GB2597343A - Slice specific authentication and authorization - Google Patents


Publication number: GB2597343A
Authority: GB (United Kingdom)
Legal status: Granted
Application number: GB2101857.7A
Other versions: GB2597343B (en), GB202101857D0 (en)
Inventors: Watfa Mahmoud, Kumar Kaura Ricky
Current Assignee: Samsung Electronics Co Ltd
Original Assignee: Samsung Electronics Co Ltd

Classifications

    • H04W12/08 Access security
    • H04W12/06 Authentication
    • H04W48/02 Access restriction performed under specific conditions
    • H04W48/18 Selecting a network or a communication service
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration
    • H04W76/12 Setup of transport tunnels
    • H04W88/18 Service support devices; Network management devices

Abstract

There is disclosed a method for network slice authorization by a network management entity in a wireless communications system. The method comprises: receiving, from a user equipment, a message including a Protocol Data Unit (PDU) request; if the message does not include an indication of a network slice, and a default network slice associated with the user equipment is not available, transmitting a message indicating rejection of the PDU request or indicating not forwarding of the PDU request, to the user equipment; performing authorization on one or more default network slices associated with the user equipment; transmitting, to the user equipment, a configuration update command message including information indicating the one or more default network slices that authorization is being performed on; and in response to completion of the authorization, transmitting a configuration update command message including information on a result of the authorization to the user equipment.

Description

Slice-Specific Authentication and Authorization
BACKGROUND
Field
Certain examples of the present disclosure provide methods, apparatus and systems for performing slice-specific authentication and authorization in a network. For example, certain examples of the present disclosure provide methods, apparatus and systems for performing enhanced network slice-specific authentication and authorization on default slices in 3GPP 5G.
Description of the Related Art
Herein, the following documents are referenced:
[1] 3GPP TS 23.501 V16.3.0
[2] 3GPP TS 23.502 V16.3.0
[3] 3GPP TS 24.501 V16.3.0
[4] 3GPP TS 23.503 V16.3.0
In 3GPP 5GS, the following are defined (e.g. in [1]). A Network Slice (NS) is defined as a logical network that provides specific network capabilities and network characteristics. A Network Slice Instance (NSI) is defined as a set of Network Function instances and the required resources (e.g. compute, storage and networking resources) which form a deployed NS. A Network Function (NF) is defined as a 3GPP adopted or 3GPP defined processing function in a network, which has defined functional behaviour and 3GPP defined interfaces.
A NS may be identified by Single Network Slice Selection Assistance Information (S-NSSAI).
Overview of Network slice-specific authentication and authorization (NSSAA)
NSSAA was introduced as part of Rel-16 in 3GPP. The feature enables the network to perform slice-specific authentication and authorization for a set of S-NSSAI(s) to ensure that the user is allowed to access these slices. The procedure is executed after the 5GMM authentication procedure has been completed and also after the registration procedure completes. The high-level description of the feature can be found in [1] whereas further details can be found in [2] and [3]. The key points about the NSSAA procedure are summarized in this section.
The NSSAA procedure is access independent i.e. if a slice is successfully authorized, then it is considered as authorized for both access types (i.e. 3GPP and non-3GPP access type).
Note: "authorized" means that slice-specific authentication/authorization has succeeded for a particular S-NSSAI, however this does not mean that the S-NSSAI is allowed to be used in the UE's current tracking area (TA) over the 3GPP access.
The user has a subscription in the UDM containing a set of subscribed S-NSSAIs where each S-NSSAI may contain an indication whether S-NSSAI is marked as default Subscribed S-NSSAI; and an indication whether the S-NSSAI is subject to NSSAA. When the UE registers with the network, the UE may include a requested NSSAI (R-NSSAI) in the Registration Request message if available at the UE. Each default subscribed S-NSSAI is used to give access to the network when the user did not include a Requested NSSAI in the Registration Request or when the S-NSSAIs that were included in the Requested NSSAI are not in the subscribed S-NSSAIs. However, although [1] indicates that it is recommended that at least one of the Subscribed S-NSSAIs marked as default S-NSSAI is not subject to NSSAA, in order to ensure access to services even when NSSAA fails, this is purely a recommendation, and the operator may wish for all the default S-NSSAIs to be subject to NSSAA.
The following text describes the network behaviour as specified in [3] for NSSAA with the cases where default subscribed S-NSSAIs are considered in the NSSAA process underlined.
In particular, when there is no R-NSSAI or the R-NSSAI contains S-NSSAIs but none of these S-NSSAIs are in the user's subscribed NSSAIs, and all the default S-NSSAIs require NSSAA, then the network informs the UE that NSSAA is pending on these default S-NSSAIs.
"If the UE indicated the support for network slice-specific authentication and authorization, and:
a) if the Requested NSSAI IE only includes the S-NSSAIs:
   1) which are subject to network slice-specific authentication and authorization; and
   2) for which the network slice-specific authentication and authorization procedure has not been initiated;
   the AMF shall in the REGISTRATION ACCEPT message include:
   1) the "NSSAA to be performed" indicator in the 5GS registration result IE set to indicate whether network slice-specific authentication and authorization procedure will be performed by the network;
   2) pending NSSAI containing one or more S-NSSAIs for which network slice-specific authentication and authorization will be performed; and
   3) the current registration area in the list of "non-allowed tracking areas" in the Service area list IE; or
b) if the Requested NSSAI IE includes one or more S-NSSAIs subject to network slice-specific authentication and authorization, the AMF shall in the REGISTRATION ACCEPT message include:
   1) the allowed NSSAI containing the S-NSSAIs or the mapped S-NSSAIs which are not subject to network slice-specific authentication and authorization or for which the network slice-specific authentication and authorization has been successfully performed; and
   2) pending NSSAI containing one or more S-NSSAIs for which network slice-specific authentication and authorization will be performed, if any.
If the UE indicated the support for network slice-specific authentication and authorization, and if:
a) the UE did not include the requested NSSAI in the REGISTRATION REQUEST message or none of the S-NSSAIs in the requested NSSAI in the REGISTRATION REQUEST message are present in the subscribed S-NSSAIs; and
b) all of the S-NSSAIs in the subscribed S-NSSAIs are subject to network slice-specific authentication and authorization,
the AMF shall in the REGISTRATION ACCEPT message include:
a) the "NSSAA to be performed" indicator in the 5GS registration result IE to indicate whether network slice-specific authentication and authorization procedure will be performed by the network;
b) pending NSSAI containing one or more S-NSSAIs for which network slice-specific authentication and authorization will be performed; and
c) the current registration area in the list of "non-allowed tracking areas" in the Service area list IE."
NSSAA can be re-initiated at any time by the network as specified in section 5.15.10 of [1]:
"This procedure can be invoked for a supporting UE by an AMF at any time, e.g. when:
a. The UE registers with the AMF and one of the S-NSSAIs of the HPLMN which maps to an S-NSSAI in the Requested NSSAI is requiring Network Slice-Specific Authentication and Authorization (see clause 5.15.5.2.1 for details), and can be added to the Allowed NSSAI by the AMF once the Network Slice-Specific Authentication and Authorization for the S-NSSAI succeeds; or
b. The Network Slice-Specific AAA Server triggers a UE re-authentication and re-authorization for an S-NSSAI; or
c. The AMF, based on operator policy or a subscription change, decides to initiate the Network Slice-Specific Authentication and Authorization procedure for a certain S-NSSAI which was previously authorized.
In the case of re-authentication and re-authorization (b. and c. above) the following applies:
- If S-NSSAIs that are requiring Network Slice-Specific Authentication and Authorization are included in the Allowed NSSAI for each Access Type, AMF selects an Access Type to be used to perform the Network Slice Specific Authentication and Authorization procedure based on network policies.
- If the Network Slice-Specific Authentication and Authorization for some S-NSSAIs in the Allowed NSSAI is unsuccessful, the AMF shall update the Allowed NSSAI for each Access Type to the UE via UE Configuration Update procedure
- If the Network Slice-Specific Authentication and Authorization fails for all S-NSSAIs in the Allowed NSSAI, the AMF shall execute the Network-initiated Deregistration procedure described in TS 23.502 [3], clause 4.2.2.3.3, and shall include in the explicit De-Registration Request message the list of Rejected S-NSSAIs, each of them with the appropriate rejection cause value."
If all the default S-NSSAIs are subject to NSSAA and the NSSAA procedures do not complete successfully, then the network will start the deregistration procedure. This is stated in [3] subclause 4.6.2.4 as:
The network slice-specific authentication and authorization procedure can be invoked or revoked by an AMF for a UE supporting network slice-specific authentication and authorization at any time. After the network performs the network slice-specific re-authentication and re-authorization procedure:
a) if network slice-specific authentication and authorization for some but not all S-NSSAIs in the allowed NSSAI fails; the AMF updates the allowed NSSAI and the rejected NSSAI accordingly using the generic UE configuration update procedure as specified in the subclause 5.4.4; or
b) if network slice-specific authentication and authorization fails for all S-NSSAIs in the allowed NSSAI and the pending NSSAI then AMF performs the network-initiated de-registration procedure and includes the rejected NSSAI in the DEREGISTRATION REQUEST message as specified in the subclause 5.5.2.3 except when the UE has a PDU session for emergency services or the UE is establishing a PDU session for emergency services. In this case the AMF shall send CONFIGURATION UPDATE COMMAND containing rejected NSSAI.
After the PDU session for the emergency service is released, the AMF performs the network-initiated de-registration procedure as specified in the subclause 5.5.2.3.
and in [3] in subclause 5.5.2.3.1 as: If the network de-registration is triggered due to network slice-specific authentication and authorization failure or revocation as specified in subclause 4.6.2.4, then the network shall set the 5GMM cause value to #62 "No network slices available" in the DEREGISTRATION REQUEST message. In addition, the AMF may include the rejected NSSAI IE in the DEREGISTRATION REQUEST message.
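The outcome handling quoted above from [3] subclauses 4.6.2.4 and 5.5.2.3.1 can be modelled as one decision function. This is an added example, not code from the patent or from any 3GPP implementation; the names `Outcome` and `after_nssaa`, the constructed string labels standing in for S-NSSAIs, and the treatment of pending entries whose NSSAA is still running as "not yet all failed" are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

CAUSE_NO_SLICES = 62  # 5GMM cause #62 "No network slices available"


@dataclass
class Outcome:
    message: str          # NAS message the AMF sends; "" when nothing changes
    allowed: List[str]    # allowed NSSAI after the procedure
    pending: List[str]    # S-NSSAIs whose NSSAA has not completed yet
    rejected: List[str]   # rejected NSSAI
    cause: Optional[int] = None
    deregister_after_emergency_release: bool = False


def after_nssaa(allowed: List[str], pending: List[str],
                results: Dict[str, bool], emergency_pdu: bool = False) -> Outcome:
    """Decide the AMF reaction once NSSAA results are known.

    results maps an S-NSSAI to True (success) or False (failure);
    S-NSSAIs missing from results have no result yet (assumption).
    """
    # Allowed entries survive unless NSSAA explicitly failed for them;
    # pending entries become allowed only on explicit success.
    new_allowed = [s for s in allowed if results.get(s, True)]
    new_allowed += [s for s in pending if results.get(s) is True]
    still_pending = [s for s in pending if s not in results]
    rejected = [s for s in list(allowed) + list(pending)
                if results.get(s) is False]

    if new_allowed == list(allowed) and not rejected:
        return Outcome("", new_allowed, still_pending, [])

    # Rule a): some but not all failed -> generic UE configuration update.
    if new_allowed or still_pending:
        return Outcome("CONFIGURATION UPDATE COMMAND",
                       new_allowed, still_pending, rejected)

    # Rule b) exception: emergency PDU session exists or is being set up.
    if emergency_pdu:
        return Outcome("CONFIGURATION UPDATE COMMAND", [], [], rejected,
                       deregister_after_emergency_release=True)

    # Rule b): everything in allowed and pending failed -> de-registration.
    return Outcome("DEREGISTRATION REQUEST", [], [], rejected,
                   cause=CAUSE_NO_SLICES)


if __name__ == "__main__":
    # Constructed sample: two default S-NSSAIs pending, both fail NSSAA.
    print(after_nssaa([], ["def-1", "def-2"],
                      {"def-1": False, "def-2": False}))
```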
Figure 1a shows the scenario where at least one NSSAA procedure succeeds on a default S-NSSAI.
PDU Session Establishment
Due to the separation of mobility management functionality and session management functionality into separate components in the 5G architecture (AMF for mobility management and SMF for session management), when the UE establishes a PDU session, the UE encapsulates the 5GSM message (PDU SESSION ESTABLISHMENT REQUEST) into a 5GMM message (the 5GMM UL NAS TRANSPORT message). When the user wants to run an application, the UE Route Selection Policies (URSP) rules on the UE (as specified in [4]) will resolve the application to an appropriate DNN and slice that suits the application. The DNN and S-NSSAI information is then included in the UL NAS TRANSPORT message that allows the AMF to make the appropriate decision on which SMF to choose. The interface between the AMF and SMF is a service-based interface and the parameters are included in an appropriate service-based method which is used to invoke the SMF over the N11 interface. In some cases, the URSP rules may not be able to resolve the application to an appropriate DNN and/or S-NSSAI and therefore the UE will not select a DNN and/or an S-NSSAI for PDU session establishment. In these cases, the AMF uses rules to determine how best to select an SMF. Specifically in terms of the S-NSSAI, the AMF will attempt to use the default subscribed S-NSSAIs to form a decision as specified in [3]:
If the S-NSSAI IE is not included and the user's subscription context obtained from UDM:
- contains one default S-NSSAI, the AMF shall use the default S-NSSAI as the S-NSSAI;
- contains two or more default S-NSSAIs, the AMF shall use one of the default S-NSSAIs selected by operator policy as the S-NSSAI; and
- does not contain a default S-NSSAI, the AMF shall use an S-NSSAI selected based on operator policy as the S-NSSAI.
The above information is presented as background information only to assist with an understanding of the present disclosure. No determination has been made, and no assertion is made, as to whether any of the above might be applicable as prior art with regard to the present invention.
SUMMARY
It is an aim of certain examples of the present disclosure to address, solve and/or mitigate, at least partly, at least one of the problems and/or disadvantages associated with the related art, for example at least one of the problems and/or disadvantages described herein. It is an aim of certain examples of the present disclosure to provide at least one advantage over the related art, for example at least one of the advantages described herein.
The present invention is defined in the independent claims. Advantageous features are defined in the dependent claims.
Other aspects, advantages, and salient features will become apparent to those skilled in the art from the following detailed description, taken in conjunction with the annexed drawings, which disclose examples of the present disclosure.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1a illustrates an overview of NSSAA on default slices;
Figure 1b illustrates an overview of PDU Session Establishment;
Figure 2 illustrates an updated 5GS registration result IE with a proposed new indication;
Figure 3 illustrates an enhanced procedure for NSSAA on default S-NSSAIs;
Figure 4 illustrates performance of NSSAA on default S-NSSAIs at the time of PDU Session Establishment; and
Figure 5 is a block diagram of an exemplary network entity that may be used in certain examples of the present disclosure.
DETAILED DESCRIPTION
The following description of examples of the present disclosure, with reference to the accompanying drawings, is provided to assist in a comprehensive understanding of the present invention, as defined by the claims. The description includes various specific details to assist in that understanding but these are to be regarded as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the examples described herein can be made without departing from the scope of the invention.
The same or similar components may be designated by the same or similar reference numerals, although they may be illustrated in different drawings.
Detailed descriptions of techniques, structures, constructions, functions or processes known in the art may be omitted for clarity and conciseness, and to avoid obscuring the subject matter of the present invention.
The terms and words used herein are not limited to the bibliographical or standard meanings, but are merely used to enable a clear and consistent understanding of the invention.
Throughout the description and claims of this specification, the words "comprise", "include" and "contain" and variations of the words, for example "comprising" and "comprises", mean "including but not limited to", and are not intended to (and do not) exclude other features, elements, components, integers, steps, processes, operations, functions, characteristics, properties and/or groups thereof.
Throughout the description and claims of this specification, the singular form, for example "a", "an" and "the", encompasses the plural unless the context otherwise requires. For example, reference to "an object" includes reference to one or more of such objects.
Throughout the description and claims of this specification, language in the general form of "X for Y" (where Y is some action, process, operation, function, activity or step and X is some means for carrying out that action, process, operation, function, activity or step) encompasses means X adapted, configured or arranged specifically, but not necessarily exclusively, to do Y. Features, elements, components, integers, steps, processes, operations, functions, characteristics, properties and/or groups thereof described or disclosed in conjunction with a particular aspect, embodiment, example or claim of the present invention are to be understood to be applicable to any other aspect, embodiment, example or claim described herein unless incompatible therewith.
Certain examples of the present disclosure provide methods, apparatus and systems for performing slice-specific authentication and authorization in a network. For example, certain examples of the present disclosure provide methods, apparatus and systems for performing enhanced network slice-specific authentication and authorization on default slices in 3GPP 5G. However, the skilled person will appreciate that the present invention is not limited to these examples, and may be applied in any suitable system or standard, for example one or more existing and/or future generation wireless communication systems or standards.
The following examples are applicable to, and use terminology associated with, 3GPP 5G. However, the skilled person will appreciate that the techniques disclosed herein are not limited to 3GPP 5G. For example, the functionality of the various network entities and other features disclosed herein may be applied to corresponding or equivalent entities or features in other communication systems or standards. Corresponding or equivalent entities or features may be regarded as entities or features that perform the same or similar role, function or purpose within the network. For example, the functionality of the AMF in the examples below may be applied to any other suitable type of entity performing mobility management functions, and the functionality of the SMF in the examples below may be applied to any other suitable type of entity performing session management functions. The skilled person will also appreciate that the transmission of information between network entities is not limited to the specific form or type of messages described in relation to the examples disclosed herein.
In the following, a Network Slice (NS) may be defined as a logical network that provides specific network capabilities and network characteristics. A NS may be identified by Single Network Slice Selection Assistance Information (S-NSSAI).
In the following examples, a network may include a User Equipment (UE), an Access and Mobility Management Function (AMF) entity, and a Session Management Function (SMF) entity.
A particular network function can be implemented either as a network element on a dedicated hardware, as a software instance running on a dedicated hardware, or as a virtualised function instantiated on an appropriate platform, e.g. on a cloud infrastructure. A NF service may be defined as a functionality exposed by a NF through a service based interface and consumed by other authorized NFs.
The 5GC AMF receives all connection and session related information from the UE (N1/N2) but is responsible only for handling connection and mobility management tasks. All messages related to session management are forwarded over the N11 reference interface to the SMF.
The AMF performs the role of access point to the 5GC. The functional description of AMF is given in [1] clause 6.2.1.
The skilled person will appreciate that the present invention is not limited to the specific examples disclosed herein. For example:
* The techniques disclosed herein are not limited to 3GPP 5G.
* One or more entities in the examples disclosed herein may be replaced with one or more alternative entities performing equivalent or corresponding functions, processes or operations.
* One or more of the messages in the examples disclosed herein may be replaced with one or more alternative messages, signals or other type of information carriers that communicate equivalent or corresponding information.
* One or more further elements or entities may be added to the examples disclosed herein.
* One or more non-essential elements or entities may be omitted in certain examples.
* The functions, processes or operations of a particular entity in one example may be divided between two or more separate entities in an alternative example.
* The functions, processes or operations of two or more separate entities in one example may be performed by a single entity in an alternative example.
* Information carried by a particular message in one example may be carried by two or more separate messages in an alternative example.
* Information carried by two or more separate messages in one example may be carried by a single message in an alternative example.
* The order in which operations are performed and/or the order in which messages are transmitted may be modified, if possible, in alternative examples.
Certain examples of the present disclosure may be provided in the form of an apparatus/device/network entity configured to perform one or more defined network functions and/or a method therefor. Certain examples of the present disclosure may be provided in the form of a system comprising one or more such apparatuses/devices/network entities, and/or a method therefor.
At least the following problems exist in view of the related art:
As stated in the background section, when the UE establishes a session and does not include S-NSSAI information and the UE has default subscribed S-NSSAIs, the AMF will pick an appropriate default S-NSSAI to determine the SMF to send the session request towards. If all the default S-NSSAIs in the subscribed S-NSSAIs require NSSAA, then the network needs to perform NSSAA on one or more of the default S-NSSAIs with the expectation that the procedure succeeds, otherwise the AMF is unable to pick a default S-NSSAI at time of session establishment.
However, in the case when all default S-NSSAIs require NSSAA, it is not clear whether NSSAA is always run on the default subscribed NSSAIs in certain scenarios as indicated in the table below:
Scenario | Details | NSSAA run on all the default subscribed S-NSSAIs marked for NSSAA?
1 | UE does not include a Requested NSSAI in the Registration Request | Yes
2 | UE registers with Requested NSSAI and all S-NSSAIs are not in the subscribed S-NSSAIs | Yes
3 | UE included Requested NSSAI and all S-NSSAIs require NSSAA | Not specified
4 | UE included Requested NSSAI and some S-NSSAIs require NSSAA | Not specified
5 | UE includes Requested NSSAI and no S-NSSAIs require NSSAA | Not specified
Table 1 - Scenarios for running NSSAA on default subscribed S-NSSAIs
In scenario 1 and 2, the pending NSSAI that is sent to the UE will contain the default subscribed NSSAIs. If NSSAA fails for all of the default S-NSSAIs, then the network will start the Network Deregistration Procedure by sending cause #62 "No network slices available" and will include a Rejected NSSAI with a separate cause code for each Rejected S-NSSAI.
This is stated in [3] subclause 4.6.2.4 as:
The network slice-specific authentication and authorization procedure can be invoked or revoked by an AMF for a UE supporting network slice-specific authentication and authorization at any time. After the network performs the network slice-specific re-authentication and re-authorization procedure:
a) if network slice-specific authentication and authorization for some but not all S-NSSAIs in the allowed NSSAI fails; the AMF updates the allowed NSSAI and the rejected NSSAI accordingly using the generic UE configuration update procedure as specified in the subclause 5.4.4; or
b) if network slice-specific authentication and authorization fails for all S-NSSAIs in the allowed NSSAI and the pending NSSAI then AMF performs the network-initiated de-registration procedure and includes the rejected NSSAI in the DEREGISTRATION REQUEST message as specified in the subclause 5.5.2.3 except when the UE has a PDU session for emergency services or the UE is establishing a PDU session for emergency services. In this case the AMF shall send CONFIGURATION UPDATE COMMAND containing rejected NSSAI. After the PDU session for the emergency service is released, the AMF performs the network-initiated de-registration procedure as specified in the subclause 5.5.2.3.
and subclause 5.5.2.3.1 as: If the network de-registration is triggered due to network slice-specific authentication and authorization failure or revocation as specified in subclause 4.6.2.4, then the network shall set the 5GMM cause value to #62 "No network slices available" in the DEREGISTRATION REQUEST message. In addition, the AMF may include the rejected NSSAI IE in the DEREGISTRATION REQUEST message.
Observation 1: 5GMM will not allow a UE to be registered without having been authenticated with at least one S-NSSAI (whether that be default or non-default)
In scenario 3, it is not clear whether the AMF is supposed to include the default subscribed S-NSSAIs in the pending NSSAI when determining which S-NSSAIs to run NSSAA on. Currently [1] indicates that the determination of whether to include a default S-NSSAI in the Allowed NSSAI comes after the completed NSSAA procedure, and nothing is said about running NSSAA on the default S-NSSAIs:
Once completed the Network Slice-Specific Authentication and Authorization procedure, if the AMF determines that no S-NSSAI can be provided in the Allowed NSSAI for the UE, which is already authenticated and authorized successfully by a PLMN, and if no default S-NSSAI(s) could be added as described in step (A), the AMF shall execute the Network-initiated Deregistration procedure described in TS 23.502 [3], clause 4.2.2.3.3, and shall include in the explicit De-Registration Request message the list of Rejected S-NSSAIs, each of them with the appropriate rejection cause value.
(A) Depending on fulfilling the configuration as described above, the AMF may be allowed to determine whether it can serve the UE, and the following is performed:
- For the mobility from EPS to 5GS, the AMF first derives the serving PLMN value(s) of S-NSSAI(s) based on the HPLMN S-NSSAI(s) in the mapping of Requested NSSAI (in CM-IDLE state) or the HPLMN S-NSSAI(s) received from PGW-C+SMF (in CM-CONNECTED state). After that the AMF regards the derived value(s) as the Requested NSSAI.
- AMF checks whether it can serve all the S-NSSAI(s) from the Requested NSSAI present in the Subscribed S-NSSAIs (potentially using configuration for mapping S-NSSAI values between HPLMN and Serving PLMN), or all the S-NSSAI(s) marked as default in the Subscribed S-NSSAIs in the case that no Requested NSSAI was provided or none of the S-NSSAIs in the Requested NSSAI are permitted, i.e. do not match any of the Subscribed S-NSSAIs or not available at the current UE's Tracking Area (see clause 5.15.3).
- If the AMF can serve the S-NSSAIs in the Requested NSSAI, the AMF remains the serving AMF for the UE. The Allowed NSSAI is then composed of the list of S-NSSAI(s) in the Requested NSSAI permitted based on the Subscribed S-NSSAIs and/or the list of S-NSSAI(s) for the Serving PLMN which are mapped to the HPLMN S-NSSAI(s) provided in the mapping of Requested NSSAI permitted based on the Subscribed S-NSSAIs, or, if neither Requested NSSAI nor the mapping of Requested NSSAI was provided or none of the S-NSSAIs in the Requested NSSAI are permitted, all the S-NSSAI(s) marked as default in the Subscribed S-NSSAIs and taking also into account the availability of the Network Slice instances as described in clause 5.15.8 that are able to serve the S-NSSAI(s) in the Allowed NSSAI in the current UE's Tracking Areas. It also determines the mapping if the S-NSSAI(s) included in the Allowed NSSAI needs to be mapped to Subscribed S-NSSAI(s) values. If no Requested NSSAI is provided, or the mapping of the S-NSSAIs in Requested NSSAI to HPLMN S-NSSAIs is incorrect, or the Requested NSSAI includes an S-NSSAI that is not valid in the Serving PLMN, or the UE indicated that the Requested NSSAI is based on the Default Configured NSSAI, the AMF, based on the Subscribed S-NSSAI(s) and operator's configuration, may also determine the Configured NSSAI for the Serving PLMN and, if applicable, the associated mapping of the Configured NSSAI to HPLMN S-NSSAIs, so these can be configured in the UE. Then Step (C) is executed.
- Else, the AMF queries the NSSF (see (B) below).
Observation 2: When performing NSSAA on the default S-NSSAIs, in Scenarios 1 and 2, the Pending NSSAI is sent in the Registration Accept message. However in Scenario 3 when all NSSAA fails on the S-NSSAIs in the requested NSSAI, it is not clear whether NSSAA can now be run on the default S-NSSAIs and how the UE can be made aware that such NSSAA is pending.
In scenario 4 and scenario 5, as the Allowed NSSAI can be populated, then currently it is not necessary for the network to run NSSAA on the default S-NSSAIs.
In all scenarios, however, the important factor is that NSSAA must always be run on the default S-NSSAIs when all the default S-NSSAIs are marked as requiring NSSAA because there should be at least one default S-NSSAI that is available for use when the UE establishes a PDU session with no S-NSSAI.
Observation 3: If the subscription is marked with one or more default S-NSSAIs, at least one of these S-NSSAIs should be available to allow for support of PDU session establishment when the UE did not include an S-NSSAI.
In summary: NSSAA ensures that the UE remains registered with a PLMN only when at least one slice is allowed for use (i.e. either does not require NSSAA or NSSAA has been successfully completed for the slice) including a default slice. Default slices are required for default SMF selection when no S-NSSAI is provided by the UE during PDU session establishment. In some scenarios, e.g. when the UE sends a Requested NSSAI, it is not specified how NSSAA will impact default slices as the UE may end up requesting the establishment of a PDU session but without selecting a corresponding S-NSSAI. The network and UE behaviour in this case is unspecified.
In view of the above problems, certain examples of the present disclosure provide one or more of the following solutions.
Solution 1a: Mandate inclusion of the default S-NSSAIs in Pending NSSAI at time of Registration
This solution mandates that in all cases where all the subscribed S-NSSAIs that are marked as default require NSSAA, these S-NSSAIs must always be included in the Pending NSSAI during the registration procedure. For this purpose, the Pending NSSAI IE should be modified such that more than 8 S-NSSAIs can be sent in the IE. The Pending NSSAI should be allowed to carry 16 S-NSSAIs. This is because the UE may send (a maximum of) 8 S-NSSAIs in the Requested NSSAI IE. If additionally the AMF has at least one default S-NSSAI for which NSSAA is pending, and all the entries in the Requested NSSAI IE are also subject to NSSAA, then including the requested S-NSSAIs and the default S-NSSAI(s) in the Pending NSSAI IE will require that the IE carries more than 8 entries. Increasing the size of the Pending NSSAI IE to 16 elements would also mean that the Allowed NSSAI would need to increase to 16 elements to cater for the scenario where there were 8 S-NSSAIs in the Requested NSSAI needing NSSAA and there were (for example) 3 default S-NSSAIs that all required NSSAA. In this case the Pending NSSAI would carry 11 elements, and if NSSAA was successful on all the S-NSSAIs in the requested NSSAI and the default S-NSSAIs, then the AMF would indicate this success using the Configuration Update Command message with an Allowed NSSAI set to 11 elements.
Additionally, if NSSAA fails on all the default S-NSSAIs, the AMF should indicate to the UE that NSSAA has failed for all default slices. The AMF can provide this indication to the UE in the Configuration Update Command message. This indication can be sent in a new IE, e.g. with the use of a 1 bit indicator. This bit can be called, as an example, the NDSS bit ("NSSAA for default slices" indication), where the value 1 (one) may mean "NSSAA for default slices successful" and the value 0 (zero) may mean "NSSAA for default slices unsuccessful". Alternatively, an existing IE in the Configuration Update Command message can be used for this purpose where 1 bit can be defined as explained above. For example, the 5GS registration result IE can be updated to include the new bit indicator as shown in Figure 2.
The AMF can also send this indication in another NAS message e.g. in the Registration Accept message. This can happen when the network decides, based on local policies or a subscription change, to revoke authorization for all default slices; during the registration procedure the AMF may then indicate to the UE that the use of default slices is not authorized. The AMF can indicate this to the UE as proposed above. Note that the indication can also be that the default slices are not allowed and therefore the AMF will set the bit to the corresponding/appropriate value.
At any time when the status changes in the network i.e. regarding the use of default slices for a UE, the network may send a Configuration Update Command message and inform the UE whether the use of default slices is permitted or not. For example, if the policies in the AMF change, or due to a change in subscription information, the AMF may at any time initiate NSSAA for the default S-NSSAI(s). To do so, the AMF should send a new pending NSSAI list to the UE including the S-NSSAIs that are subject to NSSAA. After the completion of the procedure, and if NSSAA is successful for at least one S-NSSAI, or if one default slice becomes allowed for the UE without need to perform NSSAA, the AMF should send a Configuration Update Command message to the UE and indicate that a default slice is now allowed.
When a UE receives an indication that NSSAA for default slices has not succeeded (or any other similar indication e.g. use of default slices is not permitted due to NSSAA), the UE shall not initiate any 5GSM procedure (e.g. PDU session establishment procedure) that is associated with no S-NSSAI. The 5GMM entity in the UE may inform the 5GSM entity that no 5GSM procedure is allowed if the procedure is associated with no S-NSSAI. Similarly, the 5GSM entity in the UE may provide a similar indication to the upper layers in the UE.
When a UE receives an indication that the use of default slices is permitted, the UE may allow the initiation of 5GSM procedures (e.g. PDU session establishment procedure) that are associated with no S-NSSAI (or that are not associated with any S-NSSAI). The 5GMM entity may inform the 5GSM entity about this, and the latter may also inform the upper layers about this.
Figure 3 shows the overall proposal. Note that some messages (e.g. Registration Complete from the UE) may have been omitted for brevity.
Solution 1b: Perform NSSAA on the defaults at time of registration without impacting the pending NSSAI.
In a variation of solution 1 without impacting the sizes of the Pending NSSAI and Allowed NSSAI, where all the default S-NSSAIs require NSSAA, the network behaviour depends upon whether an Allowed NSSAI could be determined on the contents of the requested NSSAI or an Allowed NSSAI could not be determined on the contents of the requested NSSAI. The default behaviour is that the UE is allowed to send PDU sessions with no S-NSSAI.
Scenario 1: When an Allowed NSSAI could not be determined on the contents of the requested NSSAI
This covers the cases 3, 4 and 5 in Table 1 when Allowed NSSAI could not be determined because:
a) the S-NSSAIs in the requested NSSAI which did not require NSSAA were not available; and
b) the S-NSSAIs in the requested NSSAI that required NSSAA were not successful in passing NSSAA.
In this scenario, the AMF needs to run NSSAA on all the default S-NSSAIs, to determine if an Allowed NSSAI can be sent in the Configuration Update Command message or whether the AMF needs to deregister the UE.
Once the AMF has run NSSAA:
a) If NSSAA fails on all of the default S-NSSAIs, then the AMF deregisters the UE.
b) If NSSAA passes on at least one default S-NSSAI, then the AMF will set the Allowed NSSAI to contain the default S-NSSAI(s) in the Configuration Update Command message. A Rejected NSSAI may be included to convey the failure of NSSAA for the S-NSSAIs in the requested NSSAI that required NSSAA. There is no need to send the indication in the Configuration Update Command message (specified in solution 1) to indicate to the UE that sending PDU session establishment with no slice is not permitted, because the Allowed NSSAI contains an S-NSSAI which is a default S-NSSAI. Alternatively, the AMF can send the Configuration Update Command message (specified in solution 1) to indicate to the user that sending PDU session establishment with no slice is indeed permitted.
Scenario 2: When an Allowed NSSAI could be determined on the contents of the requested NSSAI
This covers cases 3, 4 and 5 in Table 1 when Allowed NSSAI could be determined by either:
a) sending Registration Accept with an Allowed NSSAI but no Pending NSSAI;
b) sending Registration Accept with an Allowed NSSAI and Pending NSSAI, followed by Configuration Update Command to convey the results of NSSAA on the S-NSSAIs in the Pending NSSAI (i.e. containing Allowed NSSAI and/or Rejected NSSAI); or
c) sending Registration Accept with no Allowed NSSAI but with Pending NSSAI, followed by Configuration Update Command to convey the results of NSSAA on the S-NSSAIs in the Pending NSSAI. In this case the Configuration Update Command must contain an Allowed NSSAI.
In these cases, as an Allowed NSSAI was determined on the contents of the requested NSSAI (either with or without NSSAA being required), then the AMF will not include any default S-NSSAIs in the Allowed NSSAI. The AMF runs NSSAA on all the default S-NSSAIs (this can be done at the time of registration) and if all the procedures fail, the AMF must include the indication (defined in solution 1) in the Configuration Update Command to indicate to the UE that sending PDU session establishment with no slice is not permitted. If policy of the AMF changes or NSSAA is re-run on default S-NSSAI(s) and they pass, then the AMF will need to include the indication (defined in solution 1) in the Configuration Update Command to indicate to the UE that sending PDU session establishment with no S-NSSAI is now permitted.
In summary, solution 2 always assumes that PDU session establishment with no S-NSSAI is allowed because the AMF created an allowed NSSAI from a default S-NSSAI or NSSAA passed on the default S-NSSAIs when the default S-NSSAIs are not included in the allowed NSSAI. Solution 2 uses the indication defined in Solution 1 only when the AMF determines that NSSAA on all the default S-NSSAIs fails.
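The Solution 1a Pending NSSAI composition and the Solution 1b outcome rules above can be modelled as follows. This is an added example, not code from the patent; the class and function names (Subscribed, build_pending_nssai, resolve_1b, UeGate) and the action strings are hypothetical, and only the NDSS bit values follow the page's own example encoding.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_REQUESTED = 8   # page: the UE may send at most 8 S-NSSAIs in the Requested NSSAI IE
MAX_PENDING = 16    # page: Solution 1a proposes that the Pending NSSAI carry 16 S-NSSAIs
NDSS_SUCCESS = 1    # page's example encoding: "NSSAA for default slices successful"
NDSS_FAILED = 0     # page's example encoding: "NSSAA for default slices unsuccessful"


@dataclass(frozen=True)
class Subscribed:
    """One subscribed S-NSSAI (hypothetical model, not a 3GPP structure)."""
    snssai: str
    default: bool
    needs_nssaa: bool


def build_pending_nssai(requested: List[str], subs: List[Subscribed]) -> List[str]:
    """Solution 1a: requested slices subject to NSSAA, plus the default slices
    whenever every default slice in the subscription requires NSSAA."""
    if len(requested) > MAX_REQUESTED:
        raise ValueError("Requested NSSAI carries at most 8 S-NSSAIs")
    by_id = {s.snssai: s for s in subs}
    pending = [r for r in requested if r in by_id and by_id[r].needs_nssaa]
    defaults = [s for s in subs if s.default]
    if defaults and all(s.needs_nssaa for s in defaults):
        pending += [s.snssai for s in defaults if s.snssai not in pending]
    if len(pending) > MAX_PENDING:
        raise ValueError("Pending NSSAI exceeds 16 S-NSSAIs")
    return pending


@dataclass
class Outcome:
    action: str                                   # "CONFIGURATION_UPDATE" or "DEREGISTER"
    allowed: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)
    ndss: Optional[int] = None                    # None means the indication is not sent


def resolve_1b(allowed_from_requested: List[str],
               failed_requested: List[str],
               default_results: Dict[str, bool]) -> Outcome:
    """Solution 1b: decide what the AMF sends once NSSAA on the defaults is done."""
    passed_defaults = [s for s, ok in default_results.items() if ok]
    if not allowed_from_requested:
        # Scenario 1: nothing usable came out of the Requested NSSAI.
        if not passed_defaults:
            return Outcome("DEREGISTER", rejected=list(failed_requested))
        # Allowed NSSAI is built from the defaults; no NDSS indication is needed.
        return Outcome("CONFIGURATION_UPDATE", allowed=passed_defaults,
                       rejected=list(failed_requested))
    # Scenario 2: defaults stay out of the Allowed NSSAI; signal only total failure.
    ndss = None if passed_defaults else NDSS_FAILED
    return Outcome("CONFIGURATION_UPDATE", allowed=list(allowed_from_requested),
                   rejected=list(failed_requested), ndss=ndss)


class UeGate:
    """UE-side gate for 5GSM procedures sent with no S-NSSAI.
    Default behaviour (per the page): such procedures are allowed."""

    def __init__(self) -> None:
        self.default_slices_ok = True

    def on_indication(self, ndss: Optional[int]) -> None:
        if ndss is not None:                      # absent indication changes nothing
            self.default_slices_ok = (ndss == NDSS_SUCCESS)

    def may_send_without_snssai(self) -> bool:
        return self.default_slices_ok
```

With the page's worked case (8 requested S-NSSAIs needing NSSAA and 3 default S-NSSAIs all requiring NSSAA), build_pending_nssai returns 11 entries, which is why the 8-entry limit has to be raised.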
Solution 2: Invoke NSSAA at the time of PDU Session Establishment
This solution requires the network to reject the PDU session establishment request with either an existing cause code e.g. 5GMM cause #90, indicating that the payload was not forwarded or by returning a new cause code indicating that no default S-NSSAI was available due to (pending) NSSAA. Note that this solution may be used if no default slice is allowed for the UE or if NSSAA for default slices is pending for the UE.
If the network (e.g. AMF) determines that NSSAA is pending for default slices for the UE, the network uses the Configuration Update Command to inform the UE that NSSAA is pending on the default S-NSSAIs as proposed in the section above (or that requests with no S-NSSAI for default slices cannot be sent). The network then performs NSSAA and updates the UE using the Configuration Update Command with the results of the NSSAA by updating the allowed NSSAI and/or rejected NSSAI and/or by informing the UE about whether the use of default slices is allowed or not (based on the result of NSSAA). If all the default S-NSSAIs failed NSSAA, then the network could include an indication that no default S-NSSAIs were available.
Upon reception of a DL NAS Message that includes a 5GSM message that was not forwarded, and a new 5GMM cause indicating that the use of default slices is not allowed due to NSSAA (or that NSSAA is pending for default slices), the UE should forward the 5GSM message and the 5GMM cause to the 5GSM entity. The UE should not attempt to send any other 5GSM message, or should not initiate a 5GSM procedure, that is associated with no S-NSSAI. The UE can later send a 5GSM message, or initiate a 5GSM procedure, that is associated with no S-NSSAI if an explicit indication is received from the network that the use of default slices is allowed (e.g. based on the proposal in the previous section). If so, the 5GMM entity should inform the 5GSM entity that the use of default slices is now allowed. The UE can then resume 5GSM procedures that are not associated with any slice (or that are associated with no S-NSSAI).
Figure 4 shows a sample signal flow with the proposed solution noting that some messages may not be shown for brevity. Also, some of the steps shown may occur in different orders and therefore the figure should not be interpreted as one that represents a solution which strictly follows the order of events/messages shown.
As an alternative to performing NSSAA, the conditions at the network side for determining an S-NSSAI could be updated such that the network is able to apply a policy to select when there are default S-NSSAIs, but none of them are available.
If the network were to re-use an existing cause code to send the 5GSM message that was not forwarded (by the AMF to the SMF), as proposed above, back to the UE in the DL NAS Transport message, the UE may re-try the request again. This may cause unnecessary and undesired signalling in the network especially if the network decides to not run NSSAA for default slices and when no default slice is available/allowed for the UE. To avoid this potential unnecessary signalling, the network may send back the Back-off timer IE (see [3]) to back the UE off from re-trying. The network may also include the Re-attempt indicator IE (see [3]) to indicate whether the UE is allowed to re-try in the equivalent PLMN(s) or not. Note that the network may also send the Back-off timer IE and/or the Re-attempt indicator IE even if a new 5GMM cause is used as proposed above. When the UE receives a Back-off timer value IE in a DL NAS Transport message, the UE should start a timer with the received value and refrain from sending any 5GSM request that is associated with the S-NSSAI, or no S-NSSAI (if none was sent), that was included (or not included in case of no S-NSSAI) in the UL NAS Transport message. The UE may re-try the request upon expiry of the timer or when the UE gets an explicit indication that a slice is now allowed for use i.e. when the UE gets an explicit indication that:
* The use of a default slice is now allowed, if the Back-off timer value IE was received for a 5GSM request for which no S-NSSAI was included, or
* The use of a particular S-NSSAI is now allowed e.g. if the S-NSSAI is included in the allowed NSSAI, if the Back-off timer IE was received for a 5GSM request for which the S-NSSAI was sent by the UE.
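The UE-side back-off handling described above can be modelled as a gate keyed by the S-NSSAI of the rejected request, with None standing for "no S-NSSAI". This is an added example, not code from the patent; the class and method names are hypothetical, time is passed in explicitly so the model runs offline, and the Re-attempt indicator IE is not modelled.

```python
from typing import Dict, Iterable, Optional

NO_SNSSAI = None  # key used for 5GSM requests that were sent with no S-NSSAI


class BackoffGate:
    """Tracks, per S-NSSAI (or NO_SNSSAI), when a 5GSM request may be retried."""

    def __init__(self) -> None:
        self._expiry: Dict[Optional[str], float] = {}

    def on_dl_nas_transport(self, snssai: Optional[str],
                            backoff_seconds: float, now: float) -> None:
        """A not-forwarded 5GSM message came back with a Back-off timer value.
        snssai is the value sent in the UL NAS Transport message, or None."""
        self._expiry[snssai] = now + backoff_seconds

    def on_default_slice_allowed(self) -> None:
        """Explicit indication that a default slice is now allowed: lifts only
        the back-off that was started for a request with no S-NSSAI."""
        self._expiry.pop(NO_SNSSAI, None)

    def on_allowed_nssai(self, allowed: Iterable[str]) -> None:
        """New Allowed NSSAI: lifts the back-off for each S-NSSAI it contains,
        but not the back-off for requests that carried no S-NSSAI."""
        for snssai in allowed:
            if snssai is not NO_SNSSAI:
                self._expiry.pop(snssai, None)

    def may_send(self, snssai: Optional[str], now: float) -> bool:
        """True if a 5GSM request for this S-NSSAI (or none) may be sent now."""
        expiry = self._expiry.get(snssai)
        if expiry is None:
            return True
        if now >= expiry:          # timer expired: retry is permitted again
            del self._expiry[snssai]
            return True
        return False
```

Keeping the two lift conditions separate means an Allowed NSSAI update for one slice cannot release a back-off that was started for a request without an S-NSSAI, which is the retry traffic the Back-off timer is meant to suppress.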
Summary
Solution 1a/1b provides:
* New behaviour at the AMF to always mandate NSSAA at the network on receipt of the Registration Request when all default S-NSSAIs are set to requiring NSSAA.
* Inclusion of a parameter in the Configuration Update Command indicating when no default S-NSSAIs are available to use / default S-NSSAIs are available to use.
Solution 2 provides:
* New behaviour at the AMF to reject the PDU Session Establishment Request when no default S-NSSAI is available when the PDU Session Establishment Request contained no S-NSSAI.
* Inform the UE with the Configuration Update Command that NSSAA is pending on the default S-NSSAIs.
* Perform NSSAA due to the PDU Session Establishment Request rejection.
* Inclusion of a parameter in the Configuration Update Command when no default S-NSSAIs are available to use.
* Inclusion of a parameter in the Configuration Update Command when default S-NSSAIs are available to use.
Certain examples of the present disclosure provide a method for network slice authorization by a network management entity in a wireless communications system, the method comprising: receiving, from a user equipment, a registration request message including an indication of one or more requested network slices associated with a subscription of the user equipment; transmitting, to the user equipment, a registration accept message including at least one of an indication of an allowable network slice from among the requested network slices and an indication of a network slice upon which authorization is to be performed; and performing authorization on network slices of the requested network slices upon which authorization is to be performed and one or more default network slices associated with the subscription of the user equipment, wherein all of the default network slices associated with the subscription of the user equipment require authorization.
In certain examples, the indication of the network slice upon which authorization is to be performed may be included in a pending authorization information element of the registration accept message.
In certain examples, the pending authorization information element may indicate up to 16 network slices.
In certain examples, the indication of a network slice upon which authorization is to be performed may include an indication of the requested network slices upon which authorization is to be performed and the one or more default network slices associated with the subscription of the user equipment.
In certain examples, the method may further comprise transmitting, in response to completion of the authorization, a configuration update command message including information on a result of the authorization to the user equipment.
In certain examples, the information on a result of the authorization may include an indication of whether authorization has been successfully completed on at least one of the default network slices associated with the subscription of the user equipment.
In certain examples, the information on a result of the authorization may include an indication of up to 16 network slices for which authorization has been successfully completed.
In certain examples, the information on a result of the authorization may include an indication of network slices for which authorization failed.
In certain examples, the method may comprise, in response to completion of the authorization, if the requested network slices are not available or have not been successfully authorized, and at least one default network slice associated with the subscription of the user equipment has been successfully authorized, transmitting a configuration update command message including information indicating the at least one default network slice associated with the subscription of the user equipment that has been successfully authorized.
In certain examples, the method may comprise, if a requested network slice can be used by the user equipment, and none of the default network slices associated with the subscription of the user equipment have been successfully authorized (or if the authorization has been revoked due to subscription changes or network local policies), transmitting a configuration update command message (or Registration Accept message) including information indicating that no default network slices associated with the subscription of the user equipment have been successfully authorized.
In certain examples, the method may further comprise transmitting, in response to at least one default slice becoming usable by the user equipment, a configuration update command message including information indicating that at least one default network slice associated with the subscription of the user equipment can be used by the user equipment.
In certain examples, an indication of the one or more default network slices associated with the subscription of the user equipment may not be included in the registration request message.
Certain examples of the present disclosure provide a method for network registration by a user equipment in a wireless communications system, the method comprising: transmitting, to a network management entity, a registration request message including an indication of one or more requested network slices associated with a subscription of the user equipment; receiving, from the network management entity, a registration accept message including at least one of an indication of an allowable network slice from among the requested network slices and an indication of a network slice upon which authorization is to be performed; receiving, from the network management entity, a configuration update command message (or Registration Accept message) including information on a result of network slice authorization, wherein the information on a result of the authorization includes an indication of whether authorization has been successfully completed on at least one of the default network slices associated with the subscription of the user equipment; and if the information on a result of the authorization indicates that authorization has not been successfully completed on at least one default slice, blocking transmission of session management request messages that do not include or are not associated with an indication of a requested network slice, wherein all of the default network slices associated with the subscription of the user equipment require authorization.
Certain examples of the present disclosure provide a method for network slice authorization by a network management entity in a wireless communications system, the method comprising: receiving, from a user equipment, a message including a Protocol Data Unit (PDU) request; if the message does not include an indication of a network slice, and a default network slice associated with the user equipment is not available, transmitting a message indicating rejection of the PDU request or indicating not forwarding of the PDU request, to the user equipment; performing authorization on one or more default network slices associated with the user equipment; transmitting, to the user equipment, a configuration update command message including information indicating the one or more default network slices that authorization is being performed on; and in response to completion of the authorization, transmitting a configuration update command message including information on a result of the authorization to the user equipment.
In certain examples, all of the default network slices associated with the user equipment may require authorization.
In certain examples, the information on a result of the authorization may include an indication of whether authorization has been successfully completed on at least one of the default network slices associated with the user equipment.
In certain examples, the information on a result of the authorization may include an indication of the default network slices for which authorization has been successfully completed.
In certain examples, the information on a result of the authorization may include an indication of default network slices for which authorization failed.
In certain examples, the message indicating rejection of the PDU request or indicating not forwarding of the PDU request may indicate that the transmission of messages including a PDU request without an indication of a network slice or that are not associated with an indication of a network slice is not permitted.
In certain examples, the indication that the transmission of messages including a PDU request without an indication of a network slice or that are not associated with an indication of a network slice is not permitted may be a 5G Mobility Management (5GMM) cause code.
In certain examples, the message indicating rejection of the PDU request or indicating not forwarding of the PDU request may include information on a back-off timer associated with retransmission of the message including a PDU request.
In certain examples, the message indicating rejection of the PDU request or indicating not forwarding of the PDU request may include information indicating whether transmission of the message including a PDU request is permitted in an equivalent Public Land Mobile Network (PLMN).
Certain examples of the present disclosure provide a method for network registration by a user equipment in a wireless communications system, the method comprising: transmitting, to a network management entity, a message including a Protocol Data Unit (PDU) request without an indication of a network slice; receiving a message indicating rejection of the PDU request or indicating not forwarding of the PDU request, from the network management entity; blocking transmission of session management request messages that do not include or that are not associated with an indication of a requested network slice, receiving, from the network management entity, a configuration update command message including information indicating one or more default network slices that authorization is being performed on; receiving, from the network management entity, a configuration update command message including information on a result of the authorization; and updating the blocking of transmissions of session management request messages that do not include or that are not associated with an indication of a requested network slice based on the information on the result of the authorization.
Certain examples of the present disclosure provide a method for network slice authorization by a network management entity in a wireless communications system, the method comprising: receiving, from a user equipment, a registration request message including an indication of one or more requested network slices associated with a subscription of the user equipment; performing authorization on network slices of the requested network slices that require authorization and all default network slices associated with the subscription of the user equipment, wherein all of the default network slices associated with the subscription of the user equipment require authorization.
In certain examples, the method may further comprise transmitting, in response to completion of the authorization, a configuration update command message including an indication of whether authorization has been successfully completed on at least one of the default network slices associated with the subscription of the user equipment.
In certain examples, an indication of the one or more default network slices associated with the subscription of the user equipment may not be included in the registration request message.
Certain examples of the present disclosure provide a method for network slice authorization by a network management entity in a wireless communications system, the method comprising: receiving, from a user equipment, a registration request message including an indication of one or more requested network slices; transmitting, to the user equipment, a registration accept message indicating the network slices from among the one or more requested network slices upon which authorization is to be performed, and performing authorization on network slices of the requested network slices upon which authorization is to be performed, wherein the registration accept message indicates up to 16 network slices upon which authorization is to be performed.
Certain examples of the present disclosure provide a method for network registration by a user equipment in a wireless communications system, the method comprising: transmitting, to a network management entity, a registration request message including an indication of one or more requested network slices; receiving, from the network management entity, a registration accept message including an indication of a network slice upon which authorization is to be performed; receiving, from the network management entity, a configuration update command message including information on a result of network slice authorization, wherein the information on a result of the authorization includes an indication of whether authorization has been successfully completed on the network slice upon which authorization is to be performed, wherein the registration accept message indicates up to 16 network slices upon which authorization is to be performed.
Certain examples of the present disclosure provide a network management entity in a wireless communications system, wherein the network management entity is configured to perform any suitable method disclosed herein.
Certain examples of the present disclosure provide a user equipment in a wireless communication system, wherein the user equipment is configured to perform any suitable method disclosed herein.
Certain examples of the present disclosure provide a computer program comprising instructions which, when the program is executed by a computer or processor, cause the computer or processor to carry out any method disclosed herein.
Certain examples of the present disclosure provide a computer or processor-readable data carrier having stored thereon such a computer program.
Figure 5 is a block diagram of an exemplary network entity that may be used in examples of the present disclosure. For example, the UE, AMF and/or SMF may be provided in the form of the network entity illustrated in Figure 5. The skilled person will appreciate that the network entity illustrated in Figure 5 may be implemented, for example, as a network element on a dedicated hardware, as a software instance running on a dedicated hardware, or as a virtualised function instantiated on an appropriate platform, e.g. on a cloud infrastructure.
The entity 500 comprises a processor (or controller) 501, a transmitter 503 and a receiver 505. The receiver 505 is configured for receiving one or more messages or signals from one or more other network entities, for example one or more of the messages illustrated in Figures 1 to 4. The transmitter 503 is configured for transmitting one or more messages or signals to one or more other network entities, for example one or more of the messages illustrated in Figures 1 to 4. The processor 501 is configured for performing operations as described above in relation to Figures 1 to 4. For example, the processor 501 is configured for performing the operations of a UE, AMF and/or SMF.
The techniques described herein may be implemented using any suitably configured apparatus and/or system. Such an apparatus and/or system may be configured to perform a method according to any aspect, embodiment, example or claim disclosed herein. Such an apparatus may comprise one or more elements, for example one or more of receivers, transmitters, transceivers, processors, controllers, modules, units, and the like, each element configured to perform one or more corresponding processes, operations and/or method steps for implementing the techniques described herein. For example, an operation/function of X may be performed by a module configured to perform X (or an X-module). The one or more elements may be implemented in the form of hardware, software, or any combination of hardware and software.
It will be appreciated that examples of the present disclosure may be implemented in the form of hardware, software or any combination of hardware and software. Any such software may be stored in the form of volatile or non-volatile storage, for example a storage device like a ROM, whether erasable or rewritable or not, or in the form of memory such as, for example, RAM, memory chips, device or integrated circuits or on an optically or magnetically readable medium such as, for example, a CD, DVD, magnetic disk or magnetic tape or the like.
It will be appreciated that the storage devices and storage media are embodiments of machine-readable storage that are suitable for storing a program or programs comprising instructions that, when executed, implement certain examples of the present disclosure.
Accordingly, certain examples provide a program comprising code for implementing a method, apparatus or system according to any example, embodiment, aspect and/or claim disclosed herein, and/or a machine-readable storage storing such a program. Still further, such programs may be conveyed electronically via any medium, for example a communication signal carried over a wired or wireless connection.
While the invention has been shown and described with reference to certain examples, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the scope of the invention, as defined by any appended claims.
Acronyms, Abbreviations and Definitions
In the present disclosure, the following acronyms, abbreviations and definitions are used.
3GPP: 3rd Generation Partnership Project
5G: 5th Generation
5GC: 5G Core
5GMM: 5G Mobility Management
5GS: 5G System
5GSM: 5G Session Management
AAA: Authentication, Authorization and Accounting
AMF: Access and Mobility Management Function
A-NSSAI: Allowed NSSAI
CM: Connection Management
C-NSSAI: Configured NSSAI
DL: DownLink/Downlink
DNN: Data Network Name
(e)PCO: (extended) Protocol Configuration Options
EPS: Evolved Packet System
HPLMN: Home Public Land Mobile Network
ID: Identity
IE: Information Element
N1: Interface between UE and AMF
N1 mode: a mode of a UE allowing access to the 5G core network via the 5G access network
N2: Interface between AMF via (R)AN
N11: Interface between AMF and SMF
NAS: Non Access Stratum
NF: Network Function
NS: Network Slice
NSI: Network Slice Instance
NSSAA: Network Slice-Specific Authentication and Authorization
NSSAI: Network Slice Selection Assistance Information
NSSF: Network Slice Selection Function
PDN: Packet Data Network
PDU: Protocol Data Unit
PGW-C: PDN Gateway Control plane
PLMN: Public Land Mobile Network
P-NSSAI: Pending NSSAI
PS: Packet Switched
RAN: Radio Access Network
Rel: Release
R-NSSAI: Requested NSSAI
RRC: Radio Resource Control
S1 mode: a mode of a UE that operates with a functional division that is in accordance with the use of an S1 interface between the radio access network and the core network
SMF: Session Management Function
S-NSSAI: Single NSSAI
TA: Tracking Area
TAI: Tracking Area Identity
TS: Technical Specification
UDM: Unified Data Management
UE: User Equipment
UL: UpLink/Uplink
URSP: UE Route Selection Policies

Claims (12)

  1. A method for network slice authorization by a network management entity in a wireless communications system, the method comprising: receiving, from a user equipment, a message including a Protocol Data Unit (PDU) request; if the message does not include an indication of a network slice, and a default network slice associated with the user equipment is not available, transmitting a message indicating rejection of the PDU request or indicating not forwarding of the PDU request, to the user equipment; performing authorization on one or more default network slices associated with the user equipment; transmitting, to the user equipment, a configuration update command message including information indicating the one or more default network slices that authorization is being performed on; and in response to completion of the authorization, transmitting a configuration update command message including information on a result of the authorization to the user equipment.
  2. The method of claim 1, wherein all of the default network slices associated with the user equipment require authorization.
  3. The method of claim 2, wherein the information on a result of the authorization includes an indication of whether authorization has been successfully completed on at least one of the default network slices associated with the user equipment.
  4. The method of claim 3, wherein the information on a result of the authorization includes an indication of the default network slices for which authorization has been successfully completed.
  5. The method of claims 2 or 3, wherein the information on a result of the authorization includes an indication of default network slices for which authorization failed.
  6. The method of any of claims 2 to 5, wherein the message indicating rejection of the PDU request or indicating not forwarding of the PDU request indicates that the transmission of messages including a PDU request without an indication of a network slice or that are not associated with an indication of a network slice is not permitted.
  7. The method of claim 6, wherein the indication that the transmission of messages including a PDU request without an indication of a network slice or that are not associated with an indication of a network slice is not permitted is a 5G Mobility Management (5GMM) cause code.
  8. The method of any of claims 2 to 7, wherein the message indicating rejection of the PDU request or indicating not forwarding of the PDU request includes an information on a back-off timer associated with retransmission of the message including a PDU request.
  9. The method of any of claims 2 to 8, wherein the message indicating rejection of the PDU request or indicating not forwarding of the PDU request includes information indicating whether transmission of the message including a PDU request is permitted in an equivalent Public Land Mobile Network (PLMN).
  10. A method for network registration by a user equipment in a wireless communications system, the method comprising: transmitting, to a network management entity, a message including a Protocol Data Unit (PDU) request without an indication of a network slice; receiving a message indicating rejection of the PDU request or indicating not forwarding of the PDU request, from the network management entity; blocking transmission of session management request messages that do not include or that are not associated with an indication of a requested network slice, receiving, from the network management entity, a configuration update command message including information indicating one or more default network slices that authorization is being performed on; receiving, from the network management entity, a configuration update command message including information on a result of the authorization; and updating the blocking of transmissions of session management request messages that do not include or that are not associated with an indication of a requested network slice based on the information on the result of the authorization.
  11. A network management entity in a wireless communications system, wherein the network management entity is configured to perform the method of any of claims 1 to 9.
  12. A user equipment in a wireless communication system, wherein the user equipment is configured to perform the method of claim 10.
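The message flow of claims 1 and 10 can be traced with a small model of both sides. This is an added illustration, not code from the patent or from any 3GPP specification: the class and method names, the slice labels, the cause-code placeholder, and the rule that one authorized default slice lifts the UE's block are all assumptions, and requests that do carry a slice indication are simply forwarded.

```python
from dataclasses import dataclass, field

NO_SLICE_CAUSE = "PLACEHOLDER-5GMM-CAUSE"  # constructed label; the claims give no value

@dataclass
class UE:
    blocked: bool = False                      # claim 10: block requests lacking a slice indication
    pending: set = field(default_factory=set)  # default slices the network is authorizing

    def request_pdu(self, amf, s_nssai=None):
        if s_nssai is None and self.blocked:
            return "blocked-locally"           # request never leaves the UE
        return amf.on_pdu_request(self, s_nssai)

    def on_reject(self, cause):
        if cause == NO_SLICE_CAUSE:
            self.blocked = True

    def on_config_update(self, pending=None, result=None):
        if pending is not None:
            self.pending = set(pending)
        if result is not None:
            self.pending.clear()
            # Assumption: one authorized default slice is enough to lift the block.
            self.blocked = not result["succeeded"]

@dataclass
class AMF:
    defaults: dict  # default S-NSSAI -> "pending" | "ok" | "failed"

    def on_pdu_request(self, ue, s_nssai):
        usable = [s for s, st in self.defaults.items() if st == "ok"]
        if s_nssai is None and not usable:
            ue.on_reject(NO_SLICE_CAUSE)       # claim 1: reject / do not forward
            return "rejected"
        return "forwarded"

    def run_nssaa(self, ue, aaa_verdicts):
        pending = [s for s, st in self.defaults.items() if st == "pending"]
        ue.on_config_update(pending=pending)   # first configuration update command
        for s in pending:
            self.defaults[s] = "ok" if aaa_verdicts[s] else "failed"
        result = {"succeeded": [s for s in pending if self.defaults[s] == "ok"],
                  "failed": [s for s in pending if self.defaults[s] == "failed"]}
        ue.on_config_update(result=result)     # second command: outcome (claims 3 to 5)
        return result
```

If every default slice fails authorization, the UE in this model stays blocked and keeps suppressing slice-less requests locally instead of resending them to the network.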
GB2101857.7A 2020-02-12 2021-02-10 Slice-specific authentication and authorization Active GB2597343B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB2001942.8A GB2593436B (en) 2020-02-12 2020-02-12 Slice-specific authentication and authorization

Publications (3)

Publication Number Publication Date
GB202101857D0 GB202101857D0 (en) 2021-03-24
GB2597343A GB2597343A (en) 2022-01-26
GB2597343B GB2597343B (en) 2022-08-24

Family

ID=69897113

Family Applications (2)

Application Number Title Priority Date Filing Date
GB2001942.8A Active GB2593436B (en) 2020-02-12 2020-02-12 Slice-specific authentication and authorization
GB2101857.7A Active GB2597343B (en) 2020-02-12 2021-02-10 Slice-specific authentication and authorization

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GB2001942.8A Active GB2593436B (en) 2020-02-12 2020-02-12 Slice-specific authentication and authorization

Country Status (1)

Country Link
GB (2) GB2593436B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11683682B2 (en) * 2020-04-22 2023-06-20 Qualcomm Incorporated Network slice authentication for default slices
CN113709764B (en) * 2020-05-21 2023-06-27 华为技术有限公司 Communication method and device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190335392A1 (en) * 2018-04-30 2019-10-31 Weihua QIAO 5G Policy Control for Restricted Local Operator Services

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10660016B2 (en) * 2017-11-08 2020-05-19 Ofinno, Llc Location based coexistence rules for network slices in a telecommunication network
EP3972347A1 (en) * 2017-12-08 2022-03-23 Comcast Cable Communications LLC User plane function selection for isolated network slice

Non-Patent Citations (7)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; System Architecture for the 5G System; Stage 2 (Release 16)", 21 December 2019 (2019-12-21), XP051867063, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_sa/WG2_Arch/Latest_SA2_Specs/DRAFT_INTERIM/Archive/23501-g30_CRs_Implemented_No_CR1848r4.zip 23501-g30_CRs_Implemented.doc> [retrieved on 20191221] *
"Technical Specification Group Core Network and Terminals; Non-Access-Stratum (NAS) protocol for 5G System (5GS); Stage 3 (Release 16)", 16 December 2019 (2019-12-16), XP051839236, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_ct/WG1_mm-cc-sm_ex-CN1/TSGC1_122_Sophia-Antipolis/draftspecsafterCT86/draft_24501-g30-v1.zip draft_24501-g30-v1.doc> [retrieved on 20191216] *
3GPP TS 23.501
3GPP TS 23.502
3GPP TS 23.503
3GPP TS 24.501
ANONYMOUS: "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Procedures for the 5G System (5GS); Stage 2 (Release 16)", vol. SA WG2, no. V16.3.0, 22 December 2019 (2019-12-22), pages 1 - 558, XP051840932, Retrieved from the Internet <URL:ftp://ftp.3gpp.org/Specs/archive/23_series/23.502/23502-g30.zip 23502-g30.docx> [retrieved on 20191222] *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021086157A1 (en) 2019-11-02 2021-05-06 Samsung Electronics Co., Ltd. Method and system for managing discovery of edge application servers
EP4029317A4 (en) * 2019-11-02 2022-10-26 Samsung Electronics Co., Ltd. Method and system for managing discovery of edge application servers

Also Published As

Publication number Publication date
GB2593436A (en) 2021-09-29
GB2593436B (en) 2022-08-17
GB202001942D0 (en) 2020-03-25
GB2597343B (en) 2022-08-24
GB202101857D0 (en) 2021-03-24
