Outbound Roaming Into MNO and Enterprise Networks with SHNI Based Subscription
20220330008 · 2022-10-13
CPC classification: H04W40/02 (Section H, Electricity)
International classification: H04W8/18; H04W40/02 (Section H, Electricity)
Abstract
A method and apparatus are disclosed that provide a means by which user equipment (UE) whose International Mobile Subscriber Identity (IMSI) carries a Shared Home Network Identity (SHNI) can reach the Home Subscriber Server (HSS) holding its authentication information when the UE is not currently within its home network.
Claims
1. A system comprising: a central server for routing communications originating at a user equipment (UE) that is associated with an identifier; a second routing component coupled to the central server, for receiving communications routed from the central server to the second routing component based on the enterprise deployment vendor to which the identifier was assigned; and a third routing component coupled to the second routing component, the third routing component receiving communications from the second routing component based on the particular network to which the identifier was assigned by the vendor, the third routing component routing the communications to a particular site in the network at which a repository of information resides that can be used to assist in authenticating the UE.
2. The system of claim 1, wherein the identifier is a UE identifier.
3. The system of claim 2, wherein the identifier is an International Mobile Subscriber Identifier (IMSI) assigned to the UE.
4. The system of claim 1, wherein the identifier is a network related identifier.
5. The system of claim 4, wherein the network related identifier is a Network Identifier (NID).
6. The system of claim 3, further comprising a plurality of second routing components, wherein the central server comprises a database containing information to cross reference IMSIs provided by user equipment to a particular one of the plurality of second routing components, the central server being configured to determine, from the information contained within the database, to which of the plurality of second routing components to send the communication.
7. The system of claim 6, further comprising a plurality of third routing components, wherein the second routing component comprises a second database containing information to cross reference IMSIs received from the central server to a particular one of the plurality of third routing components, the particular one of the second routing components being configured to determine, from the information contained within the second database, to which of the plurality of third routing components to send the communication.
8. The system of claim 7, wherein the third routing component is configured to: a) request information from the repository of information that resides at the particular site in the network; b) receive the requested information; and c) send the received requested information to the particular second routing component.
9. The system of claim 8, wherein the requested information includes authentication information.
10. The system of claim 8, wherein the requested information includes performance parameters.
11. The system of claim 10, wherein the performance parameters include limitations placed on the operation of the UE.
12. The system of claim 1, wherein the central receiver is coupled to a visitor Public Land Mobile Network (VPLMN) and to the UE, and through which the communication originating at the UE is provided to the central server during an authentication procedure.
13. The system of claim 12, wherein the communications from the VPLMN to the repository of information are communicated over a secure connection.
14. The system of claim 13, wherein the secure connection is an IPSec connection.
Description
BRIEF DESCRIPTION OF THE DRAWINGS
[0034] The disclosed method and apparatus, in accordance with one or more various embodiments, is described with reference to the following figures. The drawings are provided for purposes of illustration only and merely depict examples of some embodiments of the disclosed method and apparatus. These drawings are provided to facilitate the reader's understanding of the disclosed method and apparatus. They should not be considered to limit the breadth, scope, or applicability of the claimed invention. It should be noted that for clarity and ease of illustration these drawings are not necessarily made to scale.
[0044] The figures are not intended to be exhaustive or to limit the claimed invention to the precise form disclosed. It should be understood that the disclosed method and apparatus can be practiced with modification and alteration, and that the invention should be limited only by the claims and the equivalents thereof.
DETAILED DESCRIPTION
[0046] In some embodiments, the VPLMN 702 reaches a central server 714 to find the HPLMN 704 (which in some embodiments is an enterprise network) and authenticate the UE 706 with credentials associated with a Shared Home Network Identity (SHNI). Normally a Home Network Identity (HNI), that is, the PLMN ID formed by the mobile country code (MCC) and mobile network code (MNC), is assigned to a single operator, and that operator is responsible for managing the uniqueness of the International Mobile Subscriber Identity (IMSI) codes and other identifiers constructed from the HNI. However, the Alliance for Telecommunications Industry Solutions (ATIS) IMSI Oversight Committee (IOC) has made it possible for one SHNI to be used simultaneously by a large number of operators in the Citizens Broadband Radio Service (CBRS) ecosystem, so IMSI uniqueness under an SHNI must be coordinated across those operators rather than by any single one.
[0048] An IMSI is a number that uniquely identifies each subscription (and hence the UE carrying it) that has access to a PLMN, whether the PLMN is an MNO, a Private Enterprise Network (PEN) or another network operating in accordance with 3GPP standards. It is at most 15 digits, stored as a 64-bit field on the SIM, and is sent by the UE 706 to the PLMN (the HPLMN, or a VPLMN 702 when the UE 706 is outside the HPLMN coverage area). It is also used for authenticating the UE 706 and for acquiring other subscription details in the HPLMN or VPLMN. To prevent eavesdroppers from identifying and tracking the subscriber on the radio interface, the IMSI is sent as rarely as possible and a Temporary Mobile Subscriber Identity (TMSI), allocated by the serving network, is sent instead. Note that in 4G the first attach to a network that holds no temporary identity for the UE still carries the IMSI in the clear; concealing the permanent identifier at that step (SUCI) is a 5G feature.
[0049] In some embodiments one or more central servers 714 may exist. In some embodiments, this is based on the relationships between interacting entities (e.g., MNOs and operators of PENs that have established agreements with the MNOs). In some embodiments, the central server 714 has the association information required to reach the HSS 708 or the Authentication Server Function (AUSF) 908 and obtain the desired authentication information from it (see
[0050] When the UE 706 attempts to connect to the VPLMN 702, the VPLMN communicates with the central server 714 to authenticate the UE 706. In some embodiments, routing from the central server 714 is done based on the PLMN ID. In other embodiments, the NID is used to determine the route through the central server to establish a connection to an HSS during authentication, or for other purposes for which information from the home network is desired. In some cases, the PLMN ID is an SHNI. The PLMN ID is the leading part of the IMSI (the MCC followed by the MNC) that the UE 706 provides during the attach procedure performed between the UE 706 and the VPLMN 702. There is only one value currently assigned as an SHNI. Accordingly, in some embodiments, when the UE 706 attempts to access a 4G network, the MME 712 recognizes the SHNI within the IMSI of the UE 706 and routes a request for information stored in the HSS 708 through an associated central server 714. As noted above, in other embodiments the central server uses the NID to determine the route to the source of information within the UE's home network. In either case the central server uses a network identifier or a UE-associated identifier (such as the IMSI) to route requests toward the source of that information (such as an HSS within the UE's home network).
[0051] Because the size of a typical PEN, and the number of PENs that may share the same SHNI, can vary significantly, it may not be possible for a single central server 714 to maintain information about every IMSI in every network and identify the PEN directly. Therefore, in accordance with some embodiments of the disclosed method and apparatus, a request received by the central server 714 for authentication information is routed to a device that holds information about the vendor responsible for supplying the credentials to the specific UE 706 and about the network to which the UE 706 subscribes.
[0052] The central server 714 maintains a mapping of IMSI ranges that associates each range with the vendor to which it was allotted. The number of vendors is much smaller than the number of enterprises where PENs are deployed, since each vendor typically has deployed a significant number of PENs.
[0053] The vendor retains a central repository of the credentials supplied to the different enterprises. A router 718 with which the central server 714 communicates holds the information needed to route the request to a further router 720. That router 720 holds information about the specific enterprise deployment, including what is needed to retrieve information from an HSS operated by that enterprise. The HSS in turn holds the information specific to the UE whose IMSI is the subject of the query being serviced.
[0054] In some embodiments, the PEN hosts the HSS in a central cloud serving all of that enterprise's sites. Alternatively, the HSS that holds the credential resides at the individual site that is the home of the UE 706 within the PEN. The request is routed to whichever HSS entity applies.
[0055] It can be seen that there is a hierarchy of user credential storage. That is, a first server (e.g., the central server 714) stores the list of vendors associated with the SHNI. A second server (e.g., the router 718) identifies a PEN central entity that may be responsible for several sites within the PEN. A third router (e.g., the router 720) identifies the particular enterprise site at which the HSS information can be found.
[0056] That is, the server 714 is essentially a router that associates the IMSI with a particular vendor and forwards the communications originating from the UE 706 with that IMSI to a second component 718 that handles only IMSIs associated with that vendor. The second component 718 is essentially another router that forwards IMSIs associated with that vendor to a particular PEN: as noted above, a vendor typically has assigned one or more groups of IMSIs to each of several PENs, and each PEN receives a unique subset of the vendor's total allotment of IMSIs. The second router 718 maintains a database that lets it route the communications from the UE 706 with that IMSI to a third router (e.g., router 720). The router 720 knows the logical location of an HSS 708 (or other repository of information required for authentication) within a particular physical location (campus) in the PEN. In addition to the information required for authentication, other information regarding limitations or minimum performance parameters may be obtained from the repository (such as the HSS); these indicate the capabilities and limitations of the UE as imposed by the UE's subscription to the enterprise and by agreements between the enterprise and other networks.
[0057] In some embodiments, the information ultimately resides where the IMSI (and the others in the same subset of IMSIs) was assigned. The router 720 can then access the HSS 708 (or other repository of performance and subscription information) within the HPLMN 704 (or home PEN).
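The three-hop resolution described in paragraphs [0050] through [0057] (the MME recognises the SHNI in the IMSI, the central server 714 maps the IMSI range to a vendor, the vendor router 718 maps it to a PEN, and the PEN router 720 maps it to the HSS site that returns authentication material and the UE's limits), as an added Python example that is not code from the patent. The SHNI value 315 010 is the shared HNI that ATIS assigned for CBRS; the page states only that a single value exists. The MNC-length table, the vendor, PEN and site names, the IMSI ranges and the subscriber records are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Shared HNI assigned by the ATIS IOC for CBRS (MCC 315, MNC 010). The page
# says one SHNI value exists without naming it; this value is external to it.
SHNI = "315010"
# Assumption: MNC length per MCC. North American MCCs use 3-digit MNCs;
# any MCC not listed is treated as having a 2-digit MNC.
MNC_LENGTH = {"310": 3, "311": 3, "315": 3}


class RoutingError(Exception):
    """Raised when a hop holds no mapping for the IMSI it was handed."""


def parse_imsi(imsi: str) -> tuple[str, str, str]:
    """Split a 15-digit IMSI into (MCC, MNC, MSIN); reject malformed input."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be exactly 15 decimal digits")
    mcc = imsi[:3]
    mnc_len = MNC_LENGTH.get(mcc, 2)
    return mcc, imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def plmn_id(imsi: str) -> str:
    mcc, mnc, _ = parse_imsi(imsi)
    return mcc + mnc


def is_shni(imsi: str) -> bool:
    """The MME-side test: does this IMSI carry the shared home network identity?"""
    return plmn_id(imsi) == SHNI


@dataclass
class RangeRouter:
    """One hop of the hierarchy: inclusive IMSI ranges mapped to a next hop.
    The central server (714) maps ranges to vendors, a vendor router (718)
    maps its own ranges to PENs, and a PEN router (720) maps them to HSS sites."""
    name: str
    ranges: list  # (first_imsi, last_imsi, next_hop) tuples

    def route(self, imsi: str) -> str:
        for first, last, next_hop in self.ranges:
            if first <= imsi <= last:  # equal-length digit strings compare as numbers
                return next_hop
        # Report only the PLMN prefix: full IMSIs should not end up in error logs.
        raise RoutingError(f"{self.name}: no route for IMSI prefix {imsi[:6]}")


@dataclass
class HssSite:
    """The repository at the enterprise site: auth material plus UE limits."""
    name: str
    subscribers: dict  # imsi -> record (constructed)

    def lookup(self, imsi: str) -> dict:
        if imsi not in self.subscribers:
            raise RoutingError(f"{self.name}: IMSI unknown at its home site")
        return {"site": self.name, **self.subscribers[imsi]}


def resolve(central, vendor_routers, pen_routers, hss_sites, imsi: str) -> dict:
    """Walk the three hops and return what the HSS site holds for the IMSI."""
    if not is_shni(imsi):
        raise RoutingError("not an SHNI IMSI: use ordinary home routing")
    vendor = central.route(imsi)                 # hop 1: central server 714
    pen = vendor_routers[vendor].route(imsi)     # hop 2: vendor router 718
    site = pen_routers[pen].route(imsi)          # hop 3: PEN router 720
    return hss_sites[site].lookup(imsi)          # repository at the site


# Constructed topology: two vendors; vendor A has two PENs, one with two sites.
CENTRAL = RangeRouter("central-714", [
    ("315010000000000", "315010499999999", "vendor-a"),
    ("315010500000000", "315010999999999", "vendor-b"),
])
VENDOR_ROUTERS = {
    "vendor-a": RangeRouter("vendor-a-718", [
        ("315010000000000", "315010000099999", "pen-acme"),
        ("315010000100000", "315010000199999", "pen-globex"),
    ]),
    "vendor-b": RangeRouter("vendor-b-718", []),  # allotted a range, nothing deployed
}
PEN_ROUTERS = {
    "pen-acme": RangeRouter("pen-acme-720", [
        ("315010000000000", "315010000049999", "acme-campus-east"),
        ("315010000050000", "315010000099999", "acme-campus-west"),
    ]),
    "pen-globex": RangeRouter("pen-globex-720", [
        ("315010000100000", "315010000199999", "globex-cloud-hss"),
    ]),
}
HSS_SITES = {
    "acme-campus-east": HssSite("acme-campus-east", {
        "315010000000123": {"auth": "vectors-for-000123", "max_bitrate_mbps": 50}}),
    "acme-campus-west": HssSite("acme-campus-west", {}),
    "globex-cloud-hss": HssSite("globex-cloud-hss", {
        "315010000150000": {"auth": "vectors-for-150000", "max_bitrate_mbps": 10}}),
}


def lookup(imsi: str) -> dict:
    return resolve(CENTRAL, VENDOR_ROUTERS, PEN_ROUTERS, HSS_SITES, imsi)


if __name__ == "__main__":
    print(lookup("315010000000123"))
```

Each hop refuses an IMSI that falls outside its own allotment instead of defaulting to some next hop, so a request for an IMSI that was never assigned (here, one in vendor B's range) fails at the hop that knows it was never deployed; and the error text carries only the PLMN prefix, because the IMSI is the identifier the TMSI mechanism in [0048] exists to keep out of casual view.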
[0058] The intermediate communication links 710 between the components 714, 718 and 720 are protected with Internet Protocol Security (IPsec) tunnels, and the participating components 714, 718 and 720 authenticate each other over those links 710 with mutually managed security certificates. Two practical consequences follow: each component must validate the peer's certificate chain and bind it to the expected peer identity, since a hop that accepts any certificate issued by the configured CA admits every other holder of such a certificate; and because the tunnels are hop-by-hop rather than end-to-end, each intermediate component sees the IMSI and the returned authentication material in the clear and must be trusted accordingly.
[0059] The route established through the components 714, 718 and 720 is used both for home routing of the UE's packet data connectivity and to support billing.
[0061] Although the disclosed method and apparatus is described above in terms of various examples of embodiments and implementations, it should be understood that the particular features, aspects and functionality described in one or more of the individual embodiments are not limited in their applicability to the particular embodiment with which they are described. Thus, the breadth and scope of the claimed invention should not be limited by any of the examples provided in describing the above disclosed embodiments.
[0062] Terms and phrases used in this document, and variations thereof, unless otherwise expressly stated, should be construed as open ended as opposed to limiting. As examples of the foregoing: the term “including” should be read as meaning “including, without limitation” or the like; the term “example” is used to provide examples of instances of the item in discussion, not an exhaustive or limiting list thereof; the terms “a” or “an” should be read as meaning “at least one,” “one or more” or the like; and adjectives such as “conventional,” “traditional,” “normal,” “standard,” “known” and terms of similar meaning should not be construed as limiting the item described to a given time period or to an item available as of a given time, but instead should be read to encompass conventional, traditional, normal, or standard technologies that may be available or known now or at any time in the future. Likewise, where this document refers to technologies that would be apparent or known to one of ordinary skill in the art, such technologies encompass those apparent or known to the skilled artisan now or at any time in the future.
[0063] A group of items linked with the conjunction “and” should not be read as requiring that each and every one of those items be present in the grouping, but rather should be read as “and/or” unless expressly stated otherwise. Similarly, a group of items linked with the conjunction “or” should not be read as requiring mutual exclusivity among that group, but rather should also be read as “and/or” unless expressly stated otherwise. Furthermore, although items, elements or components of the disclosed method and apparatus may be described or claimed in the singular, the plural is contemplated to be within the scope thereof unless limitation to the singular is explicitly stated.
[0064] The presence of broadening words and phrases such as “one or more,” “at least,” “but not limited to” or other like phrases in some instances shall not be read to mean that the narrower case is intended or required in instances where such broadening phrases may be absent. The use of the term “module” does not imply that the components or functionality described or claimed as part of the module are all configured in a common package. Indeed, any or all of the various components of a module, whether control logic or other components, can be combined in a single package or separately maintained and can further be distributed in multiple groupings or packages or across multiple locations.
[0065] Additionally, the various embodiments set forth herein are described with the aid of block diagrams, flow charts and other illustrations. As will become apparent to one of ordinary skill in the art after reading this document, the illustrated embodiments and their various alternatives can be implemented without confinement to the illustrated examples. For example, block diagrams and their accompanying description should not be construed as mandating a particular architecture or configuration.