METHOD OF CONTROLLING TRAFFIC POLICIES FROM A SECURITY MODULE IN A MOBILE TERMINAL
20170324656 · 2017-11-09
CPC classification: H04L69/16, H04L67/125
Abstract
The invention relates to a method of controlling a packet stream generated by an application (APP) installed in a mobile terminal (UE), the stream being intended to be sent by the terminal over a communications network managed by an operator, the method comprising the following steps implemented in the terminal, for all or some of the packets generated by the application: obtaining and analysis of a packet, termed the first packet (P1), sending by the terminal of a second packet (P2) based on the first packet and conforming to at least one processing rule established by the operator, as a function of the result of the analysis and if the result of the analysis permits the sending.
Claims
1. A method for controlling a packet stream generated by an application (APP) installed in a mobile terminal (UE), the stream being intended to be transmitted by the terminal over a communications network managed by an operator, the method comprising the following steps implemented in the terminal, for all or some of the packets generated by the application: obtaining (E1) and analysis (E2, E3, E4, E5) of a packet, called first packet (P1), transmission (E7) by the terminal of a second packet (P2) based on the first packet and conforming to at least one processing rule established by the operator, based on the result of the analysis and if the result of the analysis authorizes the transmission.
2. The control method as claimed in claim 1, wherein the analysis step comprises the following steps: a step (E4) of transmission of a request message (Req) to a security module (SIM-PDP) installed in the terminal, the request message comprising at least one parameter based on the first packet (P1), a step (E5) of reception of a response message (Rep) from the security module (SIM-PDP), the response message comprising an instruction relating to the transmission of the second packet (P2), the instruction being based on the at least one parameter and established according to the at least one processing rule.
3. The control method as claimed in claim 2, wherein the step (E5) of reception of a response message is followed by a step (E5b) of addition, in a table (T-PEP), of a routine rule based on the instruction and intended to be applied to packets of the stream following the first packet (P1).
4. The control method as claimed in claim 2, wherein the request message (Req) comprises the first packet (P1) and the response message (Rep) comprises the second packet (P2).
5. The control method as claimed in claim 1, wherein a packet (P1, P2) comprises a header (H1, H2) and payload data, and wherein the second packet (P2) based on the first packet (P1) comprises a header (H2) different from the header (H1) of the first packet.
6. A method for determining an instruction relating to the transmission of a first packet (P1) included in a packet stream generated by an application (APP) installed in a mobile terminal (UE), the stream being intended to be transmitted over a communications network managed by an operator, the method being implemented in a security module (SIM-PDP) comprising at least one processing rule established by the operator, the method comprising the following steps: a step (F1) of reception of a request message (Req) from the terminal, the request message comprising at least one parameter based on the first packet (P1), determination (F2) of an instruction relating to the transmission of a second packet (P2) based on the at least one parameter, according to the at least one processing rule, a step (F3) of transmission of a response message (Rep) to the terminal, the response message comprising the determined instruction.
7. The determination method as claimed in claim 6, comprising a preliminary step (F0) of obtaining the at least one processing rule from a network node managed by the operator.
8. The determination method as claimed in claim 6, wherein the request message (Req) comprises the first packet (P1) and the response message (Rep) comprises the second packet (P2).
9. The determination method as claimed in claim 6, wherein a packet (P1, P2) comprises a header (H1, H2) and payload data, and wherein the second packet (P2) based on the first packet (P1) comprises a header (H2) different from the header (H1) of the first packet (P1).
10. A security module (SIM) intended to be installed in a mobile terminal (UE) capable of transmitting a packet stream generated by an application (APP) installed in the mobile terminal and intended to be transmitted over a communications network managed by an operator, the security module comprising: a module (240) for obtaining and storing at least one processing rule (PCC) established by the operator, a module (250) for receiving a request message (Req) from the terminal, the request message comprising at least one parameter based on a packet (P1) of the stream, a module (260) for determining an instruction relating to the transmission of the packet of the stream, according to the at least one processing rule, a module (270) for transmitting a response message (Rep) to the terminal, the response message comprising the determined instruction.
11. A mobile terminal (UE) capable of transmitting a packet stream generated by an application (APP) installed in the mobile terminal and intended to be transmitted over a communications network managed by an operator, the terminal comprising: a module (140) for obtaining a packet, called first packet (P1), a module (150) for analyzing the first packet, a module (160) for transmitting, from the terminal, a second packet (P2) based on the first packet and conforming to at least one processing rule established by the operator, according to the result of the analysis.
12. The mobile terminal (UE) as claimed in claim 11, comprising at least one security module (SIM) intended to be installed in a mobile terminal (UE) capable of transmitting a packet stream generated by an application (APP) installed in the mobile terminal and intended to be transmitted over a communications network managed by an operator, the security module comprising: a module (240) for obtaining and storing at least one processing rule (PCC) established by the operator, a module (250) for receiving a request message (Req) from the terminal, the request message comprising at least one parameter based on a packet (P1) of the stream, a module (260) for determining an instruction relating to the transmission of the packet of the stream, according to the at least one processing rule, a module (270) for transmitting a response message (Rep) to the terminal, the response message comprising the determined instruction.
13. A system comprising a mobile terminal (UE) capable of transmitting a packet stream generated by an application (APP) installed in the mobile terminal and intended to be transmitted over a communications network managed by an operator, the terminal comprising: a module (140) for obtaining a packet, called first packet (P1), a module (150) for analyzing the first packet, a module (160) for transmitting, from the terminal, a second packet (P2) based on the first packet and conforming to at least one processing rule established by the operator, according to the result of the analysis, and at least one security module (SIM) intended to be installed in the mobile terminal (UE), the security module comprising: a module (240) for obtaining and storing at least one processing rule (PCC) established by the operator, a module (250) for receiving a request message (Req) from the terminal, the request message comprising at least one parameter based on a packet (P1) of the stream, a module (260) for determining an instruction relating to the transmission of the packet of the stream, according to the at least one processing rule, a module (270) for transmitting a response message (Rep) to the terminal, the response message comprising the determined instruction.
14. A computer program (110) comprising instructions for implementing steps of a control method, when this method is executed by a processor, the control method for controlling a packet stream generated by an application (APP) installed in a mobile terminal (UE), the stream being intended to be transmitted by the terminal over a communications network managed by an operator, the method comprising the following steps implemented in the terminal, for all or some of the packets generated by the application: obtaining (E1) and analysis (E2, E3, E4, E5) of a packet, called first packet (P1), transmission (E7) by the terminal of a second packet (P2) based on the first packet and conforming to at least one processing rule established by the operator, based on the result of the analysis and if the result of the analysis authorizes the transmission.
15. A computer program (210) comprising instructions for implementing steps of a determination method, when this method is executed by a processor, the determination method for determining an instruction relating to the transmission of a first packet (P1) included in a packet stream generated by an application (APP) installed in a mobile terminal (UE), the stream being intended to be transmitted over a communications network managed by an operator, the method being implemented in a security module (SIM-PDP) comprising at least one processing rule established by the operator, the method comprising the following steps: a step (F1) of reception of a request message (Req) from the terminal, the request message comprising at least one parameter based on the first packet (P1), determination (F2) of an instruction relating to the transmission of a second packet (P2) based on the at least one parameter, according to the at least one processing rule, a step (F3) of transmission of a response message (Rep) to the terminal, the response message comprising the determined instruction.
16. The control method as claimed in claim 3, wherein the request message (Req) comprises the first packet (P1) and the response message (Rep) comprises the second packet (P2).
17. The determination method as claimed in claim 7, wherein the request message (Req) comprises the first packet (P1) and the response message (Rep) comprises the second packet (P2).
18. The determination method as claimed in claim 7, wherein a packet (P1, P2) comprises a header (H1, H2) and payload data, and wherein the second packet (P2) based on the first packet (P1) comprises a header (H2) different from the header (H1) of the first packet (P1).
19. The determination method as claimed in claim 8, wherein a packet (P1, P2) comprises a header (H1, H2) and payload data, and wherein the second packet (P2) based on the first packet (P1) comprises a header (H2) different from the header (H1) of the first packet (P1).
Description
4. DESCRIPTION OF THE FIGURES
[0061] Other advantages and features of the invention will become more clearly apparent on reading the following description of a particular embodiment of the invention, given as a purely illustrative and nonlimiting example, and the attached drawings, in which:
5. DETAILED DESCRIPTION OF AT LEAST ONE EMBODIMENT OF THE INVENTION
[0067] Hereinafter in the description, examples of a number of embodiments of the invention are presented based on the LTE standards, but the invention applies also to other standards such as 3G, for example with a quality of service differentiated within a “bearer”, or to future standards such as 5G.
[0069] A SIM-PDP module controlling the packet streams transmitted by the terminal is installed on the SIM card (UICC) of the mobile terminal. Since the SIM card cannot be modified by the user, the module benefits from the same protection.
[0070] The SIM-PDP module acts as PDP (Policy Decision Point, decision point based on a policy) within the meaning of the RFC2753 standard, and the terminal, or more specifically the UE-PEP module of the terminal which is preferably implemented in a part of the terminal that cannot be modified by the user, acts as PEP (“Policy Enforcement Point”) within the meaning of the RFC2753 standard.
[0071] As illustrated in
[0072] The SIM-PDP module determines the instructions to be transmitted according to processing rules determined by the policy of the operator, and according to the profile of the user, the type of stream, etc. Each processing rule associates one or more actions with one or more conditions relating typically to the values of the fields of the header H1 of the packet P1. These rules can have been loaded on creation of the SIM card.
[0073] Furthermore, for optimization reasons, the SIM-PDP module can supply the UE-PEP module with a list of rules when the terminal is started up, or in response to a request from the UE-PEP module concerning a particular packet. In order to exploit these rules, before soliciting the SIM-PDP module, the UE-PEP module therefore checks in a table T-PEP whether it already holds rules, called routine rules, indicating how to process the packet P1.
[0074] The SIM-PDP module can also receive an update of the rules directly from an element of the network managed by the operator, for example by using the OTA (“Over The Air”) mechanism defined by the OMA (“Open Mobile Alliance”) organization.
[0076] The control method allows a terminal to perform controls imposed by the operator before the transmission of a packet.
[0077] In a step E1, a UE-PEP module of the terminal, called control module, obtains a packet P1 forming part of a packet stream generated by a communication application running on the terminal.
[0078] Based on both the parameters present in the header H1 of the packet P1 and on the network management policy of the operator to which the terminal is attached by subscription, different processing operations can be applied to the packet P1 and possibly to the other packets of the same stream. The control module is responsible for this control.
[0079] In a step E2, the control module therefore checks in a table T-PEP whether it contains an instruction, called a routine instruction, corresponding to the processing that the packet P1 must undergo. This is done for example by searching the table T-PEP for an instruction whose stream identifier is identical to that of the stream to which the packet P1 belongs, this identifier being included in the header H1 of the packet P1.
[0080] In a switching step E3, the method continues to a step E4 if no such routine instruction exists, or branches to an execution step E6, described below, if the routine instruction exists.
[0081] In a step E4, the control module transmits a request message to a security module SIM-PDP, the request message comprising at least a part of the header H1 of the packet P1. The aim of this request message is to determine what processing has to be applied by the terminal to the packet P1. This processing must conform to the stream management policy of the operator on its network, and this is why the security module SIM-PDP is secured so that the processing rules it contains can be modified only by the operator.
[0082] In a step E5, the control module receives a response message from the security module SIM-PDP, the response message comprising an instruction relating to the packet P1, established according to a processing rule specific to the operator.
[0083] In an optional step E5b following the step E5, the control module adds the received instruction to the table T-PEP.
[0084] In a step E6, the instruction received in the step E5, relating to the packet P1, is executed by the control module UE-PEP. This step comprises a first switching sub-step E6a, in which the method continues to a second sub-step E6b if the instruction comprises an authorization to transmit the packet P1, or branches to a step E8 if the instruction comprises a prohibition to transmit the packet P1.
[0085] In the sub-step E6b, the control module prepares a packet P2 to be transmitted, which can differ from the packet P1 according to the instruction. For example, the instruction received may be to modify the header field containing the DiffServ code, which is used to establish the priority with which the packet will be routed in the network.
[0086] Generally, the packet P2 differs from the packet P1 only by its header H2 and not by the payload data that it contains.
[0087] Finally, in a step E7, the terminal transmits the packet P2, with the same payload data as the packet P1, and with a header H2 that is possibly different from the header H1 of the packet P1.
[0088] In the step E8 executed in the case of prohibition to transmit the packet P1, the terminal prevents the transmission of the packet P1, and, if necessary, prevents the transmission of packets of the same stream as P1. The application which has generated the packet P1 may possibly detect that its packets are not transmitted and may terminate this stream.
[0089] It will be understood that the steps E4 and E5 are performed only for a first packet of a new stream, and not for the subsequent packets of this stream.
[0091] The determination method enables a terminal to determine what controls imposed by the operator have to be performed before the transmission of a packet.
[0092] In a step F1, a module SIM-PDP accessible to the terminal, called security module, receives a request message from the terminal, the request message comprising at least a part of the packet P1, generally all or part of its header H1. In one embodiment, the request message can also comprise the entire packet P1. This request message corresponds to the one which is transmitted in the step E4 of the control method which has just been described in relation to
[0093] In a step F2, the security module determines an instruction relating to the transmission of the packet P1, based on a table T-PDP of processing rules. This table T-PDP comprises the processing rules conforming to the stream management policy of the operator on its network. The rule which must be applied to the packet P1 depends on parameters characterizing the stream to which P1 belongs and included in the request message, such as, for example, the DiffServ code, the destination IP address, the destination port or the transport protocol (UDP or TCP), which are also fields of the header H1 of the packet P1.
[0094] The instruction may be to transmit a packet P2, with the same payload data as the packet P1, and with a header H2 possibly different from the header H1 of the packet P1, or it may be to not transmit the packet at all.
[0095] If the instruction is to transmit a packet P2, the content of this packet is also determined in this step F2.
[0096] In a step F3, the security module transmits to the terminal a response message comprising the determined instruction. This response message corresponds to the one which is received in the step E5 of the control method which has just been described in relation to
[0097] In a step F0, independent of the step F1, the security module obtains at least one processing rule established by the operator, by a suitable protocol, and stores it in the table T-PDP. Processing rules may have been installed initially upon the customization of the SIM card, then be updated according to the changes of policy of the operator, for example by using the OTA radio mechanism.
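The control method (steps E1 to E8) and the determination method (steps F0 to F3) described above, simulated in one place as an added example; this is not code from the patent, and the rule format, the default decision for an unmatched stream (forbid), the stream identifier (destination address, port and protocol) and the sample packets are all constructed here for illustration.

```python
"""Simulation of the UE-PEP (enforcement) / SIM-PDP (decision) split.

Added example, not code from the patent. Rule format, flow key, DSCP values
and the scenario in run_demo() are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Instruction vocabulary returned by the SIM-PDP (constructed).
FORBID = "forbid"
TRANSMIT = "transmit"


@dataclass(frozen=True)
class Header:
    """Subset of the header H1 that processing rules match on (paragraph [0093])."""
    dst_ip: str
    dst_port: int
    proto: str   # "UDP" or "TCP"
    dscp: int    # DiffServ code point, 0..63


@dataclass
class Packet:
    header: Header
    payload: bytes


@dataclass(frozen=True)
class Rule:
    """One T-PDP processing rule: header conditions -> action (paragraph [0072])."""
    match: dict                      # header field name -> required value
    action: str                      # FORBID or TRANSMIT
    set_dscp: Optional[int] = None   # header rewrite applied on TRANSMIT


def flow_id(h: Header) -> tuple:
    """Stream identifier used as the T-PEP lookup key (step E2); assumed 3-tuple."""
    return (h.dst_ip, h.dst_port, h.proto)


class SimPDP:
    """Policy Decision Point on the SIM card (steps F0..F3)."""
    def __init__(self, rules):
        self.t_pdp = list(rules)   # step F0: rules loaded by the operator
        self.requests = 0          # how many Req messages reached the card

    def handle_request(self, h1: Header) -> Rule:
        """Steps F1..F3: first matching rule wins; unmatched streams are forbidden."""
        self.requests += 1
        for rule in self.t_pdp:
            if all(getattr(h1, k) == v for k, v in rule.match.items()):
                return rule
        return Rule(match={}, action=FORBID)   # fail closed (assumption)


class UePEP:
    """Policy Enforcement Point in the terminal (steps E1..E8)."""
    def __init__(self, pdp: SimPDP):
        self.pdp = pdp
        self.t_pep = {}   # flow_id -> routine rule cached in step E5b

    def control(self, p1: Packet) -> Optional[Packet]:
        """Return the packet P2 to send, or None when transmission is prohibited."""
        fid = flow_id(p1.header)
        rule = self.t_pep.get(fid)            # step E2: routine rule present?
        if rule is None:                      # step E3 -> steps E4, E5
            rule = self.pdp.handle_request(p1.header)
            self.t_pep[fid] = rule            # step E5b: later packets skip the card
        if rule.action == FORBID:             # step E6a -> step E8
            return None
        h2 = p1.header                        # step E6b: derive H2 from H1
        if rule.set_dscp is not None:
            h2 = replace(h2, dscp=rule.set_dscp)
        return Packet(h2, p1.payload)         # step E7: same payload, new header


def run_demo():
    """Constructed scenario: one prioritized flow, one blocked flow, one plain flow."""
    pdp = SimPDP([
        Rule(match={"dst_port": 5060, "proto": "UDP"}, action=TRANSMIT, set_dscp=46),
        Rule(match={"dst_port": 6881, "proto": "TCP"}, action=FORBID),
        Rule(match={"proto": "TCP"}, action=TRANSMIT),
    ])
    pep = UePEP(pdp)
    voip = Header("203.0.113.10", 5060, "UDP", 0)
    p2p = Header("203.0.113.20", 6881, "TCP", 0)
    web = Header("203.0.113.30", 443, "TCP", 0)
    out = [pep.control(Packet(h, b"data")) for h in (voip, voip, p2p, web)]
    return pdp, pep, out
```

Running run_demo() shows that the second packet of the VoIP stream is handled from T-PEP without a second request to the SIM-PDP, while the blocked stream yields no P2 at all.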
[0098] The request message, like the response message, can take several forms. For example, the communication between the terminal and the security module can be implemented by establishing a TCP channel between the two entities, according to the procedures specified in the standard ETSI TS 102 223 (“Open Channel related to UICC server mode”). Such a channel is capable of conveying an application protocol such as OpenFlow for example.
[0099] The SIM-PDP module of the SIM card then acts as OpenFlow controller, whereas the UE-PEP module of the terminal acts as OpenFlow router. Before transmitting a packet to the outside, the UE-PEP module checks (step E2) whether it locally has the rule making it possible to determine how to process it, and otherwise transmits it (steps E4, F1) to the SIM-PDP module by means of a Packet-In message. The SIM-PDP module examines the packet (step F2) and responds (steps F3, E5) with a Packet-Out message containing this packet, possibly modified (step F2b), and a list of actions, typically “set-queue” to direct the packet to a queue and “output on port X”, in which port X denotes an output interface, to authorize its propagation (steps E6, E7). Furthermore, to avoid overloading the SIM card by transmitting to it all the packets to be transmitted by the terminal, the UE-PEP module is configured (step E5b) such that the next packets of the same stream can be processed autonomously by the UE-PEP module (steps E3, E6). For that, the SIM-PDP module can transmit to the UE-PEP module a table configuration command in the form of a “modify flow entry” message (OFPT_FLOW_MOD), in addition to the Packet-Out message.
[0100] An alternative implementation consists in upgrading the interface between terminal and security module to introduce therein messages specific to the application exchanges between the two entities.
[0101] In relation to
[0102] The UE-PEP module implements the control method, different embodiments of which have just been described.
[0103] Such a UE-PEP module can be implemented in a mobile terminal UE capable of connecting to an LTE or later generation network.
[0104] For example, the UE-PEP module comprises a processing unit 130, possibly equipped with a microprocessor and driven by a computer program 110, stored in a memory 120 and implementing the control method according to the invention. On initialization the code instructions of the computer program 110 are for example loaded into a RAM memory, before being executed by the processor of the processing unit 130.
[0105] Such a UE-PEP module comprises:
[0106] an obtaining module 140, capable of obtaining a packet P1 generated by an application installed in the mobile terminal UE, the packet P1 forming part of a stream intended to be transmitted by the terminal over a communications network managed by an operator,
[0107] an analysis module 150, capable of analyzing the packet P1 using at least one processing rule established by the operator or at least one routine rule stored in a table T-PEP included in the terminal UE,
[0108] a transmission module 160, capable of transmitting a packet P2 based on the packet P1 and in accordance with at least one processing rule established by the operator, according to the result of the analysis, and if the result of the analysis authorizes the transmission,
[0109] an addition module 170, capable of adding a routine rule to the table T-PEP based on the result of the analysis and intended to be applied to packets of the stream following the packet P1.
[0110] The UE-PEP module may also comprise:
[0111] a transmission module 151, capable of transmitting a request message Req to a security module SIM-PDP, the request message comprising at least one parameter based on the packet P1,
[0112] a reception module 152, capable of receiving a response message Rep from the security module SIM-PDP, the response message comprising an instruction relating to the packet P1 established according to at least one processing rule established by the operator,
[0113] a search module 153, capable of searching in the table T-PEP for a routine rule corresponding to the packet P1.
[0114] In relation to
[0115] The SIM-PDP module implements the determination method, different embodiments of which have just been described.
[0116] Such a SIM-PDP module can be implemented for example in a SIM, mini-SIM or micro-SIM card. Such a SIM-PDP module can also be implemented in a software module incorporated in the electronics of the terminal UE, known as soft-SIM. The term “SIM card” used below designates any of these embodiments, including SIM, mini-SIM, micro-SIM and soft-SIM.
[0117] For example, the SIM-PDP module comprises a processing unit 230, equipped for example with a microprocessor μP, and driven by a computer program 210, stored in a memory 220 and implementing the determination method according to the invention. On initialization, the code instructions of the computer program 210 are for example loaded into a RAM memory, before being executed by the processor of the processing unit 230.
[0118] Such a SIM-PDP module comprises:
[0119] an obtaining module 240, capable of obtaining at least one processing rule PCC established by an operator and of storing it in a table T-PDP,
[0120] a reception module 250, capable of receiving a request message Req from the terminal, the request message comprising at least one parameter based on a packet P1 generated by an application installed in the mobile terminal UE associated with the SIM card, the packet P1 forming part of a stream intended to be transmitted by the terminal UE over a communications network managed by the operator,
[0121] a determination module 260, capable of determining an instruction relating to the transmission of the packet of the stream, including, if necessary, the content of a packet P2 based on the packet P1, according to at least one processing rule included in the table T-PDP,
[0122] a transmission module 270, capable of transmitting a response message Rep to the terminal UE, the response message comprising the determined instruction.
[0123] The modules described in relation to