
Title: Network Firewall Configuration and Control (NFCC): High Level Overview Trevor Plestid +1-613-829-7465x4138 Dan Willey +1-415-730-0839.


1

Title: Network Firewall Configuration and Control (NFCC): High Level Overview

Trevor Plestid +1-613-829-7465x4138 tplestid@rim.com
Dan Willey +1-415-730-0839 dwilley@rim.com
Shahid Chaudry +1-613-829-7465x4115 schaudry@rim.com
Khaled Islam +1-613-829-7465x4145 kislam@rim.com

Source: Research In Motion

Research In Motion grants a free, irrevocable license to 3GPP2 and its Organizational Partners to incorporate text or other copyrightable material contained in the contribution and any modifications thereof in the creation of 3GPP2 publications; to copyright and sell in Organizational Partner's name any Organizational Partner's standards publication even though it may include all or portions of this contribution; and at the Organizational Partner's sole discretion to permit others to reproduce in whole or in part such contribution or the resulting Organizational Partner's standards publication. Research In Motion is also willing to grant licenses under such contributor copyrights to third parties on reasonable, non-discriminatory terms and conditions for purpose of practicing an Organizational Partner's standard which incorporates this contribution. This document has been prepared by Research In Motion to assist the development of specifications by 3GPP2. It is proposed to the Committee as a basis for discussion and is not to be construed as a binding proposal on Research In Motion. Research In Motion specifically reserves the right to amend or modify the material contained herein and to any intellectual property of Research In Motion other than provided in the copyright statement above.

2 December 06, 2004 - Push Architecture Example

[Diagram: RAN, FA, HA, Push Application Server, internet, Push Recipient (NAI A), Proxy Application Server, Address Resolver, Notification Agent]

Push Recipient (PR): an MS on the operator network.
Push AS establishes service with a known PR 'userID' (e.g. NAI / IMSI / email / sub name / other, etc.).
Push AS establishes the PR IP address with the Proxy AS.
Proxy AS communicates with the Address Resolver for the Notification Agent (NA).
NA notifies the Proxy AS of the PR IP address.

3 December 06, 2004 - Network Initiated Push (where Subscriber may not have PPP session)

[Diagram: RAN, FA, HA with stateful firewall table (dst/src), Push Application Server (IP Y.8.7.6), internet, Push Recipient (NAI A), Proxy Application Server, Address Resolver, Notification Agent; NAI/IP table maps X.3.2.1 to A; PPP and steps 1-6 shown as arrows]

1. Push AS knows the PR 'userID' and requests that the Proxy AS provide the PR IP address.
2. Proxy AS requests the AR to map the PR userID to a specific IP address.
3. Proxy AS asks the NA to query the HA for the PR IP address. Where there is no PPP, this could be the trigger for a network initiated PPP session (e.g. NIDS).
4. NA notifies the Proxy AS of the PR's IP address.
5. Proxy AS provides the PR IP address to the Push AS.
6. Push does not work since no firewall entries yet exist, unless the Push AS has been operator configured.

4 December 06, 2004 - NFCC 4-6, 9, 10 Example

[Diagram: RAN, FA, HA with stateful firewall table (dst/src), internet, New Push AppServer (IP Y.5.4.3), Known Push AppServer (IP Y.8.7.6), Push Recipient (NAI A), NA with NFCC FW DB; NAI/IP table maps X.3.2.1 to A; firewall entry Y.8.7.6 -> X.3.2.1; steps 3a and 6 shown as arrows]

NFCC will apply to the MS identity (rather than the MS IP address); there shall be means to persistently store and apply the last known FW settings for a new PPP session, and to allow an operator to pre-configure allowed entries.

Per previous slide:
3a. NA maintains an NFCC firewall database and triggers its population into the firewall based on PREVIOUS settings under the PR NAI. This may also include operator defined push subscription profiles.
6. Still does not resolve the issue of how a new entry is added to the stateful firewall, but does resolve allowing established Push ASs (those Push ASs that have been allowed to talk to the PR in a previous session) to send packets to the PR. This may mean that either the stateful firewall has operator configured default entries for each established Push AS, or the MS has initiated communication with its 'known' Push AS, causing a stateful fw entry to be added.

5 December 06, 2004 - NFCC 3, 7, 11, 12 Example for Legacy MS

[Diagram: RAN, FA, HA with stateful firewall table (dst/src), Push Application Server (IP Y.5.4.3), internet, Push Recipient (NAI A), NA with NFCC FW DB; NAI/IP table maps X.3.2.1 to A; firewall entries "others -> X.3.2.1" and "Y.8.7.6 -> X.3.2.1"; steps 6 and 7 shown as arrows]

NFCC will allow individual users to infer their firewall settings without operator intervention, prevent firewall rules where MSs aren't reachable, and be compatible with existing MSs.

Steps as before, changing step 6:
6. The stateful firewall always allows only the first "n" packets from a potential Push AS. Importantly, any packets subsequent to 'n' from the potential Push AS are explicitly blocked for the specific PR (implemented if the PR is known to be reachable).
7. If the PR returns any packet to the Push AS, an implicit firewall 'allow' entry is added, which causes the potential Push AS to become an established Push AS. This data is updated in the NFCC Firewall database.

Note: No requirements at all are placed on the legacy Mobile station!

6 December 06, 2004 - NFCC 22 Example for NFCC compliant MSs

[Diagram: RAN, FA, HA with stateful firewall table (dst/src), Push Application Server (IP Y.8.7.6), internet, Push Recipient (NAI A, config'd for Push AS Y.8.7.6), NA with NFCC FW DB; IMSI/IP table maps X.3.2.1 to A; firewall entry Y.8.7.6 -> X.3.2.1; steps 1-3 shown as arrows]

NFCC allows a user to individually configure the firewall parameters via IP-based signaling from the mobile station. The MS is preconfigured (or user configured) with Push AS settings and uses IP signaling to communicate its desired settings to the HA.
1. HA forwards the message contents to the NFCC FW database.
2. NA maintains the PR's NFCC firewall database.
3. NA triggers population of the PR's fw rules into the firewall.

It is also feasible that an IP signaling channel may be used between HA and PR to provision the user's settings.
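The following simulation shows the firewall behaviour slides 4 to 6 describe together: settings persisted under the PR's NAI across PPP sessions, the first "n" probe packets from a potential Push AS, the implicit allow entry when the PR replies, and operator or MS pre-configured entries. It is an added illustration, not code from the RIM contribution; the class and method names, the drop for unreachable PRs and the value n=3 are assumptions.

```python
from collections import defaultdict

N_PROBE = 3  # assumed value of the slides' "n": unanswered packets a potential Push AS may send


class NfccFirewall:
    """NA-maintained NFCC FW DB keyed by PR NAI (slide 4) driving a stateful
    firewall that matches on the PR's current IP (slides 5 and 6). Hypothetical model."""

    def __init__(self):
        self.fw_db = defaultdict(set)   # NAI -> established Push AS IPs (survives re-addressing)
        self.nai_ip = {}                # NAI -> current PR IP (the slides' NAI/IP table)
        self.ip_nai = {}                # PR IP -> NAI
        self.probes = defaultdict(int)  # (NAI, Push AS IP) -> unanswered packets seen so far

    def preconfigure(self, nai, push_as_ip):
        """Operator-defined profile (slide 4) or MS-signalled setting (slide 6, steps 1-3)."""
        self.fw_db[nai].add(push_as_ip)

    def new_ppp_session(self, nai, pr_ip):
        """PR comes up with a (possibly new) IP; last known settings under its NAI still apply (slide 4, 3a)."""
        old_ip = self.nai_ip.get(nai)
        if old_ip is not None:
            self.ip_nai.pop(old_ip, None)       # old address is no longer reachable
        self.nai_ip[nai] = pr_ip
        self.ip_nai[pr_ip] = nai
        for key in [k for k in self.probes if k[0] == nai]:
            del self.probes[key]                # probe counters belonged to the old session

    def inbound(self, src_ip, dst_ip):
        """Packet from a Push AS toward a PR: returns 'allow' or 'drop' (slide 5, step 6)."""
        nai = self.ip_nai.get(dst_ip)
        if nai is None:
            return "drop"                       # assumed: no rule for an unreachable PR, nothing to probe
        if src_ip in self.fw_db[nai]:
            return "allow"                      # established Push AS
        self.probes[(nai, src_ip)] += 1         # potential Push AS: first n packets pass, the rest are blocked
        return "allow" if self.probes[(nai, src_ip)] <= N_PROBE else "drop"

    def outbound(self, src_ip, dst_ip):
        """Packet from the PR back to a Push AS: implicit allow entry, stored in the FW DB (slide 5, step 7)."""
        nai = self.ip_nai.get(src_ip)
        if nai is not None:
            self.fw_db[nai].add(dst_ip)         # potential Push AS becomes established
            self.probes.pop((nai, dst_ip), None)
```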

