Patent Application
20130040608
The invention relates to a network element and method for providing access control for a cellular communication network, and more particularly to a network element and method for providing access control for in-building wireless (mobile) communication units attempting to connect to a core network of a cellular communication network.
Wireless communication systems are well known in the art, such as the 3rd Generation (3G) of mobile telephone standards and technology. An example of such 3G standards and technology is the Universal Mobile Telecommunications System (UMTS), developed by the 3rd Generation Partnership Project (3GPP) (www.3qpp.org).
Typically, wireless communication units, or User Equipment (UE) as they are often referred to, communicate with a Core Network (CN) of a wireless communication system via a Radio Network Subsystem (RNS). A wireless communication network typically comprises a plurality of radio network subsystems, each radio network subsystem comprising one or more cells to which UEs may attach, and thereby connect to the network.
Access to a network, or services provided by the network, is typically authorised by the CN of the network. Furthermore, such access to the network is typically provided irrespective of the particular cell to which a UE is attached, so long as they are within communication range of a serving base station. However, the inventor has recognised that in certain circumstances it may be desirable for access to the network via specific cells to be limited, for example to specific UEs or users, or indeed access to be prevented for specific UEs or users.
By way of example, femto-cell or pico-cell Access Points (APs) are a recent development within the field of wireless cellular communication systems. Femto-cells or pico-cells are effectively communication coverage areas supported by low power base stations (otherwise referred to as serving communication units). These cells are able to be piggy-backed onto the more widely used macro-cellular network and support communications to UEs in a restricted, for example ‘in-building’, environment. Typical applications for such femto-cell or pico-cell APs include, by way of example, residential and commercial (e.g. office) locations, ‘hotspots’, etc, whereby an AP can be connected to a core network via, for example, the Internet using a broadband connection or the like. In this manner, femto-cells or pico-cells can be provided in a simple, scalable deployment in specific in-building locations where, for example, network congestion at the macro-cell level is an issue.
As will be appreciated, where the provider of the AP is a homeowner, business, etc., for example in a case of residential or commercial applications, public access to the network via the AP would be undesirable. Accordingly, it would be desirable for access to the network via such APs to be limited, for example to specific UEs or users, or access to be prevented for specific UEs or users.
As previously mentioned, access to a network, or services provided by the network, is typically authorised by the CN. When a UE moves from one location area to another location area, the UE sends a location update request to the core network, the location update request typically comprises a mobile subscriber identity number for the UE and a location area code (LAC) for the location area for which the UE has moved into. In order for the CN to limit access for individual cells, it would be necessary for each cell to be provided with a unique LAC. As will be appreciated by a skilled artisan, the LAC typically only comprises 16 bits, and as such only 65,535 unique LACs are possible. Since wireless communication networks typically comprise individual cells which number in the millions, using the LAC to limit access for individual cells is clearly not a practical solution.
3GPP technical specification 22.043 defines Support of Localized Service Area (SoLSA), which specifies a mechanism that can be used as a platform for providing special tariffs, and/or a special set of service features for certain subscriber units within a regionally restricted area or areas. In particular, SoLSA allows a network operator to offer subscribers, or groups of subscribers, different services, different tariffs and different access rights depending on their geographical location.
A problem with SoLSA is that it requires the CN, the radio network sub-system (RNS) and the UE to be upgraded in order to support this functionality. This is a particular problem with regard to UEs, since it takes significant effort and a long time for new functionality to be provided within UEs, and to achieve a level of market penetration where it becomes possible to rely on the use of the new functionality. As a consequence, there has been limited, if any, support for SoLSA. Thus, SoLSA has failed to provide a suitable mechanism with which to limit access to the network for individual cells.
Thus, there exists a need for a method and apparatus for providing access control for a cellular communication network, which aims to address at least some of the shortcomings of past and present access control techniques and/or mechanisms.
Accordingly, the invention seeks to mitigate, alleviate or eliminate one or more of the abovementioned disadvantages singly or in any combination.
According to a first aspect of the invention, there is provided a network element for providing access control, for a wireless communication unit operating within a communication cell supported by the network element, to a core network of a cellular communication network. The network element comprises a receiver for receiving a message from the wireless communication unit comprising identity information. The network element further comprises logic, operably coupled to the receiver, for determining whether to permit the mobile communication unit access to the core network, based at least in part on the received identity information.
In one optional embodiment of the invention, the network element comprises a transmitter for transmitting an Identity Request message to the wireless communication unit, such that the message received from the mobile communication unit comprising identity information is received in response thereto.
In one optional embodiment of the invention, the receiver receives a Location Update Request message from the wireless communication unit attempting to connect to the core network and the network element transmits an Identity Request message to the wireless communication unit in response thereto.
In one optional embodiment of the invention, the Location Update Request message may be intended for the core network, and the logic in the network element may be arranged to intercept the Location Update Request message. In one optional embodiment of the invention, the Location Update Request message may be in a form of a Mobility Management (MM) message, intended for receipt by the core network.
In this manner, when a mobile communication unit attaches to a cell, and performs, say a location update procedure, the identity of the mobile communication unit attempting to connect to the core network via the cell may be determined. For example, an identity for the wireless communication unit may be requested, in order to determine whether the wireless communication unit should be allowed to access the core network via that communication cell. Consequently, access to the network may be limited on an individual cell basis. Furthermore, by utilising the location update procedure, it may not be necessary for wireless communication units or the core network to be upgraded in order to support this enhanced functionality.
In one optional embodiment of the invention, the network element may comprise a memory element, operably coupled to the logic, and arranged to store the message such that the logic may retrieve the message from the memory element and forward the message to the core network, if the logic determines that the wireless communication unit is permitted access to the core network. In this manner, the network element may be able to store and process the message whilst determining whether the message emanates from a valid wireless communication unit, and forwards the message on to the core network if it does.
In one optional embodiment of the invention, the logic may be arranged to send a null message to the core network in addition to forwarding the message to the core network. In this manner, the sending of a null message to the core network may ensure that counters between the wireless communication unit and the core network remain synchronised.
In one optional embodiment of the invention, the logic may be arranged to construct the null message with a same sequence number as that of the message received from the wireless communication unit comprising identity information.
In one optional embodiment of the invention, the logic may construct and send, and optionally continue to re-send, a User Authentication Request message comprising an invalid Authentication Token, in response to the logic determining that the wireless communication unit is not permitted access to the core network. In this manner, by using a failed authentication procedure to reject the wireless communication unit, the network element may force the wireless communication unit to treat the individual cell as ‘cell barred’.
In one optional embodiment of the invention, the communication cell supported by the network element may be allocated a locally unique location area code. In this manner, by modifying the known allocation of location area codes, the network may ensure that no adjacent cells have the same code. This may force the wireless communication unit to perform a location update whenever it enters a new cell.
In one optional embodiment of the invention, the network element may comprise a memory element arranged to store IMSIs for wireless communication units permitted access to the core network via the communication cell. In this manner, the network element may be able to provide access control based on information contained therein, without needing to consult or pass on messages to the core network.
In one optional embodiment of the invention, the network element may be an access point base station, for example, one part of a radio network sub-system comprising an access point base station controller, via which the access to the core network is supported. For example, the network element may be a Node-B arranged to support access over a Universal Mobile Telecommunications System (UMTS) network. In this manner, the network element is suitable to support femto-cell or pico-cell communications.
According to a second aspect of the invention, there is provided a method for providing access control to a core network of a cellular communication network, for a wireless communication unit operating within a communication cell and supported by the network element. The method comprises receiving a message from the wireless communication unit comprising identity information and determining whether to permit the wireless communication unit access to the core network based at least in part on the received identity information.
According to a third aspect of the invention, there is provided a radio network sub-system comprising an aforementioned network element.
According to a fourth aspect of the invention, there is provided a wireless communication system comprising an aforementioned network element or adapted to support the aforementioned method of access control.
According to a fifth aspect of the invention there is provided a computer-readable storage element having computer-readable code stored thereon for programming signal processing logic to perform a method for providing access control to a core network of a cellular communication network for a wireless communication unit operating within a communication cell supported by the network element. The method comprises receiving a message from the wireless communication unit comprising identity information and determining whether to permit the wireless communication unit access to the core network, based at least in part on the received identity information.
These and other aspects, features and advantages of the invention will be apparent from, and elucidated with reference to, the embodiment(s) described hereinafter.
Embodiments of the invention will be described, by way of example only, with reference to the accompanying drawings, in which:
Referring now to the drawings, and in particular
The UMTS network 100 comprises a radio network sub-system (RNS) 110 operably coupled to a core network (CN) 120 of the UMTS network 100. The RNS 110 comprises a network element 130 arranged to support communication in at least one communication cell within the UMTS network, via which at least one mobile communication unit, or User Equipment (UE) 150, may connect to the CN 120. The network element 130 is further arranged to provide access control for UEs 150 attempting to connect to the core network 120 from the at least one communication cell. The RNS 110 further comprises a controller 140, via which the network element 130 is coupled to the CN 120. The network element 130 comprises signal processing logic 160 and memory element 170.
In the context of embodiments of the invention, the UE 150 is a wireless communication unit comprising a transceiver 152 arranged to transmit and receive signals to/from the radio network, in this case network element 130. As would be appreciated by a skilled person, UE 150 comprises numerous other functional and logical elements, operably coupled to the transceiver 152, to support wireless communications and functionality and which will not be described further herein. In addition, network element 130 also comprises at least one transceiver 155, comprising receiver circuitry and transceiver circuitry, arranged to transmit and receive signals to/from the UE 150. As would be appreciated by a skilled person, network element 130 comprises numerous other functional and logical elements and functionality, in addition to those illustrated, in order to support wireless communications with the UE and wired or wireless communication with the core network 120, and which will not be described further herein.
Referring now to
As will be appreciated by a skilled artisan, ‘Node-B’ is a term used within UMTS to denote a base transceiver station (BTS). As is typical in cellular communication systems, a base station, such as a Node-B 230, comprises at least one radio frequency (RF) receiver (not shown) and at least one RF transmitter (not shown), used to communicate wirelessly with UEs, such as UE 150, over an air interface (Uu).
As will also be appreciated by a skilled artisan, a radio network controller (RNC) 240 within a UMTS radio access network (UTRAN), which for the illustrated embodiment comprises the RNS 110, is responsible for control of each Node-B connected thereto via an lub interface. Typically, the RNC carries out radio resource management, some of the mobility management functions, etc. The RNC 240 is coupled to the CN 120 via, in a case of a packet switched core network, an lu-PS interface.
Referring now to
As will be appreciated by a skilled artisan, an Access Point (AP) is a communication element that facilities access to a communication network via a communication cell, such as a femto-cell. One application is that a femto-AP may be purchased by a member of the public and installed in their home. The femto-AP may then be connected to a femto-AP controller over the owner's broadband connection. As the femto-AP is using resources paid for by the owner, it is desirable for the owner to control who has access to the femto-AP.
Thus, an AP is a scalable, multi-channel, two-way communication device that may be provided within, say, residential and commercial (e.g. office) locations, ‘hotspots’ etc, to extend or improve upon network coverage within those locations. Although there are no standard criteria for the functional components of an AP, an example of a typical AP for use within a UMTS system may comprise Node-B functionality and some aspects of RNC functionality. For the embodiment illustrated in
In the same manner as for a Node-B, such as the Node-B 230 of
The AP controller 340 may be coupled to the CN 120 via lu-PS interface. In this manner, the AP 330 is able to provide voice and data services to a cellular handset, such as UE 150, in the same way as a conventional Node-B, but with the deployment simplicity of, for example, a Wireless Local Area Network (WLAN) access point.
Referring now to
The method starts with an establishment of a Radio Resource Control (RRC) connection 405 when the UE 150 attempts to join a cell provided by the AP 330. Having established an RRC connection 405, the UE 150 sends a Location Update Request message 410 to the CN 120, via the RNS 110.
As will be appreciated by a skilled artisan, a UE 150 will send a Location Update Request message when it enters a communication cell having a Location Area Code (LAC) different to that of the communication cell from which the UE 150 has come, or when the UE 150 first attempts to connect to the network. In order to ensure that a UE 150 sends a Location Update Request, the communication cell supported by the AP 330 preferably comprises a locally unique LAC, such that the LAC differs from those of neighbouring/adjacent communication cells from which a UE 150 may move. Thus, the LAC may relate to one or more further communication cells, if those communication cells are not adjacent to the communication cell supported by the AP 330.
The Location Update Request message 410 is in a form of a Mobility Management (MM) message, and initiates a location update procedure, allowing a UE 150 to inform the CN 120 whenever it moves from one location area to another. Typically, MM messages are communicated between a UE 150 and the CN 120, the RNS 110 being substantially transparent and simply relaying the MM messages between the UE 150 and the CN 120.
In one embodiment of the invention, the Location Update Request message comprises a Temporary Mobile Subscriber Identity (TMSI) number that has preferably previously been assigned to the UE 150 by the CN 120 and the LAC of the communication cell to which the UE 150 has moved (e.g. the LAC of the AP 330 for the illustrated embodiment). In this manner, the CN 120 is able to identify the UE 150, and determine to which location area the UE 150 has moved. As will be appreciated by a skilled artisan, only the CN 120 is able to identify a UE 150 from the TMSI of that UE 120.
For the embodiment illustrated in
The AP 330 then determines whether the UE 150 should be permitted access to the network using the IMSI, and for the example illustrated in
Typically, Identity Request messages to a UE 150 originate from the CN 120, for example in a form of a MM message. Consequently, in accordance with one embodiment of the invention, the AP 330 may send the Identity Request message 420 as a MM message, which appears to originate from the CN 120. Where this is the case, the Identity Response message 425 from the UE 150 will also be in a form of a MM message, intended for the CN 120.
As will be appreciated by a skilled artisan, uplink messages from the UE 150 to the CN 120 contain a sequence number. The CN 120 checks the sequence number in all received messages it receives from a UE 150 and discards the message if the sequence number is incorrect. When the AP 330 exchanges Identity Request/Response messages with the UE 150, the counter in the UE 150 will have been incremented, as the UE 150 believed it was communicating with the CN 120.
In order to maintain synchronisation between the UE 150 and the CN 120, the AP 330 sends a null message 440 to the CN 120, via the AP controller 340, in addition to forwarding the Location Update Request message. The null message 440 is constructed with the same sequence number as that of the Identity Response message 425 received from the UE 150.
The AP controller 340 receives the Location Update Request message 435, and the null message 440, and establishes a Signalling Connection Control Part (SCOP) connection 445 with the CN 120, and transmits the Location Update Request message 450 and the null message 455 to the CN 120 via, for example, the lu-PS connection. Upon receipt of each message, the CN 120 increments its counter in order to remain synchronised with the UE 150. Thus, the null message 455 causes the CN 120 to increment its counter a second time, thereby avoiding a loss of synchronisation that would otherwise be caused by the Identity Response message 425.
Having received the Location Update Request, the CN 120 identifies the UE 150 based on its TMSI, and then decides whether to allow the UE 150 into the new location area. For the example illustrated in
The AP controller 340 receives the Location Update Accept message 465, and forwards the message 470 to the AP 330, which then transmits the message 475 over the air interface to the UE 150.
Having transmitted the Location Update Accept message 465 back to the RNS 110, the CN 120 sends a Connection Release message 480 to the RNS 110. The RNS 110, upon receipt of the Connection Release message 480, releases the SCCP connection 485 there between. Similarly, once the AP 350 has transmitted the Location Update Accept message 475 to the UE 150, it releases the RRC connection 490 there between.
Referring now to
In the same way as for the method of
Upon receipt of the Location Update Request message 410 from the UE 150 over the air-interface, the RNS 110, or more particularly the AP 330 for the illustrated embodiment, intercepts and stores 415 the message, and sends an Identity Request message 420 to the UE 150. The UE 150 then responds with an Identity Response message 425 comprising the identification of the UE 150, which for the illustrated embodiment comprises the IMSI of the UE 150.
The AP 330 then determines whether the UE 150 should be permitted access to the network using the IMSI, and for the example illustrated in
For the embodiment illustrated in
Alternative techniques are contemplated for rejecting a UE. For example, a network element, upon determining not to permit the UE access to the core network, may release the RRC connection. However, this may result in the UE attempting to establish a new connection with the network element. A further alternative may be for the network element to send a ‘Location Update Reject’ message to the UE. However, this would cause the UE to stop accessing any cell having the Location Area Code as that of the cell provided by the network element.
The determination by the AP 330 whether the UE 150 should be permitted access to the network provides the advantage of enabling access to a network to be limited on an individual cell basis. Furthermore, by utilising the location update procedure within, for example, a UMTS system, in order to enable the AP 330 to identify when a UE 150 joins the cell, and to request the identity (IMSI) of the UE 150, the mechanism substantially alleviates any need for the UE to be adapted to support the functionality. The same is true for the use of an invalid Authentication Token within a User Authentication Request message, as the use of such a parameter in the manner described effectively causes the UE to leave the cell.
Thus, it is envisaged that the inventive concept may be implemented for current UEs, and thus substantially alleviates a problem of providing new functionality within UEs, which is known to be time consuming and only commercially viable once a high level of market penetration has been achieved. Furthermore, the determination by the AP 330 as to whether the UE 150 should be permitted access to the network is advantageously substantially hidden from the CN 120, and as such requires no supporting functionality to be provided within the CN 120.
As previously mentioned, a network element, such as the AP 330 described above is arranged to provide access control for UEs attempting to connect to a core network (CN) of a cellular communication network. The network element may determine whether to accept a UE or not based on the IMSI for the UE. By way of example, IMSIs for each UE that is permitted to access the CN via the cell of that network element may be stored in a memory element 170 of the network element. In this manner, when a UE attempts to connect to the core network, the network element may compare the IMSI for that UE to those stored in the memory element 170. If the IMSI for that UE matches one of the IMSIs stored in memory, the IMSI is accepted, and the UE is permitted access to the CN. Conversely, if the IMSI does not match one of the IMSIs stored in memory, the IMSI is not accepted, and the network element may apply the procedure described in
Alternatively, the IMSIs for UEs that are not permitted to access the CN via the particular communication cell of the network element may be stored in memory. In this manner, when a UE attempts to connect to the core network, the network element may compare the IMSI for that UE to those stored in memory. If the IMSI for that UE matches one of the IMSIs stored in memory, the IMSI is not accepted, and the network element cause may again employ the method of
It is envisaged that the IMSIs may be stored within a memory unit of the network element (whether those IMSIs are for UEs permitted to access the core network or not permitted access via the cell for that network element), in any suitable manner. For example, the network element may comprise a user interface, or may be operably coupled to a device comprising a user interface such as a personal computer or the like. IMSI may then be stored manually or automatically or provided to the network element in any other manner, say, via the user interface.
Alternatively, telephone numbers associated with IMSIs may be entered into the user interface, and in this way provided to the network element. Upon receipt of one or more telephone numbers, the network element may then request, for example from the core network or other server or host, the IMSI with which the, or each, telephone number is associated.
In this manner, the network element may be configured to provide the required access control, and updated as required.
It will be appreciated that, for clarity purposes, the above description has described embodiments of the invention with reference to different functional units and processors. However, it will be apparent that any suitable distribution of functionality between different functional units or processors, for example with respect to the network element or controller, may be used without detracting from the invention. For example, it is envisaged that functionality illustrated to be performed by separate processors or controllers may be performed by the same processor or controller. Hence, references to specific functional units are only to be seen as references to suitable means for providing the described functionality, rather than indicative of a strict logical or physical structure or organization.
Aspects of the invention may be implemented in any suitable form including hardware, software, firmware or any combination of these. The invention may optionally be implemented, at least partly, as computer software running on one or more data processors and/or digital signal processors. Thus, the elements and components of an embodiment of the invention may be physically, functionally and logically implemented in any suitable way. Indeed, the functionality may be implemented in a single unit, in a plurality of units or as part of other functional units.
Although one embodiment of the invention describes an AP for UMTS network, it is envisaged that the inventive concept is not restricted to this embodiment.
It is envisaged that the aforementioned inventive concept aims to provide one or more of the following advantages:
The inventive concept enables access control for a network to be provided on an individual cell basis.
The inventive concept only requires supporting functionality to be provided within an RNS, and in particular within a network element arranged to support communication in at least one communication cell within the cellular communication network, such as a base station, Node-B, access point, etc.
The inventive concept does not require supporting functionality to be provided within UEs.
The inventive concept does not require supporting functionality to be provided within the core network.
The modifying of the known allocation of location area codes ensures that no adjacent cells have the same code. This forces the UE to perform a location update whenever it enters a new cell.
Initiating an Identity Procedure from the Access Network instead of the core network allows the access network to discover the IMSI of a UE when it connects.
Sending a MM_NULL message to the core network ensures that the counters of the network element and the core network remain synchronised.
Using the failed authentication procedure to reject the UE makes the UE treat the individual cell as ‘cell barred’. A more usual method of rejecting the UE is to send a Location Update Reject message. This has the downside that the UE is blocked from accessing all the cells with the same Location Area Code rather than just the individual cell.
Although the invention has been described in connection with some embodiments, it is not intended to be limited to the specific form set forth herein. Rather, the scope of the present invention is limited only by the accompanying claims. Additionally, although a feature may appear to be described in connection with particular embodiments, one skilled in the art would recognize that various features of the described embodiments may be combined in accordance with the invention. In the claims, the term ‘comprising’ does not exclude the presence of other elements or steps.
Moreover, an embodiment can be implemented as a computer-readable storage element having computer readable code stored thereon for programming a computer (e.g., comprising a signal processing device) to perform a method as described and claimed herein. Examples of such computer-readable storage elements include, but are not limited to, a hard disk, a CD-ROM, an optical storage device, a magnetic storage device, a ROM (Read Only Memory), a PROM (Programmable Read Only Memory), an EPROM (Erasable Programmable Read Only Memory), an EEPROM (Electrically Erasable Programmable Read Only Memory) and a Flash memory. Further, it is expected that one of ordinary skill, notwithstanding possibly significant effort and many design choices motivated by, for example, available time, current technology, and economic considerations, when guided by the concepts and principles disclosed herein will be readily capable of generating such software instructions and programs and ICs with minimal experimentation.
Furthermore, although individually listed, a plurality of means, elements or method steps may be implemented by, for example, a single unit or processor. Additionally, although individual features may be included in different claims, these may possibly be advantageously combined, and the inclusion in different claims does not imply that a combination of features is not feasible and/or advantageous. Also, the inclusion of a feature in one category of claims does not imply a limitation to this category, but rather indicates that the feature is equally applicable to other claim categories, as appropriate.
Furthermore, the order of features in the claims does not imply any specific order in which the features must be performed and in particular the order of individual steps in a method claim does not imply that the steps must be performed in this order. Rather, the steps may be performed in any suitable order. In addition, singular references do not exclude a plurality. Thus, references to ‘a’, ‘an’, ‘first’, ‘second’ etc. do not preclude a plurality.
Thus, a method and apparatus for providing access control for a cellular communication network has been described, which substantially addresses at least some of the shortcomings of past and present access control techniques and/or mechanisms.
| Number | Date | Country | Kind |
|---|---|---|---|
| 0619179.5 | Sep 2006 | GB | national |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 12442985 | Oct 2009 | US |
| Child | 13653685 | US |
