WO2022233541A1 - New attribute to the definition of type clientcredentialsassertion to enable backwards compatibility with rel-16 nf producers - Google Patents

New attribute to the definition of type clientcredentialsassertion to enable backwards compatibility with rel-16 nf producers

Info

Publication number
WO2022233541A1
Authority
WO
WIPO (PCT)
Prior art keywords
http
message
service request
service
hash
Prior art date
Application number
PCT/EP2022/059575
Other languages
French (fr)
Inventor
Dan Xu
Jesus Angel DE GREGORIO RODRIGUEZ
Christine Jost
Songmao LI
Sune Gustafsson
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Publication of WO2022233541A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/10 Integrity
    • H04W 12/106 Packet or message integrity

Definitions

  • the present disclosure relates to Network Function (NF) service requests in a core network of a cellular communications system.
  • NF Network Function
  • a method performed by a NF service consumer in a core network of a cellular communications system comprises sending a service request to another NF.
  • the service request comprises a client credentials assertion (CCA).
  • the service request is in the form of a Hyper-Text Transfer Protocol (HTTP) message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
  • HTTP Hyper-Text Transfer Protocol
  • the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
  • sending the service request to the other NF comprises sending the service request to the other NF via indirect communication.
  • sending the service request to the other NF comprises sending the service request to the other NF via a Service Communication Proxy (SCP).
  • SCP Service Communication Proxy
  • the hash attribute is utilized for end-to-end integrity protection.
  • the other NF is a NF service producer.
  • the other NF is a NF Repository Function (NRF).
  • NRF NF Repository Function
  • an input S to a Key Derivation Function (KDF) used to compute the hash is a concatenation of a plurality of parameters comprising:
  • a NF service consumer for a core network of a cellular communications system is adapted to send a service request to another NF.
  • the service request comprises a CCA.
  • the service request is in the form of an HTTP message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
  • a network node for implementing a NF service consumer for a core network of a cellular communications system comprises processing circuitry configured to cause the network node to send a service request to another NF.
  • the service request comprises a CCA.
  • the service request is in the form of an HTTP message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
  • a method performed by a NF in a core network of a cellular communications system comprises receiving a service request from a NF service consumer.
  • the service request comprises a CCA.
  • the service request is in the form of an HTTP message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
  • the method further comprises validating the CCA.
  • receiving the service request comprises receiving the service request from the NF service consumer via indirect communication.
  • receiving the service request comprises receiving the service request from the NF service consumer via a SCP.
  • the hash attribute is utilized for end-to-end integrity protection.
  • the NF is a NF service producer.
  • the NF is an NRF.
  • an input S to a KDF used to compute the hash is a concatenation of a plurality of parameters comprising:
  • a NF for a core network of a cellular communications system is adapted to receive a service request from a NF service consumer.
  • the service request comprises a CCA.
  • the service request is in the form of an HTTP message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
  • a network node for implementing a NF for a core network of a cellular communications system comprises processing circuitry configured to cause the network node to receive a service request from a NF service consumer.
  • the service request comprises a CCA.
  • the service request is in the form of an HTTP message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
  • Figure 1 illustrates one example of a cellular communications system according to some embodiments of the present disclosure
  • Figures 2 and 3 illustrate example embodiments in which the cellular communication system of Figure 1 is a Fifth Generation (5G) System (5GS);
  • 5G Fifth Generation
  • 5GS Fifth Generation System
  • FIG. 4 illustrates the operation of Network Function (NF) service consumer and either a NF service producer or NF Repository Function (NRF) in accordance with an embodiment of the present disclosure
  • Figure 5 is a schematic block diagram of a network node according to some embodiments of the present disclosure.
  • Figure 6 is a schematic block diagram that illustrates a virtualized embodiment of the network node of Figure 5 according to some embodiments of the present disclosure.
  • Figure 7 is a schematic block diagram of the network node of Figure 5 according to some other embodiments of the present disclosure.
  • Radio Node As used herein, a "radio node” is either a radio access node or a wireless communication device.
  • Radio Access Node or RAN Node As used herein, a “radio access node” or “radio network node” or “radio access network node” or “RAN node” is any node in a Radio Access Network (RAN) of a cellular communications network that operates to wirelessly transmit and/or receive signals.
  • RAN Radio Access Network
  • examples of a radio access node include, but are not limited to, a base station (e.g., a New Radio (NR) base station (gNB) in a Third Generation Partnership Project (3GPP) Fifth Generation (5G) NR network or an enhanced or evolved Node B (eNB) in a 3GPP Long Term Evolution (LTE) network), a high-power or macro base station, a low-power base station (e.g., a micro base station, a pico base station, a home eNB, or the like), a relay node, a network node that implements part of the functionality of a base station or a network node that implements a gNB Distributed Unit (gNB-DU)) or a network node that implements part of the functionality of some other type of radio access node.
  • a "core network node” is any type of node in a core network or any node that implements a core network function.
  • Some examples of a core network node include, e.g., a Mobility Management Entity (MME), a Packet Data Network Gateway (P-GW), a Service Capability Exposure Function (SCEF), a Home Subscriber Server (HSS), or the like.
  • MME Mobility Management Entity
  • P-GW Packet Data Network Gateway
  • SCEF Service Capability Exposure Function
  • HSS Home Subscriber Server
  • examples of a core network node include a node implementing an Access and Mobility Function (AMF), a User Plane Function (UPF), a Session Management Function (SMF), an Authentication Server Function (AUSF), a Network Slice Selection Function (NSSF), a Network Exposure Function (NEF), a Network Function (NF) Repository Function (NRF), a Policy Control Function (PCF), a Unified Data Management (UDM), or the like.
  • AMF Access and Mobility Function
  • UPF User Plane Function
  • SMF Session Management Function
  • AUSF Authentication Server Function
  • NSSF Network Slice Selection Function
  • NEF Network Exposure Function
  • NRF NF Repository Function
  • PCF Policy Control Function
  • UDM Unified Data Management
  • a "communication device” is any type of device that has access to an access network.
  • Some examples of a communication device include, but are not limited to: mobile phone, smart phone, sensor device, meter, vehicle, household appliance, medical appliance, media player, camera, or any type of consumer electronic, for instance, but not limited to, a television, radio, lighting arrangement, tablet computer, laptop, or Personal Computer (PC).
  • the communication device may be a portable, hand-held, computer-comprised, or vehicle-mounted mobile device, enabled to communicate voice and/or data via a wireless or wireline connection.
  • One type of communication device is a wireless communication device, which may be any type of wireless device that has access to (i.e., is served by) a wireless network (e.g., a cellular network).
  • examples of a wireless communication device include, but are not limited to: a User Equipment device (UE) in a 3GPP network, a Machine Type Communication (MTC) device, and an Internet of Things (IoT) device.
  • UE User Equipment
  • MTC Machine Type Communication
  • IoT Internet of Things
  • Such wireless communication devices may be, or may be integrated into, a mobile phone, smart phone, sensor device, meter, vehicle, household appliance, medical appliance, media player, camera, or any type of consumer electronic, for instance, but not limited to, a television, radio, lighting arrangement, tablet computer, laptop, or PC.
  • the wireless communication device may be a portable, hand-held, computer-comprised, or vehicle-mounted mobile device, enabled to communicate voice and/or data via a wireless connection.
  • Network Node As used herein, a "network node” is any node that is either part of the RAN or the core network of a cellular communications network/system.
  • a TRP may be either a network node, a radio head, a spatial relation, or a Transmission Configuration Indicator (TCI) state.
  • a TRP may be represented by a spatial relation or a TCI state in some embodiments.
  • a TRP may be using multiple TCI states.
  • a TRP may be a part of the gNB transmitting and receiving radio signals to/from UE according to physical layer properties and parameters inherent to that element.
  • multi-TRP Multiple TRP
  • a serving cell can schedule UE from two TRPs, providing better Physical Downlink Shared Channel (PDSCH) coverage, reliability and/or data rates.
  • PDSCH Physical Downlink Shared Channel
  • DCI Downlink Control Information
  • MAC Medium Access Control
  • a set of Transmission Points (TPs) is a set of geographically co-located transmit antennas (e.g., an antenna array (with one or more antenna elements)) for one cell, part of one cell or one Positioning Reference Signal (PRS)-only TP.
  • TPs can include base station (eNB) antennas, Remote Radio Heads (RRHs), a remote antenna of a base station, an antenna of a PRS-only TP, etc.
  • eNB base station
  • RRHs Remote Radio Heads
  • One cell can be formed by one or multiple TPs. For a homogeneous deployment, each TP may correspond to one cell.
  • a set of TRPs is a set of geographically co-located antennas (e.g., an antenna array (with one or more antenna elements)) supporting TP and/or Reception Point (RP) functionality.
  • RP Reception Point
  • Embodiments of the present disclosures address the backwards compatibility problem by introducing a new attribute to the definition of type ClientCredentialsAssertion described in 3GPP Technical Specification (TS) 29.500 V17.2.0 Table 5.2.3.2.11 -1.
  • TS Technical Specification
  • Embodiments of the present disclosure provide a number of advantages over existing solutions.
  • embodiments of the present disclosure enable backwards compatibility with Release 16 NF producers supporting only existing Client Credentials Assertion (CCA).
  • CCA Client Credentials Assertion
  • FIG. 1 illustrates one example of a cellular communications system 100 in which embodiments of the present disclosure may be implemented.
  • the cellular communications system 100 is a 5G system (5GS) including a Next Generation RAN (NG-RAN) and a 5G Core (5GC); however, the embodiments disclosed herein may be used in other similar types of wireless networks.
  • the RAN includes base stations 102-1 and 102-2, which in the 5GS include NR base stations (gNBs) and optionally next generation eNBs (ng-eNBs) (e.g., LTE RAN nodes connected to the 5GC), controlling corresponding (macro) cells 104-1 and 104-2.
  • gNBs NR base stations
  • ng-eNBs next generation eNBs (e.g., LTE RAN nodes connected to the 5GC)
  • the base stations 102-1 and 102-2 are generally referred to herein collectively as base stations 102 and individually as base station 102.
  • the (macro) cells 104-1 and 104-2 are generally referred to herein collectively as (macro) cells 104 and individually as (macro) cell 104.
  • the RAN may also include a number of low power nodes 106-1 through 106-4 controlling corresponding small cells 108-1 through 108-4.
  • the low power nodes 106-1 through 106-4 can be small base stations (such as pico or femto base stations) or RRHs, or the like.
  • one or more of the small cells 108-1 through 108-4 may alternatively be provided by the base stations 102.
  • the low power nodes 106-1 through 106-4 are generally referred to herein collectively as low power nodes 106 and individually as low power node 106.
  • the small cells 108-1 through 108-4 are generally referred to herein collectively as small cells 108 and individually as small cell 108.
  • the cellular communications system 100 also includes a core network 110, which in the 5G System (5GS) is referred to as the 5GC.
  • the base stations 102 (and optionally the low power nodes 106) are connected to the core network 110.
  • the base stations 102 and the low power nodes 106 provide service to wireless communication devices 112-1 through 112-5 in the corresponding cells 104 and 108.
  • the wireless communication devices 112-1 through 112-5 are generally referred to herein collectively as wireless communication devices 112 and individually as wireless communication device 112.
  • the wireless communication devices 112 are oftentimes UEs, but the present disclosure is not limited thereto.
  • Figure 2 illustrates a wireless communication system represented as a 5G network architecture composed of core Network Functions (NFs), where interaction between any two NFs is represented by a point-to-point reference point/interface.
  • Figure 2 can be viewed as one particular implementation of the system 100 of Figure 1.
  • NFs Network Functions
  • the 5G network architecture shown in Figure 2 comprises a plurality of UEs 112 connected to either a RAN 102 or an Access Network (AN) as well as an AMF 200.
  • the R(AN) 102 comprises base stations, e.g. such as eNBs or gNBs or similar.
  • the 5GC NFs shown in Figure 2 include a NSSF 202, an AUSF 204, a UDM 206, the AMF 200, a SMF 208, a PCF 210, and an Application Function (AF) 212.
  • the N1 reference point is defined to carry signaling between the UE 112 and AMF 200.
  • the reference points for connecting between the AN 102 and AMF 200 and between the AN 102 and user plane function, UPF, 214 are defined as N2 and N3, respectively.
  • N4 is used by the SMF 208 and UPF 214 so that the UPF 214 can be set using the control signal generated by the SMF 208, and the UPF 214 can report its state to the SMF 208.
  • N9 is the reference point for the connection between different UPFs 214, and N14 is the reference point connecting between different AMFs 200, respectively.
  • N15 and N7 are defined since the PCF 210 applies policy to the AMF 200 and SMF 208, respectively.
  • N12 is required for the AMF 200 to perform authentication of the UE 112.
  • N8 and N10 are defined because the subscription data of the UE 112 is required for the AMF 200 and SMF 208.
  • the 5GC network aims at separating user plane, UP, and control plane, CP.
  • the UP carries user traffic while the CP carries signaling in the network.
  • the UPF 214 is in the UP and all other NFs, i.e., the AMF 200, SMF 208, PCF 210, AF 212, NSSF 202, AUSF 204, and UDM 206, are in the CP. Separating the UP and CP guarantees each plane resource to be scaled independently. It also allows UPFs to be deployed separately from CP functions in a distributed fashion. In this architecture, UPFs may be deployed very close to UEs to shorten the Round Trip Time (RTT) between UEs and data network for some applications requiring low latency.
  • RTT Round Trip Time
  • the core 5G network architecture is composed of modularized functions.
  • the AMF 200 and SMF 208 are independent functions in the CP. Separated AMF 200 and SMF 208 allow independent evolution and scaling.
  • Other CP functions like the PCF 210 and AUSF 204 can be separated as shown in Figure 2.
  • Modularized function design enables the 5GC network to support various services flexibly.
  • Each NF interacts with another NF directly. It is possible to use intermediate functions to route messages from one NF to another NF.
  • a set of interactions between two NFs is defined as service so that its reuse is possible. This service enables support for modularity.
  • the UP supports interactions such as forwarding operations between different UPFs.
  • Figure 3 illustrates a 5G network architecture using service-based interfaces between the NFs in the CP, instead of the point-to-point reference points/interfaces used in the 5G network architecture of Figure 2.
  • the NFs described above with reference to Figure 2 correspond to the NFs shown in Figure 3.
  • the service(s) etc. that a NF provides to other authorized NFs can be exposed to the authorized NFs through the service-based interface.
  • the service based interfaces are indicated by the letter "N" followed by the name of the NF, e.g. Namf for the service based interface of the AMF 200 and Nsmf for the service based interface of the SMF 208, etc.
  • the AMF 200 provides UE-based authentication, authorization, mobility management, etc.
  • a UE 112 even using multiple access technologies is basically connected to a single AMF 200 because the AMF 200 is independent of the access technologies.
  • the SMF 208 is responsible for session management and allocates Internet Protocol (IP) addresses to UEs. It also selects and controls the UPF 214 for data transfer. If a UE 112 has multiple sessions, different SMFs 208 may be allocated to each session to manage them individually and possibly provide different functionalities per session.
  • the AF 212 provides information on the packet flow to the PCF 210 responsible for policy control in order to support Quality of Service, QoS.
  • the PCF 210 determines policies about mobility and session management to make the AMF 200 and SMF 208 operate properly.
  • the AUSF 204 supports authentication function for UEs or similar and thus stores data for authentication of UEs or similar while the UDM 206 stores subscription data of the UE 112.
  • the Data Network (DN) not part of the 5GC network, provides Internet access or operator services and similar.
  • An NF may be implemented either as a network element on a dedicated hardware, as a software instance running on a dedicated hardware, or as a virtualized function instantiated on an appropriate platform, e.g., a cloud infrastructure.
  • Figure 4 illustrates the operation of a NF Service Consumer 400 and a NF Service Producer 402 or NRF 302 in accordance with one embodiment of the present disclosure. Note that optional steps are represented with dashed lines/boxes.
  • the NF Service Producer 402 is the NRF 302; however, the NF Service Producer 402 is not limited thereto.
  • the NF service consumer 400 is a NF in the core network 110 that consumes, or uses, a service of the NF service producer 402 or NRF 302. The steps of the process of Figure 4 are as follows:
  • Step 404 The NF service consumer 400 sends a service request including a signed Client credentials assertion (CCA) token to authenticate against the NF service producer 402 or the NRF 302 as described in TS 33.501 Clause 13.3.8.
  • CCA Client credentials assertion
  • in 3GPP TR 33.875 V0.2.0 it is proposed to add an optional field in the CCA to protect the part of the message itself.
  • the added field is a hash of the HTTP body and the HTTP method.
  • the service request is in the form of a HTTP message or comprised within an HTTP message.
  • the HTTP body and the HTTP method are those from this HTTP message.
  • the service request is sent from the NF service consumer 400 to the NF service producer 402 or the NRF 302 via indirect communication (e.g., via a Service Communication Proxy (SCP)).
  • SCP Service Communication Proxy
  • Step 406 The NF service producer 402 or the NRF 302 validates the CCA as described in 3GPP TS 33.501 Clause 13.3.8.3. But since one optional field is supposed to be added to the CCA, the receiving end point (NF service producer 402 or NRF 302) also needs to compute the hash of the HTTP body and HTTP method and validate that it is identical to the hash received in the CCA.
  • Step 408 The NF service producer 402 or the NRF 302 may send a service response to the NF service consumer 400.
  • the added attribute is a hash of the body of the HTTP message and HTTP method.
  • the input S to the KDF specified in Annex B of 3GPP TS 33.220 is computed as follows:
  • FIG. 5 is a schematic block diagram of a network node 500 according to some embodiments of the present disclosure.
  • the network node 500 may be, for example, a core network node that implements the NF service consumer 402, the NF service producer 404, or the NRF 302.
  • the network node 500 includes a control system 502 that includes one or more processors 504 (e.g., Central Processing Units (CPUs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), and/or the like), memory 506, and a network interface 508.
  • the one or more processors 504 are also referred to herein as processing circuitry.
  • the network node 500 may also include one or more radio units 510 that each includes one or more transmitters 512 and one or more receivers 514 coupled to one or more antennas 516.
  • the radio units 510 may be referred to or be part of radio interface circuitry.
  • the radio unit(s) 510 is external to the control system 502 and connected to the control system 502 via, e.g., a wired connection (e.g., an optical cable).
  • a wired connection e.g., an optical cable
  • the radio unit(s) 510 and potentially the antenna(s) 516 are integrated together with the control system 502.
  • the one or more processors 504 operate to provide one or more functions of a network node 500 as described herein (e.g., one or more functions of the NF service consumer 402, the NF service producer 404, or the NRF 302 as described herein).
  • the function(s) are implemented in software that is stored, e.g., in the memory 506 and executed by the one or more processors 504.
  • FIG. 6 is a schematic block diagram that illustrates a virtualized embodiment of the network node 500 according to some embodiments of the present disclosure. Again, optional features are represented by dashed boxes.
  • a "virtualized" network node is an implementation of the network node 500 in which at least a portion of the functionality of the network node 500 is implemented as a virtual component(s) (e.g., via a virtual machine(s) executing on a physical processing node(s) in a network(s)).
  • the network node 500 includes one or more processing nodes 600 coupled to or included as part of a network(s) 602.
  • Each processing node 600 includes one or more processors 604 (e.g., CPUs, ASICs, FPGAs, and/or the like), memory 606, and a network interface 608.
  • the network node 500 is a RAN node (e.g., a base station 102)
  • the network node 500 may also include the control system 502 and/or the one or more radio units 510, as described above.
  • the control system 502 may be connected to the radio unit(s) 510 via, for example, an optical cable or the like. If present, the control system 502 or the radio unit(s) are connected to the processing node(s) 600 via the network 602.
  • functions 610 of the network node 500 described herein are implemented at the one or more processing nodes 600 or distributed across the one or more processing nodes 600 and the control system 502 and/or the radio unit(s) 510 in any desired manner.
  • some or all of the functions 610 of the network node 500 described herein are implemented as virtual components executed by one or more virtual machines implemented in a virtual environment(s) hosted by the processing node(s) 600.
  • additional signaling or communication between the processing node(s) 600 and the control system 502 is used in order to carry out at least some of the desired functions 610.
  • the control system 502 may not be included, in which case the radio unit(s) 510 communicate directly with the processing node(s) 600 via an appropriate network interface(s).
  • a computer program including instructions which, when executed by at least one processor, causes the at least one processor to carry out the functionality of network node 500 or a node (e.g., a processing node 600) implementing one or more of the functions 610 of the network node 500 in a virtual environment according to any of the embodiments described herein is provided.
  • a carrier comprising the aforementioned computer program product is provided.
  • the carrier is one of an electronic signal, an optical signal, a radio signal, or a computer readable storage medium (e.g., a non-transitory computer readable medium such as memory).
  • FIG 7 is a schematic block diagram of the network node 500 according to some other embodiments of the present disclosure.
  • the network node 500 includes one or more modules 700, each of which is implemented in software.
  • the module(s) 700 provide the functionality of the network node 500 described herein (e.g., one or more functions of the NF service consumer 402, the NF service producer 404, or the NRF 302 as described herein).
  • This discussion is equally applicable to the processing node 600 of Figure 6 where the modules 700 may be implemented at one of the processing nodes 600 or distributed across multiple processing nodes 600 and/or distributed across the processing node(s) 600 and the control system 502.
  • any appropriate steps, methods, features, functions, or benefits disclosed herein may be performed through one or more functional units or modules of one or more virtual apparatuses.
  • Each virtual apparatus may comprise a number of these functional units.
  • These functional units may be implemented via processing circuitry, which may include one or more microprocessor or microcontrollers, as well as other digital hardware, which may include Digital Signal Processors (DSPs), special-purpose digital logic, and the like.
  • the processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as Read Only Memory (ROM), Random Access Memory (RAM), cache memory, flash memory devices, optical storage devices, etc.
  • Program code stored in memory includes program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein.
  • the processing circuitry may be used to cause the respective functional unit to perform corresponding functions according to one or more embodiments of the present disclosure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Systems and methods are disclosed herein that relate to end-to-end authentication of a Network Function (NF) service request. In one embodiment, a method performed by a NF service consumer in a core network of a cellular communications system comprises sending a service request to another NF. The service request comprises a client credentials assertion (CCA). The service request is in the form of a Hyper-Text Transfer Protocol (HTTP) message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.

Description

NEW ATTRIBUTE TO THE DEFINITION OF TYPE ClientCredentialsAssertion TO ENABLE BACKWARDS COMPATIBILITY WITH REL-16 NF PRODUCERS
TECHNICAL FIELD
The present disclosure relates to Network Function (NF) service requests in a core network of a cellular communications system.
BACKGROUND
In Third Generation Partnership Project (3GPP) Technical Report (TR) 33.875 V0.2.0 "Study on enhanced security aspects of the 5G Service Based Architecture (SBA)", a solution was proposed to address the end-to-end integrity of Hyper-Text Transfer Protocol (HTTP) messages. This solution enhanced the Client Credentials Assertion (CCA) to include a hash of the HTTP body and the HTTP method in order to protect the message itself.
However, the aforementioned solution gives rise to a problem of backwards compatibility with Release 16 Network Function (NF) producers supporting only the existing CCA.
SUMMARY
Systems and methods are disclosed herein that relate to end-to-end authentication of a Network Function (NF) service request. In one embodiment, a method performed by a NF service consumer in a core network of a cellular communications system comprises sending a service request to another NF. The service request comprises a client credentials assertion (CCA). The service request is in the form of a Hyper-Text Transfer Protocol (HTTP) message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message. In this manner, backward compatibility may be maintained for NFs that do not support end-to-end authentication using a hash of the body of the HTTP message and the HTTP method.
In one embodiment, sending the service request to the other NF comprises sending the service request to the other NF via indirect communication.
In one embodiment, sending the service request to the other NF comprises sending the service request to the other NF via a Service Communication Proxy (SCP). In one embodiment, the hash attribute is utilized for end-to-end integrity protection.
In one embodiment, the other NF is a NF service producer.
In one embodiment, the other NF is a NF Repository Function (NRF).
In one embodiment, for computation of the hash of the body of the HTTP message and the HTTP method of the HTTP message, an input S to a Key Derivation Function (KDF) used to compute the hash is a concatenation of a plurality of parameters comprising:
• P0 = the HTTP body;
• L0 = length of the HTTP body;
• P1 = the HTTP method; and
• L1 = length of the HTTP method.
Corresponding embodiments of a NF service consumer are also disclosed. In one embodiment, a NF service consumer for a core network of a cellular communications system is adapted to send a service request to another NF. The service request comprises a CCA. The service request is in the form of an HTTP message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
In one embodiment, a network node for implementing a NF service consumer for a core network of a cellular communications system comprises processing circuitry configured to cause the network node to send a service request to another NF. The service request comprises a CCA. The service request is in the form of an HTTP message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
Embodiments of a method performed by a NF in a core network of a cellular communications system are also disclosed. In one embodiment, a method performed by a NF in a core network of a cellular communications system comprises receiving a service request from a NF service consumer. The service request comprises a CCA. The service request is in the form of an HTTP message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message. In one embodiment, the method further comprises validating the CCA.
In one embodiment, receiving the service request comprises receiving the service request from the NF service consumer via indirect communication.
In one embodiment, receiving the service request comprises receiving the service request from the NF service consumer via a SCP.
In one embodiment, the hash attribute is utilized for end-to-end integrity protection.
In one embodiment, the NF is a NF service producer.
In one embodiment, the NF is an NRF.
In one embodiment, for computation of the hash of the body of the HTTP message and the HTTP method of the HTTP message, an input S to a KDF used to compute the hash is a concatenation of a plurality of parameters comprising:
• P0 = the HTTP body;
• L0 = length of the HTTP body;
• P1 = the HTTP method; and
• L1 = length of the HTTP method.
Corresponding embodiments of a NF for a core network of a cellular communications system are also disclosed. In one embodiment, a NF for a core network of a cellular communications system is adapted to receive a service request from a NF service consumer. The service request comprises a CCA. The service request is in the form of an HTTP message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
In one embodiment, a network node for implementing a NF for a core network of a cellular communications system comprises processing circuitry configured to cause the network node to receive a service request from a NF service consumer. The service request comprises a CCA. The service request is in the form of an HTTP message or comprised within the HTTP message, and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawing figures incorporated in and forming a part of this specification illustrate several aspects of the disclosure, and together with the description serve to explain the principles of the disclosure.
Figure 1 illustrates one example of a cellular communications system according to some embodiments of the present disclosure;
Figures 2 and 3 illustrate example embodiments in which the cellular communication system of Figure 1 is a Fifth Generation (5G) System (5GS);
Figure 4 illustrates the operation of a Network Function (NF) service consumer and either a NF service producer or a NF Repository Function (NRF) in accordance with an embodiment of the present disclosure;
Figure 5 is a schematic block diagram of a network node according to some embodiments of the present disclosure;
Figure 6 is a schematic block diagram that illustrates a virtualized embodiment of the network node of Figure 5 according to some embodiments of the present disclosure; and
Figure 7 is a schematic block diagram of the network node of Figure 5 according to some other embodiments of the present disclosure.
DETAILED DESCRIPTION
The embodiments set forth below represent information to enable those skilled in the art to practice the embodiments and illustrate the best mode of practicing the embodiments. Upon reading the following description in light of the accompanying drawing figures, those skilled in the art will understand the concepts of the disclosure and will recognize applications of these concepts not particularly addressed herein. It should be understood that these concepts and applications fall within the scope of the disclosure.
Radio Node: As used herein, a "radio node" is either a radio access node or a wireless communication device.
Radio Access Node or RAN Node: As used herein, a "radio access node" or "radio network node" or "radio access network node" or "RAN node" is any node in a Radio Access Network (RAN) of a cellular communications network that operates to wirelessly transmit and/or receive signals. Some examples of a radio access node include, but are not limited to, a base station (e.g., a New Radio (NR) base station (gNB) in a Third Generation Partnership Project (3GPP) Fifth Generation (5G) NR network or an enhanced or evolved Node B (eNB) in a 3GPP Long Term Evolution (LTE) network), a high-power or macro base station, a low-power base station (e.g., a micro base station, a pico base station, a home eNB, or the like), a relay node, a network node that implements part of the functionality of a base station or a network node that implements a gNB Distributed Unit (gNB-DU), or a network node that implements part of the functionality of some other type of radio access node.
Core Network Node: As used herein, a "core network node" is any type of node in a core network or any node that implements a core network function. Some examples of a core network node include, e.g., a Mobility Management Entity (MME), a Packet Data Network Gateway (P-GW), a Service Capability Exposure Function (SCEF), a Home Subscriber Server (HSS), or the like. Some other examples of a core network node include a node implementing an Access and Mobility Function (AMF), a User Plane Function (UPF), a Session Management Function (SMF), an Authentication Server Function (AUSF), a Network Slice Selection Function (NSSF), a Network Exposure Function (NEF), a Network Function (NF) Repository Function (NRF), a Policy Control Function (PCF), a Unified Data Management (UDM), or the like.
Communication Device: As used herein, a "communication device" is any type of device that has access to an access network. Some examples of a communication device include, but are not limited to: mobile phone, smart phone, sensor device, meter, vehicle, household appliance, medical appliance, media player, camera, or any type of consumer electronic, for instance, but not limited to, a television, radio, lighting arrangement, tablet computer, laptop, or Personal Computer (PC). The communication device may be a portable, hand-held, computer-comprised, or vehicle-mounted mobile device, enabled to communicate voice and/or data via a wireless or wireline connection.
Wireless Communication Device: One type of communication device is a wireless communication device, which may be any type of wireless device that has access to (i.e., is served by) a wireless network (e.g., a cellular network). Some examples of a wireless communication device include, but are not limited to: a User Equipment device (UE) in a 3GPP network, a Machine Type Communication (MTC) device, and an Internet of Things (IoT) device. Such wireless communication devices may be, or may be integrated into, a mobile phone, smart phone, sensor device, meter, vehicle, household appliance, medical appliance, media player, camera, or any type of consumer electronic, for instance, but not limited to, a television, radio, lighting arrangement, tablet computer, laptop, or PC. The wireless communication device may be a portable, hand-held, computer-comprised, or vehicle-mounted mobile device, enabled to communicate voice and/or data via a wireless connection.
Network Node: As used herein, a "network node" is any node that is either part of the RAN or the core network of a cellular communications network/system.
Transmission/Reception Point (TRP): In some embodiments, a TRP may be either a network node, a radio head, a spatial relation, or a Transmission Configuration Indicator (TCI) state. A TRP may be represented by a spatial relation or a TCI state in some embodiments. In some embodiments, a TRP may be using multiple TCI states. In some embodiments, a TRP may be a part of the gNB transmitting and receiving radio signals to/from UE according to physical layer properties and parameters inherent to that element. In some embodiments, in Multiple TRP (multi-TRP) operation, a serving cell can schedule UE from two TRPs, providing better Physical Downlink Shared Channel (PDSCH) coverage, reliability and/or data rates. There are two different operation modes for multi-TRP: single Downlink Control Information (DCI) and multi-DCI. For both modes, control of uplink and downlink operation is done by both physical layer and Medium Access Control (MAC). In single-DCI mode, UE is scheduled by the same DCI for both TRPs and in multi-DCI mode, UE is scheduled by independent DCIs from each TRP.
In some embodiments, a set of Transmission Points (TPs) is a set of geographically co-located transmit antennas (e.g., an antenna array (with one or more antenna elements)) for one cell, part of one cell or one Positioning Reference Signal (PRS)-only TP. TPs can include base station (eNB) antennas, Remote Radio Heads (RRHs), a remote antenna of a base station, an antenna of a PRS-only TP, etc. One cell can be formed by one or multiple TPs. For a homogeneous deployment, each TP may correspond to one cell.
In some embodiments, a set of TRPs is a set of geographically co-located antennas (e.g., an antenna array (with one or more antenna elements)) supporting TP and/or Reception Point (RP) functionality.
Note that the description given herein focuses on a 3GPP cellular communications system and, as such, 3GPP terminology or terminology similar to 3GPP terminology is oftentimes used. However, the concepts disclosed herein are not limited to a 3GPP system. Note that, in the description herein, reference may be made to the term "cell"; however, particularly with respect to 5G NR concepts, beams may be used instead of cells and, as such, it is important to note that the concepts described herein are equally applicable to both cells and beams.
As discussed above, in 3GPP Technical Report (TR) 33.875 V0.2.0 "Study on enhanced security aspects of the 5G Service Based Architecture (SBA)", a solution was proposed to address the end-to-end integrity of Hyper-Text Transfer Protocol (HTTP) messages. This solution enhanced the Client Credentials Assertion (CCA) to include a hash of the HTTP body and HTTP method to protect the message itself. However, the aforementioned solution gives rise to a problem of backwards compatibility with Release 16 Network Function (NF) producers that support only the existing CCA.
Systems and methods are disclosed herein that address the aforementioned and/or other problems. Embodiments of the present disclosure address the backwards compatibility problem by introducing a new attribute to the definition of type ClientCredentialsAssertion described in 3GPP Technical Specification (TS) 29.500 V17.2.0 Table 5.2.3.2.11-1.
Embodiments of the present disclosure provide a number of advantages over existing solutions. In particular, embodiments of the present disclosure enable backwards compatibility with Release 16 NF producers supporting only existing Client Credentials Assertion (CCA).
Figure 1 illustrates one example of a cellular communications system 100 in which embodiments of the present disclosure may be implemented. In the embodiments described herein, the cellular communications system 100 is a 5G system (5GS) including a Next Generation RAN (NG-RAN) and a 5G Core (5GC); however, the embodiments disclosed herein may be used in other similar types of wireless networks. In this example, the RAN includes base stations 102-1 and 102-2, which in the 5GS include NR base stations (gNBs) and optionally next generation eNBs (ng-eNBs) (e.g., LTE RAN nodes connected to the 5GC), controlling corresponding (macro) cells 104-1 and 104-2. The base stations 102-1 and 102-2 are generally referred to herein collectively as base stations 102 and individually as base station 102. Likewise, the (macro) cells 104-1 and 104-2 are generally referred to herein collectively as (macro) cells 104 and individually as (macro) cell 104. The RAN may also include a number of low power nodes 106-1 through 106-4 controlling corresponding small cells 108-1 through 108-4. The low power nodes 106-1 through 106-4 can be small base stations (such as pico or femto base stations) or RRHs, or the like. Notably, while not illustrated, one or more of the small cells 108-1 through 108-4 may alternatively be provided by the base stations 102. The low power nodes 106-1 through 106-4 are generally referred to herein collectively as low power nodes 106 and individually as low power node 106. Likewise, the small cells 108-1 through 108-4 are generally referred to herein collectively as small cells 108 and individually as small cell 108. The cellular communications system 100 also includes a core network 110, which in the 5G System (5GS) is referred to as the 5GC. The base stations 102 (and optionally the low power nodes 106) are connected to the core network 110.
The base stations 102 and the low power nodes 106 provide service to wireless communication devices 112-1 through 112-5 in the corresponding cells 104 and 108. The wireless communication devices 112-1 through 112-5 are generally referred to herein collectively as wireless communication devices 112 and individually as wireless communication device 112. In the following description, the wireless communication devices 112 are oftentimes UEs, but the present disclosure is not limited thereto.
Figure 2 illustrates a wireless communication system represented as a 5G network architecture composed of core Network Functions (NFs), where interaction between any two NFs is represented by a point-to-point reference point/interface. Figure 2 can be viewed as one particular implementation of the system 100 of Figure 1.
Seen from the access side the 5G network architecture shown in Figure 2 comprises a plurality of UEs 112 connected to either a RAN 102 or an Access Network (AN) as well as an AMF 200. Typically, the R(AN) 102 comprises base stations, e.g. such as eNBs or gNBs or similar. Seen from the core network side, the 5GC NFs shown in Figure 2 include a NSSF 202, an AUSF 204, a UDM 206, the AMF 200, a SMF 208, a PCF 210, and an Application Function (AF) 212.
Reference point representations of the 5G network architecture are used to develop detailed call flows in the normative standardization. The N1 reference point is defined to carry signaling between the UE 112 and AMF 200. The reference points for connecting between the AN 102 and AMF 200 and between the AN 102 and user plane function, UPF, 214 are defined as N2 and N3, respectively. There is a reference point, N11, between the AMF 200 and SMF 208, which implies that the SMF 208 is at least partly controlled by the AMF 200. N4 is used by the SMF 208 and UPF 214 so that the UPF 214 can be set using the control signal generated by the SMF 208, and the UPF 214 can report its state to the SMF 208. N9 is the reference point for the connection between different UPFs 214, and N14 is the reference point connecting between different AMFs 200, respectively. N15 and N7 are defined since the PCF 210 applies policy to the AMF 200 and SMF 208, respectively. N12 is required for the AMF 200 to perform authentication of the UE 112. N8 and N10 are defined because the subscription data of the UE 112 is required for the AMF 200 and SMF 208.
The 5GC network aims at separating user plane, UP, and control plane, CP. The UP carries user traffic while the CP carries signaling in the network. In Figure 2, the UPF 214 is in the UP and all other NFs, i.e., the AMF 200, SMF 208, PCF 210, AF 212, NSSF 202, AUSF 204, and UDM 206, are in the CP. Separating the UP and CP allows the resources of each plane to be scaled independently. It also allows UPFs to be deployed separately from CP functions in a distributed fashion. In this architecture, UPFs may be deployed very close to UEs to shorten the Round Trip Time (RTT) between UEs and data network for some applications requiring low latency.
The core 5G network architecture is composed of modularized functions. For example, the AMF 200 and SMF 208 are independent functions in the CP. Separated AMF 200 and SMF 208 allow independent evolution and scaling. Other CP functions like the PCF 210 and AUSF 204 can be separated as shown in Figure 2. Modularized function design enables the 5GC network to support various services flexibly.
Each NF interacts with another NF directly. It is possible to use intermediate functions to route messages from one NF to another NF. In the CP, a set of interactions between two NFs is defined as service so that its reuse is possible. This service enables support for modularity. The UP supports interactions such as forwarding operations between different UPFs.
Figure 3 illustrates a 5G network architecture using service-based interfaces between the NFs in the CP, instead of the point-to-point reference points/interfaces used in the 5G network architecture of Figure 2. However, the NFs described above with reference to Figure 2 correspond to the NFs shown in Figure 3. The service(s) etc. that a NF provides to other authorized NFs can be exposed to the authorized NFs through the service-based interface. In Figure 3 the service based interfaces are indicated by the letter "N" followed by the name of the NF, e.g. Namf for the service based interface of the AMF 200 and Nsmf for the service based interface of the SMF 208, etc. The NEF 300 and the NRF 302 in Figure 3 are not shown in Figure 2 discussed above. However, it should be clarified that all NFs depicted in Figure 2 can interact with the NEF 300 and the NRF 302 of Figure 3 as necessary, though not explicitly indicated in Figure 2.
Some properties of the NFs shown in Figures 2 and 3 may be described in the following manner. The AMF 200 provides UE-based authentication, authorization, mobility management, etc. A UE 112 even using multiple access technologies is basically connected to a single AMF 200 because the AMF 200 is independent of the access technologies. The SMF 208 is responsible for session management and allocates Internet Protocol (IP) addresses to UEs. It also selects and controls the UPF 214 for data transfer. If a UE 112 has multiple sessions, different SMFs 208 may be allocated to each session to manage them individually and possibly provide different functionalities per session. The AF 212 provides information on the packet flow to the PCF 210 responsible for policy control in order to support Quality of Service, QoS. Based on the information, the PCF 210 determines policies about mobility and session management to make the AMF 200 and SMF 208 operate properly. The AUSF 204 supports authentication function for UEs or similar and thus stores data for authentication of UEs or similar while the UDM 206 stores subscription data of the UE 112. The Data Network (DN), not part of the 5GC network, provides Internet access or operator services and similar.
An NF may be implemented either as a network element on a dedicated hardware, as a software instance running on a dedicated hardware, or as a virtualized function instantiated on an appropriate platform, e.g., a cloud infrastructure.
Figure 4 illustrates the operation of a NF Service Consumer 400 and a NF Service Producer 402 or NRF 302 in accordance with one embodiment of the present disclosure. Note that optional steps are represented with dashed lines/boxes. In one embodiment, the NF Service Producer 402 is the NRF 302; however, the NF Service Producer 402 is not limited thereto. The NF service consumer 400 is a NF in the core network 110 that consumes, or uses, a service of the NF service producer 402 or NRF 302. The steps of the process of Figure 4 are as follows:
• Step 404: The NF service consumer 400 sends a service request including a signed Client Credentials Assertion (CCA) token to authenticate against the NF service producer 402 or the NRF 302 as described in 3GPP TS 33.501 Clause 13.3.8. In 3GPP TR 33.875 V0.2.0, it is proposed to add an optional field to the CCA to protect part of the message itself. The added field is a hash of the HTTP body and the HTTP method. Note that the service request is in the form of a HTTP message or comprised within an HTTP message. The HTTP body and the HTTP method are those of this HTTP message. In one embodiment, the service request is sent from the NF service consumer 400 to the NF service producer 402 or the NRF 302 via indirect communication (e.g., via a Service Communication Proxy (SCP)).
• Step 406: The NF service producer 402 or the NRF 302 validates the CCA as described in 3GPP TS 33.501 Clause 13.3.8.3. Since an optional field is added to the CCA, the receiving end point (NF service producer 402 or NRF 302) also needs to compute the hash of the HTTP body and HTTP method of the received HTTP message and validate that it is identical to the hash received in the CCA. Because the CCA is signed by the NF service consumer 400, an intermediary on the path cannot modify the body or method without invalidating this check.
• Step 408: The NF service producer 402 or the NRF 302 may send a service response to the NF service consumer 400.
However, this solution has a backwards compatibility problem with Release 16 NF producers that support only the existing CCA. Therefore, an attribute is proposed to be added to the definition of type CCA:
Table 5.2.3.2.11-1: Definition of type ClientCredentialsAssertion (table not reproduced in this text)
The added attribute is a hash of the body of the HTTP message and the HTTP method. For computation of the hash of the HTTP body and HTTP method for inclusion in the Client Credentials Assertion, the input S to the KDF specified in Annex B of 3GPP TS 33.220 is computed as follows:
• P0 = HTTP body;
• L0 = length of the HTTP body;
• P1 = HTTP method;
• L1 = length of the HTTP method.
The input key is equal to null. Note that the FC value will be allocated in the normative phase.
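The procedure of Figure 4 (steps 404 to 406) and the KDF input above, worked through as an added example. This is illustrative code written for this page, not code from the patent or from any 3GPP specification, and it rests on the following assumptions: the KDF is the HMAC-SHA-256 construction of 3GPP TS 33.220 Annex B, with S = FC || P0 || L0 || P1 || L1, FC a single octet and each Li the two-octet big-endian length of Pi; FC_HASH_CCA = 0x00 is a placeholder because the real FC value is only allocated in the normative phase; the "null" input key is modelled as an all-zero key (HMAC zero-pads a short key to the block size, so an empty key and 32 zero octets give the same result); the added attribute is named "hash" in the CCA claims (a hypothetical name); the JWS signature over the CCA is replaced by a stub; the sample HTTP body is constructed; and a Release 16 receiver is assumed to ignore an attribute it does not know.

```python
# Added example (not from the patent or 3GPP): consumer-side computation of
# the proposed CCA hash attribute and receiver-side validation, including a
# Release 16 receiver that does not know the attribute.
import hashlib
import hmac

FC_HASH_CCA = 0x00      # placeholder FC value (assumption; allocated later by 3GPP)
HASH_CLAIM = "hash"     # hypothetical name of the added CCA attribute
MAX_PARAM_LEN = 0xFFFF  # a two-octet length field Li cannot encode more
NULL_KEY = b"\x00" * 32  # "input key equal to null" modelled as an all-zero key


def kdf_input_s(fc: int, params: list[bytes]) -> bytes:
    """Build S = FC || P0 || L0 || P1 || L1 || ... with 16-bit big-endian lengths."""
    s = bytes([fc])
    for p in params:
        if len(p) > MAX_PARAM_LEN:
            raise ValueError("parameter too long for a two-octet length field")
        s += p + len(p).to_bytes(2, "big")
    return s


def cca_hash(http_body: bytes, http_method: str) -> str:
    """Hash of HTTP body (P0) and HTTP method (P1) as hex, HMAC-SHA-256 with a null key.

    Both sides must hash exactly the octets on the wire: no JSON re-serialisation
    of the body and no case-folding of the method, or the hashes will not match.
    """
    s = kdf_input_s(FC_HASH_CCA, [http_body, http_method.encode("ascii")])
    return hmac.new(NULL_KEY, s, hashlib.sha256).hexdigest()


def build_cca(nf_instance_id: str, audience: str, http_method: str,
              http_body: bytes, include_hash: bool = True) -> dict:
    """NF service consumer side (Figure 4, step 404): CCA claims, hash attribute optional."""
    claims = {"sub": nf_instance_id, "aud": [audience]}
    if include_hash:
        claims[HASH_CLAIM] = cca_hash(http_body, http_method)
    return claims  # in a real NF these claims are signed as a JWS (TS 33.501 13.3.8)


def signature_valid(cca: dict) -> bool:
    """Stub for the existing CCA checks of TS 33.501 clause 13.3.8.3 (assumption)."""
    return "sub" in cca and "aud" in cca


def validate_cca_rel17(cca: dict, http_method: str, http_body: bytes) -> str:
    """Receiver that supports the new attribute (Figure 4, step 406)."""
    if not signature_valid(cca):
        return "rejected: invalid CCA"
    if HASH_CLAIM not in cca:
        # The attribute is optional: a CCA without it is still a valid Rel-16 CCA.
        return "accepted: no end-to-end integrity (attribute absent)"
    if not hmac.compare_digest(cca[HASH_CLAIM], cca_hash(http_body, http_method)):
        return "rejected: body/method hash mismatch"
    return "accepted: end-to-end integrity verified"


def validate_cca_rel16(cca: dict, http_method: str, http_body: bytes) -> str:
    """Release 16 receiver: the unknown attribute is ignored (assumption)."""
    known = {k: v for k, v in cca.items() if k != HASH_CLAIM}
    return "accepted" if signature_valid(known) else "rejected: invalid CCA"


def demo() -> dict:
    method = "POST"
    body = b'{"supi":"imsi-001010000000001"}'      # constructed sample body
    cca = build_cca("nf-consumer-1", "nf-producer-1", method, body)
    # An SCP (or anyone on the path) rewrites the body; the signed CCA is unchanged.
    tampered = b'{"supi":"imsi-001010000000002"}'
    cca_no_hash = build_cca("nf-consumer-1", "nf-producer-1", method, body,
                            include_hash=False)
    return {
        "rel17_ok": validate_cca_rel17(cca, method, body),
        "rel17_tampered": validate_cca_rel17(cca, method, tampered),
        "rel16_tampered": validate_cca_rel16(cca, method, tampered),
        "rel17_no_hash": validate_cca_rel17(cca_no_hash, method, body),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The example makes the compatibility trade-off visible: a receiver that knows the attribute rejects the body rewritten in transit, while a Release 16 receiver ignores the attribute and accepts the same request, because it has no way to check it. Note also that the hash is keyed with null, so on its own it is a plain digest; the integrity protection comes from the NF service consumer's signature over the CCA claims that contain it, which is why validation must first perform the existing CCA signature checks before comparing hashes.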
Figure 5 is a schematic block diagram of a network node 500 according to some embodiments of the present disclosure. Optional features are represented by dashed boxes. The network node 500 may be, for example, a core network node that implements the NF service consumer 400, the NF service producer 402, or the NRF 302. As illustrated, the network node 500 includes a control system 502 that includes one or more processors 504 (e.g., Central Processing Units (CPUs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), and/or the like), memory 506, and a network interface 508. The one or more processors 504 are also referred to herein as processing circuitry. In addition, if the network node 500 is a RAN node (e.g., a base station 102), the network node 500 may also include one or more radio units 510 that each includes one or more transmitters 512 and one or more receivers 514 coupled to one or more antennas 516. The radio units 510 may be referred to or be part of radio interface circuitry. In some embodiments, the radio unit(s) 510 is external to the control system 502 and connected to the control system 502 via, e.g., a wired connection (e.g., an optical cable). However, in some other embodiments, the radio unit(s) 510 and potentially the antenna(s) 516 are integrated together with the control system 502. The one or more processors 504 operate to provide one or more functions of a network node 500 as described herein (e.g., one or more functions of the NF service consumer 400, the NF service producer 402, or the NRF 302 as described herein). In some embodiments, the function(s) are implemented in software that is stored, e.g., in the memory 506 and executed by the one or more processors 504.
Figure 6 is a schematic block diagram that illustrates a virtualized embodiment of the network node 500 according to some embodiments of the present disclosure. Again, optional features are represented by dashed boxes. As used herein, a "virtualized" network node is an implementation of the network node 500 in which at least a portion of the functionality of the network node 500 is implemented as a virtual component(s) (e.g., via a virtual machine(s) executing on a physical processing node(s) in a network(s)). As illustrated, in this example, the network node 500 includes one or more processing nodes 600 coupled to or included as part of a network(s) 602. Each processing node 600 includes one or more processors 604 (e.g., CPUs, ASICs, FPGAs, and/or the like), memory 606, and a network interface 608. If the network node 500 is a RAN node (e.g., a base station 102), the network node 500 may also include the control system 502 and/or the one or more radio units 510, as described above. The control system 502 may be connected to the radio unit(s) 510 via, for example, an optical cable or the like. If present, the control system 502 or the radio unit(s) are connected to the processing node(s) 600 via the network 602. In this example, functions 610 of the network node 500 described herein (e.g., one or more functions of the NF service consumer 400, the NF service producer 402, or the NRF 302 as described herein) are implemented at the one or more processing nodes 600 or distributed across the one or more processing nodes 600 and the control system 502 and/or the radio unit(s) 510 in any desired manner. In some particular embodiments, some or all of the functions 610 of the network node 500 described herein are implemented as virtual components executed by one or more virtual machines implemented in a virtual environment(s) hosted by the processing node(s) 600.
As will be appreciated by one of ordinary skill in the art, additional signaling or communication between the processing node(s) 600 and the control system 502 is used in order to carry out at least some of the desired functions 610. Notably, in some embodiments, the control system 502 may not be included, in which case the radio unit(s) 510 communicate directly with the processing node(s) 600 via an appropriate network interface(s).
In some embodiments, a computer program including instructions which, when executed by at least one processor, causes the at least one processor to carry out the functionality of network node 500 or a node (e.g., a processing node 600) implementing one or more of the functions 610 of the network node 500 in a virtual environment according to any of the embodiments described herein is provided. In some embodiments, a carrier comprising the aforementioned computer program product is provided. The carrier is one of an electronic signal, an optical signal, a radio signal, or a computer readable storage medium (e.g., a non-transitory computer readable medium such as memory).
Figure 7 is a schematic block diagram of the network node 500 according to some other embodiments of the present disclosure. The network node 500 includes one or more modules 700, each of which is implemented in software. The module(s) 700 provide the functionality of the network node 500 described herein (e.g., one or more functions of the NF service consumer 400, the NF service producer 402, or the NRF 302 as described herein). This discussion is equally applicable to the processing node 600 of Figure 6 where the modules 700 may be implemented at one of the processing nodes 600 or distributed across multiple processing nodes 600 and/or distributed across the processing node(s) 600 and the control system 502.
Any appropriate steps, methods, features, functions, or benefits disclosed herein may be performed through one or more functional units or modules of one or more virtual apparatuses. Each virtual apparatus may comprise a number of these functional units. These functional units may be implemented via processing circuitry, which may include one or more microprocessor or microcontrollers, as well as other digital hardware, which may include Digital Signal Processors (DSPs), special-purpose digital logic, and the like. The processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as Read Only Memory (ROM), Random Access Memory (RAM), cache memory, flash memory devices, optical storage devices, etc. Program code stored in memory includes program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein. In some implementations, the processing circuitry may be used to cause the respective functional unit to perform corresponding functions according one or more embodiments of the present disclosure.
While processes in the figures may show a particular order of operations performed by certain embodiments of the present disclosure, it should be understood that such order is exemplary (e.g., alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, etc.).
At least some of the following abbreviations may be used in this disclosure. If there is an inconsistency between abbreviations, preference should be given to how it is used above. If listed multiple times below, the first listing should be preferred over any subsequent listing(s).
3GPP Third Generation Partnership Project
5G Fifth Generation
5GC Fifth Generation Core
5GS Fifth Generation System
AF Application Function
AMF Access and Mobility Function
AN Access Network
AP Access Point
ASIC Application Specific Integrated Circuit
AUSF Authentication Server Function
CPU Central Processing Unit
DN Data Network
DSP Digital Signal Processor
FPGA Field Programmable Gate Array
gNB New Radio Base Station
HSS Home Subscriber Server
MME Mobility Management Entity
NEF Network Exposure Function
NF Network Function
NR New Radio
NRF Network Function Repository Function
NSSF Network Slice Selection Function
PCF Policy Control Function
RAN Radio Access Network
ROM Read Only Memory
SCEF Service Capability Exposure Function
SMF Session Management Function
UDM Unified Data Management
UE User Equipment
UPF User Plane Function
Those skilled in the art will recognize improvements and modifications to the embodiments of the present disclosure. All such improvements and modifications are considered within the scope of the concepts disclosed herein.

Claims

1. A method performed by a Network Function, NF, service consumer (400) in a core network (110) of a cellular communications system (100), the method comprising: sending (404) a service request to another NF (402; 302), the service request comprising a client credentials assertion, CCA; wherein: the service request is in the form of a Hyper-Text Transfer Protocol, HTTP, message or comprised within the HTTP message; and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
2. The method of claim 1 wherein sending (404) the service request to the other NF (402; 302) comprises sending (404) the service request to the other NF (402; 302) via indirect communication.
3. The method of claim 1 wherein sending (404) the service request to the other NF (402; 302) comprises sending (404) the service request to the other NF (402; 302) via a Service Communication Proxy, SCP.
4. The method of claim 2 or 3 wherein the hash attribute is utilized for end-to-end integrity protection.
5. The method of any of claims 1 to 4 wherein the other NF (402) is a NF service producer (402).
6. The method of any of claims 1 to 4 wherein the other NF (402) is a NF Repository Function, NRF, (302).
7. The method of any of claims 1 to 6 wherein, for computation of the hash of the body of the HTTP message and the HTTP method of the HTTP message, an input S to a Key Derivation Function, KDF, used to compute the hash is a concatenation of a plurality of parameters comprising:
• the HTTP body;
• length of the HTTP body;
• the HTTP method; and
• length of the HTTP method.
8. A Network Function, NF, service consumer (400) for a core network (110) of a cellular communications system (100), the NF service consumer (400) being adapted to: send (404) a service request to another NF (402; 302), the service request comprising a client credentials assertion, CCA; wherein: the service request is in the form of a Hyper-Text Transfer Protocol, HTTP, message or comprised within the HTTP message; and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
9. The NF service consumer (400) of claim 8 wherein the NF service consumer (400) is further adapted to perform the method of any of claims 2 to 7.
10. A network node (500) for implementing a Network Function, NF, service consumer (400) for a core network (110) of a cellular communications system (100), the network node (500) comprising processing circuitry (504; 604) configured to cause the network node (500) to: send (404) a service request to another NF (402; 302), the service request comprising a client credentials assertion, CCA; wherein: the service request is in the form of a Hyper-Text Transfer Protocol, HTTP, message or comprised within the HTTP message; and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
11. The network node (500) of claim 10 wherein the processing circuitry (504; 604) is further configured to cause the network node (500) to perform the method of any of claims 2 to 7.
12. A method performed by a Network Function, NF, (402; 302) in a core network (110) of a cellular communications system (100), the method comprising: receiving (404) a service request from a NF service consumer (400), the service request comprising a client credentials assertion, CCA; wherein: the service request is in the form of a Hyper-Text Transfer Protocol, HTTP, message or comprised within the HTTP message; and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
13. The method of claim 12 further comprising validating (406) the CCA.
14. The method of claim 12 or 13 wherein receiving (404) the service request comprises receiving (404) the service request from the NF service consumer (400) via indirect communication.
15. The method of claim 12 or 13 wherein receiving (404) the service request comprises receiving (404) the service request from the NF service consumer (400) via a Service Communication Proxy, SCP.
16. The method of claim 14 or 15 wherein the hash attribute is utilized for end-to-end integrity protection.
17. The method of any of claims 12 to 16 wherein the NF (402) is a NF service producer (402).
18. The method of any of claims 12 to 16 wherein the NF (402) is a NF Repository Function, NRF, (302).
19. The method of any of claims 12 to 18 wherein, for computation of the hash of the body of the HTTP message and the HTTP method of the HTTP message, an input S to a Key Derivation Function, KDF, used to compute the hash is a concatenation of a plurality of parameters comprising:
• the HTTP body;
• length of the HTTP body;
• the HTTP method; and
• length of the HTTP method.
20. A Network Function, NF, (402; 302) for a core network (110) of a cellular communications system (100), the NF (402; 302) adapted to: receive (404) a service request from a NF service consumer (400), the service request comprising a client credentials assertion, CCA; wherein: the service request is in the form of a Hyper-Text Transfer Protocol, HTTP, message or comprised within the HTTP message; and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
21. The NF (402; 302) of claim 20 wherein the NF (402; 302) is further adapted to perform the method of any of claims 13 to 19.
22. A network node (500) for implementing a Network Function, NF, (402; 302) for a core network (110) of a cellular communications system (100), the network node (500) comprising processing circuitry (504; 604) configured to cause the network node (500) to: receive (404) a service request from a NF service consumer (400), the service request comprising a client credentials assertion, CCA; wherein: the service request is in the form of a Hyper-Text Transfer Protocol, HTTP, message or comprised within the HTTP message; and the CCA is defined as having a plurality of attributes comprising a hash attribute that comprises a hash of a body of the HTTP message and a HTTP method of the HTTP message.
23. The network node (500) of claim 22 wherein the processing circuitry (504; 604) is further configured to cause the network node (500) to perform the method of any of claims 13 to 19.
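Claims 7 and 19 define the KDF input S as the concatenation of the HTTP body, its length, the HTTP method and its length. The Python below is an added example, not code from the patent, from Ericsson or from 3GPP: it shows the NF service consumer computing such a hash attribute for its CCA, and the receiving NF (service producer or NRF) recomputing it over the HTTP message it actually received, so that a body or method changed on the indirect communication path no longer validates. Everything the page leaves open is an assumption here: each length is encoded as 2 octets big-endian in the layout of the 3GPP TS 33.220 generic KDF input; the "KDF" is plain SHA-256 over S with no key; the attribute is carried base64url-encoded under the claim name `hash`; the other claim names (`sub`, `iat`, `exp`) and the sample request body are placeholders constructed for the demo.

```python
import base64
import hashlib
import hmac


def encode_param(value: bytes) -> bytes:
    """Encode one KDF parameter as P || L, with L the 2-octet big-endian
    length of P (assumed encoding, in the style of 3GPP TS 33.220)."""
    if len(value) > 0xFFFF:
        # Edge case: a 2-octet length field cannot represent larger bodies.
        raise ValueError("parameter longer than 65535 octets cannot be length-encoded in 2 octets")
    return value + len(value).to_bytes(2, "big")


def kdf_input(http_body: bytes, http_method: str) -> bytes:
    """S = body || len(body) || method || len(method), as in claims 7 and 19.
    The method is not case-normalised: HTTP methods are case-sensitive."""
    return encode_param(http_body) + encode_param(http_method.encode("ascii"))


def compute_hash_attribute(http_body: bytes, http_method: str) -> str:
    """Hash attribute value: SHA-256 over S (assumed KDF), base64url without
    padding so it fits in a JSON claim set."""
    digest = hashlib.sha256(kdf_input(http_body, http_method)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_cca(nf_instance_id: str, http_body: bytes, http_method: str,
              iat: int, exp: int) -> dict:
    """Consumer side: CCA claim set extended with the hash attribute.
    Claim names other than the hash are hypothetical placeholders."""
    return {
        "sub": nf_instance_id,
        "iat": iat,
        "exp": exp,
        "hash": compute_hash_attribute(http_body, http_method),
    }


def validate_hash_attribute(cca: dict, received_body: bytes, received_method: str) -> bool:
    """Receiving NF side (claim 13): recompute the hash over the HTTP message
    as received and compare in constant time. This example is strict and
    rejects a CCA that carries no hash attribute at all."""
    presented = cca.get("hash")
    if not isinstance(presented, str):
        return False
    expected = compute_hash_attribute(received_body, received_method)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample request; the NF profile content is a placeholder.
    body = b'{"nfType":"SMF","nfInstanceId":"<constructed-nf-instance-id>"}'
    cca = build_cca("<consumer-nf-instance-id>", body, "PUT", iat=0, exp=600)
    print("CCA claims:", cca)
    print("unmodified request valid:", validate_hash_attribute(cca, body, "PUT"))
    print("altered body valid:     ", validate_hash_attribute(cca, body.replace(b"SMF", b"AMF"), "PUT"))
    print("altered method valid:   ", validate_hash_attribute(cca, body, "PATCH"))
```

The receiving side must hash the exact octets of the body it received, before any JSON re-serialisation, because the consumer hashed its serialised bytes and any canonicalisation difference would produce a false mismatch; the length fields keep the body/method boundary unambiguous even when the body happens to end with bytes that look like a method name.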

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNPCT/CN2021/091846 2021-05-06
CN2021091846 2021-05-06

Publications (1)

Publication Number Publication Date
WO2022233541A1 true WO2022233541A1 (en) 2022-11-10

Family

ID=81595868

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/059575 WO2022233541A1 (en) 2021-05-06 2022-04-11 New attribute to the definition of type clientcredentialsassertion to enable backwards compatibility with rel-16 nf producers

Country Status (1)

Country Link
WO (1) WO2022233541A1 (en)

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on enhanced security aspects of the 5G Service Based Architecture (SBA); (Release 17)", vol. SA WG3, no. V0.2.0, 17 March 2021 (2021-03-17), pages 1 - 20, XP052000072, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/33_series/33.875/33875-020.zip 33875-020.docx> [retrieved on 20210317] *
ERICSSON: "New Solution to KI#5: End-to-end integrity protection of HTTP body and method", vol. SA WG3, no. e-meeting; 20210301 - 20210305, 22 February 2021 (2021-02-22), XP051980436, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_sa/WG3_Security/SGS3_102Bis-e/Docs/S3-211047.zip S3-211047_pCR_Sol_Http_messages_protection.docx> [retrieved on 20210222] *
ERICSSON: "Update Solution #5: End-to-end integrity protection of HTTP body and method", vol. SA WG3, no. e-meeting; 20210516 - 20210527, 9 August 2021 (2021-08-09), XP052063415, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_sa/WG3_Security/TSGS3_104e/Docs/S3-212764.zip S3-212764_pCR_Update_Sol5_e2e.docx> [retrieved on 20210809] *


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22722193

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE