(19) United States
(12) Patent Application Publication
(10) Pub. No.: US 2006/0268838 A1
Larsson et al.
(43) Pub. Date: Nov. 30, 2006

(54) AUTHENTICATION OF AN APPLICATION LAYER MEDIA FLOW REQUEST FOR RADIO RESOURCES

(75) Inventors: Anders Larsson, Stockholm (SE); Martin Lars Backstrom, Danderyd (SE)

Correspondence Address:
NIXON & VANDERHYE, PC
901 NORTH GLEBE ROAD, 11TH FLOOR
ARLINGTON, VA 22203 (US)

(73) Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ), Stockholm (SE)

(21) Appl. No.: 11/370,171

(22) Filed: Mar. 8, 2006

Related U.S. Application Data

(60) Provisional application No. 60/684,233, filed on May 25, 2005.

Publication Classification

(51) Int. Cl.
H04L 12/66 (2006.01)
H04L 12/56 (2006.01)
(52) U.S. Cl. 370/352; 370/401

(57) ABSTRACT

A radio access bearer authentication procedure prevents a service application running on a mobile station from obtaining a higher level of radio access bearer service than is authorized by the network operator. A secret identifier is determined both at the mobile station and at the radio network. When the mobile’s service application requests a particular level of radio access bearer resources, the mobile sends its secret identifier to the radio network which compares the two. Such secret identifiers may be determined from a SIM associated with the mobile. If the secret identifiers match, the radio access network allocates the requested radio access bearer resources for the service application. One example service application is voice over IP (VoIP).

[Front-page drawing. Recoverable labels: 3rd Party VoIP Service 17; BSS/RAN 24; BSC/RNC.]

HTC EXHIBIT 1010

[Sheet 1 of 7, FIG. 1 (block diagram). Recoverable labels: Mobile Network Operator’s VoIP Service 5; VoIP Service; Radio Access Network (RAN); legend: Authorized VoIP Bearer Service, Unauthorized VoIP Bearer Service.]

[Sheet 2 of 7, Fig. 2 (flow chart). Recoverable box text:
- S1: RAN receives a request for a higher quality, “more expensive” RAN bearer for a mobile connection at set up.
- Decision: Is the mobile requesting the more expensive RAN bearer associated with a subscription that permits or needs the more expensive RAN bearer?
- Decision: Is valid secret MS information associated with the more expensive RAN bearer received from the mobile?
- Either reject request or establish a lower cost RAN bearer; initiate charging record.
- S5: Establish the more expensive RAN bearer for the connection. Initiate charging record.]

[Sheet 3 of 7, FIG. 3 (block diagram). Recoverable labels: 3rd Party VoIP Service 17; BSS/RAN 24; BSC/RNC; 30.]

[Sheet 5 of 7. Fig. 5, Mobile Station (MS) 30, recoverable block labels: Data Processor; MS Signature Calculator; Memory; VoIP Application; Lower Com. Protocol SW; SIM Card; Radio Processing; User Interfaces (keypad, display, speaker, mic). Fig. 6, RAN Node (e.g., BSC/PCU or RNC), recoverable block labels: Validator; Radio Resource Allocator; MS Signature.]

[Sheet 6 of 7, Fig. 7 (flow chart). Recoverable box text:
- S1: MS “attaches” to network to identify and authenticate itself with the network.
- S2: MS requests a packet data session with the network.
- S3: The core network provides the radio network (RAN or BSS) with secret MS information, e.g., in a packet flow context creation procedure.
- S4: MS determines a MS “signature”, using the secret MS information, e.g., by using SIM specific data and a frame or sequence number.
- S5: MS requests radio resources for an application layer service, e.g., a VoIP service. MS includes the MS signature in the request.
- S6: The radio network receives the request and determines for itself the MS signature using the secret MS information received from the core network.
- S7: The radio network compares the received MS signature with the calculated MS signature. If they match, the requested radio resources are granted. If not, the request is denied or fewer radio resources are granted.]

[Sheet 7 of 7, Fig. 8 (signaling diagram). Nodes: MS/SIM Card, BSS, SGSN, GGSN, HLR. Recoverable message and action labels include: Attach Request; Identity; Authentication and Ciphering Request; Authentication and Ciphering Response; Send Authentication Info; Send Authentication Info ACK; SGSN has authentication triplets; MS/SIM has authentication triplets; Update MS Location; ACK & Insert Subscriber Data; Create PDP Context Request; PDP Context Response; Packet Flow Context Procedures (Provide Authentication Triplet info. to RAN); Activate PDP Context Accept; Calculate MS Signature; Packet Resource Request (for VoIP, include MS Signature); Calculate MS Signature & Compare; Allocate Resources, e.g., set up TBF.]

AUTHENTICATION OF AN APPLICATION LAYER MEDIA FLOW REQUEST FOR RADIO RESOURCES

RELATED CASES

[0001] This application claims the benefit and priority of U.S. Provisional Patent Application 60/684,233, filed May 25, 2005, the entire contents of which is incorporated by reference in its entirety.

[0002] This application is related to the following related U.S. patent applications:

[0003] Ser. No. 10/298,939, filed on Dec. 12, 2005 and entitled “Connection Type Handover Of Voice Over Internet Protocol Call Based On Resource Type,” which is also incorporated by reference in its entirety.

[0004] Ser. No. 10/298,938, filed on Dec. 12, 2005 and entitled “Connection Type Handover Of Voice Over Internet Protocol Call Based Low-Quality Detection,” which is also incorporated by reference in its entirety.

[0005] Ser. No. 10/314,973, filed on Dec. 22, 2005 and entitled “Local Switching of Calls Setup by a Multimedia Core Network,” which is also incorporated by reference in its entirety.

[0006] Ser. No. 10/288,436, filed on Nov. 29, 2005 and entitled “Scheduling Radio Resources For Symmetric Service Data Connections,” which is also incorporated by reference in its entirety.

[0007] Ser. No. 10/346,565, filed on Feb. 3, 2006 entitled “Enhanced VoIP Media Flow Quality By Adapting Speech Encoding Based On Selected Modulation And Coding Scheme (MCS),” which is also incorporated by reference in its entirety.

TECHNICAL FIELD

[0008] The present invention pertains to telecommunications and finds advantageous example application to Voice over Internet Protocol (VoIP) communications.

BACKGROUND

[0009] VoIP is the transport of voice traffic using the Internet Protocol (IP). In the mobile world, VoIP means using a packet-switched (PS) service for transport of Internet Protocol (IP) packets which contain, e.g., Adaptive Multi-Rate (AMR) codec speech frames for voice mobile phone calls. A packet-switched connection is often simply referred to as a data connection.

[0010] Circuit-switched networks use circuit switching for carrying voice traffic where the network resources are statically allocated from the sender to receiver before the start of the message transfer, thus creating a “circuit.” The resources remain dedicated to the circuit during the entire message transfer and the entire message follows the same path. While this arrangement works quite well to transfer voice, IP is an attractive choice for voice transport for many reasons including lower equipment costs, integration of voice and data applications including multi-media like email, instant messaging, video, the world wide web, etc., lower bandwidth requirements, and the widespread availability of IP.

[0011] In packet-switched networks, the message is broken into packets, each of which can take a different route to the destination where the packets are recompiled into the original message. The packet switched (PS) service utilized for VoIP can be, for example, GPRS (General Packet Radio Service), EDGE (Enhanced Data Rates for Global Evolution), or WCDMA (Wideband Code Division Multiple Access). Each of these example services happens to be built upon the Global System for Mobile communications (GSM), a second generation (“2G”) digital radio access technology originally developed for Europe. GSM was enhanced in 2.5G to include technologies such as GPRS. The third generation (3G) comprises mobile telephone technologies covered by the International Telecommunications Union (ITU) IMT-2000 family. The Third Generation Partnership Project (3GPP) is a group of international standards bodies, operators, and vendors working toward standardizing WCDMA-based members of the IMT-2000.

[0012] EDGE (sometimes referred to as Enhanced GPRS (EGPRS)) is a 3G technology that delivers broadband-like data speeds to mobile devices. EDGE allows consumers to connect to the Internet and send and receive data, including digital images, web pages and photographs, three times faster than possible with an ordinary GSM/GPRS network. EDGE enables GSM operators to offer higher-speed mobile-data access, serve more mobile-data customers, and free up GSM network capacity to accommodate additional voice traffic. EDGE uses the same TDMA (Time Division Multiple Access) frame structure, logical channels, and 200 kHz carrier bandwidth as GSM networks, which allows existing cell plans to remain intact.

[0013] In EDGE technology, a base transceiver station (BTS) communicates with a mobile station (e.g., a cell phone, mobile terminal or the like, including computers such as laptops with mobile termination). The base transceiver station (BTS) typically has plural transceivers (TRX). A time division multiple access (TDMA) radio communication system like GSM, GPRS, and EDGE divides the time space into time slots on a particular radio frequency. Time slots are grouped into frames, with users being assigned one or more time slots. In packet-switched TDMA, even though one user might be assigned one or more time slots, other users may use the same time slot(s). So a time slot scheduler is needed to ensure that the time slots are allocated properly and efficiently.

[0014] EDGE offers nine different Modulation and Coding Schemes (MCSs): MCS1 through MCS9. Lower coding schemes (e.g., MCS1-MCS2) deliver a more reliable but slower bit rate and are suitable for less optimal radio conditions. Higher coding schemes (e.g., MCS8-MCS9) deliver a much higher bit rate, but require better radio conditions. Link Quality Control (LQC) selects which MCS to use in each particular situation based on the current radio conditions.

[0015] In EDGE, the LQC selects a MCS for radio link control (RLC) data blocks for each temporary block flow (TBF). A TBF is a logical connection between a mobile station (MS) and a packet control unit in the radio access network and is usually located in the base station controller (BSC). A TBF is used for either uplink or downlink transfer of GPRS packet data. The actual packet transfer is made on physical data radio channels (PDCHs). The bit rate for a TBF is thus effectively selected by selecting a MCS, and changing the MCS for a TBF changes its bit rate.

[0016] Wireless VoIP requires a certain quality of service (QoS) that is higher than other types of QoS such as basic background QoS provided for regular Internet data traffic. QoS is linked at least in part to bit rate, and thus, to the MCS selected by the LQC entity. Speech requires, for example, fairly low transfer delay and a guaranteed minimum bit rate over the air interface in both the uplink and downlink directions. In order for the radio access network to provide that higher QoS over the air interface, the radio access network must establish a radio access bearer that uses more radio resources than a radio access bearer for regular data Internet traffic that can tolerate delays and fluctuations in bit rate. In short, a VoIP radio access bearer costs the radio access network operator more than a regular data Internet traffic radio access bearer. Normally, that higher cost would be passed on by the network operator to its VoIP subscribers.

[0017] But a problem arises if a mobile subscriber’s terminal uses a third party VoIP application to “trick” the radio access network into providing the more expensive VoIP radio access bearer service while only paying for cheaper basic Internet data transfer. An example third party VoIP provider is SKYPE. Such a mobile user will be a subscriber with a subscription with a radio network operator for one or more services (which may or may not include VoIP) that permit mobile application programs to request and receive higher quality radio access bearer service by the radio network. Although the radio network initially ensures that the mobile user is an authorized subscriber, the radio access network does not then determine whether that subscriber is an authorized VoIP subscriber. Nor does the network determine whether the subscriber is even using the network’s VoIP service (as opposed to a third party’s VoIP service) when the mobile is running a VoIP application. Instead, the radio access network is simply focused on configuring radio access bearers to support data flows with the requested QoS for each data flow.

[0018] So if an authorized subscriber runs a VoIP application that requests VoIP QoS, the radio access network simply sees that QoS request and configures the radio access bearer to deliver the more expensive QoS, even though the data itself may not be traffic to the operator’s own VoIP service (but instead, for example, to a third party server on the Internet). The core network, which is where subscriber billing is normally performed, only sees regular Internet traffic for this data flow. As a result, the core network only charges the user for the lower cost radio access bearer service associated with regular Internet traffic, even though the user is receiving a higher cost radio access bearer service. A related negative consequence is that giving more radio resources and a higher priority to such a mobile user means that other mobile users paying the network operator for VoIP service are de-prioritized and potentially receive lower QoS.

[0019] FIG. 1 helps illustrate the problem. The radio communications system 1 includes a mobile radio 2 communicating over a radio interface with a radio access network (RAN) 3. The RAN 3 is coupled to one or more core networks 4, coupled in turn to a mobile network operator’s VoIP service node 5 and to a third party VoIP service node 7, e.g., a SKYPE server, via the Internet 6. As shown, the long dashed line represents an authorized VoIP bearer service including radio access bearer (RAB) service at the QoS required to support VoIP. The dotted line represents an unauthorized VoIP bearer service in the sense that a higher quality radio access bearer (RAB) service normally used for delivering VoIP service using the mobile network operator’s VoIP service node 5 is being used to support VoIP service sponsored by the third party VoIP service node 7. In essence, the mobile user in the dotted line scenario is getting a “free ride” using the higher quality VoIP RAB service and more expensive LQC without having to pay the higher tariff the network operator would naturally charge for providing that higher level of RAB service normally provided for its own VoIP service.

[0020] Access control to a certain quality of service (QoS) profile associated with a mobile subscription is typically not linked to charging for that QoS profile. The mobile sends a QoS request that includes an access point name (APN) to be used. Most network operators have or are moving towards using one APN for all data services including data services terminated in the operator’s service network, such as the mobile network operator’s VoIP service node 5 shown in FIG. 1, and data services terminated on the Internet 6. A network node, e.g., an SGSN in EDGE, receives the mobile’s request and checks the HLR subscription database that the mobile subscriber subscription profile permits the requested APN and QoS. If permitted, the network node, e.g., the SGSN, signals to a radio access network control node, e.g., a BSC, to create a packet flow context for the mobile. Based on that packet flow context, the BSC later allocates the requested QoS. As mentioned above, charging is usually done by a core network service node. Charging systems are typically set up to charge for the number of bytes transmitted and the APN used. Charging systems do not consider detailed parameters like QoS.

[0021] Given this system arrangement, it is possible to obtain more expensive bearer service and not be charged for it. Consider a third party mobile application program, like a VoIP application program, running on the mobile. That third party mobile application program requests a high quality of radio access bearer service directly from the access network. Instead of sending the application data to the network operator’s application server, the third party mobile application program sends the application data to a third party server over the Internet. For a VoIP application, third party VoIP programs might send the VoIP data to a SKYPE server or an MSN server. Consequently, the mobile subscriber is not charged for the more expensive high quality radio access bearer service it receives because the mobile did not use the operator’s application server. The core network only charges for the lower quality radio access bearer service associated with delivering the application data packets to the Internet at a lower basic data traffic transport charge.

SUMMARY

[0022] The inventors conceived of a technological solution that overcomes these problems. After a mobile radio has attached to and been authenticated by the mobile radio communications network as a valid mobile subscriber, the radio access network receives a radio resource request associated with the mobile radio for a first level of radio access bearer service. The radio access network receives a secret identifier from the mobile radio in connection with the radio resource request and determines whether the secret identifier is valid. If it is valid, the radio access network allocates the radio resources requested to permit the first level of radio access bearer service to be established. If the secret identifier is invalid, the radio access network either rejects the request, allocates radio resources for a second lower level of radio access bearer service, or takes some other action.

[0023] The radio access network preferably (though not necessarily) determines an application layer service associated with the radio resource request. In addition, the radio access network may also make a general determination, not associated with any particular application layer service, whether the mobile subscriber is permitted to receive the first level of radio access bearer service for any application layer service. If not, the subscriber is authorized to only receive the second level of radio access bearer service, e.g., general Internet service. One example of an application layer service is a Voice-over-IP (VoIP) service. In one example embodiment, the first level radio access bearer provides sufficient radio resources to support the VoIP service, and the second level radio access bearer provides sufficient radio resources to support basic data packet transfer over the Internet.

[0024] Advantageously, the secret identifier validation procedure ensures that the mobile radio’s VoIP service application uses a VoIP service provided by the mobile radio network along with the first level radio access bearer service. The secret identifier validation also prevents the mobile radio’s VoIP application from obtaining the first level of radio access bearer service for use with another third party VoIP service provided by an entity other than the mobile radio network operator. A first tariff is initiated for the mobile radio subscriber when the first level radio access bearer service is allocated. A second lower tariff is initiated when the second level radio access bearer service is allocated.

[0025] In one non-limiting implementation, the mobile radio sends a VoIP indication message to the radio network, and the secret information is a mobile station (MS) signature derivable from information associated with the mobile radio and information associated with the VoIP indication message. For example, the MS signature is derivable from data associated with subscriber identity module (SIM) data corresponding to the mobile radio subscriber and a frame or sequence number associated with the VoIP indication message. Optionally, a one-way hash function may be used to determine the MS signature with information derivable from authentication triplet data used during general mobile station authentication and the frame or sequence number. In an example application to a GPRS/EDGE network, the VoIP indication message is received from the mobile radio during a temporary block flow (TBF) setup procedure.

BRIEF DESCRIPTION OF THE DRAWINGS

[0026] FIG. 1 is a simplified function block diagram of an example mobile radio communications system showing an example of a mobile obtaining higher quality radio access bearer service but not having to pay for it;

[0027] FIG. 2 is a flow chart that outlines non-limiting example procedures for authenticating a mobile requesting a particular level of radio access bearer service to ensure that the subscriber is a valid subscriber and is charged for the level of radio access bearer service used;

[0028] FIG. 3 is a function block diagram of an example, non-limiting radio communications system that supports EDGE (Enhanced Data Rates for Global Evolution);

[0029] FIG. 4 is a communications protocol diagram of an EDGE (Enhanced Data Rates for Global Evolution) system;

[0030] FIG. 5 is a function block diagram of a mobile station;

[0031] FIG. 6 is a function block diagram of a RAN node;

[0032] FIG. 7 is a flow chart diagram that outlines non-limiting example procedures for authenticating a mobile station requesting a particular level of radio access bearer service to ensure that the subscriber is a valid subscriber and is charged for the level of radio access bearer service use; and

[0033] FIG. 8 is a diagram illustrating non-limiting example signaling between various GPRS/EDGE nodes.

DETAILED DESCRIPTION

[0034] In the following description, for purposes of explanation and not limitation, specific details are set forth such as particular architectures, interfaces, techniques, etc. in order to provide a thorough understanding of the present invention. However, it will be apparent to those skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. That is, those skilled in the art will be able to devise various arrangements which, although not explicitly described or shown herein, embody the principles of the invention and are included within its spirit and scope. In some instances, detailed descriptions of well-known devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail. All statements herein reciting principles, aspects, and embodiments of the invention, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.

[0035] Thus, for example, it will be appreciated by those skilled in the art that block diagrams herein can represent conceptual views of illustrative circuitry embodying the principles of the technology. Similarly, it will be appreciated that any flow charts, state transition diagrams, pseudocode, and the like represent various processes which may be substantially represented in computer readable medium and so executed by a computer or processor, whether or not such computer or processor is explicitly shown.

[0036] The functions of the various elements including functional blocks labeled as “processors” or “controllers” may be provided through the use of dedicated hardware as well as hardware capable of executing software in association with appropriate software. When provided by a processor, the functions may be provided by a single dedicated processor, by a single shared processor, or by a plurality of individual processors, some of which may be shared or distributed. Moreover, explicit use of the term “processor” or “controller” should not be construed to refer exclusively to hardware capable of executing software, and may include, without limitation, digital signal processor (DSP) hardware, read only memory (ROM) for storing software, random access memory (RAM), and non-volatile storage.

[0037] FIG. 2 is a flow chart that outlines non-limiting example procedures for the radio access network (RAN) to authenticate a mobile station requesting a particular level of radio access bearer (RAB) service to ensure that the mobile subscriber is authorized to receive that level of RAB service and is properly charged for the level of radio access bearer service actually used. Initially, the radio access network (RAN) receives a request for a higher quality, “more expensive” RAN bearer for a mobile connection at connection setup (step S1). An optional decision may be made whether the mobile station requesting the more expensive RAN bearer is associated with a subscription that permits it (step S2). If not, the request is either rejected or a lower cost RAN bearer is established (step S3). A charging record associated with the lower cost RAN bearer is initiated to an appropriate charging entity. On the other hand, if the requesting mobile station has an appropriate subscription, a decision is made in step S4 whether valid, secret mobile station information associated with the more expensive RAN bearer has been received from the mobile station. If not, the procedures in step S3 are performed. If so, the more expensive (higher quality) RAN bearer is established for the connection/session, and an appropriate charging record is initiated (step S5). In this way, the radio access network can securely (1) determine whether the mobile station is authorized to receive the more expensive bearer service, and (2) ensure that the more expensive bearer service is charged for when the mobile radio uses it.

[0038] Preferably, the secret MS information is information that can only be determined by an application running at the mobile station that has access to secret information. Typically, the secret MS information is stored on a secure physical or logical subscription identity module or storage space (referred to in this application as a SIM). The SIM is owned by the network operator that controls (e.g., with security features) what functions have access to the SIM. Third party application software usually does not have access to SIM information. In the example described in the background, the application would be a Voice over IP (VoIP) application. Only a VoIP application in the mobile station provided by the network operator will have access to the SIM or will otherwise have or be able to determine secret mobile station information.
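
The signature check summarized in [0025] and the decision flow of FIG. 2 in [0037], as an added example that is not part of the patent text. It assumes HMAC-SHA-256 keyed with Kc as the one-way function, an 8-byte signature, and a RAN that recomputes the signature from the frame number it observed itself; all class, function and subscriber names are hypothetical.

```python
"""Added example (not from the patent): MS signature check at the RAN node."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HIGH_BEARER = "high-qos"   # "more expensive" bearer, e.g. for VoIP
LOW_BEARER = "basic"       # bearer for regular Internet traffic
SIG_LEN = 8                # assumed signature length in bytes


@dataclass(frozen=True)
class Triplet:
    """GSM authentication triplet held by the SIM side and the network side."""
    rand: bytes  # challenge
    sres: bytes  # signed response
    kc: bytes    # cipher key, never sent over the air


def ms_signature(triplet: Triplet, frame_number: int) -> bytes:
    """One-way function of triplet-derived data and the frame number.

    Assumption: HMAC-SHA-256 keyed with Kc over SRES || frame number,
    truncated to SIG_LEN bytes. The text only calls for a one-way hash.
    """
    msg = triplet.sres + frame_number.to_bytes(4, "big")
    return hmac.new(triplet.kc, msg, hashlib.sha256).digest()[:SIG_LEN]


@dataclass
class RanNode:
    """Validator plus radio resource allocator (hypothetical class)."""
    contexts: Dict[str, Tuple[Triplet, bool]] = field(default_factory=dict)
    charging: List[Tuple[str, str]] = field(default_factory=list)

    def create_packet_flow_context(self, subscriber: str, triplet: Triplet,
                                   high_qos_permitted: bool) -> None:
        """Core network hands the secret MS information to the RAN."""
        self.contexts[subscriber] = (triplet, high_qos_permitted)

    def handle_high_qos_request(self, subscriber: str, observed_frame: int,
                                signature: Optional[bytes]) -> Optional[str]:
        """Steps S1-S5 of Fig. 2; returns the bearer granted, or None."""
        ctx = self.contexts.get(subscriber)
        if ctx is None:                       # no packet flow context: reject
            return None
        triplet, permitted = ctx
        if not permitted:                     # S2 fails, go to S3
            return self._grant(subscriber, LOW_BEARER)
        # S4: recompute from the frame number the RAN itself observed,
        # so a signature captured in one frame is useless in another.
        expected = ms_signature(triplet, observed_frame)
        if signature is None or not hmac.compare_digest(expected, signature):
            return self._grant(subscriber, LOW_BEARER)   # S3
        return self._grant(subscriber, HIGH_BEARER)      # S5

    def _grant(self, subscriber: str, bearer: str) -> str:
        self.charging.append((subscriber, bearer))  # initiate charging record
        return bearer


def demo() -> List[Optional[str]]:
    """Constructed scenario covering each branch of the decision flow."""
    t = Triplet(rand=bytes(range(16)), sres=b"\x11\x22\x33\x44",
                kc=bytes.fromhex("0123456789abcdef"))  # constructed values
    ran = RanNode()
    ran.create_packet_flow_context("alice", t, high_qos_permitted=True)
    ran.create_packet_flow_context("bob", t, high_qos_permitted=False)
    good = ms_signature(t, 1200)            # operator app with SIM access
    return [
        ran.handle_high_qos_request("alice", 1200, good),    # signatures match
        ran.handle_high_qos_request("alice", 1200, None),    # app without SIM access
        ran.handle_high_qos_request("alice", 1201, good),    # replayed in a later frame
        ran.handle_high_qos_request("bob", 1200, good),      # subscription forbids it
        ran.handle_high_qos_request("mallory", 1200, good),  # no context at the RAN
    ]


if __name__ == "__main__":
    print(demo())
```

Every grant, high or low, appends a charging record, which is the link between bearer level and tariff that the background section says is missing.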

[0039] FIG. 3 shows an example mobile radio communications system 10 that couples to one or more circuit-switched networks 12 like the Public Switched Telephone Network (PSTN) and/or the Integrated Services Digital Network (ISDN), etc. via a mobile switching center (MSC) 16 core network node and to one or more packet-switched networks 14 like the Internet via a serving GPRS support node (SGSN) 20 and a gateway GPRS support node (GGSN) 22. The PSTN 12 and ISDN 14 are circuit-switched core networks and the MSC core network node 16 supports circuit-switched services. The Internet 14 is a packet-switched core network, and the SGSN 20 and GGSN 22 are packet-switched core network nodes. In addition to these core networks and associated core network nodes is an Internet Protocol Multimedia Subsystem (IMS) 13 which provides IP-based services, like VoIP, and multimedia services. The IMS 13 may include a media resource function (MRF) 15 to deliver media based services on behalf of the network operator. The IMS is coupled to the core networks, to the GGSN 22, and the SGSN 20. The MSC 16, the IMS 13, and the SGSN 20 are coupled to a mobile subscriber database like a home subscriber server (HSS) 18 that includes a mobile subscriber subscription database HLR 19 and to a radio access network. Attached to the Internet is a third party VoIP service provider (e.g., a SKYPE server) that is not associated with the VoIP service provided by the network operator via the IMS 13.

[0040] In a non-limiting example, the radio access network (RAN) is GSM/EDGE based and is referred to as a base station system (BSS) 24 (or it can be simply a RAN). The BSS 24 includes one or more base station controllers (BSCs) 26 (only one is illustrated) coupled to plural base transceiver stations (BTSs) 28. In UMTS, a similar node is called a radio access network controller (RNC). The base station controller 26 controls radio resources and radio connectivity for the cells served by the base transceiver stations BTSs 28 under its control. The BTSs 28 communicate with mobile radio stations (MSs) 30 using radio communication over an air interface. Each BTS 28 serves one or more cells. For each served cell, the base transceiver station 28 provides a pool of radio transmission resources (typically managed and allocated by the BSC) for communicating with mobile stations in that cell. Each base station (BTS) 28 includes a controller as well as radio transceivers and baseband processing circuitry to handle the radio transmission and reception within each served cell.

[0041] Each mobile station (MS) 30 includes a radio transceiver and data processing and control entities/functionalities for providing Voice over Internet Protocol (VoIP) capability. The person skilled in the art will recognize that the mobile station 30 and its data processing and control typically include numerous other functionalities and applications in addition to or other than VoIP. The mobile station 30 includes input/output devices such as a display screen, a keypad, a speaker, a microphone, and the like. The mobile station 30 also includes a SIM. In one example, the SIM may be a logical application running on a smartcard and includes various mobile subscriber subscription information, preferences, identifiers, and authentication information. Other similar types of modules may be employed such as a universal subscriber identity module (USIM).

[0042] In EDGE, EGPRS, or GPRS, a first link layer protocol context, called a temporary block flow (TBF), is set up uplink from the mobile to the radio network, and a second TBF is set up downlink from the radio network to the mobile radio. A TBF can be viewed as a logical connection between a mobile station (MS) and a packet control unit (PCU) in the network, e.g., the BSS. FIG. 3 is a communications protocol diagram of an EDGE system familiar to those skilled in the art. The TBF is shown as a temporary connection between the radio link control (RLC) protocol layer entities in the BSC and the MS. Once an uplink TBF and a downlink TBF have been established for a data connection, then radio resources (time slots in the EDGE type systems) ca