecured access network, and the processor 11 may be configured to authenticate the user equipment towards the packet data network using the authentication data for authenticating the user equipment towards the packet data network requested and received during authentication of the user equipment towards the communication network. The memory 12 may be configured to store the thus received authentication data for later use.
According to embodiments of the present invention, the interface 23 may be configured to receive a request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, said request including a request for authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network. The processor 21 may be configured to retrieve the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network, and to provide, via the interface 23, the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network. The processor 21, for retrieving, may be configured to fetch the authentication data from a local storage and/or request and receive, via the interface, the authentication data from a home subscription database at a home subscriber server or home location register. Alternatively or additionally, the processor 21 may be configured to provide the authentication data for authenticating the user equipment towards the packet data network after authentication of the user equipment towards the communication network. The memory 22 may be configured to store the respective authentication data for later use.
According to embodiments of the present invention, the memory 32 may be configured to store a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards a communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network. The interface 33 may be configured to receive a request for the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network. Alternatively or additionally, the processor 31 may be configured to provide, via the interface 33, the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network.
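The exchange between the three apparatuses described above, as an added illustration that is not code from the patent or from any 3GPP implementation: the gateway apparatus 10, the authentication apparatus 20 and the subscription apparatus 30 are modelled as Python classes passing dictionaries, a keyed-hash challenge/response stands in for the EAP-AKA run towards the communication network, and the later authentication towards the packet data network is verified at the gateway with CHAP- and PAP-style checks built on SHA-256. All message and field names, the subscriber identity, the keys and the credentials are constructed for the example; the SWu/SWm/SWx protocols themselves (IKEv2, Diameter) are not modelled.

```python
"""Added illustration, not code from the patent or from any 3GPP product: the
apparatuses are Python classes exchanging dictionaries; field names, the toy
EPC challenge/response (in place of EAP-AKA) and the CHAP/PAP checks are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class SubscriptionProfile:
    """Profile held by the HSS (claim 11): EPC key plus external PDN data."""
    epc_key: bytes   # long-term key shared by UE and EPC (assumed format)
    pdn_auth: dict   # claim 3 items: methods in proposed order, credential, server


class HSS:
    """Subscription apparatus 30: returns both data sets in one answer."""
    def __init__(self, db):
        self.db = db

    def get_auth_data(self, imsi, with_pdn):
        profile = self.db[imsi]
        rand = secrets.token_bytes(16)
        # toy "authentication vector": challenge plus expected response
        xres = hmac.new(profile.epc_key, rand, hashlib.sha256).digest()[:8]
        data = {"epc": {"rand": rand, "xres": xres}}
        if with_pdn:
            data["pdn"] = dict(profile.pdn_auth)
        return data


class AAAServer:
    """Authentication apparatus 20: relays the combined request to the HSS."""
    def __init__(self, hss):
        self.hss = hss

    def handle_auth_request(self, request):
        return self.hss.get_auth_data(request["imsi"], request.get("with_pdn", False))


class EPDG:
    """Gateway apparatus 10: EPC auth first; PDN data kept for the second auth."""
    def __init__(self, aaa):
        self.aaa = aaa
        self.pdn_store = {}        # memory 12
        self.chap_challenges = {}

    def authenticate_to_epc(self, imsi, ue_epc_response):
        # one request carries both data sets (claim 1)
        data = self.aaa.handle_auth_request({"imsi": imsi, "with_pdn": True})
        res = ue_epc_response(data["epc"]["rand"])
        if not hmac.compare_digest(res, data["epc"]["xres"]):
            return False
        self.pdn_store[imsi] = data["pdn"]   # stored only after EPC success
        return True

    def offered_pdn_methods(self, imsi):
        # methods proposed to the UE in the profile's order; none without EPC auth
        pdn = self.pdn_store.get(imsi)
        return list(pdn["methods"]) if pdn else []

    def chap_challenge(self, imsi):
        self.chap_challenges[imsi] = secrets.token_bytes(16)
        return self.chap_challenges[imsi]

    def authenticate_to_pdn(self, imsi, method, user, proof):
        pdn = self.pdn_store.get(imsi)
        if pdn is None or method not in pdn["methods"] or user != pdn["user"]:
            return False   # no prior EPC auth, method not offered, or unknown user
        if method == "pap":
            return hmac.compare_digest(proof, pdn["secret"])
        if method == "chap":
            challenge = self.chap_challenges.pop(imsi, None)   # single use
            if challenge is None:
                return False
            expected = hashlib.sha256(pdn["secret"] + challenge).digest()
            return hmac.compare_digest(proof, expected)
        return False   # e.g. EAP relayed to pdn["auth_server"]: not modelled


class UE:
    def __init__(self, epc_key, pdn_user, pdn_secret):
        self.epc_key, self.pdn_user, self.pdn_secret = epc_key, pdn_user, pdn_secret

    def epc_response(self, rand):
        return hmac.new(self.epc_key, rand, hashlib.sha256).digest()[:8]

    def chap_response(self, challenge):
        return hashlib.sha256(self.pdn_secret + challenge).digest()


def run_scenario(method="chap", ue_secret=b"pdn-pass", skip_epc=False):
    """Constructed subscriber and credentials; returns (epc_ok, pdn_ok)."""
    imsi = "001010123456789"
    db = {imsi: SubscriptionProfile(epc_key=b"\x01" * 16, pdn_auth={
        "methods": ["chap", "pap"], "user": "alice", "secret": b"pdn-pass",
        "auth_server": "aaa.pdn.example"})}
    epdg = EPDG(AAAServer(HSS(db)))
    ue = UE(b"\x01" * 16, "alice", ue_secret)
    epc_ok = False if skip_epc else epdg.authenticate_to_epc(imsi, ue.epc_response)
    if method not in epdg.offered_pdn_methods(imsi):
        return epc_ok, False   # UE may only pick from what the ePDG offered
    proof = ue.chap_response(epdg.chap_challenge(imsi)) if method == "chap" else ue.pdn_secret
    return epc_ok, epdg.authenticate_to_pdn(imsi, method, ue.pdn_user, proof)
```

In this model the gateway holds the user's PDN credential in its memory 12 between the two authentications, which is what lets the second exchange complete without a round trip to the external network. A deployment has to weigh that against relaying the second authentication to the server named by the contact information, since a compromised gateway would otherwise hold reusable PDN credentials for every subscriber it has served.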
In general, the exemplary embodiments of this invention may be implemented by computer software stored in the memories 12, 22 and 32 and executable by the processors 11, 21 and 31, or by hardware, or by a combination of software and/or firmware and hardware in any or all of the devices shown. The memories 12, 22 and 32 may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory. The processors 11, 21 and 31 may be of any type suitable to the local technical environment, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on a multi-core processor architecture, as non-limiting examples.
Embodiments of the invention may be practiced in various components such as integrated circuit modules. The design of integrated circuits is by and large a highly automated process. Complex and powerful software tools are available for converting a logic level design into a semiconductor circuit design ready to be etched and formed on a semiconductor substrate.
According to exemplary embodiments of the present invention, a system may comprise any conceivable combination of the thus depicted apparatuses (such as one or more terminals and associated one or more network entities such as base stations or home base stations).
In general, it is to be noted that respective functional blocks or elements according to above-described aspects can be implemented by any known means, either in hardware and/or software, respectively, if it is only adapted to perform the described functions of the respective parts. The mentioned method steps can be realized in individual functional blocks or by individual devices, or one or more of the method steps can be realized in a single functional block or by a single device.
Generally, any method step is suitable to be implemented as software or by hardware without changing the idea of the present invention. Such software may be software code independent and can be specified using any known or future developed programming language, such as e.g. Java, C++, C, and Assembler, as long as the functionality defined by the method steps is preserved. Such hardware may be hardware type independent and can be implemented using any known or future developed hardware technology or any hybrids of these, such as MOS (Metal Oxide Semiconductor), CMOS (Complementary MOS), BiMOS (Bipolar MOS), BiCMOS (Bipolar CMOS), ECL (Emitter Coupled Logic), TTL (Transistor-Transistor Logic), etc., using for example ASIC (Application Specific IC (Integrated Circuit)) components, FPGA (Field-programmable Gate Array) components, CPLD (Complex Programmable Logic Device) components or DSP (Digital Signal Processor) components. An apparatus may be represented by a semiconductor chip, a chipset, or a (hardware) module comprising such chip or chipset; this, however, does not exclude the possibility that a functionality of an apparatus or module, instead of being hardware implemented, be implemented as software in a (software) module such as a computer program or a computer program product comprising executable software code portions for execution/being run on a processor. A device may be regarded as an apparatus or as an assembly of more than one apparatus, whether functionally in cooperation with each other or functionally independently of each other but in a same device housing, for example.
Devices and means can be implemented as individual devices, but this does not exclude that they are implemented in a distributed fashion throughout the system, as long as the functionality of the device is preserved. Such and similar principles are to be considered as known to a skilled person. Software in the sense of the present description comprises software code as such comprising code means or portions or a computer program or a computer program product for performing the respective functions, as well as software (or a computer program or a computer program product) embodied on a tangible medium such as a computer-readable (storage) medium having stored thereon a respective data structure or code means/portions or embodied in a signal or in a chip, potentially during processing thereof.
The present invention also covers any conceivable combination of method steps and operations described above, and any conceivable combination of nodes, apparatuses, modules or elements described above, as long as the above-described concepts of methodology and structural arrangement are applicable.
In view of the above, there are provided measures for supporting an authentication to an external packet data network over an untrusted access network, said measures exemplarily comprising requesting and/or providing authentication data for authenticating a user equipment towards a communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network when the user equipment is authenticated towards the communication network providing connectivity for the user equipment across an unsecured access network. Further, said measures may exemplarily comprise a subscription profile containing authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards the packet data network. Said measures may exemplarily be applied in an evolved packet system.
The present invention and/or exemplary embodiments thereof are attractive from a network implementation point of view, especially for specifications such as e.g. 3GPP Rel-9/10 standards and beyond. The present invention and/or exemplary embodiments thereof are particularly effective for external PDN (access) authentication, especially but not exclusively on the basis of the concepts according to RFC 4739. The present invention and/or exemplary embodiments thereof are particularly effective in a network or system environment in which both (untrusted) non-3GPP access with a corresponding ePDG and I-WLAN interworking with a corresponding PDG are implemented. In such a network or system environment, the unified approach regarding authentication procedures for/at PDG and ePDG according to embodiments of the present invention is particularly beneficial.
Even though the invention is described above with reference to the examples according to the accompanying drawings, it is to be understood that the invention is not restricted thereto. Rather, it is apparent to those skilled in the art that the present invention can be modified in many ways without departing from the scope of the inventive concept as disclosed herein.

Claims

1. A method comprising
receiving an authentication request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, and
authenticating the user equipment towards the communication network using authentication data for authenticating the user equipment towards the communication network, including requesting and receiving the authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
2. The method according to claim 1, further comprising, after authentication of the user equipment towards the communication network,
receiving an authentication request for authenticating the user equipment towards the packet data network across the unsecured access network, and
authenticating the user equipment towards the packet data network using the authentication data for authenticating the user equipment towards the packet data network requested and received during authentication of the user equipment towards the communication network.
3. The method according to claim 1 or 2, wherein the authentication data for authenticating the user equipment towards the packet data network include at least one of
user credential data for authentication towards the packet data network,
one or more supported authentication methods towards the packet data network,
an order of proposed application of authentication methods when multiple authentication methods are supported,
contact information for contacting an authentication server of the packet data network, and
application information for applying a selected authentication method for authenticating the user equipment towards the packet data network.
4. The method according to any one of claims 1 to 3, wherein
the authentication request is an authentication request according to a key information exchange mechanism used across the unsecured access network, and/or
the authentication of the user equipment is performed according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement, and/or
the authentication of the user equipment is performed in collaboration with an authentication server of the communication network, and/or
the authentication data for authenticating the user equipment towards the communication network and the authentication data for authenticating the user equipment towards the packet data network is requested and received from an authentication server of the communication network.
5. The method according to any one of claims 1 to 4, wherein the method is operable at or by an evolved packet data gateway of the communication network, and/or
the unsecured access network is an internet protocol and/or non-3GPP network, and/or
the communication network is an evolved packet core and/or 3GPP network, and/or
the packet data network is an internet protocol and/or wireless local area network.
6. A method comprising
receiving a request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, said request including a request for authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network,
retrieving the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network, and
providing the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network.
7. The method according to claim 6, wherein the authentication data for authenticating the user equipment towards the packet data network include at least one of
user credential data for authentication towards the packet data network,
one or more supported authentication methods towards the packet data network,
an order of proposed application of authentication methods when multiple authentication methods are supported,
contact information for contacting an authentication server of the packet data network, and
application information for applying a selected authentication method for authenticating the user equipment towards the packet data network.
8. The method according to claim 6 or 7, wherein
the retrieving comprises fetching the authentication data from a local storage and/or requesting and receiving the authentication data from a home subscription database at a home subscriber server or home location register, and/or
the authentication data for authenticating the user equipment towards the packet data network is provided after authentication of the user equipment towards the communication network.
9. The method according to any one of claims 6 to 8, wherein
the authentication request is an authentication request according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement, and/or
the authentication of the user equipment is performed according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement, and/or
the authentication of the user equipment is performed in collaboration with an evolved packet data gateway of the communication network, and/or
the authentication data for authenticating the user equipment towards the communication network and the authentication data for authenticating the user equipment towards the packet data network is requested from and provided to an evolved packet data gateway of the communication network.
10. The method according to any one of claims 6 to 9, wherein the method is operable at or by an authentication server of the communication network, and/or
the unsecured access network is an internet protocol and/or non-3GPP network, and/or
the communication network is an evolved packet core and/or 3GPP network, and/or
the packet data network is an internet protocol and/or wireless local area network.
11. A method comprising
storing a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards a communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
12. The method according to claim 11, further comprising
receiving a request for the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network, and/or
providing the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network.
13. The method according to claim 11 or 12, wherein the authentication data for authenticating the user equipment towards the packet data network include at least one of
user credential data for authentication towards the packet data network,
one or more supported authentication methods towards the packet data network,
an order of proposed application of authentication methods when multiple authentication methods are supported,
contact information for contacting an authentication server of the packet data network, and
application information for applying a selected authentication method for authenticating the user equipment towards the packet data network.
14. The method according to claim 12 or 13, wherein
the authentication data for authenticating the user equipment towards the communication network and the authentication data for authenticating the user equipment towards the packet data network is requested from and provided to an authentication server of the communication network.
15. The method according to any one of claims 11 to 14, wherein
the method is operable at or by a home subscriber server or home location register of the communication network, and/or
the communication network is an evolved packet core and/or 3GPP network, and/or
the packet data network is an internet protocol and/or wireless local area network.
16. An apparatus comprising
an interface configured to receive an authentication request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, and
a processor configured to authenticate the user equipment towards the communication network using authentication data for authenticating the user equipment towards the communication network, wherein
the processor, for authenticating the user equipment towards the communication network, is configured to request and receive, via the interface, the authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
17. The apparatus according to claim 16, wherein, after authentication of the user equipment towards the communication network,
the interface is configured to receive an authentication request for authenticating the user equipment towards the packet data network across the unsecured access network, and
the processor is configured to authenticate the user equipment towards the packet data network using the authentication data for authenticating the user equipment towards the packet data network requested and received during authentication of the user equipment towards the communication network.
18. The apparatus according to claim 16 or 17, wherein the authentication data for authenticating the user equipment towards the packet data network include at least one of
user credential data for authentication towards the packet data network,
one or more supported authentication methods towards the packet data network,
an order of proposed application of authentication methods when multiple authentication methods are supported,
contact information for contacting an authentication server of the packet data network, and
application information for applying a selected authentication method for authenticating the user equipment towards the packet data network.
19. The apparatus according to any one of claims 16 to 18, wherein
the authentication request is an authentication request according to a key information exchange mechanism used across the unsecured access network, and/or
the processor is configured to perform the authentication of the user equipment according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement, and/or
the processor is configured to perform the authentication of the user equipment in collaboration with an authentication server of the communication network, and/or
the processor and/or the interface is configured to request and receive the authentication data for authenticating the user equipment towards the communication network and the authentication data for authenticating the user equipment towards the packet data network from an authentication server of the communication network.
20. The apparatus according to any one of claims 16 to 19, wherein
the apparatus is operable as or at an evolved packet data gateway of the communication network, and/or
the unsecured access network is an internet protocol and/or non-3GPP network, and/or
the communication network is an evolved packet core and/or 3GPP network, and/or
the packet data network is an internet protocol and/or wireless local area network.
21. An apparatus comprising
an interface configured to receive a request for authenticating a user equipment towards a communication network providing connectivity for the user equipment across an unsecured access network, said request including a request for authentication data for authenticating the user equipment towards the communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network, and
a processor configured to retrieve the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network, and to provide, via the interface, the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network.
22. The apparatus according to claim 21, wherein the authentication data for authenticating the user equipment towards the packet data network include at least one of
user credential data for authentication towards the packet data network,
one or more supported authentication methods towards the packet data network,
an order of proposed application of authentication methods when multiple authentication methods are supported,
contact information for contacting an authentication server of the packet data network, and
application information for applying a selected authentication method for authenticating the user equipment towards the packet data network.
23. The apparatus according to claim 21 or 22, wherein
the processor, for retrieving, is configured to fetch the authentication data from a local storage and/or request and receive, via the interface, the authentication data from a home subscription database at a home subscriber server or home location register, and/or
the processor is configured to provide the authentication data for authenticating the user equipment towards the packet data network after authentication of the user equipment towards the communication network.
24. The apparatus according to any one of claims 21 to 23, wherein
the authentication request is an authentication request according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement, and/or
the processor is configured to perform the authentication of the user equipment according to one of a challenge-handshake authentication protocol, a password authentication protocol, an extensible authentication protocol, and an extensible authentication protocol with authentication and key agreement, and/or
the processor is configured to perform the authentication of the user equipment in collaboration with an evolved packet data gateway of the communication network, and/or
the processor and/or the interface is configured to receive the request from and provide the authentication data for authenticating the user equipment towards the communication network and the authentication data for authenticating the user equipment towards the packet data network to an evolved packet data gateway of the communication network.
25. The apparatus according to any one of claims 21 to 24, wherein
the apparatus is operable as or at an authentication server of the communication network, and/or
the unsecured access network is an internet protocol and/or non-3GPP network, and/or
the communication network is an evolved packet core and/or 3GPP network, and/or
the packet data network is an internet protocol and/or wireless local area network.
26. An apparatus comprising
a memory configured to store a home subscription database including, for a user equipment, a subscription profile containing authentication data for authenticating the user equipment towards a communication network together with authentication data for authenticating the user equipment towards a packet data network external to the communication network.
27. The apparatus according to claim 26, further comprising an interface configured to receive a request for the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network, and/or
a processor configured to provide, via the interface, the authentication data for authenticating the user equipment towards the communication network together with the authentication data for authenticating the user equipment towards the packet data network.
28. The apparatus according to claim 26 or wherein the authentication data for authenticating the user equipment towards the packet data network include at least one of user credential data for authentication towards the packet data network,
one or more supported authentication methods towards the packet data network,
an order of proposed application of authentication methods when multiple authentication methods are supported, contact information for contacting an authentication server of the packet data network, and
application information for applying a selected authentication method for authenticating the user equipment towards the packet data network.
29. The apparatus according to claims 27 or 28, wherein the processor and/or the interface is configured to receive the request from and provide the authentication data for authenticating the user equipment towards the communication network and the authentication data for authenticating the user equipment towards the packet data network to an authentication server of the communication network.
30. The apparatus according to any one of claims 26 to 29, wherein
the apparatus is operable as or at a home subscriber server or home location register of the communication network, and/or
the communication network is an evolved packet core and/or 3GPP network, and/or
the packet data network is an internet protocol and/or wireless local area network.
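As an added illustration of the subscription profile and authentication-server behaviour set out in claims 21 to 30 (example code written for this page, not the patent's or 3GPP's own; all class names, field names and sample values are constructed), the following Python sketch models the two sets of authentication data held in the home subscription database and shows the external-PDN data being released only after the home-network authentication has succeeded, with the method chosen according to the operator's proposed order:

```python
import hmac
from dataclasses import dataclass

@dataclass
class ExternalPdnAuth:
    """External-PDN authentication data, the items listed in claim 28."""
    credential: str      # user credential data towards the PDN
    supported: list      # authentication methods supported towards the PDN
    order: list          # operator's proposed order of application
    aaa_contact: str     # contact information for the PDN's authentication server
    params: dict         # application information per method

@dataclass
class SubscriptionProfile:
    """HSS/HLR profile holding both sets of authentication data (claim 26)."""
    home_secret: bytes   # stand-in for the 3GPP (e.g. EAP-AKA) credential
    external: ExternalPdnAuth

# Constructed sample subscription database; every value here is made up.
HSS = {"001010123456789": SubscriptionProfile(
    home_secret=b"constructed-home-secret",
    external=ExternalPdnAuth(
        credential="user@corp.example",
        supported=["EAP-AKA", "CHAP", "PAP"],
        order=["EAP-AKA", "CHAP", "PAP"],
        aaa_contact="aaa.corp.example:1812",
        params={"CHAP": {"realm": "corp.example"}, "PAP": {}}))}

def authenticate_home(profile, presented_secret):
    """Stand-in for the home-network authentication outcome (constant-time compare)."""
    return hmac.compare_digest(profile.home_secret, presented_secret)

def select_external_method(ext, ue_methods):
    """First method in the operator's order that both PDN and UE support (claim 28)."""
    for method in ext.order:
        if method in ext.supported and method in ue_methods:
            return method
    return None

def handle_epdg_request(imsi, presented_secret, ue_methods):
    """Server side of claims 21-24: PDN data is released only after home authentication succeeds."""
    profile = HSS.get(imsi)
    if profile is None or not authenticate_home(profile, presented_secret):
        return {"status": "reject"}
    method = select_external_method(profile.external, ue_methods)
    if method is None:
        return {"status": "accept", "external": None}  # home-network access only
    ext = profile.external
    return {"status": "accept", "external": {"method": method, "credential": ext.credential,
            "aaa": ext.aaa_contact, "params": ext.params.get(method, {})}}
```

A rejected home authentication returns nothing about the external PDN, so the untrusted access network never sees the external credentials of a subscriber it could not authenticate.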
31. A computer program product including a program comprising software code portions being arranged, when run on a processor of an apparatus, to perform the method according to any one of claims 1 to 5 or 6 to 10 or 11 to 15.
32. The computer program product according to claim 31, wherein the computer program product comprises a computer-readable medium on which the software code portions are stored, and/or wherein the program is directly loadable into an internal memory of the processor.
PCT/EP2011/050424 2011-01-14 2011-01-14 External authentication support over untrusted access Ceased WO2012095179A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2011/050424 WO2012095179A1 (en) 2011-01-14 2011-01-14 External authentication support over untrusted access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2011/050424 WO2012095179A1 (en) 2011-01-14 2011-01-14 External authentication support over untrusted access

Publications (1)

Publication Number Publication Date
WO2012095179A1 true WO2012095179A1 (en) 2012-07-19

Family

ID=43881150

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2011/050424 Ceased WO2012095179A1 (en) 2011-01-14 2011-01-14 External authentication support over untrusted access

Country Status (1)

Country Link
WO (1) WO2012095179A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108235315A (en) * 2016-12-15 2018-06-29 中国电信股份有限公司 Wireless VPDN access method and system with configuration-free terminal
EP3324681A4 (en) * 2015-08-07 2018-07-11 Huawei Technologies Co., Ltd. Processing method and device for accessing to 3gpp network by terminal
CN110351729A (en) * 2019-07-15 2019-10-18 西安中兴物联软件有限公司 Method, system, terminal and storage medium for automatically matching authentication parameters
US11212676B2 (en) * 2016-11-23 2021-12-28 Telefonaktiebolaget Lm Ericsson (Publ) User identity privacy protection in public wireless local access network, WLAN, access

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Service and System Aspects; 3G Security; Wireless Local Area Network (WLAN) interworking security (Release 10)", 3GPP STANDARD; 3GPP TS 33.234, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V10.0.0, 6 October 2010 (2010-10-06), pages 1 - 102, XP050461864 *
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; 3GPP System Architecture Evolution (SAE); Security aspects of non-3GPP accesses (Release 10)", 3GPP STANDARD; 3GPP TS 33.402, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. V10.0.0, 28 December 2010 (2010-12-28), pages 1 - 47, XP050462462 *
LG ELECTRONICS: "Access to private networks with S2b", 3GPP DRAFT; S2-105489_DISC_PCO_S2B, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Jacksonville; 20101115, 9 November 2010 (2010-11-09), XP050467905 *
NOKIA SIEMENS NETWORK: "Introducing user credentials in PCO for S2b", 3GPP DRAFT; S2-102594(UNTRUSTED_PCO), 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Kyoto; 20100510, 4 May 2010 (2010-05-04), XP050434717 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3324681A4 (en) * 2015-08-07 2018-07-11 Huawei Technologies Co., Ltd. Processing method and device for accessing to 3gpp network by terminal
US10278073B2 (en) 2015-08-07 2019-04-30 Huawei Technologies Co., Ltd. Processing method for terminal access to 3GPP network and apparatus
EP3614741A1 (en) * 2015-08-07 2020-02-26 Huawei Technologies Co., Ltd. Processing apparatus for terminal access to 3gpp network and communication system
US10681546B2 (en) 2015-08-07 2020-06-09 Huawei Technologies Co., Ltd. Processing method for sim card equipped terminal access to 3GPP network and apparatus
US11212676B2 (en) * 2016-11-23 2021-12-28 Telefonaktiebolaget Lm Ericsson (Publ) User identity privacy protection in public wireless local access network, WLAN, access
CN108235315A (en) * 2016-12-15 2018-06-29 中国电信股份有限公司 Wireless VPDN access method and system with configuration-free terminal
CN108235315B (en) * 2016-12-15 2021-04-23 中国电信股份有限公司 Wireless VPDN (virtual private network digital network) access method and system with configuration-free terminal
CN110351729A (en) * 2019-07-15 2019-10-18 西安中兴物联软件有限公司 Method, system, terminal and storage medium for automatically matching authentication parameters
CN110351729B (en) * 2019-07-15 2022-05-13 西安高新兴物联软件有限公司 Method, system, terminal and storage medium for automatically matching authentication parameters

Similar Documents

Publication Publication Date Title
EP3750342B1 (en) Mobile identity for single sign-on (sso) in enterprise networks
US11032706B2 (en) Unified authentication for integrated small cell and Wi-Fi networks
US8990925B2 (en) Security for a non-3GPP access to an evolved packet system
CN103688565B (en) Secure online registration and provisioning of WI‑FI hotspots using Device Management Protocol
AU2011355322B2 (en) External authentication support over an untrusted network
EP3120515B1 (en) Improved end-to-end data protection
CN101606372B (en) Support of UICC-less calls
EP3120591B1 (en) User identifier based device, identity and activity management system
KR101644723B1 (en) Mobile device and method for secure on-line sign-up and provisioning for wi-fi hotspots using soap-xml techniques
KR20230124621A (en) UE authentication method and system for non-3GPP service access
US20050114680A1 (en) Method and system for providing SIM-based roaming over existing WLAN public access infrastructure
EP3811588A1 (en) Handling failure of non-3gpp access to 5gcn not being allowed
US10212594B2 (en) System and method for session establishment by unauthenticated user equipment
US9226153B2 (en) Integrated IP tunnel and authentication protocol based on expanded proxy mobile IP
US20110035592A1 (en) Authentication method selection using a home enhanced node b profile
CN108781216A (en) Method and apparatus for network insertion
JP2021502739A (en) Secure authentication in communication networks
CN109891921B (en) Method, apparatus, and computer-readable storage medium for authentication of next-generation systems
CN109391937B (en) Method, device and system for obtaining public key
WO2012095179A1 (en) External authentication support over untrusted access
WO2011137928A1 (en) Packet data network connection with non-transparent interworking mode
ES2381552A1 (en) Reauthentication method
JP6189389B2 (en) Support for external authentication over untrusted networks
HK40002909B (en) Methods, apparatus, and computer readable storage medium for authentication for next generation systems
HK40002909A (en) Authentication for next generation systems

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11700343; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 11700343; Country of ref document: EP; Kind code of ref document: A1)