Title:
A METHOD AND AN ARRANGEMENT FOR HANDLING SECURITY IN A TELECOMMUNICATIONS SYSTEM
Document Type and Number:
WIPO Patent Application WO/2010/151182
Kind Code:
A1
Abstract:
The embodiments of the present invention relate to an arrangement in a network node and to a method for handling security in a communications system wherein a plurality of network groups are provided, each group comprising at least one radio base station, and wherein a UE served by a first base station performs a handover to a second base station. If the first and second base stations belong to the same network group, a first AA policy is performed between the UE and the second base station independently of the access technology used by the second base station. If the first and second base stations belong to different groups, a second AA policy is applied independently of the access technology used by the second base station.

Inventors:
NAESLUND MATS (SE)
THAKARE KIRAN (SE)
Application Number:
PCT/SE2009/050777
Publication Date:
December 29, 2010
Filing Date:
June 22, 2009
Assignee:
ERICSSON TELEFON AB L M (SE)
NAESLUND MATS (SE)
THAKARE KIRAN (SE)
International Classes:
H04W12/04; H04W36/00
Foreign References:
US6418130B1 (2002-07-09)
US20070064647A1 (2007-03-22)
US20040053613A1 (2004-03-18)
US20080207170A1 (2008-08-28)
Attorney, Agent or Firm:
HASSELGREN, Joakim (Patent Unit LTE, Stockholm, SE)
Claims:
CLAIMS

1. A method of handling security in a telecommunications system (100) comprising a network area (110) that is partitioned into a plurality of network groups (112, 112, 114) and wherein a user equipment, UE, (115) that is served by a first radio base station (111C) of a first network group (111), performs a handover to a second radio base station; the method characterized in that:

- (401) if the second radio base station belongs to the first network group (111), applying a first authentication and authorization, AA, policy between the UE (115) and the second radio base station to allow the UE (115) to associate to the second radio base station independently of the radio access technology used by the second radio base station; and

- (402) if the second radio base station belongs to another network group that is different from the first network group (111), applying a second AA policy between the UE (115) and the second radio base station independently of the radio access technology used by the second radio base station.

2. The method according to claim 1 wherein the step (402) further comprises providing the second radio base station belonging to said another network group with AA information related to the UE (115).

3. The method according to claim 1 or claim 2 wherein the step (401) of applying a first AA policy comprises authorizing the UE (115) to associate to the second radio base station.

4. The method according to claim 1 or claim 2 wherein the step (401) of applying a first AA policy comprises instructing the UE (115) to update a security key of said UE (115) prior to authorizing the UE (115) to associate to the second radio base station.

5. The method according to claim 2 wherein the step (402) of applying a second AA policy comprises enforcing an authorization and authentication procedure between the UE (115) and the second radio base station or between the UE (115) and a network node associated with said second radio base station.

6. The method according to claim 5 further comprising multicasting said AA information related to the UE (115) to all radio base stations belonging to said another network group.

7. The method according to claim 5 further comprising providing, based on location information of the UE (115), said AA information related to the UE to at least one additional radio base station belonging to said another group.

8. The method according to any one of claims 5-7 wherein the step (402) of applying a second AA policy further comprises the transfer of one or more security keys.

9. An arrangement in a network node for handling security in a telecommunications system comprising a network area (110) that is partitioned into a plurality of network groups, and wherein a user equipment, UE, (115) that is served by a first radio base station (111C) of a first network group (111), performs a handover to a second radio base station; characterized in that:

- if the second radio base station belongs to the first network group, said arrangement is configured to apply a first authentication and authorization, AA, policy between the UE (115) and the second radio base station to allow the UE (115) to associate to the second radio base station independently of the radio access technology used by the second radio base station; and

- if the second radio base station belongs to another network group that is different from the first network group, said arrangement is configured to apply a second AA policy between the UE (115) and the second radio base station independently of the radio access technology used by the second radio base station.

10. The arrangement according to claim 9 is further configured to provide the second radio base station with AA information related to the UE (115), if the second radio base station belongs to said another network group.

11. The arrangement according to claim 9 or claim 10 is configured to apply the first AA policy by authorizing the UE (115) to associate to the second radio base station.

12. The arrangement according to claim 9 or claim 10 is configured to apply the second AA policy by instructing the UE (115) to update a security key of the UE (115) prior to authorizing the UE to associate to the second radio base station.

13. The arrangement according to claim 10 is configured to apply the second AA policy by enforcing an authorization and authentication procedure between the UE (115) and the second radio base station or between the UE (115) and a network node associated with the second radio base station.

14. The arrangement according to claim 13 is further configured to multicast said AA information related to the UE (115), to all radio base stations belonging to said another network.

15. The arrangement according to claim 13 is further configured to provide said AA information related to the UE (115) to at least one additional radio base station belonging to said another network group, based on location information of the UE (115).

16. The arrangement according to any one of claims 9-15 is provided in a network node corresponding to a radio base station of said telecommunications system.

17. The arrangement according to any one of claims 9-15 is distributed between the first radio base station (111C) and the second radio base station.

18. The arrangement according to any one of claims 9-15 is provided in a central network node in the system.

Description:
A METHOD AND AN ARRANGEMENT FOR HANDLING SECURITY IN A TELECOMMUNICATIONS SYSTEM

TECHNICAL FIELD

The present invention relates generally to security management in a telecommunications system, and more particularly to an arrangement and a method of handling security when a user equipment performs a handover from a serving base station to a target base station.

BACKGROUND

In wireless communications systems, security of mobile terminals is important not only to mobile users but also to service providers and to network operators. Security algorithms are often used to achieve authentication and consequently a basis for authorisation between the mobile terminal or the user equipment (UE) and one or several network nodes. These security algorithms often rely upon a secret that is shared between the mobile terminal and one or more network nodes that permits the user to be authenticated. Typically, this shared secret is embodied in the form of a cryptographic key. The handling of security between a mobile terminal and a network node generally occurs when the mobile terminal attaches to the network and may also occur when the mobile terminal requests service. In general, triggering of authentication can be based on the operator's policy and may in principle take place at any time.

A security check involving authentication and authorization is typically also performed when a mobile terminal is to be handed over from one access node (e.g. a serving base station) to another access node (e.g. a target base station). As an example, in the WiMAX (Worldwide Interoperability for Microwave Access) access system, a UE needs to authenticate itself to the network each time the UE encounters a new cell or a new radio base station. In other words, even though the UE moves or is handed over to a new radio base station within the same radio access technology, mutual authentication needs to be performed. A handover within the same WiMAX access system is also known as an inter BS/ASN (Base Station/Access Service Network) handover. In a multi-access system that supports a plurality of access technologies such as WiMAX, LTE, UMTS, GSM, WLAN, etc., authentication and authorization of a UE that is moving from a serving base station of a first access system (e.g. LTE (Long Term Evolution)) to a target base station of a second access system (e.g. WiMAX) is also required. In this case, a mutual authentication and authorization process is performed between the UE and the target system when a decision to hand over the UE has been made. In this process, a new security key is generated and shared between the UE and the target base station. In the event that the UE is to be handed over to yet another radio base station belonging to the same access system or to another access system, an additional mutual authentication and authorization process may be required between the UE and the new radio base station. This process is invoked for each handover situation. This results in performance degradation such as higher signalling load and an increase in the delays experienced by the UE, especially if the UE has an ongoing call or service. Repeated invocation of authentication and authorization procedures also puts strain on the battery life of the UE.

It should be mentioned that in some access systems, such as LTE, authentication is not necessarily required at handover. This means that the amount of signalling required for performing a handover can be kept to a minimum. However, such a system has security drawbacks. In particular, an LTE system will most likely include radio base stations of different types: macro, pico and femto base stations, and these will provide different levels of protection for the security keys and other sensitive data stored therein. For instance, macro base stations generally provide an adequate level of protection compared to that provided by pico base stations or femto base stations. This implies that a handover between macro base stations will most likely be more secure (i.e. have a higher level of protection) than a handover between a femto base station and a macro base station, and more secure than a handover between two pico base stations or between two femto base stations.

SUMMARY

It is thus an object of the exemplary embodiments of the present invention to address at least the above mentioned drawbacks by providing an arrangement in a network node and a method of handling security, in terms of authentication and authorization processes in handover procedures, that facilitates handovers of a UE from a first radio base station to a second radio base station independently of the radio access technology used by the radio base stations. According to a first aspect of exemplary embodiments of the present invention, the above stated problems are solved by means of a method of handling security in a telecommunications system that comprises one or several network areas, each network area being partitioned into a plurality of network groups, and wherein a user equipment (UE) that is served by a first radio base station of a first network group performs a handover to a second radio base station. According to exemplary embodiments of the present invention the method of handling security comprises the steps of: applying, if the second radio base station belongs to the first network group, a first authentication and authorization (AA) policy between the UE and the second radio base station to allow the UE to associate to the second radio base station independently of the radio access technology used by the second radio base station; and applying, if the second radio base station belongs to another network group that is different from the first network group, a second AA policy between the UE and the second radio base station independently of the radio access technology used by the second radio base station.

According to an exemplary embodiment of the present invention, application of the first AA policy comprises authorizing the UE to associate to the second radio base station. Thus, if the first and second radio base stations belong to the same network group, the UE, in accordance with this exemplary embodiment of the present invention, is not required to perform an AA procedure.

According to another exemplary embodiment of the present invention, applying the first AA policy comprises instructing the UE to update its security key prior to authorizing the UE to associate to the second radio base station. Thus, if the first and second radio base stations belong to the same network group, the UE, in accordance with this exemplary embodiment, is instructed to update its security key.

According to an exemplary embodiment of the present invention, applying the second AA policy comprises enforcing the AA procedure between the UE and the second radio base station. This AA procedure results in AA information shared between the UE and the network. Thus, when the UE moves to a new network group, an authentication and authorization procedure is enforced independently of the radio access technology used by the second radio base station of that network group. Enforcing the second AA policy may further comprise instructing the UE to update its key in addition to requiring a full authentication. According to another aspect of the exemplary embodiments of the present invention, the above stated problems are solved by means of an arrangement in a network node for handling security in a telecommunications system comprising a network area that is partitioned into a plurality of network groups, and wherein a UE that is served by a first radio base station of a first network group performs a handover to a second radio base station. The arrangement is configured to apply, if the second radio base station belongs to the first network group, a first AA policy between the UE and the second radio base station to allow the UE to associate to the second radio base station independently of the radio access technology used by the second radio base station. If the second radio base station belongs to another network group, the arrangement is configured to apply a second AA policy between the UE and the second radio base station independently of the radio access technology used by the second radio base station.

An advantage with embodiments of the present invention is to facilitate security handling (i.e. AA handling) during handover of a UE from a serving base station to a target base station independently of the radio access technology used by the involved radio base stations.

Another advantage with embodiments of the present invention is to reduce the signalling load and to reduce the latency introduced by AA procedures.

A further advantage with embodiments of the present invention is to avoid reducing the battery life of the UE.

Yet another advantage with embodiments of the present invention is that by introducing the network group concept, an increase in security is achieved in cases where the handover is between radio base stations of the same access technology but the serving and/or the target base station provide different protection levels.

Still other objects, features and advantages of embodiments of the present invention will become apparent from the following detailed description in conjunction with the accompanying drawings; attention is called to the fact, however, that the following drawings are illustrative only, and that various modifications and changes may be made in the specific embodiments illustrated and described within the scope of the appended claims. It should further be understood that the drawings are not necessarily drawn to scale and that, unless otherwise indicated, they are merely intended to conceptually illustrate the structures and procedures described herein.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a schematic diagram of a network architecture comprising network groups and network areas wherein the exemplary embodiments of the present invention can be applied.

Figure 2 is a diagram illustrating a network scenario wherein the exemplary embodiment of the present invention can be applied.

Figure 3 is a diagram illustrating another network scenario wherein the exemplary embodiment of the present invention can be applied.

Figure 4 is a flowchart of a method of handling security in accordance with exemplary embodiments of the present invention.

DETAILED DESCRIPTION

In the following description, for purposes of explanation and not limitation, specific details are set forth such as particular architectures, scenarios, techniques, etc. in order to provide thorough understanding of the exemplary embodiments of the present invention. However, it will be apparent from the following that the present invention and its embodiments may be practiced in other embodiments that depart from these specific details.

Referring to figure 1 there is illustrated a network 100 wherein the exemplary embodiments of the present invention can be applied. As shown, the architecture 100 comprises one or several network areas of which only two network areas 110, 120 are shown. Since the exemplary embodiments of the present invention relate to security handling involving authorization and authentication procedures, each network area is here denoted an AA area (Authentication and Authorization area). AA area1 110 is partitioned into a plurality of network groups denoted AA groups of which only three groups are shown, AA group1 111, AA group2 112 and AA group3 113. AA area2 120 is shown partitioned into AA group1 121 and AA group2 122. It should be noted that the exemplary embodiments of the present invention are not restricted to any particular number of AA areas and/or AA groups.

Also shown in figure 1, each AA group comprises at least one radio base station, denoted BS. AA group1 111 is shown comprising base stations BS1 111A, BS2 111B, and BS3 111C; AA group2 112 is shown including base station BS1 112A; and AA group3 113 is shown comprising base station BS1 113A. For AA area2 120, AA group1 121 comprises BS1 121A and AA group2 122 comprises BS2 122A. Again, the exemplary embodiments of the present invention are not restricted to any particular number of base stations per AA group.

An AA group may comprise BSs from various access technologies such as GSM, UMTS, LTE, WiMAX, GPRS, WLAN, that are logically or physically grouped together e.g. by geographical proximity to form an AA group.

An AA group may comprise BSs of a particular access technology and of a particular type of base station, regardless of their physical location. As an example, an AA group may comprise macro base station(s) and/or femto base station(s) and/or pico radio base station(s) belonging to a single network operator. Note that in this case, the AA group may not be based on physical proximity.

An AA group may comprise BSs of only a single access technology e.g. WiMAX/WIBRO (Wireless Broadband) or LTE or UMTS etc.

An AA group may comprise BSs of a particular ownership/administration. For instance, in a network shared between two or more operators, the jointly owned/administrated base stations could form a specific AA group, separate from those base stations owned/administrated by a single operator. An AA area may be an entire serving network or some suitable part thereof e.g. determined geographically in terms of a number of radio base stations and/or a number of cells. Several operators may jointly control the AA area. Alternatively, a single operator controls the AA area. The AA area could also coincide with existing concepts such as Location Area (LA, used in GSM), Routing Area (RA, used in GPRS) or Tracking Area (TA, used in LTE) and an AA area would in such case consist of only a part of a network.

Referring back to figure 1, there is also illustrated a location register 114 that can e.g. store parameters defining the AA areas, parameters defining the AA groups and the logical mapping of the BSs with respect to AA group/area. The parameters defining an AA group/area may or may not be related to location. The mapping of BSs to AA groups could for instance be a list of pairs of the form (BS_ID, AA group ID), where BS_ID is an identifier for the BS and AA group ID similarly is an identifier for the AA group. Each AA area can have its dedicated location register 114 as shown in figure 1. AA areas may also share a location register 114. It should be mentioned that the location register 114 is not necessarily a VLR (visitor location register) and/or an HLR (home location register).

Figure 1 also shows a UE 115 that is here assumed to be served by BS3 111C of AA group1 111 of AA area1 110. It should be mentioned that the network 100 may comprise additional network nodes and UEs not illustrated in figure 1, e.g. core network nodes for control (such as AAA (Authentication, Authorization and Accounting) servers (or AAA nodes) or mobility management nodes), or user plane data handling nodes (e.g. gateways). Note that the location register 114 may further store the location of UE(s).

Assume now a scenario where the UE 115 performs a handover from the source/serving base station BS3 111C to a second radio base station, i.e. to a target base station. According to an exemplary embodiment of the present invention, if the second radio base station belongs to AA group1 111, a first AA policy is applied between the UE 115 and the second radio base station to allow the UE 115 to associate to the second radio base station independently of the radio access technology used by the second radio base station.

As an example, assume that the target radio base station is BS2 111B. Both BS2 111B and BS3 111C belong to AA group1 111. In this case, a first AA policy is applied between UE 115 and BS2 111B. This first AA policy may comprise a rule to apply an implicit authentication in the sense that the UE 115 implicitly proves its authenticity by being able to use the correct AA information related to the UE, i.e. the correct security parameter (e.g. a security key for ciphering and/or data/signalling integrity).

Assume for example that the UE 115 already has knowledge of the identification information (or identifier) of AA group1, although this is not necessary. This information or identifier may for instance have been communicated to the UE 115 prior to the initiation of the handover procedure. As an example, the information may have been communicated when the UE 115 initially attached to the serving BS3 111C, when the UE 115 initially performed an AA procedure with the serving BS3 111C, or during security establishment (for enabling air interface ciphering etc.) and radio bearer establishment. The UE 115 will generally be made aware of e.g. the identity (ID) of the cell served by the target base station BS2 111B and other information relating to BS2 111B via a broadcast message transmitted from the target base station BS2 111B during discovery of the target base station by means of e.g. radio signal measurements or the like. The information included in the broadcast message may comprise the identifier of the AA group to which BS2 111B belongs. The information may also include the identifier of the AA area that includes AA group1 111. The broadcast information indicates to the UE 115 whether it can expect to authenticate if/when attaching to the target base station. In this case, both the source and the target base stations belong to the same network group, AA group1 111. The UE 115 is thus already known to AA group1 and therefore the AA policy to be applied is that no explicit authentication is necessary when the UE 115 performs the handover to BS2 111B. Instead, the UE 115 may for example implicitly prove its authenticity by using the correct AA information (security key for ciphering and/or data/signalling integrity) related to the UE and associate to the target base station.

As an example, assume that the network 100 and the UE 115 share some master key, denoted Km. Also, assume that the communication between the UE 115 and the serving base station BS3 111C is secured (e.g. encrypted) using a hashed key K3 = HASH(Km, BS3), where HASH indicates a hash function which can be any appropriate hash function. When the UE 115 performs a handover to the target base station BS2 111B, the UE 115 implicitly proves its authenticity by using K3 to secure communication between it and the target base station.

Thus, as long as the target and serving base stations belong to the same AA group no explicit authentication and authorization procedure is necessary independently of the radio access technology used by the target base station. In other words, the base stations of the same AA group have similar security level and share the same AA policy. This will facilitate security handling (i.e. AA handling) during handover of a UE, independently of the radio access technology used by the involved radio base stations. This will also reduce signalling load and the latency introduced by AA procedures.

It should be mentioned that application of the first AA policy may also (or alternatively) comprise issuing an instruction to the UE to perform some other security measure, e.g. to update the UE's security key prior to authorizing the UE to associate to the target base station. In this case, the update of the security key is motivated by the desire to limit "wear" of the key: the longer a key is used (e.g. the more data that is processed with it), the greater the risk that the key is compromised. Therefore, updating/replacing the key according to some pre-determined scheme improves security. As an example, when the UE 115 performs a handover to the target base station BS2 111B, the UE 115 can be instructed (e.g. in the broadcast message) to secure communication with BS2 111B using a new key K2 = HASH(Km, BS2). In this case, the target base station BS2 111B is provided with K2 in connection with the signalling involved during the handover. BS2 111B can be provided with K2 from an arrangement in the serving base station BS3 111C or from an arrangement in another network node (e.g. an AAA server, an AA controller node, a central node or any other suitable network node).

According to another exemplary embodiment of the present invention, if the second radio base station (i.e. target base station) belongs to another AA group, then a second AA policy is applied between the UE 115 and the second radio base station independently of the radio access technology used by the second base station. The target radio base station is informed of (or provided with) AA information that is related to the UE 115, and an explicit AA procedure (e.g. explicit authentication) is enforced between the UE 115 and the target base station.

For example, assume that the UE 115 performs a handover from serving BS3 111C of AA group1 111 to target BS1 112A of AA group2 112. In this scenario, a second AA policy is applied between the UE 115 and BS1 112A which involves an explicit authentication and authorization of the UE 115. For instance, the authentication may be based on the UE's USIM (Universal Subscriber Identity Module) and the AKA (Authentication and Key Agreement) protocol. When the UE 115 and BS1 112A (or some network node associated with BS1 112A, e.g. an AAA node) have explicitly performed mutual authentication and authorization, and in the event of successful authentication/authorization of the UE 115, at least the new serving base station is provided with the necessary AA information related to UE 115, e.g. security key(s). This AA information can be provided by an arrangement in a network node such as the serving base station and/or another network node (e.g. an AAA node). The radio base stations belonging to the second AA group (i.e. AA group2 112) may be informed of the AA information (e.g. security key) related to the UE 115 through multicasting of said information within the second group. As a consequence, if a new handover is to be performed within the second AA group, no explicit authentication and authorization procedure is necessary, and this is independent of the radio access technology used by the radio base stations belonging to this second AA group. Furthermore, once the UE is authenticated and authorized within an AA group, it can roam (freely) within the group regardless of its mode of operation (e.g. active, idle, sleep etc.). As a consequence, reduction of the battery life of the UE is avoided.

An AA group may be provided with a policy that applies an AA cycle, i.e. an interval between AA procedures. At the end of the AA cycle, the UE and its serving base station may initiate an AA procedure. In between procedures, security can be based on implicit authentication (or an update of the security key) so that the UE can prove knowledge of the key.
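The policy selection described above (the AA group check against the location register, the first policy with implicit authentication through K3 = HASH(Km, BS3) or an updated K2 = HASH(Km, BS2), the second policy with an explicit AA run followed by multicast of the AA information within the target group, and the AA cycle) is shown below as one added Python simulation. It is not code from the application or from Ericsson; the location register contents, HMAC-SHA-256 as the HASH function, the challenge-response stand-in for the USIM/AKA run, and the class and function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed location register (after figure 1): BS_ID -> AA group ID.
LOCATION_REGISTER = {
    "BS1_111A": "AA_group1",
    "BS2_111B": "AA_group1",
    "BS3_111C": "AA_group1",
    "BS1_112A": "AA_group2",
    "BS1_113A": "AA_group3",
}


def aa_group_of(bs_id: str) -> str:
    """AA group check: look the base station up in the location register."""
    return LOCATION_REGISTER[bs_id]


def group_members(group: str) -> list:
    """All base stations of one AA group (the multicast target for AA information)."""
    return [bs for bs, g in LOCATION_REGISTER.items() if g == group]


def derive_bs_key(km: bytes, bs_id: str) -> bytes:
    """K_bs = HASH(Km, BS_ID). The application leaves HASH open; HMAC-SHA-256 is assumed here."""
    return hmac.new(km, bs_id.encode(), hashlib.sha256).digest()


def mac(key: bytes, label: bytes, nonce: bytes) -> bytes:
    """Keyed response over a fresh challenge: proves possession of `key` without revealing it."""
    return hmac.new(key, label + nonce, hashlib.sha256).digest()


class UE:
    def __init__(self, km: bytes, serving_bs: str):
        self.km = km
        self.serving_bs = serving_bs
        self.key = derive_bs_key(km, serving_bs)   # e.g. K3 while served by BS3

    def respond_implicit(self, nonce: bytes) -> bytes:
        """First AA policy: the UE proves itself by using the current (correct) key."""
        return mac(self.key, b"implicit|", nonce)

    def respond_explicit(self, nonce: bytes) -> bytes:
        """Second AA policy: stand-in for the USIM/AKA run, bound to the long-term secret Km."""
        return mac(self.km, b"explicit|", nonce)


class Arrangement:
    """Network-side arrangement (serving BS, AAA node or central node) selecting the AA policy."""

    def __init__(self, km: bytes, aa_cycle: int = 3):
        self.km = km
        self.aa_cycle = aa_cycle      # handovers tolerated between explicit AA runs (AA cycle)
        self.bs_keys = {}             # AA information known per BS for this UE: {bs_id: key}
        self.since_explicit_aa = 0
        self.log = []

    def attach(self, ue: UE) -> str:
        return self._explicit_aa(ue, ue.serving_bs)

    def handover(self, ue: UE, target_bs: str, update_key: bool = False) -> str:
        same_group = aa_group_of(ue.serving_bs) == aa_group_of(target_bs)
        if same_group and self.since_explicit_aa < self.aa_cycle:
            policy = self._implicit_aa(ue, target_bs, update_key)   # step 401
        else:
            policy = self._explicit_aa(ue, target_bs)               # step 402
        ue.serving_bs = target_bs
        self.log.append((target_bs, policy))
        return policy

    def _implicit_aa(self, ue: UE, target_bs: str, update_key: bool) -> str:
        # Same AA group: the key known to the serving BS is handed to the target BS ...
        expected = self.bs_keys[ue.serving_bs]
        if update_key:
            # ... or, to limit key "wear", both sides switch to K_target = HASH(Km, target_bs).
            expected = derive_bs_key(self.km, target_bs)
            ue.key = derive_bs_key(ue.km, target_bs)
        nonce = secrets.token_bytes(16)
        if not hmac.compare_digest(ue.respond_implicit(nonce), mac(expected, b"implicit|", nonce)):
            raise PermissionError("implicit authentication failed: UE does not hold the correct key")
        self.bs_keys[target_bs] = expected
        self.since_explicit_aa += 1
        return "first policy: implicit"

    def _explicit_aa(self, ue: UE, target_bs: str) -> str:
        nonce = secrets.token_bytes(16)
        if not hmac.compare_digest(ue.respond_explicit(nonce), mac(self.km, b"explicit|", nonce)):
            raise PermissionError("explicit AA failed")
        new_key = derive_bs_key(self.km, target_bs)
        ue.key = derive_bs_key(ue.km, target_bs)
        # Multicast the fresh AA information to every BS of the target group, so that
        # later handovers inside that group can again use the first policy.
        for bs in group_members(aa_group_of(target_bs)):
            self.bs_keys[bs] = new_key
        self.since_explicit_aa = 0
        return "second policy: explicit"


if __name__ == "__main__":
    km = b"constructed-master-key-Km"          # constructed sample secret
    ue, net = UE(km, "BS3_111C"), Arrangement(km)
    net.attach(ue)
    for target, upd in (("BS2_111B", False), ("BS1_111A", True), ("BS1_112A", False)):
        print(target, net.handover(ue, target, update_key=upd))
```

A UE that does not hold the correct key (for instance one presenting a stale serving-BS identity) fails the implicit check and is refused rather than silently admitted, which is the property the first policy relies on; the `aa_cycle` counter forces an explicit run even inside a group once the configured number of implicit handovers has been spent.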

In the following, two scenarios wherein exemplary embodiments of the present invention can be applied will be described. The first scenario, which is also illustrated in figure 2, relates to a case where both the first and second base stations are LTE base stations (i.e. eNBs). A UE 20 is considered here attaching to the first base station eNB1 21 (Step 1). After attachment, an initial AA procedure takes place between the UE 20 and a mobility management entity (MME 23) assisted by a home subscriber server (HSS 25) (Step 2), followed by a security establishment (for enabling air interface ciphering etc.) and an EPS (Evolved Packet System) protected bearer establishment (Step 3). The UE 20 can, at this stage, be informed (securely) about the AA group to which eNB1 21 belongs (i.e. the AA group ID of eNB1). However, this is not necessary. After the security and EPS bearer establishments, data traffic can flow between UE 20 and eNB1 21 (Step 4), i.e. eNB1 21 is now the serving base station. The data traffic is forwarded via a Serving Gateway (SGW) 24 e.g. to/from the Internet. Step 5 indicates that a new eNB is discovered. This is done by radio signal measurements on broadcast messages from the second base station eNB2 22. The broadcast message comprises cell identifiers associated with eNB2 22 and may also comprise information about the AA group to which eNB2 22 belongs (i.e. the AA group ID of eNB2). In Step 6, a handover decision is made (handover preparation procedure). In LTE, there exist two types of handovers, a so-called X2-handover and a so-called S1-handover. X2 denotes the direct interface between eNB1 and eNB2 whereas S1 denotes the interface between an eNB and a central node in the network, e.g. the MME 23 or the SGW 24.

In case an X2-handover is made, the MME is not involved. Instead, eNB1 21 and eNB2 22 mutually check between each other whether they belong to the same AA group or not. Thus, in this case the arrangement for handling the checking and security and enforcing the AA policy is distributed between eNB1 21 and eNB2 22. As mentioned earlier, if eNB1 21 and eNB2 22 belong to the same AA group, then they have a similar security level and they share the same AA policy. This means that the AA information (e.g. keys) related to the UE 20 is known to eNB1 21 and may directly be made known also to eNB2 22. In a handover, eNB1 21 provides eNB2 22 with said AA information over the aforementioned X2 interface.

In case an S1-handover is made, the MME 23 is involved and can perform the AA group check, i.e. checking whether eNB1 21 and eNB2 22 belong to the same group or not. Thus, in this case the arrangement for handling the checking and security may be implemented in the central node MME 23. In such a case, the AA information (e.g. keys) related to the UE 20 is sent from the MME 23 to eNB2 22.

It should be noted that regardless of the type of handover (X2 or S1), the UE 20 may be informed (in Step 6) about the AA group to which eNB2 22 belongs, unless this was performed earlier. However, the UE 20 does not need to know the AA group ID of eNB2. In Step 7, and depending on the outcome of the AA group check, a selected AA policy is applied (AA policy application). If eNB1 and eNB2 belong to the same AA group, then a first AA policy is applied, as previously described. If eNB1 and eNB2 belong to different AA groups, then a second AA policy is applied, as described earlier. The handover procedure is then completed (Step 8, Handover Completion Procedure) and data traffic can be exchanged between UE 20 and the new serving base station eNB2 22 (Step 9). It should be mentioned that the AA information (e.g. the key(s)) related to the UE can be provided to radio base stations (through multicast, broadcast or unicast) belonging to the same group as eNB2, based on the location information of the UE.

Referring to figure 3, there is illustrated the second scenario wherein exemplary embodiments of the present invention can be applied. In this scenario, also within the context of a 3GPP EPS network, two different access technologies are however used. The first radio base station eNB 31 is considered to represent an LTE base station, which can be a macro LTE base station, a femto LTE base station or a pico LTE base station. The second radio base station BS 32 is considered to represent a WiMAX base station. Other combinations of access technologies are of course also possible.

Similarly to the previously described scenario, a UE 30 attaches to eNB 31 (Step 1). After attachment, an initial AA procedure takes place between the UE 30 and the MME 33 (Step 2), followed by a security establishment and a bearer establishment (Step 3). The UE 30 can, at this stage, be informed (securely) about the AA group to which eNB 31 belongs (i.e. the AA group ID of eNB 31). However, this is not necessary. After the security and bearer establishments, data traffic can flow between UE 30 and eNB 31 (Step 4), i.e. eNB 31 is now the serving base station. It should be noted that non-3GPP access technologies such as WiMAX are, in the current technical specifications such as 3GPP TS 23.402: "Architecture enhancements for non-3GPP access", integrated in EPS (Evolved Packet System) in a slightly different way than 3GPP native technologies. In this scenario, a network function called ANDSF (Access Network Discovery Function) 35 is used to inform the UE 30 about available networks. Thus, in this case, the UE is informed (Step 5, BS discovery) by the ANDSF 35 about a nearby WiMAX base station BS 32. The information can include the identity of BS 32 and also information about the AA group to which BS 32 belongs. The information is sent through the LTE access because UE 30 is currently served by eNB 31. After having received this information, a handover preparation procedure is started (Step 6). In this scenario, an arrangement for checking whether eNB 31 and BS 32 belong to the same or different groups is provided in e.g. a central node such as the HSS node 36 (or HSS/AAA node) or alternatively the ANDSF 35. If eNB 31 and BS 32 belong to the same AA group, a first AA policy is applied as previously described (Step 7, AA policy application). Thus, in this case eNB 31 and BS 32 have a similar security level and they share the same AA policy. This means that the AA information (e.g. keys) related to the UE 30 is known to eNB 31 and may directly be made known also to BS 32. HSS/AAA 36 provides BS 32 with said AA information. Thus, the arrangement for security handling (i.e. application of the first AA policy) is provided in the HSS 36. If eNB 31 and BS 32 belong to different AA groups, a second AA policy is applied at Step 7 as previously described. The necessary AA information (e.g. key(s)) related to the UE 30 is provided to BS 32 by HSS/AAA 36. It should be noted that the arrangement in the HSS/AAA 36 node can notify the UE 30 about the properties of the WiMAX network. As an example, the HSS/AAA 36 can inform the UE 30 of the AA group ID of BS 32. After the AA policy application, the handover procedure is complete (Step 8). The old LTE access is terminated and the HSS/AAA 36 is notified with a "cancel old location" notification etc. After the handover is completed, data traffic can be exchanged between the UE 30 and the new serving base station BS 32 (Step 9). As previously described, the base stations that belong to the same AA group as BS 32 are provided with UE related AA information. In figure 3, additional nodes are shown, such as an MME 33 and a gateway GW 34 which can be an SGW or a Packet Data Network Gateway (PGW).

Referring to figure 4, there is illustrated a flowchart of a method for handling security in a telecommunications system, in accordance with the previously described exemplary embodiments of the present invention. The system comprises a network area partitioned into a plurality of network groups (i.e. AA groups), wherein a UE that is served by a first radio base station (BS1) of a first network group performs a handover to a second radio base station (BS2). As shown, it is determined whether the first and second radio base stations belong to the same network group or to different network groups. If the first base station and the second base station belong to the same network group (401), a first AA policy is applied between the UE and the second base station to allow the UE to associate to the second radio base station independently of the radio access technology used by the second radio base station. If the second base station belongs to another network group that is different from the network group to which the first base station belongs, a second AA policy is applied (402) between the UE and the second base station independently of the radio access technology used by the second radio base station. Details concerning the different exemplary embodiments of the present invention have already been described and are therefore not repeated.

As previously described, the exemplary embodiments of the present invention also relate to an arrangement in a network node for handling security in a telecommunications system comprising a network area that is partitioned into a plurality of network groups, and wherein a UE that is served by a first radio base station of a first network group performs a handover to a second radio base station. The arrangement can be implemented in a network node corresponding to the first radio base station and/or in the second radio base station and/or in a central network node of the system and/or in any suitable node. When the UE performs the handover from the first to the second base station, the arrangement is configured to check whether the second base station belongs to the first network group. This checking can be performed by a processor or processing means. If the arrangement determines that the first and second base stations belong to the same group, the processing means of the arrangement selects the AA policy to be used, which in this case corresponds to the first AA policy. The arrangement is configured to apply the first AA policy between the UE and the second radio base station to allow the UE to associate to the second radio base station independently of the radio access technology used by the second radio base station. The application of the first AA policy may include a rule indicating that the UE is authorized to associate to the second radio base station (implicit AA procedure). The application of the first AA policy may instead include a rule indicating that the UE has to update its security key before it is authorized to associate to the second radio base station.

If the processing means of the arrangement determines that the second base station and the first base station belong to different groups, the arrangement is configured to select and apply a second AA policy between the UE and the second radio base station independently of the radio access technology used by the second radio base station. The arrangement is also configured to provide the second radio base station with AA information related to the UE (e.g. key(s)). The application of the second AA policy comprises enforcement of said policy. The arrangement is also configured to multicast the AA information related to the UE, to at least one radio base station belonging to the same group as that of the second base station. The arrangement can also provide the AA information related to the UE to at least one additional radio base station belonging to the group, based on location information of the UE.
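The group check and policy selection of the figure 4 flowchart and of the arrangement described above, as an added Python model that is not code from the patent or from the applicant. The base station names, the HMAC-based key-update rule and the stand-in for the network-side AA run are assumptions; only the decision rule (same group: first policy, different group: second policy with AA information multicast to the target's group, in both cases without consulting the access technology) comes from the text.

```python
"""Model of the AA-group check at handover (added example; assumptions noted)."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class BaseStation:
    bs_id: str
    aa_group: str     # AA group ID (broadcast by the cell or known to the network)
    rat: str          # radio access technology, e.g. "LTE" or "WiMAX"
    ue_keys: dict = field(default_factory=dict)  # UE id -> AA key held here


def update_key(key: bytes, target: str) -> bytes:
    """Assumed key-update rule of the first policy: bind the key to the target cell."""
    return hmac.new(key, target.encode(), hashlib.sha256).digest()


def full_aa_procedure(ue: str, aa_group: str) -> bytes:
    """Stand-in for the network-side AA run (MME/HSS) of the second policy."""
    return hashlib.sha256(f"{ue}:{aa_group}:fresh".encode()).digest()  # constructed


def handover(ue: str, src: BaseStation, dst: BaseStation, stations: list,
             key_update: bool = False) -> dict:
    """Check whether src and dst share an AA group and apply the matching policy.
    dst.rat is deliberately never consulted: the decision is RAT-independent."""
    if src.aa_group == dst.aa_group:
        # First AA policy: same security level, so the key known at src may be
        # handed to dst directly (over X2, or via the MME), optionally refreshed.
        policy = "first"
        key = update_key(src.ue_keys[ue], dst.bs_id) if key_update else src.ue_keys[ue]
        dst.ue_keys[ue] = key
        provided = [dst.bs_id]
    else:
        # Second AA policy: the network provides fresh AA information to dst and
        # multicasts it to the other stations of dst's group.
        policy = "second"
        key = full_aa_procedure(ue, dst.aa_group)
        provided = []
        for bs in stations:
            if bs.aa_group == dst.aa_group:
                bs.ue_keys[ue] = key
                provided.append(bs.bs_id)
    return {"policy": policy, "provided_to": provided, "target_rat": dst.rat}
```

Running the LTE-to-LTE handover of figure 2 and the LTE-to-WiMAX handover of figure 3 through the same function shows that only the group membership, not the target technology, changes which policy is applied.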

The embodiments of the present invention can be realised in many ways. As an example, suitable processors of the arrangement in association with software and hardware means may be used. For example, one embodiment of the present invention includes a computer-readable medium having instructions stored thereon that are executable by the arrangement in association with hardware means. The instructions, when executed, perform the method steps as set forth in the claims. Furthermore, the exemplary embodiments of the present invention may be implemented in any type of wireless communications system. By way of example, the exemplary embodiments of the present invention may be implemented in a non-limiting general context in relation to a 3G LTE concept and/or UMTS and/or WiMAX and/or HSPA and/or HSDPA (high speed downlink packet access) and/or HSUPA, GSM, UMTS, GPRS, WLAN, etc.

While the invention has been described in terms of several preferred embodiments, it is contemplated that alternatives, modifications, permutations and equivalents thereof will become apparent to those skilled in the art upon reading of the specifications and study of the drawings. It is therefore intended that the following appended claims include such alternatives, modifications, permutations and equivalents as fall within the scope of the embodiments of the present invention.