Title of invention: System and method for providing selective bearer security in a network environment
Abstract: An example method includes receiving a message related to a bearer or an Internet Protocol (IP) flow, the message includes an extension indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow. The method further includes mapping a communication flow to the bearer or the IP flow, and applying the IPsec feature to the bearer or the IP flow. In other embodiments, the method can include communicating the extension to a next destination, and updating a security policy to indicate that the bearer or the IP flow is designated for the IPsec feature. In yet other embodiments, an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow. The extension is provided at an IP flow level or at a bearer level such that network traffic is designated for the IPsec feature.
Publication number: US9215588(B2) Publication date: 2015.12.15
Application number: US201012771574 Filing date: 2010.04.30
Applicant: CISCO TECHNOLOGY, INC. Inventor: Andreasen Flemming S.
Classification: H04L7/00;H04W12/06;H04L29/06 Main classification: H04L7/00
Agency: Patent Capital Group Agent: Patent Capital Group
Principal claim: 1. A method, comprising: receiving a message related to a bearer or an Internet Protocol (IP) flow, wherein the message includes selectors indicating whether an Internet Protocol security (IPsec) feature is designated for the bearer or the IP flow, and wherein the selectors can facilitate adjusting IPsec security policy databases in network elements using, at least in part, control plane signaling messages between the network elements and a packet data network gateway, wherein the IPsec security policy databases are adjusted at the flow level and not the encapsulating security payload bearer level, wherein policy control and charging extensions adjust the IPsec security policy databases on both a sending side and a receiving side such that the sending side and the receiving side are synchronized; mapping a communication flow to the bearer or the IP flow, wherein an Internet Key Exchange (IKE) is used to establish a security association for a serving gateway associated with the communication flow, and wherein the selectors are provided at a bearer level or at an IP flow level such that network traffic associated with the communication flow is designated for the IPsec feature, wherein signaling for user plane and control plane network elements are extended to indicate whether the bearer or the IP flow is designated for the IPsec feature; and applying the IPsec feature to the bearer or the IP flow.
Address: San Jose CA US