Virtual Device with Internet Protocol Security Tunnel

Information

  • Patent Application
    20180084409
  • Publication Number
    20180084409
  • Date Filed
    March 30, 2016
  • Date Published
    March 22, 2018
Abstract
An electronic device that establishes one or more Internet Protocol Security (IPSec) tunnels with an Evolved Packet Core (EPC) for another electronic device is described. In particular, the electronic device may receive, from the other electronic device, Extensible Authentication Protocol (EAP) information using a wireless local area network (WLAN) communication protocol, where the EAP information includes credentials used by the EPC to authenticate the other electronic device. Then, the electronic device may establish, with the EPC, one or more IPSec tunnels on behalf of the other electronic device using a wired communication protocol, where the one or more IPSec tunnels originate and terminate at the electronic device. Next, the electronic device may communicate encrypted information with the other electronic device using the WLAN communication protocol, where the encrypted information is encrypted using a different encryption protocol than IPSec.
Description
BACKGROUND
Field

The described embodiments relate to techniques for communicating information among electronic devices. In particular, the described embodiments relate to techniques for establishing an Internet Protocol Security tunnel on behalf of another electronic device.


Related Art

Many electronic devices are capable of wirelessly communicating with other electronic devices. For example, these electronic devices can include a networking subsystem that implements a network interface, such as a wireless local area network (WLAN), e.g., a wireless network such as one described in an Institute of Electrical and Electronics Engineers (IEEE) 802.11 standard (which is sometimes referred to as ‘Wi-Fi’).


There is increased interest in using a WLAN communication protocol to communicate voice communication (such as telephone calls), which is sometimes referred to as ‘Wi-Fi calling.’ In order to enhance the security of this communication, Wi-Fi calling often uses an Internet Protocol Security (IPSec) tunnel between a portable electronic device and the telephone network infrastructure, such as an Evolved Packet Core (EPC).


However, the communication using the WLAN communication protocol is also typically encrypted. This dual encryption is processor intensive and, therefore, may significantly reduce the battery life of the portable electronic device. In addition, the dual encryption can result in fragmentation issues. For example, the encrypted layer 2 packets associated with the WLAN communication protocol can become too large for inclusion in layer 3 packets (such as Ethernet packets). Consequently, the layer 3 packets may need to be disassembled and reassembled using multiple layer 2 packets, which increases the complexity and latency during processing and, thus, can degrade the communication performance.


SUMMARY

An electronic device that establishes one or more Internet Protocol Security (IPSec) tunnels with an Evolved Packet Core (EPC) for another electronic device is described. The electronic device includes: an antenna; and an interface circuit that, during operation, communicates with the other electronic device using a wireless local area network (WLAN) communication protocol and the EPC via a wired communication protocol. Moreover, during operation, the electronic device receives, from the other electronic device, Extensible Authentication Protocol (EAP) information using the WLAN communication protocol, where the EAP information includes credentials used by the EPC to authenticate the other electronic device. Then, the electronic device establishes, with the EPC, one or more IPSec tunnels on behalf of the other electronic device using the wired communication protocol, where the one or more IPSec tunnels originate and terminate at the electronic device. Next, the electronic device communicates encrypted information with the other electronic device using the WLAN communication protocol, where the encrypted information is encrypted using a different encryption protocol than IPSec.


Note that the WLAN communication protocol may include Wi-Fi. Moreover, the electronic device may include an access point.


Furthermore, the electronic device may include a network function other than an access point. For example, the electronic device may include a router.


Additionally, during operation the electronic device may advertise to the other electronic device a capability to establish the one or more IPSec tunnels.


In some embodiments, prior to receiving the EAP information, the electronic device associates in the context of the WLAN communication protocol with the other electronic device.


Note that the encrypted information may exclude a second encryption technique associated with the one or more IPSec tunnels.


Moreover, when communicating a packet with the EPC via the one or more IPSec tunnels, the electronic device may include an access point name (APN) in the packet for use by the EPC.


Furthermore, the electronic device may receive, from the other electronic device, a set of APNs associated with different types of information; and when communicating a packet having a type of information with the EPC via the one or more IPSec tunnels, the electronic device may select an APN associated with the type of information and may include the APN in the packet for use by the EPC.


Additionally, the encrypted information may include Dynamic Host Configuration Protocol (DHCP) information associated with the EPC.


In some embodiments, the credentials in the EAP information are encrypted.


Moreover, the electronic device may include: a processor; and a memory, coupled to the processor, which stores a program module that, during operation, is executed by the processor. The program module may include instructions for at least some of the operations performed by the electronic device.


Another embodiment provides a computer-program product for use with the electronic device. This computer-program product includes instructions for at least some of the operations performed by the electronic device.


Another embodiment provides a method. This method includes at least some of the operations performed by the electronic device.


This Summary is provided merely for purposes of illustrating some exemplary embodiments, so as to provide a basic understanding of some aspects of the subject matter described herein. Accordingly, it will be appreciated that the above-described features are merely examples and should not be construed to narrow the scope or spirit of the subject matter described herein in any way. Other features, aspects, and advantages of the subject matter described herein will become apparent from the following Detailed Description, Figures, and Claims.





BRIEF DESCRIPTION OF THE FIGURES


FIG. 1 is a block diagram illustrating communication among electronic devices in accordance with an embodiment of the present disclosure.



FIG. 2 is a flow diagram illustrating a method for establishing an Internet Protocol Security (IPSec) tunnel with an Evolved Packet Core (EPC) for another electronic device in accordance with an embodiment of the present disclosure.



FIG. 3 is a drawing illustrating communication among the electronic devices of FIG. 1 during the method of FIG. 2 in accordance with an embodiment of the present disclosure.



FIG. 4 is a drawing illustrating communication among the electronic devices of FIG. 1 during the method of FIG. 2 in accordance with an embodiment of the present disclosure.



FIG. 5 is a drawing illustrating communication among the electronic devices of FIG. 1 during the method of FIG. 2 in accordance with an embodiment of the present disclosure.



FIG. 6 is a block diagram illustrating an electronic device in accordance with an embodiment of the present disclosure.





Note that like reference numerals refer to corresponding parts throughout the drawings. Moreover, multiple instances of the same part are designated by a common prefix separated from an instance number by a dash.


DETAILED DESCRIPTION


FIG. 1 presents a block diagram illustrating communication among electronic devices. In particular, electronic device 110 (such as a cellular telephone) communicates with access point 112 via a wireless local area network (WLAN) communication protocol (such as Wi-Fi). This communication may be encrypted using an encryption technique, such as Wi-Fi Protected Access II (WPA-2).


Furthermore, access point 112 may communicate with an Evolved Packet Core (EPC) 114-1 via a wired communication protocol. This communication may occur via an Internet Protocol Security (IPSec) tunnel 116 on behalf of electronic device 110 using the wired communication protocol, where the IPSec tunnel originates and terminates at access point 112. Thus, access point 112 may function as a virtual electronic device for electronic device 110 in IPSec tunnel 116. Note that access point 112 may store level-3 or network-layer information in memory on access point 112 in order to encrypt communication on behalf of electronic device 110 with EPC 114-1 using IPSec.


As shown in FIG. 1, EPC 114-1 may include Evolved Packet Data Gateway (ePDG) 118-1 and Packet Data Network Gateway (PGW) 120-1. PGW 120-1 may communicate with Internet Protocol Multimedia Subsystem (IMS) network 122, which communicates with EPC 114-2 that includes PGW 120-2 and ePDG 118-2. Moreover, ePDG 118-2 may communicate with access point 124 using the same or a different wireless communication protocol via IPSec tunnel 126. Then, access point 124 may communicate with electronic device 128 via the same or a different WLAN communication protocol. This communication may also be encrypted using an encryption technique, such as WPA-2.


In this way, electronic devices 110 and 128 may conduct secure communication with each other via EPCs 114. This secure communication may facilitate Wi-Fi calling between electronic devices 110 and 128. (More generally, the secure communication may facilitate communication of a wide variety of information, such as voice, video, data, gaming, etc.) However, by originating and terminating IPSec tunnels 116 and 126 at access points 112 and 124, respectively, this communication technique may avoid double encryption of the wireless communication between electronic device 110 and access point 112 and between electronic device 128 and access point 124. Thus, the communication technique may eliminate the problems that double encryption can cause, such as degraded battery life in electronic devices 110 and 128, and fragmentation issues.


In some embodiments, access points 112 and 124 add an access point name (APN) in the level-3 or the network-layer frames or packets communicated to EPCs 114 (such as in Internet Key Exchange or IKEv2 messages). This APN may be used by EPCs 114 for various functions, including selection of quality-of-service parameters and appropriate PGWs. Furthermore, in some embodiments access points 112 and 124 may establish multiple instances of IPSec tunnels for electronic devices 110 and 128. For example, there may be IPSec tunnels for different types of information, such as voice, data, etc. Then, when access point 112 (or 124) sets up the IPSec tunnels on behalf of electronic device 110 (or 128), electronic device 110 (or 128) may communicate a set of APNs associated with different types of information to access point 112 (or 124), which are stored in memory in access point 112 (or 124). Using access point 112 as an illustration, when subsequently communicating a packet having a type of information with EPC 114-1 via one of a set of IPSec tunnels, access point 112 may select an APN associated with the type of information, may include the APN in the packet for use by EPC 114-1, and may route the packet to the selected IPSec tunnel associated with the APN.


Additionally, in some embodiments, if a user of electronic device 110 moves or changes their location, access point 112 hands off communication via the WLAN communication protocol to access point 130. This hand off may include transferring IPSec tunnel 116 (or state information specifying IPSec tunnel 116) so that access point 130 is able to skip some of the operations used to establish a new IPSec tunnel with EPC 114-1. This may involve level-3 or network-layer information being stored in memory on access points 112 and 130. Alternatively or additionally, the level-3 or network-layer information may be stored on a controller or a virtual controller for access points 112 and 130, and the level-3 or network-layer information may be selectively provided to access point 130 when a hand off occurs.


Note that there may be multiple IPSec tunnels on an access point (such as access point 124) due to multiple electronic devices. Thus, if there were an additional electronic device in FIG. 1, it may result in a new IPSec tunnel on access point 124 (for instance), which allows an additional ‘virtual electronic device’ to be instantiated on access point 124.


While the preceding discussion used Wi-Fi as an illustration, the communication technique may be used with a wide variety of communication protocols. Moreover, while IPSec tunnels 116 and 126 are established by access points 112 and 124 in FIG. 1, in other embodiments IPSec tunnels 116 and 126 originate and terminate on another electronic device having a network function other than an access point. For example, IPSec tunnel 116 (or 126) may originate and terminate on a router. More generally, IPSec tunnel 116 (or 126) may originate and terminate on an electronic device between electronic device 110 (or 128) and EPC 114-1 (or 114-2) that monitors authentication packets or frames. Thus, the router may function as a virtual electronic device for electronic device 110 (or 128) in IPSec tunnel 116 (or 126).


We now describe a method for establishing an IPSec tunnel, such as IPSec tunnel 116 (or 126) in FIG. 1. FIG. 2 presents embodiments of a flow diagram illustrating method 200 for establishing an IPSec tunnel with an EPC for another electronic device, according to some embodiments, which may be performed by an electronic device (such as an access point or a network function). During operation, the electronic device receives, from the other electronic device, Extensible Authentication Protocol (EAP) information (operation 212) using a wireless local area network (WLAN) communication protocol, where the EAP information includes credentials used by the EPC to authenticate the other electronic device. Note that the credentials in the EAP information may be encrypted, e.g., using or based on an EAP protocol for authentication and key agreement (EAP-AKA) or an EAP protocol for a subscriber identification module (EAP-SIM). In some embodiments the credentials are associated with a SIM card or a virtual SIM card.


Moreover, the electronic device establishes, with the EPC, the IPSec tunnel (operation 214) on behalf of the other electronic device using a wired communication protocol, where the IPSec tunnel originates and terminates at the electronic device.


Next, the electronic device communicates encrypted information with the other electronic device using the WLAN communication protocol (operation 216), where the encrypted information is encrypted using a different encryption protocol than IPSec. (Note that, in general, the communication between electronic device and the other electronic device is bidirectional.) Because the IPSec tunnel originates and terminates at the electronic device, the encrypted information may exclude a second encryption technique associated with the IPSec tunnel (i.e., the encrypted information may only be encrypted once using the different encryption protocol than IPSec). Note that the encrypted information may include Dynamic Host Configuration Protocol (DHCP) information associated with the EPC, which may include an address of one of the instances of PGW 120 (FIG. 1).


Furthermore, prior to receiving the Extensible Authentication Protocol (EAP) information (operation 212), the electronic device may optionally perform one or more operations (operation 210). For example, the electronic device may advertise to the other electronic device a capability to establish the IPSec tunnel, or the list of APNs it supports. Alternatively or additionally, the electronic device may associate in the context of the WLAN communication protocol with the other electronic device.


In some embodiments of method 200, there may be additional or fewer operations. Moreover, the order of the operations may be changed, and/or two or more operations may be combined into a single operation.


We now further describe exemplary embodiments of the communication technique. FIG. 3 presents a drawing illustrating communication among the electronic devices of FIG. 1 during method 200 in FIG. 2. In particular, FIG. 3 illustrates authentication, authorization, and accounting (AAA) interaction during the communication technique. Note that the communication technique (including method 300) may be compatible with a technical specification such as the 3rd Generation Partnership Project (3GPP) Technical Specification Group Services and Systems Aspects Architecture Enhancements for Non-3GPP Access (TS 33.402) Release 11. Note, however, that access point 112 may appear as user equipment (i.e., a virtual instance of electronic device 110) to ePDG 118-1, but will proxy EAP messages during the EAP exchange.


Note that Wi-Fi association occurs before the EAP messages are exchanged. Moreover, note that access point 112 can find or identify the location of ePDG 118-1 based on the public land mobile network (PLMN) configured on a subscriber identification module (SIM) or a virtual subscriber identification module (vSIM). This information in the credentials of electronic device 110 may specify a fully qualified domain name that maps to the location of ePDG 118-1. Thus, access point 112 may store layer-3 or network-layer information.


After receiving EAP AUTH (which indicates successful completion of the EAP authorization), electronic device 110 may run an authentication and key agreement technique, verify the authentication, and generate RES and a master session key (MSK). Then, as described further below with reference to FIG. 4, during DHCP discovery access point 112 may receive and store an Internet Protocol (IP) address (and, more generally, DHCP information) for electronic device 110 from ePDG 118-1. Access point 112 may provide the IP address to electronic device 110 via a DHCP offer.


Note that after method 400, IPSec tunnel 116 may be established between access point 112 and ePDG 118-1, and the communication between electronic device 110 and access point 112 may be encrypted using a different encryption technique or protocol.



FIG. 4 presents a drawing illustrating communication among the electronic devices of FIG. 1 during method 200 in FIG. 2. In particular, FIG. 4 illustrates how an IP address is assigned by PGW 120-1 (via the create session response) and routed to electronic device 110 by access point 112. For example, the IP address may be provided to electronic device 110 via DHCP by access point 112. When PGW 120-1 assigns the virtual electronic device running on access point 112 the IP address, access point 112 uses the IP address in its DHCP exchange with electronic device 110 (thus, access point 112 may store the IP address for subsequent use). Thus, access point 112 may simulate a DHCP server. Note that a subnet may need to be configured or derived on access point 112, because PGW 120-1 may not issue a subnet.


The forwarding of traffic from electronic device 110 to PGW 120-1 is shown in FIG. 5, which presents a drawing illustrating communication among the electronic devices of FIG. 1 during method 200 in FIG. 2. In particular, when enabled, there may be a one-to-one mapping of the WLAN to the virtual electronic device on access point 112. Moreover, all the traffic through the WLAN may traverse IPSec tunnel 116-1 to ePDG 118-1 and then the GPRS Tunneling Protocol (GTP) tunnel to PGW 120-1. Note that ‘traffic selectors’ sent over IKE may indicate the rules about what traffic is sent over IPSec tunnel 116-1, and these rules may be honored by access point 112.
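As an added illustration, not part of the patent, the following Python models the per-station virtual device the preceding paragraphs describe: each IPSec tunnel the access point terminates is tagged with the APN the station supplied for that type of traffic, IKEv2-style traffic selectors decide which tunnel a packet takes, and the tunnel state can be exported for the hand-off to another access point. The class and function names, the APN values, the station MAC and the address ranges are all constructed for the example.

```python
"""Constructed model of the per-station 'virtual device' an access point keeps for
the IPSec tunnels it terminates on behalf of a Wi-Fi station (example code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

UDP, TCP, ANY_PROTO = 17, 6, 0


@dataclass(frozen=True)
class TrafficSelector:
    """One IKEv2-style traffic selector: IP protocol (0 = any), destination port
    range and destination address range, as negotiated for a tunnel."""
    proto: int
    port_lo: int
    port_hi: int
    net: IPv4Network

    def matches(self, proto: int, dport: int, dst: IPv4Address) -> bool:
        return (self.proto in (ANY_PROTO, proto)
                and self.port_lo <= dport <= self.port_hi
                and dst in self.net)

    def specificity(self) -> Tuple[int, int, int]:
        """Higher is more specific: longer prefix, narrower port range, explicit proto."""
        return (self.net.prefixlen, -(self.port_hi - self.port_lo),
                int(self.proto != ANY_PROTO))


@dataclass
class IpsecTunnel:
    """One tunnel established with the ePDG for the station.  The APN is the one
    the station supplied for this traffic type; the access point includes it in
    the packets it sends towards the EPC."""
    tunnel_id: str
    apn: str
    selectors: Tuple[TrafficSelector, ...]


@dataclass
class VirtualDevice:
    """Per-station state: identity, the PGW-assigned address the access point
    later hands out over DHCP, and the tunnels with their selectors."""
    station_mac: str
    assigned_ip: IPv4Address
    tunnels: List[IpsecTunnel] = field(default_factory=list)

    def select_tunnel(self, proto: int, dport: int,
                      dst: IPv4Address) -> Optional[IpsecTunnel]:
        """Honour the negotiated traffic selectors: the most specific matching
        selector wins, so a catch-all data tunnel never swallows voice traffic
        that a narrower selector assigns to the IMS tunnel.  None means no tunnel
        carries the packet; the caller must not forward it in the clear
        (assumption for this example: such packets are dropped)."""
        best, best_score = None, None
        for tunnel in self.tunnels:
            for ts in tunnel.selectors:
                if ts.matches(proto, dport, dst):
                    score = ts.specificity()
                    if best_score is None or score > best_score:
                        best, best_score = tunnel, score
        return best

    def export_state(self) -> dict:
        """Serialisable tunnel state a controller can hand to the next access
        point so it can skip re-establishing the tunnels on hand-off."""
        return {
            "station_mac": self.station_mac,
            "assigned_ip": str(self.assigned_ip),
            "tunnels": [{"id": t.tunnel_id, "apn": t.apn,
                         "selectors": [(ts.proto, ts.port_lo, ts.port_hi, str(ts.net))
                                       for ts in t.selectors]}
                        for t in self.tunnels],
        }

    @classmethod
    def from_state(cls, state: dict) -> "VirtualDevice":
        """Rebuild the virtual device on the access point receiving the hand-off."""
        tunnels = [IpsecTunnel(t["id"], t["apn"],
                               tuple(TrafficSelector(p, lo, hi, IPv4Network(n))
                                     for p, lo, hi, n in t["selectors"]))
                   for t in state["tunnels"]]
        return cls(state["station_mac"], IPv4Address(state["assigned_ip"]), tunnels)


def build_sample_device() -> VirtualDevice:
    """Constructed sample: one station with a voice (IMS) tunnel and a data tunnel."""
    ims = IpsecTunnel("tun-ims", "ims", (
        TrafficSelector(UDP, 5060, 5060, IPv4Network("10.20.0.0/16")),    # SIP signalling
        TrafficSelector(UDP, 10000, 20000, IPv4Network("10.20.0.0/16")),  # RTP media
    ))
    data = IpsecTunnel("tun-internet", "internet", (
        TrafficSelector(ANY_PROTO, 0, 65535, IPv4Network("0.0.0.0/0")),   # everything else
    ))
    return VirtualDevice("02:00:00:00:00:01", IPv4Address("10.45.0.7"), [ims, data])


def apn_for_packet(dev: VirtualDevice, proto: int, dport: int, dst: str) -> Optional[str]:
    """APN the access point would put in the packet sent to the EPC, or None."""
    tunnel = dev.select_tunnel(proto, dport, IPv4Address(dst))
    return tunnel.apn if tunnel else None
```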


In some embodiments, the communication technique eliminates the need for a trusted wireless access gateway (TWAG). Instead, the network operators can use an ePDG to achieve EPC integration and avoid an overlay ‘trusted non-3GPP network.’ As noted previously, the virtual electronic device running on the access point may result in numerous IPSec tunnels to the ePDG. Moreover, the access point may be more intelligent in the communication technique, e.g., the access point may be APN aware.


We now describe embodiments of an electronic device, such as an electronic device that performs the operations in FIG. 2, e.g., access point 112 (FIGS. 1, 3-5). FIG. 6 presents a block diagram illustrating an electronic device 600 in accordance with some embodiments. This electronic device includes processing subsystem 610, memory subsystem 612, and networking subsystem 614. Processing subsystem 610 includes one or more devices configured to perform computational operations. For example, processing subsystem 610 can include one or more microprocessors, application-specific integrated circuits (ASICs), microcontrollers, programmable-logic devices, and/or one or more digital signal processors (DSPs).


Memory subsystem 612 includes one or more devices for storing data and/or instructions for processing subsystem 610 and networking subsystem 614. For example, memory subsystem 612 can include dynamic random access memory (DRAM), static random access memory (SRAM), and/or other types of memory. In some embodiments, instructions for processing subsystem 610 in memory subsystem 612 include: one or more program modules or sets of instructions (such as program module 622 or operating system 624), which may be executed by processing subsystem 610. Note that the one or more computer programs may constitute a computer-program mechanism. Moreover, instructions in the various modules in memory subsystem 612 may be implemented in: a high-level procedural language, an object-oriented programming language, and/or in an assembly or machine language. Furthermore, the programming language may be compiled or interpreted, e.g., configurable or configured (which may be used interchangeably in this discussion), to be executed by processing subsystem 610.


In addition, memory subsystem 612 can include mechanisms for controlling access to the memory. In some embodiments, memory subsystem 612 includes a memory hierarchy that comprises one or more caches coupled to a memory in electronic device 600. In some of these embodiments, one or more of the caches is located in processing subsystem 610.


In some embodiments, memory subsystem 612 is coupled to one or more high-capacity mass-storage devices (not shown). For example, memory subsystem 612 can be coupled to a magnetic or optical drive, a solid-state drive, or another type of mass-storage device. In these embodiments, memory subsystem 612 can be used by electronic device 600 as fast-access storage for often-used data, while the mass-storage device is used to store less frequently used data.


Networking subsystem 614 includes one or more devices configured to couple to and communicate on a wired and/or wireless network (i.e., to perform network operations), including: control logic 616, an interface circuit 618 and one or more antennas 620 (or antenna elements). (While FIG. 6 includes one or more antennas 620, in some embodiments electronic device 600 includes one or more nodes, such as nodes 608, e.g., a pad, which can be coupled to the one or more antennas 620. Thus, electronic device 600 may or may not include the one or more antennas 620.) For example, networking subsystem 614 can include a Bluetooth™ networking system, a cellular networking system (e.g., a 3G/4G network such as UMTS, LTE, etc.), a universal serial bus (USB) networking system, a networking system based on the standards described in IEEE 802.11 (e.g., a Wi-Fi® networking system), an Ethernet networking system, and/or another networking system.


Networking subsystem 614 includes processors, controllers, radios/antennas, sockets/plugs, and/or other devices used for coupling to, communicating on, and handling data and events for each supported networking system. Note that mechanisms used for coupling to, communicating on, and handling data and events on the network for each network system are sometimes collectively referred to as a ‘network interface’ for the network system. Moreover, in some embodiments a ‘network’ or a ‘connection’ between the electronic devices does not yet exist. Therefore, electronic device 600 may use the mechanisms in networking subsystem 614 for performing simple wireless communication between the electronic devices, e.g., transmitting advertising or beacon frames and/or scanning for advertising frames transmitted by other electronic devices as described previously.


Within electronic device 600, processing subsystem 610, memory subsystem 612, and networking subsystem 614 are coupled together using bus 628. Bus 628 may include an electrical, optical, and/or electro-optical connection that the subsystems can use to communicate commands and data among one another. Although only one bus 628 is shown for clarity, different embodiments can include a different number or configuration of electrical, optical, and/or electro-optical connections among the subsystems.


In some embodiments, electronic device 600 includes a display subsystem 626 for displaying information on a display, which may include a display driver and the display, such as a liquid-crystal display, a multi-touch touchscreen, etc.


Electronic device 600 can be (or can be included in) any electronic device with at least one network interface. For example, electronic device 600 can be (or can be included in): a desktop computer, a laptop computer, a subnotebook/netbook, a server, a tablet computer, a smartphone, a cellular telephone, a consumer-electronic device, a portable computing device, an access point, a transceiver, a router, a switch, communication equipment, test equipment, and/or another electronic device.


Although specific components are used to describe electronic device 600, in alternative embodiments, different components and/or subsystems may be present in electronic device 600. For example, electronic device 600 may include one or more additional processing subsystems 610, memory subsystems 612, networking subsystems 614, and/or display subsystems 626. Additionally, one or more of the subsystems may not be present in electronic device 600. Moreover, in some embodiments, electronic device 600 may include one or more additional subsystems that are not shown in FIG. 6. Also, although separate subsystems are shown in FIG. 6, in some embodiments some or all of a given subsystem or component can be integrated into one or more of the other subsystems or component(s) in electronic device 600. For example, in some embodiments program module 622 is included in operating system 624 and/or control logic 616 is included in interface circuit 618.


Moreover, the circuits and components in electronic device 600 may be implemented using any combination of analog and/or digital circuitry, including: bipolar, PMOS and/or NMOS gates or transistors. Furthermore, signals in these embodiments may include digital signals that have approximately discrete values and/or analog signals that have continuous values. Additionally, components and circuits may be single-ended or differential, and power supplies may be unipolar or bipolar.


An integrated circuit (which is sometimes referred to as a ‘communication circuit’) may implement some or all of the functionality of networking subsystem 614. The integrated circuit may include hardware and/or software mechanisms that are used for transmitting wireless signals from electronic device 600 and receiving signals at electronic device 600 from other electronic devices. Aside from the mechanisms herein described, radios are generally known in the art and hence are not described in detail. In general, networking subsystem 614 and/or the integrated circuit can include any number of radios. Note that the radios in multiple-radio embodiments function in a similar way to the described single-radio embodiments.


In some embodiments, networking subsystem 614 and/or the integrated circuit include a configuration mechanism (such as one or more hardware and/or software mechanisms) that configures the radio(s) to transmit and/or receive on a given communication channel (e.g., a given carrier frequency). For example, in some embodiments, the configuration mechanism can be used to switch the radio from monitoring and/or transmitting on a given communication channel to monitoring and/or transmitting on a different communication channel. (Note that ‘monitoring’ as used herein comprises receiving signals from other electronic devices and possibly performing one or more processing operations on the received signals.)


In some embodiments, an output of a process for designing the integrated circuit, or a portion of the integrated circuit, which includes one or more of the circuits described herein may be a computer-readable medium such as, for example, a magnetic tape or an optical or magnetic disk. The computer-readable medium may be encoded with data structures or other information describing circuitry that may be physically instantiated as the integrated circuit or the portion of the integrated circuit. Although various formats may be used for such encoding, these data structures are commonly written in: Caltech Intermediate Format (CIF), Calma GDS II Stream Format (GDSII) or Electronic Design Interchange Format (EDIF). Those of skill in the art of integrated circuit design can develop such data structures from schematic diagrams of the type detailed above and the corresponding descriptions and encode the data structures on the computer-readable medium. Those of skill in the art of integrated circuit fabrication can use such encoded data to fabricate integrated circuits that include one or more of the circuits described herein.


While the preceding discussion used a Wi-Fi communication protocol as an illustrative example, in other embodiments a wide variety of cellular-telephone communication protocols and, more generally, wireless communication techniques may be used. Thus, the communication technique may be used in a variety of network interfaces. Furthermore, while some of the operations in the preceding embodiments were implemented in hardware or software, in general the operations in the preceding embodiments can be implemented in a wide variety of configurations and architectures. Therefore, some or all of the operations in the preceding embodiments may be performed in hardware, in software or both. For example, at least some of the operations in the communication technique may be implemented using program module 622, operating system 624 (such as a driver for interface circuit 618) or in firmware in interface circuit 618. Alternatively or additionally, at least some of the operations in the communication technique may be implemented in a physical layer, such as hardware in interface circuit 618.


In the preceding description, we refer to ‘some embodiments.’ Note that ‘some embodiments’ describes a subset of all of the possible embodiments, but does not always specify the same subset of embodiments.


The foregoing description is intended to enable any person skilled in the art to make and use the disclosure, and is provided in the context of a particular application and its requirements. Moreover, the foregoing descriptions of embodiments of the present disclosure have been presented for purposes of illustration and description only. They are not intended to be exhaustive or to limit the present disclosure to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present disclosure. Additionally, the discussion of the preceding embodiments is not intended to limit the present disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

Claims
  • 1. An electronic device, comprising: a node configured to couple to an antenna; and an interface circuit, coupled to the node, configured to communicate with another electronic device using a wireless local area network (WLAN) communication protocol and an Evolved Packet Core (EPC) via a wired communication protocol, wherein the electronic device is configured to: receive, at the interface circuit, Extensible Authentication Protocol (EAP) information using the WLAN communication protocol, wherein the EAP information includes credentials for authenticating the other electronic device to the EPC; establish, via the interface circuit, one or more Internet Protocol Security (IPSec) tunnels associated with the EPC on behalf of the other electronic device using the wired communication protocol, wherein the one or more IPSec tunnels originate and terminate at the electronic device; and communicate, via the interface circuit, encrypted information associated with the other electronic device using the WLAN communication protocol, wherein the encrypted information is encrypted using a different encryption protocol than IPSec.
  • 2. The electronic device of claim 1, wherein the WLAN communication protocol comprises Wi-Fi.
  • 3. The electronic device of claim 1, wherein the electronic device comprises a network function other than an access point.
  • 4. The electronic device of claim 1, wherein the electronic device comprises a router.
  • 5. The electronic device of claim 1, wherein the electronic device is configured to advertise, via the interface circuit, information for the other electronic device that indicates a capability to establish the one or more IPSec tunnels.
  • 6. The electronic device of claim 1, wherein, prior to receiving the EAP information, the electronic device is configured to associate, via the interface circuit and using the WLAN communication protocol, with the other electronic device.
  • 7. The electronic device of claim 1, wherein the encrypted information excludes a second encryption technique associated with the one or more IPSec tunnels.
  • 8. The electronic device of claim 1, wherein, when communicating, via the interface circuit, a packet associated with the EPC using the one or more IPSec tunnels, the electronic device is configured to include an access point name (APN) in the packet.
  • 9. The electronic device of claim 1, wherein the electronic device is configured to receive, via the interface circuit, a set of APNs associated with the electronic device and associated with different types of information; and wherein, when communicating, via the interface circuit, a packet having a type of information that is associated with the EPC using the one or more IPSec tunnels, the electronic device is configured to select an APN associated with the type of information and to include the APN in the packet.
  • 10. The electronic device of claim 1, wherein the encrypted information comprises Dynamic Host Configuration Protocol (DHCP) information associated with the EPC.
  • 11. The electronic device of claim 1, wherein the credentials in the EAP information are encrypted.
  • 12. The electronic device of claim 1, wherein the electronic device further comprises: a processor; and a memory, coupled to the processor, which stores a program module, wherein, when executed by the processor, the program module causes the electronic device to perform at least one of: the receiving, the establishing, and the communicating.
  • 13. A non-transitory computer-readable storage medium for use in conjunction with an electronic device, the computer-readable storage medium storing a program module, wherein, when executed by the electronic device, the program module causes the electronic device to establish one or more Internet Protocol Security (IPSec) tunnels with an Evolved Packet Core (EPC) for another electronic device by performing one or more operations, comprising: receiving, at an interface circuit in the electronic device, Extensible Authentication Protocol (EAP) information using a wireless local area network (WLAN) communication protocol, wherein the EAP information includes credentials for authenticating the other electronic device to the EPC; establishing, via the interface circuit, the one or more Internet Protocol Security (IPSec) tunnels associated with the EPC on behalf of the other electronic device using a wired communication protocol, wherein the one or more IPSec tunnels originate and terminate at the electronic device; and communicating, via the interface circuit, encrypted information associated with the other electronic device using the WLAN communication protocol, wherein the encrypted information is encrypted using a different encryption protocol than IPSec.
  • 14. The computer-readable storage medium of claim 13, wherein the electronic device comprises a network function other than an access point.
  • 15. The computer-readable storage medium of claim 13, wherein the one or more operations comprise advertising, via the interface circuit, information for the other electronic device that indicates a capability to establish the one or more IPSec tunnels.
  • 16. The computer-readable storage medium of claim 13, wherein, prior to receiving the EAP information, the one or more operations comprise associating, via the interface circuit and using the WLAN communication protocol, with the other electronic device.
  • 17. The computer-readable storage medium of claim 13, wherein the encrypted information excludes a second encryption technique associated with the one or more IPSec tunnels.
  • 18. The computer-readable storage medium of claim 13, wherein, when communicating, via the interface circuit, a packet associated with the EPC using the one or more IPSec tunnels, the one or more operations comprise including an access point name (APN) in the packet.
  • 19. A method for establishing one or more Internet Protocol Security (IPSec) tunnels with an Evolved Packet Core (EPC) for another electronic device, comprising: by an electronic device: receiving, at the electronic device, Extensible Authentication Protocol (EAP) information using a wireless local area network (WLAN) communication protocol, wherein the EAP information includes credentials for authenticating the other electronic device to the EPC; establishing the one or more Internet Protocol Security (IPSec) tunnels associated with the EPC on behalf of the other electronic device using a wired communication protocol, wherein the one or more IPSec tunnels originate and terminate at the electronic device; and communicating encrypted information associated with the other electronic device using the WLAN communication protocol, wherein the encrypted information is encrypted using a different encryption protocol than IPSec.
  • 20. The method of claim 19, wherein, when communicating a packet associated with the EPC using the one or more IPSec tunnels, the method comprises including an access point name (APN) in the packet.
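The architecture the claims describe, modelled end to end as an added example (this is illustrative code written for this page, not code from the patent or its applicant). The client encrypts its EAP credentials and its traffic for the WLAN hop only; the router (the "electronic device" of claim 1) decrypts them, authenticates to the EPC on the client's behalf, selects an APN by information type (claims 8 and 9) and re-encrypts under the tunnel key, which is distinct from the WLAN key (claim 7). The ciphers, the APN names, the subscriber identifier and the EPC key derivation are constructed stand-ins; a real deployment uses the 802.11 cipher suite on one hop and IKE/ESP on the other. The security-relevant point the model makes explicit is that the router holds the subscriber credential and sees plaintext, so the trust boundary that IPSec would normally place at the handset now sits at the router and the WLAN link.

```python
import hashlib
import hmac
import os

# Constructed APN table (claim 9): information type -> APN.  Hypothetical names.
APN_TABLE = {"voice": "ims.example", "data": "internet.example", "dhcp": "internet.example"}


def select_apn(info_type, apn_table=APN_TABLE):
    """Return the APN associated with a packet's information type (claims 8-9)."""
    if info_type not in apn_table:
        raise ValueError(f"no APN configured for information type {info_type!r}")
    return apn_table[info_type]


def _keystream(key, nonce, length):
    # Toy stream cipher (SHA-256 in counter mode); illustration only, not for real use.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC with a fresh nonce; aad is authenticated but sent in the clear."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Verify the tag before decrypting; raises on a wrong key or any tampering."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EPC:
    """Stand-in for the Evolved Packet Core; the subscriber list is constructed sample data."""

    def __init__(self, subscribers):
        self.subscribers = set(subscribers)

    def authenticate(self, credential):
        # Returns a per-tunnel key for a known subscriber, None otherwise.
        if credential not in self.subscribers:
            return None
        return hashlib.sha256(b"ipsec-tunnel-key|" + credential).digest()  # toy KDF

    def receive(self, credential, apn, tunnel_packet):
        # The APN rides with the packet (claims 8, 18, 20) and is checked as AAD.
        return apn, unseal(self.authenticate(credential), tunnel_packet, aad=apn.encode())


class Router:
    """The 'electronic device' of claim 1: WLAN encryption ends here, IPSec begins here."""

    def __init__(self, wlan_key, apn_table=APN_TABLE):
        self.wlan_key = wlan_key      # key for the WLAN hop (e.g. from the 802.11 handshake)
        self.apn_table = apn_table
        self.credential = None        # the client's EAP credential, now held by the router
        self.ipsec_key = None         # set once the tunnel to the EPC is up

    def receive_eap(self, wlan_frame):
        # Claim 1: EAP information arrives over the WLAN hop and is decrypted here.
        self.credential = unseal(self.wlan_key, wlan_frame)
        return self.credential

    def establish_tunnel(self, epc):
        # Claim 1: the router, not the client, negotiates the tunnel with the EPC.
        self.ipsec_key = epc.authenticate(self.credential)
        return self.ipsec_key is not None

    def forward_uplink(self, wlan_frame, info_type):
        # Claims 7-9: strip WLAN encryption, pick the APN, re-encrypt under the tunnel key.
        if self.ipsec_key is None:
            raise RuntimeError("no IPSec tunnel established for this client")
        inner = unseal(self.wlan_key, wlan_frame)   # plaintext is visible to the router
        apn = select_apn(info_type, self.apn_table)
        return apn, seal(self.ipsec_key, inner, aad=apn.encode())


def demo():
    """Run the exchange with constructed data and return what each party ended up with."""
    wlan_key = hashlib.sha256(b"constructed WLAN pairwise key").digest()
    epc = EPC(subscribers=[b"IMSI-000000000000001"])
    router = Router(wlan_key)
    router.receive_eap(seal(wlan_key, b"IMSI-000000000000001"))   # client -> router, WLAN hop
    if not router.establish_tunnel(epc):
        raise RuntimeError("EPC rejected the credential")
    apn, pkt = router.forward_uplink(seal(wlan_key, b"INVITE sip:bob@example SIP/2.0"), "voice")
    _, delivered = epc.receive(router.credential, apn, pkt)
    return {"apn": apn, "delivered": delivered, "router_holds_credential": router.credential,
            "keys_differ": router.ipsec_key != wlan_key}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the SIP INVITE arriving at the EPC tagged with the voice APN, and also that the router object ends up holding both the subscriber credential and the plaintext of every forwarded packet; any assessment of a deployment built this way has to treat the router as a credential-bearing trusted component rather than a passive access point.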
PCT Information
Filing Document    Filing Date   Country   Kind
PCT/US16/25064     3/30/2016     WO        00

Provisional Applications (1)
Number     Date       Country
62141157   Mar 2015   US