Access through non-3GPP access networks

US 8,621,570 B2
Filed: 11/05/2008
Issued: 12/31/2013
Est. Priority Date: 04/11/2008
Status: Active Grant

First Claim

Patent Images

1. A method of establishing connectivity from a user equipment to an external network through an access network, comprising:

sending, to the access network from the user equipment, a request for a connectivity to the external network when the UE is not currently connected to the external network;

a node in the access network receiving the request and, in response thereto, initiating an authentication procedure for the user equipment by sending a message to an Authentication, Authorization, Accounting (AAA) server in a home network of the user equipment, the AAA server executing the authentication procedure; and

establishing the requested connectivity through the access network;

wherein a first message sent to the user equipment from the AAA server in the authentication procedure includes information indicative of whether the AAA server considers the access network to be trusted; and

wherein the user equipment, when establishing the requested connectivity, selectively sets up an Internet Protocol Security (IPSec) tunnel to a gateway in the home network based on the first message such that the user equipment;

does not set up an IPSec tunnel to the gateway if the first message indicates that the AAA server considers the access network to be trusted; and

does set up an IPSec tunnel to the gateway if the first message indicates that the AAA server considers the access network to be untrusted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

When setting up communication from a user equipment UE (1), such as for providing IP access for the UE in order to allow it to use some service, information or an indication or at least one network properly relating to a first network, e.g. the current access network (3, 3′), is sent to the UE from a node (13) in a sue and network such as the home network (5) of the subscriber ask UE. The information or indication can be sent in a first stage of an authentication procedure being part of the setting up of a connection from the UE. In particular, the network property can indicate whether the access network (3, 3′) is trusted or not.

56 Citations

View as Search Results

19 Claims

1. A method of establishing connectivity from a user equipment to an external network through an access network, comprising:
- sending, to the access network from the user equipment, a request for a connectivity to the external network when the UE is not currently connected to the external network;
  
  a node in the access network receiving the request and, in response thereto, initiating an authentication procedure for the user equipment by sending a message to an Authentication, Authorization, Accounting (AAA) server in a home network of the user equipment, the AAA server executing the authentication procedure; and
  
  establishing the requested connectivity through the access network;
  
  wherein a first message sent to the user equipment from the AAA server in the authentication procedure includes information indicative of whether the AAA server considers the access network to be trusted; and
  
  wherein the user equipment, when establishing the requested connectivity, selectively sets up an Internet Protocol Security (IPSec) tunnel to a gateway in the home network based on the first message such that the user equipment;
  
  does not set up an IPSec tunnel to the gateway if the first message indicates that the AAA server considers the access network to be trusted; and
  
  does set up an IPSec tunnel to the gateway if the first message indicates that the AAA server considers the access network to be untrusted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the first message or another message sent to the user equipment from the AAA server indicates the use of at least one protocol to be used for communication along the requested connectivity to be established.
  - 3. The method of claim 2, wherein said at least one protocol relates to security.
  - 4. The method of claim 2, wherein said at least one protocol relates to mobility signaling.
  - 5. The method of claim 1, wherein the authentication procedure is based on the Extensible Authentication Protocol (EAP) and the first message is an EAP message sent from the AAA server.
  - 6. The method of claim 1, wherein the authentication procedure is based on the Extensible Authentication Protocol (EAP) Authentication and Key Agreement (AKA).
  - 7. The method of claim 6, wherein the first message is an EAP Request/AKA challenge signal.
  - 8. The method of claim 6, wherein the first message is an EAP Request/AKA-Notification signal.
  - 9. The method of claim 6, wherein the first message is an EAP Success signal.

10. A user equipment for communication to an external network through an access network, said user equipment comprising:
- one or more processing circuits configured to;
  
  interpret a special condition indicated in a first message sent to the user equipment from an Authentication, Authorization, Accounting (AAA) server in a home network of the user equipment in an authentication procedure being part of setting up a connection from the user equipment to the external network through the access network when the user equipment is not currently connected to the external network, the special condition being indicative of whether the AAA server considers the access network to be trusted; and
  
  elating to at least one network property of the access network; and
  
  subsequently establish a connection to the external network that selectively includes an Internet Protocol Security (IPSec) tunnel to a gateway in the home network based on the special condition such that;
  
  the connection to the external network omits the IPSec tunnel if the special condition indicates that the AAA server considers the access network to be trusted; and
  
  the connection to the external network includes the IPSec tunnel if the special condition indicates that the AAA server considers the access network to be untrusted.
- View Dependent Claims (11)
- - 11. The user equipment of claim 10, wherein the one or more processing circuits are configured to:
    - obtain information, from the first message or an additional message from the AAA server, indicating at least one protocol to be used for communication along the connectivity to be established; and
      
      use said at least one protocol in establishing the connectivity through the access network.

12. An Authentication, Authorization, Accounting (AAA) server in a home network of a user equipment, the AAA server configured to:
- send information to the user equipment in an authentication procedure being part of establishing connectivity from the user equipment to an external network through an access network;
  
  wherein the AAA server is configured to introduce, in a message included in said information sent to the user equipment, special information indicating a special condition indicative of whether the AAA server considers the access network to be trusted, or to modify said message to indicate the special condition, to control whether the user equipment, when not already connected to the external network, sets up an Internet Protocol Security (IPSec) tunnel to a gateway in the home network to establish a connection to the external network through the access network.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The server of claim 12, wherein the special information is also indicative of at least one protocol to be used for communication along the connectivity to be established.
  - 14. The server of claim 12, wherein the AAA server is configured to introduce the special information in an Extensible Authentication Protocol (EAP) message.
  - 15. The server of claim 14, wherein the EAP message is an EAP Request/AKA (Authentication and Key Agreement) challenge signal.
  - 16. The server of claim 14, wherein the EAP message is an EAP Request/AKA (Authentication and Key Agreement) Notification signal.
  - 17. The server of claim 14, wherein the EAP message is an EAP Success signal.

18. A computer program product for use by a user equipment related to an Authentication, Authorization, Accounting (AAA) server in a home network of the user equipment, the computer product being stored in non-transitory electronic memory carrying computer readable instructions which when run by the user equipment causes the user equipment to:
- interpret a special condition indicated in one of the messages sent to the user equipment from the AAA server in an authentication procedure being part of setting up a connection from the user equipment to an external network through an access network when the user equipment is not already connected to the external network, the special condition being indicative of whether the AAA server considers the access network to be trusted; and
  
  subsequently establish a connection to the external network that selectively includes an Internet Protocol Security (IPSec) tunnel to a gateway in the home network based on the special condition such that the connection to the external network;
  
  omits the IPSec tunnel if the special condition indicates that the AAA server considers the access network to be trusted; and
  
  includes the IPSec tunnel if the special condition indicates that the AAA server considers the access network to be untrusted.

19. A computer program product, for use by an Authentication, Authorization, Accounting (AAA) server in a home network of a user equipment, the computer program product being stored in non-transitory electronic memory carrying computer readable instructions which when run by the AAA server causes the AAA server to:
- introduce, in a message included in information sent to the user equipment, special information indicative of whether the AAA server considers an access network through which a connection to the user equipment is to be set up to be trusted, to control whether the user equipment, when not already connected to an external network, sets up an Internet Protocol Security (IPSec) tunnel to a gateway in the home network to establish a connection to the external network through the access network;
  
  ormodify said message to indicate the special condition.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Naslund, Mats, Blom, Rolf, Norrman, Karl, Rommer, Stefan, Arkko, Jari, Lehtovirta, Vesa, Sahlin, Bengt
Primary Examiner(s)
KOSOWSKI, CAROLYN M

Application Number

US12/937,008
Publication Number

US 20110035787A1
Time in Patent Office

1,882 Days
Field of Search

726/3, 709/222
US Class Current

726/3
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/1433   Vulnerability analysis

H04L 63/162   at the data link layer

H04L 63/164   at the network layer

H04L 63/20   for managing network securi...

H04W 12/06   Authentication

H04W 60/00   Affiliation to network, e.g...

H04W 72/53   based on regulatory allocat...

Access through non-3GPP access networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Access through non-3GPP access networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links