Patent Application
20130095789
This invention relates to an access point, and in particular to an access point that can be used to establish connections with user equipment devices using both a cellular air interface and a WiFi air interface.
Many mobile devices are equipped with radio transceivers that allow them to connect to a network either using WiFi or using a cellular radio access technology, such as GPRS, WCDMA or LTE. Typically, the user will make use of the cellular radio access technology while moving, but might choose to use WiFi when stationary in the vicinity of a WiFi access point. In some situations, WiFi will provide higher data rates over the air interface, and thereby allow faster upload and download times. However, discovery of available WiFi access points typically involves selecting a suitable access point, and subsequent authentication typically requires the user to enter a password. Thus, the use of WiFi might be less efficient than that of the cellular access technology, even if the data rate over the air interface is higher.
According to aspects of the present invention, there are provided methods of operation of an access point. According to other aspects of the invention, there are provided access points configured for operating in accordance with the methods. According to still further aspects of the invention, there are provided methods of operation of user equipment devices, and user equipment devices themselves configured for operating, in conjunction with the access points. According to still further aspects of the invention, there are provided core network nodes configured to operate with the access points.
For a better understanding of the present invention, and to show how it may be put into effect, reference will now be made, by way of example, to the accompanying drawings, in which:
The access point 10 has a connection, for example using the customer's existing broadband internet connection, over a public wide area network (WAN) such as the internet 18. This allows the access point to be connected to the core network (CN) 20 of the cellular communications network through a femtocell gateway (FGW) 22. Equally, the processor 16 can direct traffic to other destinations over the internet, without passing it through the core network (CN) 20 of the cellular communications network, when required.
A user equipment (UE) device, such as a smartphone 24, is able to establish connections with the femtocell modem 12 over the 3G cellular air interface and/or with the WiFi transceiver 14 over the WiFi air interface using unlicensed radio spectrum.
As described with reference to
A user equipment (UE) device, such as a smartphone 48, is able to establish connections with any one of the access points 30, 32, 34, 36, 38 over the cellular air interface and/or over the WiFi air interface using unlicensed radio spectrum. In this illustrated example, the cellular air interface is a 3G air interface, and the remainder of the description will refer to this specific case, but the cellular air interface can rely on any cellular technology, including, but not limited to, a 4G LTE cellular technology.
The basic mode of operation of the access point is that 3G will be the “master” connection and WiFi the “slave” for any UE device that includes both 3G and WiFi radio transceivers. The co-location of WiFi and 3G in the access point allows localised and dynamic decision making on authentication and usage policy of the two air interfaces to offer an overall better user experience by making discovery and authentication of WiFi automatic from a user point of view and allowing the use of potentially higher WiFi air interface speeds to reduce upload/download times. The result is to make the WiFi experience more like cellular where discovery and authentication are, in almost all circumstances, zero-touch and invisible to the user.
The close integration of the 3G and WiFi solutions also allows the WiFi traffic to be connected into a 3G Iuh gateway which simplifies WiFi deployment by a cellular operator in that it is included within standard 3G infrastructure. No specialised WiFi core elements are required, providing economic advantages to the operator whilst also delivering high security for the WiFi traffic and attached WiFi users.
When considering the arrival, registration and subsequent operation of a 3G/WiFi UE, such as a smartphone, on a combined 3G/WiFi access point, there are a number of operational steps that can be controlled by 3G processes to allow the WiFi connection in the UE to attach and provide managed service.
The WiFi transceiver in the access point detects signals transmitted by other nearby WiFi access points, and uses the results to configure itself so that it operates on the least interfered WiFi frequency. Alternatively, the choice of WiFi channel can be configured in conjunction with the selection of UMTS Primary Scrambling Code (PSC), in order to maximise diversity and interference distance between access points.
The WiFi power setting can also be determined based on measurements made in the access point, in a manner corresponding to power setting in femtocells. In an environment as shown in
The access point also uses the detected signals transmitted by other nearby WiFi access points to set a locally-determined identifier, for example a service set identifier (SSID). This self-configuration can be repeated as necessary to adapt to the changing RF environment as other WiFi access points come and go around the cell, but the SSID would preferably remain constant unless the same SSID were detected to be in use by another local access point, in which case it could be changed.
A first question is whether a UE, that has roamed onto the access point so that it has a connection thereto over the cellular air interface, should also establish a WiFi connection. This can be configured in the access point so that: all connected UEs are invited to connect to the WiFi access point; only compatible UEs are invited to connect to the WiFi access point; all UEs that are determined to be involved in sessions requiring high data rates are invited to connect to the WiFi access point; or only UEs that initiate a request are invited to connect.
In this way, the access policy of the femtocell can be extended to the co-located WiFi access point. Thus, if the femtocell is operating in closed mode, with a predetermined list of allowed users (a “white list”), the same list of users can be allowed to use the WiFi access point, if desired. Alternatively, the WiFi access point can be made open to guest users, in which case it is possible to reserve capacity for users on the white list, and to throttle the data rate for guest users when necessary, or even to redirect guest users when the needs of the white list users make this necessary.
In any event where a connection is to be established, the WiFi transceiver in the UE needs to be configured to attempt to connect to the WiFi access point included within the small cell, and therefore the locally determined SSID needs to be set up within the UE WiFi transceiver. There are a number of mechanisms that can be used to provide an appropriate communications path to perform this function.
With the UE having connected to the WiFi transceiver within the small cell, the next step is to authenticate with the WiFi access point. There are several methods whereby this can be achieved.
In general terms, the authentication procedure for the WiFi transceiver is unified with the authentication procedure for the cellular access point.
The current WLAN base standard, i.e., IEEE Std 802.11-2007 defines two forms of authentication: 1) Pre-Shared Key authentication and 2) IEEE 802.1X/EAP-based authentication.
The Wi-Fi Alliance mandates that all WPA/WPA2 certified devices support at least Pre-Shared Key Authentication, however this form of authentication is usually associated with what is called WPA/WPA2-Personal mode; where there is a special ‘association’ between the WLAN Station and one specific WLAN Access Point (AP) [e.g. Residential or Small Office situations] because Pre-Shared Key authentication relies on a Shared Key/secret having been pre-configured in the Station and the AP before the Station tries to connect to the AP (
This makes Pre-Shared Key Authentication by itself unsuitable to ‘roaming’ scenarios where clients continuously move between APs with which they had no previous association.
The IEEE 802.1X/EAP-based authentication (
There is described here (
Thus the method replaces the use of an IEEE 802.1X/EAP infrastructure with 3G infrastructure to deliver the same level of WLAN security for the WLAN part of the communications between a dual mode client and dual mode Access Point. This is of special relevance in the context of the deployment of Small Multi-Standard Cells, where the same Access Point supports at least 3G and WLAN air interfaces, since this will allow such an access point to be connected simply with the 3G CN for authentication purposes on both the WLAN and 3G air interfaces, saving the need to also integrate the AP in a IEEE 802.1X/EAP-based infrastructure.
Furthermore in the case of a deployment consisting of several networked Multi-Standard Cells a Pre-Shared Key generated during a UMTS/GSM AKA procedure over the 3G air interface in one cell can be forwarded by that cell to all other Multi-Standard Cells in the deployment; which means that the UE will automatically share the same PSK with all cells in the deployment, and as such can re-use the same PSK to securely associate to every cell in the deployment. This offers a clear advantage relative to the typical enterprise/metro WLAN mobility case where the WLAN Station must perform a whole new EAP authentication run each time it decides to securely associate with a new Access Point, which not only requires heavier usage of infrastructure resources but also increases the ‘handover’ delay.
There is therefore defined a combined 3G+WLAN authentication and key management (AKM) framework in which the IEEE standards-based Pre-Shared Key AKM defined for the WLAN air interface relies on a previous run of the 3GPP standards-based AKM over the 3G air interface to generate the Pre-Shared Key (which is at the root of the Pre-Shared Key AKM for the WLAN air interface)
This allows a dual mode client equipped with a (U)SIM application to securely access any dual mode access points working as per this invention over the WLAN air interface using IEEE-standards based Pre-Shared Key AKM without either having to previously configure Pre-Shared Key(s) in all those Access Points, which means that there is no need to deploy a parallel NW infrastructure to support IEEE 802.1X/EAP based authentication (in addition to its 3G counterpart) because the run of the 3GPP standards-based AKM over the 3G air interface replaces the run of IEEE 802.1X/EAP based authentication.
MM—the Mobility Management protocol as defined in 3GPP TS 24.008
GMM—the GPRS Mobility Management protocol as defined in 3GPP TS 24.008
RRC—the radio Resource Control protocol as defined in 3GPP TS 25.331
RANAP—the Radio Application NW Application Protocol as defined in 3GPP TS 25.413
RUA—the RANAP User Adaptation protocol as defined in 3GPP TS 25.468
HNBAP—the HNB Application Protocol as defined in 3GPP TS 25.469
EAP—the “Extensible Authentication Protocol defined in IETF RFC 3748
IEEE 802.11—the protocol defined in IEEE Std 802.11-2007
Kc—GSM cipher key
Uu—Air interface between the UE and the UTRAN
WPA—Wireless Protected Access as defined by the Wi-Fi Alliance
WPA2—Wireless Protected Access 2 as defined by the Wi-Fi Alliance
STA_nonce—Nonce generated by the Station
AP_nonce—Nonce generated by the AP
EAPOL—EAP over LAN protocol defined in IEEE Std 802.1X and IEEE Std 802.11-2007
CCMP—Counter mode Cipher-block chaining Message authentication code Protocol
In order to provide a detailed description of the invention we shall first describe the how a WLAN Station securely associates with an Access Point in accordance with the current 802.11 base standard, i.e., IEEE Std 802.11-2007 which is at the base of the Wireless Protected Access frameworks WPA and WPA2 as defined by the Wi-Fi alliance.
We shall consider both Authentication and Key Management (AKM) frameworks and protocols supported by the standard, i.e., PSK-based and IEE 802.1X/EAP-based.
In order to establish communication with an WLAN AP the WLAN Station determines the AP capabilities and requirements either from listening to the periodical IEEE 802.11: BEACON management frame broadcast by the AP (passive scanning) or by receiving a IEEE 802.11: PROBE RESPONSE management frame in response to a previously sent a IEEE 802.11: PROBE REQUEST management frame (active scanning). (In the Figure, H stands for Header of the IEEE 802.11 Management frame, B for body of the frame.)
In particular the Robust Security Network Information Element (RSN IE) sent by the AP (in BEACON and PROBE RESPONSE) will contain the AKM protocols [PSK and/or IEEE 802.1X] and the Cryptographic suite(s) [TKIP for WPA, CCMP for WPA2] supported by the AP.
If the WLAN Station then determines that it wishes to associate it will start by performing an open system authentication procedure in which it formally declares its MAC address as its identity via a IEEE 802.11: AUTHENTICATION management frame Note that the AP will not actually perform any type of authentication at this time (this procedure has only been left in the current standard to maintain backward compatibility with the pre-IEEE Std 802.11-2007 state machine) and so the AP will simply respond with a ‘Success’ Status-code.
Then the WLAN Station shall send an IEEE 802.11: ASSOCIATION REQUEST management frame to the AP which lists the capabilities supported by the WLAN Station and its choices from any supported options by the AP. In particular it will include a RSN IE with its chosen AKM protocol (in this case PSK-based) and Cryptographic suite. If the AP agrees with this choice it will reply with IEEE 802.11: ASSOCIATION RESPONSE management frame containing a ‘Success’ Status-code. This completes the negotiation of the security mechanisms to be used to establish the necessary security associations between the Station and AP for mutual authentication and the secure exchange of L3 traffic
The AP will then start the ‘4-Way Handshake’ key management protocol where at the top of the key hierarchy for the protection of unicast (aka pairwise) traffic resides what is called the Pairwise Master Key (PMK). This key is 256 bit long.
In the base standard, i.e., IEEE Std 802.11-2007, the PMK is simply the Pre-Shared Key (PSK), expected to be pre-configured directly into the AP and WLAN Station via some type of user interface. (Case 1 in
However, when the Wi-Fi Alliance defined the requirements for WPA/WPA2 certification it introduced an extra level of security to protect the PSK against the fact that: 1) Many users configure very weak PSKs on their personal networks and 2) Most users do not change the PSK very often—if at all. This leaves the PSK somewhat vulnerable to attacks. In order to guard against this vulnerability the Wi-Fi Alliance added the requirement that (in both WLAN station and AP) the user-entered ‘password’ is combined with the AP's SSID and subject to cryptographic hashes in order to create a stronger PSK which is then used as the PMK. (Case 2 in
Note: Several additional methods to generate secure PSKs without requiring non technology savvy users to manually configure strong passwords and to know/understand the concept of SSID, have been introduced under the optional Wi-Fi Protected Setup (WPS) framework by the Wi-Fi Alliance in 2007.
In any case, a 256 bit shared PMK key will be obtained and as per IEEE Std 802.11-2007 the AP starts the ‘4-Way Handshake’ protocol by sending a EAPOL-Key packet which amongst other information carries a randomly generated nonce. When the WLAN Station receives this packet it draws its own random nonce and then proceeds to compute the Pairwise Temporal Key (PTK) from the PMK, the Station's MAC address, the AP BSSID (i.e. its MAC address) and the AP and Station nonces using a Pseudo random function The Station then breaks the PTK into:
The Station then generates the response EAPOL-Key packet containing its nonce and protects the packet with a Message Integrity code (MIC) using the newly generated EAPOL-Key KCK key. which will act as proof that it knows EAPOL-Key KCK (which can only be the case because it knew PMK/PSK)
When the AP receives this packet it has the necessary information to perform the same key derivation operations as the Station and go from the PMK to the PTK and then TK, EAPOL-Key KEK and EAPOL-Key KCK. It will then use the newly derived EAPOL-Key KCK to verify the MIC in the received EAP-Key packet. If the MIC checks out the AP considers that the Station has been authenticated. It will then generate a new random Group Temporal Key (GTK) [which will protect the multicast/broadcast traffic sent by the AP], encrypt it with the EAPOL-Key KEK key, build a EAPOL-Key packet to carry it and finally protect the packet with a MIC computed using the newly generated EAPOL-Key KCK key
When the Station receives this packet it will use its EAPOL-Key KCK key to check the validity of the MIC. If the MIC checks out the Station considers that the AP has been authenticated. It will then use its EAPOL-Key KEK key to decrypt the GTK encapsulated in the packet. Finally it sends a EAPOL-Key packet which serves to inform the AP that mutual authentication has been successful and the new temporal keys (TK, KEK, KCK, GTK) have been installed.
Thus at the end of the ‘4-Way Handshake’ the Station and AP will have been mutually authenticated and installed the security associations to be used to protect unicast and multicast/broadcast traffic.
The ‘only’ difference between this case and the ‘PSK case’ is that after the Station informs the AP that it wishes to use IEEE 802.1X/EAP-based AKM (via the RSN IE it sends in the IEEE 802.11: AUTHENTICATION frame) the AP starts the EAP authentication procedure and only perform the ‘4-way handshake’ after the EAP run has been successfully completed. The EAP authentication procedure mutually authenticates the Station and the Authentication Server and generates (in the Station and Authentication Server) a shared key (the Master Session Key—MSK)—which the Authentication Server pushes to the AP—whose first 256 bits become the PMK. This PMK is then used in the subsequent ‘4-Way handshake’ protocol exchange to mutually authenticate the Station and the AP and install the newly derived temporal keys to protect the unicast and multicast/broadcast traffic.
Thus it can be seen that effectively what the EAP authentication run does is to install a per ‘WLAN station-AP association’ Pre-Shared Key (PSK) in the WLAN Station and the AP, which is then used as PMK during the 4-way Handshake which is the actual procedure that mutually authenticates the WLAN Station and AP.
The same can be achieved by performing a UMTS AKA/GSM AKA run between a USIM/SIM application in a dual mode (3G+WLAN) UE and the HLR/HSS in the 3G CN via a dual mode (3G+WLAN) Multi Standard Cell since this run results in fresh shared keying material being installed in both the UE and the Multi Standard Cell.
Two scenarios will be considered:
In this scenario we consider a Multi Standard Cell which is not networked with other Multi Standard Cells.
For concreteness we shall consider the most likely deployment scenario (
Note however that this invention applies to any Subsystem that is connected to the 3G CN via a standard Iu interface while exposing both a 3G and WLAN air interface, for example as shown in
The dual mode UE will either contain a USIM application if the subscriber (identified by its IMSI) is a UMTS subscriber or a SIM application if the if the subscriber (identified by its IMSI) is a GSM subscriber. This application may or may not be located in a UICC (Universal Integrated Circuit Card).
The 3G ‘personality’ of the Multi Standard Cell will be broadcasting a locally unique LAI and RAI to force any UE that selects the cell to perform a location update (if the 3G client is MM Registered) and/or routeing area update (if the 3G client is GMM registered) as per 3GPP TS 24.008.
In both procedures the 3G CN will trigger a run of UMTS AKA before it accepts the Location Update or Routeing Area Update request. If successful this run of UMTS AKA will generate a fresh ciphering key (CK) and integrity protection key (IK) in the USIM application and in the 3G CN. These will be then pushed respectively to the 3G client of the UE and the Multi Standard Cell which can then use them to generate a Pre-Shared Key for subsequent WLAN authentication, i.e., PSK=f (CK, IK)
The function f that is used to generate the 256 bit PSK/PMK from CK and IK is up to implementation, however in order to protect CK and IK it should be a ‘one way function’, i.e. f(CK, IK) is such that (CK, IK) cannot be extracted from f(CK, IK).
The following describes the main events in
GW. If the HNB GW accepts the registration the Multi Standard Cell will forward the MM:LOCATION UPDATE REQ message (sent by the UE) to the HNB GW encapsulated in a RANAP: INITIAL UE MESSAGE message which is in turn encapsulated in a RUA: CONNECT message
This is illustrated in
As a result the following steps will differ:
Networked Multi Standard Cells are a set of Multi Standard Cells which are in logical communication, either directly (as shown by the lines 1200, 1201, 1202, 1203, 1204, 1205 in
When the UE detects that it has entered the coverage area of one of these Multi Standard Cells it will perform a MM or GMM registration procedure that will trigger the 3G CN to perform a run of UMTS/GSM AKA (according to whether the subscriber is a UMTS or GSM subscriber). In the typical case that these cells will be operating a common LAI/RAI different from that of surrounding macro cells, then the change of LAI/RAI by itself will automatically trigger such procedures (MM Location Update/GMM Routeing Area Update). Each AKA run will end up with a shared (CK, IK) pair in the UE and the Multi Standard Cell.
If the Multi Standard Cell is unaware of a PSK for that UE (IMSI) (i.e. it was not informed by other Multi Standard Cells of one existing) it will generate one from the first generated (CK, IK)−PSK=f (CK, IK)
The UE will do the same and generate the same PSK (
After a Multi Standard Cell generates a Pre-Shared Key for a UE (IMSI) it will immediately ‘broadcast’ the Pre-Shared Key to all other cells in the deployment (
As a consequence the UE WLAN Station can now perform PSK-based authentication with any cell in the deployment using the same PSK (
Note that this provides a clear advantage relative to the case where IEEE 802.1X/EAP authentication is used since in that case the UE WLAN Station would have to perform a new EAP round every time it associated with a new access point.
4. At some point the UE WLAN Station will read the BEACON frame from the WLAN AP in cell 1 and learn its SSID which triggers it to try to securely associate with that AP. It will perform the usual IEEE 802.11 ‘open system’ Authentication and Association procedures during which it will convey to the AP the is of the UE it is part of via a Vendor-specific IE
10. From reading the BEACON of cell 2 it knows cell 2 is part of the same NW since it is operating the same SSID as cell 1, the WLAN Station will thus automatically decide to re-use PSK—1 to perform the PSK-based authentication with the AP function in Cell 2. The UE will include both its MAC address and IMSI in either the AUTHENTICATION (in the figure) of REASSOCATION REQ frames. This ensures that cell 2 can retrieve the (CK, IK) associated to the UE, i.e., (CK—1, IK—1) and check that the binding between UE's IMSI and MAC address corresponds to that informed by cell 1 (this makes it impossible for a rogue UE to modify its asserted MAC address). At the same time the UE should inform the AP function in Cell 1 that it is disassociating so that no more traffic for the UE is sent there
Thus, this arrangement has the advantage that the operator does not have to support the CAPEX and OPEX of a typical WLAN metro/enterprise infrastructure in order to provide WLAN services to 3G+WLAN UEs. Instead it can re-use its 3G infrastructure to support both the 3G and WLAN services.
Also, WLAN Mobility between networked WLAN access points that are part of Multi Standard Cells is made quicker because the UE does not need to perform a fresh EAP authentication round every time it moves from on AP to another. This means that there is a shorter interruption in the traffic flow when the UE moves between access points and thus less disruption is felt by applications relying on a continuous traffic stream.
A 3G CN can provide authentication and key management services to 3G+WLAN UEs in both air interfaces without requiring the deployment of a AAA Server infrastructure.
Thus, as options for authentication, it is possible to:
The use of the local AAA could allow pure WiFi devices to connect if the standard WPA2 procedures were used.
As an alternative to providing an AAA server in the small cell access point, the AAA server could be provided in the cellular core network (for example in the HLR), and a part of the required functionality could be provided in the access point so that it can use the AAA server.
Currently, in the absence of any other mechanism, the WiFi usage policy for a 3G/WiFi smartphone is set by the manufacturer and/or user of the device. However, having authenticated the UE, the access point can then also send commands as to how the usage policy of the WiFi air interface is fixed by the smartphone UE. For example, data sessions typically connect over WiFi in preference to 3G if the phone is connected to a WiFi AP in accordance with the connection manager configuration within the phone. (Which WiFi AP to connect to can be set by the ANDSF function in the operator network—or, far more commonly, by user intervention when a WiFi AP is detected.) It would be attractive to actively manage the WiFi connection in response to changing congestion/interference levels on both 3G and WiFi so that data throughput is maintained as best as possible under varying traffic loads. There are various ways in which this could be achieved:
The co-location of WiFi and a sophisticated FAP software stack would allow WiFi traffic to be passed into the cellular core by packaging up the data traffic as a separate PDP context from other PS traffic flowing through the phone. Alternatively, the WiFi data might be sent as part of the same PDP context, using the same Iuh IPsec tunnel.
In general it might be expected that a cellular operator might seek to avoid sending additional traffic to a cellular core if it was possible to be offloaded directly onto the internet at the WiFi AP. However, filters or the like that have been set by the user for the cellular traffic can automatically be applied to the WiFi traffic, allowing operators to build customer value from managing all user traffic through a centralised core for enhanced security (that is, with a guarantee that a user identity could not be spoofed) or for guarantees on content (for example with access to adult sites restricted or prevented). This builds on the principle that the access point knows the identity of the user, because of the cellular connection, and can use this to provide services relating to the WiFi connection.
The small cell access point includes a processing function to perform a number of functions that decouple the backhaul performance from the air interface performance. These functions include downlink caching of files/web pages that are accessed by multiple users, uplink caching of large files uploaded by users which can be fed up a congested backhaul link without burdening the air interface, compression functions that reduce the file sizes of large video, photo and audio files.
Any of these functions can be applied in common to traffic over either of the air interfaces in the access point.
The availability of this processing function in the access point means that it is also possible to include URL filters, to enforce operators' policies on accessible web sites, and to perform virus scanning of any files transferred. The use of common filters, policies, and the like allows freer integration of the WiFi data traffic into the cellular core network, and of data transferred over the cellular air interface into the IP network without passing through the cellular core network.
In the case of deployment of the type shown in
The handover of connections will now be described in more detail.
Traditionally the deployment of new 3G cells would involve a high effort in terms of network planning in order to integrate those new cells with each other and into the existing (typically macro) network in a tightly coordinated fashion. Such a coordinated deployment of new 3G cells would involve the setting up of dedicated physical transport connections between the new cells themselves and towards the existing NW infrastructure, the manual configuration of new neighbour relations between the new cells and between the new cells and the existing macro cells, etc.
However, deployments of 3G cells that do not follow such a coordinated methodology are increasingly common. They rely on the widespread availability of cheap IP and/or LAN connectivity and on the ability of the new 3G cells to self-configure themselves and create the necessary logical and transport level associations between themselves and the existing 3G deployments.
Nevertheless such un-coordinated deployments of 3G cells suffer from several limitations by having to re-use the legacy 3G standards, arising from the inbuilt assumption in those standards of the use of a coordinated deployment procedure.
One of the most important of these limitations concerns the fact that before 3GPP Release 9 it was not possible to request a 3G UE to report the (unique) Logical Cell Identity of a measured 3G cell. This is because the 3G standards assumed that, as a result of the logical associations created during the coordinated deployment procedure, the UE reporting the Physical Cell Identity (PCI) (i.e. primary scrambling code PSC, and frequency carrier, UARFCN) operated by a 3G cell would always be enough for the NW to uniquely identify the reported cell.
3G standards also ‘force’ the UE to rely heavily on NW-provided detailed neighbour cells lists (where each neighbour cell is identified by its PCI) for mobility purposes, i.e., to a large extent if a cell's PCI is not provided as part of a neighbour list that cell will be ‘invisible’ to the UE for mobility purposes. At the same time the standards place strong restrictions on the number of entries that can be provided in a neighbour list.
The consequence is that operators typically can only spare a few entries/PCIs in their existing network neighbour lists to be used as pointers to the un-coordinated 3G cells and these 3G cells are thus forced to heavily re-use that small number of PCIs across their deployments.
This inexorably leads to difficulties in resolving the UE reported PCI of an un-coordinated 3G cell into that cell's unique Logical Cell ID, which is essential for supporting handover to that cell as the target cell needs to be prepared in anticipation for the UE arrival
The situation in WLAN networks operating according to IEEE Std 802.11-2007 is very different. The mobility framework in these networks follows the UE-controlled mobility principle, instead of the NW controlled/UE-assisted mobility principle used in 3G NWs. This means that, while in 3G NWs during the handover procedure it is the role of the NW to prepare the target 3G cell to receive the 3G UE, in WLAN NWs that role is played by the UE itself. A consequence of this is that during the WLAN mobility preparation procedures the WLAN UE will always need to address the target WLAN AP using that AP's unique address/logical identity which is its MAC address.
Thus unlike the 3G mobility case, in the course of a WLAN mobility preparation procedure it will always be clear what the unique identity of the target AP is.
When one considers a network of integrated 3G+WLAN cells/APs, whose 3G ‘personality’ is deployed in an un-coordinated fashion (as described above) it is clear that there is scope for the integrated APs to cooperate in using the WLAN mobility preparation procedure to guide the resolution of the identity of the target 3G cell for an associated 3G handover procedure. The following describes how this can be achieved.
A network of ‘smart’ dual mode APs takes advantage of the fact that each AP is simultaneously a 3G and WLAN ‘provider’, by having their 3G personalities use UE mobility-related information gathered via their WLAN personalities to prepare 3G handovers between themselves, which would otherwise be compromised by the source 3G AP's inability to uniquely identify the target 3G AP from UE 3G measurement reports alone.
In order to describe the invention we shall start by reviewing in detail what are the limitations in supporting 3G handover between 3G ‘cells’ deployed in a ‘un-coordinated’ fashion i.e. with no manual cell planning in the macro network or the cells themselves, etc. Then we shall review how mobility is handled in WLAN networks.
Finally we describe an embodiment of the invention that consists on how in the case of a deployment of dual mode 3G+WLAN APs/Cells, (where the 3G cell “personality’ of the AP is deployed in an un-coordinated fashion) the WLAN mobility procedure between two APs can assist in the ‘associated’ 3G handover procedure between two APs.
Consider the case of a 3 G operator which determines that it can only set aside four entries in its 3G macro cell's neighbour lists for the support of mobility towards un-coordinated 3G small cell deployments. Each entry in these lists corresponds to one Physical Cell ID (PCI). The reserved PCIs are denominated {PCI—1, PCI—2, PCI—3, and PCI—4}.
Consider then the case of an enterprise deployment of (contiguous) ‘small 3G cells’ which is not coordinated with the macro cellular network that surrounds/overlaps the enterprise and which is deployed without local manual cell planning. That is, the small cells self-configure their PCI, (logical) Cell ID etc.
Naturally, all small 3G cells must operate one of these four PCIs: {PCI—1, PCI—2, PCI—3, and PCI—4}.
In order to minimise the probability of a UE being exposed to transmissions from two different small cells using the same PCI, each small cell will be programmed to self-configure to use a PCI that is not being used by any of the other small cells it detects in its surroundings (roughly speaking its first order neighbours).
The small cells in the enterprise are assumed to be able to inter-communicate allowing them to exchange information relevant to each other's operations, e.g. the (Cell ID, PCI) pairs each small cell detects.
This and other information sharing procedures may go some way towards allowing each small cell to build a ‘map of the deployment’. However, there will always be cases where, when a small cell receives a UE measurement report for a certain PCI, it cannot resolve that PCI into the associated unique Cell Identity. This means that the standardised 3G handover methods cannot be used since they assume that the source RNC/BSC function knows the unique cell identity of the target cell so that it can address it to prepare it for the handover.
An example scenario is shown in
As such it does not know which small cell to prepare for the 3G handover.
In WLAN networks, contrary to the case of 3G networks, mobility is UE controlled, i.e., it is the UE (WLAN station), not the Network (i.e. the WLAN APs), that ultimately decides which WLAN AP the UE associates with.
Accordingly, unlike the case of 3G NWs, where the network is responsible for preparing the target 3G cell for the 3G handover procedure, in WLAN NWs it is up to the UE (WLAN Station) to prepare the target WLAN AP for the transition from being associated with the ‘source’ AP to being associated with the ‘target’ AP.
The current WLAN base standard, i.e., IEEE Std 802.11-2007 supports two BSS/AP transition methods:
(Note: A Base Station Service (BSS) is composed of a WLAN AP and the WLAN Stations that are associated with it.)
In this case, as shown in
If pre-authentication is successful both the UE and the target AP will share a cached authentication SA.
Thus when the UE decides to reassociate with the Target AP it can skip the 802.1X/EAP authentication procedure and will only have to perform the ‘4-Way handshake procedure’ to setup the Security Associations to protect the data traffic. This reduces the amount of time the UE looses data connectivity during AP transition.
In this case, as shown in
The IEEE 802.11r-2008 ‘Fast BSS Transition’ (aka FT) amendment of IEEE Std 802.11-2007 introduces two new mechanisms by which a WLAN UE can create the necessary state in a Target AP (i.e. prepare the target AP) to receive it before the UE actually dissociates with the Source AP, that go beyond pre-authentication (i.e. the ‘pre-creation’ of an authentication context/SA between UE and Target AP) in order to further reduce the amount of time during which the UE has to suspend data traffic when moving between APs.
Both mechanisms allow not only the ‘pre-creation’ of an authentication context/SA between UE and Target AP, but also the ‘pre-creation’ of Security Associations between UE and Target AP to be used to protect the unicast and the multi/broadcast traffic and even make any necessary QoS reservations (when QoS Admission Control is supported in the NW).
In this method, as shown in
In this method, as shown in
Thus it can be seen that, either using the traditional BSS transition mechanisms of IEEE Std 802.11-2007 or using the Fast BSS Transition mechanisms of IEEE Std 802.11r-2008, there are two scenarios: 1) the UE uses over-the-air preparation of the Target AP and 2) the UE uses over-the DS preparation of the Target AP.
We now consider the scenario originally described in
A relevant part of the network is illustrated in
Now consider a UE 220 that enters the enterprise deployment via Multi Standard Cell A and accesses its services via both its 3G and WLAN radios, where it is in RRC CELL_DCH state—see 3GPP TS 25.331—in the 3G domain and has the necessary security associations [see IEEE Std 802.11-2007] (and optionally QoS state) in the WLAN domain which allow it to receive/transmit MAC data frames at ‘any time’.
Furthermore assume that:
As a consequence, Multi Standard Cell A knows the binding between the UE's IMSI and MAC address.
If at some point the UE's WLAN personality decides (e.g. due to e.g. radio quality issues) that it should stop being associated with Multi Standard Cell A and instead become associated with Multi Standard Cell E then, as reviewed above, there are four possible ways in which the UE can go about preparing the target AP functionality of Multi Standard Cell E. Assuming that the UE is programmed to always include its IMSI as a vendor-specific IE in the first IEEE 802.11 Management frame it sends to the Target AP the four cases are described below:
In this case, as shown in
6. MS Cell E uses the communication framework that inter-connects the MS Cells in the deployment to inform MS Cell A that the UE is preparing its WLAN transition thus informing MS Cell A of the 3G cell identity of the target cell
7. Meanwhile the BSS transition (without new authentication) procedure continues
In this case, as shown in
In this case, as shown in
In this case, as shown in
Thus, there is no need for the operator to deploy complex proprietary solutions or be restricted to 3GPP Release 9 UEs (not available) to identify the target 3G cell in order to support 3G handover between dual mode Access Points in non-radio planned deployments of such APs, e.g. enterprise-like deployments.
There is therefore disclosed an access point that allows efficient use of the available radio spectrum, in order to improve a user experience, while limiting additional costs for the operator.
| Number | Date | Country | Kind |
|---|---|---|---|
| 1117783.9 | Oct 2011 | GB | national |
