FI129827B - Authorization of time synchronization messages - Google Patents


Publication number
FI129827B
Authority
FI
Finland
Prior art keywords
time synchronization
filtering
time
synchronization message
message
Prior art date
Application number
FI20205943A
Other languages
Finnish (fi)
Swedish (sv)
Other versions
FI20205943A1 (en
Inventor
Daniel Fraunholz
Genevieve Mange
Devaki Chandramouli
Anja Jerichow
Original Assignee
Nokia Technologies Oy
Priority date
Filing date
Publication date
Application filed by Nokia Technologies Oy filed Critical Nokia Technologies Oy
Priority to FI20205943A priority Critical patent/FI129827B/en
Publication of FI20205943A1 publication Critical patent/FI20205943A1/en
Application granted granted Critical
Publication of FI129827B publication Critical patent/FI129827B/en


Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04JMULTIPLEX COMMUNICATION
    • H04J3/00Time-division multiplex systems
    • H04J3/02Details
    • H04J3/06Synchronising arrangements
    • H04J3/0635Clock or time synchronisation in a network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0245Filtering by information in the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1466Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • H04W12/088Access security using filters or firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W56/00Synchronisation arrangements

Abstract

There is provided an apparatus (700) comprising means for: receiving (310) a time synchronization message for a given time domain; filtering (320) the time synchronization message based on one or more time synchronization specific authorization policies; and deciding (330) whether to drop or allow the time synchronization message based on the filtering.

Description

Authorization of time synchronization messages
FIELD
[0001] Various example embodiments relate to authorization of time synchronization messages in time sensitive networks.
BACKGROUND
[0002] Time sensitive networking is a set of standards that define mechanisms for time-sensitive transmission of data over Ethernet networks. In applications of internet of things, e.g. in industrial automation and communication technology, various devices may be connected forming a network of devices, wherein it is of great importance that the data is delivered reliably and with low latency between the devices.
[0003] Wireless communication systems, e.g. 5G systems, may be integrated into time sensitive networks. Time synchronization plays an important role in time-critical applications. There is a need to provide secure time synchronization procedures.
SUMMARY
[0004] According to some aspects, there is provided the subject-matter of the independent claims. Some example embodiments are defined in the dependent claims. The scope of protection sought for various example embodiments is set out by the independent claims. The example embodiments and features, if any, described in this specification that do not fall under the scope of the independent claims are to be interpreted as examples useful for understanding various example embodiments.
[0005] According to a first aspect, there is provided an apparatus comprising means for: receiving a time synchronization message for a given time domain; filtering the time synchronization message based on one or more time synchronization specific authorization policies; and deciding whether to drop or allow the time synchronization message based on the filtering.
[0006] According to an embodiment, the one or more authorization policies are stored in close proximity to one or more filters configured to perform the filtering; or co-located with the one or more filters configured to perform the filtering; or stored at a policy control function; or stored at a unified data management, and the apparatus further comprises means for receiving the one or more authorization policies from the policy control function or the unified data management if stored therein.
[0007] According to an embodiment the time synchronization message is a downlink time synchronization message, and the filtering is configured to be performed by one or more filters residing at a network-side translator side and/or at user plane function and/or at a device-side translator side.
[0008] According to an embodiment, the time synchronization message is an uplink time synchronization message, and the filtering is configured to be performed by one or more filters residing at a device-side translator side; and/or at a network-side translator side and/or at user plane function.
[0009] According to an embodiment, the time synchronization message is from a first user equipment to a second user equipment, and the filtering is configured to be performed by one or more filters residing at a device-side translator side and/or at user plane function.
[0010] According to an embodiment, the one or more filters residing at a network-side translator side or at a device-side translator side are configured via port management information container(s).
[0011] According to an embodiment, the one or more filters residing at a network-side translator side or at user plane function are configured via forwarding action rules.
[0012] According to an embodiment, the one or more time synchronization specific authorization policies are based on a time domain parameter and/or master clock functionality.
[0013] According to an embodiment, the time synchronization message is a generalized precision time protocol message or a precision time protocol message.
[0014] According to an embodiment, the means comprises at least one processor; and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the performance of the apparatus.
[0015] According to a second aspect, there is provided a method comprising: receiving a time synchronization message for a given time domain; filtering the time synchronization message based on a time synchronization specific authorization policy; and deciding whether to drop or allow the time synchronization message based on the filtering.
[0016] According to an embodiment, the one or more time synchronization specific authorization policies are based on a time domain parameter and/or master clock functionality.
[0017] According to an embodiment, the time synchronization message is a generalized precision time protocol message or a precision time protocol message.
[0018] According to an embodiment, the method further comprises receiving filter configuration via port management information container(s) or via forwarding action rules.
[0019] According to a third aspect, there is provided a computer program configured to cause a method in accordance with at least one of claims 11 to 14 to be performed.
[0020] According to a further aspect, there is provided an optionally non-transitory computer readable medium comprising program instructions that, when executed by at least one processor, cause an apparatus at least to perform the method of the second aspect and the embodiments thereof.
[0021] According to a further aspect, there is provided an apparatus comprising at least one processor; and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform: receiving a time synchronization message for a given time domain; filtering the time synchronization message based on one or more time synchronization specific authorization policies; and deciding whether to drop or allow the time synchronization message based on the filtering.
BRIEF DESCRIPTION OF THE DRAWINGS
[0022] Fig. 1 shows, by way of example, an overview of a time sensitive network integration of a communication system;
[0023] Fig. 2 shows, by way of example, a spoofing attack;
[0024] Fig. 3 is a flowchart of a method;
[0025] Fig. 4 shows, by way of example, filters in downlink time synchronization scenario;
[0026] Fig. 5 shows, by way of example, filters in uplink time synchronization scenario;
[0027] Fig. 6 shows, by way of example, filters in UE-to-UE time synchronization scenario; and
[0028] Fig. 7 shows, by way of example, a block diagram of an apparatus.
DETAILED DESCRIPTION
[0029] Fig. 1 shows, by way of example, an overview of a time sensitive network (TSN) integration of a communication system, such as a 5G system (5GS). For TSN time synchronization, the communication system, e.g. 5GS, may be integrated as a bridge or bridges, e.g. bridge 1 110 and bridge 2 120, in an external network, e.g. a time sensitive network (TSN) 105. 5GS may be considered as a time-aware system, i.e. time synchronization is to be supported. As time synchronization protocol, a generalized precision time protocol (gPTP) or precision time protocol (PTP) may be used to synchronize clocks throughout the network.
[0030] The bridges 110, 120, i.e. TSN bridges, may comprise one or more device-side translators (DS-TT), one or more user equipments (UE) 160, 162, 164, one or more user plane functions (UPFs), which may comprise one or more network-side translators (NW-TT). The bridges may comprise TSN translator functionality for ingress and egress communication. Ingress refers to traffic that originates outside the network and travels into the network across a network boundary. Egress refers to traffic that originates within the network and exits across a network boundary. The device-side translator (DS-TT) 130, 132, 134, 136 is deployed at the UE side, and the network-side translator (NW-TT) 140, 142 is deployed at the network side. TSN nodes 150, 152, 154 are connected to the system via DS-TT and NW-TT. The UEs may be connected to one or more communication systems, e.g. one or more 5GSs. For example, the UE A 160 is connected to bridge 110 and bridge 120.
[0031] Upon reception of a downlink time synchronization message, e.g. (g)PTP message, for a given TSN working domain from TSN network 105, the NW-TT 140, 142 makes an ingress timestamping for the (g)PTP event message. The (g)PTP message is then delivered or forwarded over the user plane function (UPF), to the UEs 160, 162, 164. The UE receives the (g)PTP message and forwards it to the DS-TT 130, 132, 134, 136, which makes egress timestamping for the (g)PTP event message for external TSN working domain(s). Then, the (g)PTP message is sent to TSN node 150, 152, 154. Timestamping is based on the system clock at NW-TT and DS-TT.
[0032] TSN working domain refers to a synchronization time domain for a localized set of devices collaborating on a specific task or work function in a TSN network. For example, TSN node 1 150 may be part of a first working domain (white circle 180) and a second working domain (dotted circle 182). TSN node 2 152 may be part of the second working domain. TSN node 3 154 may be part of the first working domain. In case of multiple TSN working domains, DS-TT and NW-TT may identify the TSN working domain e.g. based on the domainNumber parameter comprised in the time synchronization message. The domainNumber parameter may be provided by the TSN node. There may be only one protocol data unit (PDU) session, 170, 172, 174, 176 per DS-TT port for a given UPF. Port number of Ethernet port on the DS-TT for the PDU session is assigned by the UPF during PDU session establishment.
[0033] In some scenarios, a TSN node may be untrusted. Such an untrusted device may send tampered data, e.g. a tampered domainNumber parameter, to the system, e.g. to the 5GS. By spoofing other TSN working domains, an untrusted TSN node may access TSN working domains that are intended to be access restricted for this node. After establishing access to such a restricted TSN working domain, an attacker, i.e. the untrusted TSN node, may send tampered or spoofed time synchronization messages. Tampered or spoofed time synchronization messages may cause damages, e.g. denial of service scenarios, degradation of the accuracy, or distribution of false time information in the TSN working domain. Furthermore, network reconnaissance may be performed and compromise of other TSN nodes may become more likely.
[0034] Fig. 2 shows, by way of example, a spoofing attack. A TSN node 2 152 may be an untrusted device, which is part of the second TSN working domain (dotted circle). The TSN node 2 may have, for example, tampered the domainNumber parameter of the time synchronization messages. Then, the TSN node 2 may be sending those messages 210 (small white circles) that pretend to be part of the first TSN working domain, which is different than the second TSN working domain. Flow of tampered messages 210 is illustrated with small white circles and thick arrows, i.e. the message 210 is sent from the TSN node 2 152 to DS-TT 134, from DS-TT to UE B 162, from UE B to UPF/NW-TT 142, from UPF/NW-TT to UE C 164, from UE C to DS-TT 136, and from DS-TT to TSN node 3 154.
[0035] There is provided an apparatus and a method for authorization of time synchronization messages.
[0036] The apparatus may be or may comprise a filter configured to decide whether to forward, i.e. allow, or drop a time synchronization message for a specific time domain. The filtering decision is based on an authorization policy or authorization policies, which may be specific for a given time domain, for example. The authorization policy or policies may be stored in an authorization table, or other suitable data structure. The authorization data structure may be stored in close proximity to the filter, or co-located with the filter, which is beneficial in the sense of strict requirements of timing behaviour of time synchronization. A decentralized set of local authorization data structures may provide policies to the filters. The authorization policies may be updated e.g. periodically after a certain time interval.
[0037] Alternatively, the authorization data structure may be stored at a central location, which may provide simplified management due to single storage instance. The central location may refer to e.g. a policy control function (PCF) or a unified data management (UDM). The authorization policies may then be received, by the filter or an apparatus comprising a filter, from the central location.
[0038] A filter may be considered as an apparatus that is configured to match an incoming message against a set of policies. Based on the matching, the filter may select an appropriate policy, and determine an action to perform on the message. The action may be e.g. to drop the message or to forward, i.e. allow, the message. Then, the message is either dropped or allowed.
[0039] The set of policies comprises authorization policies that describe message characteristics that are used to verify whether an incoming message is subject to this policy. In case the characteristics are matched positively, an action corresponding to the policy is to be performed. Authorization policies may provide default actions and particular authorization policies for messages. As an example of a default action, it may be determined to drop each message that is not associated to at least one particular authorization policy. As an example of a particular authorization policy, it may be determined that a message of a certain type from a certain UE to another certain UE is allowed.
[0040] Fig. 3 shows, by way of example, a flowchart of a method 300 for authorization of time synchronization messages, e.g. (g)PTP messages. The method may be performed e.g. by filter(s) residing at DS-TT side and/or at UPF/NW-TT side, or in a control device configured to control the functioning thereof, when installed therein. The method 300 comprises receiving 310 a time synchronization message for a given time domain. The method 300 comprises filtering the time synchronization message based on one or more time synchronization specific authorization policies. The method 300 comprises deciding whether to drop or allow the time synchronization message based on the filtering.
[0041] The method as disclosed herein ensures that the time synchronization messages from trusted sources, e.g. only time synchronization messages from trusted sources, may pass through. The method as disclosed herein allows time domain specific filtering based on time synchronization specific authorization policy.
[0042] A time synchronization message, e.g. a gPTP message or a PTP message, may be received by an apparatus, e.g. a filter or an apparatus comprising a filter. For example, the time synchronization message may be a downlink message sent from the network to the UE/DS-TT side. As another example, the time synchronization message may be an uplink message from the device side, e.g. from the TSN node(s), to the network. As a further example, the time synchronization message may be a message from a first user equipment, e.g. a first TSN node, to a second user equipment, e.g. a second TSN node.
[0043] Fig. 4 shows, by way of example, filters in downlink time synchronization scenario. The received message is a downlink time synchronization message from the network-side 105 to the UE/DS-TT-side. Filtering may be performed by filter(s) 410, 420 residing at network-side translator side, e.g. at UPF/NW-TT and/or by filter(s) 420, 430, 440, 450 residing at DS-TT side. Filtering by filters at UPF/NW-TT may be preferable, since UPF/NW-TT may be more trusted than the DS-TT.
[0044] Time synchronization messages, e.g. gPTP messages or PTP messages, require a master clock in the network. The master clock, i.e. a grand master (GM) clock, gives the time to other clocks in the network. To determine which clock within the network should act as the master clock, the best master clock algorithm (BMCA) may be used. The BMCA defines a measure to evaluate or quantify the quality of each clock in the network. Based on this evaluation, each clock identifies its neighboring clock with the highest quality. Then each clock may decide the state of the ports, i.e. whether the port should be in master mode or slave mode, or in passive mode. The port connecting to the clock with the highest quality is in slave mode, while other ports are in master mode, thus propagating the time from the master clock in the network. The messages that are exchanged during BMCA may be referred to as announce messages.
[0045] Fig. 5 shows, by way of example, filters in uplink time synchronization scenario. The received message is an uplink time synchronization message from the device side to the network. The device side may provide the GM capabilities, and the announce messages may be considered as a subset of time synchronization messages. For example, the TSN nodes 150, 152, 154 may send messages to the network 105. Filtering may be performed by filter(s) 510, 520, 530, 540 residing at DS-TT-side and/or by filter(s) 550, 560 residing at UPF/NW-TT side. DS-TT filters may be used to filter incoming packets from potentially untrusted TSN nodes 150, 152, 154. UPF filters may be used to filter incoming messages from the UEs 160, 162, 164. Filtering either at DS-TT or UPF/NW-TT may be sufficient to mitigate possibly spoofing TSN nodes. However, if DS-TT/UE is a spoofing entity, the tampered messages from that entity may need to be filtered by a filter at the UPF/NW-TT. For example, DS-TT may send tampered messages to NW-TT, and filter(s) located at UPF/NW-TT may perform the filtering and detect the tampering. As another example, DS-TT may send tampered messages to another DS-TT, in which case a filter located at UPF may perform the filtering and detect the tampering. As a further example, a filter located at UPF may be used to verify if messages previously filtered at DS-TT were filtered in accordance to the deployed authorization policies.
[0046] Fig. 6 shows, by way of example, filters in UE-to-UE time synchronization scenario. The received message is a time synchronization message from a first user equipment (UE) to a second user equipment (UE). The UEs connect the TSN nodes to the 5GS. Let us consider an example, wherein the GM capabilities may be provided from a first TSN node on the device side to a second TSN node on the device side, and the announce messages may be considered as a subset of time synchronization messages. Filtering may be performed by filter(s) 610, 620, 630, 640 residing at DS-TT side and/or by filter(s) 650, 660 residing at UPF side. In addition, the target DS-TT may perform filtering as well, as illustrated by filters 615, 625, 635, 645, which may provide better protection. The source DS-TT may verify messages before sending them to external TSN nodes. Filtering either at DS-TT or UPF may be sufficient to mitigate possibly spoofing TSN nodes. However, if DS-TT/UE is a spoofing entity, the tampered messages from that entity may need to be filtered by a filter at the UPF.
[0047] For example, the first UE may be e.g. UE B 162, and the second UE may be e.g. UE C 164. The UEs connect the TSN nodes to the 5GS. Let us consider an example, wherein the GM capabilities may be provided from a first TSN node 152 on the device side to a second TSN node 154 on the device side, and the announce messages may be considered as a subset of time synchronization messages. Filtering may be performed by a filter 630 at DS-TT, and by a filter 660 at UPF, and by a filter 645 at DS-TT.
[0048] The filters at UE/DS-TT or at NW-TT may be configured e.g. via port management information container(s) (PMIC(s)). PMIC comprises information exchanged transparently between TSN application function (AF) and NW-TT or DS-TT via communication system, e.g. 5GS, for time sensitive communications (TSC) PDU sessions. Each port may use separate PMIC.
[0049] The PMIC may be extended to comprise parameters needed to perform filtering of time synchronization messages, e.g. (g)PTP messages, for a given time domain. The PMIC may be extended to comprise authorized and/or unauthorized time domain information, authorization policies so that it may be enforced by the NW-TT and UE/DS-TT. The authorization policies along with authorized/unauthorized time domain information may be stored in the NW-TT and UE/DS-TT as part of authorization data structure, e.g. a table.
[0050] Filtering may be based on various features or authorization policies, e.g. time domain parameter, i.e. TSN domainNumber (working domain) and/or GM functionality, i.e. whether a GM clock is allowed on a certain port or not.
[0051] For example, an authorization table with exemplary authorization policies for the device side (DS-TT/UE) may comprise (reference numbers in brackets refer to Fig. 1):

| DS-TT port | UE      | Policy                            | Action              |
| 1 (130)    | A (160) | Access TSN working domain 1 (180) | Allowed/FORWARD     |
| 1 (130)    | A (160) | Access TSN working domain 2 (182) | Allowed/FORWARD     |
| 1 (130)    | A (160) | GM functionality                  | Allowed/FORWARD     |
| 2 (132)    | A (160) | Access TSN working domain 1 (180) | Allowed/FORWARD     |
| 2 (132)    | A (160) | Access TSN working domain 2 (182) | Allowed/FORWARD     |
| 3 (134)    | B (162) | Access TSN working domain 1 (180) | Not allowed/DROP    |
| 3 (134)    | B (162) | GM functionality                  | Not allowed/DROP    |

[0052] Based on the table, it may be seen that UE A 160 has access to both working domains, i.e. to working domain 1 180 and working domain 2 182, and the GM clock is allowed on DS-TT ports 130, 132. UE B 162, on the other hand, does not have access to working domain 1 (180), and the GM clock is not allowed on DS-TT port 134.
[0053] Flexible authorization allows filtering of particular TSN devices and particular operations. Grouping of TSN devices is possible, e.g. via DS-TT port or UE, as in table above.
[0054] In order to detect e.g. a tampered domainNumber, the filter is aware of working domains of TSN devices. Then, if the working domain of the device does not match with the domainNumber parameter, the filter may detect that the device is sending tampered messages.
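The filtering decision of paragraphs [0038], [0039] and [0050] to [0054], sketched as an added example; it is not code from the patent or from any 5GS implementation. It reads messageType and domainNumber from the 34-byte IEEE 1588 common header and checks them against the authorization table of [0051] with default drop. Assumptions: working domain N is carried as domainNumber N, an Announce message is taken as the sign of GM functionality, UE B on port 3 is authorized for working domain 2 (its own domain in Fig. 2), and all function and variable names are hypothetical.

```python
import struct
from enum import Enum

PTP_HEADER_LEN = 34   # IEEE 1588 common header length in bytes
MSG_SYNC = 0x0
MSG_ANNOUNCE = 0xB    # exchanged during BMCA; assumed here to indicate GM functionality


class Action(Enum):
    FORWARD = "FORWARD"
    DROP = "DROP"


DEFAULT_ACTION = Action.DROP  # default action of [0039]: no matching policy means drop

# Authorization table of [0051], keyed by (DS-TT port, UE, policy).
# Assumption: "working domain N" corresponds to domainNumber N.
POLICIES = {
    (1, "A", ("domain", 1)): Action.FORWARD,
    (1, "A", ("domain", 2)): Action.FORWARD,
    (1, "A", ("gm",)): Action.FORWARD,
    (2, "A", ("domain", 1)): Action.FORWARD,
    (2, "A", ("domain", 2)): Action.FORWARD,
    (2, "A", ("gm",)): Action.FORWARD,        # stated in [0052]; no row in the table
    (3, "B", ("domain", 1)): Action.DROP,
    (3, "B", ("gm",)): Action.DROP,
    (3, "B", ("domain", 2)): Action.FORWARD,  # assumption: node 2's own domain (Fig. 2)
}


def build_ptp(msg_type, domain, sequence_id=1):
    """Build a header-only (g)PTP message. Constructed sample input, not a capture."""
    return struct.pack(
        "!BBHBBHqI10sHBb",
        (0x1 << 4) | msg_type,  # majorSdoId 1 (gPTP) in high nibble, messageType in low
        0x02,                   # versionPTP = 2
        PTP_HEADER_LEN,         # messageLength
        domain,                 # domainNumber (byte offset 4)
        0,                      # reserved
        0,                      # flagField
        0,                      # correctionField
        0,                      # reserved
        bytes(10),              # sourcePortIdentity, zeroed in this sample
        sequence_id,            # sequenceId
        0,                      # controlField
        0,                      # logMessageInterval
    )


def parse_header(msg):
    """Return (messageType, domainNumber); raise ValueError on a malformed header."""
    if len(msg) < PTP_HEADER_LEN:
        raise ValueError("truncated PTP header")
    if msg[1] & 0x0F != 2:
        raise ValueError("unsupported versionPTP")
    return msg[0] & 0x0F, msg[4]


def decide(port, ue, msg):
    """Filter one message arriving on a DS-TT port; return (Action, reason)."""
    try:
        msg_type, domain = parse_header(msg)
    except ValueError as exc:
        return Action.DROP, f"malformed message: {exc}"
    # Time domain check: a claimed domainNumber outside the sender's
    # authorized working domains is treated as tampering ([0054]).
    if POLICIES.get((port, ue, ("domain", domain)), DEFAULT_ACTION) is Action.DROP:
        return Action.DROP, f"port {port}/UE {ue} not authorized for domain {domain}"
    # GM functionality check: only ports allowed to host a GM clock may announce.
    if msg_type == MSG_ANNOUNCE and (
        POLICIES.get((port, ue, ("gm",)), DEFAULT_ACTION) is Action.DROP
    ):
        return Action.DROP, f"GM functionality not allowed on port {port}"
    return Action.FORWARD, "authorized"


if __name__ == "__main__":
    samples = [
        (1, "A", build_ptp(MSG_ANNOUNCE, 1)),  # authorized GM on port 130
        (3, "B", build_ptp(MSG_SYNC, 1)),      # Fig. 2 spoof: claims working domain 1
        (3, "B", build_ptp(MSG_SYNC, 2)),      # own domain
        (3, "B", build_ptp(MSG_ANNOUNCE, 2)),  # GM attempt from port 134
    ]
    for port, ue, msg in samples:
        action, reason = decide(port, ue, msg)
        print(port, ue, action.value, reason)
```
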
[0055] When the filters are configured via PMIC, the signalling for a single bridge may be described as follows. In the first step, the time domain authorization may be requested by the TSN AF. The configured policy may be, for example, dynamic or static. In case of dynamic policy built based on external time domain integration, the TSN AF may request authorization from policy control function (PCF). In case of static policy built based on configured time domains, the TSN AF may request authorization from unified data management (UDM).
[0056] In the second step, the PCF (dynamic policy) or the UDM (static policy) will send the external time domain authorization policies to the TSN AF.
[0057] In the third step, the TSN AF will forward the authorization policies on a per time domain basis to the DS-TT and/or NW-TT. DS-TT and/or NW-TT are then able to perform authorization based on the information retrieved from the TSN AF.
[0058] The filters in the UPF/NW-TT side may be configured via forwarding action rules (FARs). FAR defines how a message or packet shall be buffered, dropped or forwarded. FAR further defines packet encapsulation/decapsulation and forwarding destination.
[0059] FARs may be configured so that a session management function (SMF) enables time domain specific filtering of time synchronization messages, e.g. (g)PTP messages, at UPF/NW-TT. The FAR may be extended to comprise authorized and/or unauthorized time domain information, authorization policies so that it may be enforced by the UPF/NW-TT. The authorization policies along with authorized/unauthorized time domain information may be stored in the UPF/NW-TT as part of authorization data structure, e.g. as a table above.
[0060] When the filters are configured via FAR, the signalling for a single bridge may be described as follows. In the first step, the time domain authorization may be requested by the session management function (SMF). The configured policy may be, for example, dynamic or static. In case of dynamic policy built based on external time domain integration, the SMF may request authorization from the PCF. In case of static policy built based on configured time domains, the SMF may request authorization from the UDM.
[0061] In the second step, the PCF (dynamic policy) or the UDM (static policy) will send the external time domain authorization policies to the SMF.
[0062] In the third step, the SMF will forward the authorization policies on a per time domain basis to the UPF/NW-TT. UPF/NW-TT is then able to perform authorization based on the information retrieved from the SMF.
[0063] As disclosed herein, filters within existing FAR and PMIC data structures, e.g. tables, are provided. By filtering the time synchronization messages by filtering rules, e.g. time domain specific rules, it is ensured that authorized messages from trusted sources may pass through.
[0064] Fig. 7 shows, by way of example, an apparatus capable of performing the method as disclosed herein. Illustrated is device 700, which may comprise, for example, a filter residing at DS-TT side and/or at UPF/NW-TT side. Alternatively, the apparatus may bea network function in a communication system, wherein the network function is configured to provide time sensitive networking or communications. The network function may be e.g. DS-TT or UPF/NW-TT.
[0065] Comprised in device 700 is processor 710, which may comprise, for example, a single- or multi-core processor wherein a single-core processor comprises one processing — core and a multi-core processor comprises more than one processing core. Processor 710 may comprise, in general, a control device. Processor 710 may comprise more than one S processor. Processor 710 may be a control device. Processor 710 may comprise at least one N application-specific integrated circuit, ASIC. Processor 710 may comprise at least one 3 field-programmable gate array, FPGA. Processor 710 may be means for performing Q 25 — method steps. Processor 710 may be configured, at least in part by computer instructions, E to perform actions. 2 [0066] A processor may comprise circuitry, or be constituted as circuitry or Q circuitries, the circuitry or circuitries being configured to perform phases of methods in N accordance with example embodiments described herein. As used in this application, the term “circuitry” may refer to one or more or all of the following: (a) hardware-only circuit implementations, such as implementations in only analog and/or digital circuitry, and (b)
combinations of hardware circuits and software, such as, as applicable: (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and (ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus to perform various functions) and (c) hardware circuit(s) and or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
[0067] This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or — other computing or network device.
[0068] Device 700 may comprise memory 720. Memory 720 may comprise random-access memory and/or permanent memory. Memory 720 may comprise at least one RAM chip. Memory 720 may comprise solid-state, magnetic, optical and/or holographic memory, for example. Memory 720 may be at least in part accessible to processor 710. Memory 720 may be at least in part comprised in processor 710. Memory 720 may be means for storing information. Memory 720 may comprise computer instructions that processor 710 is configured to execute. When computer instructions configured to cause processor 710 to perform certain actions are stored in memory 720, and device 700 overall is configured to run under the direction of processor 710 using computer instructions from memory 720, processor 710 and/or its at least one processing core may be considered to be configured to perform said certain actions. Memory 720 may be at least in part external to device 700 but accessible to device 700.
[0069] Device 700 may comprise a transmitter 730. Device 700 may comprise a receiver 740. Transmitter 730 and receiver 740 may be configured to transmit and receive, respectively, information in accordance with at least one cellular or non-cellular standard. Transmitter 730 may comprise more than one transmitter. Receiver 740 may comprise more than one receiver.
[0070] Device 700 may comprise user interface, UI, 750. UI 750 may comprise at least one of a display, a keyboard, a touchscreen, a speaker and a microphone. A user may be able to operate device 700 via UI 750, for example to configure device 400 and/or functions it runs.

Claims (13)

CLAIMS:
1. An apparatus (700) comprising means for: receiving (310) a time synchronization message for a given time domain; filtering (320) the time synchronization message based on one or more time synchronization specific authorization policies, which are stored in close proximity to one or more filters configured to perform the filtering or co-located with the one or more filters configured to perform the filtering; and deciding (330) whether to drop or allow the time synchronization message based on the filtering.
2. The apparatus (700) of claim 1, wherein the time synchronization message is a downlink time synchronization message, and the filtering is configured to be performed by one or more filters (410) residing at a network-side translator side and/or at user plane function and/or at a device-side translator side.
3. The apparatus (700) of claim 1, wherein the time synchronization message is an uplink time synchronization message, and the filtering is configured to be performed by one or more filters (420) residing at a device-side translator side; and/or at a network-side translator side and/or at user plane function.
4. The apparatus (700) of claim 1, wherein the time synchronization message is from a first user equipment to a second user equipment, and the filtering is configured to be performed by one or more filters residing at a device-side translator side and/or at user plane function.
5. The apparatus (700) of any of the claims 2 to 4, wherein the one or more filters residing at a network-side translator side or at a device-side translator side are configured via port management information container(s).
6. The apparatus (700) of any of the claims 2 to 4, wherein the one or more filters residing at a network-side translator side or at user plane function are configured via forwarding action rules.
7. The apparatus (700) of any preceding claim, wherein the one or more time synchronization specific authorization policies are based on a time domain parameter and/or master clock functionality.
8. The apparatus (700) of any preceding claim, wherein the time synchronization message is a generalized precision time protocol message or a precision time protocol message.
9. A method (300) comprising: receiving (310) a time synchronization message for a given time domain; filtering (320) the time synchronization message based on one or more time synchronization specific authorization policies, which are stored in close proximity to one or more filters configured to perform the filtering or co-located with the one or more filters configured to perform the filtering; and deciding (330) whether to drop or allow the time synchronization message based on the filtering.
10. The method (300) of claim 9, wherein the one or more time synchronization specific authorization policies are based on a time domain parameter and/or master clock functionality.
11. The method (300) of claim 9 or 10, wherein the time synchronization message is a generalized precision time protocol message or a precision time protocol message.
12. The method (300) of any of the claims 9 to 11, further comprising receiving filter configuration via port management information container(s) or via forwarding action rules.
13. A computer program configured to cause a method (300) in accordance with at least one of claims 9 to 12 to be performed.
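As an added illustration of the receive, filter and decide steps of claims 1, 7 and 8 (not code from the patent), the following Python example reads the messageType and domainNumber fields of a PTP common header and applies a locally held policy. The `Policy` record, the port names, and the mapping of "master clock functionality" to the Sync, Follow_Up, Delay_Resp and Announce message types are assumptions of this example.

```python
import struct
from dataclasses import dataclass

PTP_HEADER_LEN = 34  # length of the PTP common header in bytes
# Assumption: these message types are only originated by a port acting as master.
MASTER_TYPES = {0x0: "Sync", 0x8: "Follow_Up", 0x9: "Delay_Resp", 0xB: "Announce"}

@dataclass(frozen=True)
class Policy:
    """Hypothetical authorization policy, stored next to the filter."""
    allowed_domains: frozenset
    may_act_as_master: bool

def parse_header(frame: bytes):
    """Return (message_type, domain_number), or None for an implausible header."""
    if len(frame) < PTP_HEADER_LEN:
        return None
    b0, b1, length, domain = struct.unpack_from("!BBHB", frame, 0)
    # Low nibble of byte 1 is versionPTP; messageLength must fit the frame.
    if (b1 & 0x0F) != 2 or length < PTP_HEADER_LEN or length > len(frame):
        return None
    return b0 & 0x0F, domain

def decide(frame: bytes, policy) -> str:
    """Filter one time synchronization message; return 'allow' or 'drop'."""
    hdr = parse_header(frame)
    if hdr is None or policy is None:
        return "drop"  # fail closed on malformed input or a missing policy
    msg_type, domain = hdr
    if domain not in policy.allowed_domains:
        return "drop"  # sender is not authorized for this time domain
    if msg_type in MASTER_TYPES and not policy.may_act_as_master:
        return "drop"  # sender is not authorized to act as master clock
    return "allow"

def make_msg(msg_type: int, domain: int) -> bytes:
    """Build a constructed, header-only PTPv2 message for the demonstration."""
    hdr = struct.pack("!BBHB", msg_type, 2, PTP_HEADER_LEN, domain)
    return hdr + bytes(PTP_HEADER_LEN - len(hdr))

# Constructed sample policies, keyed by a hypothetical ingress port name.
POLICIES = {
    "uplink-port-1": Policy(frozenset({1}), may_act_as_master=False),
    "downlink": Policy(frozenset({0, 1}), may_act_as_master=True),
}

if __name__ == "__main__":
    for port, mtype, dom in [("uplink-port-1", 0xB, 1), ("uplink-port-1", 0x1, 1),
                             ("uplink-port-1", 0x1, 5), ("downlink", 0x0, 0)]:
        print(port, hex(mtype), dom, decide(make_msg(mtype, dom), POLICIES[port]))
```

The filter fails closed: a truncated header, an unexpected versionPTP value or a port with no policy results in a drop.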
FI20205943A 2020-09-29 2020-09-29 Authorization of time synchronization messages FI129827B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
FI20205943A FI129827B (en) 2020-09-29 2020-09-29 Authorization of time synchronization messages

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
FI20205943A FI129827B (en) 2020-09-29 2020-09-29 Authorization of time synchronization messages

Publications (2)

Publication Number Publication Date
FI20205943A1 (en) 2022-03-30
FI129827B (en) 2022-09-15

Family

ID=81579273

Family Applications (1)

Application Number Title Priority Date Filing Date
FI20205943A FI129827B (en) 2020-09-29 2020-09-29 Authorization of time synchronization messages

Country Status (1)

Country Link
FI (1) FI129827B (en)

Also Published As

Publication number Publication date
FI20205943A1 (en) 2022-03-30


Legal Events

Date Code Title Description
FG Patent granted

Ref document number: 129827

Country of ref document: FI

Kind code of ref document: B