WO2011011467A1 - Femto access security gateway discovery in wireless communications - Google Patents


Info

Publication number
WO2011011467A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
access point
server
wireless
domain name
Prior art date
Application number
PCT/US2010/042671
Other languages
French (fr)
Inventor
Jianquan Song
Tricci So
Wen Luo
Li Chu
Yiwen Liu
Original Assignee
Zte (Usa) Inc.
Priority date
Filing date
Publication date
Application filed by Zte (Usa) Inc.
Priority to JP2012521742A (see JP5559882B2)
Publication of WO2011011467A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/16 Discovering, processing access restriction or access information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/168 Implementing security features at a particular protocol layer above the transport layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 84/00 Network topologies
    • H04W 84/02 Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/04 Large scale networks; Deep hierarchical networks
    • H04W 84/042 Public Land Mobile systems, e.g. cellular systems
    • H04W 84/045 Public Land Mobile systems, e.g. cellular systems using private Base Stations, e.g. femto Base Stations, home Node B

Definitions

  • this WFAP management server can be part of the femto NSP 340.
  • the Reference Point R3 includes the set of Control Plane protocols and Bearer Plane protocols to support AAA functions and also to transfer user data between the Femto ASN 330 and the CSN 320.
  • the AAA 322 is responsible for subscriber authentication and accounting operations.
  • the Reference Point R4 includes the set of Control Plane protocols and Bearer Plane protocols
  • the Fe-GW 336 may also be connected to Macro ASN-GW 314 through R4.
  • the Reference Point R6-F includes the set of Control Plane and Bearer Plane for communication between the WFAP 332 and the Fe-GW 336.
  • the control and bearer plane traffic over the Reference Point R6-F is sent through an IPsec tunnel between the WFAP and the Se-GW.
  • the Reference Point R3-F includes the set of Control Plane protocols based on the protocols for R3 in the macro WiMAX network, to support the authorization, authentication and accounting of the WFAP 332 between Femto ASN 330 and Femto NSP 340.
  • R3-F can also include management plane protocols between the Management server and WFAP.
  • the Reference Point Rx includes the set of the initial bootstrapping protocol between the WFAP and the bootstrap server.
  • FIG. 4 shows an example of the operational flow for discovery of the SeGw 334 via the security server or bootstrap server 344.
  • Step 1 the WFAP 332 is booted up.
  • the WFAP 332 obtains the (outer) IP address from the backhaul network (e.g.: DSL, Cable) via DHCP server. If the WFAP 332 does not have a pre-provisioned FQDN of the bootstrap server 344, the IP address of this bootstrap server 344 may be provided as a DHCP option.
  • the WFAP sends out a domain name server (DNS) query for the IP address of the bootstrap server 344 as shown by Step 3.
  • Step 4 once the IP address of the bootstrap server 344 is determined by the WFAP 332 in either Step 2 or Step 3, the WFAP 332 establishes secure connection with the bootstrap server using, e.g., HTTPS based on pre-provisioned credentials such as a digital certificate for the bootstrap server 344 to authenticate the server 344.
  • the WFAP 332 does not provide its certificate to the server 344. Only the bootstrap server 344 is authenticated.
  • the WFAP 332 connects to the bootstrap server 344 and requests and downloads initial configuration information, e.g., the IP address of the Se-Gw
  • the WFAP 332 provides its IP address and may also provide other location information (e.g. GPS info) so that the appropriate Se-GW 334 can be selected for the WFAP 332 by the bootstrap server 344.
  • the WFAP 332 obtains the IP address of the Se-GW 334 from the bootstrap server 344.
  • the WFAP 332 can obtain the FQDN of the management server.
  • the WFAP 332 and Se-GW 334 authenticate each other, and establish the VPN tunnel.
  • the Se-GW 334 communicates with the Femto-AAA 342 via the Femto-GW 314 for the authorization of the WFAP 332.
  • the inner IP address is also assigned to the WFAP 332 by the Se-GW 334
  • the WFAP 332 and the Femto AAA 342 communicate to perform the WFAP authentication.
  • the WFAP 332 does a DNS query to obtain the IP address of the management server from the FQDN of the management server at Step 5.
  • the WFAP 332 connects to the management server.
  • the WFAP 332 sends its local information to the management server such as the IP address of the WFAP 332, its location information and others.
  • the WFAP 332 downloads from the management server configuration information of the WFAP 332.
  • the WFAP 332 may authenticate the Security Server 344 to prevent malicious spoofing, e.g. via server certificate of the Security Server.
  • Fully Qualified Domain Name (FQDN) is pre-configured in the WFAP 332, the WFAP 332 performs the DNS query to obtain the public IP address or the URL of the Security Server 344 prior to authenticating the Security Server 344, if required. If the deployment of the WFAP is nation-wide and international, it is likely the security server 344 is deployed based on the Server Farm based architecture and the closest Security Server 344 is approached by the WFAP 332 to obtain the IP address or the URL of the SeGw 334.
  • the Security Server 344 communicates with the WFAP 332 via HTTPS or HTTP, the format of the initial configuration parameters including the IP address or URL of the SeGw can be standardized, e.g., in the form of
  • the WFAP 332 opens a HTTPS session to the bootstrap server 344.
  • the bootstrap server certificate is presented during the authentication without using the WFAP certificate.
  • the WFAP 332 authenticates the bootstrap server 334.
  • This session is used by the WFAP 332 to inform the bootstrap server 344 of its IP address and location information and retrieve the Se-GW IP address and the FQDN of the management server.
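The bootstrap discovery of Steps 2 to 5 above, modelled as an added Python example (not code from the patent or from ZTE): the WFAP locates the bootstrap server via its pre-provisioned FQDN or, failing that, the DHCP option, and the bootstrap server picks a SeGW from the WFAP's outer IP address and optional GPS position before handing back the SeGW IP and the management server FQDN. The DHCP option number, the SeGW pool, the DNS table and the selection policy (serving prefix first, then nearest by GPS) are constructed assumptions, and the server-authenticated HTTPS session of Step 4 is reduced to a direct function call.

```python
"""Model of the WFAP bootstrap / SeGW discovery flow (FIG. 4, Steps 2-5).

Added example, not code from the patent.  Option number, SeGW pool, DNS
table and selection policy are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Assumed private-use DHCP option carrying the bootstrap server IP (placeholder).
BOOTSTRAP_SERVER_DHCP_OPTION = 224


@dataclass(frozen=True)
class SeGw:
    name: str
    ip: str
    lat: float
    lon: float
    serving_prefixes: tuple  # backhaul address ranges this SeGW normally serves


# Constructed SeGW pool of the femto ASN (RFC 5737 documentation addresses).
SEGWS = (
    SeGw("segw-east", "198.51.100.10", 40.71, -74.01, ("203.0.113.0/25",)),
    SeGw("segw-west", "198.51.100.20", 37.77, -122.42, ("203.0.113.128/25",)),
    SeGw("segw-eu", "198.51.100.30", 48.86, 2.35, ()),
)

# Constructed DNS view seen by the WFAP from its backhaul network.
DNS_TABLE = {
    "bootstrap.femto-nsp.example": "192.0.2.5",
    "mgmt.femto-nsp.example": "192.0.2.6",
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def select_segw(wfap_ip, gps=None, segws=SEGWS):
    """Bootstrap server side: choose the SeGW for a WFAP from its outer IP
    and optional (lat, lon).  SeGWs whose serving prefix contains the outer
    IP are preferred; among several candidates (or all SeGWs when nothing
    matches) the nearest by GPS wins if a position was reported."""
    ip = ip_address(wfap_ip)
    candidates = [s for s in segws
                  if any(ip in ip_network(p) for p in s.serving_prefixes)]
    if not candidates:
        candidates = list(segws)
    if gps is not None and len(candidates) > 1:
        candidates.sort(key=lambda s: haversine_km(gps[0], gps[1], s.lat, s.lon))
    return candidates[0]


def locate_bootstrap_server(preprovisioned_fqdn, dhcp_options, dns_table):
    """WFAP side, Steps 2-3: resolve the pre-provisioned FQDN via DNS when it
    exists, otherwise fall back to the bootstrap server IP from the DHCP option."""
    if preprovisioned_fqdn:
        ip = dns_table.get(preprovisioned_fqdn)
        if ip is None:
            raise LookupError(f"DNS: no record for {preprovisioned_fqdn}")
        return ip
    ip = dhcp_options.get(BOOTSTRAP_SERVER_DHCP_OPTION)
    if ip is None:
        raise LookupError("no bootstrap server FQDN provisioned and no DHCP option")
    return ip


def bootstrap(wfap_ip, preprovisioned_fqdn, dhcp_options, dns_table, gps=None,
              segws=SEGWS):
    """Steps 2-5 end to end.  The HTTPS session of Step 4 (only the bootstrap
    server is authenticated; the WFAP is authenticated later by the SeGW and
    femto-AAA) is modelled as a direct call to select_segw."""
    bootstrap_ip = locate_bootstrap_server(preprovisioned_fqdn, dhcp_options, dns_table)
    segw = select_segw(wfap_ip, gps, segws)       # the bootstrap server's answer
    mgmt_fqdn = "mgmt.femto-nsp.example"          # returned with the SeGW IP
    mgmt_ip = dns_table.get(mgmt_fqdn)            # Step 5: DNS query by the WFAP
    if mgmt_ip is None:
        raise LookupError(f"DNS: no record for {mgmt_fqdn}")
    return {
        "bootstrap_server_ip": bootstrap_ip,
        "segw_name": segw.name,
        "segw_ip": segw.ip,
        "management_server_fqdn": mgmt_fqdn,
        "management_server_ip": mgmt_ip,
    }


if __name__ == "__main__":
    print(bootstrap("203.0.113.10", "bootstrap.femto-nsp.example", {}, DNS_TABLE))
    print(bootstrap("192.0.2.77", None, {BOOTSTRAP_SERVER_DHCP_OPTION: "192.0.2.9"},
                    DNS_TABLE, gps=(51.5, -0.1)))
```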
  • a system can be provided to allow the WFAP 332 to obtain the IP address or the URL of the SeGw via the pre-configured FQDN or public IP address of the DHCP Server.
  • FIGS. 5 and 6 show an example.
  • FIG. 5 shows an example of a WiMAX implementation of the system in FIG. 1 that obtains the IP address of the SeGw via the pre-configured FQDN, URL or public IP address of a femto DHCP Server 510.
  • FQDN is pre-configured in the WFAP
  • the WFAP will perform the DNS query to obtain the public IP address of the femto DHCP Server 510.
  • if it is a nation-wide and international deployment, it is likely the femto DHCP server 510 is deployed based on the Server Farm based architecture and the closest femto DHCP Server 510 is approached by the
  • FIG. 6 shows a control flow of the system interactions for the WFAP to obtain the IP address of the SeGw via the DHCP Server access.
  • the disclosed and other embodiments and the functional operations described in this document can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this document and their structural equivalents, or in combinations of one or more of them.
  • the disclosed and other embodiments can be implemented as one or more computer program products, i.e., one or more modules of computer program instructions encoded on a computer readable medium for execution by, or to control the operation of, data processing apparatus.
  • the computer readable medium can be a machine-readable storage device, a machine-readable storage substrate, a memory device, a composition of matter effecting a machine-readable propagated signal, or a combination of one or more of them.
  • data processing apparatus encompasses all apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, or multiple processors or computers.
  • the apparatus can include, in addition to hardware, code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of them.
  • a propagated signal is an artificially generated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode information for transmission to suitable receiver apparatus.
  • a computer program (also known as a program, software, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
  • a computer program does not necessarily correspond to a file in a file system.
  • a program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub programs, or portions of code).
  • a computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
  • the processes and logic flows described in this document can be performed by one or more programmable processors executing one or more computer programs to perform functions by operating on input data and generating output.
  • the processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit).
  • processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer.
  • a processor will receive instructions and data from a read only memory or a random access memory or both.
  • the essential elements of a computer are a processor for performing instructions and one or more memory devices for storing instructions and data.
  • a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto optical disks, or optical disks.
  • a computer need not have such devices.
  • Computer readable media suitable for storing computer program instructions and data include all forms of non volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto optical disks; and CD ROM and DVD-ROM disks.
  • the processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.

Abstract

Techniques and systems for discovering a security gateway for attaching a wireless access point in a wireless communication system.

Description

FEMTO ACCESS SECURITY GATEWAY DISCOVERY IN WIRELESS COMMUNICATIONS
PRIORITY CLAIM AND RELATED APPLICATION
[0001] This patent document claims benefit of U.S. Provisional Application No. 61/227,028 entitled "FEMTO ACCESS SECURITY GATEWAY DISCOVERY" and filed on July 20, 2009, the entire disclosure of which is incorporated by reference as part of the specification of this document.
BACKGROUND
[0002] This document relates to wireless communications and systems.
[0003] In various wireless communication networks, the wireless coverage could be divided into many small geographic areas called cells. Depending on the size and capacity, a cell could be categorized as a macro cell, micro cell or pico cell. An access network equipment, i.e. a Base Station, is usually installed in each cell to serve the access terminals or mobile stations located in the radio coverage region of the base station through a wireless connection.
[0004] Wireless communication systems can include a network of one or more base stations to communicate with one or more wireless devices such as a mobile device, cell phone, wireless air card, mobile station (MS), user equipment (UE), access terminal (AT), or subscriber station (SS). Each base station can emit radio signals that carry data such as voice data and other data content to wireless devices. A base station can be referred to as an access point (AP) or access network (AN) or can be included as part of an access network. A wireless communication system can include one or more access networks to control one or more base stations.
[0005] Radio coverage of the base stations can be limited under certain circumstances. For example, indoor areas and certain areas between tall buildings may not have good radio coverage by the base stations. An extension base station can be implemented to extend the coverage of the base stations and such an extension base station is often referred to as a femtocell base station (FBS). A femto base station (FBS) or Femto Access Point (FAP) is used to provide radio coverage for a femto cell by wirelessly transmitting radio signals to mobile stations or subscriber stations located in the femto cell based on a wireless air link standard, such as the WiMAX specification. The FAP can adopt the home's or office's wired broadband connection, like ADSL or cable modem or on-premise fiber link, as backhaul to connect to the wireless core network. When a mobile station enters a femto cell coverage, the mobile station could switch its connection from the macro cell to the FAP and continue its wireless service connectivity.
SUMMARY
[0006] Techniques and systems for discovering a security gateway for attaching a wireless access point in a wireless communication system are provided.
[0007] In one aspect, a method for discovering a security gateway for attaching a wireless access point in a wireless communication system is provided to include connecting a wireless access point to a communication network to obtain an IP address of a security server that is configured to assist the wireless access point to discover security gateways in the system; using the obtained IP address to establish a communication between the wireless access point and the security server; operating the security server to obtain information of the wireless access point and to select a security gateway from security gateways in the system, based on the information of the wireless access point; operating the wireless access point to obtain an IP address of the selected security gateway from the security server; and using the obtained IP address of the selected security gateway to establish a communication between the wireless access point and the security gateway and to attach the wireless access point to the system via the security gateway.
[0008] In another aspect, a wireless communication system is provided to include a radio access service network (ASN) that includes security gateways to which one or more wireless access points can be attached; and a security server that is connected to the ASN and configured to assist a wireless access point to discover one of the security gateways to attach. Each security gateway includes a mechanism operable to authenticate the security server to a wireless access point before authenticating the wireless access point. The security server includes a mechanism to select one of the security gateways based on information from the wireless access point and to send an IP address of the selected security gateway to the wireless access point for establishing a communication between the wireless access point and the selected security gateway.
[0009] These and other aspects and various implementations are described in greater detail in the drawing, the description and the claims.
BRIEF DESCRIPTION OF DRAWINGS
[0010] FIG. 1 shows an example of a wireless communication system with femto base stations.
[0011] FIG. 2 shows an example of a radio station architecture for a wireless communication device or a base station in FIG. 1.
[0012] FIGS. 3 and 4 show an example of a WiMAX implementation of the system in FIG. 1 that obtains the IP address of the SeGw via the pre-configured FQDN, URL or public IP address of the Security Server.
[0013] FIGS. 5 and 6 show an example of a WiMAX implementation of the system in FIG. 1 that obtains the IP address of the SeGw via the pre-configured FQDN, URL or public IP address of a femto DHCP Server.
DETAILED DESCRIPTION
[0014] FIG. 1 shows an example of a wireless communication system with femto base stations. A wireless communication system can be a wireless network and includes one or more base stations 105 such as a macrocell base station, microcell, or picocell base stations. One or more femtocell base stations 120 can be provided as femto-cell wireless access points (WFAPs) to extend the wireless service provided by base stations 105. Base stations 105 and femtocell base stations 120 can provide wireless service to wireless devices such as mobile stations 110 (MSs). The system can include one or more core network components 125 to provide wireless services via the base stations 105 and 120. Various wireless communication technologies can be implemented in FIG. 1, such as Code Division Multiple Access (CDMA) such as CDMA2000 1x, High Rate Packet Data (HRPD), evolved HRPD (eHRPD), Universal Mobile Telecommunications System (UMTS), Universal Terrestrial Radio Access Network (UTRAN), Evolved UTRAN (E-UTRAN), Long-Term Evolution (LTE), and Worldwide Interoperability for Microwave Access (WiMAX) based on an IEEE 802.16 standard.
[0015] FIG. 2 shows an example of a radio station architecture for a wireless communication device 110 or a base station 105 or 120 in FIG. 1. A radio station 205 in this example includes processor electronics 210 such as a microprocessor that implements methods such as one or more of the wireless communication techniques presented in this document. The radio station 205 includes transceiver electronics 215 to send and/or receive wireless signals over one or more communication interfaces such as an antenna 220. The radio station 205 can include other communication interfaces for transmitting and receiving signaling and data. The radio station 205 can include one or more memories configured to store information such as data and/or instructions.
[0016] The wireless communication device 110 is also known as a wireless subscriber station or mobile station (MS) and is capable of wirelessly communicating with the base station 105 or the WFAP 120 and may be implemented as a mobile or fixed device which may be relocated within the system. Examples of a stationary wireless device may include desktop computers and computer servers. Examples of a mobile wireless device may include mobile wireless phones, Personal Digital Assistants (PDAs), and mobile computers. A base station 105 in the system is a radio transceiver that is conceptually at the center of a cell and wirelessly communicates with an MS in the cell via downlink radio signals. Each BS may be designed to have directional antennas and to produce two or more directional beams to further divide each cell into different sections. Base station controllers (BSCs) are provided in the system to control the BSs. Each BSC is connected to a group of two or more designated BSs and controls the connected BSs.
[0017] In wireless communication systems, a wireless femto access point (WFAP) 120 is directly attached to the wired or wireless broadband network infrastructure 125, e.g. DSL, Cable Modem etc. In various implementations, the wired or wireless broadband network infrastructure may not belong to the same operator that manages the femto network service provider (NSP). Under such circumstances, it is desirable to provide a mechanism for the WFAP to obtain the IP address of the Security Gateway (SeGw) which safeguards the WFAP access to the corresponding femto-gateway and the backend network of the femto NSP. Often times, the specific location of the WFAP access may not be determined in advance and the deployment could be at any location, e.g., nationwide or international. It is therefore important for a WFAP to obtain the IP address of the SeGw from any deployment location. For example, the WFAP can obtain the IP address of the SeGw via the pre-configured Fully Qualified Domain Name (FQDN), URL or public IP address of the SeGw. The following examples use a special security server for the femto ASN and a Dynamic Host Configuration Protocol (DHCP) server to obtain the IP address of the SeGw.
[0018] FIG. 3 shows an example of a WiMAX implementation of the system in FIG. 1 that obtains the IP address of the SeGW via the pre-configured FQDN, URL or public IP address of the security server. In this example, the system includes one or more macro radio access service networks (ASNs) 310, a Connectivity Service Network (CSN) 320 with an AAA module 322 for authentication, authorization and accounting functions and a home agent module 324 for user registration functions for WiMAX communications, and one or more femto radio access service networks (Femto ASNs) 330. A femto network service provider (NSP) module 340 is provided to manage or control the femto ASN 330 and th.
[0019] The ASN 310 includes one or more base stations (BSs) 312 or base transceiver stations (BTSs) that are spatially distributed in a service area to provide the radio access, and an ASN-Gateway (GW) 314 to control the BSs 312 and to manage the communications of the ASN 310 with the CSN 320 and the femto ASN 330. The femto ASN 330 includes one or more WFAPs 332, one or more security gateways (SeGWs) 334 that safeguard access by the WFAPs 332, and a femto gateway (Femto-GW) 336 that manages communications of the femto ASN 330 with the ASN 310 and the CSN 320.
[0020] In FIG. 3, the femto NSP 340 is provided to manage the femto ASN 330 and is responsible for the operation, authentication and management of the WFAP 332. The femto NSP 340 includes a femto-AAA module 342 to perform the authentication and accounting of the WFAP 332, and a security server 344 for handling the initial process of checking the identity of the WFAP 332 and directing the WFAP 332 to a proper SeGW 334 within the femto ASN 330. The security server 344 supports the initial bootstrap of the WFAP 332 onto the network and thus is also referred to as a bootstrap server. A WFAP management server is also provided to supply operation and maintenance (O&M) features of the WFAP based on a standard such as Simple Network Management Protocol (SNMP), TR-069 or DOCSIS. In some implementations, this WFAP management server can be part of the femto NSP 340.
[0021] In FIG. 3, the Reference Point R3 includes the set of Control Plane protocols and Bearer Plane protocols to support AAA functions and to transfer user data between the Femto ASN 330 and the CSN 320. The AAA 322 is responsible for subscriber authentication and accounting operations. The Reference Point R4 includes the set of Control Plane protocols and Bearer Plane protocols originating/terminating in various functional entities of an ASN that coordinate MS mobility between different ASNs and the Fe-GW, as well as between Fe-GWs. The Fe-GW 336 may also be connected to the Macro ASN-GW 314 through R4. The Reference Point R6-F includes the set of Control Plane and Bearer Plane protocols for communication between the WFAP 332 and the Fe-GW 336. The control and bearer plane traffic over the Reference Point R6-F is sent through an IPsec tunnel between the WFAP and the Se-GW. The Reference Point R3-F includes the set of Control Plane protocols, based on the protocols for R3 in the macro WiMAX network, to support the authorization, authentication and accounting of the WFAP 332 between the Femto ASN 330 and the Femto NSP 340. R3-F can also include management plane protocols between the management server and the WFAP. The Reference Point Rx includes the initial bootstrapping protocol between the WFAP and the bootstrap server.
[0022] FIG. 4 shows an example of the operational flow for discovery of the SeGw 334 via the security server or bootstrap server 344.
[0023] At Step 1, the WFAP 332 is booted up.
[0024] At Step 2, the WFAP 332 obtains its (outer) IP address from the backhaul network (e.g., DSL, cable) via a DHCP server. If the WFAP 332 does not have a pre-provisioned FQDN of the bootstrap server 344, the IP address of the bootstrap server 344 may be provided as a DHCP option.
[0025] If the WFAP 332 is pre-provisioned with the FQDN of the bootstrap server 344, the WFAP sends out a domain name server (DNS) query for the IP address of the bootstrap server 344, as shown by Step 3.
[0026] At Step 4, once the IP address of the bootstrap server 344 has been determined by the WFAP 332 in either Step 2 or Step 3, the WFAP 332 establishes a secure connection with the bootstrap server using, e.g., HTTPS, based on pre-provisioned credentials such as a digital certificate for the bootstrap server 344 that lets the WFAP authenticate the server 344. The WFAP 332 does not provide its own certificate to the server 344. Only the bootstrap server 344 is authenticated at this step.
[0027] At Step 5, the WFAP 332 connects to the bootstrap server 344 and requests and downloads initial configuration information, e.g., the IP address of the Se-GW 334, from the bootstrap server 344. The WFAP 332 provides its IP address and may also provide other location information (e.g., GPS data) so that the appropriate Se-GW 334 can be selected for the WFAP 332 by the bootstrap server 344. The WFAP 332 obtains the IP address of the Se-GW 334 from the bootstrap server 344. In addition, the WFAP 332 can obtain the FQDN of the management server.
[0028] At Step 6, the WFAP 332 and the Se-GW 334 authenticate each other and establish the VPN tunnel. The Se-GW 334 communicates with the Femto-AAA 342 via the Femto-GW 336 for the authorization of the WFAP 332. The inner IP address is also assigned to the WFAP 332 by the Se-GW 334.
[0029] At Step 7, the WFAP 332 and the Femto-AAA 342 communicate to perform the WFAP authentication. The WFAP 332 then performs a DNS query to obtain the IP address of the management server from the management server FQDN obtained at Step 5.
[0030] At Step 8, the WFAP 332 connects to the management server. The WFAP 332 sends its local information to the management server, such as the IP address of the WFAP 332, its location information and other data. The WFAP 332 then downloads its configuration information from the management server.
[0031] At Step 9, the WFAP 332 and the femto GW 336 establish their R6-F communication via the Se-GW 334.
[0032] In the above process, the WFAP 332 may authenticate the Security Server 344 to prevent malicious spoofing, e.g., via the server certificate of the Security Server. If a Fully Qualified Domain Name (FQDN) is pre-configured in the WFAP 332, the WFAP 332 performs the DNS query to obtain the public IP address or the URL of the Security Server 344 prior to authenticating the Security Server 344, if required. Since an ordinary DNS answer is not itself authenticated, the server certificate check, rather than the resolved address, is what establishes that the WFAP is talking to the genuine Security Server. If the deployment of the WFAP is nationwide or international, the Security Server 344 is likely deployed in a server farm architecture, and the closest Security Server 344 is approached by the WFAP 332 to obtain the IP address or the URL of the SeGW 334. When the Security Server 344 communicates with the WFAP 332 via HTTPS or HTTP, the format of the initial configuration parameters, including the IP address or URL of the SeGW, can be standardized, e.g., in the form of SOAP/XML.
[0033] In the process in FIG. 4, the WFAP 332 opens an HTTPS session to the bootstrap server 344. The bootstrap server certificate is presented during the authentication without using a WFAP certificate. Hence, the WFAP 332 authenticates the bootstrap server 344, but not the reverse. This session is used by the WFAP 332 to inform the bootstrap server 344 of its IP address and location information and to retrieve the Se-GW IP address and the FQDN of the management server.
[0034] Alternatively, a system can be provided to allow the WFAP 332 to obtain the IP address or the URL of the SeGW via the pre-configured FQDN or public IP address of a DHCP server. FIGS. 5 and 6 show an example.
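The Step 4 and Step 5 exchange of FIG. 4, with both the WFAP side and the bootstrap server side written out, as an added example that is not part of the patent or of any ZTE code. It assumes a hypothetical SOAP/XML schema (the element names and the `urn:example:femto-bootstrap` namespace are made up), a constructed farm of three SeGWs with coordinates, and it models the pre-provisioned server certificate as a pinned public-key fingerprint, where a real WFAP would make that check inside the TLS handshake. The WFAP side validates what comes back: the SeGW address must parse and must not be a private, loopback, link-local or multicast address, and the management server name must be a syntactically valid hostname, because a freshly booted WFAP has nothing else to cross-check this response against.

```python
"""WFAP <-> bootstrap-server exchange of Steps 4-5, simulated offline.

Added example, not code from the patent. The SOAP/XML element names, the
namespace, the SeGW farm and the pinned key are constructed assumptions.
"""
import hashlib
import hmac
import ipaddress
import math
import re
import xml.etree.ElementTree as ET

# Constructed trust anchor: the WFAP is pre-provisioned with a fingerprint of the
# bootstrap server's public key (the patent pre-provisions the server certificate).
PINNED_SERVER_KEY = b"constructed-bootstrap-server-public-key"
PINNED_FINGERPRINT = hashlib.sha256(PINNED_SERVER_KEY).hexdigest()

# Constructed SeGW "server farm": (name, public IP, latitude, longitude).
SEGW_FARM = [
    ("segw-east", "203.0.113.10", 40.7, -74.0),
    ("segw-west", "203.0.113.20", 37.8, -122.4),
    ("segw-eu", "198.51.100.5", 51.5, -0.1),
]
MGMT_SERVER_FQDN = "mgmt.femto.example.net"          # constructed
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
CFG = "urn:example:femto-bootstrap"                  # hypothetical schema namespace
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Address blocks a SeGW must never live in (RFC 1918, loopback, link-local, "this net").
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def wfap_verify_server(presented_key: bytes) -> bool:
    """Step 4: one-way server authentication against the pinned fingerprint."""
    return hmac.compare_digest(hashlib.sha256(presented_key).hexdigest(), PINNED_FINGERPRINT)


def wfap_build_request(outer_ip: str, lat: float, lon: float) -> str:
    """Step 5 request: the WFAP reports its outer IP and GPS position."""
    ipaddress.ip_address(outer_ip)  # reject garbage before it leaves the device
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><c:BootstrapRequest xmlns:c="{CFG}">'
            f'<c:OuterIP>{outer_ip}</c:OuterIP><c:Lat>{lat}</c:Lat><c:Lon>{lon}</c:Lon>'
            f'</c:BootstrapRequest></s:Body></s:Envelope>')


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km; the server farm picks the nearest SeGW with it."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def select_segw(lat, lon):
    """Bootstrap-server selection policy: nearest SeGW to the reported location."""
    return min(SEGW_FARM, key=lambda g: haversine_km(lat, lon, g[2], g[3]))


def bootstrap_server_respond(request_xml: str) -> str:
    """Server side of Step 5: validate the request, select a SeGW, answer in SOAP/XML."""
    req = ET.fromstring(request_xml).find(f"{{{SOAP}}}Body/{{{CFG}}}BootstrapRequest")
    if req is None:
        raise ValueError("malformed bootstrap request")
    lat = float(req.findtext(f"{{{CFG}}}Lat", default="nan"))
    lon = float(req.findtext(f"{{{CFG}}}Lon", default="nan"))
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):   # NaN fails this too
        raise ValueError("GPS position missing or out of range")
    name, ip, _, _ = select_segw(lat, lon)
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><c:BootstrapResponse xmlns:c="{CFG}">'
            f'<c:SeGw name="{name}">{ip}</c:SeGw>'
            f'<c:ManagementServer>{MGMT_SERVER_FQDN}</c:ManagementServer>'
            f'</c:BootstrapResponse></s:Body></s:Envelope>')


def wfap_parse_config(response_xml: str) -> dict:
    """WFAP side of Step 5: accept only a routable SeGW IP and a well-formed FQDN."""
    # Stdlib ElementTree does not fetch external entities, but it will expand entity
    # bombs; parse production input with defusedxml.
    resp = ET.fromstring(response_xml).find(f"{{{SOAP}}}Body/{{{CFG}}}BootstrapResponse")
    if resp is None:
        raise ValueError("malformed bootstrap response")
    segw = ipaddress.ip_address(resp.findtext(f"{{{CFG}}}SeGw", default="").strip())
    if (segw.is_loopback or segw.is_link_local or segw.is_multicast or segw.is_unspecified
            or any(segw in net for net in NOT_PUBLIC)):
        raise ValueError(f"SeGW address {segw} is not a public address")
    fqdn = resp.findtext(f"{{{CFG}}}ManagementServer", default="").strip().rstrip(".")
    if not HOSTNAME_RE.match(fqdn):
        raise ValueError("management server FQDN is not a valid hostname")
    return {"segw_ip": str(segw), "mgmt_fqdn": fqdn}


def run_bootstrap(outer_ip: str, lat: float, lon: float, presented_key: bytes) -> dict:
    """Steps 4-5 end to end: nothing is sent unless the server identity checks out."""
    if not wfap_verify_server(presented_key):
        raise PermissionError("bootstrap server failed the pinned certificate check")
    return wfap_parse_config(bootstrap_server_respond(wfap_build_request(outer_ip, lat, lon)))


if __name__ == "__main__":
    print(run_bootstrap("192.0.2.44", 38.0, -121.0, PINNED_SERVER_KEY))
```

The order of operations is the point: `run_bootstrap` refuses to build or send the request when the fingerprint check fails, so a spoofed DNS answer or a rogue DHCP option that points the WFAP at an impostor yields no location leak and no configuration, only a `PermissionError`.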
[0035] FIG. 5 shows an example of a WiMAX implementation of the system in FIG. 1 that obtains the IP address of the SeGW via the pre-configured FQDN, URL or public IP address of a femto DHCP server 510. In this example, if an FQDN is pre-configured in the WFAP, the WFAP performs a DNS query to obtain the public IP address of the femto DHCP server 510. In a nationwide or international deployment, the femto DHCP server 510 is likely deployed in a server farm architecture, and the closest femto DHCP server 510 is approached by the WFAP to obtain the IP address of the SeGW. The standards-based security mechanisms that the DHCP protocol supports can also be applied in FIG. 5. Since the DHCP protocol is publicly standardized in a well-known format, this design does not require any additional format within the DHCP configuration file to support this capability; only the specific parameters for the initial configuration need to be specified.
[0036] FIG. 6 shows a control flow of the system interactions for the WFAP to obtain the IP address of the SeGw via the DHCP Server access.
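The DHCP delivery path of Step 2 and of FIG. 5, as an added example that is not taken from the patent: a parser for the options area of a DHCPACK that extracts a bootstrap-server address carried in a vendor-specific sub-option, plus a builder for a constructed ACK to run it against. The patent names no option code, so option 43 with sub-option 1 is an assumption of this example. The parser walks the RFC 2132 code/length/value encoding, tolerates padding, concatenates repeated codes as RFC 3396 requires, and refuses truncated options. Because plain DHCP on a third-party backhaul is not authenticated, an address learned this way only tells the WFAP where to connect; the server certificate check of Step 4 is still what establishes trust.

```python
"""Extracting a bootstrap-server address from the options area of a DHCPACK
(the Step 2 path, and the DHCP-server path of FIG. 5).

Added example, not code from the patent. The patent names no option code; the
vendor-specific sub-option used here is a hypothetical operator choice.
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # RFC 2132 start of the options area
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_VENDOR_SPECIFIC, OPT_SERVER_ID = 53, 43, 54
DHCPACK = 5
SUBOPT_BOOTSTRAP_SERVER = 1             # hypothetical sub-option inside option 43


def _walk_tlv(data: bytes, start: int = 0, require_end: bool = True) -> dict:
    """RFC 2132 code/len/value walk shared by the options area and option 43.
    Repeated codes are concatenated (RFC 3396); truncated options raise."""
    found, i = {}, start
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return found
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: length byte missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated ({len(value)} of {length} bytes)")
        found[code] = found.get(code, b"") + value
        i += 2 + length
    if require_end:     # the outer options area must end with 255; option 43 may omit it
        raise ValueError("options area not terminated by END")
    return found


def parse_options(blob: bytes) -> dict:
    """Options area of a DHCP message, magic cookie included."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    return _walk_tlv(blob, start=len(MAGIC_COOKIE))


def bootstrap_server_from_ack(blob: bytes) -> str:
    """Return the bootstrap server IPv4 address carried in a DHCPACK, or raise."""
    opts = parse_options(blob)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        raise ValueError("not a DHCPACK")
    subs = _walk_tlv(opts.get(OPT_VENDOR_SPECIFIC, b""), require_end=False)
    raw = subs.get(SUBOPT_BOOTSTRAP_SERVER)
    if raw is None or len(raw) != 4:
        raise ValueError("bootstrap server sub-option missing or not 4 bytes")
    ip = ipaddress.IPv4Address(raw)
    if ip.is_multicast or ip.is_loopback or ip.is_unspecified or ip.is_link_local:
        raise ValueError(f"{ip} cannot be a bootstrap server address")
    return str(ip)


def build_ack(bootstrap_ip: str, server_id: str) -> bytes:
    """Constructed DHCPACK options area, as a DHCP server on the backhaul would send it."""
    sub = bytes([SUBOPT_BOOTSTRAP_SERVER, 4]) + ipaddress.IPv4Address(bootstrap_ip).packed
    return (MAGIC_COOKIE
            + bytes([OPT_MSG_TYPE, 1, DHCPACK])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([OPT_PAD])                      # padding is legal anywhere
            + bytes([OPT_VENDOR_SPECIFIC, len(sub)]) + sub
            + bytes([OPT_END]))


if __name__ == "__main__":
    print(bootstrap_server_from_ack(build_ack("203.0.113.7", "192.0.2.1")))
```

A WFAP that accepts whatever option 43 says and connects to it is exposed to any host on the access segment that can answer DHCP faster than the real server; the parser above only bounds what it will parse, and the address it returns still goes through the server authentication of Step 4 before any configuration is trusted.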
[0037] The disclosed and other embodiments and the functional operations described in this document can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this document and their structural equivalents, or in combinations of one or more of them. The disclosed and other embodiments can be implemented as one or more computer program products, i.e., one or more modules of computer program instructions encoded on a computer readable medium for execution by, or to control the operation of, data processing apparatus. The computer readable medium can be a machine-readable storage device, a machine-readable storage substrate, a memory device, a composition of matter effecting a machine-readable propagated signal, or a combination of one or more of them. The term "data processing apparatus" encompasses all apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, or multiple processors or computers. The apparatus can include, in addition to hardware, code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, or a combination of one or more of them. A propagated signal is an artificially generated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, that is generated to encode information for transmission to suitable receiver apparatus.
[0038] A computer program (also known as a program, software, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program does not necessarily correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, subprograms, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
[0039] The processes and logic flows described in this document can be performed by one or more programmable processors executing one or more computer programs to perform functions by operating on input data and generating output. The processes and logic flows can also be performed by, and apparatus can also be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit).
[0040] Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for performing instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, a computer need not have such devices. Computer readable media suitable for storing computer program instructions and data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
[0041] While this document contains many specifics, these should not be construed as limitations on the scope of an invention that is claimed or of what may be claimed, but rather as descriptions of features specific to particular embodiments. Certain features that are described in this document in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or a variation of a sub-combination. Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results.
[0042] Only a few examples and implementations are disclosed. Variations, modifications, and enhancements to the described examples and implementations and other implementations can be made based on what is disclosed.

Claims

What is claimed is: 1. A method for discovering a security gateway for attaching a wireless access point in a wireless communication system, comprising:
connecting a wireless access point to a communication network to obtain an IP address of a security server that is configured to assist the wireless access point to discover security gateways in the system;
using the obtained IP address to establish a communication between the wireless access point and the security server;
operating the security server to obtain information of the wireless access point and to select a security gateway from security gateways in the system, based on the information of the wireless access point;
operating the wireless access point to obtain an IP address of the selected security gateway from the security server; and
using the obtained IP address of the selected security gateway to establish a communication between the wireless access point and the security gateway and to attach the wireless access point to the system via the security gateway.
2. The method as in claim 1, comprising:
after connecting the wireless access point to the communication network, performing a domain name search from a domain name server to obtain a domain name of the security server; and
based on the obtained domain name of the security server, operating the wireless access point to authenticate the security server prior to operating the security server to select the security gateway from security gateways in the system.
3. The method as in claim 2, comprising:
after establishing the communication between the wireless access point and the security gateway, operating the security gateway to authenticate the wireless access point before attaching the wireless access point to the system via the security gateway.
4. The method as in claim 1, comprising:
after connecting the wireless access point to the communication network, using pre-provisioned information in the wireless access point to obtain a domain name of the security server without conducting a domain name search; and
based on the obtained domain name of the security server, operating the wireless access point to authenticate the security server prior to operating the security server to select the security gateway from security gateways in the system.
5. The method as in claim 4, comprising:
after connecting the wireless access point to the communication network, using pre-provisioned information in the wireless access point to obtain a domain name of the security server without conducting a domain name search; and
based on the obtained domain name of the security server, operating the wireless access point to authenticate the security server prior to operating the security server to select the security gateway from security gateways in the system.
6. A wireless communication system, comprising:
a radio access service network (ASN) that includes security gateways to which one or more wireless access points can be attached; and
a security server that is connected to the ASN and configured to assist a wireless access point to discover one of the security gateways to attach,
wherein each security gateway includes a mechanism operable to authenticate the security server to a wireless access point before authenticating the wireless access point; wherein the security server includes a mechanism to select one of the security gateways based on information from the wireless access point and to send an IP address of the selected security gateway to the wireless access point for establishing a communication between the wireless access point and the selected security gateway.
7. The system as in claim 6, comprising:
a mechanism that performs a domain name search from a domain name server to obtain a domain name of the security server prior to selecting one of the security gateways.
8. A method for discovering a security gateway for attaching a wireless access point in a wireless communication system based on WiMAX, comprising:
operating a wireless femto access point to obtain an IP address of a bootstrap server that is configured to assist the wireless femto access point to discover security gateways in the system;
using the obtained IP address to establish a communication between the wireless femto access point and the bootstrap server;
operating the bootstrap server to obtain information of the wireless femto access point and to select a security gateway from security gateways in the system, based on the information of the wireless femto access point;
operating the wireless femto access point to obtain an IP address of the selected security gateway from the bootstrap server; and
using the obtained IP address of the selected security gateway to establish a communication between the wireless femto access point and the security gateway and to attach the wireless femto access point to the system via the security gateway.
9. The method as in claim 8, comprising:
performing a domain name search from a domain name server to obtain a domain name of the bootstrap server; and
based on the obtained domain name of the bootstrap server, operating the wireless femto access point to authenticate the bootstrap server prior to operating the bootstrap server to select the security gateway from security gateways in the system.
10. The method as in claim 9, comprising:
after establishing the communication between the wireless femto access point and the security gateway, operating the security gateway to authenticate the wireless femto access point before attaching the wireless femto access point to the system via the security gateway.
11. The method as in claim 8, comprising:
using pre-provisioned information in the wireless femto access point to obtain a domain name of the bootstrap server without conducting a domain name search; and
based on the obtained domain name of the bootstrap server, operating the wireless femto access point to authenticate the bootstrap server prior to operating the bootstrap server to select the security gateway from security gateways in the system.
12. The method as in claim 11, comprising:
using pre-provisioned information in the wireless femto access point to obtain a domain name of the bootstrap server without conducting a domain name search; and
based on the obtained domain name of the bootstrap server, operating the wireless femto access point to authenticate the bootstrap server prior to operating the bootstrap server to select the security gateway from security gateways in the system.
PCT/US2010/042671 2009-07-20 2010-07-20 Femto access security gateway discovery in wireless communications WO2011011467A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2012521742A JP5559882B2 (en) 2009-07-20 2010-07-20 Discovery of femto access security gateway in wireless communication

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US22702809P 2009-07-20 2009-07-20
US61/227,028 2009-07-20

Publications (1)

Publication Number Publication Date
WO2011011467A1 true WO2011011467A1 (en) 2011-01-27

Family

ID=43499389

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2010/042671 WO2011011467A1 (en) 2009-07-20 2010-07-20 Femto access security gateway discovery in wireless communications

Country Status (2)

Country Link
JP (1) JP5559882B2 (en)
WO (1) WO2011011467A1 (en)


Legal Events

121 Ep: the EPO has been informed by WIPO that EP was designated in this application (ref document number 10802815, country EP, kind code A1)
WWE WIPO information: entry into national phase (ref document number 2012521742, country JP)
NENP Non-entry into the national phase (ref country code DE)
122 Ep: PCT application non-entry in European phase (ref document number 10802815, country EP, kind code A1)