WO2023169688A1 - Enabling configuring an endpoint device - Google Patents

Enabling configuring an endpoint device

Info

Publication number
WO2023169688A1
Authority
WO
WIPO (PCT)
Prior art keywords
bootstrap
server
request
endpoint device
network access
Application number
PCT/EP2022/056272
Other languages
French (fr)
Inventor
Jaime JIMÉNEZ
Valentin TUDOR
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters

Definitions

  • the present disclosure relates to methods, a network access server, a bootstrap server, an endpoint device, computer programs, computer program products, and a system. More particularly, but not exclusively, the disclosure relates to the field of configuration of an endpoint device.
  • IoT Internet-of-Things
  • LwM2M Lightweight Machine-to-Machine. The client-initiated bootstrap procedure is defined by OMA (Open Mobile Alliance) in Lightweight Machine to Machine Technical Specification: Core, V1.2, 2020-11-10.
  • OMA Open Mobile Alliance
  • This procedure provides a mechanism for a LwM2M client in the IoT device to retrieve bootstrap information from an LwM2M bootstrap server to enable boot and, e.g., firmware updates.
  • the LwM2M client connects to a LwM2M Bootstrap-Server to obtain a bootstrap pack for configuration of the IoT device.
  • the bootstrap pack contains at a minimum an LwM2M server account and may contain additional objects, e.g., for access control and connectivity monitoring. In this way, the IoT device can be configured using a single message, which may contain several objects.
  • the LwM2M protocol is not sufficient for all configuration of the endpoint device, such as certain network parameters.
  • One object is to improve configuration of an endpoint device connectable to a communication network.
  • a method for enabling configuring an endpoint device is performed by a network access server.
  • the method comprises: receiving a network access request from the endpoint device, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtaining the device parameters from the storage server based on the reference; providing the parameter request to a bootstrap server; and providing a network resource allocation message to the endpoint device.
  • the parameter request may comply with a specification of Manufacturer Usage Description as defined in Internet Engineering Task Force Request for Comments 8520. (Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage Description Specification," RFC 8520, March 2019)
  • the device parameters may comprise access control parameters.
  • the network access request may comply with Link Layer Discovery Protocol, Dynamic Host Configuration Protocol, or Institute of Electrical and Electronics Engineers 802.1X.
  • the reference may be in the form of a Uniform Resource Identifier.
  • the method may further comprise: verifying integrity of the parameter request.
  • the method may further comprise: verifying integrity of the device parameters.
  • a network access server for enabling configuring an endpoint device.
  • the network access server comprises: a processor; and a memory storing instructions that, when executed by the processor, cause the network access server to: receive a network access request from the endpoint device, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtain the device parameters from the storage server based on the reference; provide the parameter request to a bootstrap server; and provide a network resource allocation message to the endpoint device.
  • the parameter request may comply with a specification of Manufacturer Usage Description, as defined in Internet Engineering Task Force Request for Comments, 8520.
  • the device parameters may comprise access control parameters.
  • the network access request may comply with Link Layer Discovery Protocol, Dynamic Host Configuration Protocol, or Institute of Electrical and Electronics Engineers 802.1X.
  • the reference is in the form of a Uniform Resource Identifier.
  • the network access server may further comprise instructions that, when executed by the processor, cause network access server to verify integrity of the parameter request.
  • the network access server may further comprise instructions that, when executed by the processor, cause network access server to verify integrity of the device parameters.
  • a computer program for enabling configuring an endpoint device comprises computer program code which, when executed on a network access server causes the network access server to: receive a network access request from the endpoint device, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtain the device parameters from the storage server based on the reference; provide the parameter request to a bootstrap server; and provide a network resource allocation message to the endpoint device.
  • a method for enabling configuring an endpoint device.
  • the method is performed by a bootstrap server.
  • the method comprises: receiving a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtaining the device parameters from the storage server based on the reference; generating a bootstrap data structure based on the device parameters; receiving a bootstrap request from the endpoint device; and transmitting the bootstrap data structure to the endpoint device.
  • the bootstrap data structure may comply with a bootstrap pack defined in Open Mobile Alliance Lightweight Machine to Machine.
  • the generating a bootstrap data structure may be based also on the identifier of the endpoint device.
  • the receiving a parameter request may comprise receiving the parameter request from a network access server.
  • the device parameters may comprise access control parameters, in which case the generating a bootstrap data structure is based on the access control parameters.
  • the reference may be in the form of a Uniform Resource Identifier.
  • a bootstrap server for enabling configuring an endpoint device.
  • the bootstrap server comprises: a processor; and a memory storing instructions that, when executed by the processor, cause the bootstrap server to: receive a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtain the device parameters from the storage server based on the reference; generate a bootstrap data structure based on the device parameters; receive a bootstrap request from the endpoint device; and transmit the bootstrap data structure to the endpoint device.
  • the bootstrap data structure may comply with a bootstrap pack defined in Open Mobile Alliance, Lightweight Machine to Machine.
  • the instructions to generate a bootstrap data structure may comprise instructions that, when executed by the processor, cause bootstrap server to generate the bootstrap data structure based also on the identifier of the endpoint device.
  • the instructions to receive a parameter request may comprise instructions that, when executed by the processor, cause bootstrap server to receive the parameter request from a network access server.
  • the device parameters may comprise access control parameters, in which case the instructions to generate a bootstrap data structure comprise instructions that, when executed by the processor, cause bootstrap server to generate the bootstrap data structure based on the access control parameters.
  • the reference may be in the form of a Uniform Resource Identifier.
  • a computer program for enabling configuring an endpoint device.
  • the computer program comprises computer program code which, when executed on a bootstrap server causes the bootstrap server to: receive a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtain the device parameters from the storage server based on the reference; generate a bootstrap data structure based on the device parameters; receive a bootstrap request from the endpoint device; and transmit the bootstrap data structure to the endpoint device.
  • a method for enabling configuring an endpoint device comprising: transmitting a network access request to a network access server, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; receiving a network resource allocation message; transmitting a bootstrap request to a bootstrap server; and receiving a bootstrap data structure from the bootstrap server.
  • the parameter request may further comprise an authentication code based on other data in the parameter request.
  • the authentication code may be based on a digital signature or a message authentication code.
  • the bootstrap request may comprise the parameter request.
  • the reference may be in the form of a Uniform Resource Identifier.
  • an endpoint device for enabling configuring the endpoint device.
  • the endpoint device comprises: a processor; and a memory storing instructions that, when executed by the processor, cause the endpoint device to: transmit a network access request to a network access server, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; receive a network resource allocation message; transmit a bootstrap request to a bootstrap server; and receive a bootstrap data structure from the bootstrap server.
  • the parameter request may further comprise an authentication code based on other data in the parameter request.
  • the authentication code may be based on a digital signature or a message authentication code.
  • the bootstrap request may comprise the parameter request.
  • the reference may be in the form of a Uniform Resource Identifier.
  • a computer program for enabling configuring an endpoint device.
  • the computer program comprises computer program code which, when executed on the endpoint device, causes the endpoint device to: transmit a network access request to a network access server, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; receive a network resource allocation message; transmit a bootstrap request to a bootstrap server; and receive a bootstrap data structure from the bootstrap server.
  • a computer program product comprising a computer program according to the third aspect, the sixth aspect or the ninth aspect and a computer readable means comprising non-transitory memory in which the computer program is stored.
  • a system comprising the network access server according to the second aspect, the bootstrap server according to the fifth aspect and the endpoint device according to the eighth aspect.
  • FIG 1 is a schematic diagram illustrating an environment in which embodiments presented herein can be applied;
  • Fig 2 is a sequence diagram illustrating communication between various entities in embodiments which can be applied in the environment of Fig 1;
  • Fig 3 is a schematic diagram illustrating a parameter request according to one embodiment;
  • FIGs 4A-B are flowcharts illustrating embodiments of methods for enabling configuring an endpoint device, performed by a network access server;
  • Fig 5 is a flowchart illustrating embodiments of methods for enabling configuring an endpoint device, performed by a bootstrap server
  • FIG 6 is a flowchart illustrating embodiments of methods for enabling configuring an endpoint device, performed by an endpoint device
  • Fig 7 is a schematic diagram illustrating components of the endpoint device, the network access server and bootstrap server of Fig 1;
  • Fig 8 is a schematic diagram showing functional modules of the network access server of Fig 1 according to one embodiment
  • Fig 9 is a schematic diagram showing functional modules of the bootstrap server of Fig 1 according to one embodiment
  • Fig 10 is a schematic diagram showing functional modules of the endpoint device of Fig 1 according to one embodiment.
  • FIG 11 shows one example of a computer program product 90 comprising computer readable means.
  • FIG 1 is a schematic diagram illustrating an environment in which embodiments presented herein can be applied.
  • One or more endpoint devices 2 are provided.
  • the one or more endpoint devices 2 are referred to in singular form for reasons of clarity.
  • the endpoint device 2 can be any suitable device that benefits from obtaining network access.
  • the endpoint device 2 can be an Internet-of-Things (IoT) device, which is an electronic device that is typically provided for a specific purpose, with the ability to provide information and/or be controlled by one or more other devices.
  • IoT devices can be quite limited in their hardware resources and benefit from being easily deployed, preferably without any manual configuration.
  • a communication network 9 is provided to enable data communication between the various entities.
  • the communication network 9 can comprise a local area network (LAN) and/ or a wide area network (WAN), such as the Internet.
  • the communication network 9 supports IP (Internet Protocol) communication.
  • the communication network 9 can comprise wired and/or wireless components, e.g., based on Ethernet, IEEE 802.1x (e.g. Wi-Fi), cellular networks complying with any one or a combination of next generation mobile networks (fifth generation, 5G), LTE (Long Term Evolution), UMTS (Universal Mobile Telecommunications System) utilizing W-CDMA (Wideband Code Division Multiple Access), or any other current or future wireless network. Connections between various entities over the communication network 9 can be encrypted or secured otherwise, as known in the art per se.
  • the endpoint device 2 comprises a MUD (Manufacturer Usage Description) client for requesting appropriate access and network connection for its need.
  • MUD is an embedded software standard defined by the IETF (Internet Engineering Task Force) that allows manufacturers of IoT devices to advertise device parameters, including the intended communication patterns for their device when it connects to the network.
  • the device parameters are provided in a storage server 4 and are referred to in a parameter request, which can comprise a MUD URI (Uniform Resource Identifier).
  • the network can then use this intent to author a context-specific access policy, so the device functions only within those parameters.
  • the MUD becomes the authoritative identifier and enforcer of policy for devices on the network.
  • the endpoint device 2 also comprises a pre-configured client for a client- initiated OMA LWM2M bootstrap procedure.
  • This procedure provides a mechanism for the LWM2M client to retrieve bootstrap information from an LwM2M bootstrap server 5.
  • the LWM2M client comprises preconfigured TLS (Transport Layer Security)/DTLS (Datagram TLS), and/or OSCORE (Object Security for Constrained Restful Environments) security credentials that are preloaded in the endpoint device 2, for authentication with the bootstrap server 5 to retrieve a bootstrap data structure.
  • the bootstrap data structure such as a bootstrap pack, contains at a minimum an LWM2M server account and may contain additional objects, e.g., for access control and connectivity monitoring.
  • an LWM2M client can be populated using a single message containing several objects and several instances of such objects.
  • a network access server 3 is provided to provide network access to the endpoint device 2 when it is powered up or otherwise needs network access.
  • the network access server 3 can be provided in a single hardware device or can be implemented using several separate hardware devices in communication with each other.
  • the network access server 3 comprises several different functions.
  • the network access server 3 can include a net access device, an AAA (authentication, authorization, and accounting) server and a MUD controller.
  • the net access device allows clients to gain access to the network and can be implemented based on DHCP (Dynamic Host Configuration Protocol), LLDP (Link Layer Discovery Protocol), any of the IEEE (Institute of Electrical and Electronics Engineers) 802.1x specifications or any other suitable protocol.
  • the AAA server provides functions for access control.
  • the MUD controller communicates with the endpoint device 2 to establish initial access and network functionality that is requested by the endpoint device 2.
  • when the endpoint device 2 wants to connect to a network, it emits a parameter request, e.g., as a MUD URI, embedded in an LLDP, DHCP or 802.1X request to the network access server 3.
  • This parameter request is extracted by the network access server 3, passed to the AAA server which passes the parameter request to the MUD Controller, which uses the parameter request to obtain the device parameters from the storage server 4.
  • the storage server 4 is any suitable server capable of storing device parameters that are retrievable using the parameter request.
  • the bootstrap server 5 is also connected to the communication network 9.
  • the bootstrap server 5 can e.g., be an LwM2M bootstrap server. As described in more detail below, the bootstrap server 5 is provided the parameter request and uses it to include network-specific data when generating the bootstrap data structure for the endpoint device 2.
  • a system 10 comprises the endpoint device 2, the network access server 3 and the bootstrap server 5.
  • Fig 2 is a sequence diagram illustrating communication between various entities in embodiments which can be applied in the environment of Fig 1. Specifically, Fig 2 illustrates communication between the endpoint device 2, the network access server 3, the storage server 4 and the bootstrap server 5. The sequence starts when the endpoint device 2 is powered on or for some other reason needs network access. Reference is also made to Fig 3, schematically illustrating a parameter request 34 according to one embodiment.
  • the endpoint device 2 sends a network access request 20 to the network access server 3.
  • the network access request 20 can be a DHCP, LLDP, or IEEE 802.1x access request.
  • the network access request 20 comprises a parameter request 34.
  • the parameter request 34 can comprise a reference 15 in the form of a MUD URI (called a MUD URL in RFC 8520).
  • the parameter request 34 optionally also comprises authentication data 16 to allow verification of the integrity of the parameter request.
  • the structure and content of the parameter request 34 can be hardcoded in the endpoint device 2 during manufacturing, to reduce requirements on the endpoint device 2. Alternatively, the parameter request 34 is constructed dynamically when needed by the endpoint device 2.
  • the network access server 3 receives the network access request 20 and extracts the parameter request 34. The network access server 3 can then verify 21 the authenticity and integrity of the parameter request 34 with the help of underlying security technologies, e.g., using MACsec (Medium Access Control Security) or WPA2 (Wi-Fi Protected Access 2), based on the authentication data 16 of the parameter request 34.
  • the network access server 3 requests 22 the device parameters based on the parameter request 34, which is a reference to a resource on the storage server 4.
  • the network access server 3 can obtain the device parameters from the storage server 4 based on the reference, e.g., using a HTTP (Hypertext Transfer Protocol) or COAP (Constrained Application Protocol) GET request.
  • TLS (or DTLS, for CoAP over UDP) can be applied, which is used to implement HTTPS (HTTP Secure) and/or COAPS (COAP secure).
  • the storage server 4 responds with the device parameters 23 referred to in the parameter request 34.
  • the device parameters 23 can be provided in the form of a MUD file, which the reference 15 points to.
  • the network access server 3 (or more specifically its MUD controller) then verifies 24 the integrity of the device parameters 23, e.g., by verifying the detached signature referenced by the mud-signature attribute of the MUD file.
  • the network access server 3 configures an access control list based on the information in the device parameters 23.
  • the network access server 3 determines that the endpoint device 2 is to be provided with bootstrap information. This can e.g., be achieved by checking if the parameter request indicates that the endpoint device supports bootstrapping. Alternatively or additionally, this can be achieved by checking details in the device parameters 23, such as addresses and/or ports associated with LwM2M.
  • the network access server 3 sends a message 25 (e.g., a HTTP(S)/COAP(S) POST message) comprising the parameter request 34 to the bootstrap server 5.
  • the network access server 3 transmits a network resource allocation message 26 (including e.g., IP address to use, gateway) to the endpoint device 2 to enable initial access to the network for the endpoint device.
  • the network resource allocation message 26 is in response to the network access request 20, and can thus conform to DHCP, LLDP, or IEEE 802.1x.
  • the bootstrap server verifies the endpoint device identity (when included) in the parameter request against a database of valid identities.
  • This database can be populated with valid identities as part of the manufacturing process or provisioning process of endpoint devices 2.
  • the bootstrap server 5 then sends a request 28 (e.g., a HTTP(S) or COAP(S) GET request) based on the parameter request 34 to the storage server 4, upon which the storage server 4 responds with the device parameters 23.
  • the bootstrap server 5 can create a more elaborate bootstrap data structure. By knowing the network services allowed (indicated in the device parameters), as well the access control the bootstrap server can generate 30 a bootstrap data structure that contains a more specific firmware update object and access control granularity that conforms with the network configuration determined by the network access server 3.
  • the endpoint device 2 sends a bootstrap request 32 (e.g., in the form of a HTTP(S) or COAP(S) GET request) to the bootstrap server 5, the bootstrap server responds 33 with the generated tailor-made bootstrap data structure.
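The Fig 2 exchange carried through end to end, as an added example written for this page (it is not code from the patent or from Ericsson, and it also covers the per-entity steps of Figs 4A-B, 5 and 6). Everything in it is an assumption on top of the text: the MUD file, the keys and the device identifier are constructed; the identifier 18 and indicator 19 ride as query parameters on the MUD URI and the authentication data 16 is an HMAC over the rest (RFC 8520 defines none of that); the detached MUD signature is an HMAC stand-in for the CMS signature RFC 8520 actually uses; and the bootstrap pack is a plain dict naming the LwM2M object IDs, not LwM2M wire format. The storage server is a dict lookup standing in for the HTTP(S)/COAP(S) GET.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample material (assumptions, not from the patent): a pre-shared key the
# endpoint shares with the network access server and the bootstrap server, and a
# manufacturer key that signs MUD files held on the storage server.
DEVICE_KEY = b"endpoint-psk-0001"
MANUFACTURER_KEY = b"manufacturer-mud-signing-key"
DEVICE_ID = "urn:dev:ops:32473-sensor-1"
MUD_URL = "https://mud.example.com/sensor.json"
LWM2M_PORTS = (5683, 5684)


def tag(key, data):
    """HMAC-SHA256 stand-in for the signature / MAC the patent leaves open."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


# ---- storage server 4: a constructed MUD file in trimmed RFC 8520 shape plus a
# detached signature (HMAC here; RFC 8520 uses a CMS signature).
MUD_FILE = json.dumps({
    "ietf-mud:mud": {"mud-url": MUD_URL, "mud-signature": MUD_URL + ".sig",
                     "from-device-policy": {"access-lists": ["from-sensor"]}},
    "ietf-access-control-list:acls": {"acl": [{"name": "from-sensor", "aces": [
        {"name": "lwm2m", "dst-dnsname": "lwm2m.example.com", "dst-port": 5684},
        {"name": "fw", "dst-dnsname": "fw.example.com", "dst-port": 443}]}]},
}, sort_keys=True).encode()
STORAGE = {MUD_URL: MUD_FILE, MUD_URL + ".sig": tag(MANUFACTURER_KEY, MUD_FILE)}


def storage_get(url):                      # requests 22/28, response 23
    return STORAGE[url]


def acl_from_mud(mud):
    """Flatten the MUD ACEs into (destination host, port) pairs."""
    return [(ace["dst-dnsname"], ace["dst-port"])
            for acl in mud["ietf-access-control-list:acls"]["acl"] for ace in acl["aces"]]


# ---- endpoint device 2: parameter request 34 = reference 15 + identifier 18 +
# indicator 19, with authentication data 16 as a MAC over the other three fields.
def build_parameter_request(mud_url=MUD_URL, device_id=DEVICE_ID, bootstrap=True):
    s = urlsplit(mud_url)
    query = urlencode({"id": device_id, "bs": "1" if bootstrap else "0"})
    unsigned = urlunsplit((s.scheme, s.netloc, s.path, query, ""))
    return unsigned + "&mac=" + tag(DEVICE_KEY, unsigned.encode())


def parse_parameter_request(request):
    """Split the request into its fields and check the MAC (verify 21, and 27)."""
    s = urlsplit(request)
    fields = {k: v[0] for k, v in parse_qs(s.query).items()}
    mac = fields.pop("mac", "")
    unsigned = urlunsplit((s.scheme, s.netloc, s.path, urlencode(fields), ""))
    return {"ok": hmac.compare_digest(mac, tag(DEVICE_KEY, unsigned.encode())),
            "reference": urlunsplit((s.scheme, s.netloc, s.path, "", "")),
            "id": fields.get("id"), "bootstrap": fields.get("bs") == "1"}


# ---- network access server 3: steps 21 to 26 of Fig 2.
def network_access_server(network_access_request, bootstrap_server):
    pr = parse_parameter_request(network_access_request["mud_url"])
    if not pr["ok"]:
        raise PermissionError("parameter request failed integrity check")   # 21
    mud_bytes = storage_get(pr["reference"])                                 # 22/23
    mud = json.loads(mud_bytes)
    sig = storage_get(mud["ietf-mud:mud"]["mud-signature"])
    if not hmac.compare_digest(sig, tag(MANUFACTURER_KEY, mud_bytes)):
        raise PermissionError("MUD file signature invalid")                 # 24
    acl = acl_from_mud(mud)
    # Involve the bootstrap server if indicator 19 is set, or if the device
    # parameters name an LwM2M port (the alternative the text gives).
    if pr["bootstrap"] or any(port in LWM2M_PORTS for _, port in acl):
        bootstrap_server.receive_parameter_request(network_access_request["mud_url"])  # 25
    return {"ip": "10.0.0.23", "gateway": "10.0.0.1", "acl": acl}             # 26 (constructed)


# ---- bootstrap server 5: steps 27 to 30 and 32/33 of Fig 2.
class BootstrapServer:
    def __init__(self, valid_ids):
        self.valid_ids = set(valid_ids)    # populated at manufacturing / provisioning
        self.pending = {}

    def receive_parameter_request(self, request):
        pr = parse_parameter_request(request)
        if not pr["ok"] or pr["id"] not in self.valid_ids:
            raise PermissionError("unknown or unauthenticated endpoint")     # 27
        mud = json.loads(storage_get(pr["reference"]))                       # 28/29, re-fetched
        self.pending[pr["id"]] = self.generate_bootstrap_pack(acl_from_mud(mud))  # 30

    @staticmethod
    def generate_bootstrap_pack(acl):
        """Simplified pack: Security (0), Server (1), Access Control (2) and Firmware
        Update (5) objects, limited to what the network ACL allows. Dict layout is
        this example's, not LwM2M's."""
        host, port = next((h, p) for h, p in acl if p in LWM2M_PORTS)
        return {"0": {"server_uri": f"coaps://{host}:{port}", "bootstrap_server": False},
                "1": {"short_server_id": 1, "lifetime": 3600},
                "2": {"allowed_hosts": sorted({h for h, _ in acl})},
                "5": {"package_uri_hosts": [h for h, p in acl if p == 443]}}

    def bootstrap_request(self, device_id):                                  # 32/33
        return self.pending.pop(device_id, None)


def endpoint_flow(bootstrap_server):
    """The endpoint's side: request 20, allocation 26, bootstrap request 32 / response 33."""
    request = {"protocol": "DHCP", "mud_url": build_parameter_request()}     # 20
    allocation = network_access_server(request, bootstrap_server)
    return allocation, bootstrap_server.bootstrap_request(DEVICE_ID)
```

Two details are worth noting. The bootstrap server re-fetches and re-verifies rather than trusting the device parameters the network access server already holds, matching request 28 in Fig 2, so a compromised access server cannot feed it a different MUD file. And a pack is handed out once per admission: a second bootstrap request 32 for the same identifier gets nothing until the device goes through network access again.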
  • Figs 4A-B are flowcharts illustrating embodiments of methods for enabling configuring an endpoint device, performed by a network access server 3. The steps correspond to the actions of the network access server 3 in Fig 2. First, embodiments illustrated by Fig 4A will be described.
  • the network access server 3 receives a network access request from an endpoint device 2.
  • the network access request comprises a parameter request 34 (e.g., as a URI) comprising a reference to a storage server 4 for obtaining device parameters.
  • the parameter request further comprises an identifier 18 of the endpoint device and an indicator 19 to use a bootstrap procedure.
  • the parameter request can e.g., comply with a specification of MUD defined in RFC (Request for Comments) 8520.
  • the parameter request 34 optionally comprises authentication data 16 as described above.
  • the network access request can e.g., comply with LLDP, DHCP, or any of the IEEE 802.1x specifications.
  • the network access server 3 obtains the device parameters from the storage server 4 based on the reference, e.g., using a HTTP(S) or COAP(S) GET request.
  • the device parameters can comprise access control parameters.
  • the network access server 3 provides the parameter request to a bootstrap server 5, e.g., as a HTTP(S)/COAP(S) POST message, allowing the bootstrap server 5 to consider the device parameters when generating the bootstrap data structure.
  • in a provide network resource allocation step 46, the network access server 3 provides a network resource allocation message to the endpoint device 2, allowing the endpoint device 2 to connect to the network.
  • the network access server 3 verifies integrity of the parameter request.
  • the MUD specification provides some solutions to verify the integrity of the MUD URI, such as Extensible Authentication Protocol (EAP) over RADIUS and Tunnel Extensible Authentication Protocol (TEAP). Furthermore, there may be a need for additional security measures against malicious or malformed MUD URIs that could use resources unnecessarily.
  • the parameter request (e.g., MUD URI) includes a digital signature or Message Authentication Code (MAC) as a parameter (see 16 of Fig 3 and description above).
  • a cryptographic key or certificate used to sign the URI could be the same as the one used for subsequent bootstrap communication.
  • the network access server 3 verifies integrity of the device parameters that are obtained from the storage server 4.
  • Fig 5 is a flowchart illustrating embodiments of methods for enabling configuring an endpoint device, performed by a bootstrap server 5. The steps correspond to the actions of the bootstrap server 5 in Fig 2.
  • the bootstrap server 5 receives a parameter request, comprising a reference 15 e.g., in the form of a URI.
  • the parameter request comprises a reference to a storage server 4 for obtaining device parameters.
  • the parameter request further comprises an identifier 18 of an endpoint device 2 and an indicator 19 to use a bootstrap procedure.
  • the parameter request can be received from the network access server 3.
  • the bootstrap server 5 obtains the device parameters from the storage server 4 based on the reference, e.g., using a HTTP or COAP GET request.
  • in a generate bootstrap data structure step 144, the bootstrap server 5 generates a bootstrap data structure based on the device parameters.
  • the bootstrap data structure can comply with a bootstrap pack as defined in OMA LwM2M.
  • the generating of a bootstrap data structure can also be based on the identifier 18 of the endpoint device.
  • the device parameters can comprise access control parameters.
  • the generating a bootstrap data structure can also be based on the access control parameters.
  • in a receive bootstrap request step 146, the bootstrap server 5 receives a bootstrap request from the endpoint device 2, e.g., in a HTTP(S)/COAP(S) POST message.
  • the parameter request is included in the bootstrap request from the endpoint device 2, e.g., in the credentials used in the bootstrap request during establishment of secure communication between the endpoint device 2 and the bootstrap server 5.
  • a device certificate used in the authentication of the endpoint device 2 could include the parameter request, or a (D)TLS extension used in establishment of the secure communication could include the parameter request.
  • This provides the bootstrap server with more assurances that the parameter request is correct before generating and providing the bootstrap data structure.
  • in a transmit bootstrap data structure step 148, the bootstrap server 5 transmits the bootstrap data structure to the endpoint device 2.
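The cross-check the Fig 5 steps 146 to 148 describe, as an added example written for this page (not the patent's or Ericsson's code): the bootstrap server keeps the parameter request it received from the network access server per identifier, and releases the bootstrap data structure only when the parameter request carried in the endpoint's own credential agrees with it. The credential is modelled as a dict with an HMAC proof, an assumption standing in for the certificate attribute or (D)TLS extension the text mentions; the identity database, the pre-shared key, the parameter request string, the 300-second pending lifetime and the minimal pack are all constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed sample data (assumptions, not from the patent): identities loaded at
# manufacturing, and a key the endpoint shares with the bootstrap server that stands
# in for its certificate / DTLS credential.
VALID_IDS = {"urn:dev:ops:32473-sensor-1", "urn:dev:ops:32473-sensor-2"}
CREDENTIAL_KEY = b"endpoint-psk-0001"
PARAMETER_REQUEST = "https://mud.example.com/sensor.json?id=urn:dev:ops:32473-sensor-1&bs=1"


def proof_for(device_id, parameter_request, key=CREDENTIAL_KEY):
    """Binds the parameter request to the device credential (HMAC stand-in)."""
    return hmac.new(key, f"{device_id}|{parameter_request}".encode(), hashlib.sha256).hexdigest()


def credential(device_id, parameter_request, key=CREDENTIAL_KEY):
    """Stand-in for a certificate attribute or (D)TLS extension carrying the request."""
    return {"id": device_id, "parameter_request": parameter_request,
            "proof": proof_for(device_id, parameter_request, key)}


class BootstrapServer:
    def __init__(self, valid_ids=VALID_IDS, pending_ttl=300, clock=time.time):
        self.valid_ids = set(valid_ids)
        self.pending = {}          # identifier -> (parameter request from NAS, time received)
        self.ttl, self.clock = pending_ttl, clock

    def receive_from_network_access_server(self, device_id, parameter_request):
        """Message 25: remember what the network access server saw, per identity."""
        if device_id not in self.valid_ids:
            return "unknown identity"
        self.pending[device_id] = (parameter_request, self.clock())
        return "pending"

    def handle_bootstrap_request(self, cred):
        """Steps 146 to 148: every check must pass before the pack leaves the server."""
        device_id = cred["id"]
        if device_id not in self.valid_ids:
            return "unknown identity", None
        expected = proof_for(device_id, cred["parameter_request"])
        if not hmac.compare_digest(expected, cred["proof"]):
            return "credential invalid", None
        entry = self.pending.get(device_id)
        if entry is None or self.clock() - entry[1] > self.ttl:
            self.pending.pop(device_id, None)          # stale entries are dropped, not reused
            return "no pending parameter request", None
        if not hmac.compare_digest(entry[0], cred["parameter_request"]):
            return "parameter request mismatch", None  # NAS and endpoint disagree
        del self.pending[device_id]                    # one bootstrap per network admission
        pack = {"0": {"server_uri": "coaps://lwm2m.example.com:5684"}, "from": entry[0]}
        return "ok", pack
```

The clock is injectable so the expiry path can be exercised deterministically; in production the lifetime should be short enough that a parameter request replayed from an earlier admission cannot still match a pending entry.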
  • Fig 6 is a flowchart illustrating embodiments of methods for enabling configuring an endpoint device, performed by an endpoint device 2. The steps correspond to the actions of the endpoint device 2 in Fig 2.
  • in a transmit network access request step 240, the endpoint device 2 transmits a network access request 20 to a network access server 3.
  • the network access request 20 can be a DHCP, LLDP, or IEEE 802.1X access request as mentioned above.
  • the network access request comprises a parameter request comprising a reference (e.g., in the form of a URI).
  • the parameter request comprises a reference to a storage server 4 for obtaining device parameters 23.
  • the parameter request further comprises an identifier 18 of the endpoint device 2 and an indicator 19 to use a bootstrap procedure.
  • the parameter request can further comprise an authentication code based on other data in the parameter request.
  • the authentication code is based on a digital signature or a message authentication code.
  • In a receive network resource allocation message step 242, the endpoint device 2 receives a network resource allocation message.
  • the endpoint device can then connect to the network, e.g., on an IP level.
  • In a transmit bootstrap request step 244, the endpoint device 2 transmits a bootstrap request to the bootstrap server 5, e.g., in a HTTP(S)/COAP(S) GET message.
  • the bootstrap request can comprise the parameter request, allowing the bootstrap server 5, e.g., as part of credentials, to verify the integrity of the bootstrap request.
  • In a receive bootstrap data structure step 246, the endpoint device 2 receives a bootstrap data structure (e.g., a LWM2M bootstrap pack) from the bootstrap server 5, e.g., in a HTTP(S)/COAP(S) response message to the GET of the bootstrap request.
  • the embodiments presented herein exploit the information in the parameter request (e.g., MUD URI) and the device parameters (e.g., a MUD file) when the bootstrap data structure is generated.
  • the bootstrap data structure is set up to configure services and service access in alignment with network configuration, applications and device management.
  • Fig 7 is a schematic diagram illustrating components of the endpoint device 2, the network access server 3 and bootstrap server 5 of Fig 1.
  • a processor 60 is provided using any combination of one or more of a suitable central processing unit (CPU), graphics processing unit (GPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions 67 stored in a memory 64, which can thus be a computer program product.
  • the processor 60 could alternatively be implemented using an application specific integrated circuit (ASIC), field programmable gate array (FPGA), etc.
  • the processor 60 can be configured to execute the method described with reference to Figs 4A-B above for the network access server 3, the method described with reference to Fig 5 above for the bootstrap server 5 and the method described with reference to Fig 6 above for the endpoint device 2.
  • the memory 64 can be any combination of random-access memory (RAM) and/or read-only memory (ROM).
  • the memory 64 also comprises non-transitory persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid-state memory or even remotely mounted memory.
  • a data memory 66 is also provided for reading and/ or storing data during execution of software instructions in the processor 60.
  • the data memory 66 can be any combination of RAM and/or ROM.
  • An I/O interface 62 is provided for communicating with external and/ or internal entities using wired communication, e.g., based on Ethernet, and/or wireless communication, e.g., Wi-Fi, and/or a cellular network, as long as the principles described hereinafter are applicable.
  • Fig 8 is a schematic diagram showing functional modules of the network access server 3 of Fig 1 according to one embodiment.
  • the modules are implemented using software instructions such as a computer program executing in the network access server 3.
  • the modules are implemented using hardware, such as any one or more of an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or discrete logical circuits.
  • the modules correspond to the steps in the methods illustrated in Figs 4A-B.
  • a request receiver 70 corresponds to step 40.
  • a parameter request verifier 71 corresponds to step 41.
  • a parameter obtainer 72 corresponds to step 42.
  • a device parameter verifier 73 corresponds to step 43.
  • a request provider 74 corresponds to step 44.
  • a network allocation message provider 76 corresponds to step 46.
  • Fig 9 is a schematic diagram showing functional modules of the bootstrap server 5 of Fig 1 according to one embodiment.
  • the modules are implemented using software instructions such as a computer program executing in the bootstrap server 5.
  • the modules are implemented using hardware, such as any one or more of an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or discrete logical circuits.
  • the modules correspond to the steps in the methods illustrated in Fig 5.
  • a parameter request receiver 170 corresponds to step 140.
  • a parameter obtainer 172 corresponds to step 142.
  • a bootstrap generator 174 corresponds to step 144.
  • a bootstrap request receiver 176 corresponds to step 146.
  • a bootstrap data transmitter 178 corresponds to step 148.
  • Fig 10 is a schematic diagram showing functional modules of the endpoint device 2 of Fig 1 according to one embodiment.
  • the modules are implemented using software instructions such as a computer program executing in the endpoint device 2.
  • the modules are implemented using hardware, such as any one or more of an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or discrete logical circuits.
  • the modules correspond to the steps in the methods illustrated in Fig 6.
  • a network access request transmitter 270 corresponds to step 240.
  • a network allocation receiver 272 corresponds to step 242.
  • a bootstrap request transmitter 274 corresponds to step 244.
  • a bootstrap data receiver 276 corresponds to step 246.
  • Fig 11 shows one example of a computer program product 90 comprising computer readable means.
  • a computer program 91 can be stored in a non-transitory memory.
  • the computer program can cause a processor to execute a method according to embodiments described herein.
  • the computer program product is in the form of a removable solid-state memory, e.g., a Universal Serial Bus (USB) drive.
  • the computer program product could also be embodied in a memory of a device, such as the computer program product 64 of Fig 7.
  • While the computer program 91 is here schematically shown as a section of the removable solid-state memory, the computer program can be stored in any way which is suitable for the computer program product, such as another type of removable solid-state memory, or an optical disc, such as a CD (compact disc), a DVD (digital versatile disc) or a Blu-Ray disc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer And Data Communications (AREA)

Abstract

It is provided a method for enabling configuring an endpoint device (2). The method is performed by a network access server (3). The method comprises: receiving (40) a network access request (20) from the endpoint device, the network access request comprising a parameter request (34), the parameter request comprising a reference (15) to a storage server (4) for obtaining device parameters (23), the parameter request further comprising an identifier (18) of the endpoint device and an indicator (19) to use a bootstrap procedure; obtaining (42) the device parameters from the storage server based on the reference; providing (44) the parameter request to a bootstrap server (5); and providing (46) a network resource allocation message (26) to the endpoint device. Computer programs, computer program products, and a system are also disclosed.

Description

ENABLING CONFIGURING AN ENDPOINT DEVICE
TECHNICAL FIELD
[0001] The present disclosure relates to methods, a network access server, a bootstrap server, an endpoint device, computer programs, computer program products, and a system. More particularly, but not exclusively, the disclosure relates to the field of configuration of an endpoint device.
BACKGROUND
[0002] The use of IoT (Internet-of-Things) devices is increasing steadily and finds new applications in many different fields. IoT devices are by nature often limited in terms of available resources. Also, IoT devices benefit from being easily deployed, preferably without any manual configuration.
[0003] One way to simplify deployment is to use a LwM2M (Lightweight Machine-to-Machine) bootstrap procedure defined by OMA (Open Mobile Alliance) (Open Mobile Alliance, Lightweight Machine to Machine Technical Specification: Core, V1.2; 2020-11-10). This procedure provides a mechanism for a LwM2M client in the IoT device to retrieve bootstrap information from an LwM2M bootstrap server to enable boot and e.g. firmware updates.
[0004] In the LWM2M procedure, the LwM2M client connects to a LwM2M Bootstrap-Server to obtain a bootstrap pack for configuration of the IoT device. The bootstrap pack contains at a minimum an LWM2M server account and may contain additional objects, e.g. for access control and connectivity monitoring. In this way, the IoT device can be configured using a single message, which may contain several objects.
[0005] However, the LwM2M protocol is not sufficient for all configuration of the endpoint device, such as certain network parameters.
SUMMARY
[0006] One object is to improve configuration of an endpoint device connectable to a communication network.
[0007] According to a first aspect, it is provided a method for enabling configuring an endpoint device. The method is performed by a network access server. The method comprises: receiving a network access request from the endpoint device, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtaining the device parameters from the storage server based on the reference; providing the parameter request to a bootstrap server; and providing a network resource allocation message to the endpoint device.
[0008] The parameter request may comply with a specification of Manufacturer Usage Description as defined in Internet Engineering Task Force Request for Comments 8520. (Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage Description Specification," RFC 8520, March 2019)
[0009] The device parameters may comprise access control parameters.
[0010] The network access request may comply with Link Layer Discovery Protocol, Dynamic Host Configuration Protocol, or Institute of Electrical and Electronics Engineers 802.1X.
[0011] The reference may be in the form of a Uniform Resource Identifier.
[0012] The method may further comprise: verifying integrity of the parameter request.
[0013] The method may further comprise: verifying integrity of the device parameters.
[0014] According to a second aspect, it is provided a network access server for enabling configuring an endpoint device. The network access server comprises: a processor; and a memory storing instructions that, when executed by the processor, cause the network access server to: receive a network access request from the endpoint device, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtain the device parameters from the storage server based on the reference; provide the parameter request to a bootstrap server; and provide a network resource allocation message to the endpoint device.
[0015] The parameter request may comply with a specification of Manufacturer Usage Description, as defined in Internet Engineering Task Force Request for Comments, 8520.
[0016] The device parameters may comprise access control parameters.
[0017] The network access request may comply with Link Layer Discovery Protocol, Dynamic Host Configuration Protocol, or Institute of Electrical and Electronics Engineers 802.1X.
[0018] The reference is in the form of a Uniform Resource Identifier.
[0019] The network access server may further comprise instructions that, when executed by the processor, cause network access server to verify integrity of the parameter request.
[0020] The network access server may further comprise instructions that, when executed by the processor, cause network access server to verify integrity of the device parameters.
[0021] According to a third aspect, it is provided a computer program for enabling configuring an endpoint device. The computer program comprises computer program code which, when executed on a network access server, causes the network access server to: receive a network access request from the endpoint device, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtain the device parameters from the storage server based on the reference; provide the parameter request to a bootstrap server; and provide a network resource allocation message to the endpoint device.
[0022] According to a fourth aspect, it is provided a method for enabling configuring an endpoint device. The method is performed by a bootstrap server. The method comprises: receiving a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtaining the device parameters from the storage server based on the reference; generating a bootstrap data structure based on the device parameters; receiving a bootstrap request from the endpoint device; and transmitting the bootstrap data structure to the endpoint device.
[0023] The bootstrap data structure may comply with a bootstrap pack defined in Open Mobile Alliance Lightweight Machine to Machine.
[0024] The generating a bootstrap data structure may be based also on the identifier of the endpoint device.
[0025] The receiving a parameter request may comprise receiving the parameter request from a network access server.
[0026] The device parameters may comprise access control parameters, in which case the generating a bootstrap data structure is based on the access control parameters.
[0027] The reference may be in the form of a Uniform Resource Identifier.
[0028] According to a fifth aspect, it is provided a bootstrap server for enabling configuring an endpoint device. The bootstrap server comprises: a processor; and a memory storing instructions that, when executed by the processor, cause the bootstrap server to: receive a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtain the device parameters from the storage server based on the reference; generate a bootstrap data structure based on the device parameters; receive a bootstrap request from the endpoint device; and transmit the bootstrap data structure to the endpoint device.
[0029] The bootstrap data structure may comply with a bootstrap pack defined in Open Mobile Alliance, Lightweight Machine to Machine.
[0030] The instructions to generate a bootstrap data structure may comprise instructions that, when executed by the processor, cause bootstrap server to generate the bootstrap data structure based also on the identifier of the endpoint device.
[0031] The instructions to receive a parameter request may comprise instructions that, when executed by the processor, cause bootstrap server to receive the parameter request from a network access server.
[0032] The device parameters may comprise access control parameters, in which case the instructions to generate a bootstrap data structure comprise instructions that, when executed by the processor, cause bootstrap server to generate the bootstrap data structure based on the access control parameters.
[0033] The reference may be in the form of a Uniform Resource Identifier.
[0034] According to a sixth aspect, it is provided a computer program for enabling configuring an endpoint device. The computer program comprises computer program code which, when executed on a bootstrap server causes the bootstrap server to: receive a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; obtain the device parameters from the storage server based on the reference; generate a bootstrap data structure based on the device parameters; receive a bootstrap request from the endpoint device; and transmit the bootstrap data structure to the endpoint device.
[0035] According to a seventh aspect, it is provided a method for enabling configuring an endpoint device. The method is performed by the endpoint device. The method comprises: transmitting a network access request to a network access server, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; receiving a network resource allocation message; transmitting a bootstrap request to bootstrap server; and receiving a bootstrap data structure from the bootstrap server.
[0036] The parameter request may further comprise an authentication code based on other data in the parameter request.
[0037] The authentication code may be based on a digital signature or a message authentication code.
[0038] The bootstrap request may comprise the parameter request.
[0039] The reference may be in the form of a Uniform Resource Identifier.
[0040] According to an eighth aspect, it is provided an endpoint device for enabling configuring the endpoint device. The endpoint device comprises: a processor; and a memory storing instructions that, when executed by the processor, cause the endpoint device, to: transmit a network access request to a network access server, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; receive a network resource allocation message; transmit a bootstrap request to bootstrap server; and receive a bootstrap data structure from the bootstrap server.
[0041] The parameter request may further comprise an authentication code based on other data in the parameter request.
[0042] The authentication code may be based on a digital signature or a message authentication code.
[0043] The bootstrap request may comprise the parameter request.
[0044] The reference may be in the form of a Uniform Resource Identifier.
[0045] According to a ninth aspect, it is provided a computer program for enabling configuring an endpoint device. The computer program comprises computer program code which, when executed on the endpoint device, causes the endpoint device, to: transmit a network access request to a network access server, the network access request comprising a parameter request, the parameter request comprising a reference to a storage server for obtaining device parameters, the parameter request further comprising an identifier of the endpoint device and an indicator to use a bootstrap procedure; receive a network resource allocation message; transmit a bootstrap request to bootstrap server; and receive a bootstrap data structure from the bootstrap server.
[0046] According to a tenth aspect, it is provided a computer program product comprising a computer program according to the third aspect, the sixth aspect or the ninth aspect and a computer readable means comprising non-transitory memory in which the computer program is stored.
[0047] According to an eleventh aspect, it is provided a system comprising the network access server according to the second aspect, the bootstrap server according to the fifth aspect and the endpoint device according to the eighth aspect.
[0048] Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the element, apparatus, component, means, step, etc." are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.
BRIEF DESCRIPTION OF THE DRAWINGS
[0049] Aspects and embodiments are now described, by way of example, with reference to the accompanying drawings, in which:
[0050] Fig 1 is a schematic diagram illustrating an environment in which embodiments presented herein can be applied;
[0051] Fig 2 is a sequence diagram illustrating communication between various entities in embodiments which can be applied in the environment of Fig 1;
[0052] Fig 3 is a schematic diagram illustrating a parameter request according to one embodiment;
[0053] Figs 4A-B are flowcharts illustrating embodiments of methods for enabling configuring an endpoint device, performed by a network access server;
[0054] Fig 5 is a flowchart illustrating embodiments of methods for enabling configuring an endpoint device, performed by a bootstrap server;
[0055] Fig 6 is a flowchart illustrating embodiments of methods for enabling configuring an endpoint device, performed by an endpoint device;
[0056] Fig 7 is a schematic diagram illustrating components of the endpoint device, the network access server and bootstrap server of Fig 1;
[0057] Fig 8 is a schematic diagram showing functional modules of the network access server of Fig 1 according to one embodiment;
[0058] Fig 9 is a schematic diagram showing functional modules of the bootstrap server of Fig 1 according to one embodiment;
[0059] Fig 10 is a schematic diagram showing functional modules of the endpoint device of Fig 1 according to one embodiment; and
[0060] Fig 11 shows one example of a computer program product 90 comprising computer readable means.
DETAILED DESCRIPTION
[0061] The aspects of the present disclosure will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the invention are shown. These aspects may, however, be embodied in many different forms and should not be construed as limiting; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and to fully convey the scope of all aspects of invention to those skilled in the art. Like numbers refer to like elements throughout the description.
[0062] Fig 1 is a schematic diagram illustrating an environment in which embodiments presented herein can be applied. One or more endpoint devices 2 are provided. In the following, the one or more endpoint devices 2 are referred to in singular form for reasons of clarity. The endpoint device 2 can be any suitable device that benefits from obtaining network access. For instance, the endpoint device 2 can be an Internet-of-Things (IoT) device, which is an electronic device that is typically provided for a specific purpose, with ability to provide information and/or be controlled by one or more other devices. IoT devices can be quite limited in their hardware resources and benefit from being easily deployed, preferably without any manual configuration.
[0063] A communication network 9 is provided to enable data communication between the various entities. The communication network 9 can comprise a local area network (LAN) and/or a wide area network (WAN), such as the Internet. The communication network 9 supports IP (Internet Protocol) communication. The communication network 9 can comprise wired and/or wireless components, e.g., based on Ethernet, IEEE 802.1x (e.g. Wi-Fi), cellular networks complying with any one or a combination of next generation mobile networks (fifth generation, 5G), LTE (Long Term Evolution), UMTS (Universal Mobile Telecommunications System) utilizing W-CDMA (Wideband Code Division Multiple Access), or any other current or future wireless network. Connections between various entities over the communication network 9 can be encrypted or secured otherwise, as known in the art per se.
[0064] The endpoint device 2 comprises a MUD (Manufacturer Usage Description) client for requesting appropriate access and network connection for its need. MUD is an embedded software standard defined by the IETF (Internet Engineering Task Force) that allows manufacturers of IoT devices to advertise device parameters, including the intended communication patterns for their device when it connects to the network. The device parameters are provided in a storage server 4 and are referred to in a parameter request which can comprise a MUD URI (Uniform Resource Identifier). The network can then use this intent to author a context-specific access policy, so the device functions only within those parameters. The MUD becomes the authoritative identifier and enforcer of policy for devices on the network.
[0065] The endpoint device 2 also comprises a pre-configured client for a client-initiated OMA LWM2M bootstrap procedure. This procedure provides a mechanism for the LWM2M client to retrieve bootstrap information from an LwM2M bootstrap server 5. The LWM2M client comprises preconfigured TLS (Transport Layer Security)/DTLS (Datagram TLS), and/or OSCORE (Object Security for Constrained RESTful Environments) security credentials that are preloaded in the endpoint device 2, for authentication with the bootstrap server 5 to retrieve a bootstrap data structure. The bootstrap data structure, such as a bootstrap pack, contains at a minimum an LWM2M server account and may contain additional objects, e.g., for access control and connectivity monitoring. By using a bootstrap-pack in the bootstrap interface, an LWM2M client can be populated using a single message containing several objects and several instances of such objects.
[0066] A network access server 3 is provided to provide network access to the endpoint device 2 when it is powered up or otherwise needs network access. The network access server 3 can be provided in a single hardware device or can be implemented using several separate hardware devices in communication with each other. The network access server 3 comprises several different functions. For instance, the network access server 3 can include a net access device, an AAA (authentication, authorization, and accounting) server and a MUD controller. The net access device allows clients to gain access to the network and can be implemented based on DHCP (Dynamic Host Configuration Protocol), LLDP (Link Layer Discovery Protocol), any of the IEEE (Institute of Electrical and Electronics Engineers) 802.1x specifications or any other suitable protocol. The AAA server provides functions for access control. The MUD controller communicates with the endpoint device 2 to establish initial access and network functionality that is requested by the endpoint device 2.
[0067] When the endpoint device 2 wants to connect to a network it emits a parameter request, e.g., as a MUD URI, embedded in a LLDP, DHCP or 802.1X request to the network access server 3. This parameter request is extracted by the network access server 3, passed to the AAA server which passes the parameter request to the MUD Controller, which uses the parameter request to obtain the device parameters from the storage server 4. The storage server 4 is any suitable server capable of storing device parameters that are retrievable using the parameter request.
[0068] The bootstrap server 5 is also connected to the communication network 9. The bootstrap server 5 can e.g., be an LWM2M bootstrap server. As described in more detail below, the bootstrap server 5 is provided the parameter request and exploits this for including network specific data when generating the bootstrap data structure for the endpoint device 2.
[0069] Collectively a system 10 comprises the endpoint device 2, the network access server 3 and the bootstrap server 5.
[0070] Fig 2 is a sequence diagram illustrating communication between various entities in embodiments which can be applied in the environment of Fig 1. Specifically, Fig 2 illustrates communication between the endpoint device 2, the network access server 3, the storage server 4 and the bootstrap server 5. The sequence starts when the endpoint device 2 is powered on or for some other reason needs network access. Reference is also made to Fig 3, schematically illustrating a parameter request 34 according to one embodiment.
[0071] The endpoint device 2 sends a network access request 20 to the network access server 3. The network access request 20 can be a DHCP, LLDP, or IEEE 802.1x access request. The network access request 20 comprises a parameter request 34. The parameter request 34 can comprise a reference 15 in the form of a MUD URI. Optionally, the parameter request 34 comprises an identifier 18 of the endpoint device 2, e.g. “ep=8y3z92”. Optionally, the parameter request 34 comprises an indicator 19 that the endpoint device supports bootstrapping, e.g. “rt=oma.lwm2m”. The parameter request 34 optionally also comprises authentication data 16 to allow verification of the integrity of the parameter request. The structure and content of the parameter request 34 can be hardcoded in the endpoint device 2 during manufacturing, to reduce requirements on the endpoint device 2. Alternatively, the parameter request 34 is constructed dynamically when needed by the endpoint device 2.
[0072] The network access server 3 receives the network access request 20 and extracts the parameter request 34. The network access server 3 can then verify 21 the authenticity and integrity of the parameter request 34 with the help of underlying security technologies, e.g., using MACsec (Medium Access Control Security) or WPA2 (Wi-Fi Protected Access 2), based on the authentication data 16 of the parameter request 34.
[0073] At this stage, the network access server 3 requests 22 the device parameters based on the parameter request 34, which is a reference to a resource on the storage server 4. For instance, the network access server 3 can obtain the device parameters from the storage server 4 based on the reference, e.g., using a HTTP (Hypertext Transfer Protocol) or COAP (Constrained Application Protocol) GET request. Optionally, TLS is applied, which can be used to implement HTTPS (HTTP Secure) and/or COAPS (COAP secure). The storage server 4 responds with the device parameters 23 referred to in the parameter request 34. The reference 15 can be provided in the form of a MUD file.
[0074] The network access server 3 (or more specifically its MUD controller) then verifies 24 the integrity of the device parameters 23, e.g., by verifying a mud-signature attribute in the MUD file. When the device parameters 23 are found to be valid, the network access server 3 configures an access control list based on the information in the device parameters 23.
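As an added illustration (not code from the patent), the following shows how an endpoint device 2 could assemble the parameter request 34 of paragraph [0071] (reference 15, identifier 18 "ep=8y3z92", indicator 19 "rt=oma.lwm2m" and authentication data 16 as a message authentication code), carry it in a DHCPv4 network access request 20, and how the network access server 3 could verify it in step 41 / verification 21. The ";" field separators, the "mac=" field name and the pre-shared device key are assumptions; DHCPv4 option 161 is the MUD URL option of RFC 8520.

```python
# Added example: parameter request 34 built by the endpoint device and checked
# by the network access server. Separators, "mac=" field and key are assumptions.
import hashlib
import hmac
import struct

MUD_URL_OPTION_V4 = 161  # OPTION_MUD_URL_V4, RFC 8520 section 10.1

# Constructed sample key; assumed to be provisioned at manufacturing and known
# to the network access server (e.g., via its AAA function).
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def build_parameter_request(key: bytes, mud_uri: str, endpoint_id: str,
                            bootstrap_indicator: str = "oma.lwm2m") -> str:
    """Endpoint side: reference 15, identifier 18, indicator 19, then a MAC over them."""
    body = f"{mud_uri};ep={endpoint_id};rt={bootstrap_indicator}"
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body};mac={tag}"


def parse_parameter_request(request: str) -> dict:
    """Split the parameter request into its fields without verifying anything."""
    parts = request.split(";")
    fields = {"uri": parts[0]}
    for part in parts[1:]:
        name, _, value = part.partition("=")
        if not name or not value:
            raise ValueError(f"malformed field: {part!r}")
        fields[name] = value
    return fields


def verify_parameter_request(key: bytes, request: str) -> dict:
    """Network access server side: reject anything whose MAC does not cover the
    other fields, so a forged identifier or reference never reaches the MUD
    controller or the bootstrap server."""
    fields = parse_parameter_request(request)
    if not fields["uri"].startswith("https://"):
        raise ValueError("MUD URL must use the https scheme (RFC 8520)")
    body, sep, received = request.rpartition(";mac=")
    if not sep or ";" in received:
        raise ValueError("authentication data must be present and last")
    expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, received):
        raise ValueError("authentication code mismatch")
    return fields


def supports_bootstrap(fields: dict) -> bool:
    """Indicator 19: the endpoint asks for the LwM2M bootstrap procedure."""
    return fields.get("rt") == "oma.lwm2m"


def encode_dhcp_option(request: str) -> bytes:
    """Wrap the parameter request in a DHCPv4 option 161 TLV (code, length, value)."""
    value = request.encode("utf-8")
    if len(value) > 255:
        raise ValueError("parameter request does not fit one DHCPv4 option")
    return struct.pack("!BB", MUD_URL_OPTION_V4, len(value)) + value


def decode_dhcp_option(option: bytes) -> str:
    """Extract the parameter request from a DHCPv4 option 161 TLV."""
    code, length = struct.unpack("!BB", option[:2])
    if code != MUD_URL_OPTION_V4:
        raise ValueError(f"unexpected option code {code}")
    if length != len(option) - 2:
        raise ValueError("option length does not match payload")
    return option[2:].decode("utf-8")


if __name__ == "__main__":
    req = build_parameter_request(
        DEVICE_KEY, "https://storage.example/mud/sensor.json", "8y3z92")
    option = encode_dhcp_option(req)           # network access request 20
    ok = verify_parameter_request(DEVICE_KEY, decode_dhcp_option(option))
    print(ok["uri"], ok["ep"], supports_bootstrap(ok))
```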
[0075] The network access server 3 determines that the endpoint device 2 is to be provided with bootstrap information. This can, e.g., be achieved by checking if the parameter request indicates that the endpoint device supports bootstrapping. Alternatively or additionally, this can be achieved by checking details in the device parameters 23, such as addresses and/or ports associated with LwM2M.
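The following Python sketch is an added illustration of steps [0073] to [0075] on the network access server side; it is not code from the patent or from the applicant. It parses a constructed MUD file laid out as in RFC 8520, checks that the mud-url inside the file matches the reference the device presented (the detached CMS signature check referenced by the MUDSIGNATURE attribute is left out, it would sit right after that consistency check), flattens the access lists into rules, decides whether the device is to be bootstrapped from either the rt indicator or LwM2M-associated ports, and renders an illustrative ACL with an explicit final deny. All hosts, ports and the LWM2M_PORTS set are assumptions for the example.

```python
import json

# Constructed MUD file in the RFC 8520 layout (not from the patent; hosts and
# ports are placeholders). It lets the device reach a LwM2M bootstrap server
# over CoAPS and a firmware host over HTTPS, and nothing else.
SAMPLE_MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://mud.example.com/devices/sensor-v2.json",
        "last-update": "2022-03-10T00:00:00+00:00",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Example sensor, constructed for illustration",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "from-sensor"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "to-sensor"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "from-sensor", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "lwm2m-bootstrap", "matches": {
                "ipv4": {"ietf-acldns:dst-dnsname": "bootstrap.example.com", "protocol": 17},
                "udp": {"destination-port": {"operator": "eq", "port": 5684}}},
             "actions": {"forwarding": "accept"}},
            {"name": "firmware", "matches": {
                "ipv4": {"ietf-acldns:dst-dnsname": "fw.example.com", "protocol": 6},
                "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}},
        ]}},
        {"name": "to-sensor", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "lwm2m-bootstrap-reply", "matches": {
                "ipv4": {"ietf-acldns:src-dnsname": "bootstrap.example.com", "protocol": 17},
                "udp": {"source-port": {"operator": "eq", "port": 5684}}},
             "actions": {"forwarding": "accept"}},
        ]}},
    ]},
})

# Assumption for the example: ports the deployment associates with LwM2M (CoAP/CoAPS).
LWM2M_PORTS = {5683, 5684}


def load_device_parameters(text: str) -> dict:
    """Parse the MUD file fetched from the storage server (device parameters 23)."""
    return json.loads(text)


def reference_matches(doc: dict, reference: str) -> bool:
    """Consistency check before the file is trusted: the mud-url inside the file
    must be the reference the device presented in its parameter request."""
    return doc["ietf-mud:mud"].get("mud-url") == reference


def extract_rules(doc: dict) -> list:
    """Flatten the from-device and to-device ACLs into simple enforceable rules."""
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, policy in (("from-device", "from-device-policy"),
                              ("to-device", "to-device-policy")):
        for ref in mud.get(policy, {}).get("access-lists", {}).get("access-list", []):
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                ip = m.get("ipv4") or m.get("ipv6") or {}
                l4 = m.get("udp") or m.get("tcp") or {}
                port_key = "destination-port" if direction == "from-device" else "source-port"
                rules.append({
                    "direction": direction,
                    "host": ip.get("ietf-acldns:dst-dnsname") or ip.get("ietf-acldns:src-dnsname"),
                    "protocol": ip.get("protocol"),
                    "port": l4.get(port_key, {}).get("port"),
                    "action": ace["actions"]["forwarding"],
                })
    return rules


def wants_bootstrap(indicator_present: bool, rules: list, lwm2m_ports=LWM2M_PORTS) -> bool:
    """Step [0075]: the rt indicator in the parameter request, or an accepted
    from-device UDP rule towards a LwM2M-associated port in the device parameters."""
    if indicator_present:
        return True
    return any(r["direction"] == "from-device" and r["protocol"] == 17
               and r["port"] in lwm2m_ports and r["action"] == "accept" for r in rules)


def to_acl(rules: list, device_ip: str) -> list:
    """Render the rules as textual ACL entries (illustrative syntax, no specific
    vendor); the closing deny lines are what confine the device to its MUD policy."""
    proto = {6: "tcp", 17: "udp"}
    lines = []
    for r in rules:
        p = proto.get(r["protocol"], "ip")
        act = "permit" if r["action"] == "accept" else "deny"
        if r["direction"] == "from-device":
            lines.append(f"{act} {p} host {device_ip} host {r['host']} eq {r['port']}")
        else:
            lines.append(f"{act} {p} host {r['host']} eq {r['port']} host {device_ip}")
    lines.append(f"deny ip host {device_ip} any")
    lines.append(f"deny ip any host {device_ip}")
    return lines
```

The reference check matters because the parameter request is device-supplied: a file fetched from one URL but claiming another should not be used to open network paths.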
[0076] When the endpoint device 2 is found to support bootstrapping, the network access server 3 sends a message 25 (e.g., a HTTP(S)/COAP(S) POST message) comprising the parameter request 34 to the bootstrap server 5.
[0077] Also, the network access server 3 transmits a network resource allocation message 26 (including, e.g., the IP address to use and the gateway) to the endpoint device 2 to enable initial access to the network for the endpoint device. The network resource allocation message 26 is in response to the network access request 20, and can thus conform to DHCP, LLDP, or IEEE 802.1X.
[0078] Optionally, the bootstrap server verifies the endpoint device identity (when included) in the parameter request against a database of valid identities. This database can be populated with valid identities as part of the manufacturing process or provisioning process of endpoint devices 2.
[0079] The bootstrap server 5 then sends a request 28 (e.g., a HTTP(S) or COAP(S) GET request) based on the parameter request 34 to the storage server 4, upon which the storage server 4 responds with the device parameters 23.
[0080] From the information contained in the device parameters 23, and optionally the identifier of the endpoint device 2, the bootstrap server 5 can create a more elaborate bootstrap data structure. By knowing the network services allowed (indicated in the device parameters), as well as the access control, the bootstrap server can generate 30 a bootstrap data structure that contains a more specific firmware update object and access control granularity that conforms with the network configuration determined by the network access server 3.
[0081] When the endpoint device 2 sends a bootstrap request 32 (e.g., in the form of a HTTP(S) or COAP(S) GET request) to the bootstrap server 5, the bootstrap server responds 33 with the generated tailor-made bootstrap data structure.
[0082] Figs 4A-B are flowcharts illustrating embodiments of methods for enabling configuring an endpoint device, performed by a network access server 3. The steps correspond to the actions of the network access server 3 in Fig 2. First, embodiments illustrated by Fig 4A will be described.
[0083] In a receive network access request step 40, the network access server 3 receives a network access request from an endpoint device 2. The network access request comprises a parameter request 34 (e.g., as a URI) comprising a reference to a storage server 4 for obtaining device parameters. The parameter request further comprises an identifier 18 of the endpoint device and an indicator 19 to use a bootstrap procedure. The parameter request can e.g., comply with a specification of MUD defined in RFC (Request for Comments) 8520. The parameter request 34 optionally comprises authentication data 16 as described above.
[0084] The network access request can, e.g., comply with LLDP, DHCP, or any of the IEEE 802.1X specifications.
[0085] In an obtain device parameters step 42, the network access server 3 obtains the device parameters from the storage server 4 based on the reference, e.g., using a HTTP(S) or COAP(S) GET request. As defined in the MUD specification, the device parameters can comprise access control parameters.
[0086] In a provide parameter request step 44, the network access server 3 provides 44 the parameter request to a bootstrap server 5 (e.g., as a HTTP(S)/COAP(S) POST message), to allow the bootstrap server 5 to consider the device parameters when generating the bootstrap data structure.
[0087] In a provide network resource allocation step 46, the network access server provides a network resource allocation message to the endpoint device 2, allowing the endpoint device 2 to connect to the network.
[0088] Looking now to Fig 4B, only new or modified steps from Fig 4A will be described.
[0089] In an optional verify parameter request step 41, the network access server 3 verifies integrity of the parameter request.
[0090] The MUD specification provides some solutions to verify the integrity of the MUD URI, such as Extensible Authentication Protocol (EAP) over RADIUS and Tunnel EAP (TEAP). Furthermore, there may be a need for additional security measures against malicious or malformed MUD URIs that could use resources unnecessarily.
[0091] In one embodiment, the parameter request (e.g., MUD URI) includes a digital signature or Message Authentication Code (MAC) as a parameter (see 16 of Fig 3 and description above). The endpoint device 2 then adds an additional parameter to the parameter request, e.g., “st=<MAC/Digital_Signature>”.
[0092] A cryptographic key or certificate used to sign the URI could be the same as the one used for subsequent bootstrap communication.
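As an added example of the parameter request described in [0071] and of the “st” authentication parameter of [0091] and [0092] (not code from the patent or the applicant), the Python below builds the MUD URL with the ep, rt and st parameters on the endpoint side and recomputes the code on the network access server side. The MAC variant is shown: an HMAC-SHA256 over the bare reference and every parameter except st, using a key assumed to be provisioned at manufacturing, as [0092] allows. The key value and the MUD host are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed example values: a per-device key provisioned at manufacturing and
# the device's MUD URL. Neither is from the patent text.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
MUD_URL = "https://mud.example.com/devices/sensor-v2.json"


def _canonical(reference: str, params: list) -> bytes:
    """Bytes covered by the authentication code: the bare reference (15) plus
    every parameter except 'st' itself, in a fixed order so both sides agree."""
    covered = sorted((k, v) for k, v in params if k != "st")
    return (reference + "?" + urlencode(covered)).encode()


def build_parameter_request(mud_url: str, endpoint_id: str, key: bytes,
                            supports_bootstrap: bool = True) -> str:
    """Endpoint side: reference (15) + identifier (18) + indicator (19) + st (16)."""
    params = [("ep", endpoint_id)]
    if supports_bootstrap:
        params.append(("rt", "oma.lwm2m"))
    tag = hmac.new(key, _canonical(mud_url, params), hashlib.sha256).hexdigest()
    params.append(("st", tag))
    scheme, netloc, path, _, _ = urlsplit(mud_url)
    return urlunsplit((scheme, netloc, path, urlencode(params), ""))


def parse_parameter_request(request: str) -> dict:
    """Split the URI into the bare reference and its parameters."""
    scheme, netloc, path, query, _ = urlsplit(request)
    params = parse_qsl(query, keep_blank_values=True)
    as_dict = dict(params)
    return {
        "reference": urlunsplit((scheme, netloc, path, "", "")),
        "params": params,
        "endpoint_id": as_dict.get("ep"),
        "bootstrap": as_dict.get("rt") == "oma.lwm2m",
    }


def verify_parameter_request(request: str, key: bytes) -> bool:
    """Network access server side (step 41): recompute the code over the same
    bytes and compare in constant time; a request without st is rejected."""
    parsed = parse_parameter_request(request)
    presented = dict(parsed["params"]).get("st")
    if presented is None:
        return False
    expected = hmac.new(key, _canonical(parsed["reference"], parsed["params"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented, expected)
```

Because the reference itself is covered, a changed host or path invalidates the code just as a changed identifier does; the server looks the key up by the ep parameter before verifying, so an unknown identifier is rejected before any fetch from the storage server.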
[0093] In an optional verify device parameters step 43, the network access server 3 verifies integrity of the device parameters that are obtained from the storage server 4.
[0094] Fig 5 is a flowchart illustrating embodiments of methods for enabling configuring an endpoint device, performed by a bootstrap server 5. The steps correspond to the actions of the bootstrap server 5 in Fig 2.
[0095] In a receive parameter request step 140, the bootstrap server 5 receives a parameter request, comprising a reference 15 e.g., in the form of a URI. The parameter request comprises a reference to a storage server 4 for obtaining device parameters. The parameter request further comprises an identifier 18 of an endpoint device 2 and an indicator 19 to use a bootstrap procedure. As illustrated in Fig 2, the parameter request can be received from the network access server 3.
[0096] In an obtain device parameters step 142, the bootstrap server 5 obtains the device parameters from the storage server 4 based on the reference, e.g., using a HTTP or COAP GET request.
[0097] In a generate bootstrap data structure step 144, the bootstrap server 5 generates a bootstrap data structure based on the device parameters. The bootstrap data structure can comply with a bootstrap pack as defined in OMA LwM2M.
[0098] The generating of a bootstrap data structure can also be based on the identifier 18 of the endpoint device.
[0099] The device parameters can comprise access control parameters. In this case, the generating a bootstrap data structure can also be based on the access control parameters.
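The generation step described in [0080] and [0097] to [0099], as an added Python example that is not part of the patent: starting from the allowed services the bootstrap server has already extracted from the MUD file (the device parameters 23), the identifier 18 of the endpoint and the bootstrap server's own inventory, it produces a bootstrap data structure keyed by LwM2M object/instance path. Only a management server the MUD policy lets the device reach is selected, the firmware update object is only populated with a package URI the network will permit, and the access control object grants that one server rights on the firmware object. The allowed services, server inventory, firmware images and device key are constructed placeholders; the resource numbering of objects 0, 1, 2 and 5 is assumed from the OMA LwM2M core objects and should be checked against the registry for the version in use.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AllowedService:
    """One accepted from-device rule extracted from the MUD file (device parameters 23)."""
    host: str
    port: int
    transport: str   # "udp" or "tcp"


# Constructed inputs (not from the patent): services a MUD file might allow, the
# management servers this bootstrap server operates, the firmware image per
# device model, and the per-device PSK shared from manufacturing (the same key
# the device may use to authenticate its parameter request, per [0092]).
ALLOWED = [AllowedService("bootstrap.example.com", 5684, "udp"),
           AllowedService("lwm2m.example.com", 5684, "udp"),
           AllowedService("fw.example.com", 443, "tcp")]
MANAGEMENT_SERVERS = {"lwm2m.example.com": {"short_id": 101, "lifetime": 3600}}
FIRMWARE_IMAGES = {"sensor-v2": "https://fw.example.com/sensor-v2/firmware.bin"}
DEVICE_KEYS = {"8y3z92": bytes.fromhex("00112233445566778899aabbccddeeff")}

# Access-control bits of the LwM2M ACL resource (/2/x/2): R=1, W=2, E=4, D=8, C=16.
ACL_READ, ACL_WRITE, ACL_EXEC = 1, 2, 4


def service_allowed(allowed: list, url: str) -> bool:
    """True if the MUD policy lets the device initiate a connection to this URL."""
    parts = urlsplit(url)
    defaults = {"coaps": (5684, "udp"), "coap": (5683, "udp"),
                "https": (443, "tcp"), "http": (80, "tcp")}
    port, transport = defaults[parts.scheme]
    port = parts.port or port
    return any(s.host == parts.hostname and s.port == port and s.transport == transport
               for s in allowed)


def management_server_for(allowed: list) -> Optional[str]:
    """Pick a management server the device is actually allowed to reach."""
    for host in MANAGEMENT_SERVERS:
        if service_allowed(allowed, f"coaps://{host}:5684"):
            return host
    return None


def generate_bootstrap_pack(endpoint_id: str, model: str, allowed: list) -> dict:
    """Step 144: a bootstrap data structure tailored to the device's MUD policy."""
    host = management_server_for(allowed)
    if host is None:
        raise ValueError("no management server reachable under the device's MUD policy")
    sid = MANAGEMENT_SERVERS[host]["short_id"]
    pack = {
        "/0/0": {"0": f"coaps://{host}:5684",        # LwM2M Server URI
                 "1": False,                           # not a bootstrap-server entry
                 "2": 0,                               # security mode 0 = pre-shared key
                 "3": endpoint_id,                     # PSK identity = identifier 18
                 "5": DEVICE_KEYS[endpoint_id].hex(),  # secret key (hex for display)
                 "10": sid},                           # short server id
        "/1/0": {"0": sid, "1": MANAGEMENT_SERVERS[host]["lifetime"], "7": "U"},
    }
    fw_url = FIRMWARE_IMAGES.get(model)
    # Only hand out a firmware URI the network will let the device fetch, and
    # restrict who may drive the update: the chosen server gets R/W/E on object 5.
    if fw_url and service_allowed(allowed, fw_url):
        pack["/5/0"] = {"1": fw_url}
        pack["/2/0"] = {"0": 5, "1": 0,
                        "2": {str(sid): ACL_READ | ACL_WRITE | ACL_EXEC},
                        "3": sid}
    return pack
```

Handing the device a server it cannot reach, or a firmware URL the ACL blocks, would leave it stuck after bootstrap; deriving both from the same device parameters the network access server enforces is what keeps the bootstrap pack and the network configuration aligned.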
[0100] In a receive bootstrap request step 146, the bootstrap server 5 receives a bootstrap request from the endpoint device 2, e.g., in a HTTP(S)/COAP(S) POST message. Optionally, the parameter request is included in the bootstrap request from the endpoint device 2, e.g., in the credentials used in the bootstrap request during establishment of secure communication between the endpoint device 2 and the bootstrap server 5.
[0101] For example, a device certificate used in the authentication of the endpoint device 2 could include the parameter request, or a (D)TLS extension used in establishment of the secure communication could include the parameter request. This provides the bootstrap server with more assurances that the parameter request is correct before generating and providing the bootstrap data structure.
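An added Python example (not from the patent) of the checks a bootstrap server can apply in the optional identity verification of [0078] and the cross-check of [0100] and [0101]: a parameter request forwarded by the network access server is only recorded for identifiers present in the provisioning database and only when the rt indicator is set, and a later bootstrap request is answered only if it matches a pending request; when the device also carries a copy of the parameter request in its credentials, that copy must agree with the forwarded one. How the copy is extracted from a certificate or (D)TLS extension is outside the example; it is passed in as a string, and the identifier list is constructed.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlsplit


def split_parameter_request(request: str) -> tuple:
    """Bare reference (15) and the query parameters ep (18), rt (19), st (16)."""
    parts = urlsplit(request)
    reference = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return reference, dict(parse_qsl(parts.query))


class BootstrapServer:
    """Records parameter requests forwarded by the network access server (step 140)
    and only answers bootstrap requests (step 146) that match one of them."""

    def __init__(self, valid_identities):
        # Identities populated at manufacturing/provisioning time ([0078]);
        # constructed for the example.
        self.valid_identities = set(valid_identities)
        self.pending = {}   # endpoint identifier -> (reference, ep) as forwarded

    def receive_parameter_request(self, request: str) -> bool:
        reference, params = split_parameter_request(request)
        ep = params.get("ep")
        if ep is None or ep not in self.valid_identities:
            return False            # unknown device: do not fetch its MUD file
        if params.get("rt") != "oma.lwm2m":
            return False            # device did not ask for bootstrapping
        self.pending[ep] = (reference, ep)
        return True

    def receive_bootstrap_request(self, endpoint_id: str,
                                  credential_request: Optional[str] = None) -> str:
        """Returns 'accept' or a reason code. credential_request is the copy of the
        parameter request carried in the device's certificate or (D)TLS extension,
        when the device includes one."""
        expected = self.pending.get(endpoint_id)
        if expected is None:
            return "no-pending-parameter-request"
        if credential_request is not None:
            reference, params = split_parameter_request(credential_request)
            if (reference, params.get("ep")) != expected:
                return "parameter-request-mismatch"
        del self.pending[endpoint_id]   # one bootstrap per forwarded request
        return "accept"
```

Consuming the pending entry on success means a replayed bootstrap request cannot obtain a second copy of the bootstrap data structure without the network access server forwarding a fresh parameter request.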
[0102] In a transmit bootstrap data structure step 148, the bootstrap server 5 transmits the bootstrap data structure to the endpoint device 2.
[0103] Fig 6 is a flowchart illustrating embodiments of methods for enabling configuring an endpoint device, performed by an endpoint device 2. The steps correspond to the actions of the endpoint device 2 in Fig 2.
[0104] In a transmit network access request step 240, the endpoint device 2 transmits a network access request 20 to a network access server 3. The network access request 20 can be a DHCP, LLDP, or IEEE 802.1X access request as mentioned above. The network access request comprises a parameter request comprising a reference (e.g., in the form of a URI). The parameter request comprises a reference to a storage server 4 for obtaining device parameters 23. The parameter request further comprises an identifier 18 of the endpoint device 2 and an indicator 19 to use a bootstrap procedure.
[0105] The parameter request can further comprise an authentication code based on other data in the parameter request. The authentication code is based on a digital signature or a message authentication code.
[0106] In a receive network resource allocation message step 242, the endpoint device 2 receives a network resource allocation message. At this point, the endpoint device can connect to the network e.g., on an IP level.
[0107] In a transmit bootstrap request step 244, the endpoint device 2 transmits a bootstrap request to bootstrap server 5, e.g., in a HTTP(S)/COAP(S) GET message. The bootstrap request can comprise the parameter request, allowing the bootstrap server 5, e.g., as part of credentials, to verify the integrity of the bootstrap request.
[0108] In a receive bootstrap data structure step 246, the endpoint device 2 receives a bootstrap data structure (e.g., a LWM2M bootstrap pack) from the bootstrap server 5, e.g., in a HTTP(S)/COAP(S) response message to the GET of the bootstrap request. This allows the endpoint device 2 to apply the objects in the bootstrap data structure to complete its booting process, e.g., by applying configuration and/or firmware updates defined in the bootstrap data structure.
[0109] The embodiments presented herein exploit the information in the parameter request (e.g., MUD URI) and the device parameters (e.g., a MUD file) when the bootstrap data structure is generated. In this way, the bootstrap data structure is set up to configure services and service access in alignment with network configuration, applications and device management.
[0110] Fig 7 is a schematic diagram illustrating components of the endpoint device 2, the network access server 3 and bootstrap server 5 of Fig 1. A processor 60 is provided using any combination of one or more of a suitable central processing unit (CPU), graphics processing unit (GPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions 67 stored in a memory 64, which can thus be a computer program product. The processor 60 could alternatively be implemented using an application specific integrated circuit (ASIC), field programmable gate array (FPGA), etc. The processor 60 can be configured to execute the method described with reference to Figs 4A-B above for the network access server 3, the method described with reference to Fig 5 above for the bootstrap server 5 and the method described with reference to Fig 6 above for the endpoint device 2.
[0111] The memory 64 can be any combination of random-access memory (RAM) and/or read-only memory (ROM). The memory 64 also comprises non-transitory persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid-state memory or even remotely mounted memory.
[0112] A data memory 66 is also provided for reading and/or storing data during execution of software instructions in the processor 60. The data memory 66 can be any combination of RAM and/or ROM.
[0113] An I/O interface 62 is provided for communicating with external and/or internal entities using wired communication, e.g., based on Ethernet, and/or wireless communication, e.g., Wi-Fi, and/or a cellular network, as long as the principles described hereinafter are applicable.
[0114] Other components are omitted in order not to obscure the concepts presented herein.
[0115] Fig 8 is a schematic diagram showing functional modules of the network access server 3 of Fig 1 according to one embodiment. The modules are implemented using software instructions such as a computer program executing in the network access server 3. Alternatively or additionally, the modules are implemented using hardware, such as any one or more of an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or discrete logical circuits. The modules correspond to the steps in the methods illustrated in Figs 4A-B.
[0116] A request receiver 70 corresponds to step 40. A parameter request verifier 71 corresponds to step 41. A parameter obtainer 72 corresponds to step 42. A device parameter verifier 73 corresponds to step 43. A request provider 74 corresponds to step 44. A network allocation message provider 76 corresponds to step 46.
[0117] Fig 9 is a schematic diagram showing functional modules of the bootstrap server 5 of Fig 1 according to one embodiment. The modules are implemented using software instructions such as a computer program executing in the bootstrap server 5. Alternatively or additionally, the modules are implemented using hardware, such as any one or more of an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or discrete logical circuits. The modules correspond to the steps in the methods illustrated in Fig 5.
[0118] A parameter request receiver 170 corresponds to step 140. A parameter obtainer 172 corresponds to step 142. A bootstrap generator 174 corresponds to step 144. A bootstrap request receiver 176 corresponds to step 146. A bootstrap data transmitter 178 corresponds to step 148.
[0119] Fig 10 is a schematic diagram showing functional modules of the endpoint device 2 of Fig 1 according to one embodiment. The modules are implemented using software instructions such as a computer program executing in the endpoint device 2. Alternatively or additionally, the modules are implemented using hardware, such as any one or more of an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array), or discrete logical circuits. The modules correspond to the steps in the methods illustrated in Fig 6.
[0120] A network access request transmitter 270 corresponds to step 240. A network allocation receiver 272 corresponds to step 242. A bootstrap request transmitter 274 corresponds to step 244. A bootstrap data receiver 276 corresponds to step 246.
[0121] Fig 11 shows one example of a computer program product 90 comprising computer readable means. On this computer readable means, a computer program 91 can be stored in a non-transitory memory. The computer program can cause a processor to execute a method according to embodiments described herein. In this example, the computer program product is in the form of a removable solid-state memory, e.g., a Universal Serial Bus (USB) drive. As explained above, the computer program product could also be embodied in a memory of a device, such as the computer program product 64 of Fig 7. While the computer program 91 is here schematically shown as a section of the removable solid-state memory, the computer program can be stored in any way which is suitable for the computer program product, such as another type of removable solid-state memory, or an optical disc, such as a CD (compact disc), a DVD (digital versatile disc) or a Blu-Ray disc.
[0122] The aspects of the present disclosure have mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the invention, as defined by the appended patent claims. Thus, while various aspects and embodiments have been disclosed herein, other aspects and embodiments will be apparent to those skilled in the art. The various aspects and embodiments disclosed herein are for purposes of illustration and are not intended to be limiting, with the true scope and spirit being indicated by the following claims.

Claims

1. A method for enabling configuring an endpoint device (2), the method being performed by a network access server (3), the method comprising: receiving (40) a network access request (20) from the endpoint device (2), the network access request (20) comprising a parameter request (34), the parameter request comprising a reference (15) to a storage server (4) for obtaining device parameters (23), the parameter request (34) further comprising an identifier (18) of the endpoint device and an indicator (19) to use a bootstrap procedure; obtaining (42) the device parameters (23) from the storage server (4) based on the reference (15); providing (44) the parameter request (34) to a bootstrap server (5); and providing (46) a network resource allocation message (26) to the endpoint device (2).
2. The method according to claim 1, wherein the parameter request (34) complies with a specification of Manufacturer Usage Description as defined in Internet Engineering Task Force Request for Comments 8520.
3. The method according to claim 1 or 2, wherein the device parameters (23) comprise access control parameters.
4. The method according to any one of claims 1 to 3, wherein the network access request (20) complies with Link Layer Discovery Protocol, Dynamic Host Configuration Protocol, or Institute of Electrical and Electronics Engineers 802.1X.
5. The method according to any one of the preceding claims, wherein the reference (15) is in the form of a Uniform Resource Identifier.
6. The method according to any one of the preceding claims, further comprising: verifying (41) integrity of the parameter request (34).
7. The method according to any one of the preceding claims, further comprising: verifying (43) integrity of the device parameters (23).
8. A network access server (3) for enabling configuring an endpoint device (2), the network access server (3) comprising: a processor (60); and a memory (64) storing instructions (67) that, when executed by the processor, cause the network access server (3) to: receive a network access request (20) from the endpoint device (2), the network access request (20) comprising a parameter request (34), the parameter request comprising a reference (15) to a storage server (4) for obtaining device parameters (23), the parameter request (34) further comprising an identifier (18) of the endpoint device and an indicator (19) to use a bootstrap procedure; obtain the device parameters (23) from the storage server (4) based on the reference (15); provide the parameter request (34) to a bootstrap server (5); and provide a network resource allocation message (26) to the endpoint device (2).
9. The network access server (3) according to claim 8, wherein the parameter request (34) complies with a specification of Manufacturer Usage Description, as defined in Internet Engineering Task Force Request for Comments 8520.
10. The network access server (3) according to claim 8 or 9, wherein the device parameters (23) comprise access control parameters.
11. The network access server (3) according to any one of claims 8 to 10, wherein the network access request (20) complies with Link Layer Discovery Protocol, Dynamic Host Configuration Protocol, or Institute of Electrical and Electronics Engineers 802.1X.
12. The network access server (3) according to any one of claims 8 to 11, wherein the reference (15) is in the form of a Uniform Resource Identifier.
13. The network access server (3) according to any one of claims 8 to 12, further comprising instructions (67) that, when executed by the processor, cause network access server (3) to verify integrity of the parameter request (34).
14. The network access server (3) according to any one of claims 8 to 13, further comprising instructions (67) that, when executed by the processor, cause network access server (3) to verify integrity of the device parameters (23).
15. A computer program (67, 91) for enabling configuring an endpoint device (2), the computer program comprising computer program code which, when executed on a network access server (3) causes the network access server (3) to: receive a network access request (20) from the endpoint device (2), the network access request (20) comprising a parameter request (34), the parameter request comprising a reference (15) to a storage server (4) for obtaining device parameters (23), the parameter request (34) further comprising an identifier (18) of the endpoint device and an indicator (19) to use a bootstrap procedure; obtain the device parameters (23) from the storage server (4) based on the reference (15); provide the parameter request (34) to a bootstrap server (5); and provide a network resource allocation message (26) to the endpoint device (2).
16. A method for enabling configuring an endpoint device (2), the method being performed by a bootstrap server (5), the method comprising: receiving (140) a parameter request (34), the parameter request (34) comprising a reference to a storage server (4) for obtaining device parameters (23), the parameter request (34) further comprising an identifier (18) of the endpoint device (2) and an indicator (19) to use a bootstrap procedure; obtaining (142) the device parameters (23) from the storage server (4) based on the reference; generating (144) a bootstrap data structure based on the device parameters (23); receiving (146) a bootstrap request from the endpoint device (2); and transmitting (148) the bootstrap data structure to the endpoint device (2).
17. The method according to claim 16, wherein the bootstrap data structure complies with a bootstrap pack defined in Open Mobile Alliance Lightweight Machine to Machine.
18. The method according to claim 16 or 17, wherein the generating (144) a bootstrap data structure is based also on the identifier (18) of the endpoint device.
19. The method according to any one of claims 16 to 18, wherein the receiving (140) a parameter request (34) comprises receiving the parameter request (34) from a network access server (3).
20. The method according to any one of claims 16 to 19, wherein the device parameters (23) comprise access control parameters, and wherein the generating (144) a bootstrap data structure is based on the access control parameters.
21. The method according to any one of claims 16 to 20, wherein the reference (15) is in the form of a Uniform Resource Identifier.
22. A bootstrap server (5) for enabling configuring an endpoint device (2), the bootstrap server (5) comprising: a processor (60); and a memory (64) storing instructions (67) that, when executed by the processor, cause the bootstrap server (5) to: receive a parameter request (34), the parameter request (34) comprising a reference (15) to a storage server (4) for obtaining device parameters (23), the parameter request (34) further comprising an identifier (18) of the endpoint device (2) and an indicator (19) to use a bootstrap procedure; obtain the device parameters (23) from the storage server (4) based on the reference (15); generate a bootstrap data structure based on the device parameters (23); receive a bootstrap request from the endpoint device (2); and transmit the bootstrap data structure to the endpoint device (2).
23. The bootstrap server (5) according to claim 22, wherein the bootstrap data structure complies with a bootstrap pack defined in Open Mobile Alliance Lightweight Machine to Machine.
24. The bootstrap server (5) according to claim 22 or 23, wherein the instructions to generate a bootstrap data structure comprise instructions (67) that, when executed by the processor, cause bootstrap server (5) to generate the bootstrap data structure based also on the identifier (18) of the endpoint device.
25. The bootstrap server (5) according to any one of claims 22 to 24, wherein the instructions to receive a parameter request comprise instructions (67) that, when executed by the processor, cause bootstrap server (5) to receive the parameter request from a network access server (3).
26. The bootstrap server (5) according to any one of claims 22 to 25, wherein the device parameters (23) comprise access control parameters, and wherein the instructions to generate a bootstrap data structure comprise instructions (67) that, when executed by the processor, cause bootstrap server (5) to generate the bootstrap data structure based on the access control parameters.
27. The bootstrap server (5) according to any one of claims 22 to 26, wherein the reference (15) is in the form of a Uniform Resource Identifier.
28. A computer program (67, 91) for enabling configuring an endpoint device (2), the computer program comprising computer program code which, when executed on a bootstrap server (5) causes the bootstrap server (5) to: receive a parameter request (34), the parameter request (34) comprising a reference (15) to a storage server (4) for obtaining device parameters (23), the parameter request (34) further comprising an identifier (18) of the endpoint device (2) and an indicator (19) to use a bootstrap procedure; obtain the device parameters (23) from the storage server (4) based on the reference (15); generate a bootstrap data structure based on the device parameters (23); receive a bootstrap request from the endpoint device (2); and transmit the bootstrap data structure to the endpoint device (2).
29. A method for enabling configuring an endpoint device (2), the method being performed by the endpoint device (2), the method comprising: transmitting (240) a network access request (20) to a network access server (3), the network access request (20) comprising a parameter request (34), the parameter request (34) comprising a reference (15) to a storage server (4) for obtaining device parameters (23), the parameter request (34) further comprising an identifier (18) of the endpoint device (2) and an indicator (19) to use a bootstrap procedure; receiving (242) a network resource allocation message (26); transmitting (244) a bootstrap request to bootstrap server (5); and receiving (246) a bootstrap data structure from the bootstrap server (5).
30. The method according to claim 29, wherein the parameter request (34) further comprises an authentication code based on other data in the parameter request (34).
31. The method according to claim 30, wherein the authentication code is based on a digital signature or a message authentication code.
32. The method according to any one of claims 29 to 31, wherein the bootstrap request comprises the parameter request (34).
33. The method according to any one of claims 29 to 32, wherein the reference (15) is in the form of a Uniform Resource Identifier.
34. An endpoint device (2), for enabling configuring the endpoint device (2), the endpoint device (2) comprising: a processor (60); and a memory (64) storing instructions (67) that, when executed by the processor, cause the endpoint device (2), to: transmit a network access request (20) to a network access server (3), the network access request (20) comprising a parameter request (34), the parameter request comprising a reference (15) to a storage server (4) for obtaining device parameters (23), the parameter request (34) further comprising an identifier (18) of the endpoint device (2) and an indicator (19) to use a bootstrap procedure; receive a network resource allocation message (26); transmit a bootstrap request to bootstrap server (5); and receive a bootstrap data structure from the bootstrap server (5).
35. The endpoint device (2) according to claim 34, wherein the parameter request (34) further comprises an authentication code based on other data in the parameter request (34).
36. The endpoint device (2) according to claim 35, wherein the authentication code is based on a digital signature or a message authentication code.
37. The endpoint device (2) according to any one of claims 34 to 36, wherein the bootstrap request comprises the parameter request (34).
38. The endpoint device (2) according to any one of claims 34 to 37, wherein the reference (15) is in the form of a Uniform Resource Identifier.
39. A computer program (67, 91) for enabling configuring an endpoint device (2), the computer program comprising computer program code which, when executed on the endpoint device (2), causes the endpoint device (2), to: transmit a network access request (20) to a network access server (3), the network access request (20) comprising a parameter request (34), the parameter request (34) comprising a reference (15) to a storage server (4) for obtaining device parameters (23), the parameter request (34) further comprising an identifier (18) of the endpoint device (2) and an indicator (19) to use a bootstrap procedure; receive a network resource allocation message (26); transmit a bootstrap request to bootstrap server (5); and receive a bootstrap data structure from the bootstrap server (5).
40. A computer program product (64, 90) comprising a computer program according to claim 15, 28 or 39 and a computer readable means comprising non-transitory memory in which the computer program is stored.
41. A system (10) comprising the network access server (3) according to any one of claims 8 to 14, the bootstrap server (5) according to any one of claims 22 to 27 and the endpoint device (2) according to any one of claims 34 to 38.
Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2022/056272 WO2023169688A1 (en) 2022-03-10 2022-03-10 Enabling configuring an endpoint device

Publications (1)

Publication Number Publication Date
WO2023169688A1 true WO2023169688A1 (en) 2023-09-14
Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110016321A1 (en) * 2009-07-14 2011-01-20 Sundaram Ganapathy S Automated Security Provisioning Protocol for Wide Area Network Communication Devices in Open Device Environment
WO2020253931A1 (en) * 2019-06-15 2020-12-24 Telefonaktiebolaget Lm Ericsson (Publ) Methods and apparatus for lightweight machine to machine communication
US20210342163A1 (en) * 2018-10-05 2021-11-04 Telefonaktiebolaget Lm Ericsson (Publ) Methods for operation of a device, bootstrap server and network node
Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Lear, E., Droms, R., Romascanu, D.: "Manufacturer Usage Description Specification", RFC 8, March 2019 (2019-03-01)
Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 22713928; Country of ref document: EP; Kind code of ref document: A1)