WO2010127706A1 - Method and apparatus for handling qos relating to secure ip access - Google Patents


Info

Publication number
WO2010127706A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
qos
rule
session
intermediate node
Application number
PCT/EP2009/055578
Other languages
French (fr)
Inventor
Ryoji Kato
Shinta Sugimoto
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0894 Policy-based network configuration management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/164 Implementing security features at a particular protocol layer at the network layer

Definitions

  • the present invention relates to a method and apparatus for handling Quality of Service rules where a secure IP access is involved.
  • the present invention relates to QoS for a secure IP access, such as an IPsec tunnel, established between a Mobile Node and an Evolved Packet Data Gateway in an Evolved Packet Core architecture.
  • FMC Fixed Mobile Convergence
  • IP-based technologies are common for fixed and mobile networks, which makes the convergence easier.
  • FMC mobile and fixed network operators will be able to utilize their network resource more efficiently, which leads to reduction of capital and operational expenditure (CAPEX and OPEX).
  • CAPEX and OPEX capital and operational expenditure
  • MMTel Multimedia Telephony
  • the EPC architecture defines the Evolved Packet Data Gateway (ePDG) that provides the terminal point of an IPsec tunnel for 3GPP UEs. Secure IP access to the EPC can be realized by establishing the IPsec tunnel with the ePDG.
  • ePDG Evolved Packet Data Gateway
  • Figure 1 shows a typical FMC use case in which a 3GPP UE 2 in a residential network 4 establishes a secure IP access 6, in this case an IPsec tunnel, with an ePDG 8 in an EPC 10.
  • Figure 1 also shows an Intermediate Node (IN) 12 through which the IPsec tunnel 6 passes.
  • IN Intermediate Node
  • the IPsec tunnel 6 is established between the 3GPP UE 2 and the ePDG 8, so even if the wireless link in the residential network 4 is insecure, the IP access from the 3GPP UE 2 to the EPC 10 (ePDG 8) can be secured.
  • each QoS rule consists of: (a) the filtering rule of the user session, and (b) the QoS profile.
  • QoS1 represents the QoS profile for user session 1 (US1)
  • QoS2 represents the QoS profile for user session 2 (US2)
  • QoS3 represents the QoS profile for user session 3 (US3)
  • FR1 represents the filtering rule for user session 1 (US1)
  • FR2 represents the filtering rule for user session 2 (US2)
  • FR3 represents the filtering rule for user session 3 (US3).
  • the filtering rule FR1, FR2, FR3 would typically include a 5-tuple identifying the user session, for example <IP source address, IP destination address, source port, destination port, protocol>, but any other fields in the IP packet header can be used to filter the packets.
  • one would hope to use the IN 12 to apply the filtering rules FR1, FR2, FR3 to IP packets passing through. In this regard, one would hope for the IN 12 to determine the filtering rule matching the IP packet of the user sessions, and then to forward the IP packets according to the corresponding QoS profile (e.g. delay, packet error rate, priority etc).
  • the problem with the above filtering scenario described with reference to Figure 1 is that the IP header of each user session is invisible to the IN 12 because, due to the IPsec tunnel 6 between the 3GPP UE 2 and ePDG 8, it is encrypted. Therefore, there is no way for the IN 12 to determine the matching filtering rule FR1, FR2, FR3 for the user sessions US1, US2, US3 and to apply the QoS profile QoS1, QoS2, QoS3.
  • DSCP DiffServ Code Point
  • one possible solution is to use the DSCP of the IPsec tunnel 6, not the DSCP of the user sessions US1, US2, US3.
  • the values of DSCP for the same QoS class may be different in different QoS domains, and the classification and granularity of QoS class may be different in different QoS domains.
  • two such QoS domains D1 and D2 are illustrated in Figure 1, in which overprovisioning and DSCP QoS are respectively applied.
  • the 3GPP UE 2 or IN 12 may need to assign the appropriate DSCP value to the uplink packets of user sessions US1, US2, US3.
  • two possible scenarios are described below; but both have problems:
  • if the 3GPP UE 2 is assumed to assign the DSCP value, then the 3GPP UE 2 must have the mapping table from the QoS profiles QoS1, QoS2, QoS3 to the DSCP values, which is specific to QoS Domain 2. But there is no way for the 3GPP UE 2 to obtain such a mapping table from the QoS Domain D2.
  • if the IN 12 is assumed to assign the appropriate DSCP value, then the IN 12 must distinguish the user sessions US1, US2, US3. But there is no way for the IN 12 to do so because the user sessions US1, US2, US3 are encrypted in the IPsec tunnel. And even if the IN 12 is assumed to be able to distinguish the user sessions US1, US2, US3, then the IN 12 must have the mapping table from the user sessions US1, US2, US3 to the QoS parameters. But there is no way for the IN 12 to obtain such a mapping table from the 3GPP UE 2 or ePDG 8 (EPC 10).
  • a method of handling rules relating to Quality of Service, QoS, for a plurality of user sessions on a secure IP access between a first node and a second node with an intermediate node between the first and second nodes comprises, for each session of the plurality: causing a QoS rule from the second node to be installed in the intermediate node in response to receipt at the second node of a predetermined IP packet of the session.
  • the QoS rule comprises a filtering rule and an associated QoS profile to be used at the intermediate node if an IP packet received at the intermediate node is determined to satisfy the filtering rule.
  • the filtering rule comprises information identifying the secure IP access as well as a label uniquely identifying to which of the user sessions from the first node to the second node the filtering rule applies.
  • a label is also applied to an unencrypted part of IP packets sent on the secure IP access from the first node to the second node via the intermediate node.
  • the method may comprise allocating the labels to their corresponding respective sessions at the first node.
  • the predetermined IP packet may be the first IP packet of the session, or at least one of the first several IP packets of the session.
  • the method may comprise determining the QoS rule for each session at the second node in response to receipt of the predetermined IP packet of the session.
  • the method may comprise determining the QoS rule for each session based on a preliminary QoS rule for that session together with the label applied to the predetermined IP packet of that session.
  • the preliminary QoS rule may be received at the second node from a policy server.
  • the method may comprise sending the QoS rules from the second node to the intermediate node via the policy server.
  • the method may comprise, at the policy server, receiving the QoS rules from the second node, identifying the intermediate node, and forwarding the QoS rules to the intermediate node.
  • the policy server may comprise a Policy and Charging Rules Function.
  • the method may comprise using the filtering rule at the intermediate node to determine the QoS profile to be used for a received IP packet.
  • the method may comprise, before the predetermined IP packet for a session is received at the second node, such that the intermediate node has not yet received a QoS rule for that session from the second node, using a default QoS rule for any IP packet received for that session.
  • the label may be a flow label.
  • the IP packets may be IPv6 packets and the flow label may be an IPv6 flow label.
  • the method may comprise applying the labels at the first node to the unencrypted part of the IP packets.
  • the first and second nodes may form part of a mobile network and the intermediate node forms part of a fixed network.
  • the first node may be a mobile node.
  • the second node may be a gateway node in an Evolved Packet Core network.
  • the intermediate node may serve as a policy enforcement point.
  • the intermediate node may be a Broadband Network Gateway.
  • the secure IP access may be an IPsec tunnel.
  • the information identifying the IPsec tunnel may comprise two or more of: source IP address of the IPsec tunnel, destination IP address of the IPsec tunnel, and Security Parameter Index of the IPsec tunnel.
  • the QoS rule comprises a filtering rule and an associated QoS profile to be used at the intermediate node if an IP packet received at the intermediate node is determined to satisfy the filtering rule.
  • the filtering rule comprises information identifying the secure IP access as well as a label uniquely identifying to which of the user sessions the filtering rule applies. As part of a wider system embodying the present invention, such a label is also applied to an unencrypted part of IP packets sent on the secure IP access from the first node to the second node via the intermediate node.
  • a program for controlling an apparatus to perform a method according to the first aspect of the present invention or which, when loaded into an apparatus, causes the apparatus to become an apparatus according to the second aspect of the present invention may be carried on a carrier medium.
  • the carrier medium may be a storage medium.
  • the carrier medium may be a transmission medium.
  • an apparatus programmed by a program according to the third aspect of the present invention.
  • a storage medium containing a program according to the third aspect of the present invention.
  • the extra functionality required for the 3GPP UE is limited to allocating different IPv6 flow labels to different user sessions, which is the normal usage of IPv6 flow labels.
  • the IPv6 flow labels are not needed to encode any meaningful value (e.g. an indicator to QoS class, a hashed value of a filtering rule etc).
  • Figure 1 discussed hereinbefore, illustrates schematically a problem with applying appropriate QoS to multiple user sessions over multiple QoS domains where secure IP access is being used;
  • Figure 2 is a schematic illustration of a system embodying the present invention
  • Figure 3 is a schematic illustration of one possible way in which an updated QoS rule can be installed to an intermediate IPsec node in an embodiment of the present invention
  • Figure 4 is a schematic block diagram showing parts of the system of Figures 2 and 3 in more detail.
  • Figure 5 is a schematic block diagram showing further parts of the system of Figures 2 and 3 in more detail.
  • Figure 2 is an overall schematic illustration of the method and the apparatus used, while Figure 3 shows one way of performing one of the steps of the method.
  • the nodes of Figure 2 are generally the same as those in Figure 1 , so no further explanation of those nodes will be provided here except where those nodes behave differently according to an embodiment of the present invention.
  • the various nodes making up the overall system of Figure 2 are shown in more detail in Figures 4 and 5.
  • the steps performed in the method embodying the present invention are shown circled in Figure 2, and these steps will now be described in detail.
  • a set of preliminary QoS rules (together denoted as QoS Rule A) is provisioned, either statically or dynamically, to the ePDG 8, being received at the preliminary QoS rule receiving portion E2 of the ePDG 8.
  • QoS Rule A can be considered to comprise a plurality of individual preliminary QoS rules, with preliminary QoS rule "n" comprising a filtering rule FRn and an associated QoS profile QoSn to be used if an IP packet is determined to satisfy the filtering rule FRn.
  • Figure 2 shows three such preliminary QoS rules: {FR1, QoS1}, {FR2, QoS2}, and {FR3, QoS3}.
  • in step S2 the 3GPP UE 2 starts the User Session 1 (US1).
  • the flow label allocating portion U1 of the 3GPP UE 2 allocates a unique IPv6 flow label (FL1) for the User Session 1 (US1).
  • uplink packets of User Session 1 are encrypted in the IPsec tunnel 6, but the IPv6 flow label (FL1) is marked on the IPsec tunnel 6 by the flow label applying portion U2 of the UE 2, so that the IPv6 flow label (FL1) is visible to all intermediate nodes including IN 12.
  • the uplink packets are sent on the IPsec tunnel 6 by the packet sending portion U3 of the UE 2.
  • in step S3 the packet receiving portion E1 of the ePDG 8 receives and decrypts the first uplink packet of User Session 1 from the IPsec tunnel 6.
  • the ePDG 8 associates User Session 1 with the IPv6 flow label FL1 marked on the IPsec tunnel 6.
  • the ePDG 8 also uses the filtering rules FR1, FR2 and FR3 to find a matching preliminary QoS rule from QoS Rule A; in this case the received packet matches the filtering rule FR1 in the first preliminary QoS rule {FR1, QoS1}, so that the ePDG 8 is able to determine the corresponding QoS profile as being QoS1, and this is to be used for the User Session 1.
  • the ePDG 8 is thus able to associate the IPv6 flow label FL1 and the QoS profile QoS1, both of which are associated with the User Session 1.
  • the QoS rule updating portion E3 of the ePDG 8 updates the first preliminary QoS rule {FR1, QoS1} to produce an updated QoS rule, QoS Rule B, which comprises the QoS profile QoS1 and a new (modified) filtering rule FLR1.
  • the new filtering rule FLR1 is a combination of the IPv6 flow label FL1 and information relating to and identifying the IPsec tunnel 6 (e.g. source IP address, destination IP address, and SPI).
  • step S4 the QoS rule provisioning portion E4 of the ePDG 8 provisions the updated
  • FIG. 3 shows, in addition to the parts shown in Figure 2, a policy server in the form of a Policy and Charging Rules Function (PCRF) 18, a Resource and Admission Control Function (RACF) 20 (together forming a PCC Architecture) and an Application Function (AF) 16.
  • PCRF Policy and Charging Rules Function
  • RACF Resource and Admission Control Function
  • AF Application Function
  • the QoS rule is then sent onward by the QoS rule provisioning portion P3 of the PCRF 18 to the RACF 20, which in turn sends it to the IN 12.
  • the AF 16 of Figure 3 represents an application server (e.g. VoIP server, IPTV server or web server); only these servers know what QoS is required for the application traffic path.
  • the AF 16 utilizes the PCC architecture (PCRF 18 and RACF 20) to make the QoS parameters known throughout the (mobile and fixed) networks.
  • the AF 16 doesn't generate a QoS rule itself, but it notifies the PCRF 18 of some parameters that are necessary to generate a QoS rule (because some parameters in the QoS rule are only known to the PCRF 18).
  • in step S5 the 3GPP UE 2 starts User Session 2 (US2) and allocates a new IPv6 flow label FL2 to User Session 2 (in a similar manner to step S2 above).
  • the 3GPP UE 2 is assumed to allocate different IPv6 flow labels FL1, FL2, FL3 to the different user sessions US1, US2, US3 on the IPsec tunnel 6.
  • the IPv6 flow labels can be any values and are not required to encode any underlying information.
  • in step S6, in a similar manner to step S3 above, the ePDG 8 associates the IPv6 flow label FL2 with User Session 2 and gets the QoS profile QoS2.
  • the ePDG 8 determines an updated QoS rule, QoS Rule C, consisting of the QoS profile QoS2 and a new (modified) filtering rule FLR2.
  • in step S7 the ePDG 8 provisions the updated QoS rule, QoS Rule C, to the IN 12.
  • steps S5 to S7, relating to User Session 2, correspond to steps S2 to S4, which relate to User Session 1. These steps are repeated again in relation to User Session 3 depicted in Figure 2.
  • the QoS rules handling portion N3 is able to use the QoS rules to determine what QoS to be used.
  • because the updated QoS rule for a user session is provisioned (in step S4) to the IN 12 only after the ePDG 8 receives the first uplink packet of the user session (in step S3), the updated QoS rule will not be available at the IN 12 for application to at least one uplink packet received at the IN 12 during a time period towards the start of a session.
  • the default QoS could, for example, be "best effort", or could be the highest QoS available.
  • the default QoS in this situation could be determined in dependence upon the IPv6 flow labels, for example "best effort for IPv6 flow label 0, and highest QoS for any other IPv6 flow label"; in this example, "best effort" is applied to user sessions requiring no QoS, and the highest or appropriate QoS is applied to those requiring some QoS.
  • the IPv6 flow label is used at least in part to determine the QoS profile to be used.
  • This general concept is known from US 20040125797 A1 , but the manner in which the IPv6 flow label is associated with the QoS profile, and the provisioning of the updated QoS rule to an intermediate node of an IPsec tunnel, is not known from that document.
  • when decrypting the IPsec tunnel 6 at the ePDG 8, the ePDG 8 can associate the user sessions with the IPv6 flow labels of the IPsec tunnel 6. By combining this IPv6 flow label and the information of the IPsec tunnel (e.g. source IP address and destination IP address), updated filtering rules (FLR1, FLR2, and FLR3 in Figure 2) can be determined that enable the IN 12 to distinguish the user sessions, because different user sessions have different IPv6 flow labels on the IPsec tunnel.
  • FLR1, FLR2, and FLR3 updated filtering rules (Figure 2)
  • the ePDG 8 can determine updated QoS rules (QoS Rule B and QoS Rule C in Figure 2), each consisting of a newly generated (or modified) filtering rule based on the IPv6 flow label and a QoS profile (QoS1, QoS2, and QoS3 in Figure 2), and provision the updated QoS rules to the intermediate node IN 12.
  • the idea in an embodiment of the present invention is not to use explicit or extra signalling to associate the IPv6 flow label with the QoS profile, but instead to use the user sessions as implicit signalling. This enables the 3GPP UE to become free from QoS-related signalling.
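As an added illustration (not code from the patent or from Ericsson), the following Python model walks through steps S2 to S7 described above: the UE marks each session's outer IPv6 header with its own flow label, the IN classifies on outer header fields only and applies the flow-label dependent default until a rule arrives, and the ePDG turns the matching preliminary rule {FRn, QoSn} into an updated rule {FLRn, QoSn} once it has decrypted the session's first packet. Addresses, ports, the SPI, the QoS profile names and the label-reuse check at the ePDG are constructed for this example, and the PCRF/RACF path of Figure 3 is collapsed into a direct ePDG-to-IN call.

```python
"""Toy model of the flow-label QoS rule installation of WO2010127706A1 (constructed
example: addresses, ports, SPI and profile names made up; PCRF/RACF path collapsed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]  # inner 5-tuple, encrypted inside the tunnel
TunnelId = Tuple[str, str, int]             # outer (src, dst, SPI), readable by the IN
FilteringRule = Tuple[TunnelId, int]        # FLRn: tunnel identification + flow label


@dataclass(frozen=True)
class TunnelPacket:
    tunnel: TunnelId   # outer IPv6 header and ESP SPI: unencrypted
    flow_label: int    # outer IPv6 flow label, set per user session by the UE
    inner: FiveTuple   # encrypted payload: only the ePDG may read this


@dataclass(frozen=True)
class QoSRule:
    filtering_rule: FilteringRule
    qos_profile: str


class UE:
    """3GPP UE 2: allocates a distinct flow label per user session (steps S2, S5)."""

    def __init__(self, tunnel: TunnelId) -> None:
        self.tunnel = tunnel
        self.labels: Dict[FiveTuple, int] = {}
        self._next = 1  # label 0 is kept for sessions needing no QoS (see default_qos)

    def send(self, inner: FiveTuple, wants_qos: bool = True) -> TunnelPacket:
        if inner not in self.labels:
            if wants_qos and self._next > 0xFFFFF:
                raise RuntimeError("20-bit flow label space exhausted")
            self.labels[inner] = self._next if wants_qos else 0
            self._next += 1 if wants_qos else 0
        return TunnelPacket(self.tunnel, self.labels[inner], inner)


def default_qos(flow_label: int) -> str:
    """Default from the text: best effort for label 0, highest QoS for any other label."""
    return "best-effort" if flow_label == 0 else "QoS-highest"


class IntermediateNode:
    """IN 12: classifies on the outer header only; applies the default until a rule arrives."""

    def __init__(self) -> None:
        self.rules: Dict[FilteringRule, str] = {}

    def install(self, rule: QoSRule) -> None:
        self.rules[rule.filtering_rule] = rule.qos_profile

    def classify(self, pkt: TunnelPacket) -> str:
        # pkt.inner is never consulted: the IN cannot decrypt the ESP payload.
        return self.rules.get((pkt.tunnel, pkt.flow_label), default_qos(pkt.flow_label))


class EPDG:
    """ePDG 8: learns FLn from the decrypted first packet and provisions {FLRn, QoSn}."""

    def __init__(self, qos_rule_a: Dict[FiveTuple, str], in_node: IntermediateNode) -> None:
        self.qos_rule_a = qos_rule_a  # preliminary QoS Rule A: {FRn: QoSn} keyed by 5-tuple
        self.in_node = in_node
        self.learned: Dict[FilteringRule, FiveTuple] = {}

    def receive(self, pkt: TunnelPacket) -> Optional[QoSRule]:
        flr = (pkt.tunnel, pkt.flow_label)
        if flr in self.learned:
            if self.learned[flr] != pkt.inner:
                # Constructed safeguard: a reused label would make the IN apply one
                # session's QoS profile to another session's traffic.
                raise ValueError("flow label reused for a different user session")
            return None  # rule for this session already provisioned
        qos = self.qos_rule_a.get(pkt.inner)  # step S3: FRn match on the decrypted header
        if qos is None:
            return None  # no preliminary rule: the IN keeps applying the default
        self.learned[flr] = pkt.inner
        rule = QoSRule(flr, qos)  # updated rule: FLRn = tunnel identification + flow label
        self.in_node.install(rule)  # step S4 (sent via PCRF and RACF in Figure 3)
        return rule


def run_scenario() -> List[Tuple[str, str]]:
    """Returns (session, QoS applied by the IN) for each uplink packet, in arrival order."""
    tunnel: TunnelId = ("2001:db8:1::2", "2001:db8:ff::8", 0x1000)
    us1: FiveTuple = ("2001:db8:1::2", "2001:db8:10::5", 40000, 5060, "udp")
    us2: FiveTuple = ("2001:db8:1::2", "2001:db8:10::6", 40001, 443, "tcp")
    us3: FiveTuple = ("2001:db8:1::2", "2001:db8:10::7", 40002, 80, "tcp")
    in_node = IntermediateNode()
    epdg = EPDG({us1: "QoS1", us2: "QoS2"}, in_node)  # QoS Rule A; US3 has no rule
    ue = UE(tunnel)
    applied: List[Tuple[str, str]] = []
    for name, inner, wants_qos in [("US1", us1, True), ("US1", us1, True), ("US2", us2, True),
                                   ("US3", us3, False), ("US2", us2, True), ("US3", us3, False)]:
        pkt = ue.send(inner, wants_qos)
        applied.append((name, in_node.classify(pkt)))  # the IN forwards the packet first...
        epdg.receive(pkt)  # ...then the ePDG decrypts it and may install the updated rule
    return applied
```

The first packet of each QoS session is forwarded with the default profile because the rule only exists after the ePDG has seen it; US3, sent with flow label 0 and without a preliminary rule, stays on best effort throughout.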
  • operation of one or more of the above-described components can be controlled by a program operating on the device or apparatus.
  • Such an operating program can be stored on a computer-readable medium, or could, for example, be embodied in a signal such as a downloadable data signal provided from an Internet website.
  • the appended claims are to be interpreted as covering an operating program by itself, or as a record on a carrier, or as a signal, or in any other form.

Abstract

A method is provided of handling rules relating to Quality of Service, QoS, for a plurality of user sessions (US1, US2, US3) on a secure IP access (6) between a first node (2) and a second node (8) with an intermediate node (12) between the first and second nodes (2, 8). The method comprises, for each session (US1, US2, US3) of the plurality: causing a QoS rule (QoS Rule B, QoS Rule C) from the second node (8) to be installed in the intermediate node (12) in response to receipt at the second node (8) of a predetermined IP packet of the session. The QoS rule (QoS Rule B, QoS Rule C) comprises a filtering rule (FLR1, FLR2) and an associated QoS profile (QoS1, QoS2) to be used at the intermediate node (12) if an IP packet received at the intermediate node (12) is determined to satisfy the filtering rule (FLR1, FLR2). The filtering rule (FLR1, FLR2) comprises information identifying the secure IP access (6) as well as a label uniquely identifying to which of the user sessions from the first node (2) to the second node (8) the filtering rule (FLR1, FLR2) applies. As part of the overall method, such a label is also applied at the first node (2) to an unencrypted part of IP packets sent on the secure IP access (6) to the second node (8) via the intermediate node (12). The secure IP access (6) may be an IPsec tunnel.

Description

Method and Apparatus for Handling QoS relating to Secure IP Access
Technical field
The present invention relates to a method and apparatus for handling Quality of Service rules where a secure IP access is involved. In particular, but not exclusively, the present invention relates to QoS for a secure IP access, such as an IPsec tunnel, established between a Mobile Node and an Evolved Packet Data Gateway in an Evolved Packet Core architecture.
Background
There is an emerging need for converging fixed network and mobile network which is known as Fixed Mobile Convergence (FMC). The trend of evolving networks using IP-based technologies is common for fixed and mobile networks, which makes the convergence easier. By FMC, mobile and fixed network operators will be able to utilize their network resource more efficiently, which leads to reduction of capital and operational expenditure (CAPEX and OPEX). For instance, when a user is running an IP-based application such as Multimedia Telephony (MMTel) inside their home, it is more efficient to utilize broadband connectivity of the fixed access network rather than the wireless access network.
Residential networks are a key to the success of FMC because they are the most commonly used fixed network access by ordinary users. Therefore, it is important to be able to connect mobile phones to the Evolved Packet Core (EPC; see "Architecture enhancements for non-3GPP Accesses," 3GPP TS 23.402, V8.2.0, 2008-06) through a residential network. Hereinafter the term User Equipment (UE) will be used in place of the term mobile phone; the term UE is familiar in the 3rd Generation Partnership Project (3GPP) documentation.
One issue relating to FMC is the security of the residential networks, in which insecure wireless links (e.g. W-LAN links encrypted by WEP) are typically used. Even if the fixed network access is secured, the insecure link in the residential networks degrades the secure IP access to EPS. Therefore, the EPC architecture defines the Evolved Packet Data Gateway (ePDG) that provides the terminal point of an IPsec tunnel for 3GPP UEs. Secure IP access to the EPC can be realized by establishing the IPsec tunnel with the ePDG.
Figure 1 shows a typical FMC use case in which a 3GPP UE 2 in a residential network 4 establishes a secure IP access 6, in this case an IPsec tunnel, with an ePDG 8 in an EPC 10. Figure 1 also shows an Intermediate Node (IN) 12 through which the IPsec tunnel 6 passes.
In the Figure 1 scenario, the IPsec tunnel 6 is established between the 3GPP UE 2 and the ePDG 8, so even if the wireless link in the residential network 4 is insecure, the IP access from the 3GPP UE 2 to the EPC 10 (ePDG 8) can be secured.
However, the present applicant has appreciated a problem with the Figure 1 scenario relating to the issue of Quality of Service (QoS). Suppose that the 3GPP UE 2 has three user sessions US1, US2 and US3 as depicted in Figure 1, each of which user sessions has a different QoS associated with it. In order to realize QoS between the 3GPP UE 2 and ePDG 8, one possible solution would be to install the QoS rules to the Intermediate Node (IN) 12. As is illustrated in Figure 1, each QoS rule consists of: (a) the filtering rule of the user session, and (b) the QoS profile.
In Figure 1, QoS1 represents the QoS profile for user session 1 (US1), QoS2 represents the QoS profile for user session 2 (US2), and QoS3 represents the QoS profile for user session 3 (US3). Likewise, in Figure 1, FR1 represents the filtering rule for user session 1 (US1), FR2 represents the filtering rule for user session 2 (US2), and FR3 represents the filtering rule for user session 3 (US3).
The filtering rule FR1, FR2, FR3 would typically include a 5-tuple identifying the user session, for example <IP source address, IP destination address, source port, destination port, protocol>, but any other fields in the IP packet header can be used to filter the packets.
One would hope to use the IN 12 to apply the filtering rules FR1, FR2, FR3 to IP packets passing through. In this regard, one would hope for the IN 12 to determine the filtering rule matching the IP packet of the user sessions, and then to forward the IP packets according to the corresponding QoS profile (e.g. delay, packet error rate, priority etc). However, the problem with the above filtering scenario described with reference to Figure 1 is that the IP header of each user session is invisible to the IN 12 because, due to the IPsec tunnel 6 between the 3GPP UE 2 and ePDG 8, it is encrypted. Therefore, there is no way for the IN 12 to determine the matching filtering rule FR1, FR2, FR3 for the user sessions US1, US2, US3 and to apply the QoS profile QoS1, QoS2, QoS3.
One possible solution is to use DSCP (DiffServ Code Point; see "An Architecture for Differentiated Services," IETF RFC2475, 1998-12) of the IPsec tunnel 6 (not DSCP of the user sessions US1, US2, US3). However, the values of DSCP for the same QoS class may be different in different QoS domains, and the classification and granularity of QoS class may be different in different QoS domains.
Two such QoS domains D1 and D2 are illustrated in Figure 1, in which overprovisioning and DSCP QoS are respectively applied. For example, in order to enable the QoS for the uplink packets of user sessions in the QoS Domain D2 in which DSCP is used for QoS, the 3GPP UE 2 or IN 12 may need to assign the appropriate DSCP value to the uplink packets of user sessions US1, US2, US3. In order to realize this, two possible scenarios are described below; but both have problems:
If the 3GPP UE 2 is assumed to assign the DSCP value, then the 3GPP UE 2 must have the mapping table from the QoS profiles QoS1, QoS2, QoS3 to the DSCP values, which is specific to QoS Domain 2. But there is no way for the 3GPP UE 2 to obtain such a mapping table from the QoS Domain D2.
On the other hand, if the IN 12 is assumed to assign the appropriate DSCP value, then the IN 12 must distinguish the user sessions US1, US2, US3. But there is no way for the IN 12 to do so because the user sessions US1, US2, US3 are encrypted in the IPsec tunnel. And even if the IN 12 is assumed to be able to distinguish the user sessions US1, US2, US3, then the IN 12 must have the mapping table from the user sessions US1, US2, US3 to the QoS parameters. But there is no way for the IN 12 to obtain such a mapping table from the 3GPP UE 2 or ePDG 8 (EPC 10).
It is desirable to address the above issues identified by the applicant.
Summary
According to a first aspect of the present invention there is provided a method of handling rules relating to Quality of Service, QoS, for a plurality of user sessions on a secure IP access between a first node and a second node with an intermediate node between the first and second nodes. The method comprises, for each session of the plurality: causing a QoS rule from the second node to be installed in the intermediate node in response to receipt at the second node of a predetermined IP packet of the session. The QoS rule comprises a filtering rule and an associated QoS profile to be used at the intermediate node if an IP packet received at the intermediate node is determined to satisfy the filtering rule. The filtering rule comprises information identifying the secure IP access as well as a label uniquely identifying to which of the user sessions from the first node to the second node the filtering rule applies. As part of a wider method embodying the present invention, such a label is also applied to an unencrypted part of IP packets sent on the secure IP access from the first node to the second node via the intermediate node.
The method may comprise allocating the labels to their corresponding respective sessions at the first node.
The predetermined IP packet may be the first IP packet of the session, or at least one of the first several IP packets of the session.
The method may comprise determining the QoS rule for each session at the second node in response to receipt of the predetermined IP packet of the session.
The method may comprise determining the QoS rule for each session based on a preliminary QoS rule for that session together with the label applied to the predetermined IP packet of that session.
The preliminary QoS rule may be received at the second node from a policy server.
The method may comprise sending the QoS rules from the second node to the intermediate node via the policy server. The method may comprise, at the policy server, receiving the QoS rules from the second node, identifying the intermediate node, and forwarding the QoS rules to the intermediate node.
The policy server may comprise a Policy and Charging Rules Function.
The method may comprise using the filtering rule at the intermediate node to determine the QoS profile to be used for a received IP packet.
The method may comprise, before the predetermined IP packet for a session is received at the second node, such that the intermediate node has not yet received a QoS rule for that session from the second node, using a default QoS rule for any IP packet received for that session.
The label may be a flow label.
The IP packets may be IPv6 packets and the flow label may be an IPv6 flow label.
The method may comprise applying the labels at the first node to the unencrypted part of the IP packets.
The first and second nodes may form part of a mobile network and the intermediate node forms part of a fixed network.
The first node may be a mobile node.
The second node may be a gateway node in an Evolved Packet Core network.
The intermediate node may serve as a policy enforcement point.
The intermediate node may be a Broadband Network Gateway.
The secure IP access may be an IPsec tunnel. The information identifying the IPsec tunnel may comprise two or more of: source IP address of the IPsec tunnel, destination IP address of the IPsec tunnel, and Security Parameter Index of the IPsec tunnel.
According to a second aspect of the present invention there is provided an apparatus for handling rules relating to Quality of Service, QoS, for a plurality of user sessions on a secure IP access between a first node and a second node with an intermediate node between the first and second nodes. The apparatus comprises means for causing, for each session of the plurality, a QoS rule from the second node to be installed in the intermediate node in response to receipt at the second node of a predetermined IP packet of the session. The QoS rule comprises a filtering rule and an associated QoS profile to be used at the intermediate node if an IP packet received at the intermediate node is determined to satisfy the filtering rule. The filtering rule comprises information identifying the secure IP access as well as a label uniquely identifying to which of the user sessions the filtering rule applies. As part of a wider system embodying the present invention, such a label is also applied to an unencrypted part of IP packets sent on the secure IP access from the first node to the second node via the intermediate node.
According to a third aspect of the present invention there is provided a program for controlling an apparatus to perform a method according to the first aspect of the present invention or which, when loaded into an apparatus, causes the apparatus to become an apparatus according to the second aspect of the present invention. The program may be carried on a carrier medium. The carrier medium may be a storage medium. The carrier medium may be a transmission medium.
According to a fourth aspect of the present invention there is provided an apparatus programmed by a program according to the third aspect of the present invention.
According to a fifth aspect of the present invention there is provided a storage medium containing a program according to the third aspect of the present invention.
An embodiment of the present invention has one or more of the following technical advantages:
• The QoS problem described above is addressed.
• No additional QoS-related signals are exchanged between the 3GPP UE and ePDG (EPC) or any fixed access networks.
• The extra functionality required for the 3GPP UE is limited: to allocate different IPv6 flow labels to different user sessions. This is the normal usage of IPv6 flow labels. The IPv6 flow labels are not needed to encode any meaningful value (e.g. an indicator of QoS class, a hashed value of a filtering rule, etc.).
Brief description of the drawings
Figure 1, discussed hereinbefore, illustrates schematically a problem with applying appropriate QoS to multiple user sessions over multiple QoS domains where secure IP access is being used;
Figure 2 is a schematic illustration of a system embodying the present invention;
Figure 3 is a schematic illustration of one possible way in which an updated QoS rule can be installed to an intermediate IPsec node in an embodiment of the present invention;
Figure 4 is a schematic block diagram showing parts of the system of Figures 2 and 3 in more detail; and
Figure 5 is a schematic block diagram showing further parts of the system of Figures 2 and 3 in more detail.
Detailed description
An embodiment of the present invention will now be described with reference to Figures 2 to 5. Figure 2 is an overall schematic illustration of the method and the apparatus used, while Figure 3 shows one way of performing one of the steps of the method. The nodes of Figure 2 are generally the same as those in Figure 1, so no further explanation of those nodes will be provided here except where those nodes behave differently according to an embodiment of the present invention. The various nodes making up the overall system of Figure 2 are shown in more detail in Figures 4 and 5. The steps performed in the method embodying the present invention are shown circled in Figure 2, and these steps will now be described in detail.
In step S1, a set of preliminary QoS rules (together denoted as QoS Rule A) is provisioned, either statically or dynamically, to the ePDG 8, being received at the preliminary QoS rule receiving portion E2 of the ePDG 8. QoS Rule A can be considered to comprise a plurality of individual preliminary QoS rules, with preliminary QoS rule "n" comprising a filtering rule FRn and an associated QoS profile QoSn to be used if an IP packet is determined to satisfy the filtering rule FRn. Figure 2 shows three such preliminary QoS rules: {FR1, QoS1}, {FR2, QoS2}, and {FR3, QoS3}. By using the filtering rules FR1, FR2 and FR3, the ePDG 8 can distinguish user sessions for both uplink and downlink.
In step S2, the 3GPP UE 2 starts the User Session 1 (US1). The flow label allocating portion U1 of the 3GPP UE 2 allocates a unique IPv6 flow label (FL1) for the User Session 1 (US1). Uplink packets of User Session 1 are encrypted in the IPsec tunnel 6, but the IPv6 flow label (FL1) is marked on the IPsec tunnel 6 by the flow label applying portion U2 of the UE 2, so that the IPv6 flow label (FL1) is visible to all intermediate nodes including IN 12. The uplink packets are sent on the IPsec tunnel 6 by the packet sending portion U3 of the UE 2.
In step S3, the packet receiving portion E1 of the ePDG 8 receives and decrypts the first uplink packet of User Session 1 from the IPsec tunnel 6. In response, the ePDG 8 associates User Session 1 with the IPv6 flow label FL1 marked on the IPsec tunnel 6. The ePDG 8 also uses the filtering rules FR1, FR2 and FR3 to find a matching preliminary QoS rule from QoS Rule A; in this case the received packet matches the filtering rule FR1 in the first preliminary QoS rule {FR1, QoS1}, so that the ePDG 8 is able to determine the corresponding QoS profile as being QoS1, and this is to be used for the User Session 1.
The ePDG 8 is thus able to associate the IPv6 flow label FL1 and the QoS profile QoS1, both of which are associated with the User Session 1. The QoS rule updating portion E3 of the ePDG 8 updates the first preliminary QoS rule {FR1, QoS1} to produce an updated QoS rule, QoS Rule B, which comprises the QoS profile QoS1 and a new (modified) filtering rule FLR1. The new filtering rule FLR1 is a combination of the IPv6 flow label FL1 and information relating to and identifying the IPsec tunnel 6 (e.g. source IP address, destination IP address, and SPI).
In step S4, the QoS rule provisioning portion E4 of the ePDG 8 provisions the updated QoS rule, QoS Rule B, to the IN 12, where it is received by the QoS rule receiving portion N2. The manner in which this new QoS rule is provisioned (or installed) to the IN 12 is not of importance, although an advantageous way of doing this is shown in Figure 3.
Figure 3 shows, in addition to the parts shown in Figure 2, a policy server in the form of a Policy and Charging Rules Function (PCRF) 18, a Resource and Admission Control Function (RACF) 20 (together forming a PCC Architecture) and an Application Function (AF) 16. In step S1 above, the preliminary rule sending portion P1 of the PCRF 18 would provide the preliminary QoS rule to the ePDG 8, for example using the Gx interface. Then, after the preliminary QoS rule is updated in step S3 above by the QoS rule updating portion E3, the updated QoS rule is sent (in this step S4) by the QoS rule provisioning portion E4 of the ePDG 8 to the PCRF 18, being received at the QoS rule receiving portion P2. The QoS rule is then sent onward by the QoS rule provisioning portion P3 of the PCRF 18 to the RACF 20, which in turn sends it to the IN 12. In this way, the updated QoS rule is provisioned from the ePDG 8 to the IN 12 without explicit signalling between the ePDG 8 and the IN 12. The AF 16 of Figure 3 represents an application server (e.g. VoIP server, IPTV server or web server); only these servers know what QoS is required for the application traffic path. The AF 16 utilizes the PCC architecture (PCRF 18 and RACF 20) to make the QoS parameters known throughout the (mobile and fixed) networks. The AF 16 does not generate a QoS rule itself, but it notifies the PCRF 18 of some parameters that are necessary to generate a QoS rule (because some parameters in the QoS rule are only known to the PCRF 18).
Returning to the steps depicted in Figure 2, in step S5 the 3GPP UE 2 starts User Session 2 (US2) and allocates a new IPv6 flow label FL2 to User Session 2 (in a similar manner to step S2 above). The 3GPP UE 2 is assumed to allocate different IPv6 flow labels FL1, FL2, FL3 to the different user sessions US1, US2, US3 on the IPsec tunnel 6. The IPv6 flow labels can be any values and are not required to encode any underlying information.
In step S6, in a similar manner to step S3 above, the ePDG 8 associates the IPv6 flow label FL2 to User Session 2 and gets the QoS profile QoS2. The ePDG 8 determines an updated QoS rule, QoS Rule C, consisting of the QoS profile QoS2 and new (modified) filtering rule FLR2.
In step S7, the ePDG 8 provisions the updated QoS rule, QoS Rule C, to the IN 12. Steps S5 to S7, relating to User Session 2, correspond to steps S2 to S4, which relate to User Session 1. These steps are repeated again in relation to User Session 3 depicted in Figure 2.
With the QoS rules provisioned to the IN 12 as described above, when a packet is received at the packet receiving portion N1 of the IN 12, the QoS rules handling portion N3 is able to use the QoS rules to determine what QoS to be used.
However, because the updated QoS rule for a user session is provisioned (in step S4) to the IN 12 only after the ePDG 8 receives the first uplink packet of the user session (in step S3), the updated QoS rule will not be available at the IN 12 for application to at least one uplink packet received at the IN 12 during a time period towards the start of a session.
To deal with this situation, it would be possible to apply a default QoS to any uplink packets relating to the session concerned until the updated QoS rule for the session has been installed at the IN 12. Because the time in which the default QoS is applied would normally be relatively small, the average QoS of user sessions will not be greatly affected. The default QoS could, for example, be "best effort", or could be the highest QoS available.
Alternatively, the default QoS in this situation could be determined in dependence upon the IPv6 flow labels, for example "best effort for IPv6 flow label 0, and highest QoS for any other IPv6 flow label"; in this example, "best effort" is applied to user sessions requiring no QoS, and the highest or appropriate QoS is applied to those requiring some QoS.
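The following Python model is an added example (not code from the patent or from Ericsson) that walks through steps S2 to S7 and the default-QoS fallback just described: the UE marks each session's flow label on the cleartext outer IPv6 header of its ESP packets, the IN can classify only on that outer header, and the ePDG, on the first packet of a session, turns the preliminary rule {FRn, QoSn} into {FLRn, QoSn} and provisions it to the IN. Addresses, SPIs, ports and flow-label values are constructed sample data; ESP decryption is not modelled (the inner destination port is read directly as a stand-in for the decrypted packet, an assumption of this example). It also demonstrates the check an operator of the intermediate node wants: because FLRn binds the label to the tunnel's (source, destination, SPI), the same label seen on a different SPI does not inherit the provisioned profile.

```python
"""Toy model of flow-label based QoS provisioning over an IPsec tunnel.

Added example; names follow the text (UE, ePDG, IN, FRn/QoSn, FLRn).
Addresses, SPIs, ports and labels are constructed. ESP decryption is not
modelled: the ESP payload is cleartext standing in for the inner packet.
"""
import ipaddress
import struct
from dataclasses import dataclass

IPV6_NH_ESP = 50  # IANA next-header value for ESP


def build_ipv6_esp(src: bytes, dst: bytes, flow_label: int, spi: int, payload: bytes) -> bytes:
    """Constructed IPv6 packet carrying ESP; the flow label sits in the cleartext outer header."""
    ver_tc_fl = (6 << 28) | (flow_label & 0xFFFFF)        # version 6, traffic class 0
    esp = struct.pack("!II", spi, 1) + payload              # SPI, sequence number, data
    return struct.pack("!IHBB", ver_tc_fl, len(esp), IPV6_NH_ESP, 64) + src + dst + esp


def parse_outer(pkt: bytes):
    """What an intermediate node can read without decrypting: src, dst, SPI, flow label."""
    ver_tc_fl, _plen, nh, _hop = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6 or nh != IPV6_NH_ESP:
        raise ValueError("not an IPv6/ESP packet")
    spi = struct.unpack("!I", pkt[40:44])[0]
    return pkt[8:24], pkt[24:40], spi, ver_tc_fl & 0xFFFFF


def inner_dst_port(pkt: bytes) -> int:
    """Stand-in for decryption at the ePDG: the inner session is keyed by destination port."""
    return struct.unpack("!H", pkt[48:50])[0]


@dataclass(frozen=True)
class UpdatedFilter:
    """FLRn: tunnel identity (src, dst, SPI) combined with the session's flow label."""
    src: bytes
    dst: bytes
    spi: int
    flow_label: int


def default_qos(flow_label: int) -> str:
    """Fallback before FLRn is installed: best effort for label 0, highest otherwise."""
    return "best-effort" if flow_label == 0 else "highest"


class IntermediateNode:
    """IN 12: enforces QoS using only the outer header; it cannot decrypt."""

    def __init__(self):
        self.rules = {}  # UpdatedFilter -> QoS profile (QoS Rule B, C, ...)

    def install(self, flr: UpdatedFilter, qos: str) -> None:
        self.rules[flr] = qos

    def classify(self, pkt: bytes) -> str:
        src, dst, spi, fl = parse_outer(pkt)
        # The label is bound to (src, dst, SPI): the same label on another tunnel does not match.
        return self.rules.get(UpdatedFilter(src, dst, spi, fl)) or default_qos(fl)


class EPDG:
    """ePDG 8: on a session's first packet, turns {FRn, QoSn} into {FLRn, QoSn} and provisions it."""

    def __init__(self, preliminary_rules, in_node: IntermediateNode):
        self.prelim = preliminary_rules   # QoS Rule A: list of (FRn predicate on inner port, QoSn)
        self.in_node = in_node
        self.provisioned = {}             # (src, dst, spi, flow label) -> QoSn already installed

    def receive(self, pkt: bytes):
        src, dst, spi, fl = parse_outer(pkt)
        key = (src, dst, spi, fl)
        if key in self.provisioned:       # not the predetermined (first) packet of the session
            return self.provisioned[key]
        port = inner_dst_port(pkt)        # "decrypt" and inspect the inner packet (step S3)
        for fr, qos in self.prelim:
            if fr(port):
                self.in_node.install(UpdatedFilter(*key), qos)  # step S4 / S7
                self.provisioned[key] = qos
                return qos
        return None                       # no preliminary rule matched: IN keeps the default


def run_scenario():
    """Steps S2 to S7 for two sessions plus two edge cases; returns the IN's decisions in order."""
    ue = ipaddress.IPv6Address("2001:db8::2").packed        # constructed addresses
    epdg_addr = ipaddress.IPv6Address("2001:db8::8").packed
    in_node = IntermediateNode()
    epdg = EPDG([(lambda p: p == 5060, "QoS1"), (lambda p: p == 554, "QoS2")], in_node)
    decisions = []

    def uplink(flow_label, port, tunnel_spi=0x1000):
        pkt = build_ipv6_esp(ue, epdg_addr, flow_label, tunnel_spi, struct.pack("!H", port))
        decisions.append(in_node.classify(pkt))   # IN sees the packet first
        epdg.receive(pkt)                         # ePDG decrypts and provisions if needed

    uplink(0x11, 5060)   # US1, first packet: FLR1 not yet installed -> default "highest"
    uplink(0x11, 5060)   # US1, second packet -> QoS1
    uplink(0x22, 554)    # US2, first packet -> default, then QoS Rule C is provisioned
    uplink(0x22, 554)    # US2, second packet -> QoS2
    uplink(0, 80)        # label 0 with no preliminary rule -> "best-effort"
    uplink(0x11, 5060, tunnel_spi=0x2000)  # US1's label on another SPI -> does not match FLR1
    return decisions


if __name__ == "__main__":
    print(run_scenario())
```

The IN's decision list shows the one-packet gap the text describes (the first packet of each session gets the default) and the label-0 case from the alternative default rule; the final entry shows why the filtering rule must carry the tunnel identity and not the flow label alone.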
As is apparent from the above, in a method embodying the present invention, the IPv6 flow label is used at least in part to determine the QoS profile to be used. This general concept is known from US 20040125797 A1, but the manner in which the IPv6 flow label is associated with the QoS profile, and the provisioning of the updated QoS rule to an intermediate node of an IPsec tunnel, is not known from that document.
In summary, when decrypting the IPsec tunnel 6 at the ePDG 8, the ePDG 8 can associate the user sessions with the IPv6 flow labels of the IPsec tunnel 6. By combining this IPv6 flow label and the information of the IPsec tunnel (e.g. source IP address and destination IP address), updated filtering rules (FLR1, FLR2, and FLR3 in Figure 2) can be determined that enable the IN 12 to distinguish the user sessions, because different user sessions have different IPv6 flow labels on the IPsec tunnel. Then, the ePDG 8 can determine updated QoS rules (QoS Rule B and QoS Rule C in Figure 2) consisting of a newly generated (or modified) filtering rule based on the IPv6 flow label and a QoS profile (QoS1, QoS2, and QoS3 in Figure 2), and provision the updated QoS rules to the intermediate node IN 12.
The idea in an embodiment of the present invention is not to use explicit or extra signalling to associate the IPv6 flow label with the QoS profile, but instead to use the user sessions as implicit signalling. This enables the 3GPP UE to become free from QoS-related signalling.
It will be appreciated that operation of one or more of the above-described components can be controlled by a program operating on the device or apparatus. Such an operating program can be stored on a computer-readable medium, or could, for example, be embodied in a signal such as a downloadable data signal provided from an Internet website. The appended claims are to be interpreted as covering an operating program by itself, or as a record on a carrier, or as a signal, or in any other form.
It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the present invention. For instance, although the above embodiments describe a UE and ePDG as the IPsec endpoints, the invention is applicable to other types of IPsec endpoint nodes.

Claims
1. A method of handling rules relating to Quality of Service, QoS, for a plurality of user sessions on a secure IP access between a first node and a second node with an intermediate node between the first and second nodes, the method comprising, for each session of the plurality: causing a QoS rule from the second node to be installed in the intermediate node in response to receipt at the second node of a predetermined IP packet of the session, the QoS rule comprising a filtering rule and an associated QoS profile to be used at the intermediate node if an IP packet received at the intermediate node is determined to satisfy the filtering rule, and the filtering rule comprising information identifying the secure IP access as well as a label uniquely identifying to which of the user sessions from the first node to the second node the filtering rule applies, such a label also being applied at the first node to an unencrypted part of IP packets sent on the secure IP access to the second node via the intermediate node.
2. A method as claimed in claim 1, comprising allocating the labels to their corresponding respective sessions at the first node.
3. A method as claimed in claim 1 or 2, wherein the predetermined IP packet is the first IP packet of the session, or at least one of the first several IP packets of the session.
4. A method as claimed in claim 1, 2 or 3, comprising determining the QoS rule for each session at the second node in response to receipt of the predetermined IP packet of the session.
5. A method as claimed in any preceding claim, comprising determining the QoS rule for each session based on a preliminary QoS rule for that session together with the label applied to the predetermined IP packet of that session.
6. A method as claimed in claim 5, wherein the preliminary QoS rule is received at the second node from a policy server.
7. A method as claimed in claim 6, comprising sending the QoS rules from the second node to the intermediate node via the policy server.
8. A method as claimed in claim 7, comprising, at the policy server, receiving the QoS rules from the second node, identifying the intermediate node, and forwarding the QoS rules to the intermediate node.
9. A method as claimed in claim 6, 7 or 8, wherein the policy server comprises a Policy and Charging Rules Function.
10. A method as claimed in any preceding claim, comprising using the filtering rule at the intermediate node to determine the QoS profile to be used for a received IP packet.
11. A method as claimed in claim 10, comprising, before the predetermined IP packet for a session is received at the second node, such that the intermediate node has not yet received a QoS rule for that session from the second node, using a default QoS rule for any IP packet received for that session.
12. A method as claimed in any preceding claim, wherein the label is a flow label.
13. A method as claimed in claim 12, wherein the IP packets are IPv6 packets and the flow label is an IPv6 flow label.
14. A method as claimed in any preceding claim, comprising applying the labels at the first node to the unencrypted part of the IP packets.
15. A method as claimed in any preceding claim, wherein the first and second nodes form part of a mobile network and the intermediate node forms part of a fixed network.
16. A method as claimed in claim 15, wherein the first node is a mobile node.
17. A method as claimed in claim 15 or 16, wherein the second node is a gateway node in an Evolved Packet Core network.
18. A method as claimed in claim 15, 16 or 17, wherein the intermediate node serves as a policy enforcement point.
19. A method as claimed in any one of claims 15 to 18, wherein the intermediate node is a Broadband Network Gateway.
20. A method as claimed in any preceding claim, wherein the secure IP access is an IPsec tunnel and the information identifying the IPsec tunnel comprises two or more of: source IP address of the IPsec tunnel, destination IP address of the IPsec tunnel, and Security Parameter Index of the IPsec tunnel.
21. An apparatus for handling rules relating to Quality of Service, QoS, for a plurality of user sessions on a secure IP access between a first node and a second node with an intermediate node between the first and second nodes, the apparatus comprising means for causing, for each session of the plurality, a QoS rule from the second node to be installed in the intermediate node in response to receipt at the second node of a predetermined IP packet of the session, the QoS rule comprising a filtering rule and an associated QoS profile to be used at the intermediate node if an IP packet received at the intermediate node is determined to satisfy the filtering rule, and the filtering rule comprising information identifying the secure IP access as well as a label uniquely identifying to which of the user sessions the filtering rule applies, such a label also being applied at the first node to an unencrypted part of IP packets sent on the secure IP access to the second node via the intermediate node.
22. A program for controlling an apparatus to perform a method as claimed in any one of claims 1 to 20.
23. A storage medium containing a program as claimed in claim 22.
PCT/EP2009/055578 2009-05-08 2009-05-08 Method and apparatus for handling qos relating to secure ip access WO2010127706A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2009/055578 WO2010127706A1 (en) 2009-05-08 2009-05-08 Method and apparatus for handling qos relating to secure ip access

Publications (1)

Publication Number Publication Date
WO2010127706A1 true WO2010127706A1 (en) 2010-11-11

Family

ID=41535077

Country Status (1)

Country Link
WO (1) WO2010127706A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102098651A (en) * 2011-01-21 2011-06-15 北京邮电大学 Method for performing strategy identification and control by using user service identification (USID)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040125797A1 (en) * 2002-12-27 2004-07-01 Raisanen Vilho I. Flow labels
US20080310334A1 (en) * 2007-06-15 2008-12-18 Hitachi Communication Technologies, Ltd. Communication system, server, control apparatus and communication apparatus
WO2009073504A2 (en) * 2007-11-29 2009-06-11 Qualcomm Incorporated Flow classification for encrypted and tunneled packet streams

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Universal Mobile Telecommunications System (UMTS); 3GPP system to Wireles Local Area Network (WLAN) interworking; System description (3GPP TS 23.234 version 7.7.0 Release 7); ETSI TS 123 234", ETSI STANDARD, EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTE (ETSI), SOPHIA ANTIPOLIS CEDEX, FRANCE, vol. 3-SA2, no. V7.7.0, 1 June 2008 (2008-06-01), XP014042067 *
QUALCOMM EUROPE: "Enhanced security support for S2c", 3GPP DRAFT; S2-090902-SECURITY-DSMIP-DISCUSSION-FINAL, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, no. Budapest; 20090210, 10 February 2009 (2009-02-10), XP050333350 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09779426

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09779426

Country of ref document: EP

Kind code of ref document: A1