EP4097999A1 - Network selection during disaster situations - Google Patents

Abstract

The invention provides a method for enabling a user equipment, UE, device having an association with a first network which is a home network of the UE device to communicate with a second network other than the home network in an event of the home network becoming unusable as a result of an occurrence of an event affecting the operation of the home network, the communicating termed disaster roaming, the method comprising receiving from the home network an indicator that the UE device is authorized to use the second network should the event occur; and receiving from the second network information that the second network is available for connection with the UE device for disaster roaming.

Description

Network Selection During Disaster Situations

The present invention relates to enabling a mobile phone, or user equipment device, associated with a home network to establish a communication path with another network if its home network becomes unusable in a disaster situation.

Mobile communication services have become an essential part of our society. For example, mobile payment, autonomous driving, monitoring of vital signs, and so on cannot work without omnipresent mobile connectivity. Thus, it is important to ensure that users of mobile communication services get their subscribed services without being interrupted.

Usually, a UE is camping on its home (or an equivalent) network. As long as its home (or equivalent) network is functioning properly, the UE will not try to select a cell of a neighbouring network and any attempt to do so from the UE would be rejected (apart from emergency calls). However, when the home network is no longer available to provide the subscribed service due to disaster events while neighbouring networks are still in operation, the only option for the UE to be online is to be served by one of those neighbouring networks.

Existing systems do not provide any means to trigger neighbouring networks to host “foreign” UEs and to inform concerned UEs about the presence of suitable alternative networks in case of a disaster.

3GPP is dealing with this important topic as part of the “Minimization of Service Interruption (MINT)” study item. Recently, 3GPP SA1 working group has finalized a technical report in preparation of 3GPP Release 17 (Rel-17) which gathers and analyses different scenarios where interruption to communication service may arise due to natural disaster or man-made disasters. At the same time, it derives potential service requirements out of these scenarios. The outcome of this endeavour has been collected in a technical report having the reference 3GPP TR 22.831.

In 3GPP TR 22.831 the following terminology is used:

Disaster Roaming:

This is the special type of roaming service that applies during a Disaster Condition. Disaster Condition: This is the condition that a government decides whether it is applicable or not based on, e.g. a natural disaster or a man-made disaster (incl. cyberattacks), for users to get mobile communication services from a PLMN they wouldn’t normally be served by. When this condition applies, users have the opportunity to mitigate service interruptions and failures.

Disaster Inbound Roamers:

Users that (a) cannot get service from the PLMN they would normally be served by, due to failure of service during a Disaster Condition, and (b) are able to register with other PLMNs.

3GPP TR 22.831 V17.1 .0 considers the following network failure scenarios that may happen in case of disaster.

The radio access network (RAN) is in part (e.g., in a given region) or in its entirety (temporarily) out of order or malfunctioning. Reasons for this could for instance be a RAN Component R1 suffering from power outage or a damaged backhaul connection IF1/IF2. It is noteworthy to mention that the term ‘RAN Component’ may for example comprise at least one entity from the following list of entities: a base station, a relay node, an IAB node, and a remote radio head.

The core network (CN) is in part or in its entirety (temporarily) out of order or malfunctioning. Reasons for this could for instance be a CN component suffering from power outage or damaged CN interconnections. It is noteworthy to mention that the term ‘core network (CN)’ describes a logical entity. In reality, the various core network components may be physically located in different locations (cf. 3GPP TS 23.501 , section 4.2 for details about the 5G-NR architecture reference model). For example, in case of 5G-NR, there may be multiple AMFs (access and mobility management functions), and one centralized UDM (unified data management) per country. Partial malfunctioning of CN components may result into a “network slice” (predominantly, a logical network that provides specific network capabilities and network characteristics) not working properly.

The RAN and CN together usually form a public land mobile network (PLMN) that is under control of a mobile network operator (MNO). The mobile communication device or ‘handset’ of a user is usually referred to as user equipment (UE). Fig. 1 shows three example failure scenarios that may cause problems to a subscriber’s UE (e.g., complete lack of service or reduction of network performance). There may be situations (for instance, a backhaul failure) in which a base station is still able to transmit (at least some basic sets of) control information to the UEs in its coverage area, for example in the form of system information blocks (SIB) in the downlink direction (base station or eNB to UE).

Before a UE can access a radio cell for the first time, it needs to know some basic information about the cell. Therefore, the base station transmits in the downlink direction on a regular, periodic schedule so-called system information (SI) to all UEs residing in that cell.

SI consists of a master information block (MIB) and a number of SIBs, which are divided into 'minimum SI' and 'other SI'.

Minimum SI comprises basic information required for initial access and information for acquiring any other SI. In detail, minimum SI consists of:

MIB which contains cell barred status information and essential physical layer information of the cell required to receive further system information, e.g. CORESET#0 configuration. MIB is periodically broadcast on BCH.

SIB1 defines the scheduling of other system information blocks and contains information required for initial access. SIB1 is also referred to as 'remaining minimum SI' (RMSI) and is periodically broadcast on DL-SCH or sent in a dedicated manner on DL-SCH to UEs in RRC_CONNECTED.

Other SI encompasses all SIBs not broadcast in the minimum SI. These SIBs can either be periodically broadcast on DL-SCH, broadcast on-demand on DL-SCH (i.e. upon request from UEs in RRCJDLE or RRCJNACTIVE), or sent in a dedicated manner on DL-SCH to UEs in RRC_CONNECTED.

We refer to 3GPP TS 38.300 §7.3 for more information.

3GPP document S1 -193603 submitted as change request SCR 0378 to 3GPP standard 22.261 includes a section comprising requirements related to access control when disaster condition applies in the scope of the ongoing MINT Study Item. An access identity number 3 is provided for use by UEs for which a disaster condition applies which is valid for PLMNs that indicate to potential disaster inbound roamers that the UEs can access the PLMN. Some of the operations described herein may require a secure processing environment (SPE). For example, an SPE may include a cryptographic circuit configured to provide one or more cryptographic services to ensure trustworthiness of the operations being performed. Cryptographic services may for instance include: an access control service, an identification service, an attestation service, an authentication service, an encryption service, a decryption service, and/or a digital signature service. The cryptographic circuit may include a memory to store cryptographic material such as cryptographic keys (for example, a certified public key and/or a secret key and/or various other encryption keys).

The SPE may be or may include a trusted platform module (TPM) and/or a smart card (such as a subscriber identity module (SIM) or a universal subscriber identity module (USIM)).

The TPM may be understood as an integrated circuit module that has been developed as part of the TCG specification (TCG — trusted computing group, formerly known as TCPA) in order to provide a secure environment for personal computers (PCs). It resembles a smart card inseparably mounted on a computation platform. A TPM may be coupled to a system (the computation platform) rather than to a user. Other deployment scenarios — apart from personal computers (PCs) — are PDA (personal digital assistants), cellular phones, and also consumer electronics. In the setting of the methods disclosed in the various embodiments of this invention, the UE may be equipped with a TPM or TPM chip.

Mobile phones operating according to the GSM standard require a SIM card for usage in the mobile network, whereas mobile phones operating according to subsequent standards (e.g., 3G-UMTS, 4G-LTE, 5G-NR) require a UICC (UICC — universal integrated circuit card) with at least one USIM. Both type of cards (SIM Card and UICC) offer storage capability for applications and application data in their application memory. Most of these applications are mobile communication specific and thus are issued, maintained, and updated by the MNO. A smart card may comprise different architecture elements, such as:

Application memory, for example implemented as a programmable read only memory (PROM), as an erasable programmable read only memory (EPROM), as an electrically erasable programmable read only memory (EEPROM). The application memory may be used to store application programs (computer programs in general), USIM application toolkit (USAT) applets and/or data (e.g. short message service (SMS) data, multimedia message service (MMS) data, phone book data, etc..

Read only memory (ROM). The ROM may be provided to store the USIM application toolkit (USAT), smart card application programs (e.g. USIM, ISIM, etc.), a file system, various algorithms, a JAVA virtual machine, one or more operating systems.

Random access memory (RAM). The RAM may be provided as a working memory to store e.g. results from calculations or input/output communication.

A microprocessor unit (MPU) which may be provided for the execution of instructions, in other words, of the respective computer programs mentioned above.

An input/output controller (I/O controller) which may be provided for the management of data flow between e.g. the terminal communication device such as e.g. the mobile equipment (ME) and the MPU.

SPE functions of high relevance for the present invention are the digital signature service (for example, the validation of received signatures) and the storage of cryptographic keys (for example, a certified public key).

Usually, a UE is camping on its home network (or on an equivalent network). As long as its home network (or an equivalent network) is functioning properly, the UE will not try to select a cell of a neighbouring network and any attempt to do so from the UE would be rejected, except for special service requests, such as those for emergency calls (depending on regulation).

However, when the home network is no longer available to provide the subscribed service due to disaster events while neighbouring networks are still in operation, the only option for the UE to be (or remain) online is to be served by one of those neighbouring networks.

The current state-of-the-art does not provide any means to inform UEs about alternative networks’ service offerings in case of disaster situations. In particular, when the home network is down, neighbouring networks are currently not capable to reliably inform “foreign” users about the fact they have been instructed (e.g., by some government agency such as a national telecommunications regulator) to open up for disaster roamers. As incoming users (disaster roamers) cause additional load on the network it would be desirable to restrict disaster roaming to relevant locations rather than opening up the entire network. The current state-of-the-art does not provide means to do this either. Due to the different network topologies in home network and neighbouring network (in particular, there are different base station sites and different coverage areas) implementing local restrictions is not a trivial task.

In TR 22.831 referred to above, in one scenario a UE can camp on a non-home network if the home network is not available for whatever reason with connectivity being granted in the event of a disaster occurring. In a second scenario, each network in a country allows disaster roaming support and a UE can determine from a non-home network that a disaster has occurred and selects a PLMN accordingly, connecting to a network which is normally not available. In a third scenario, a second network is not forbidden to the UE and the second network accepts connections from UEs whose home network is unavailable. Services in the event of a disaster may be restricted to UEs from a particular region suffering network outage.

US 8,886,193 B2 describes a method for radio link failure recovery including storing backup cell information for re-establishing a connection if the target cell fails. US 2019/0081688 A1 describes a technique for coping with beam level failure in a beam- formed system.

EP 2445 244 A1 describes an arrangement whereby a PLMN is able to broadcast an additional standby PLMN code which is not on a list of forbidden codes, enabling a UE to gain access in the event of an emergency situation.

WO 2020/102831 A1 , published after the priority date of the present invention, describes an arrangement in which in the event of an access node of a first PLMN becoming inoperable a service change notification is sent by a network entity. A second PLMN then broadcasts a service change occurred indicator allowing a UE whose home network is the first PLMN to connect to the second PLMN.

3GPP technical repot TR 33.969 version 15.0.0 discusses security aspects of the public warning system (PWS) used for broadcasting messages to users to inform them about emergency situations. The intentions of the document are to prevent false warning notifications being sent and to prevent abuse of the system to send messages such as advertising and "spam" messages. The present invention provides a method for enabling a user equipment, UE, device having an association with a first network, which is a home network of the UE device, to communicate with a second network other than the home network in an event of the home network becoming unusable as a result of an occurrence of an event affecting the operation of the home network, the communicating termed disaster roaming, the method comprising receiving from the home network an indicator that the UE device is authorized to use the second network should the event occur; and receiving from the second network information that the second network is available for connection with the UE device for disaster roaming, wherein the information received from the second network is either (i) encrypted and the UE decrypts the information using cryptographic information received from the home network or (ii) digitally signed and the UE device validates the information using cryptographic information received from the home network.

The invention also provides a method for enabling a user equipment, UE, device having an association with a first network which is a home network of the UE device to communicate with a second network other than the home network in an event of the home network becoming unusable as a result of an occurrence of an event affecting the operation of the home network, the communicating termed disaster roaming, the method comprising transmitting from the home network to the UE device an indicator that the UE device is authorized to use the second network should the event occur; transmitting a notification to the second network that the event has occurred at the first network; and transmitting from the second network information that the second network is available for connection with the UE device for disaster roaming, wherein the information transmitted from the second network is either (i) encrypted and decryption information is transmitted from the home network or (ii) digitally signed such that a validation of the digital signature can be performed in the UE device based on information received from the home network.

In some embodiments of the present invention the access to alternative networks may also be granted by means of disaster collaboration agreements between the concerned MNOs (i.e. without any regulatory involvement).

The present invention addresses the use cases and scenarios identified by 3GPP during the study item phase on “Minimization of Service Interruption (MINT)” for Release-17. We propose some system enhancements to realize new service behaviour aiming at reducing interruption of subscribed services.

A first aspect provides a dissemination of ‘backup network indications’. The aim is to guide users to select the right backup network (among several available neighbouring and/or overlapping networks) in disaster situations. In detail, users suffering from disaster situations are prevented from trying to access networks that are not instructed (e.g., by government agency) to serve as a backup network for their home network and networks that their MNO doesn’t have a disaster collaboration agreement with, respectively.

A second aspect provides a mitigation of replay attacks. UEs are enabled to verify the ‘backup network indications’ received from alternative networks. Thus, replay attacks by fraudulent network deployments can be mitigated.

A third aspect provides a restriction to the area of relevance. Disaster roaming is restricted to areas of relevance (rather than opening up nationwide the entire neighbouring and/or overlapping network for incoming disaster roamers). The additional load that incoming disaster roamers may cause on the alternative network can thus be reduced.

A fourth aspect relates to an age of the disaster information. The 'up-to-date' status of the ‘backup network indications’ can be checked by UEs of incoming disaster roamers seeking service offerings from neighbouring networks.

A fifth aspect concerns regulator involvement. Inter-PLMN signalling between a home network experiencing a disaster situation and an alternative network (optionally, via an entity assigned to a regulator’s domain) is disclosed.

A sixth aspect concerns a disaster roaming indication in the uplink direction. UEs are enabled to indicate ‘disaster roaming’ as their motivation for accessing alternative networks. Upon reception of such an UL indication the alternative network can prepare to accommodate a large number of incoming “foreign” UEs in the course of a disaster by adjusting certain parameters and resources (e.g., related to the random access procedure, bandwidth part (BWP) configuration). When the home network is down, neighbouring networks are enabled to inform “foreign” users about the fact they are available to host disaster roamers. They may have been instructed by some government agency such as a national telecommunications regulator to open up for disaster roamers.

Replay attacks by fraudulent network deployments can be suppressed, because the users are enabled to verify backup indications received from alternative networks.

Disaster roaming is restricted to areas of relevance (i.e. not the entire alternative network is opened up for incoming disaster roamers). The additional load that disaster roamers may cause on the alternative network can thus be reduced.

For the realization of the first four aspects of the present invention several new information elements (lEs) are defined for usage in c-plane signalling of the mobile communication system, i.e. according to the radio resource control (RRC) protocol. In particular, a concept of ‘backup network indication’ is introduced as part of the SIB function in neighbouring networks that (are instructed to) serve as a fall back network in case of disaster situations comprising at least one of a backup indicator, a piece of location information (as used in the home network or as defined by some authority), a piece of time information (time stamp), and a digital signature.

For the realization of the fifth aspect of the present invention several new lEs are defined for usage in inter-PLMN signalling between mobile communication systems (optionally, via an entity operated by a government agency, such as a national telecommunications regulator).

For the realization of the sixth aspects of the present invention yet another new IE is defined for usage in c-plane signalling of the mobile communication system, i.e. according to the RRC protocol. In particular, a new connection establishment cause value ‘disaster roaming’ is introduced to be used (in uplink direction) when the UE tries to access the alternative network.

Before a disaster strikes networks are enabled to configure their UEs with a special indicator or token. When a network is going down it can ask neighbouring networks to host their subscribers. UEs that are compelled to look for alternative service offerings use at least one of a disaster roaming PLMN-ID list and said token to determine suitable alternative networks to camp on. In addition, several new elementary files (EFs) are defined for storage in an SPE of the UE (e.g., in a removable or perpetually mounted USIM or TPM). These new EFs may, for example, enable storage of encryption keys (such as dedicated public keys used for validating digital signatures) and/or network identifiers (such as PLMN-IDs) and/or location information (such as tracking area IDs) for the method of the invention.

Particular aspects of the invention provide several benefits.

UEs of disaster inbound roamers are provided with a convenient way to find and select alternative networks for their subscribed services when the network they would normally be served by (e.g., their home network) is experiencing a disaster condition.

Mobile payment, autonomous driving, monitoring of vital signs, and many other services that have become an essential part of our society are not interrupted in case of disasters, as users are enabled to access and use neighbouring and/or overlapping networks they wouldn’t normally be served by.

Access attempts by disaster inbound roamers are more likely to be successful, as users are informed which of the available neighbouring and/or overlapping networks actually serve as a backup network in the respective situation. In other words, users can be prevented from trying to access networks that have not been instructed to open up and networks that their MNO doesn’t have a disaster collaboration agreement with, respectively.

Furthermore, replay attacks by fraudulent network deployments can be suppressed, because the users are enabled to verify backup indications received from alternative networks.

Disaster roaming is restricted to areas of relevance (i.e. not the entire neighbouring and/or overlapping network is opened up for incoming disaster roamers). The additional load that disaster roamers may cause on the alternative network can thus be reduced.

The alternative network is enabled to prepare for a large number of incoming “foreign” UEs in the course of a disaster by adjusting certain (potentially cell specific) parameters and resources. Preferred embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings in which:

Fig. 1 shows a schematic representation of a public land mobile network and possible reasons for network failure;

Fig. 2 shows a schematic representation of a UE performing disaster roaming;

Fig. 3 shows a file structure EFUST for storage on a UE's USIM for enabling disaster roaming;

Fig. 4 shows a further file structure EFDRPLMN identifying allowed PLMNs if disaster roaming is enabled by EFUST;

Fig. 5 shows an exemplary SIB message for transmitting a "fall back" indication;

Fig. 6 shows an exemplary IE for transmitting a "backup for" indication;

Fig. 7 shows a file structure EFDRPUBKEYS for storage on a UE's USIM for storing disaster roaming public keys;

Fig. 8 shows an exemplary IE for transmitting a "fall back" signature;

Fig. 9 shows an exemplary IE for transmitting a "backup for" signature;

Fig. 10 shows an exemplary IE for transmitting a disaster location in the form of a tracking area code;

Fig. 11 shows a further exemplary IE for transmitting an encrypted disaster location indication;

Fig. 12 shows a still further exemplary IE for transmitting a disaster location indication;

Fig. 13 is a schematic diagram indicating a transmission of a disaster indication from a first mobile network to a second mobile network via a regulatory authority; and

Fig. 14 is an exemplary RRC setup request message providing a disaster roaming indication.

Embodiments will be described relating to the following exemplary scenario with reference to Fig. 2.

PLMN-A and PLMN-B provide overlapping coverage in a given country, region, city, street, or other spatially defined areas, such as company premises or campuses.

MNO-A operating PLMN-A and MNO-B operating PLMN-B may have set up a collaboration agreement for disaster events. Alternatively, MNO-B is requested by the authorities (e.g., a government agency) to allow incoming users from MNO-A in case of disaster events.

A disaster event is detected in PLMN-A. Users of PLMN-A experience a service failure (that may be locally restricted to a certain coverage region of PLMN-A).

Users of PLMN-A (currently residing in the affected region) are compelled to use a fall back network, if they want to continue to receive mobile communication services.

A government agency (e.g., the national telecommunications regulator) may instruct PLMN-B to open up for inbound disaster roamers stemming from PLMN-A.

In accordance with the first aspect of the invention referred to above, the following is an example of enabling detection of alternative networks in disaster situations.

In this example, PLMN-A is the subscriber’s home network experiencing malfunction and PLMN-B is a network suited to serve as a backup network in case of disasters events (incl. natural disasters and human-made disasters, for example as defined in 3GPP TR 22.831).

According to this embodiment, a collaboration agreement between the two MNOs recites that subscribers of MNO-A carry the PLMN-ID of PLMN-B in their list of allowed PLMNs, in particular in their lists of identifiers specifying the home-PLMN and the equivalent-home-PLMNs. While the former PLMN identifier (of the home-PLMN) can be derived from the IMSI (international mobile subscriber identity) stored in the USIM, the latter PLMN identifiers (of the equivalent-home-PLMNs) may be read directly from a distinct EF of the USIM called EFEHPLMN-

Alternatively, for USIMs being capable of supporting the method of the invention a new USIM service (“disaster roaming”) is defined in the USIM Service Table ( EFUST ) as depicted in Fig. 3. Furthermore, a separate EF is defined for storage in the USIM to carry a list of identifiers specifying a list of backup or fall back PLMNs that may be used in case of disaster roaming. It may be called EFDRPLMN as depicted in Fig. 4.

Fig. 3 shows an example of an EF called EFUST (USIM Service Table). This EF indicates which services are available. If a service is not indicated as available in the USIM, the Mobile Equipment (ME) shall not select this service. Service number 132 (n°132) indicates support of disaster roaming according to the present invention.

In the embodiment, if service n°132 is "available", the EF file of Fig. 4 shall be present.

It contains the coding for up to n disaster roaming (DR) PLMNs according to the invention.

When PLMN-B is open for disaster roamers (e.g., following instructions issued by a government agency) it may disseminate via its SIB an indication that it is serving as a backup or fall back PLMN (e.g., for the users that have formerly been served by PLMN- A). This indication may be transmitted as a simple “Fall back Indicator” (informing UEs that this network is serving as a fall back network in case of disasters, cf. Fig. 5) or, alternatively, in form of a more informative “Backup-For Indicator” (specifying the PLMN that a given network is serving as a backup network for, cf. Fig. 6). The “Backup-For Indicator” may occur multiple times. Both signalling variants allow a UE to check (thereby preferably using the EF EFDRPLMN depicted in Fig. 4) whether a given PLMN can be used as a backup network in case of disasters.

In detail, we propose to include a new IE as part of the PLMN-ldentitylnfoList IE that is contained in the CellAccessRelatedlnfo IE which is in turn contained in the SIB-Type1 RRC message (cf. Figs. 5 and 6).

Fig. 5 shows a possible structure for transmitting a fall back indication based on 3GPP TS 38.331. The SIB 1 includes in the PLMN-ldentitylnfoList IE the FallBacklndicator.

Alternatively, it is possible to further specify which PLMN (or PLMNs, if the Backup-For IE appears multiple times or contains a list of PLMN Identities) the backup network is replacing as shown in Fig. 6.

In one particular embodiment of the present invention the indication described above is restricted to a certain coverage region, i.e. only a few base stations in PLMN-B transmit this new backup indication. Flow such a restriction may be achieved is described below.

In accordance with the second aspect of the invention referred to above, the following is an example of preventing playback attacks in disaster situations. The preferred SIB-Type for the dissemination of the fall back or backup indication as described above is SIB-1 which can be readily received and interpreted by all UEs in a cell, since it is not protected (i.e., it is not ciphered by any network infrastructure element prior to transmission). As explained above, the information transmitted in SIB- 1 could theoretically be read by fake base stations and used in replay attacks. In this kind of attack a fake base station is acting between a target UE and the MNO’s real base station for the purpose of intercepting mobile phone traffic (this procedure is also known as “man in the middle attack”). An intercepted SIB-1 data package may be used (among other pieces of information) to lure users that have formerly been served by PLMN-A into a foreign communication system (e.g., into a cellular network operated by an MNO with whom MNO-A experiencing malfunction doesn’t have a disaster collaboration agreement with, or into a cellular network operated by an MNO that was not instructed by some government authority to open up its network for the purpose to enable disaster roaming).

For this reason, we propose to let MNO-B’s base stations transmit the ‘backup network indication’ in SIB-1 together with a digital signature in order to provide a layer of validation and security to all messages pertaining to disaster roaming that are sent over non-secure system information broadcast signalling methods. We propose the signature be generated on the infrastructure side by means of MNO-A’s or an authority’s (e.g., the regulator’s) secret key and validated in the UE by means of MNO- A’s or an authority’s (e.g., the regulator’s) public key. Doing so would allow all UEs receiving fall back or backup indications to validate their authenticity (if they have stored a matching public key).

Thus, we propose to store the at least one public key required to validate the various pieces of information relating to disaster roaming in a new EF on the USIM. It may be called EFDRPUBKEYS and structured as depicted in Fig. 7. In the example of Fig. 7 the key set identifier (KSI) may be used to differentiate a public key set associated with some MNO from a public key set associated with an authority. Alternatively, each public key entry may be preceded by an MNO or authority identifier (not shown in Fig. 7 for sake of brevity). It is thinkable also to use another encoding structure for example according to section 4.4.4.4 of 3GPP TS 31.102 “Third Party Root Public Key” (not shown in Fig.

7 either).

If service n°132 is "available", the EF file of Fig. 7 shall be present. It contains the coding for up to n disaster roaming (DR) public keys. In addition to the two new lEs we propose to be added to SIB-1 as part of the PLMN- IdentitylnfoList IE as described in connection with the first aspect of the invention above, we also propose introduction of a new IE for a ‘disaster roaming signature’ (according to the second aspect of the present invention), for instance, as shown in Fig. 8 or Fig. 9.

The ‘disaster roaming signature’ represented by the IE Signature as shown in Figs. 8 and 9 may be calculated over one or more of the lEs we propose to be added to SIB signalling to realize various aspects of the invention, i.e. it may be calculated over at least one of the backup or fall back indicator (cf. the first aspect above), the location information (cf. the third aspect below), and the timing information (cf. the fourth aspect below).

In accordance with the third aspect of the invention referred to above, the following is an example of restricting disaster roaming to an area of relevance.

Incoming disaster roamers (in this example, stemming from PLMN-A) may cause a heavy load on the fall back network (in this example, on PLMN-B). Thus, it is beneficial to restrict disaster roaming to areas of relevance (rather than opening up nationwide the entire alternative network for incoming disaster roamers).

In order to prevent users from entering/accessing an alternative network at locations that are not affected by disasters, we propose that UEs are required to perform a check on a location specific IE received via SIB signalling from an alternative network before they engage in the random access procedure in order to gain initial access to the alternative network in question.

For instance, the location specific IE may be received with SIB-1 , for example included in the PLMN-ldentitylnfoList IE, and it could be named DisasterLocation or something similar. It may contain the 24 bits of the latest assigned tracking area code (or the 8 bits of the RAN-based notification area code (NAC)) to the UE before the disaster struck either in plain text (cf. Fig. 10), or an encrypted representation of it (cf. Fig. 11).

Each tracking area has two main identities: The tracking area code (TAC) identifies a tracking area within a particular network and if combined with the PLMN-ID we get the globally unique tracking area identity (TAI). For the purpose of the present invention it doesn’t matter if the TAC or the TAI (or any other location specific information, for example relating to (a group of) disaster struck cells) is used. However, we propose to only use the TAC(s) as used by the UEs in the disaster struck region(s) of the home network.

Encryption may either take place in the home network, i.e. before the information is transmitted from the home network to the alternative network, or (if an entity of a regulator is involved) in the regulator’s domain, which is depicted as “REG” in Fig. 2. Upon reception of an encrypted DisasterLocation IE, as shown in Fig. 11 , the UE would have to decrypt the information using a cryptographic key before a comparison to the latest assigned TAC (or similar location specific information, such as a RAN-based NAC) can be performed on UE side.

If the PLMN-A specific location information about occurrence of a disaster is not (or, cannot be) disclosed by MNO-A, then in some cases the authority may be able to provide (and optionally encrypt) the desired information for dissemination in PLMN-B. This information may not have a direct relationship with MNO-A’s network topology, and it may be of coarser (or finer) granularity than the information MNO-A would have provided, but still accurate enough to prevent network overload in PLMN-B in case of disaster.

In case the authority provides the location information needed for implementing the method, the format may be different from the example formats depicted in Figs. 10 and 11 . It may for instance be location information based on a reference point and/or a radius (or distance) measured from said reference point and/or a tolerance range. In this embodiment, all UEs can (after performing a decryption operation on the data, if needed) determine whether they are residing within or outside of a (circular) area defined by the aforementioned set of parameters by calculating and comparing said area on the surface of the earth against their current positions as determined by means of a GNSS module (such as a module operating according to GPS, Galileo,

GLONASS, Beidou, or a similar satellite navigation system). UEs residing outside of the (circular) area defined by reference point and radius (and tolerance, if given) are therefore not entitled to access the alternative network. Fig. 12 gives a potential encoding option for the alternative location information that can be provided by an authority. In accordance with the fourth aspect of the invention referred to above, the following is an example taking into account how old the disaster roaming information is.

In one embodiment of the present invention we propose to provide UEs as long as they are residing in their home network with a token to take with them (during their search for an alternative PLMN, if their home network is down). The token may be composed of multiple input parameters (including one or more cryptographic ‘salt’ or 'seed' values).

UEs could be provisioned with the token either once or on a regular basis while they are residing in their home network. The token may for instance be related to or derived from a time stamp or a location stamp or a counter value (or a combination thereof) administered in the home network. In one embodiment of the present invention it may also be beneficial to use one or more salt or seed values that are unique for a single UE or for a group of UEs, such as identifiers of one or more relevant TACs, or RAN- based notification areas, or cell specific location information, or UE identifiers.

In addition to provisioning UEs with such a token, we propose to use the same token in the UEs’ home network (PLMN-A) when a disaster situation has been detected and the first disaster indication (Notification-1) is about to be generated: The idea is to use the same token as additional input data into a hash process for example, prior to calculating a digital signature over the (at least one) component(s) defining the ‘backup network indication’.

In one particular embodiment of the present invention new tokens may be generated consecutively by means of an update algorithm (for example, using an initial token as an input parameter). It is thinkable also that different instances of the same update algorithm are running on both sides, i.e. in the user equipment devices as well as in the user equipment devices’ home network. Ideally, in such a scenario, all instances of the update algorithm are configured to operate in a synchronous manner, so that matching output parameters (i.e., updated tokens) can be calculated on both sides over time even when the home network is down and communication between the user equipment devices and their home network is no longer possible.

UEs receiving the ‘backup network indications’ via SIB signalling according to the first aspect of the present invention in the alternative network (PLMN-B) could then use the initial token value they have been provisioned with in their home network or an updated token value they have calculated themselves by means of an update algorithm to interpret and verify the disaster roaming related pieces of information. UEs of inbound disaster roamers would for example ,be able to tell whether transmitted information about the available backup PLMN(s) is outdated or has been updated recently.

In accordance with the fifth aspect of the invention referred to above, the following is an example regulator involvement in disaster roaming.

Inter-PLMN signalling between a home network (PLMN-A) experiencing a disaster situation and an alternative network (PLMN-B) is shown in Fig. 2. In case of disaster (e.g., failure detection in some RAN or CN component) the home network sends out a first disaster indication (Notification-1) that may either go directly to the alternative network, or optionally go through the national telecommunications regulator’s (generally speaking, through an authority’s) domain “REG”, where - according to one embodiment of the present invention - it may be altered. In Fig. 2, the first disaster indication (Notification-1) is modified or enhanced by the authority. Consequently, a second disaster indication (Notification-2) is transmitted from the authority’s domain “REG” to the alternative network. It may be different in respect of at least one of the following ‘backup network indication’ components:

The “fall back” or “backup for” indicator has been changed/updated.

The authority’s signature has been added.

The content/format/granularity of the location information has been augmented or replaced, e.g. a reference point and a maximum distance measured from said reference point are present in addition to or instead of the location information provided by MNO-A, such as identifiers of one or more TACs (or RAN-based notification areas). The 'up-to-date' status has been changed or added.

The flow diagram of Fig. 13 illustrates the procedure.

In Step 1 , the home network (PLMN-A) detects a network failure (disaster occurred). A first disaster indication (Notification-1) is generated and sent via an authority’s REG entity, where it can be modified/augmented, to the alternative network (PLMN-B).

In Step 2, if the authority sees a need to modify the disaster indication, a second disaster indication (Notification-2) is transmitted from the REG entity to PLMN-B. Otherwise the first disaster indication (Notification-1) is conveyed to the alternative network unchanged. In this example, we assume that the authority has identified a need to modify at least one component of the disaster indication message received from PLMN-A.

In Step 3, the second disaster indication (Notification-2) is received by the alternative network, so PLMN-B can start selecting base stations that are operating in (roughly) the same area as the location where the disaster struck in PLMN-A. Identifying suitable base stations of PLMN-B may involve the AMF of the 5G-NR CN in MNO-B’s domain. After that, PLMN-B can start the dissemination of the inventive ‘Backup Network Indications’ via SIB signalling according to the first aspect of the present invention.

In accordance with the sixth aspect of the invention referred to above, the following is an example of providing disaster roaming indication in the uplink.

Incoming disaster roamers (in this example, stemming from PLMN-A) may cause an additional signalling load on the RAN of the selected or appointed fall back network (in this example, on PLMN-B). It would therefore be desirable to be able to differentiate incoming disaster roamers from the legacy UE population as early as possible in the access process to allow for disaster roaming specific handling of UEs. For instance, a disaster roaming specific handling of UEs may comprise an adjustment of random access related parameters and resources in the alternative network (e.g., increasing the number of random access preambles and/or enlarging the PRACH physical resources in the time/frequency grid and/or switching from a narrow bandwidth part (BWP) to a broader BWP) and so on.

According to the sixth aspect of this invention, UEs that are compelled to look for alternative communication service offerings in case of disaster should be enabled to inform the alternative network they have chosen to perform an access attempt on about their motivation, for example by means of a new EstablishmentCause value. This value could for instance be called “Disaster Roaming” as depicted in Fig. 14.

According to 3GPP TS 38.331 the EstablishmentCause IE is defined for usage in MSG3 (“Message #3”) of the 4-step random access procedure (i.e. in the “RRC Setup Request RRC Message), or MSGA (“Message A”) of the 2-step random access procedure.

The alternative network can then prioritize incoming requests, or to prepare for disaster roaming specific handling of incoming UEs accordingly, for example with at least one of an adjustment of random access related parameters and/or resources, and physical channel specific configuration details in general.

For the understanding of the present invention, the following should be noted.

The term ‘authority’ may mean some sort of government agency as well as a national or international regulatory body. All these terms are used interchangeably throughout this invention and are intended to describe the same thing.

Messages of the type ‘disaster indication’ (such as Notification- 1 and Notification-2) are usually generated and processed in the core networks of the respective mobile communication system and exchanged between different PLMNs. However, these messages may also traverse a REG entity associated with an authority where they can be checked, modified, and augmented.

The ‘backup network indications’ are usually transmitted from one or more base stations of the alternative network via downlink control signalling, e.g. as part of SIB signalling. A ‘backup network indication’ according to this invention may at least comprise the following elements: a “fall back” indicator; a “backup for” indicator; an MNO’s signature; an authority’s signature; an item of location information specific to the home network; identifiers of one or more TACs (or RAN-based notification areas) identifiers of one or more cells an item of (home network independent) geographical data reference point coordinates (such longitude and latitude) radii and maximum distances relating to said reference points an item of time information up-to-date status information (time stamp or counter value).

The term ‘base station’ may comprise all kinds of base stations, home base stations, relay nodes, and IAB-nodes regardless of the size of coverage area they are spanning, or the power class they are operating in, or their mounting position. In particular, all RAN components providing small cells, pico cells, femto cell, home cells, macro cells (and alike) are explicitly included in the scope of the present invention. The term ‘user equipment device’ (in short UE) may comprise all kinds of mobile or stationary communication terminals (with an integrated or attached cellular modem), such as cellular phones, tablet computers, wearables, personal digital assistants, and devices for machine-type communication, for example as can be used in an internet of things (loT) environment, such as factory automation, mobile payment, intelligent transport systems, traffic management, and so on.

The names of the message, events, and lEs shall be understood to merely serve as examples. There are many other options to get the information across the respective interface. This invention is by no means restricted to the naming, encoding examples, and message flows we disclose here.

Furthermore, the various lEs we propose to be used in the various messages may be assorted in one way or another, for example they may be collated in a new or already existing hierarchical structure, or grouped together with other lEs, for instance in form of a list or a container.

Even if we only show one new IE in the examples above, there may be embodiments making use of multiple instances of the same IE, for instance in form of a group, or a list, or a container.

Claims

1. A method for enabling a user equipment, UE, device having an association with a first network, which is a home network of the UE device, to communicate with a second network other than the home network in an event of the home network becoming unusable as a result of an occurrence of an event affecting the operation of the home network, the communicating termed disaster roaming, the method comprising: receiving from the home network an indicator that the UE device is authorized to use the second network should the event occur; and receiving from the second network information that the second network is available for connection with the UE device for disaster roaming, characterized in that the information received from the second network is either

(i) encrypted and the UE decrypts the information using cryptographic information received from the home network or

(ii) digitally signed and the UE device validates the information using cryptographic information received from the home network.

2. The method according claim 1 , wherein the information received from the second network includes location information indicative of a geographic region for which disaster roaming is enabled and the UE device is enabled to communicate with the second network if a geographic location of the UE device corresponds with the geographic region.

3. The method according to claim 1 or claim 2, wherein the UE device checks using the indicator whether the information received from the second network is up to date.

4. The method according to any preceding claim, wherein the UE device indicates to the second network that the UE device is performing disaster roaming during a random access procedure.

5. The method according to any preceding claim, wherein the UE device stores the indicator received from the home network as an entry in a file stored in a subscriber identity module.

6. A method for enabling a user equipment, UE, device having an association with a first network which is a home network of the UE device to communicate with a second network other than the home network in an event of the home network becoming unusable as a result of an occurrence of an event affecting the operation of the home network, the communicating termed disaster roaming, the method comprising: transmitting from the home network to the UE device an indicator that the UE device is authorized to use the second network should the event occur; transmitting a notification to the second network that the event has occurred at the first network; and transmitting from the second network information that the second network is available for connection with the UE device for disaster roaming, characterized in that the information transmitted from the second network is either

(i) encrypted and decryption information is transmitted from the home network or

(ii) digitally signed such that a validation of the digital signature can be performed in the UE device based on information received from the home network.

7. The method according to claim 6, wherein the information transmitted by the second network includes location information indicative of a geographic region for which disaster roaming is enabled.

8. The method according to claim 6 or claim 7, wherein the first network informs a regulatory authority that the event has occurred at the first network and the regulatory authority informs the second network to accept disaster roaming from UE devices associated with the first network.

9. The method according to one of claims 6 to 8, wherein the second network accepts a UE device for communication with the second network if the UE device indicates disaster roaming as a reason for performing an access attempt on the second network.

10. The method according to any one of claims 6 to 9 wherein the second network adjusts at least one of resources and parameters for UE devices which are performing disaster roaming.