Login| Sign Up| Help| Contact|

Patent Searching and Data


Title:
METHOD AND SYSTEM FOR HANDLING SUBSCRIBERS' NETWORK TRAFFIC
Document Type and Number:
WIPO Patent Application WO/2014/060589
Kind Code:
A1
Abstract:
A method for handling subscribers' network traffic between a customer premises equipment - CPE - and a broadband access network is disclosed. The method comprises the steps: establishing a subscriber session between said CPE and a broadband network gateway - BNG, thus setting up a network route between said CPE and said BNG, said BNG being an entity within said broadband access network, wherein data transmitted at said subscriber session being encapsulated into protocol frames, acquiring the state of said subscriber session by a network control entity - NCE, updating network policies in at least one network entity on said network route by said NCE based on said state of said subscriber session, deciding, by a dynamic encapsulation module - DEM, based on DEM configuration, whether data is sent to said broadband access network as encapsulated data within said subscriber session or as non-encapsulated data outside said subscriber session, and transmitting said encapsulated and/or said non-encapsulated data on at least a part of said network route, wherein said encapsulated data and said non-encapsulated data being handled according to said network policies. Additionally, an according system is disclosed.

Inventors:
BIFULCO ROBERTO (DE)
KOLBE HANS-JOERG (DE)
Application Number:
PCT/EP2013/071868
Publication Date:
April 24, 2014
Filing Date:
October 18, 2013
Export Citation:
Click for automatic bibliography generation   Help
Assignee:
NEC EUROPE LTD (DE)
International Classes:
H04L12/28; H04L12/46; H04L45/50
Foreign References:
US7646713B12010-01-12
US20120082073A12012-04-05
EP2403186A12012-01-04
Other References:
None
Attorney, Agent or Firm:
ULLRICH & NAUMANN (Heidelberg, DE)
Download PDF:
Claims:
C l a i m s

1. Method for handling subscribers' network traffic between a customer premises equipment - CPE - and a broadband access network, comprising the steps:

establishing a subscriber session between said CPE and a broadband network gateway - BNG, thus setting up a network route between said CPE and said BNG, said BNG being an entity within said broadband access network, wherein data transmitted at said subscriber session being encapsulated into protocol frames,

acquiring the state of said subscriber session by a network control entity -

NCE,

updating network policies in at least one network entity on said network route by said NCE based on said state of said subscriber session,

deciding, by a dynamic encapsulation module - DEM, based on DEM configuration, whether data is sent to said broadband access network as encapsulated data within said subscriber session or as non-encapsulated data outside said subscriber session, and

transmitting said encapsulated and/or said non-encapsulated data on at least a part of said network route, wherein said encapsulated data and said non- encapsulated data being handled according to said network policies.

2. Method according to claim 1 , wherein said protocol frames are tunneling protocol frames, such as the Point-to-Point Protocol - PPP, Generic Transport Protocol - GTP.

3. Method according to claim 1 or 2, wherein at said step of transmitting encapsulated data, said encapsulated data are transmitted to said BNG and are de-capsulated by said BNG.

4. Method according to one of claims 1 to 3, wherein at said step of transmitting non-encapsulated data, said non-encapsulated data are transmitted to said BNG on said network route or to a offload-point on a part of said network route.

5. Method according to one of claims 1 to 4, said step of transnnitting non- encapsulated data only being performed, if said subscriber session is alive.

6. Method according to one of claims 1 to 5, wherein at said step of acquiring session state said NCE is sending a query to an authentication server to gather information about said subscriber session, wherein said authentication server is participated in establishing said subscriber session.

7. Method according to one of claims 1 to 5, wherein at said step of acquiring session state said NCE is sniffing answers of an authentication server to obtain information about said session, wherein said authentication server is participated in establishing said subscriber session.

8. Method according to one of claims 1 to 5, wherein at said step of acquiring session state a network attached subsystem - NASS - forwards session state information to said NCE, said NASS preferably being a subsystem of said BNG.

9. Method according to one of claims 1 to 8, said network route being based on a network configuration, said network configuration being used at transmitting said encapsulated data and at transmitting said non-encapsulated data.

10. Method according to one of claims 1 to 9, said DEM configuration defining static provisioning of network resources which might be adapted based on dynamically learned parameters, said DEM configuration preferably being installed by said NCE.

1 1. Method according to one of claims 1 to 10, said DEM configuration are defined on request, preferably using a remote policy controller. 12. System for handling subscribers' network traffic between a customer premises equipment - CPE - and a broadband access network, particularly for performing a method according to one of claims 1 to 1 1 , said system comprising: a broadband network gateway - BNG, said BNG being configured to establish a subscriber session with said CPE and to de-capsulate encapsulated data received via said subscriber session,

network entities, said network entities being interconnected to each other and providing a network route for data transmitted at said subscriber session, a network controller entity - NCE, said NCE being configured to acquire the state of said subscriber session and to update network policies in at least one of said network entities,

a dynamic encapsulation module - DEM, said DEM being configured to decide, whether data is sent to said broadband access network as encapsulated data within said subscriber session or as non-encapsulated data outside said subscriber session,

wherein said encapsulated and/or said non-encapsulated data is transmitted on at least a part of said network route, wherein said encapsulated data and said non-encapsulated data being handled according to said network policies.

13. System according to claim 12, said DEM being part of said CPE or an entity within said broadband access network. 14. System according to claim 12 or 13, said DEM working as a policy-based router or switch or being implemented using reactive principles.

15. System according to one of claims 12 to 14, said NCE being part of said broadband access network and/or being implemented as centralized or distributed system.

Description:
METHOD AND SYSTEM FOR HANDLING

SUBSCRIBERS' NETWORK TRAFFIC

The present invention relates to methods and systems for handling subscribers' network traffic between a customer premises equipment and a broadband access network.

To provide broadband network access to subscribers, operators need to solve

(i) the technical issues related to the provisioning of the network connection to the subscriber premises, and

(ii) the technical issues related to the process of Authentication, Accounting and Authorization (AAA) of the subscribers.

Several solutions have been developed to this aim, with the use of tunneling being the most prominent. In particular, DSL access lines use the Point-to-Point Protocol (PPP) to establish a tunnel between a Customer Premises Equipment (CPE) and the operator's Broadband Network Gateway (BNG), which is the point where the operator performs AAA.

In order to obtain network connectivity, a subscriber establishes a PPP session in first place. The PPP session between the subscriber and the BNG provides several functions:

• subscriber authentication, session establishment and session maintenance (i.e., if the subscriber session is alive or not)

• IP address assignment including further options to configure network access of the client

• subscriber traffic isolation through tunneling

• subscriber policies enforcement (authorization)

• session-based accounting

• server discovery, automatic reconnect.

The CPE is in charge of performing the PPP session establishment and subsequent network traffic encapsulation (i.e., it puts subscriber's packets into PPP frames). The BNG is the termination point of the PPP session, so it is in charge of:

• providing Authentication, Authorization and Accounting (AAA)

• terminate the PPP sessions, i.e. de-capsulation of network packets so that they can be delivered to services (that are unaware of PPP)

Terminating the PPP sessions at BNG enables operators to correctly apply policies on the subscribers' network traffic. Nevertheless, it introduces a hard constraint on the service provisioning architecture, since the subscribers' traffic can flow to services only after the PPP session termination, i.e., all the network traffic coming from a subscriber has to pass through the BNG server.

As network packets coming from or destined to the CPE are encapsulated into the PPP tunnel when traversing the network segment between CPE and BNG, there are certain constraints on the applicability of several network technologies that rely on IP forwarding mechanisms, which are hidden by the use of the PPP tunnel. E.g. multicast functions of the IP protocol are not applicable in the network segment between the CPE and the BNG, forcing the operators in applying complex and inefficient solutions to provide such feature. Another drawback resides in the implementation of the BNG server itself. In fact, this server has to provide several functions (PPP session termination, policies application, traffic forwarding, etc.) in a centralized way. The BNG server, hence, is a really complex system in charge of providing many critical services (for the subscribers it is serving), and represent a single point of failure in the access network.

Additionally, the requirement of locating all services after the BNG prevents providing service breakout before the termination point, i.e. the BNG. Some systems known in the art (based on PPP or other session based protocols) try to solve some of these issues. One solution is provided by TR-101 Issue 2 (see http://www.broadband-forum.org/technical/download/TR-101_lss ue-2.pdf). In order to support multicast (e.g. for IPTV services), the CPE must be able to support at the same time PPP encapsulated traffic and plain IP traffic over the same WAN interface. A PPP session is established and all the network traffic flows through this session, with the exception of multicast traffic. A VLAN (Virtual Local Area Network) connects directly the CPE with the BNG. To support efficiently multicast, the multicast traffic is sent from the BNG to the DSLAM (Digital Subscriber Line Access Multiplexer) over a dedicated Multicast-VLAN, so that the DSLAM can separate the multicast flows, and send them to the CPE using plain IP.

Hence, the downstream multicast traffic to the CPE is sent over IP. The CPE is able to send plain IP in the upstream direction (towards the DSLAM) as well, i.e. to send IGMP (Internet Group Multicast Protocol) "joins". Such messages, anyway, are sent with source IP address set to "0.0.0.0".

However, this approach is restricted to IGMP traffic. It is not possible to flexibly define breakouts for the network traffic. Additionally, the traffic has to be handled by "multicast-architecture-aware devices" (DSLAM/BNG).

Another approach is provided by TR-124 issue 3 (see http://www.broadband- forum.org/technical/download/TR-124_lssue-3.pdf). TR-124 issue 3 describes support for the handling of multiple sessions with mixed use of PPP packets and plain IP packets. This technique allows flexible traffic handling. However, management of the multiple sessions is complex.

In mobile networks, LIPA and SIPTO provide another approach. Local IP Access (LIPA) and Selected IP Traffic Offload architectures (SIPTO) use the concept of separated network flows for subscribers' session management and selected services access. LIPA is a traffic offload solution towards a local network, while SIPTO can be used to offload traffic to the global Internet as well. Both solutions can be applied in two different ways:

• Dedicated offload PDN connection. The User Equipment (UE) is enabled at handling more than one PDN (Packet Data Network) connection at the same time. A dedicated PDN connection is used for handling LIPA/SIPTO traffic. The UE establishes a second session (e.g. it gets a second IP address) to handle the offload network traffic. It is an essential drawback of this solution that is requires multiple sessions. • NA T based solution. This solution uses a single PDN connection and NAT functions installed in the operator controlled equipment (see figure 5), e.g. HeNB (Home E-UTRAN NodeB) or L-PGW (Local PDN Gateway). The UE establishes a session via an S-GW (Serving Gateway) with a P-GW (PDN Gateway) using a GTP (Generic Transport Protocol) tunnel.

The UE is configured with a single subscriber session using a single subscriber session and a single IP address. When a network flow should be offloaded, the HeNB (or the L-PGW) sends it out as plain IP. Since the IP address assigned through the subscriber's session to the UE belongs to the mobile network domain, it is not routable in the local network where the

HeNB [L-PGW] is located. Hence, the HeNB [L-PGW] performs a source NAT (Network Address Translation) in order to properly forward traffic toward the global Internet.

A drawback of this approach is the requirement of a NAT which make in- network subscriber identification complicated and involves checking of NAT tables. Furthermore, this approach refers to the routing of packets to the (uncontrolled) global internet, i.e., it still requires the use of the broadband access network to deliver the packets to the global internet. As stated earlier, it means that network packets are encapsulated in, e.g. a PPP subscriber session, which involves the limitations and issues discussed earlier.

It is therefore an objective of the present invention to improve and further develop a method and a system of the initially described type which provides the ability to flexibly and preferable dynamically handle subscriber traffic.

It is a further objective of the present invention to provide a method and a system which allows flexible enforcement of network policies in the access network. It is an even further objective of the present invention to provide a method and a system which enables flexible definition of breakout point. In accordance with the invention, the aforementioned objectives are accomplished by a method comprising the features of claim 1. According to this claim, such a method comprises the steps of:

establishing a subscriber session between said CPE and a broadband net- work gateway (BNG), thus setting up a network route between said CPE and said BNG, said BNG being an entity within said broadband access network, wherein data transmitted at said subscriber session being encapsulated into protocol frames,

acquiring the state of said subscriber session by a network control entity (NCE),

updating network policies in at least one network entity on said network route by said NCE based on said state of said subscriber session,

deciding, by a dynamic encapsulation module (DEM), based on DEM configuration, whether data is sent to said broadband access network as encapsu- lated data within said subscriber session or as non-encapsulated data outside said subscriber session, and

transmitting said encapsulated and/or said non-encapsulated data on at least a part of said network route, wherein said encapsulated data and said non- encapsulated data being handled according to said network policies.

The aforementioned objectives are also accomplished by a system comprising the features of claim 12. According to this claim, such a system comprises:

a broadband network gateway (BNG), said BNG being configured to establish a subscriber session with said CPE and to de-capsulate encapsulated data received via said subscriber session,

network entities, said network entities being interconnected to each other and providing a network route for data transmitted at said subscriber session,

a network controller entity (NCE), said NCE being configured to acquire the state of said subscriber session and to update network policies in at least one of said network entities,

a dynamic encapsulation module (DEM), said DEM being configured to decide, whether data is sent to said broadband access network as encapsulated data within said subscriber session or as non-encapsulated data outside said subscriber session, wherein said encapsulated and/or said non-encapsulated data is transmitted on at least a part of said network route, wherein said encapsulated data and said non-encapsulated data being handled according to said network policies. The term "broadband access network" should be understood in the most general sense: The broadband access network connects a subscriber to a service provider and provides high-speed access to services. Generally, it is implemented as wired network and might contain wireless connections. The broadband access network connects the customer premises equipment with the service provider's core network. Although the "borders" of the access network are not well defined, a skilled person will understand the concept of the broadband access network as used at the present invention.

The term "customer premises equipment" (CPE) should be understood in the most general sense: It refers to the device or devices which is/are used at the premises of the subscriber. It might include a gateway, switch, access point and other entities for exchanging data within the customer premises.

The term "broadband network gateway" (BGN) should also be understood in the most general sense: It is part of the broadband access network and provides a termination point for the subscriber session. Although the BNG is very often used at DSL (Digital Subscriber Line) systems, the invention is not limited to this usage.

The terns "subscriber" and "subscriber session" should also be understood in the most general sense: A subscriber is a person (or device) who (or which) accesses the broadband access network. To this end, the subscriber establishes a subscriber session, i.e. a network route between the CPE and the BGN is set up. This generally includes exchanging address information, allocating or reserving resources, defining, how the traffic on the route should be handled, and the like. Very often, the session has to be kept alive, i.e. the session will be terminated, if no data are transmitted or if no keep-alive messages are sent to the BGN.

When establishing a subscriber session, a suitable protocol is used. When transmitting data during a subscriber session, the data is encapsulated into protocol frames. This generally includes putting the data into the payload of frames with header information specific for the used protocol. Sometimes the payload is also encrypted.

According to the invention it has first been recognized that it is not necessary to encapsulate all data, which should be exchanged between a customer premises equipment (CPE) and a broadband access network, into protocol frames. In fact, both encapsulated traffic and non-encapsulated traffic can be used. It has further been recognized that transmitting non-encapsulated data does not inevitably result in the loss of secure and reliable network traffic handling. By incorporating a new entity, the operator can keep control of the transmitted traffic. To this end, a network control entity (NCE) is provided which receives information regarding the state of the subscriber session - the session state. Basic session states may be "alive", "not alive" or "idle". This information is used when transmitting non- encapsulated traffic.

In a first step, a subscriber session between the CPE and a broadband network gateway (BNG) is established, where the BNG is an entity within the broadband access network. When establishing a subscriber session, a network route between the CPE and the BNG is set up. This includes exchanging network configuration data, which may include IP addresses, quality of service (QoS) data, encryption parameter, etc. Generally, this step also includes authentication of the subscriber which may be performed by providing a user-password combination. Traffic which is transmitted during and within a subscriber session is encapsulated into protocol frames. This step is similar to "traditional" approaches.

In a second step, the state of the subscriber session is acquired by a network control entity (NCE). By doing so, knowledge about the session state is also available at an entity different to the BNG. Thus, the session state information can be moved from a centralized point (the BNG) to the whole access network.

In a third step, the NCE updates network policies in at least one network entity which is participated on transporting a data packet in the network route. Updating network policies may include installing network policies in the network entity when setting up the network route. In this case, the updating process may concern each of the network entities on the network route, but installing network policies may also be limited to selected network entities.

However, the updating process may also include dynamic rerouting of network flows according to subscriber's required services and policies. In this case, the updating process will most likely concern a single network entity.

The step of updating network policies is performed based on the acquired session state. Depending on the session state, policies may allow transmitting encapsulated and/or non-encapsulated network traffic or may grant certain quality of service. If the subscriber session is no longer alive, policies may deny transmitting encapsulated and non-encapsulated network traffic.

In a forth step, a dynamic encapsulation module (DEM) decides, whether data is sent by the CPE to the broadband access network as encapsulated data within the subscriber session or a non-encapsulated data outside the subscriber session. The decision will be based on DEM configuration. The encapsulation process can range from encapsulating almost all the network packets into a protocol frame, to using encapsulation only for subscriber session related network packets, e.g. keep-alive messages, and using no encapsulation for any other packet. In the last case, the encapsulated traffic has the only aim of maintaining the subscriber session with the BNG.

The encapsulation decision may be based on various conditions. For instance, the necessity of a breakout or offload point between the CPE and the BNG may result in a decision of using non-encapsulated traffic, as non-encapsulated traffic has not to pass the BNG in order to de-capsulate the data. "Breakout" of "offload" point refers to a point within the broadband access network, where the network packets leave the "general" network route. In the present case, the breakout point may be point outside the network route between the CPE and the BNG, where the (non- encapsulated) data are available.

In a next step, the data is sent towards the broadband access network based on the encapsulation decision, i.e. as encapsulated data or as non-encapsulated data. When forwarding the data on the network route both encapsulated data and non-encapsulated data are handled according to the network policies installed in the network entities.

By these method according to the invention and an according system, non- encapsulated traffic can be exchanged between the CPE and the broadband access network and can be handled with the same network rules like the encapsulated traffic. This allows for controlling the network traffic within the broadband access network and allows for providing breakout points between CPE and BNG in an efficient and flexible way. At the same time, non-encapsulated traffic is tightly coupled with the subscriber session, as the transmitting is based on the session state. Thus, authentication, accounting and authorization of the subscriber are possible for encapsulated and non-encapsulated traffic.

By introducing the NCE into the system, functions which are located at the BNG can be moved to several components within the operator's broadband access network. Thus a singles point of failure, e.g. the BNG at most PPP systems, can be avoided or the influence of a failure can be reduced.

The present invention may be used in combination with each session based protocol, i.e. where a session is established and has to be kept alive and where data are transported as payload in protocol frames. It may also be applied to IPoE (Internet Protocol over Ethernet). In this case, keep-alive messages may be sent to the BNG while most of the traffic is sent as non-encapsulated traffic which does not have to pass the BNG.

However, in preferred embodiments of the invention, the protocol which is used for encapsulating data is a tunneling protocol. This tunneling protocol may be GTP (Generic Transport Protocol), DSMIP (Dual Stack Mobile IP) or PMIP (Proxy Mobile IP). According to the most preferred embodiment, this tunneling protocol is PPP (Point-to-Point Protocol).

When transmitting encapsulated data, the encapsulated data are preferably transmitted to the BNG and are de-capsulated by the BNG. The de-capsulated data are transmitted within the broadband access network and/or the core network of the operator depending on the provided service. If for instance PPP is used and the data are IP packets, CPE encapsulates the IP packets into PPP frames. The BNG is the session termination point and the data, which are encapsulated within PPP frames, are de-capsulated by the BNG. The de-capsulated IP packets are forwarded according to the header information of the IP packets.

When transmitting non-encapsulated data, the data may be transmitted to the BNG and further into the broadband access network. However, the data may also be transmitted on a part of the network route and may leave the route towards an offload-point. This option may for instance be used for multicast traffic.

As already mentioned, the non-encapsulated traffic is tightly coupled with the subscriber session. This coupling may be implemented in such a way that non- encapsulated data is only forwarded, if the subscriber session is still alive. As the NCE is aware of the session state, the NCE may update the policies within all or some of the network entities on the network route so that the data is not forwarded anymore. It is sufficient that one network entity does not forward the data, e.g. the gateway at the CPE. According to a first embodiment of acquiring the session state, the NCE may send queries to an authentication server to gather information about the subscriber session. In most cases, an authentication server (generally an AAA (Authentication, Accounting, Authorization) server) is involved at establishing a subscriber session. The NCE may be implemented as an AAA client that sends AAA queries to the AAA server. Such AAA communication is well known in the art. However, the NCE may also directly access the session state information at the AAA server. E.g. the NCE may access the log files or the database of the AAA server. One advantage of this embodiment is that does not require a substantial change to the authentication server or the BNG. However, this solution needs additional inter- communication between the BNG and the AAA server.

According to a second embodiment of acquiring the session state, NCE may sniff answers of the authentication server. When a subscriber session is established, the BNG communicates with an authentication server, e.g. an AAA server, in order to gain information about the right of a subscriber to access the requested service. The NCE may sniff the replies of the AAA server directed to the BNG and may obtain the required information about the subscriber. This approach does not need any direct interaction with the AAA server, as the NCE just evaluates the packets which are exchanged between the BNG and the AAA server.

According to a third embodiment of acquiring the session state, BNG is extended to actively forward changes of the state of subscriber session to the NCE. To this end the BNG may contain an additional module. This functionality may be pro- vided by a NASS (Network Attached Subsystem) which is preferably a subsystem of the BNG. At this embodiment, changes of the session state are directly forwarded to the NCE which results in high accuracy and reliability of the session state data stored at the NCE. According to a forth embodiment of acquiring the session state, the NCE may receive the session state via interconnection with any other kind of session state server such as a subscriber portal.

The network route which is set up when establishing the subscriber session is based on a network configuration. Preferably, the network configuration is applied to both data flows (i.e. encapsulated and non-encapsulated data). For example, the IP configuration, particularly the IP address of the CPE, is the same for both encapsulated and non-encapsulated data. This is particularly beneficial regarding the handling of the network packets. Due to the same network configuration and in contrast to some systems known in the art, there is no necessity for source NAT (Network Address Translation) system.

The encapsulation decision at the DEM is based on DEM configuration. According to a first embodiment, the DEM configuration defines static network provisioning, i.e. encapsulation decision is defined once and the according DEM configuration is kept substantially unchanged. Static provisioning may be implemented by static routes or access lists, which match given packets in order to categorize them, e.g. tagging them, so that they can be then routed according to the specific packet's tag. This embodiment does need very little management and can be used in many systems.

According to a second embodiment of the DEM configuration, the DEM configura- tion defines static network provisioning which can be configured dynamically. That means that "basic settings" of the network are initially defined. However, these basic settings may be refined dynamically. This refining may be based on parameters which are dynamically learnt, such as the number of bytes transferred by a network flow. This option may be implemented using the same approach explained in the previous embodiment, where static routes and access lists are updated dynamically, in response to the mentioned parameters variation, by a process running inside the CPE.

According to a third embodiment of the DEM configuration, the DEM configuration is fully dynamic and may be adapted upon request. This embodiment provides a highly flexible encapsulation decision which can be adapted according to current demands. This embodiment may be implemented using a remote policy controller such as an H-RACS (Home-Resource and Admission Control Subsystem), an AAA server using Radius CoA, an OpenFlow controller, etc. The remote policy controller, which can be integrated in the NCE or orchestrated by it, defines the DEM policy according to both static and dynamic parameters retrieved from the access network, e.g., links congestion.

Preferably, the DEM configuration is installed on the DEM (or on the CPE, if DEM is implemented in the CPE) by the NCE. Thus, the operator of the broadband access network can flexibly influence the encapsulation decision. This provides great flexibility when a new breakout point should be installed.

The DEM might be implemented in different ways. At one preferred embodiment, the DEM is part of the CPE. This embodiment reduces network communication, when an encapsulation decision should be made. According to another preferred embodiment, the DEM is external entity, i.e. an entity within the broadband access network. Thus, reliability can be improved, as the DEM can be implemented as a redundant system or certain backup capabilities can be provided. Preferably, the DEM works as a policy-based router or switch. It may be implemented using reactive principles, like for example in OpenFlow, i.e. a DEM policy is installed in reaction to the creation of a new network flow. In such an implementation, the OpenFlow controller can be either local, so that it can handle all local network events without requiring an interaction with the systems operating the remaining part of the access network, or a remote OpenFlow controller can be queried upon receipt of an unknown packet. This last option reduces the number of OpenFlow controllers that would need to be deployed in the access network, paying an increase in the control messages related to network events. The two previous options are the extremes of a range of deployment options which are related to the actual size and properties of the access network.

Preferably, the NCE is part of the broadband access network. It may be implemented by a proxy within the broadband access network

The NCE may be implemented as a centralized system, i.e. there is one server within the broadband access network which is responsible for each subscriber session which is established within this network. However, the NCE may also be implemented as a distributed system. Different distribution mechanisms may be used. There may be several independent NCE systems within the broadband access network. When a subscriber session is established, a NCE may be assigned dynamically to this session. Another implementation may be a redundant system, where one primary NCE system is active and one or more further NCE run as redundant systems which store a current set of the data of the primary NCE and which are activated when the primary NCE fails. A skilled person will realize that other distribution mechanisms may be applied as well. There are several ways how to design and further develop the teaching of the present invention in an advantageous way. To this end it is to be referred to the patent claims subordinate to patent claims 1 and 12 on the one hand and to the following explanation of preferred embodiments of the invention by way of example, illustrated by the figure on the other hand. In connection with the explanation of the preferred embodiments of the invention by the aid of the figure, generally preferred embodiments and further developments of the teaching will be explained. In the drawing

Fig. 1 is a block diagram which shows the logical functions of the CPE with reference to PPP,

Fig. 2 is a block diagram of a first embodiment of the invention in a DSL system,

Fig. 3 is a block diagram of a second embodiment of the invention within a trusted WiFi system,

Fig. 4 is a block diagram of an implementation of the second embodiment and

Fig. 5 is a block diagram of LIPA/SIPTO as known in the art.

Fig. 1 shows an example of the separation of network traffic into encapsulated traffic and non-encapsulated traffic with reference to PPP. A rectangle in the middle of the figure represents the CPE (Costumer Premises Equipment). On the left hand side of the CPE is the LAN (Local Area Network). On the right hand side, the CPE is connected to the broadband access network. Communication within the LAN is based on the MAC (Media Access Control) address and the (local) IP (Internet Protocol) address. According to the invention, communication in the broadband access network is separated into encapsulated and non-encapsulated network traffic. The encapsulated network traffic is based on MAC address, (global) IP address and PPP encapsulation. A dedicated module within the CPE performs PPP encapsulation. The non-encapsulated network traffic is based on MAC address and (global) IP address. For this traffic, the CPE performs packets forwarding.

Like in traditional approaches, the CPE is in charge of establishing and maintaining a PPP session with the BNG, but it is also able of dynamically selecting the network packets that need to be encapsulated into the established PPP session. The non-encapsulated traffic is tightly coupled with the PPP session: The network configuration is applied to both flows, e.g. the CPE IP address is the same for both encapsulated and non-encapsulated packets, and in case the PPP session is closed, the non-encapsulated traffic cannot flow anymore.

Figure 2 shows the implementation of this basic concept within a DSL (Digital Subscriber Line) system. The CPE is connected to the broadband access network via a number of DSLAMs (Digital Subscriber Line Access Multiplexer). An ACL (Access Control List) is provided at the first routing point where network flows are separated with the help of advanced PPP handling. Non-encapsulated data are offloaded at a local breakout point DC1. Encapsulated data has to be passed to a BNG where the session is terminated, i.e. the encapsulated data is de-capsulated. In Fig. 2, the BNG is provided by several NASSs (Network Attached Subsystems). The NASSs forward each change of a session state to a centralized NCE (Network Control Entity). The NCE provides some or all of the following functions:

• acquisition of subscribers' state after PPP session establishment;

• set up the correct network routes between the CPE and the BNG. The routes' granularity may vary according to the implemented operator's services. E.g. routes can be defined per subscribers group, subscriber, service, etc.;

• install operator's policies in-network;

• dynamically reroute network flows according to the subscriber's required services and policies;

• providing dynamic traffic breakouts;

· coordinating the CPE PPP encapsulation process with the subscriber network flows routing

Acquiring the subscriber state, the NCE is able of deciding the access network routes for subscribers according to their states. Furthermore it is able to install the required policies in a distributed manner in the access network, e.g. exploiting dynamic configuration capabilities of the networking devices and/or using middle- boxes located at strategic locations. Since the NCE is able to configure the PPP encapsulation process at the CPE, it is able to easily set up services breakout in the access network. I.e. network flows directed to a service are instructed to be not encapsulated at the CPE, so that they can be processed by the service without any need to pass through the PPP session termination point, while specific network routes are installed in the network entities to redirect the flows to the local service breakout. Since the operator's policies are distributed in network, e.g. setting up ACLs in the first routing point, the NCE ensures that the subscriber's network flow passes through network devices/middle boxes so that the policies are correctly enforced.

Another embodiment of the invention is shown in connection with Fig. 3 and 4. This embodiment refers to trusted WiFi access to the 3GPP (3 rd Generation Partnership Project) via a BBF (Broad Band Forum) network with the need to offload traffic inside the BBF network, the 3GPP UE's (end device) traffic gets tunneled via layer 2 towards an access gateway such as the TWAG (Trusted Wireless LAN Access Gateway). HGW and UE is the CPE of the claims, BNG/BRAS (Broadband Remote Access Server) is the BNG.

Using the present invention, such a session could be coupled to an existing PPP session from the CPE's access session to create a combined path management such as e.g. for resource control.

More advanced use can be made, if the access session of the WiFi terminal / UE gets coupled with a new un-tunneled session inside the fixed network: In one embodiment, the subscriber session between the UE and TWAG uses a tunneling protocol. Then, a plain IP session can be coupled to the session. In another embodiment, there is no tunneling protocol between the UE's IP and Ethernet layer. In that case, the sessions get separated at the breakout point (e.g. at DC1 in Fig. 4). In both cases the TWAG transfer session state to the controller.

It could also be the case that Layer 2 headers such as VLAN headers separate both sessions (one towards the 3GPP network, another one for local traffic). Then again the invention applies. The invention and its embodiments provide several advantages:

1) Ability to dynamically select multiple traffic routes per subscriber, per service, without any need to pass through the BNG while maintaining the subscriber session concept.

2) Ability to use non-encapsulated network traffic between CPEs and BNG in order to allow full use of e.g. IP features.

3) Enforcement of network policies in network, instead of having a single point for their application.

4) Using same IP address for each route.

Many modifications and other embodiments of the invention set forth herein will come to mind the one skilled in the art to which the invention pertains having the benefit of the teachings presented in the foregoing description and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.