WO2021155918A1 - Sending data to a network function - Google Patents


Info

Publication number: WO2021155918A1
Application number: PCT/EP2020/052783
Authority: WO (WIPO, PCT)
Other languages: French (fr)
Inventors: Federico PASINI, Maurizio PIGHETTI
Original Assignee: Telefonaktiebolaget LM Ericsson (Publ)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances

Definitions

  • network functions such as eNodeBs and gNodeBs may not have information relating to the location of other network functions (e.g. whether they reside in the same data center or virtualization platform apparatus), and thus in some examples a node may receive this information (or other information) and use the received information to selectively encrypt communications to another network function.
  • a first network function may use the information to determine whether or not to encrypt data sent to a second network function.
  • Some embodiments may thus provide the advantages of reducing or minimizing configuration and computational costs, whilst maintaining the same level of integrity and confidentiality. Further, avoiding encryption has the advantageous effect of reducing the volume of data to be sent, which in turn reduces traffic load and the probability of congestion.
  • FIG. 1 is a flow chart of an example of a method 100 in a first network function of sending data to a second network function.
  • Each network function may be a virtual network function, or may be a standalone network function (e.g. comprising or executing in its own dedicated apparatus).
  • the method 100 comprises, in step 102, selectively encrypting the data based on information relating to a location of the second network function. That is, for example, the method may comprise determining whether or not to encrypt the data based on the information.
  • the information relating to the location of the second network function may indicate (or may be used by the first network function to determine) whether the second network function is in a location that results in a communication link between the network functions being inherently secure, or whether the first and second network functions are virtual network functions executing in the same data processing apparatus or data center. In other embodiments, the information may simply indicate whether or not data sent to the second network function should be encrypted. Step 104 of the method 100 comprises sending the data (whether encrypted or not in step 102) to the second network function.
  • the method 100 may comprise receiving the information relating to the second network function from a Network Management System, NMS.
  • the NMS may have (or may be able to obtain) information relating to the topology of the network that includes the first and second network functions, and thus may be able to send the information (or other information derived from it) to the first network function.
  • the first network function may then use the information provided from the NMS to determine whether or not to encrypt the data before sending the data to the second network function.
  • the first network function may obtain the information relating to the location of the second network function from another source, such as for example another network function or node, or the second network function.
  • the information may indicate whether or not the first network function and the second network function are virtual network functions executing within the same processing apparatus (e.g. the same hardware, data processor or virtualization platform). Therefore, selectively encrypting the data in step 102 may comprise for example selecting to not encrypt the data if the information indicates that the first network function and the second network function are virtual network functions executing within the same processing apparatus. In such a scenario, communication between the network functions may be inherently secure and thus the use of IPsec or other encryption protocols may be avoided. Thus, selectively encrypting the data in step 102 may comprise for example selecting to encrypt the data if the information indicates that the first network function and/or the second network function are not virtual network functions and/or are not executing within the same processing apparatus. In this scenario, communication between the network functions may be insecure (e.g. on a shared network or on a network accessible by other parties), or the security of communication may be unknown.
  • the information indicates whether or not the first network function and the second network function are virtual network functions executing within the same data center. Therefore, selectively encrypting the data in step 102 may comprise for example selecting to not encrypt the data if the information indicates that the first network function and the second network function are virtual network functions executing within the same data center. Selectively encrypting the data in step 102 may comprise for example selecting to encrypt the data if the information indicates that the first network function and/or the second network function are not virtual network functions and/or are not executing within the same data center.
  • the location of one or both of the first and second network functions may change over time. This may be due to for example one of the network functions being replaced by a virtualized version, or a virtual network function being moved from one data processing apparatus or data center to another. In such a scenario, the security level of communications between the first and second network functions may change.
  • the method 100 may then comprise for example receiving an update to the information relating to the location of the second network function, and selectively encrypting the data based on the updated information. The method may therefore for example cause the data (e.g.
  • the update may result in no change to whether the data is encrypted or not.
  • the update may be received in response to a security alert relating to the first network function and/or the second network function, or in response to relocation of the first network function and/or the second network function to a different processing apparatus or different data center.
  • the update to the information may be received from a NMS such as the NMS referred to above.
  • Selectively encrypting the data in step 102 may comprise for example selectively using Internet Protocol Security, IPsec, to encrypt the data.
  • the data is sent to the second network function over an X2 or S1 interface.
  • the first and/or second network function may in some embodiments comprise a base station such as an eNB or gNB.
  • FIG. 2 is a schematic of an example of apparatus 200 that may be used in an implementation of embodiments of this disclosure.
  • the apparatus 200 may comprise a Network Management System (NMS) 202, which may be the NMS referred to above in some embodiments.
  • the NMS may in some examples represent the vendor specific OSS Network Element Management application usually deployed to allow FCAPS (Fault, Configuration, Accounting, Performance and Security) functionality on the network. It may in some examples also include one or more adaptation layers (e.g. APIs) for communicating with network elements, such as network nodes and network functions.
  • the NMS 202 includes an IPsec configurator (IC) 204.
  • This may comprise for example a software module that is aware of the network configuration, such as for example locations of network functions.
  • the network configuration may be kept up-to-date in some embodiments.
  • the IC 204 may send appropriate information to the first network function (e.g. the location of the second network function, and in some examples the location of the first network function; or a flag indicating whether the data should be encrypted) to enable the first network function to decide whether or not to encrypt data being sent to the second network function, i.e. to enable the first network function to selectively encrypt the data.
  • the apparatus 200 also includes a network element 206, which may be for example a network node or network function.
  • the network element 206 is a base station, such as an eNB or gNB, or a virtual base station.
  • the network element 206 includes an IPsec configuration evaluator (ICE) 208, which may comprise for example a software module able to evaluate information from the NMS 202 and use this information to determine whether or not to encrypt data sent from the network element 206 (which may be for example the first network function) to the second network function.
  • the NMS 202 may send information 210 to the network element 206, including the information relating to the location of the second network function.
  • the NMS 202 may include an adaptation layer 212 (e.g. an API) for communicating effectively with the network element 206, and in some embodiments to translate vendor-specific communications to general or standard communications or otherwise communications that can be correctly received and understood by the network element 206.
  • the NMS 202 may include multiple adaptation layers for communicating with different network nodes including network elements and/or network functions.
  • the adaptation layer(s) may allow the NMS 202 to communicate with nodes from different vendors.
  • the update of the information relating to the second network function referred to above may be performed (e.g. by the IC 204) in certain circumstances.
  • These circumstances may comprise one or more of the following non-exhaustive examples:
  • the IC 204 may in some examples activate encryption (e.g. IPsec) usage in the network element 206 (e.g. the first network function) for communication with a peer node (e.g. the second network function) in one or more of the following non-exhaustive example scenarios:
  • the first network function and/or the second network function is a physical node, i.e. not a VNF, or is a VNF in its own dedicated data processing apparatus;
  • the second NF is a VNF instantiated in a different data center than the first NF;
  • the second NF (or a communication link between the first and second NFs) is set up as untrusted for administrative or security reasons, e.g. through a security administrative interface.
  • the IC 204 retrieves from the NMS 202 configuration information relating to nodes in the network including the first and second network functions.
  • the configuration information may include one or more of the following non-exhaustive examples for each node:
  • node is a physical node or a virtualized node such as a VNF
  • peer nodes e.g. adjacent nodes and/or nodes with which communication is expected
  • the IC 204 or the NMS 202 may in some examples send the information relating to the location of the second network node to the relevant adaptation layer (e.g. adaptation layer 212) for the network element 206.
  • the adaptation layer may then forward the information (e.g. in the appropriate format) to the network element 206.
  • the configuration information for a node may in some embodiments include an object, the value of which may be set by the IC 204. This object may be accessed by the ICE 208 in the network element 206 (e.g. first network function) for selectively encrypting the data sent to the second network function.
  • the following is an example of an ASN.1 (SMI MIB) implementation of the object, a peers table whose rows carry an index, the peer's address and a trustiness value that the ICE 208 can read:

        peersTable OBJECT-TYPE
            SYNTAX      SEQUENCE OF PeersEntry
            MAX-ACCESS  not-accessible
            STATUS      current
            DESCRIPTION
                ""   -- description text is not given on the page

        PeersEntry ::= SEQUENCE {
            peersIndex       Integer32,
            peersAddress     InetAddress,
            peersTrustiness  INTEGER
        }

        peersIndex OBJECT-TYPE
            SYNTAX      Integer32 (1..65535)
  • FIG. 3 is a schematic of an example of apparatus 300 for sending data to a second network function.
  • the apparatus 300 comprises processing circuitry 302 (e.g. one or more processors) and a memory 304 in communication with the processing circuitry 302.
  • the memory 304 contains instructions executable by the processing circuitry 302.
  • the apparatus 300 also comprises an interface 306 in communication with the processing circuitry 302. Although the interface 306, processing circuitry 302 and memory 304 are shown connected in series, these may alternatively be interconnected in any other way, for example via a bus.
  • the memory 304 contains instructions executable by the processing circuitry 302 such that the apparatus 300 comprises a first network function and is operable to selectively encrypt the data based on information relating to a location of the second network function, and send the data to the second network function.
  • the apparatus 300 is operable to carry out the method 100 described above with reference to Figure 1.
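As an added example (not the patent's or Ericsson's code), the following Python models the node-side IPsec configuration evaluator described above: location information and a peersTable row as the NMS might supply them, the step-102 decision, the ESP overhead and 1500-byte limit the description cites, and re-evaluation after a relocation or a security alert. The field names, the Trustiness encoding and the constructed scenario are assumptions.

```python
"""Location-aware selective encryption, modelled on the page's IC/ICE split.
Added example: field names, the Trustiness encoding and the scenario are assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple

ESP_OVERHEAD_BYTES = 36   # ESP overhead cited on the page (may vary)
MAX_PACKET_BYTES = 1500   # upper limit cited on the page


class Trustiness(IntEnum):
    """Assumed encoding of the peersTrustiness INTEGER object."""
    UNTRUSTED = 0
    TRUSTED = 1


@dataclass(frozen=True)
class NodeLocation:
    """Location information an NMS could push to a node (assumed fields)."""
    name: str
    is_vnf: bool                 # False: physical node, or VNF on dedicated hardware
    data_center: Optional[str]   # None when not hosted in a shared data center
    platform: Optional[str]      # virtualization platform identity within the DC


@dataclass(frozen=True)
class PeerEntry:
    """One row of the page's peersTable: peersIndex, peersAddress, peersTrustiness."""
    index: int                   # Integer32 (1..65535)
    address: str                 # InetAddress
    trustiness: Trustiness

    def __post_init__(self) -> None:
        if not 1 <= self.index <= 65535:
            raise ValueError(f"peersIndex out of range: {self.index}")


def same_data_center(a: NodeLocation, b: NodeLocation) -> bool:
    return a.is_vnf and b.is_vnf and a.data_center is not None and a.data_center == b.data_center


def same_processing_apparatus(a: NodeLocation, b: NodeLocation) -> bool:
    return same_data_center(a, b) and a.platform is not None and a.platform == b.platform


def should_encrypt(first: NodeLocation, second: NodeLocation, peer: PeerEntry) -> bool:
    """Step 102: encryption stays on unless the link is inherently secure."""
    if peer.trustiness is not Trustiness.TRUSTED:   # set untrusted administratively
        return True
    if not (first.is_vnf and second.is_vnf):        # physical node or dedicated VNF
        return True
    if same_processing_apparatus(first, second) or same_data_center(first, second):
        return False                                # traffic never leaves platform / DC
    return True                                     # different DC, or location unknown


def wire_size(payload_bytes: int, encrypt: bool) -> int:
    """Approximate on-the-wire size, adding the ESP overhead when encrypting."""
    return payload_bytes + (ESP_OVERHEAD_BYTES if encrypt else 0)


def needs_fragmentation(payload_bytes: int, encrypt: bool) -> bool:
    return wire_size(payload_bytes, encrypt) > MAX_PACKET_BYTES


class IpsecConfigurationEvaluator:
    """Node-side evaluator: keeps NMS-provided peer info and re-evaluates on updates."""
    def __init__(self, me: NodeLocation) -> None:
        self.me = me
        self._peers: Dict[int, Tuple[NodeLocation, PeerEntry]] = {}

    def configure_peer(self, location: NodeLocation, entry: PeerEntry) -> bool:
        self._peers[entry.index] = (location, entry)
        return self.encrypt_to(entry.index)

    def encrypt_to(self, index: int) -> bool:
        if index not in self._peers:
            return True                     # no information yet: keep encryption on
        location, entry = self._peers[index]
        return should_encrypt(self.me, location, entry)

    def on_security_alert(self, index: int) -> bool:
        """Update after a security alert: the peer is now treated as untrusted."""
        location, entry = self._peers[index]
        self._peers[index] = (location, PeerEntry(entry.index, entry.address, Trustiness.UNTRUSTED))
        return self.encrypt_to(index)

    def on_relocation(self, index: int, new_location: NodeLocation) -> bool:
        """Update after the peer moved to another platform or data center."""
        self._peers[index] = (new_location, self._peers[index][1])
        return self.encrypt_to(index)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: two VNF base stations in one DC, then relocation, then an alert."""
    ice = IpsecConfigurationEvaluator(NodeLocation("gnb-1", True, "dc-a", "plat-1"))
    entry = PeerEntry(1, "192.0.2.10", Trustiness.TRUSTED)
    initial = ice.configure_peer(NodeLocation("gnb-2", True, "dc-a", "plat-2"), entry)
    moved = ice.on_relocation(1, NodeLocation("gnb-2", True, "dc-b", "plat-9"))
    alerted = ice.on_security_alert(1)
    return initial, moved, alerted   # (False, True, True)
```

Note that the decision defaults to encrypting whenever the peer is unknown or its location cannot be confirmed, so a missing or late NMS update can only cost overhead, never confidentiality.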

Abstract

Methods and apparatus are provided. In an example aspect, a method in a first virtual network function of sending data to a second network function is provided. The method comprises selectively encrypting the data based on information relating to a location of the second network function, and sending the data to the second network function.

Description

SENDING DATA TO A NETWORK FUNCTION
Technical Field
Embodiments of the present disclosure relate to sending data to a network function.
Background
Internet protocol security (IPsec) is a set of protocols that can provide security for communications using Internet Protocol (IP communications). IPsec can use encryption to encrypt IP communications. IPsec can also be used to set up virtual private networks (VPNs) in a secure manner.
IPsec provides two security services for IP packets. An Authentication Header (AH) may authenticate the sender of an IP packet, and may be used to identify whether there were any changes in the data in the packet during transmission. Encapsulating Security Payload (ESP) performs authentication for the sender, as in AH, but also encrypts the data being sent.
IPsec may be used in one of two modes. In Tunnel Mode, the whole IP packet is encrypted to secure communication between two nodes. Transport Mode only encapsulates the IP payload (not the entire IP packet as in tunnel mode), i.e. the data being sent, to ensure a secure channel of communication.
In LTE networks, base stations (eNodeBs or eNBs) may use IPsec tunnels (that is, IPsec in tunnel mode) for carrying operations and maintenance (O&M) traffic to connect eNBs and Operations Support Systems (OSS) over an untrusted network; and for traffic between eNBs and the core network (S1 interface) or between eNBs (X2 interface).
In the case of X2 interface traffic, the X2-UP (User Plane) protocol tunnels end-user packets between the LTE eNodeBs, and X2-CP (Control Plane) may be used to perform load management (e.g. exchange of overload and traffic load information between LTE eNodeBs). When an eNB is connected to an untrusted network, the X2 traffic is typically routed via a centrally located security gateway using IPsec ESP tunnel mode. Depending on network structure, this might imply a high latency for X2 traffic, therefore making it impossible to enable inter-eNB carrier aggregation. To resolve this problem and to reduce latency, an eNB can alternatively set up direct X2 IPsec VPN connections with another eNB.
Summary
One aspect of the present disclosure provides a method in a first virtual network function of sending data to a second network function. The method comprises selectively encrypting the data based on information relating to a location of the second network function, and sending the data to the second network function.
A further aspect of the present disclosure provides a computer program comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the above method.
An additional aspect of the present disclosure provides a subcarrier containing the above computer program, wherein the subcarrier comprises one of an electronic signal, optical signal, radio signal or computer readable storage medium.
Another aspect of the present disclosure provides a computer program product comprising non transitory computer readable media having stored thereon the above computer program.
Another aspect of the present disclosure provides apparatus for sending data to a second network function. The apparatus comprises a processor and a memory. The memory contains instructions executable by the processor such that the apparatus comprises a first network function and is operable to selectively encrypt the data based on information relating to a location of the second network function, and send the data to the second network function.
Another aspect of the present disclosure provides apparatus for communicating with a second network function. The apparatus comprises a first network function. The apparatus is configured to select whether to use an encryption protocol for communications with the second network function based on information relating to a location of the second network function, and communicate with the second network function according to the selecting.
Brief Description of the Drawings
For a better understanding of examples of the present disclosure, and to show more clearly how the examples may be carried into effect, reference will now be made, by way of example only, to the following drawings in which:
Figure 1 is a flow chart of an example of a method in a first network function of sending data to a second network function;
Figure 2 is a schematic of an example of apparatus that may be used in an implementation of examples of this disclosure; and
Figure 3 is a schematic of an example of apparatus 300 for sending data to a second network function.
Detailed Description
The following sets forth specific details, such as particular embodiments or examples for purposes of explanation and not limitation. It will be appreciated by one skilled in the art that other examples may be employed apart from these specific details. In some instances, detailed descriptions of well-known methods, nodes, interfaces, circuits, and devices are omitted so as not to obscure the description with unnecessary detail. Those skilled in the art will appreciate that the functions described may be implemented in one or more nodes using hardware circuitry (e.g., analog and/or discrete logic gates interconnected to perform a specialized function, ASICs, PLAs, etc.) and/or using software programs and data in conjunction with one or more digital microprocessors or general purpose computers. Nodes that communicate using the air interface also have suitable radio communications circuitry. Moreover, where appropriate the technology can additionally be considered to be embodied entirely within any form of computer-readable memory, such as solid-state memory, magnetic disk, or optical disk containing an appropriate set of computer instructions that would cause a processor to carry out the techniques described herein.
Hardware implementation may include or encompass, without limitation, digital signal processor (DSP) hardware, a reduced instruction set processor, hardware (e.g., digital or analogue) circuitry including but not limited to application specific integrated circuit(s) (ASIC) and/or field programmable gate array(s) (FPGA(s)), and (where appropriate) state machines capable of performing such functions.
Network virtualization (NV) is defined by the ability to create logical, virtual networks that are decoupled from the underlying network hardware to ensure the network can better integrate with and support increasingly virtual environments. In particular, for example, a virtual network function (VNF) may be a network function (NF) that is implemented using software on a virtualization platform. The virtualization platform may be hardware (e.g. including one or more data processors) that implements one or more VNFs. Any network function may be virtualized as a VNF in this way where appropriate. Examples of network functions that may be virtualized include base stations (eNBs and/or gNBs), Access and Mobility Management Function (AMF), Packet Gateway (PGW), User Plane Function (UPF), Policy Control Function (PCF) and Network Repository Function (NRF), Session Management Function (SMF), Network Exposure Function (NEF), or any other network function.
In an example 5G architecture, a virtual base station network function (e.g. eNB or gNB) may be split into different components: vPP (virtual Packet Processor), VRC (virtual Radio Controller) and BPU (Baseband Processing Unit). In some embodiments, IPsec processing (e.g. implementation of IPsec protocol, and encryption/decryption of packets or data) in a virtualized base station may be implemented by the vPP.
In this disclosure, a data center (DC) may comprise for example a cluster of co-located physical servers and their infrastructure, including communication interconnects between physical servers. A vPP may be for example a software component of a virtualized node or network function running in a DC implementing a set of functions, including for example IPsec processing.
In some embodiments, communication between two network functions may be inherently secure. That is, for example, communication between VNFs that are executing on the same virtualization platform may be inherently secure as the communications are never communicated outside of the virtualization platform. Alternatively, for example, communications between VNFs that are executing on different virtualization platforms within the same data center may be inherently secure as the communications never leave the data center. In another example, communication between two NFs (virtual or otherwise) may be inherently secure as a communication link between them may already use a secure protocol such as IPsec or VPN. In such cases, it may be superfluous to use IPsec (or another way of encrypting or protecting communications) for communications between the network functions, as doing so may not add significant further security to the communications.
In such scenarios, embodiments of this disclosure may use encryption or protection for communications between network functions based on a location of one (or more) of the network functions. For example, in cases where communication between network functions is inherently secure, such as within the same data processing apparatus (e.g. virtualization platform) or data center, the use of such encryption or protection may be avoided, thus avoiding its drawbacks. Drawbacks may include increased processing requirements (computational effort) and/or latency. In particular embodiments where IPsec may be used for encryption or protection, drawbacks may include an increase in packet size. Traffic subject to IPsec may, for example, grow by around 36 bytes over the original packet size because of the ESP header (though this overhead may vary). Another drawback is that, if the original packet is large enough that the packet resulting from IPsec processing exceeds an upper limit (e.g. 1500 bytes), the packet may need to be fragmented into multiple packets, which may add processing, delays and/or overhead. Furthermore, using protocols such as IPsec may require certificate distribution and management.
In some embodiments of this disclosure, network functions such as eNodeBs and gNodeBs may not have information relating to the location of other network functions (e.g. whether they reside in the same data center or virtualization platform apparatus), and thus in some examples a node may receive this information (or other information) and use the received information to selectively encrypt communications to another network function. For example, a first network function may use the information to determine whether or not to encrypt data sent to a second network function.
Some embodiments may thus provide the advantage of reducing or minimizing configuration and computational costs, whilst maintaining the same level of integrity and confidentiality. Further, avoiding encryption has the advantageous effect of reducing the volume of data to be sent, which in turn reduces traffic load and the probability of congestion.
Figure 1 is a flow chart of an example of a method 100 in a first network function of sending data to a second network function. Each network function may be a virtual network function, or may be a standalone network function (e.g. comprising or executing in its own dedicated apparatus). The method 100 comprises, in step 102, selectively encrypting the data based on information relating to a location of the second network function. That is, for example, the method may comprise determining whether or not to encrypt the data based on the information. In some embodiments, the information relating to the location of the second network function may indicate (or may be used by the first network function to determine) whether the second network function is in a location that results in a communication link between the network functions being inherently secure, or whether the first and second network functions are virtual network functions executing in the same data processing apparatus or data center. In other embodiments, the information may simply indicate whether or not data sent to the second network function should be encrypted. Step 104 of the method 100 comprises sending the data (whether encrypted or not in step 102) to the second network function.
In some embodiments, the method 100 may comprise receiving the information relating to the second network function from a Network Management System, NMS. The NMS may have (or may be able to obtain) information relating to the topology of the network that includes the first and second network functions, and thus may be able to send the information (or other information derived from it) to the first network function. The first network function may then use the information provided from the NMS to determine whether or not to encrypt the data before sending the data to the second network function. In other embodiments, the first network function may obtain the information relating to the location of the second network function from another source, such as for example another network function or node, or the second network function.
In some embodiments, the information may indicate whether or not the first network function and the second network function are virtual network functions executing within the same processing apparatus (e.g. the same hardware, data processor or virtualization platform). Therefore, selectively encrypting the data in step 102 may comprise for example selecting to not encrypt the data if the information indicates that the first network function and the second network function are virtual network functions executing within the same processing apparatus. In such a scenario, communication between the network functions may be inherently secure and thus the use of IPsec or other encryption protocols may be avoided. Thus, selectively encrypting the data in step 102 may comprise for example selecting to encrypt the data if the information indicates that the first network function and/or the second network function are not virtual network functions and/or are not executing within the same processing apparatus. In this scenario, communication between the network functions may be insecure (e.g. on a shared network or on a network accessible by other parties), or the security of communication may be unknown.
In some embodiments, the information indicates whether or not the first network function and the second network function are virtual network functions executing within the same data center. Therefore, selectively encrypting the data in step 102 may comprise for example selecting to not encrypt the data if the information indicates that the first network function and the second network function are virtual network functions executing within the same data center. Selectively encrypting the data in step 102 may comprise for example selecting to encrypt the data if the information indicates that the first network function and/or the second network function are not virtual network functions and/or are not executing within the same data center.
In some embodiments, the location of one or both of the first and second network functions (or the information relating to the location of the second network function) may change over time. This may be due to for example one of the network functions being replaced by a virtualized version, or a virtual network function being moved from one data processing apparatus or data center to another. In such a scenario, the security level of communications between the first and second network functions may change. The method 100 may then comprise for example receiving an update to the information relating to the location of the second network function, and selectively encrypting the data based on the updated information. The method may therefore for example cause the data (e.g. data subsequently sent to the second network function) to be encrypted where it was not encrypted before the update, or alternatively may cause the data to be sent unencrypted where it was encrypted before the update. Alternatively, the update may result in no change to whether the data is encrypted or not. In some examples, the update may be received in response to a security alert relating to the first network function and/or the second network function, or in response to relocation of the first network function and/or the second network function to a different processing apparatus or different data center. In some embodiments, the update to the information may be received from a NMS such as the NMS referred to above.
Selectively encrypting the data in step 102 may comprise for example selectively using Internet Protocol Security, IPsec, to encrypt the data. In some embodiments, the data is sent to the second network function over an X2 or S1 interface. The first and/or second network function may in some embodiments comprise a base station such as an eNB or gNB.
Figure 2 is a schematic of an example of apparatus 200 that may be used in an implementation of embodiments of this disclosure. The apparatus 200 may comprise a Network Management System (NMS) 202, which may be the NMS referred to above in some embodiments. The NMS may in some examples represent the vendor specific OSS Network Element Management application usually deployed to allow FCAPS (Fault, Configuration, Accounting, Performance and Security) functionality on the network. It may in some examples also include one or more adaptation layers (e.g. APIs) for communicating with network elements, such as network nodes and network functions.
The NMS 202 includes an IPsec configurator (IC) 204. This may comprise for example a software module that is aware of the network configuration, such as for example locations of network functions. The network configuration may be kept up-to-date in some embodiments. The IC 204 may send appropriate information to the first network function (e.g. the location of the second network function, and in some examples the location of the first network function; or a flag indicating whether the data should be encrypted) to enable the first network function to decide whether or not to encrypt data being sent to the second network function, i.e. to enable the first network function to selectively encrypt the data.
The apparatus 200 also includes a network element 206, which may be for example a network node or network function. In some embodiments, the network element 206 is a base station, such as an eNB or gNB, or a virtual base station. The network element 206 includes an IPsec configuration evaluator (ICE) 208, which may comprise for example a software module able to evaluate information from the NMS 202 and use this information to determine whether or not to encrypt data sent from the network element 206 (which may be for example the first network function) to the second network function.
The NMS 202 may send information 210 to the network element 206, including the information relating to the location of the second network function. In some embodiments, the NMS 202 may include an adaptation layer 212 (e.g. an API) for communicating effectively with the network element 206, and in some embodiments to translate vendor-specific communications into general or standard communications, or otherwise into communications that can be correctly received and understood by the network element 206. In some embodiments, the NMS 202 may include multiple adaptation layers for communicating with different network nodes including network elements and/or network functions. Thus, for example, the adaptation layer(s) may allow the NMS 202 to communicate with nodes from different vendors.
In some examples, the update of the information relating to the second network function referred to above may be performed (e.g. by the IC 204) in certain circumstances. These circumstances may comprise one or more of the following non-exhaustive examples:
• at start up (e.g. instantiation) of a network function, including the first and/or second network function;
• during migration of a network function from a physical node to a virtual network function, or vice versa;
• reassignment (movement) of a VNF from one data center to a different data center; or
• any use case driven by administrative or security reasons.
The IC 204 may in some examples activate encryption (e.g. IPsec) usage in the network element 206 (e.g. the first network function) for communication with a peer node (e.g. the second network function) in one or more of the following non-exhaustive example scenarios:
• the first network function and/or the second network function is a physical node, i.e. not a VNF, or is a VNF in its own dedicated data processing apparatus;
• the second NF is a VNF instantiated in a different data center than the first NF; or
• the second NF (or a communication link between the first and second NFs) is set up as untrusted for administrative or security reasons, e.g. through a security administrative interface.
In particular examples, during operation of the apparatus 200, the IC 204 retrieves from the NMS 202 configuration information relating to nodes in the network including the first and second network functions. The configuration information may include one or more of the following non-exhaustive examples for each node:
• whether the node is a physical node or a virtualized node such as a VNF
• in case of a virtual node such as a VNF, the data center where it is executing
• a list of peer nodes (e.g. adjacent nodes and/or nodes with which communication is expected)
• a list of nodes set up as untrusted for administrative or security reasons
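As an added worked example (not the patent's own code), the following Python models the IC 204 / ICE 208 split described above: the configurator derives a peersTrustiness value for each peer of a node from the per-node configuration just listed (physical or VNF, data center, peer list, untrusted list), and the evaluator in the network element applies that value per packet, including the size and fragmentation effect of the ESP overhead and the update path on relocation or a security alert. All class names, addresses and the sample topology are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Values taken from the description above: typical ESP overhead and the packet size limit.
ESP_OVERHEAD_BYTES = 36
PACKET_SIZE_LIMIT = 1500


@dataclass
class NodeConfig:
    """Per-node configuration as held by the NMS (constructed for this example)."""
    name: str
    address: str
    is_virtual: bool                 # physical node or VNF
    data_center: Optional[str]       # DC where the VNF executes; None for a physical node
    peers: Set[str] = field(default_factory=set)


class IpsecConfigurator:
    """Models the IC 204: derives peersTrustiness per (node, peer) from the NMS topology."""

    def __init__(self, nodes: Dict[str, NodeConfig], untrusted: Set[str]) -> None:
        self.nodes = nodes
        self.untrusted = set(untrusted)

    def trustiness(self, first: str, second: str) -> bool:
        """FALSE (= use IPsec) in every activation scenario listed above, TRUE otherwise."""
        a, b = self.nodes[first], self.nodes[second]
        if first in self.untrusted or second in self.untrusted:
            return False                         # set up as untrusted for admin/security reasons
        if not a.is_virtual or not b.is_virtual:
            return False                         # at least one side is a physical node
        if a.data_center != b.data_center:
            return False                         # VNFs in different data centers
        return True                              # VNFs in the same data center: inherently secure

    def peers_table(self, node: str) -> List[dict]:
        """Rows of the peersTable object pushed to `node` through its adaptation layer."""
        return [
            {"peersIndex": idx, "peersAddress": self.nodes[peer].address,
             "peersTrustiness": self.trustiness(node, peer)}
            for idx, peer in enumerate(sorted(self.nodes[node].peers), start=1)
        ]

    # Two of the update triggers from the description: relocation and a security alert.
    def relocate(self, node: str, new_data_center: str) -> None:
        self.nodes[node].is_virtual = True
        self.nodes[node].data_center = new_data_center

    def mark_untrusted(self, node: str) -> None:
        self.untrusted.add(node)


class IpsecConfigurationEvaluator:
    """Models the ICE 208 in the network element: applies the received table per destination."""

    def __init__(self) -> None:
        self.trust_by_address: Dict[str, bool] = {}

    def apply(self, rows: List[dict]) -> None:
        self.trust_by_address = {r["peersAddress"]: r["peersTrustiness"] for r in rows}

    def must_encrypt(self, dest_address: str) -> bool:
        # A peer absent from the table has unknown link security, so it is encrypted (fail closed).
        return not self.trust_by_address.get(dest_address, False)

    def send(self, dest_address: str, payload_len: int) -> dict:
        """Decide per packet and report the resulting size and whether fragmentation follows."""
        encrypt = self.must_encrypt(dest_address)
        wire = payload_len + (ESP_OVERHEAD_BYTES if encrypt else 0)
        return {"dst": dest_address, "encrypted": encrypt,
                "wire_bytes": wire, "fragmented": wire > PACKET_SIZE_LIMIT}


def build_sample_topology() -> IpsecConfigurator:
    """Constructed sample: three virtual gNBs across two DCs and one physical eNB."""
    nodes = {
        "gnb1": NodeConfig("gnb1", "10.0.0.1", True, "DC-A", {"gnb2", "gnb3", "enb4"}),
        "gnb2": NodeConfig("gnb2", "10.0.0.2", True, "DC-A", {"gnb1"}),
        "gnb3": NodeConfig("gnb3", "10.0.1.3", True, "DC-B", {"gnb1"}),
        "enb4": NodeConfig("enb4", "192.0.2.4", False, None, {"gnb1"}),
    }
    return IpsecConfigurator(nodes, untrusted=set())


if __name__ == "__main__":
    ic = build_sample_topology()
    ice = IpsecConfigurationEvaluator()
    ice.apply(ic.peers_table("gnb1"))
    for dst in ("10.0.0.2", "10.0.1.3", "192.0.2.4"):
        print(ice.send(dst, 1480))
    ic.relocate("gnb2", "DC-B")          # update: gnb2 moved to another data center
    ice.apply(ic.peers_table("gnb1"))
    print(ice.send("10.0.0.2", 1480))    # now encrypted, and pushed over the 1500-byte limit
```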
The IC 204 or the NMS 202 may in some examples send the information relating to the location of the second network function to the relevant adaptation layer (e.g. adaptation layer 212) for the network element 206. The adaptation layer may then forward the information (e.g. in the appropriate format) to the network element 206.
The configuration information for a node may in some embodiments include an object, the value of which may be set by the IC 204. This object may be accessed by the ICE 208 in the network element 206 (e.g. first network function) for selectively encrypting the data sent to the second network function. The following is an example of an ASN.1 (SMIv2 MIB) code implementation of the object:

    -- Imports assumed for the definitions below (not shown on the page)
    IMPORTS
        OBJECT-TYPE, Integer32      FROM SNMPv2-SMI
        TruthValue                  FROM SNMPv2-TC
        InetAddress                 FROM INET-ADDRESS-MIB;

    -- Conceptual table: one row per peer of this node
    peersTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF PeersEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A list of peersEntries."
        ::= { peers 1 }

    peersEntry OBJECT-TYPE
        SYNTAX      PeersEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry describing one peer node."   -- description text assumed
        INDEX       { peersIndex }
        ::= { peersTable 1 }

    PeersEntry ::= SEQUENCE {
        peersIndex      Integer32,
        peersAddress    InetAddress,
        peersTrustiness TruthValue
    }

    peersIndex OBJECT-TYPE
        SYNTAX      Integer32 (1..65535)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of this object uniquely identifies this peers entry."
        ::= { peersEntry 1 }

    peersAddress OBJECT-TYPE
        SYNTAX      InetAddress
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The IP address of the node peer (either physical or VNF)."
        ::= { peersEntry 2 }

    -- The value the IC 204 sets and the ICE 208 reads before sending
    peersTrustiness OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Trustiness = FALSE means to use IPSEC protocol to connect to the peer referenced in this instance"
        ::= { peersEntry 3 }
Figure 3 is a schematic of an example of apparatus 300 for sending data to a second network function. The apparatus 300 comprises processing circuitry 302 (e.g. one or more processors) and a memory 304 in communication with the processing circuitry 302. The memory 304 contains instructions executable by the processing circuitry 302. The apparatus 300 also comprises an interface 306 in communication with the processing circuitry 302. Although the interface 306, processing circuitry 302 and memory 304 are shown connected in series, these may alternatively be interconnected in any other way, for example via a bus.
In one embodiment, the memory 304 contains instructions executable by the processing circuitry 302 such that the apparatus 300 comprises a first network function and is operable to selectively encrypt the data based on information relating to a location of the second network function, and send the data to the second network function. In some embodiments, the apparatus 300 is operable to carry out the method 100 described above with reference to Figure 1.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended statements. The word “comprising” does not exclude the presence of elements or steps other than those listed in a claim, “a” or “an” does not exclude a plurality, and a single processor or other unit may fulfil the functions of several units recited in the statements below. Where the terms, “first”, “second” etc. are used they are to be understood merely as labels for the convenient identification of a particular feature. In particular, they are not to be interpreted as describing the first or the second feature of a plurality of such features (i.e. the first or second of such features to occur in time or space) unless explicitly stated otherwise. Steps in the methods disclosed herein may be carried out in any order unless expressly otherwise stated. Any reference signs in the statements shall not be construed so as to limit their scope.

Claims
1. A method in a first network function of sending data to a second network function, the method comprising: selectively encrypting the data based on information relating to a location of the second network function; and sending the data to the second network function.
2. The method of claim 1, wherein the first network function comprises a first virtual network function, and/or the second network function comprises a second virtual network function.
3. The method of claim 1 or 2, comprising receiving the information relating to the second network function from a Network Management System, NMS.
4. The method of any of claims 1 to 3, wherein the information indicates whether or not to use the encryption protocol for communications with the second network function.
5. The method of any of claims 1 to 4, wherein the information indicates whether or not the first network function and the second network function are virtual network functions executing within the same processing apparatus.
6. The method of any of claims 1 to 5, wherein selectively encrypting the data comprises selecting to not encrypt the data if the information indicates that the first network function and the second network function are virtual network functions executing within the same processing apparatus.
7. The method of any of claims 1 to 6, wherein selectively encrypting the data comprises selecting to encrypt the data if the information indicates that the first network function and/or the second network function are not virtual network functions and/or are not executing within the same processing apparatus.
8. The method of any of claims 1 to 7, wherein the information indicates whether or not the first network function and the second network function are virtual network functions executing within the same data center.
9. The method of any of claims 1 to 8, wherein selectively encrypting the data comprises selecting to not encrypt the data if the information indicates that the first network function and the second network function are virtual network functions executing within the same data center.
10. The method of any of claims 1 to 9, wherein selectively encrypting the data comprises selecting to encrypt the data if the information indicates that the first network function and/or the second network function are not virtual network functions and/or are not executing within the same data center.
11. The method of any of claims 1 to 10, comprising: receiving an update to the information relating to the location of the second network function; and selectively encrypting the data based on the updated information.
12. The method of claim 11, comprising receiving the update in response to a security alert relating to the first network function and/or the second network function, or in response to relocation of the first network function and/or the second network function to a different processing apparatus or different data center.
13. The method of claim 11 or 12, comprising receiving the update to the information from a Network Management System, NMS.
14. The method of any of claims 1 to 13, wherein selectively encrypting the data comprises selectively using Internet Protocol Security, IPsec, to encrypt the data.
15. The method of any of claims 1 to 14, wherein sending the data to the second network function comprises sending the data to the second network function over an X2 or S1 interface.
16. A computer program comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out a method according to any of the preceding claims.
17. A subcarrier containing a computer program according to claim 16, wherein the subcarrier comprises one of an electronic signal, optical signal, radio signal or computer readable storage medium.
18. A computer program product comprising non transitory computer readable media having stored thereon a computer program according to claim 16.
19. Apparatus for sending data to a second network function, the apparatus comprising a processor and a memory, the memory containing instructions executable by the processor such that the apparatus comprises a first network function and is operable to: selectively encrypt the data based on information relating to a location of the second network function; and send the data to the second network function.
20. The apparatus of claim 19, wherein the first network function comprises a first virtual network function, and/or the second network function comprises a second virtual network function.
21. The apparatus of claim 19 or 20, wherein the memory contains instructions executable by the processor such that the apparatus is operable to receive the information relating to the second network function from a Network Management System, NMS.
22. The apparatus of any of claims 19 to 21, wherein the information indicates whether or not to use the encryption protocol for communications with the second network function.
23. The apparatus of any of claims 19 to 22, wherein the information indicates whether or not the first network function and the second network function are virtual network functions executing within the same processing apparatus.
24. The apparatus of any of claims 19 to 23, wherein the memory contains instructions executable by the processor such that the apparatus is operable to selectively encrypt the data by selecting to not encrypt the data if the information indicates that the first network function and the second network function are virtual network functions executing within the same processing apparatus.
25. The apparatus of any of claims 19 to 24, wherein the memory contains instructions executable by the processor such that the apparatus is operable to selectively encrypt the data by selecting to encrypt the data if the information indicates that the first network function and/or the second network function are not virtual network functions and/or are not executing within the same processing apparatus.
26. The apparatus of any of claims 19 to 25, wherein the information indicates whether or not the first network function and the second network function are virtual network functions executing within the same data center.
27. The apparatus of any of claims 19 to 26, wherein the memory contains instructions executable by the processor such that the apparatus is operable to selectively encrypt the data by selecting to not encrypt the data if the information indicates that the first network function and the second network function are virtual network functions executing within the same data center.
28. The apparatus of any of claims 19 to 27, wherein the memory contains instructions executable by the processor such that the apparatus is operable to selectively encrypt the data by selecting to encrypt the data if the information indicates that the first network function and/or the second network function are not virtual network functions and/or are not executing within the same data center.
29. The apparatus of any of claims 19 to 28, wherein the memory contains instructions executable by the processor such that the apparatus is operable to: receive an update to the information relating to the location of the second network function; and selectively encrypt the data based on the updated information.
30. The apparatus of claim 29, wherein the memory contains instructions executable by the processor such that the apparatus is operable to receive the update in response to a security alert relating to the first network function and/or the second network function, or in response to relocation of the first network function and/or the second network function to a different processing apparatus or different data center.
31. The apparatus of claim 29 or 30, wherein the memory contains instructions executable by the processor such that the apparatus is operable to receive the update to the information from a Network Management System, NMS.
32. The apparatus of any of claims 19 to 31, wherein the memory contains instructions executable by the processor such that the apparatus is operable to selectively use Internet Protocol Security, IPsec, to encrypt the data.
33. The apparatus of any of claims 19 to 32, wherein the memory contains instructions executable by the processor such that the apparatus is operable to send the data to the second network function over an X2 or S1 interface.
34. Apparatus for communicating with a second network function, the apparatus comprising a first network function, wherein the apparatus is configured to: select whether to use an encryption protocol for communications with the second network function based on information relating to a location of the second network function; and communicate with the second network function according to the selecting.
PCT/EP2020/052783 2020-02-04 2020-02-04 Sending data to a network function WO2021155918A1 (en)

Publications (1)

Publication Number Publication Date
WO2021155918A1 true WO2021155918A1 (en) 2021-08-12

Family

ID=69468563

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016172068A1 (en) * 2015-04-23 2016-10-27 Alcatel Lucent Improved virtualized application performance through disabling of unnecessary functions
US20170026349A1 (en) * 2015-07-20 2017-01-26 Schweitzer Engineering Laboratories, Inc. Communication device for implementing selective encryption in a software defined network
US20190372947A1 (en) * 2018-05-31 2019-12-05 Microsoft Technology Licensing, Llc Opportunistic encryption of a communication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20703733

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20703733

Country of ref document: EP

Kind code of ref document: A1