

Title:
METHOD AND APPARATUS FOR NETWORK GATEWAY DISAGGREGATION
Document Type and Number:
WIPO Patent Application WO/2018/015785
Kind Code:
A1
Abstract:
A disaggregated network gateway system is described. The network gateway system comprises an access unit instance, a subscriber unit instance, a network unit instance, an application unit instance, a gateway control mechanism, and an internal communication mechanism to enable each one of the access unit instance, the subscriber unit instance and the network unit instance to expose the device information, the subscriber information, the network information, and a result of the processing of the received traffic at the application unit instance to other units of the network gateway system. Each one of the access unit instance, the subscriber unit instance, the network unit instance, and the application unit instance is separately implemented and separately scalable from the other units of the network gateway system.

Inventors:
BACHMUTSKY ALEXANDER (US)
KADABA SRINIVAS (US)
Application Number:
PCT/IB2016/054274
Publication Date:
January 25, 2018
Filing Date:
July 18, 2016
Assignee:
ERICSSON TELEFON AB L M (PUBL) (SE)
International Classes:
H04L12/66
Foreign References:
US20150358850A1 2015-12-10
Other References:
KOSTAS PENTIKOUSIS ET AL: "Mobileflow: Toward software-defined mobile networks", IEEE COMMUNICATIONS MAGAZINE, IEEE SERVICE CENTER, PISCATAWAY, US, vol. 51, no. 7, 1 July 2013 (2013-07-01), XP011519224, ISSN: 0163-6804, DOI: 10.1109/MCOM.2013.6553677
SUNETH NAMAL ET AL: "Architectural EPC extensions for supporting heterogeneous mobility schemes", 31 January 2013 (2013-01-31), pages 1 - 93, XP055227315, Retrieved from the Internet [retrieved on 20151110]
Attorney, Agent or Firm:
DE VOS, Daniel M. et al. (US)
Claims:
CLAIMS

What is claimed is:

1. A network gateway system located between an access network and a core packet data network of a carrier network, the network gateway system comprising:

an access unit instance (106A, 106B, 106C) to receive or forward traffic from or to one or more user devices, and to determine device information associated with the received or forwarded traffic;

a subscriber unit instance (108A, 108B) to perform at least one of identification, authentication and authorization of a subscriber's session associated with the received or forwarded traffic, and to determine subscriber information associated with the received or forwarded traffic;

a network unit instance (110A, 110B) to receive or forward the received or forwarded traffic towards the core packet data network or the one or more user devices, and to determine network information associated with the received or forwarded traffic;

an application unit instance (114A, 114B) to process the received or forwarded traffic;

a gateway control unit (116) to configure and manage the access unit instance, the subscriber unit instance and the network unit instance; and

an internal communication mechanism (112) to enable each one of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B) and the network unit instance (110A, 110B) to expose the device information, the subscriber information, the network information, and a result of processing of the received or forwarded traffic at the application unit instance (114A, 114B) to other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B) and the application unit instance (114A, 114B),

wherein each one of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B) and the application unit instance (114A, 114B) is separately implemented and separately scalable from the other ones of the access unit instance, the subscriber unit instance, the network unit instance, and the application unit instance.

2. The network gateway system of claim 1, wherein the access unit instance (106A, 106B, 106C) is a first access unit instance (106A) that is to receive or forward traffic through a wireless access network and the network gateway system further includes a second access unit instance (106C) to receive or forward traffic from one or more user devices through a wired access network.

3. The network gateway system of claim 2, wherein the subscriber unit instance (108A) is to process traffic received or forwarded at the first access unit instance (106A) and traffic received or forwarded at the second access unit instance (106C).

4. The network gateway system of claim 1, wherein the internal communication mechanism is at least one of a memory shared between the access unit instance, the subscriber unit instance and the network unit instance; a database infrastructure shared between the access unit instance, the subscriber unit instance and the network unit instance; a remote procedure call; and a service chaining infrastructure coupling the access unit instance, the subscriber unit instance and the network unit instance.

5. The network gateway system of claim 1, wherein each one of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance is a virtual entity instance.

6. The network gateway system of claim 1, wherein each one of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance is implemented on a separate network device.

7. A method in a network gateway system located between an access network and a core packet data network of a carrier network, the method comprising:

receiving (502), at an access unit instance (106A, 106B, 106C), traffic from one or more user device;

determining (504), at the access unit instance (106A, 106B, 106C), device information associated with the received traffic;

performing (506), at a subscriber unit instance (108A, 108B), at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic;

determining (508), at the subscriber unit instance (108A, 108B), subscriber information associated with the received traffic;

forwarding (510), from a network unit instance (110A, 110B), the received traffic towards the core packet data network;

determining (512), at the network unit instance (110A, 110B), network information associated with the received traffic; and

exposing (514) the device information, the subscriber information, the network information, and a result of processing of the traffic at an application unit instance (114A, 114B) to other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B), and the application unit instance (114A, 114B),

wherein each one of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B) and the application unit instance (114A, 114B) is separately implemented and separately scalable from the other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B) and the application unit instance (114A, 114B).

8. The method of claim 7, wherein the access unit instance (106A, 106B, 106C) is a first access unit instance (110A) and traffic received at the first access unit instance (106A) is received through a wireless access network, and the method further includes receiving traffic at a second access unit instance (106C) from one or more user devices through a wired access network.

9. The method of claim 8, further comprising processing, at the subscriber unit instance (108A), traffic received at the first access unit instance (106A) and traffic received at the second access (106C) unit instance.

10. The method of claim 7, wherein exposing the device information, the subscriber information, the network information, and a result of processing of the traffic at the application unit instance is performed through at least one of a memory shared between the access unit instance, the subscriber unit instance and the network unit instance; a database infrastructure shared between the access unit instance, the subscriber unit instance and the network unit instance; a remote procedure call; and a service chaining infrastructure coupling the access unit instance, the subscriber unit instance and the network unit instance.

11. The method of claim 7, wherein each one of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B), and the application unit instance (114A, 114B) is a virtual entity instance.

12. The method of claim 7, wherein each one of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B), and the application unit instance (114A, 114B) is implemented on a separate network device.

13. A non-transitory computer readable storage medium that provides instructions, which when executed by one or more processors of a network gateway system located between an access network and a core packet data network of a carrier network, cause the one or more processor(s) to perform operations comprising:

receiving (502), at an access unit instance (106A, 106B, 106C), traffic from one or more user device;

determining (504), at the access unit instance (106A, 106B, 106C), device information associated with the received traffic;

performing (506), at a subscriber unit instance (108A, 108B), at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic;

determining (508), at the subscriber unit instance (108A, 108B), subscriber information associated with the received traffic;

forwarding (510), from a network unit instance (110A, 110B), the received traffic towards the core packet data network;

determining (512), at the network unit instance (110A, 110B), network information associated with the received traffic; and

exposing (514) the device information, the subscriber information, the network information, and a result of processing of the traffic at an application unit instance (114A, 114B) to other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B), and the application unit instance (114A, 114B),

wherein each one of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B) and the application unit instance (114A, 114B) is separately implemented and separately scalable from the other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B) and the application unit instance (114A, 114B).

14. The non-transitory computer readable storage medium of claim 13, wherein the access unit instance (106A, 106B, 106C) is a first access unit instance (106A) and traffic received at the first access unit instance (106A) is received through a wireless access network, and the operations further comprise receiving traffic at a second access unit instance (106C) from one or more user devices through a wired access network.

15. The non-transitory computer readable storage medium of claim 14, wherein the operations further comprise processing, at the subscriber unit instance (108A), traffic received at the first access unit instance (106A) and traffic received at the second access unit instance (106C).

16. The non-transitory computer readable storage medium of claim 13, wherein exposing the device information, the subscriber information, the network information, and a result of processing of the traffic at an application unit instance is performed through at least one of a memory shared between the access unit instance, the subscriber unit instance and the network unit instance; a database infrastructure shared between the access unit instance, the subscriber unit instance and the network unit instance; a remote procedure call; and a service chaining infrastructure coupling the access unit instance, the subscriber unit instance and the network unit instance.

17. The non-transitory computer readable storage medium of claim 13, wherein each one of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B), and the application unit instance (114A, 114B) is a virtual entity instance.

18. The non-transitory computer readable storage medium of claim 13, wherein each one of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B), and the application unit instance (114A, 114B) is implemented on a separate network device.

19. A method in a network gateway system located between an access network and a core packet data network of a carrier network, the method comprising:

receiving (602), at a network unit instance (110A, 110B), traffic from the core packet data network;

determining (604), at the network unit instance (110A, 110B), network information associated with the received traffic;

performing (606), at a subscriber unit instance (108A, 108B), at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic;

determining (608), at the subscriber unit instance (108A, 108B), subscriber information associated with the received traffic;

forwarding (610), from an access unit instance (106A, 106B, 106C), the received traffic towards the access network;

determining (612), at the access unit instance (106A, 106B, 106C), device information associated with the received traffic; and

exposing (614) the device information, the subscriber information, the network information, and a result of processing of the traffic at an application unit instance (114A, 114B) to other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B), and the application unit instance (114A, 114B),

wherein each one of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B) and the application unit instance (114A, 114B) is separately implemented and separately scalable from the other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B) and the application unit instance (114A, 114B).

20. A non-transitory computer readable storage medium that provides instructions, which when executed by one or more processors of a network gateway system located between an access network and a core packet data network of a carrier network, cause the one or more processor(s) to perform operations comprising:

receiving (602), at a network unit instance (110A, 110B), traffic from the core packet data network;

determining (604), at the network unit instance (110A, 110B), network information associated with the received traffic;

performing (606), at a subscriber unit instance (108A, 108B), at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic;

determining (608), at the subscriber unit instance (108A, 108B), subscriber information associated with the received traffic;

forwarding (610), from an access unit instance (106A, 106B, 106C), the received traffic towards the access network;

determining (612), at the access unit instance (106A, 106B, 106C), device information associated with the received traffic; and

exposing (614) the device information, the subscriber information, the network information, and a result of processing of the traffic at an application unit instance (114A, 114B) to other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B), and the application unit instance (114A, 114B),

wherein each one of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B) and the application unit instance (114A, 114B) is separately implemented and separately scalable from the other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B) and the application unit instance (114A, 114B).

Description:
METHOD AND APPARATUS FOR NETWORK GATEWAY DISAGGREGATION

TECHNICAL FIELD

[0001] Embodiments of the invention relate to the field of networking; and more specifically, to a disaggregated network gateway.

BACKGROUND

[0002] Network gateways such as the mobile Packet Data Network Gateway (PDN-GW) and the fixed Broadband Network Gateway (BNG) are essential elements of enabling access to both human users and machines in the future Internet of Things (IoT). Service providers (e.g., telecommunication service providers, network service providers, Application service providers, storage service providers, Internet service providers, etc.) enable subscribers of a service to access a core network (e.g., an enterprise network, a packet data network, the Internet, etc.) through a network gateway. Network gateways are an integral element of service providers' networks and enable subscribers and/or devices to connect to the network using an access technology (for instance LTE in the case of wireless access and DSL/Cable in the case of fixed access), and provide a subscriber management functionality (authentication, authorization, accounting, and the application of policies). Mobile networks (e.g., networks that utilize High Speed Packet Access (HSPA) or Long-Term Evolution (LTE)) use a PDN-GW to enable mobile users to access the Internet, while fixed access networks (Wi-Fi, DSL, Cable, Passive Optical Network (PON), etc.) rely on a BNG. The advent of virtualization, and the industry effort to create an Internet of Things (IoT), introduce value added services that unlock further revenue potential for service providers. Monitoring temperatures or water leaks, monitoring airplane engines, monitoring or performing remote surgeries, security monitoring services, triggering repair services based on detection of system failures, etc., are examples of value added services that can be offered by service providers to customers of the service.

[0003] A common method of implementing network gateways is through a monolithic component that provides access management and subscribers management functionalities combined into one physical component (e.g., one physical network device). Thus, the existing mechanisms for any value added services have two options for location with respect to the network gateway. Any application providing a value added service (VAS) can be located on the access side towards the user device or on the network side towards the core network.

[0004] According to this infrastructure, any information about devices and/or subscribers is internal to the gateway and not exposed to external applications and/or network devices. As a result, a value added service suffers from lack of visibility of the information obtained and processed within the network gateway. For example, when a value added service application is located south of the network gateway toward the access network, it needs to interact with the access technology in order to obtain relevant information about the devices and/or the subscribers. For example, the VAS application needs to access General Packet Radio Service (GPRS) Tunneling Protocol (GTP) packets, Point-to-Point Protocol over Ethernet (PPPoE) packets, or Layer 2 Tunneling Protocol (L2TP) packets, etc. However, this either increases complexity, or can be precluded due to the use of encrypted tunnels, or due to the need to break pre-established end-to-end security associations. Thus, in a scenario of a monolithic gateway device, when a (VAS) application is implemented on the access side of the gateway towards the user device, the (VAS) application cannot have access to information about device or subscriber identification.

[0005] In a similar way, when a value added service application is located north of the network gateway, towards the core network (e.g., the Internet), this application is limited in the sense that it is at best IP flow aware (based on the source and destination address pairs) as the network gateway interfaces with the core network at this point and outputs flows of IP packets. In an example, where subscriber processing within the gateway depends on the output of the VAS application (such as allowing a higher level of subscriber control, or policy enforcement in an emergency situation identified by the VAS application, etc.), the VAS application would need to go through the entire processing that was performed in the gateway again in order to reach the subscriber information. In some cases, it would be impossible, as the gateway may prevent access to this information due to internal policies. Thus, a VAS application which needs to access further details regarding a subscriber or a device of a subscriber needs much integration effort to access the information from the policy and accounting infrastructure of the network gateway. Typically, the integration effort is heavy and tedious enough to be a big deterrent, so the providers of such services resign themselves to being only IP flow aware and not truly subscriber or device aware.

[0006] As a result of the above, service providers cannot really avail themselves of the information to which they have exclusive access through the network gateway, which leaves them no better off than over-the-top players in terms of what they can offer competitively.

SUMMARY

[0007] Methods and apparatuses for disaggregating a network gateway are described. The embodiments present a disaggregated network gateway enabling the dynamic and flexible incorporation of services at a proper location within the processing flow of traffic in a network gateway without compromising the fundamental structure of the network gateway. The embodiments enable service providers to avail themselves of the rich functionality possible with access to subscriber and device related information available to the network gateway. Further, the embodiments enable independent scalability of different functions performed at the network gateway rendering the network gateway adaptable to a varying number of subscriber/devices serviced as well as an independently varying number of flows handled.

[0008] One general aspect includes a network gateway system located between an access network and a core packet data network of a carrier network. The network gateway system includes an access unit instance to receive or forward traffic from one or more user devices, and to determine device information associated with the received or forwarded traffic; a subscriber unit instance to perform at least one of identification, authentication and authorization of a subscriber's session associated with the received or forwarded traffic, and to determine subscriber information associated with the received or forwarded traffic; a network unit instance to receive or forward the received or forwarded traffic towards the core packet data network, and to determine network information associated with the received or forwarded traffic; an application unit instance to process the received or forwarded traffic; a gateway control mechanism to configure and manage the access unit instance, the subscriber unit instance, the application unit instance, and the network unit instance; and an internal communication mechanism to enable each one of the access unit instance, the subscriber unit instance, the application unit instance, and the network unit instance to expose the device information, the subscriber information, the network information, and a result of processing of the received or forwarded traffic at the application unit instance to other ones of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance, where each one of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance is separately implemented and separately scalable from the other ones of the access unit instance, the subscriber unit instance, the network unit instance, and the application unit instance.

[0009] One general aspect includes a method in a network gateway system located between an access network and a core packet data network of a carrier network. The method includes receiving, at an access unit instance, traffic from one or more user device; determining, at the access unit instance, device information associated with the received traffic; performing, at a subscriber unit instance, at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic; determining, at the subscriber unit instance, subscriber information associated with the received traffic; forwarding, from a network unit instance, the received traffic towards the core packet data network; determining, at the network unit instance, network information associated with the received traffic; and exposing the device information, the subscriber information, the network information, and a result of processing of the traffic at an application unit instance to other ones of the access unit instance, the subscriber unit instance, the network unit instance, and the application unit instance, where each one of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance is separately implemented and separately scalable from the other ones of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance.

[0010] One general aspect includes a non-transitory computer readable storage medium that provides instructions, which when executed by one or more processors of a network gateway system located between an access network and a core packet data network of a carrier network, cause the one or more processor(s) to perform operations including: receiving, at an access unit instance, traffic from one or more user device; determining, at the access unit instance, device information associated with the received traffic; performing, at a subscriber unit instance, at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic; determining, at the subscriber unit instance, subscriber information associated with the received traffic; forwarding, from a network unit instance, the received traffic towards the core packet data network; determining, at the network unit instance, network information associated with the received traffic; and exposing the device information, the subscriber information, the network information, and a result of processing of the traffic at an application unit instance to other ones of the access unit instance, the subscriber unit instance, the network unit instance, and the application unit instance, where each one of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance is separately implemented and separately scalable from the other ones of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance.

[0011] One general aspect includes a method in a network gateway system located between an access network and a core packet data network of a carrier network. The method includes receiving, at a network unit instance, traffic from the core packet data network; determining, at the network unit instance, network information associated with the received traffic; performing, at a subscriber unit instance, at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic; determining, at the subscriber unit instance, subscriber information associated with the received traffic; forwarding, from an access unit instance, the received traffic towards the access network; determining, at the access unit instance, device information associated with the received traffic; and exposing the device information, the subscriber information, the network information, and a result of processing of the traffic at an application unit instance to other ones of the access unit instance, the subscriber unit instance, the network unit instance, and the application unit instance, wherein each one of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance is separately implemented and separately scalable from the other ones of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance.

[0012] One general aspect includes a non-transitory computer readable storage medium that provides instructions, which when executed by one or more processors of a network gateway system located between an access network and a core packet data network of a carrier network, cause the one or more processor(s) to perform operations including: receiving, at a network unit instance, traffic from the core packet data network; determining, at the network unit instance, network information associated with the received traffic; performing, at a subscriber unit instance, at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic; determining, at the subscriber unit instance, subscriber information associated with the received traffic; forwarding, from an access unit instance, the received traffic towards the access network; determining, at the access unit instance, device information associated with the received traffic; and exposing the device information, the subscriber information, the network information, and a result of processing of the traffic at an application unit instance to other ones of the access unit instance, the subscriber unit instance, the network unit instance, and the application unit instance, wherein each one of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance is separately implemented and separately scalable from the other ones of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance.

BRIEF DESCRIPTION OF THE DRAWINGS

[0013] The invention may best be understood by referring to the following description and accompanying drawings that are used to illustrate embodiments of the invention. In the drawings:

[0014] Figure 1 illustrates a disaggregated network gateway system according to some embodiments.

[0015] Figure 2 illustrates a block diagram of an exemplary disaggregated network gateway according to some embodiments.

[0016] Figure 3 is a diagram of one embodiment of a physical disaggregated network gateway system according to some embodiments.

[0017] Figure 4 is a diagram of one embodiment of a network device that can implement one or more virtual disaggregated gateway units (DGUs) that can be part of a network gateway system according to some embodiments.

[0018] Figure 5 illustrates an exemplary flow diagram of operations performed in a network gateway system located between an access network and a core packet data network of a carrier network when traffic is received from user devices according to some embodiments.

[0019] Figure 6 illustrates an exemplary flow diagram of operations performed in a network gateway system located between an access network and a core packet data network of a carrier network when traffic is received from the core network according to some embodiments.

DETAILED DESCRIPTION

[0020] The following describes methods and apparatuses for network gateway disaggregation. In the following description, numerous specific details such as logic implementations, opcodes, means to specify operands, resource partitioning/sharing/duplication implementations, types and interrelationships of system components, and logic partitioning/integration choices are set forth in order to provide a more thorough understanding of the present invention. It will be appreciated, however, by one skilled in the art that the invention may be practiced without such specific details. In other instances, control structures, gate level circuits and full software instruction sequences have not been shown in detail in order not to obscure the invention. Those of ordinary skill in the art, with the included descriptions, will be able to implement appropriate functionality without undue experimentation.

[0021] References in the specification to "one embodiment," "an embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.

[0022] Bracketed text and blocks with dashed borders (e.g., large dashes, small dashes, dot-dash, and dots) may be used herein to illustrate optional operations that add additional features to embodiments of the invention. However, such notation should not be taken to mean that these are the only options or optional operations, and/or that blocks with solid borders are not optional in certain embodiments of the invention.

[0023] In the following description and claims, the terms "coupled" and "connected," along with their derivatives, may be used. It should be understood that these terms are not intended as synonyms for each other. "Coupled" is used to indicate that two or more elements, which may or may not be in direct physical or electrical contact with each other, co-operate or interact with each other. "Connected" is used to indicate the establishment of communication between two or more elements that are coupled with each other.

[0024] Methods and apparatuses for disaggregating a network gateway are described. The embodiments present a disaggregated network gateway enabling the dynamic and flexible incorporation of services at a proper location within the processing flow of traffic in a network gateway without compromising the fundamental structure of the network gateway. The embodiments enable service providers to avail themselves of the rich functionality possible with access to subscriber and device related information available to the network gateway. Further, the embodiments enable independent scalability of different functions performed at the network gateway rendering the network gateway adaptable to a varying number of subscriber/devices serviced as well as an independently varying number of flows handled.

[0025] A disaggregation of network gateways based on the separation of functionalities (access, subscriber, application and network) within the network gateway is proposed. These separate pieces of the gateway are connected via control and data communication channels such that they collectively behave within a disaggregated gateway system in the same manner as a monolithic network gateway. However, the new disaggregated architecture of the network gateway allows for novel deployment and operational options.

[0026] A network gateway system located between an access network and a core packet data network of a carrier network is described. The network gateway system comprises an access unit instance to receive traffic from one or more user devices, and to determine device information associated with the received traffic; a subscriber unit instance to perform at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic, and to determine subscriber information associated with the received traffic; a network unit instance to forward the received traffic towards the core packet data network, and to determine network information associated with the received traffic; an application unit instance to process the received traffic; a gateway control mechanism to configure and manage the access unit instance, the subscriber unit instance, the application unit instance, and the network unit instance. The network gateway system further includes an internal communication mechanism to enable each one of the access unit instance, the subscriber unit instance and the network unit instance to expose the device information, the subscriber information, the network information, and a result of the processing of the received traffic at the application unit instance to other ones of the access unit instance, the subscriber unit instance, the network unit instance and the application unit instance. Each one of the access unit instance, the subscriber unit instance, the network unit instance, and the application unit instance is separately implemented and separately scalable from the other units of the network gateway system.

[0027] Figure 1 illustrates a disaggregated network gateway system according to some embodiments. The network gateway system 100 of Figure 1 forms part of a data plane of a carrier network of a service provider. The carrier network may serve various types of user devices (not shown; such as workstations, laptops, netbooks, tablets, palm tops, mobile phones, smartphones, phablets, multimedia phones, Voice Over Internet Protocol (VOIP) phones, terminals, portable media players, GPS units, wearable devices, gaming systems, set-top boxes, Internet of Things (IoT) devices (e.g., Internet enabled household appliances, wireless or wired sensing devices, smart cars, etc.)). These user devices may be coupled to the network gateway (directly or through other networks such as access networks (e.g., access network 101)) to communicate over the carrier network (e.g., the Internet or virtual private networks (VPNs) overlaid on (e.g., tunneled through) the Internet) with each other (directly or through servers) and/or access content and/or services. Such content and/or services are typically provided by one or more servers (not shown) belonging to a service/content provider or one or more end user devices (not shown) participating in a peer-to-peer (P2P) service, and may include, for example, public webpages (e.g., free content, store fronts, search services), private webpages (e.g., username/password accessed webpages providing email services), and/or corporate networks over VPNs. For instance, end user devices may be coupled (e.g., through customer premise equipment coupled to an access network (wired or wirelessly)) to the network gateway system 100, which is coupled (e.g., through one or more core network devices (NDs) of the core network 103) to other edge NDs, which are coupled to electronic devices acting as servers. Thus, the network gateway system 100 receives traffic from a user electronic device and forwards it towards a packet data network enabling users and/or devices to access content/services, upload data, and/or to communicate with other users/devices over the core network 103. Further, the network gateway system 100 can receive traffic from the core network 103 to be forwarded towards the user electronic device.

[0028] The network gateway system 100 includes a gateway control 116, coupled with an access unit 106, a subscriber unit 108, a network unit 110, an internal communication mechanism 112 and one or more application units 114. The gateway control 116 includes a gateway controller 102 and a gateway manager 104. Each one of the access unit 106, the subscriber unit 108, the network unit 110, and the application unit 114 is a self-contained component of the network gateway that can be referred to as a disaggregated gateway unit (DGU) as will be described in further detail with reference to Figures 3-4. While the network gateway system 100 is illustrated including a single one of each DGU, the present embodiments are not so limited. Some embodiments may include any number of units for each one of the DGUs.

[0029] The gateway control 116 orchestrates and manages the set of components of the network gateway enabling them to collectively operate and to provide coherent gateway functionalities (e.g., providing access and subscriber management functionalities to a carrier network as well as additional services (through the application unit 114) tailored to the needs of the service provider administrating the carrier network or to customers of the services provider). In some embodiments, the gateway control 116 includes two separate components: 1) the gateway controller 102, that is used to configure the components of the network gateway system 100 (i.e., configure the access unit 106 to operate according to a set of access network protocols; configure the subscriber unit 108 to process traffic according to a set of subscriber accounts; configure the network unit 110 to operate according to a set of network protocols for interfacing with the core network 103, and configure the application unit 114 according to a desired value added service that is to be offered to the subscribers of a service); and 2) the gateway manager 104 that is used to perform a variety of management tasks. For example, the gateway manager 104 is operative to perform statistics collections (e.g., statistics collection for each one of the disaggregated units, for each flow, per subscriber, etc.); manage the administrative rights corresponding to each component of the network gateway, enabling different users/administrators of a service to obtain a varying scale of administrative rights over each one of the components (e.g., an administrator can have rights to configure the subscriber unit 108, while not have a right to modify/configure the network manager; alternatively another user may have rights to configure and manage all components of the gateway system, etc.); and/or other management tasks. While Figure 1 illustrates dashed lines coupling the gateway control 116 with the other units of the network gateway system 100, these lines are representative of control and data communication mechanisms between the gateway control and the units of the network gateway. This communication mechanism is not optional.

[0030] The access unit 106 handles all operations related to the access network (coupling the user device, or user equipment to the network gateway). For example, the access unit 106 is operative to terminate one or more network protocols between the user device and the network gateway system 100 (e.g., such as the point-to-point protocol over another protocol (PPPoX) (e.g., where X is Ethernet or Asynchronous Transfer Mode (ATM)), Ethernet, 802.1Q Virtual LAN (VLAN), Internet Protocol, or ATM). In some embodiments, the access unit 106 receives traffic from a single electronic device (not shown; such as end user devices including workstations, laptops, netbooks, tablets, palm tops, mobile phones, smartphones, phablets, multimedia phones, Voice Over Internet Protocol (VOIP) phones, terminals, portable media players, GPS units, wearable devices, gaming systems, set-top boxes, Internet of Things (IoT) devices (e.g., Internet enabled household appliances, wireless or wired sensing devices, etc.)). These electronic devices may be coupled to the access unit 106 directly or through other networks such as access networks (e.g., access network 101). In other embodiments, the access unit receives traffic from another network device that aggregates traffic from multiple electronic devices (e.g., a home gateway device to which one or more end user devices are coupled, or a gateway located at a manufacturing site to which one or more sensing devices are coupled, etc.). The access unit 106 provides device identification services for the other units of the network gateway system and exposes device information (e.g., Media Access Control (MAC) address of the user device, access technology used to couple to the network gateway system 100, device type and capabilities, etc.) to the other units of the network gateway system. 
In some embodiments, the device information can be delivered to the other units of the network gateway system via a response to an explicit request received from the other unit(s) and transmitted via the internal communication mechanism 112. In other embodiments, the device information can be delivered to the other units of the network gateway system as a form of metadata with device identification information correlated to a particular packet or processing stream, and forwarded to the other unit(s) via the internal communication mechanism 112. As will be described in further detail below, with reference to Figures 2-4, an access unit 106 may include multiple instances, where each instance handles a different subset of user devices connecting to the network gateway system 100.

[0031] Subscriber unit 108 includes functionality for authentication, authorization, and accounting (AAA) protocols (e.g., RADIUS (Remote Authentication Dial-In User Service), Diameter, and/or TACACS+ (Terminal Access Controller Access Control System Plus)). Authentication is the process of identifying and verifying a subscriber. For instance, a subscriber might be identified by a combination of a username and a password or through a unique key. Authorization determines what a subscriber can do after being authenticated, such as gaining access to certain electronic device information resources (e.g., through the use of access control policies). Accounting is recording user activity. By way of a summary example, end user devices may be coupled (e.g., through an access network) through the network gateway system 100 including the subscriber unit 108 (supporting AAA processing). AAA processing is performed to identify for a subscriber the subscriber record stored for that subscriber. A subscriber record includes a set of attributes (e.g., subscriber name, password, authentication information, access control information, rate-limiting information, policing information) used during processing of that subscriber's traffic.

[0032] In some embodiments, the subscriber unit 108 represents end user devices (or sometimes customer premise equipment (CPE) such as a residential gateway (e.g., a router, modem)) using subscriber circuits. A subscriber circuit uniquely identifies within the subscriber unit 108 a subscriber session and typically exists for the lifetime of the session. Thus, a subscriber unit 108 typically allocates a subscriber circuit when the subscriber connects to the network gateway system 100, and correspondingly de-allocates that subscriber circuit when that subscriber disconnects. Each subscriber session represents a distinguishable flow of packets communicated between the network gateway system 100 and an end user device (or sometimes CPE such as a residential gateway or modem) using an access protocol. A subscriber session can be initiated using a variety of mechanisms (e.g., manual provisioning, a dynamic host configuration protocol (DHCP), DHCP/client-less internet protocol service (CLIPS) or Media Access Control (MAC) address tracking). For example, the point-to-point protocol (PPP) is commonly used for digital subscriber line (DSL) services and requires installation of a PPP client that enables the subscriber to enter a username and a password, which in turn may be used to select a subscriber record. When DHCP is used (e.g., for cable modem services), a username typically is not provided; but in such situations other information (e.g., information that includes the MAC address of the hardware in the end user device (or CPE)) is provided. The use of DHCP and CLIPS captures the MAC addresses and uses these addresses to distinguish subscribers and access their subscriber records. In other embodiments, device identification can be performed based on the subscriber identity module (SIM) parameters like the international mobile subscriber identity (IMSI) (for example, a card or soft SIM (e.g., in IoT)). The MAC and IMSI are separable since the SIM card can be inserted into a different device.
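The session handling described in [0031] and [0032] can be sketched as follows. This is an added illustration, not code from the patent application: the class and method names, the record layout, the use of a salted PBKDF2 hash for the stored password, and all sample values are assumptions constructed for the example.

```python
import hashlib
import hmac
import itertools


def _pw_hash(password, salt):
    # Assumption: the record keeps a salted hash rather than the clear password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed subscriber record (attributes loosely follow [0031]).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
RECORDS = {
    "alice": {
        "pw_salt": SALT,
        "pw_hash": _pw_hash("correct horse", SALT),
        "mac": "02:00:00:00:00:0a",      # locally administered test MAC
        "imsi": "001010000000001",       # test PLMN 001/01
        "rate_limit_kbps": 50_000,
    },
}


class SubscriberUnit:
    """Hypothetical subscriber unit: selects a record, then owns the circuit."""

    def __init__(self, records):
        self.records = records
        self.by_mac = {r["mac"]: name for name, r in records.items()}
        self.by_imsi = {r["imsi"]: name for name, r in records.items()}
        self.circuits = {}                   # circuit id -> session state
        self._next_id = itertools.count(1)

    def _select_record(self, method, creds):
        if method == "ppp":                  # username + password from the PPP client
            rec = self.records.get(creds.get("username"))
            if rec is None:
                return None
            candidate = _pw_hash(creds.get("password", ""), rec["pw_salt"])
            ok = hmac.compare_digest(candidate, rec["pw_hash"])
            return creds["username"] if ok else None
        if method in ("dhcp", "clips"):      # no username: MAC distinguishes subscribers
            return self.by_mac.get(creds.get("mac"))
        if method == "sim":                  # IMSI identifies, whatever device holds the SIM
            return self.by_imsi.get(creds.get("imsi"))
        return None

    def connect(self, method, **creds):
        """Allocate a subscriber circuit for the session, or return None."""
        name = self._select_record(method, creds)
        if name is None:
            return None
        cid = next(self._next_id)
        self.circuits[cid] = {
            "subscriber": name,
            "method": method,
            "device_mac": creds.get("mac"),
            "rate_limit_kbps": self.records[name]["rate_limit_kbps"],
        }
        return cid

    def disconnect(self, cid):
        """De-allocate the circuit when the subscriber disconnects."""
        return self.circuits.pop(cid, None) is not None


if __name__ == "__main__":
    su = SubscriberUnit(RECORDS)
    ppp = su.connect("ppp", username="alice", password="correct horse")
    sim = su.connect("sim", imsi="001010000000001", mac="02:00:00:00:00:0b")
    print(su.circuits[ppp])
    print(su.circuits[sim])   # same subscriber, different device MAC
    su.disconnect(ppp)
    print(sorted(su.circuits))
```

The SIM case resolves to the same subscriber record from a device whose MAC is unknown to the unit, which is the MAC/IMSI separability the paragraph describes; the same unknown MAC presented over DHCP selects no record.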

[0033] The subscriber unit 108 performs policy enforcement based on the subscriber records, such that for flows of traffic received at the network gateway system, the subscriber unit identifies the subscriber associated with these flows and performs subscriber-specific policy enforcement (such as bandwidth monitoring/control, access control, etc.). The subscriber unit 108 can also provide subscriber identification services to the other units of the network gateway system 100 by exposing subscriber information (e.g., subscriber name, authentication information, access control information, rate-limiting information, policing information, devices enabled for the subscriber, services enabled for the subscriber, etc.) to the other units of the network gateway system. In some embodiments, the subscriber information can be delivered to the other units of the network gateway system via a response to an explicit request received from the other unit(s) and transmitted via the internal communication mechanism 112. In other embodiments, the subscriber information can be delivered to the other unit(s) of the network gateway system as a form of metadata with subscriber identification information correlated to a particular packet/flow or processing stream, and forwarded to the other unit(s) via the internal communication mechanism 112. As will be described in further detail below, with reference to Figures 2-4, a subscriber unit may include multiple instances, where each instance handles a different subset of subscribers connecting to the network gateway system 100.

[0034] Network unit 110 is the interface that couples the subscriber's traffic with the core packet data network 103. The network unit 110 handles traffic to and from other network devices that are communicatively coupled with the end user device through the core network and the network gateway system 100. Network unit 110 can implement one or more packet network communication protocols enabling the communication of traffic flows to and from the core network 103 (e.g., Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) / Transport Layer Security (TLS), peer-to-peer (P2P), Voice over IP (VoIP) Session Border Controller, Gi/SGi interface in LTE, a VPN connection, etc.). Thus, the network unit 110 routes packets to and from the core network 103; it also performs various functions such as IP address/IP prefix allocation. The network unit 110 can also provide network information services to the other units of the network gateway system 100. In some embodiments, network information related to the traffic received (e.g., flow information, source and destination addresses, network policies, transport protocols, security settings, access control lists (ACL), routing policies, etc.) can be delivered to the other units of the network gateway system via a response to an explicit request received from the other unit(s) and transmitted via the internal communication mechanism 112. In other embodiments, the network information can be delivered to the other unit(s) of the network gateway system as a form of metadata with network information correlated to a particular packet or processing stream, and forwarded to the other unit(s) via the internal communication mechanism 112. As will be described in further detail below, with reference to Figures 2-4, a network unit may include multiple instances, where each instance handles a different subset of traffic flows (e.g., different IP flows) forwarded (to and from the user devices) within the network gateway system 100.

[0035] The network gateway system 100 further includes an application unit 114, which provides value added services offered by a service provider. These value added services unlock further revenue potential to the service provider. Monitoring temperatures or water leaks, monitoring airplane engines, monitoring or performing remote surgeries, security monitoring services, triggering repair services based on detection of system failures, etc., are examples of value added services that can be offered by service providers to customers of the service. The application unit 114 may use all or some of the device information, subscriber information, network information exposed by the other unit(s) of the network gateway system 100 through the internal communication mechanism 112. In some embodiments, a result of processing of data in the application unit 114 can be delivered to and/or used by the other units of the network gateway system, including other application unit(s), to perform and/or update the processing of the traffic at these unit(s). As will be described in further detail below, with reference to Figures 2-4, a network unit may include multiple instances, where each instance handles a different subset of traffic flows (e.g., different IP flows) forwarded (to and from the user devices) within the network gateway system 100.

[0036] The network gateway system 100 further includes the internal communication mechanism 112 that enables communication and data exchanges between the different components of the network gateway system. The internal communication mechanism 112 enables each of the components of the network gateway system 100 to communicate and exchange data with one another. In particular, the internal communication mechanism 112 enables the application unit 114 to get access to data and information related to traffic received from or addressed to end user devices as obtained when the traffic is processed within the network gateway system 100. Thus, contrary to standard approaches of gateway implementation (in particular in carrier networks), in which any value-added application was implemented either before the access interface of a monolithic gateway or following the network interface of the monolithic gateway, the internal communication mechanism 112 enables an application to gain access to the result of the processing of the traffic at the access unit 106 (e.g., obtain device information), at the subscriber unit 108 (e.g., obtain subscriber information) or at the network unit 110 (e.g., obtain network information), or at another application unit.

Therefore, this architecture provides a service provider with the ability to offer dynamic and adaptable services applications that benefit from the information and data exposed by the various disaggregated elements of the network gateway architecture 100. The internal communication mechanism 112 further enables maintaining the state of each one of the components (the access unit 106, the subscriber unit 108, the network unit 110 and the application unit 114) of the network gateway system 100. The internal communication mechanism enables a flexible and adaptable communication between the components such that traffic received from an end user device through the access network can be processed in the various components of the network gateway in any suitable order desired by a service provider. In particular, the current architecture of the gateway system 100 enables a non-pipelined processing of traffic received from an end user device. For example, traffic entering the network gateway may be first processed at the access unit 106 then processed at the network unit 110 while skipping the subscriber unit 108. In other examples, the application unit 114 can be added at any step within the network gateway system. These processing flows of the traffic within the network gateway system 100 are intended to be exemplary only and not limiting. One of ordinary skill in the art would understand that other unit combination and/or ordering can apply for processing traffic received at the network gateway system 100.

[0037] In some embodiments, the internal communication mechanism 112 may be implemented as a shared memory system that is accessible by each one of the access unit 106, the subscriber unit 108, the network unit 110 and the application unit 114. In another embodiment, the internal communication mechanism 112 may be implemented as a remote procedure call (RPC) between the different components of the network gateway system. In another exemplary embodiment, the internal communication mechanism 112 is implemented as a database infrastructure (be it a database infrastructure distributed over multiple computing devices or implemented on a single computing device) shared between the different components. In another example, the internal communication mechanism 112 can be implemented as a service chaining infrastructure such that the components of the network gateway system 100 (i.e., the access unit 106, the subscriber unit 108, the network unit 110 and the application unit 114) are communicatively coupled through a packet network.

[0038] Figure 2 illustrates a block diagram of an exemplary disaggregated network gateway system 200 according to one embodiment. The example disaggregated network gateway system 200 includes a set of physical or virtual disaggregated gateway units (DGUs) comprising the access unit instances 106-106N; the application unit instances 114A-L; the subscriber unit instances 108A-M, and the network unit instances 110A-R. The network gateway further includes gateway control 116 (including the gateway controller 102 and the gateway manager 104). Network gateway system 200 is an exemplary embodiment of a disaggregated network gateway system 100 as described with reference to Figure 100. Thus, while not shown in Figure 2, the network gateway system 200 also includes an internal communication mechanism which enables the various instances of the DGUs to communicate with one another. The instances are virtual or physical implementations of the corresponding units illustrated in Figure 1. Any number of DGUs can form the disaggregated network gateway system 200. The network gateway system 200 is coupled with a set of user devices 205A-N. For clarity, the example network shows three UEs 205A, 205B, and 205N connecting (either directly or indirectly) to the network gateway system 200. However, more than three UEs 205A-N may be connected to the gateway at a given time. The arrows coupling the multiple DGUs illustrate the path that traffic takes within the network gateway system 200 when received at one of the access unit instances 106A-C. Given that each DGU is a separate computing component (physical or virtual), that is independent of the other DGUs, each one may be configured to process traffic according to different configuration parameters (e.g., different access technologies and protocols, various value added applications that can be configured according to the needs of the service provider or to the customers of the service providers).

[0039] Unlike traditional network gateways that include a monolithic Network Gateway (which would, for example, support a single access technology and a single path for traffic within the gateway), a disaggregated gateway architecture implements separate components that can be configured according to different technologies and which provides various paths for traffic within the gateway. For example, the access unit instance 106A is configured to interface and process traffic from wireless/mobile access networks and/or user devices (e.g., GERAN, UTRAN, E-UTRAN, CDMA2000, GSM, UMTS, 1xEVDO, LTE, Wi-Fi, WiMAX, etc.); while the access unit instance 106C is configured to interface and process traffic from wired access networks/user devices.

[0040] Further, in the example of Figure 2, traffic that reaches the network gateway system 200 from a user device may follow at least 3 paths within the gateway device. For example, traffic received at the access unit instance 106A is processed and forwarded towards the application unit instance 114A; following its processing at the application unit instance 114A, the traffic is communicated to the subscriber unit instance 108A to be processed. Following the processing of the traffic at the subscriber unit instance 108A, it is communicated to the network unit instance 110A.

[0041] In another example, traffic received at the access unit instance 106C is processed and forwarded towards the subscriber unit instance 108A to be processed. Following the processing of the traffic at the subscriber unit instance 108A, it is communicated to the network unit instance 110A. Thus, in this example, despite being received at different access points (that implement different access technologies: wired vs. wireless), the traffic is then communicated to a common subscriber unit instance 108A to be processed. Thus, according to this architecture, a service provider may now offer different access technologies to customers of the service while using the same subscriber unit to process subscriber information. The architecture of the gateway allows a flexible and dynamic configuration of the various components of the network gateway.

[0042] In a third example, traffic received at the access unit instance 106B is processed and forwarded towards the subscriber unit instance 108B to be processed. Following the processing of the traffic at the subscriber unit instance 108B, it is communicated to the application unit instance 114B. Following the processing of the traffic at the application unit instance 114B, the traffic is communicated to the network unit instance 110B.

[0043] Similarly, traffic received at the network gateway system from the network side may follow at least 3 paths within the gateway device towards the user devices 205A-N. Further, in the example of Figure 2, traffic may reach the network gateway system 200 from the network at the network unit instance 110A (for example, the network unit instance may implement an IPv4/MPLS tunnel, while the network unit instance 110B implements an IPv6 tunnel). For example, traffic received at the network unit instance 110A is processed and forwarded towards the subscriber instance 108A; following its processing at the subscriber unit instance 108A, the traffic is communicated to the application unit instance 114A, to be processed. Following the processing of the traffic at the application unit instance 114A, it is communicated to the access unit instance 106A to be forwarded towards one of the user devices 205A-N.

[0044] In another example, traffic received at the network unit instance 110A is processed and forwarded towards the subscriber instance 108A; following its processing at the subscriber unit instance 108A, the traffic is communicated to the access unit instance 106C to be forwarded towards one of the user devices 205A-N. Thus, according to this architecture, a service provider may now offer different access technologies to customers of the service while using the same subscriber unit to process subscriber information. The architecture of the gateway allows a flexible and dynamic configuration of the various components of the network gateway.

[0045] In a third example traffic received at the network unit instance 110B is processed and forwarded towards the application unit instance 114B to be processed. Following the processing of the traffic at the application unit instance 114B, it is communicated to the subscriber unit instance 108B. Following the processing of the traffic at the subscriber unit instance 108B, the traffic is communicated to the access unit instance 106B.
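The three user-to-network paths of [0040] to [0042] can be modelled to show what each application unit instance is able to read from the internal communication mechanism at its position in the path. This is an added sketch, not code from the patent application: the internal communication mechanism is modelled as a shared per-flow store (one of the embodiments listed in [0037]), every unit delivers its information as metadata rather than by explicit request, and the function names, packet fields and subscriber table are constructed for the example.

```python
from collections import defaultdict

# Reference-numeral prefix -> kind of information the unit exposes.
KIND_BY_PREFIX = {"106": "device", "108": "subscriber",
                  "110": "network", "114": "application"}

# Upstream paths exactly as listed in [0040]-[0042], keyed by ingress instance.
UPSTREAM_PATHS = {
    "106A": ["106A", "114A", "108A", "110A"],
    "106C": ["106C", "108A", "110A"],
    "106B": ["106B", "108B", "114B", "110B"],
}

# Access technologies from [0039]; the page does not specify one for 106B.
ACCESS_TECH = {"106A": "wireless", "106C": "wired"}

# Constructed sample data.
SUBSCRIBERS_BY_MAC = {"02:00:00:00:00:01": "subscriber-1"}
SAMPLE_PACKET = {"mac": "02:00:00:00:00:01",
                 "src": "192.0.2.10", "dst": "198.51.100.20"}


class InternalComm:
    """Shared store standing in for internal communication mechanism 112."""

    def __init__(self):
        self._store = defaultdict(dict)

    def expose(self, flow_id, kind, info):
        self._store[flow_id][kind] = info

    def view(self, flow_id):
        return dict(self._store[flow_id])


def run_unit(instance, packet, comm):
    """Process one packet at one DGU instance and expose the result."""
    kind = KIND_BY_PREFIX[instance[:3]]
    flow = packet["flow_id"]
    seen = comm.view(flow)                       # what earlier units exposed
    if kind == "device":
        info = {"mac": packet["mac"],
                "access": ACCESS_TECH.get(instance, "unspecified")}
    elif kind == "subscriber":
        mac = seen.get("device", {}).get("mac")  # relies on the access unit
        info = {"subscriber": SUBSCRIBERS_BY_MAC.get(mac, "unknown")}
    elif kind == "network":
        info = {"src": packet["src"], "dst": packet["dst"]}
    else:                                        # application unit
        info = {"inputs": sorted(seen)}          # kinds it could consume here
    comm.expose(flow, kind, info)
    return info


def process_upstream(packet, ingress, comm):
    return [(inst, run_unit(inst, packet, comm))
            for inst in UPSTREAM_PATHS[ingress]]


def application_inputs(trace):
    for instance, info in trace:
        if instance.startswith("114"):
            return info["inputs"]
    return None                                  # path has no application unit


def demo():
    results = {}
    for n, ingress in enumerate(sorted(UPSTREAM_PATHS)):
        comm = InternalComm()
        pkt = dict(SAMPLE_PACKET, flow_id=f"flow-{n}")
        trace = process_upstream(pkt, ingress, comm)
        results[ingress] = (application_inputs(trace),
                            sorted(comm.view(pkt["flow_id"])))
    return results


if __name__ == "__main__":
    for ingress, (app_sees, exposed) in demo().items():
        print(ingress, "application sees:", app_sees, "| exposed at egress:", exposed)
```

With metadata delivery only, 114A (placed before the subscriber unit) can consume device information alone, while 114B (placed after it) can also consume subscriber information; the explicit-request delivery described in [0030] and [0033] is not modelled here.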

[0046] The disaggregated architecture of the gateway enables a service provider to implement various levels of scalability within the gateway offering support to different types of access technologies and/or network technologies, as well as enabling varying processing paths of data within the gateway. The disaggregation gateway system can support varying scaling possibilities for each unit within the gateway. For example, the access units (and corresponding instances) can be scaled to support millions of end user devices that couple to the gateway. The access units can be distributed close to the end user devices. Alternatively, the network unit (and corresponding instances) can be scaled to support tens or hundreds of flows (as there is a significantly lower number of service providers offering content and services) that are accessed by the end user devices through the gateway system 100. Further, the service provider may implement different applications (within application unit(s) 114) that can use the information output from each one of the access unit instances, the subscriber unit instances and/or the network unit instances. Thus, with the current architecture, the application unit may now access subscriber information, device information and network information related to traffic processed at the network gateway system 100, which was exposed by the various units through the intra-communication interface, and without significant implementation efforts at the application unit level.

[0047] An electronic device stores and transmits (internally and/or with other electronic devices over a network) code (which is composed of software instructions and which is sometimes referred to as computer program code or a computer program) and/or data using machine-readable media (also called computer-readable media), such as machine-readable storage media (e.g., magnetic disks, optical disks, read only memory (ROM), flash memory devices, phase change memory) and machine-readable transmission media (also called a carrier) (e.g., electrical, optical, radio, acoustical or other form of propagated signals - such as carrier waves, infrared signals). Thus, an electronic device (e.g., a computer) typically includes hardware and software, such as a set of one or more processors coupled to one or more machine-readable storage media to store code for execution on the set of processors and/or to store data. For instance, an electronic device may include non-volatile memory containing the code since the non-volatile memory can persist code/data even when the electronic device is turned off (when power is removed), and while the electronic device is turned on that part of the code that is to be executed by the processor(s) of that electronic device is typically copied from the slower non-volatile memory into volatile memory (e.g., dynamic random access memory (DRAM), static random access memory (SRAM)) of that electronic device. Typical electronic devices also include a set of one or more physical network interface(s) to establish network connections (to transmit and/or receive code and/or data using propagating signals) with other electronic devices. One or more parts of an embodiment of the invention may be implemented using different combinations of software, firmware, and/or hardware.

[0048] A network device (ND) is an electronic device that communicatively interconnects other electronic devices on the network (e.g., other network devices, end-user devices). Some network devices are "multiple services network devices" that provide support for multiple networking functions (e.g., routing, bridging, switching, Layer 2 aggregation, session border control, Quality of Service, and/or subscriber management), and/or provide support for multiple application services (e.g., data, voice, and video).

[0049] Figure 3 is a diagram of one embodiment of a physical disaggregated network gateway system. The physical (i.e., hardware) gateway system 300 is a network device that can perform some or all of the operations and methods described above for one or more of the embodiments. The physical gateway system 300 can include one or more network interface controllers (NICs; also known as network interface cards) 315, processor(s) ("processor circuitry") 310, memory 305, and internal communication mechanism 112.

[0050] The processor(s) 310 may include one or more data processing circuits, such as a general purpose and/or special purpose processor (e.g., microprocessor and/or digital signal processor). The processor(s) 310 is configured to execute the access unit 106, the subscriber unit 108, the network unit 110, and one or more application units 114, to perform some or all of the operations and methods described above for one or more of the embodiments. Although the various modules of Fig. 3 are shown to be included as part of the processor 310, one having ordinary skill in the art will appreciate that the various modules may be stored separately from the processor 310, for example, in a non-transitory computer readable storage medium. The processor 310 can execute the various modules stored in the non-transitory computer readable medium, to perform some or all of the operations and methods described above. Accordingly, the processor 310 can be configured by execution of various modules to carry out some or all of the functionality disclosed herein. While the processor 110 is shown to include a single one of each of the access unit 106, the subscriber unit 108, the network unit 110, and the application units 114, one having ordinary skill in the art will appreciate that any number per type of unit can be included. Further, as described with reference to Figures 1-2, units of a same type (e.g., access unit, network unit, or subscriber unit) may be implemented to support different technologies (access technologies, network technologies, etc.) within the same network gateway system.

[0051] Figure 4 is a diagram of one embodiment of a network device that can implement one or more virtual disaggregated gateway units (DGU) that can be part of a network gateway system (e.g., such as gateway 100, 200). Each one of the DGU, can implement one of an access unit, a subscriber unit, a network unit or an application unit.

[0052] The network device 400 includes hardware 401 comprising a set of one or more processor(s) 405 (which are often commercial off-the-shelf COTS processors) and NIC(s) 410 (which include physical NIs 415), as well as non-transitory machine readable storage media 420 having stored therein a DGU 472. A physical NI 415 is hardware in a network device 400 through which a network connection (e.g., wirelessly through a wireless network interface controller (WNIC) or through plugging in a cable to a physical port connected to a NIC 410) is made. During operation, the processor(s) 405 may execute software to instantiate a hypervisor 470 (sometimes referred to as a virtual machine monitor (VMM)) and one or more virtual entities 440A-Z that are run by the hypervisor 470, which are collectively referred to as software instance(s) 402. A virtual entity 440 is a software implementation of a physical machine that runs programs as if they were executing on a physical, non-virtualized machine; and applications generally do not know they are running on a virtual entity as opposed to running on a "bare metal" host electronic device, though some systems provide para-virtualization which allows an operating system or application to be aware of the presence of virtualization for optimization purposes. Each of the virtual entities 440A-Z, and that part of the hardware 401 that executes that virtual machine (be it hardware dedicated to that virtual machine and/or time slices of hardware temporally shared by that virtual machine with others of the virtual machine(s)), may form a separate virtualized DGU 404A-Z.

[0053] Each such virtualized DGU can include a DGU manager interface 446A and a DGU controller interface 444A, which enable the DGU to communicate with the gateway manager and the gateway controller, respectively. The DGU includes an internal communication interface 442A that enables the DGU to communicate with other DGUs of the network gateway system. The DGU further includes a processing module 448A that performs the operations/services of a particular DGU (e.g., enables an access unit to receive traffic from user devices and expose device information; enables the subscriber unit to perform subscriber identification, authentication and authorization, policy enforcement, as well as exposure of subscriber information; enables the network unit to interface with packet data networks, and expose flow information; and/or enables application units to use the result of the processing of each one of the other processing units to provide value added services to a service provider). In the embodiment of Figure 4, DGU instances 450Y-Z, as illustrated, represent the DGU manager interface 446, the DGU controller interface 444, the processing module 448, and the internal communication interface 442 included in the respective virtualized DGUs.

[0054] While one embodiment implements virtualization with the hypervisor 470 and virtual entities 440A-Z such as virtual machines, alternative embodiments may use other techniques (e.g., using operating system level virtualization where, instead of a hypervisor and virtual machines, the kernel of the operating system allows for multiple user space instances (often called software containers, virtualization engines, virtual private servers, or jails) that may execute a virtualized DGU).

[0055] While one embodiment implements each type of DGU (e.g., an access unit, a network unit, or a subscriber unit) on a single network device such that one or more virtualized instances of the same type operate on a single network device, in other embodiments, the various types of DGUs may be included within the same network device, such that each one is part of a single independent virtual entity, or alternatively as part of the same virtual entity.

[0056] The operations in the flow diagrams will be described with reference to the exemplary embodiments of the other figures. However, it should be understood that the operations of the flow diagrams can be performed by embodiments of the invention other than those discussed with reference to the other figures, and the embodiments of the invention discussed with reference to these other figures can perform operations different than those discussed with reference to the flow diagrams.

[0057] Figure 5 illustrates an exemplary flow diagram of operations performed in a network gateway system located between an access network and a core packet data network of a carrier network when traffic is received from one or more user devices. At operation 502, traffic is received at an access unit instance from one or more user devices. For example, traffic is received from one or more of the user devices 205A-N at access unit instances (106A-C). At operation 504, an access unit instance (e.g., access unit instances 106A, 106B, 106C) determines device information associated with the received traffic (e.g., MAC address of the device forwarding the traffic, access technology used for coupling the user device to the network gateway system, etc.). At operation 506, traffic is processed at the subscriber unit instance, where the processing includes performing at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic. At operation 508, the subscriber unit instance (108A, 108B) determines subscriber information associated with the received traffic. At operation 510, traffic is forwarded from the network unit instance towards the core packet data network. At operation 512, the network unit instance (110A, 110B) determines network information associated with the received traffic. At operation 514, the device information, the subscriber information, the network information, and a result of the processing of the traffic at an application unit instance (114A, 114B) is exposed to other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B), and the application unit instance (114A, 114B). Each one of the access unit instance, the subscriber unit instance and the network unit instance is separately implemented and separately scalable from the other ones of the access unit instance, the subscriber unit instance and the network unit instance.
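The Figure 5 flow as a small model, added here as an example and not taken from the patent: each unit is a separate function that exposes its information on a shared internal bus, and the order of units is a configurable chain. The `InternalBus` API, the subscriber table, the packet fields and the choice to drop unauthorized traffic at the subscriber unit are all assumptions made for illustration.

```python
from collections import defaultdict

class InternalBus:
    """Stand-in for the internal communication mechanism (hypothetical API)."""
    def __init__(self):
        self._info = defaultdict(dict)

    def expose(self, flow, kind, value):
        self._info[flow][kind] = value

    def read(self, flow):
        return dict(self._info[flow])

# Constructed subscriber records keyed by device MAC address.
SUBSCRIBERS = {
    "02:00:00:00:00:01": {"id": "sub-1", "authorized": True},
    "02:00:00:00:00:02": {"id": "sub-2", "authorized": False},
}

def access_unit(pkt, bus):
    # Operations 502/504: receive traffic, determine and expose device information.
    bus.expose(pkt["flow"], "device", {"mac": pkt["mac"], "access": pkt["access"]})
    return pkt

def subscriber_unit(pkt, bus):
    # Operations 506/508: identify and authorize the session, expose subscriber information.
    rec = SUBSCRIBERS.get(pkt["mac"])
    ok = bool(rec and rec["authorized"])
    bus.expose(pkt["flow"], "subscriber", {"id": rec["id"] if rec else None, "authorized": ok})
    return pkt if ok else None  # assumption: unauthorized traffic is dropped here

def application_unit(pkt, bus):
    # Uses what the other units exposed instead of re-deriving it from the packet.
    seen = bus.read(pkt["flow"])
    label = f'{seen["subscriber"]["id"]}/{seen["device"]["access"]}'
    bus.expose(pkt["flow"], "application", {"usage_label": label, "bytes": len(pkt["payload"])})
    return pkt

def network_unit(pkt, bus):
    # Operations 510/512: forward towards the core network, expose network information.
    bus.expose(pkt["flow"], "network", {"tunnel": pkt.get("tunnel", "IPv6")})
    return pkt

def run_chain(pkt, chain, bus):
    """Pass pkt through the configured units in order; None means it was dropped."""
    for unit in chain:
        pkt = unit(pkt, bus)
        if pkt is None:
            return None
    return pkt

def demo():
    bus = InternalBus()
    with_app = [access_unit, subscriber_unit, application_unit, network_unit]
    without_app = [access_unit, subscriber_unit, network_unit]
    good = {"flow": "f1", "mac": "02:00:00:00:00:01", "access": "wifi", "payload": b"hello"}
    bad = {"flow": "f2", "mac": "02:00:00:00:00:02", "access": "lte", "payload": b"x"}
    plain = dict(good, flow="f3")
    chains = {"f1": (good, with_app), "f2": (bad, with_app), "f3": (plain, without_app)}
    return {f: run_chain(p, c, bus) is not None for f, (p, c) in chains.items()}, bus

if __name__ == "__main__":
    print(demo()[0])
```

Because the subscriber unit sits ahead of the application and network units in both chains, the unauthorized flow leaves only device and subscriber information on the bus and never reaches the core side.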

[0058] Figure 6 illustrates an exemplary flow diagram of operations performed in a network gateway system located between an access network and a core packet data network of a carrier network when traffic is received from the core network. At operation 602, traffic is received at a network unit instance from the core network 103. The traffic is received through a packet data network at one of the network unit instances 110A or 110B. In some embodiments each of the network unit instances implements a given packet data network protocol (e.g., IPv4, IP/MPLS, IPv6, etc.) and is operative to receive one or more flows destined to one or more user devices 205A-N. At operation 604, a network unit instance (e.g., network unit instances 110A, 110B) determines network information associated with the received traffic. At operation 606, traffic is processed at the subscriber unit instance, where the processing includes performing at least one of identification, authentication and authorization of a subscriber's session associated with the received traffic. At operation 608, the subscriber unit instance (108A, 108B) determines subscriber information associated with the received traffic. At operation 610, traffic is forwarded from the access unit instance towards one or more user devices. For example, traffic is forwarded towards one or more user devices 205A-N from access unit instances (106A-C) according to one or more access technologies. At operation 612, the access unit instance determines device information associated with the traffic to be forwarded (e.g., MAC address of the device to which the traffic is to be forwarded, access technology used for coupling the user device to the network gateway system, the device's type and capabilities, etc.). At operation 614, the device information, the subscriber information, the network information, and a result of the processing of the traffic at an application unit instance (114A, 114B) is exposed to other ones of the access unit instance (106A, 106B, 106C), the subscriber unit instance (108A, 108B), the network unit instance (110A, 110B), and the application unit instance (114A, 114B). Each one of the access unit instance, the subscriber unit instance and the network unit instance is separately implemented and separately scalable from the other ones of the access unit instance, the subscriber unit instance and the network unit instance.

[0059] An advantage provided by the processes and systems described herein above is that a disaggregated network gateway enables independent scalability of functions (independent scalability of the access unit, the subscriber unit, the network unit and the application unit of the gateway). In addition, a disaggregated network gateway enables an easier scalability implementation. For example, to support millions of IoT sensors, smaller (less complex) access unit instances need to be deployed while having a centralized subscriber and network unit within the gateway system. In this example, the implementation complexity of each instance is smaller, and each instance can, for example, be easier to virtualize and may be implemented within a single processing core.

[0060] A disaggregated gateway system may be built from components/functions provided by different suppliers based on their unique expertise, existing products, roadmap, etc. Further, the DGU instances 450 are more flexible in terms of their location. The various DGUs can be deployed anywhere from the same server/network device to distributed cloud infrastructure (for example: access unit instances deployed in a number of micro-DCs closer to the end-user, while the subscriber unit can be more centralized).

[0061] A disaggregated gateway system enables a more flexible infrastructure to develop and deploy Value-Added-Services (VAS) (i.e., applications), which can be inserted between any units within the gateway. For example, it is possible to develop an aggregation unit that combines communication from multiple devices into a smaller number of data streams toward the subscriber unit, such as aggregating messages from all moisture sensors in a particular geographical area. Alternatively, such aggregation can be done after the subscriber unit to create a data stream of PG&E electrical meters. If needed, VAS may also be deployed after the Network Function, similarly to current deployments of services on the Gi interface in mobile networks. Also, a number of VAS can be deployed at different "locations" within the network gateway. The disaggregated gateway system enables the creation of multi-access and multi-tenant deployments more easily, efficiently, and flexibly than in standard network gateway architectures.

[0062] While the invention has been described in terms of several embodiments, those skilled in the art will recognize that the invention is not limited to the embodiments described, and can be practiced with modification and alteration within the spirit and scope of the appended claims. The description is thus to be regarded as illustrative instead of limiting. For example, while the flow diagrams in the figures show a particular order of operations performed by certain embodiments of the invention, it should be understood that such order is exemplary (e.g., alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, etc.). For example, the flow of traffic within the disaggregated network gateway may be performed in another order than the one depicted in the flow diagram of Figure 5 or Figure 6, and some operations may be skipped without departing from the scope of the present invention. The disaggregated network gateway structure allows for a flexible configuration of flows of operations within the network gateway such that multiple operations can be performed in a different order.