WO2019224132A1 - A pulling mechanism for requesting the protection policies in an edge node based on n32 signaling between edge nodes - Google Patents


Info

Publication number
WO2019224132A1
Authority
WO
WIPO (PCT)
Prior art keywords
policy information
protection policy
protection
network
land mobile
Application number
PCT/EP2019/062901
Other languages
French (fr)
Inventor
Anja Jerichow
Suresh Nair
Nagendra S BYKAMPADI
Original Assignee
Nokia Technologies Oy


Classifications

    • H04L 63/20: Network architectures or network communication protocols for network security; managing network security, network security policies in general
    • H04W 12/033: Security arrangements; protecting confidentiality, e.g. by encryption of the user plane (user's traffic)
    • H04W 12/37: Security of mobile devices; managing security policies for mobile devices or for controlling mobile applications
    • H04W 4/70: Services specially adapted for wireless communication networks; services for machine-to-machine communication [M2M] or machine type communication [MTC]
    • H04W 88/182: Service support devices, network management devices; network node acting on behalf of another network entity, e.g. proxy
    • H04W 92/24: Interfaces between hierarchically similar devices; interfaces between backbone network devices

All codes sit under H (Electricity) / H04 (Electric communication technique), in the H04L (Transmission of digital information) and H04W (Wireless communication networks) subclasses.

Definitions

  • An example embodiment relates generally to a method and apparatus for obtaining protection policies between edge nodes and, more particularly, to signaling-based remote pulling and/or requesting of the protection policy that a Security Edge Protection Proxy (SEPP) needs in order to treat a protected message received from a roaming partner and forward it to the destination network function (NF).
  • NF network function
  • SEPP Security Edge Protection Proxy
  • The Service Based Architecture defined in TS 23.501 models services as network functions (NFs) that communicate with each other over representational state transfer (REST)ful application programming interfaces (APIs).
  • REST representational state transfer
  • APIs application programming interfaces
  • 5G introduces the SEPP as the entity sitting at the perimeter of the PLMN and acting as a gateway that protects all traffic going out of the network.
  • The SEPP implements application-layer security for all data exchanged at the service layer between NFs in two different networks.
  • HTTP hypertext transfer protocol
  • Parts of an HTTP message: the HTTP request/response line, the HTTP header(s) and the HTTP payload.
  • Differing levels of protection may be required for different parts of the message; for example, some parts may need to be encrypted, while the rest may require only integrity protection.
  • A method, apparatus and computer program product are provided in accordance with an example embodiment in order to facilitate, at a visited SEPP of a visited network, signaling-based remote obtaining (for example by requesting and/or pulling) of the protection information from the home SEPP.
  • The instant application describes a pulling mechanism, using a signaling-based approach, for remotely pulling and/or requesting protection policy information (for example stored in a protection policy file), so that the visited SEPP (vSEPP) sitting at the edge of the visited network gains access to the necessary protection policy information from the home SEPP (hSEPP) sitting at the edge of the home network, the home network hosting the network functions and their resources.
  • The hSEPP obtains the protection policy information from a centralized repository, for example a Network Repository Function (NRF), or through local configuration, for example over an OAM interface.
  • NRF Network Repository Function
  • Alternatively, an Operation, Administration and Maintenance (OAM) interface directly configures the hSEPP with the protection policy information; the hSEPP subsequently uses a signaling channel with the vSEPP, for example over the N32 interface, to provide this information to the vSEPP.
  • The embodiments described herein enable remote access to that protection policy information by the vSEPP through a signaling-based pulling and/or requesting mechanism, so that the vSEPP gains the information it needs to protect outgoing messages destined for the hSEPP in the home network, which improves the security between the home network (hPLMN) and the visited network (vPLMN).
  • A method for obtaining protection policies between edge nodes, the method comprising: obtaining, at a visited security edge protection proxy, a protected message, the visited security edge protection proxy being a network node at the boundary of a visited public land mobile network; performing an initial evaluation that determines the unavailability of protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding the protection of signaling messages addressed to network functions hosted in a home network, the home network being a home public land mobile network, and the protection policy information enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network; obtaining the protection policy information; and applying the protection policy information to the protected message.
  • the initial evaluation comprises determining that no applicable protection policy information is available in a local repository of the visited public land mobile network, in which case obtaining the protection policy information means obtaining updated protection policy information.
  • obtaining the protection policy information comprises directly accessing a repository in the home public land mobile network to obtain the protection policy information.
  • the method further comprises, before directly accessing the repository in the home public land mobile network, evaluating the protected message to identify the presence of, or to determine, a direct link to that repository.
  • obtaining the protection policy information comprises: determining that the protected message does not include protection policy information and/or that the local repository of the visited public land mobile network does not include the protection policy information; and transmitting, over a signaling interface, a request for the protection policy information to a home security edge protection proxy.
  • obtaining the protection policy information comprises: causing the home security edge protection proxy, on obtaining the protection policy information, to pull the protection policy information from a repository function and/or to trigger the network function to register, re-register or update the protection policy information it previously transmitted to the network repository function; and causing the home security edge protection proxy to receive updated protection policy information from the repository function, and to transmit it onward, whenever an update to the protection policy information occurs.
  • the signaling interface comprises an N32 interface.
  • the method further comprises storing the updated protection policy information in the local repository of the visited public land mobile network.
  • An apparatus for obtaining protection policies between edge nodes, the apparatus comprising: means for obtaining, at a visited security edge protection proxy, a protected message, the visited security edge protection proxy being a network node at the boundary of a visited public land mobile network; means for performing an initial evaluation that determines the unavailability of protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding the protection of signaling messages addressed to network functions hosted in a home network, the home network being a home public land mobile network, and the protection policy information enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network; means for obtaining the protection policy information; and means for applying the protection policy information to the protected message.
  • the means for performing the initial evaluation comprises means for determining that no applicable protection policy information is available in a local repository of the visited public land mobile network, in which case the means for obtaining the protection policy information obtains updated protection policy information.
  • the means for obtaining the protection policy information comprises means for directly accessing a repository in the home public land mobile network to obtain the protection policy information.
  • the apparatus further comprises means for evaluating the protected message, before the direct access to the repository in the home public land mobile network, to identify the presence of, or to determine, a direct link to that repository.
  • the means for obtaining the protection policy information comprises: means for determining that the protected message does not include protection policy information and/or that the local repository of the visited public land mobile network does not include the protection policy information; and means for transmitting, over a signaling interface, a request for the protection policy information to a home security edge protection proxy.
  • the means for obtaining the protection policy information comprises: means for causing the home security edge protection proxy, on obtaining the protection policy information, to pull the protection policy information from a repository function and/or to trigger the network function to register, re-register or update the protection policy information it previously transmitted to the network repository function; and means for causing the home security edge protection proxy to receive updated protection policy information from the repository function, and to transmit it onward, whenever an update to the protection policy information occurs.
  • the signaling interface comprises an N32 interface.
  • the apparatus further comprises means for storing the updated protection policy information in the local repository of the visited public land mobile network.
  • An apparatus for obtaining protection policies between edge nodes, the apparatus comprising at least one processor and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to: obtain, at a visited security edge protection proxy, a protected message, the visited security edge protection proxy being a network node at the boundary of a visited public land mobile network; perform an initial evaluation that determines the unavailability of protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding the protection of signaling messages addressed to network functions hosted in a home network, the home network being a home public land mobile network, and the protection policy information enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network; obtain the protection policy information; and apply the protection policy information to the protected message.
  • the computer program code configured to, with the at least one processor, cause the apparatus at least to determine the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: determine unavailability of applicable protection policy information from protection policy information stored in a local repository of the visited public land mobile network, and wherein the obtaining of the protection policy information is obtaining updated protection policy information.
  • the computer program code configured to, with the at least one processor, cause the apparatus at least to determine the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: directly access a local repository in a home network, to obtain the protection policy information.
  • the computer program code further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: preceding the direct access of the local repository in public land mobile network to obtain the protection policy information, evaluate the protected message to identify a presence of or determine a direct link to the local repository in public land mobile network.
  • the computer program code configured to, with the at least one processor, cause the apparatus at least to obtain the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: determine that the protected message does not include protection policy information and/or that the local repository of the visited public land mobile network does not include the protection policy information; and transmit, over a signaling interface, a request for the protection policy information to a home security edge protection proxy.
  • the computer program code configured to, with the at least one processor, cause the apparatus at least to obtain the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: cause the home security edge protection proxy, on obtaining the protection policy information, to pull the protection policy information from a repository function and/or to trigger the network function to register, re-register or update the protection policy information it previously transmitted to the network repository function; and cause the home security edge protection proxy to receive updated protection policy information from the repository function, and to transmit it onward, whenever an update to the protection policy information occurs.
  • the signaling interface comprises an N32 interface.
  • the computer program code further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: store the updated protection policy information in the local repository of the visited public land mobile network.
  • A computer program product for obtaining protection policies between edge nodes, the computer program product comprising at least one non-transitory computer-readable storage medium having computer-executable program code instructions stored therein, the computer-executable program code instructions comprising program code instructions configured, upon execution, to: obtain, at a visited security edge protection proxy, a protected message, the visited security edge protection proxy being a network node at the boundary of a visited public land mobile network; perform an initial evaluation that determines the unavailability of protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding the protection of signaling messages addressed to network functions hosted in a home network, the home network being a home public land mobile network, and the protection policy information enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network; obtain the protection policy information; and apply the protection policy information to the protected message.
  • the computer-executable program code instructions configured to obtain the protection policy information further comprise program code instructions configured, upon execution, to: determine that no applicable protection policy information is available in a local repository of the visited public land mobile network, in which case the obtaining of the protection policy information is the obtaining of updated protection policy information.
  • the computer-executable program code instructions configured to obtain the protection policy information further comprise program code instructions configured, upon execution, to: directly access a repository in the home public land mobile network to obtain the protection policy information.
  • the computer-executable program code instructions further comprise program code instructions configured, upon execution, to: preceding the direct access of the local repository in public land mobile network to obtain the protection policy information, evaluate the protected message to identify a presence of or determine a direct link to the local repository in public land mobile network.
  • the computer-executable program code instructions configured to obtain the protection policy information further comprise program code instructions configured, upon execution, to: determine that the protected message does not include protection policy information and/or that the local repository of the visited public land mobile network does not include the protection policy information; and transmit, over a signaling interface, a request for the protection policy information to a home security edge protection proxy.
  • the computer-executable program code instructions configured to obtain the protection policy information further comprise program code instructions configured, upon execution, to: cause the home security edge protection proxy, on obtaining the protection policy information, to pull the protection policy information from a repository function and/or to trigger the network function to register, re-register or update the protection policy information it previously transmitted to the network repository function; and cause the home security edge protection proxy to receive updated protection policy information from the repository function, and to transmit it onward, whenever an update to the protection policy information occurs.
  • the signaling interface comprises an N32 interface.
  • the computer-executable program code instructions further comprise program code instructions configured, upon execution, to store the updated protection policy information in the local repository of the visited public land mobile network.
  • Figure 1 is a block diagram of a system that may be specifically configured to facilitate signaling-based remote provisioning and updating of the protection information, in accordance with an example embodiment of the present disclosure
  • Figure 2 is a block diagram of an apparatus that may be specifically configured in accordance with an example embodiment of the present disclosure
  • Figure 3 is a flowchart depicting operations performed, such as by the apparatus of Figure 2, to facilitate signaling-based remote pulling of the protection information in accordance with an example embodiment of the present disclosure
  • Figure 4 is a block diagram of a system specifically configured to facilitate signaling-based remote pulling and requesting of the protection policy information and showing an order of operations to perform the signaling-based remote pulling and requesting of the protection policy information, in accordance with an example embodiment of the present disclosure.
  • circuitry refers to (a) hardware-only circuit implementations (e.g., implementations in analog circuitry and/or digital circuitry); (b) combinations of circuits and computer program product(s) comprising software and/or firmware instructions stored on one or more computer readable memories that work together to cause an apparatus to perform one or more functions described herein; and (c) circuits, such as, for example, a microprocessor(s) or a portion of a microprocessor(s), that require software or firmware for operation even if the software or firmware is not physically present.
  • This definition of 'circuitry' applies to all uses of this term herein, including in any claims.
  • the term 'circuitry' also includes an implementation comprising one or more processors and/or portion(s) thereof and accompanying software and/or firmware.
  • the term 'circuitry' as used herein also includes, for example, a baseband integrated circuit or applications processor integrated circuit for a mobile phone or a similar integrated circuit in a server, a cellular network device, other network device, field programmable gate array, and/or other computing device.
  • a method, apparatus and computer program product are provided in order to provide for remote provisioning of protection policies in an edge node based on signaling, such as N32 signaling, between edge nodes.
  • HTTP-based signaling flows are protected by the SEPP before they are sent to the roaming partner network over the corresponding N32 interface.
  • Selective protection is applied to the message by the sending SEPP: parts of the message undergo (a) encryption, to prevent eavesdropping on sensitive information; (b) integrity protection, to allow a middlebox to read but not modify them; or (c) integrity protection with modification tracking, to allow a middlebox to modify them while making it possible to detect what was modified and which middlebox performed the modification.
  • the receiving SEPP in the roaming network decodes the received message after necessary verification, and rebuilds the HTTP signaling message to be sent internally to the corresponding network function. This requires the sending SEPP to know how to selectively protect each part of the message received from the network function, and the receiving SEPP to know how to treat the received protected message from the roaming partner to recreate the message to be forwarded to the network function.
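The selective protection described above (encryption, integrity protection, and integrity protection with modification tracking, applied part by part according to a protection policy), worked through end to end as an added example. This is illustrative code written for this page, not code from the patent or from any 3GPP or Nokia implementation: the policy format (leaf path to treatment), the key names, the `protect`, `middlebox_modify` and `unprotect` functions and the sample message are all assumptions, and the cipher is an HMAC-SHA256 keystream chosen only so the example runs with the Python standard library; it is not the mechanism a real SEPP uses. The modification-tracking part shows what the receiving SEPP gains from the policy: it rejects a change to an integrity-protected field, accepts an attributed change to a tracked field, and names the middlebox that made it.

```python
import hashlib
import hmac
import json

# The three treatments named in the text.
ENCRYPT = "encrypt"                      # hidden from the IPX middlebox
INTEGRITY = "integrity"                  # readable by the middlebox, any change is detected
INTEGRITY_TRACKED = "integrity_tracked"  # middlebox may change it, the change is attributed

# Constructed keys (assumption: a real pair of SEPPs derives these from their N32 setup).
SEPP_ENC_KEY = b"example-sepp-confidentiality-key"
SEPP_INT_KEY = b"example-sepp-integrity-key"
IPX_KEYS = {"ipx-a": b"example-ipx-a-key"}  # middlebox id -> its integrity key

# Constructed protection policy for one NF API: leaf path -> treatment.
# Leaves not listed get plain integrity protection.
POLICY = {
    "headers.authorization": ENCRYPT,
    "payload.supi": ENCRYPT,
    "payload.servingNetwork": INTEGRITY_TRACKED,
}

# Constructed sample message using test-PLMN (001/01) identifiers.
SAMPLE = {
    "request_line": "POST /nudm-uecm/v1/registrations HTTP/2",
    "headers": {"content-type": "application/json", "authorization": "Bearer example-token"},
    "payload": {"supi": "imsi-001010000000001", "servingNetwork": "001-01", "pduSessionId": "5"},
}

def _leaves(msg):
    """Flatten request line, headers and payload fields into (path, value) pairs."""
    yield "request_line", msg["request_line"]
    for name, value in msg["headers"].items():
        yield f"headers.{name}", value
    for name, value in msg["payload"].items():
        yield f"payload.{name}", value

def _keystream_xor(key, nonce, path, data):
    """Stand-in stream cipher: HMAC-SHA256 keystream in counter mode, bound to the
    nonce and the leaf path. Used only to keep the example stdlib-only."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + path.encode() + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def _mac(key, obj):
    """HMAC-SHA256 over the canonical JSON form of obj."""
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def protect(msg, policy, nonce):
    """Sending SEPP: apply the policy leaf by leaf, then MAC sealed and tracked leaves."""
    sealed, tracked = {}, {}
    for path, value in _leaves(msg):
        treatment = policy.get(path, INTEGRITY)
        if treatment == ENCRYPT:
            sealed[path] = _keystream_xor(SEPP_ENC_KEY, nonce, path, value.encode()).hex()
        elif treatment == INTEGRITY_TRACKED:
            tracked[path] = value   # cleartext; the original value is still covered by the MAC
        else:
            sealed[path] = value    # cleartext; any change breaks the MAC
    body = {"nonce": nonce.hex(), "sealed": sealed, "tracked": tracked}
    return {**body, "mac": _mac(SEPP_INT_KEY, body), "modifications": []}

def middlebox_modify(protected, mb_id, path, new_value):
    """IPX middlebox: may only touch tracked leaves, and signs each change,
    chaining to the previous MAC so the order of changes is fixed."""
    if path not in protected["tracked"]:
        raise PermissionError(f"{path} is not modifiable by a middlebox")
    mods = protected["modifications"]
    entry = {"by": mb_id, "path": path, "value": new_value,
             "prev_mac": mods[-1]["mac"] if mods else protected["mac"]}
    entry["mac"] = _mac(IPX_KEYS[mb_id], entry)
    mods.append(entry)
    return protected

def unprotect(protected, policy):
    """Receiving SEPP: verify, decrypt, apply attributed changes, rebuild the HTTP message.
    Returns (message, [(path, middlebox id), ...]) or raises ValueError."""
    body = {k: protected[k] for k in ("nonce", "sealed", "tracked")}
    if not hmac.compare_digest(protected["mac"], _mac(SEPP_INT_KEY, body)):
        raise ValueError("sender integrity check failed")
    nonce = bytes.fromhex(protected["nonce"])
    leaves = {}
    for path, value in protected["sealed"].items():
        if policy.get(path, INTEGRITY) == ENCRYPT:   # the policy says which leaves to decrypt
            leaves[path] = _keystream_xor(SEPP_ENC_KEY, nonce, path, bytes.fromhex(value)).decode()
        else:
            leaves[path] = value
    leaves.update(protected["tracked"])
    changes, prev = [], protected["mac"]
    for entry in protected["modifications"]:
        unsigned = {k: v for k, v in entry.items() if k != "mac"}
        key = IPX_KEYS.get(entry.get("by"))
        if (key is None or entry.get("path") not in protected["tracked"]
                or unsigned.get("prev_mac") != prev
                or not hmac.compare_digest(entry.get("mac", ""), _mac(key, unsigned))):
            raise ValueError(f"rejected modification of {entry.get('path')} by {entry.get('by')}")
        leaves[entry["path"]] = entry["value"]
        changes.append((entry["path"], entry["by"]))
        prev = entry["mac"]
    msg = {"request_line": leaves.pop("request_line"), "headers": {}, "payload": {}}
    for path, value in leaves.items():
        part, name = path.split(".", 1)
        msg[part][name] = value
    return msg, changes
```

The receiving side needs the same policy to know which sealed leaves to decrypt, which is exactly the protection policy information the rest of the page is about obtaining; feeding `unprotect` a policy that does not match the sender's leaves the encrypted fields as hex strings even though the MAC verifies, so a missing or stale policy is a correctness problem at the vSEPP, not merely a logging one.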
  • The system includes two networks, for example a home network and a visited network, configured to communicate via an internetworking protocol, for example as supported by an IP exchange (IPX) network 110.
  • IPX IP exchange
  • The home network, which as shown may be a home PLMN (hPLMN) 120, is an operator network that hosts network functions (NFs) 140 providing a set of services to other NFs, including NFs in the remote partner network.
  • The hPLMN 120 may include a home SEPP (hSEPP) 160, a network node at the boundary of the hPLMN 120 that obtains the protection policy from a repository 170 in the hPLMN 120 and uses its signaling connection (over the IPX network 110) with the visited SEPP 180 to remotely provision the policy in the vSEPP 180.
  • The visited network, as shown, may include a visited SEPP (vSEPP) 180, a network node at the boundary of the visited network that receives from the hSEPP 160 the protection policy containing information on how to protect signaling messages addressed to NFs 140 hosted in the hPLMN 120.
  • the hPLMN 120 may further include a repository function (RF) 150, the repository function 150 being an entity in the hPLMN 120 that stores protection policy information applicable to all the NFs 140 in the hPLMN 120.
  • RF 150 may also be a service in an existing network function, for example, NF 140.
  • An apparatus 200 is provided, as shown for example in Figure 2.
  • the apparatus may be embodied by any of a variety of different components and, in one embodiment, is embodied by an edge node of the hPLMN, such as the hSEPP 160 of the hPLMN 120.
  • the apparatus of an example embodiment includes, is associated with or is otherwise in communication with a processor 210, an associated memory 220 and a communication interface 230.
  • the processor 210 may be in communication with the memory device 220 via a bus for passing information among components of the apparatus 200.
  • the memory device may be non-transitory and may include, for example, one or more volatile and/or non-volatile memories.
  • the memory device may be an electronic storage device (e.g., a computer readable storage medium) comprising gates configured to store data (e.g., bits) that may be retrievable by a machine (e.g., a computing device like the processor).
  • the memory device may be configured to store information, data, content, applications, instructions, or the like for enabling the apparatus to carry out various functions in accordance with an example embodiment of the present disclosure.
  • the memory device could be configured to buffer input data for processing by the processor. Additionally or alternatively, the memory device could be configured to store instructions for execution by the processor.
  • the apparatus 200 may, in some embodiments, be embodied in various computing devices as described above. However, in some embodiments, the apparatus may be embodied as a chip or chip set. In other words, the apparatus may comprise one or more physical packages (e.g., chips) including materials, components and/or wires on a structural assembly (e.g., a baseboard). The structural assembly may provide physical strength, conservation of size, and/or limitation of electrical interaction for component circuitry included thereon. The apparatus may therefore, in some cases, be configured to implement an embodiment of the present invention on a single chip or as a single "system on a chip." As such, in some cases, a chip or chipset may constitute means for performing one or more operations for providing the functionalities described herein.
  • the processor 210 may be embodied in a number of different ways.
  • the processor may be embodied as one or more of various hardware processing means such as a coprocessor, a microprocessor, a controller, a digital signal processor (DSP), a processing element with or without an accompanying DSP, or various other circuitry including integrated circuits such as, for example, an ASIC (application specific integrated circuit), an FPGA (field programmable gate array), a microcontroller unit (MCU), a hardware accelerator, a special-purpose computer chip, or the like.
  • the processor may include one or more processing cores configured to perform independently.
  • a multi-core processor may enable multiprocessing within a single physical package.
  • the processor may include one or more processors configured in tandem via the bus to enable independent execution of instructions, pipelining and/or multithreading.
  • the processor 210 may be configured to execute instructions stored in the memory device 220 or otherwise accessible to the processor. Alternatively or additionally, the processor may be configured to execute hard coded functionality. As such, whether configured by hardware or software methods, or by a combination thereof, the processor may represent an entity (e.g., physically embodied in circuitry) capable of performing operations according to an embodiment of the present disclosure while configured accordingly. Thus, for example, when the processor is embodied as an ASIC, FPGA or the like, the processor may be specifically configured hardware for conducting the operations described herein. Alternatively, as another example, when the processor is embodied as an executor of instructions, the instructions may specifically configure the processor to perform the algorithms and/or operations described herein when the instructions are executed.
  • the processor may be a processor of a specific device (e.g., an image processing system) configured to employ an embodiment of the present invention by further configuration of the processor by instructions for performing the algorithms and/or operations described herein.
  • the processor may include, among other things, a clock, an arithmetic logic unit (ALU) and logic gates configured to support operation of the processor.
  • ALU arithmetic logic unit
  • the communication interface 230 may be any means such as a device or circuitry embodied in either hardware or a combination of hardware and software that is configured to receive and/or transmit data from/to a network.
  • the communication interface may include, for example, an antenna (or multiple antennas) and supporting hardware and/or software for enabling communications with a wireless communication network. Additionally or alternatively, the communication interface may include the circuitry for interacting with the antenna(s) to cause transmission of signals via the antenna(s) or to handle receipt of signals received via the antenna(s).
  • the communication interface may alternatively or also support wired communication.
  • the communication interface may include a communication modem and/or other hardware/software for supporting communication via cable, digital subscriber line (DSL), universal serial bus (USB) or other mechanisms.
  • the hSEPP, upon obtaining an initial set of policies from the RF, may utilize its established N32 signaling channel with the vSEPP to forward the policies to the vSEPP.
  • hSEPP may forward the new policy update (e.g., updated protection policy information) to vSEPP over the corresponding N32 signaling channel. That is, hSEPP is configured to receive from the RF, updated protection policy information in an instance in which an update occurs to the protection policy information in the local store of the RF and to distribute, via use of the signaling channel, the updated protection policy to the vSEPP.
  • the apparatus 200 includes means, such as the processor 210 or the like, configured to receive, at the vSEPP, a message, such as, for example, a protected message. See block 305 of Figure 3.
  • vSEPP evaluates the message, for example, to determine if protection policy information associated therewith arrived as part of the message or is stored locally.
  • the apparatus 200 includes means, such as the processor 210 or the like, configured to determine, at the vSEPP, availability of protection policy information, for example, necessary to treat the message. See block 310 of Figure 3.
  • the apparatus 200 includes means, such as the processor 210 or the like, configured to determine, at the vSEPP, that no protection policy information is available or that the stored and/or available protection policy information is not fresh enough (e.g., out-of-date), for example, according to the vSEPP's configuration, thus requiring updated information. See block 315 of Figure 3.
  • the apparatus then obtains the protection policy information, for example, by way of at least one of two means, mechanisms, or processes.
  • the apparatus 200 includes means, such as the processor 210 or the like, configured to determine that vSEPP has been previously provided with a link allowing direct access to a repository of the hPLMN, and as such is further configured to directly access, via the signaling channel, the repository to pull updated protection policy information from the hSEPP. See block 320 of Figure 3.
  • if vSEPP determines that it has not been provided with direct access to hPLMN, that vSEPP is not configured to directly access hPLMN, or that hPLMN is not configured to allow direct access, a request for updated protection policy information may be made instead.
  • the apparatus 200 includes means, such as the processor 210 or the like, configured to transmit, via the signaling channel, a request for updated protection policy information to the hSEPP. See block 325 of Figure 3.
  • hSEPP may then receive the request for updated protection policy information and subsequently acquire the information necessary to fulfill the request. For example, in some embodiments, hSEPP may contact NRF and gain access to updated protection policy information. In other embodiments, hSEPP may determine and/or be informed that the applicable protection policy information is not present in NRF, subsequently triggering an NF to register and/or provide (or re-provide) its protection policy information.
  • the hSEPP obtains protection policies, applicable to all NFs in the hPLMN, from the RF in the hPLMN.
  • the RF may be standalone from existing NFs or may be a service in an existing NF.
  • policies may be pulled from the RF by the hSEPP or pushed to the hSEPP by the RF, for example based on triggers such as the time of day, a new agreement with a roaming partner, a policy update, a request from vSEPP, or the like.
  • protection policy information may be provided out-of-band (e.g., hSEPP may be provisioned out-of-band with the protection policy information, such as, for example, via the OAM interface).
  • the apparatus 200 includes means, such as the processor 210 or the like, configured to receive, at the vSEPP, via the signaling channel, the updated protection policy. See block 330 of Figure 3.
  • whether vSEPP has been enabled to obtain protection policy information directly from a repository in hPLMN (for example, via a link provided by hSEPP), or vSEPP obtained the protection policy information from hSEPP, which in turn obtained it from the local repository in hPLMN, the apparatus has at this point acquired and/or gained access to the protection policy information.
  • the apparatus 200 includes means, such as the processor 210 or the like, configured to update, at the vSEPP, local storage with the new and/or updated protection policy information. See block 335 of Figure 3.
  • the apparatus 200 includes means, such as the processor 210 or the like, configured to apply, at the vSEPP, the updated protection policy information to the message destined for hPLMN. See block 340 of Figure 3.
  • FIG. 4 is a signal flow diagram showing an embodiment in which NRF acts as the Repository Function in the hPLMN.
  • NRF stores protection policy information on a per-NF type basis.
  • the content in the protection policy information is not restricted to being stored on a per- NF type basis, and may be stored on a per-roaming partner or roaming operator basis, for example, where vSEPP sits.
  • content in the protection policy information may be applied differently based on the roaming partner or particular characteristics of a roaming partner, such as for example, geography.
  • the protection policy information in NRF may either be: a) statically provisioned via an OAM interface or b) dynamically built when a new NF Instance of a previously un-registered NF type, registers with the NRF.
  • NRF may be configured such that the protection policy information is dynamically built when a new NF type registers with the NRF.
  • the NF instance supplies its required protection policy information to the NRF at registration time.
  • the NRF executes, for example, a push of the policy information to the hSEPP.
  • the hSEPP then forwards the policy information to the vSEPP over the N32 interface.
  • NF provides its protection policy, for example, during registration.
  • NRF updates its local store.
  • NRF maintains this policy information on a per-NF type basis.
  • NRF updates its local store only when there is a change in policy for the existing NF type or there is a new NF type that is registering.
  • hSEPP receives a message from NF.
  • hSEPP pushes, forwards, or otherwise transmits the message or information indicative or representative of the message to vSEPP.
  • vSEPP checks the availability of the protection policy information necessary to treat the message. If vSEPP determines that applicable protection policy information is available, that protection policy information may be applied.
  • otherwise, vSEPP may either directly access the repository in hPLMN to obtain the protection policy information or, alternatively, transmit a request for updated protection policy information (e.g., the missing protection policy information) to hSEPP, as shown at block 430.
  • hSEPP may contact NRF and obtain the policy.
  • hSEPP determines and/or is informed that the applicable protection policy information is not present in NRF, subsequently triggering, for example, steps 405 and 410, where protection policy information for NF is transferred to NRF, and in some embodiments, stored.
  • NRF may then push the updated protection policy information to hSEPP, as shown in block 440.
  • upon receiving the request for applicable protection policy information and/or information indicating that vSEPP lacks the necessary protection policy information or that the protection policy stored in vSEPP is not up to date, and subsequently obtaining the applicable protection policy information, hSEPP transmits the applicable protection policy information to vSEPP. That is, hSEPP uses its existing N32 signaling channel with the vSEPP to provision the updated protection policy in the vSEPP. As shown in block 445, vSEPP receives the applicable protection policy information, for example via the existing N32 signaling channel with hSEPP. At block 450, vSEPP stores the received protection policy information by updating its local store. Subsequent to receiving the protection policy information, vSEPP is able to apply protection to the HTTP messages destined to the hPLMN.
  • Figure 3 is a flowchart of an apparatus 200, method, and computer program product according to example embodiments of the invention. It will be understood that each block of the flowcharts, and combinations of blocks in the flowcharts, may be implemented by various means, such as hardware, firmware, processor, circuitry, and/or other devices associated with execution of software including one or more computer program instructions. For example, one or more of the procedures described above may be embodied by computer program instructions. In this regard, the computer program instructions which embody the procedures described above may be stored by a memory device 220 of an apparatus employing an embodiment of the present invention and executed by a processor 210 of the apparatus. As will be appreciated, any such computer program instructions may be loaded onto a computer or other programmable apparatus (e.g., hardware) to produce a machine, such that the resulting computer or other programmable apparatus implements the functions specified in the flowchart blocks.
  • These computer program instructions may also be stored in a computer-readable memory that may direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture, the execution of which implements the function specified in the flowchart blocks.
  • the computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operations to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide operations for implementing the functions specified in the flowchart blocks.
  • a computer program product is therefore defined in those instances in which the computer program instructions, such as computer-readable program code portions, are stored by at least one non-transitory computer-readable storage medium with the computer program instructions, such as the computer-readable program code portions, being configured, upon execution, to perform the functions described above, such as in conjunction with the flowchart of Figure 3.
  • the computer program instructions, such as the computer-readable program code portions need not be stored or otherwise embodied by a non-transitory computer-readable storage medium, but may, instead, be embodied by a transitory medium with the computer program instructions, such as the computer-readable program code portions, still being configured, upon execution, to perform the functions described above.
  • blocks of the flowcharts support combinations of means for performing the specified functions and combinations of operations for performing the specified functions. It will also be understood that one or more blocks of the flowcharts, and combinations of blocks in the flowcharts, may be implemented by special purpose hardware-based computer systems which perform the specified functions, or combinations of special purpose hardware and computer instructions.
  • certain ones of the operations above may be modified or further amplified. Furthermore, in some embodiments, additional optional operations may be included. Modifications, additions, or amplifications to the operations above may be performed in any order and in any combination.
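The flows of Figure 3 (blocks 305 to 340) and Figure 4 (steps 405 to 450) above, as an added example that is not code from the application, from Nokia or from 3GPP. It simulates the three parties in plain Python: an NRF acting as the Repository Function with a per-NF-type store, an hSEPP that answers N32 policy requests and triggers NF registration when the NRF holds no policy, and a vSEPP that reuses a fresh local policy, reads the hPLMN repository directly when it has been given a link, and otherwise sends an N32 request. The NF type names (AUSF, PCF), the IE names, the policy layout, the freshness window and the fall-back from a failed direct access to an N32 request are assumptions made for illustration. Applying the policy (block 340) is shown as partitioning the message body into IEs that must be encrypted and IEs that only need integrity protection; the actual encryption and MAC computation are outside this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Assumed policy layout for one NF type: the IEs needing confidentiality;
    every other IE in the body receives integrity protection only."""
    nf_type: str
    confidential_ies: frozenset
    version: int
    issued_at: float


class NRF:
    """Repository Function of Figure 4, keeping policies per NF type.
    `providers` maps NF types present in the hPLMN to a callable returning the
    policy that NF supplies when it registers (steps 405/410)."""

    def __init__(self, providers):
        self.providers = providers
        self.store = {}

    def register(self, nf_type):
        """Local store changes only for a new NF type or a changed policy."""
        policy = self.providers[nf_type]()
        current = self.store.get(nf_type)
        if current is None or current.confidential_ies != policy.confidential_ies:
            self.store[nf_type] = policy
            return True
        return False

    def lookup(self, nf_type):
        return self.store.get(nf_type)


class HSepp:
    """Home SEPP: answers N32 policy requests from the RF; when the NRF has no
    policy for the NF type, triggers the NF to (re-)register (block 435)."""

    def __init__(self, nrf):
        self.nrf = nrf

    def handle_policy_request(self, nf_type):
        policy = self.nrf.lookup(nf_type)
        if policy is None and nf_type in self.nrf.providers:
            self.nrf.register(nf_type)  # NF re-provides its policy, steps 405/410
            policy = self.nrf.lookup(nf_type)
        return policy  # None: the hPLMN has no such NF type at all


class VSepp:
    """Visited SEPP with a local policy store and a configured freshness window."""

    def __init__(self, hsepp, max_age, direct_repo=None):
        self.hsepp = hsepp
        self.max_age = max_age          # seconds a stored policy counts as fresh
        self.direct_repo = direct_repo  # set once hSEPP has provided a direct link
        self.store = {}

    def obtain_policy(self, nf_type, now):
        """Blocks 310-335: reuse a fresh local policy; otherwise read the hPLMN
        repository directly when a link exists, else request it over N32."""
        policy = self.store.get(nf_type)
        if policy is not None and now - policy.issued_at <= self.max_age:
            return policy, "local"
        source, policy = "direct", None
        if self.direct_repo is not None:
            policy = self.direct_repo.lookup(nf_type)
        if policy is None:  # no link, or the link yielded nothing: ask hSEPP
            source, policy = "n32_request", self.hsepp.handle_policy_request(nf_type)
        if policy is None:
            raise LookupError(f"no protection policy for NF type {nf_type}")
        self.store[nf_type] = policy  # block 335: update the local store
        return policy, source

    def protect(self, message, now):
        """Block 340: split the body into IEs to encrypt and IEs that only need
        integrity protection, per the policy of the target NF type."""
        policy, source = self.obtain_policy(message["target_nf_type"], now)
        body = message["body"]
        return {
            "target_nf_type": policy.nf_type,
            "policy_version": policy.version,
            "policy_source": source,
            "encrypted_ies": {k: v for k, v in body.items() if k in policy.confidential_ies},
            "integrity_only_ies": {k: v for k, v in body.items() if k not in policy.confidential_ies},
        }


# Constructed sample data: two NF types exist in the hPLMN; only AUSF has registered.
def ausf_policy():
    return Policy("AUSF", frozenset({"supi", "authenticationVector"}), 1, 1000.0)


def pcf_policy():
    return Policy("PCF", frozenset({"supi"}), 1, 1000.0)


nrf = NRF({"AUSF": ausf_policy, "PCF": pcf_policy})
nrf.register("AUSF")
hsepp = HSepp(nrf)
vsepp = VSepp(hsepp, max_age=3600.0)

# Constructed outgoing message from the vPLMN toward the home AUSF.
SAMPLE = {
    "target_nf_type": "AUSF",
    "body": {"supi": "imsi-001010123456789",
             "servingNetworkName": "5G:mnc001.mcc001.3gppnetwork.org",
             "authenticationVector": "<constructed>"},
}
```

Calling `vsepp.protect(SAMPLE, now=1500.0)` yields `policy_source == "n32_request"` on the first message, `"local"` on a second message within the freshness window, and `"n32_request"` again once the stored policy is older than `max_age`; a message toward PCF causes the hSEPP to trigger the PCF registration before answering, and a `VSepp` constructed with `direct_repo=nrf` reports `"direct"`. The freshness window is the vSEPP-side configuration mentioned at block 315; a policy that the NRF re-issues unchanged keeps its old `issued_at` here, so a real deployment would also want the hSEPP to stamp the policy it forwards.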

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, apparatus and computer program product may be provided for signaling-based remote pulling or requesting of protection policy information in a SEPP of a visited network. A method may include obtaining, at a visiting security edge protection proxy, a protected message, performing an initial evaluation determining an unavailability of a protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding protection of signaling messages addressed for network functions hosted in a home network and configured for enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network, obtaining the protection policy information via a request or direct access to a local repository of the home network, and applying the protection policy information to the protected message.

Description

A PULLING MECHANISM FOR REQUESTING THE PROTECTION
POLICIES IN AN EDGE NODE BASED ON N32 SIGNALING BETWEEN EDGE NODES
TECHNICAL FIELD
[0001] An example embodiment relates generally to a method and apparatus for obtaining protection policies between edge nodes and, more particularly, for facilitating signaling-based remote pulling and/or requesting of protection policies necessary to treat a protected message from a roaming partner to be forwarded to the network function (NF) in a Security Edge Protection Proxy (SEPP) of the roaming partner’s network.
BACKGROUND
[0002] In 5th generation wireless systems (5G), Service Based Architecture (SBA), defined in TS 23.501, is introduced to model services as network functions (NFs) that communicate with each other using representational state transfer (REST)ful application programming interfaces (APIs). In the scenario where the two communicating NFs are in two different public land mobile networks (PLMNs), communication happens over the roaming interface between the two participating PLMNs.
[0003] To protect NF specific content in the messages that are sent over the roaming interface, 5G introduces SEPP as the entity sitting at the perimeter of the PLMN network and acting as a gateway that protects all the traffic going out of the network. The SEPP implements application layer security for all the data exchanged between two inter network NFs at the service layer.
[0004] Application layer security involves protecting information sent in various parts of the hypertext transfer protocol (HTTP) message, including HTTP Request/Response Line, HTTP header and HTTP Payload. However, differing levels of protection may be required for different parts of the message. For example, some parts of the message may need to be encrypted, while the rest of the message may require integrity protection.
BRIEF SUMMARY
[0005] A method, apparatus and computer program product are provided in accordance with an example embodiment in order to facilitate, at a visiting SEPP of a visited network, signaling-based remote obtaining, for example, via requesting and/or pulling of the protection information, from the home SEPP. In particular, the instant application describes a pulling mechanism, utilizing a signaling based approach, for the remote pulling and/or requesting of protection policy information, for example stored in a protection policy file, thus enabling the visiting SEPP (e.g., vSEPP) sitting at the edge of the visited network to gain access to necessary protection policy information from a home SEPP sitting at the edge of the home network, the home network hosting the network functions and their resources.
[0006] In particular, in embodiments where hSEPP obtains the protection policy information from a centralized repository, for example, from a Network Repository Function (NRF), or through local configuration, such as, for example, through an Operation, Administration, and Maintenance (OAM) interface that directly configures hSEPP with the protection policy information, and subsequently utilizes a signaling channel with vSEPP to provide this information to the vSEPP, for example, over the N32 interface, embodiments described herein enable the remote access of that protection policy information by vSEPP, via a signaling based mechanism for obtaining that protection policy information, via a pulling and/or requesting mechanism, thus allowing vSEPP to gain access to the necessary information required to protect outgoing messages destined towards hSEPP in the home network, thus improving the security between the home network (e.g., hPLMN) and the visited network (e.g., vPLMN).
[0007] In some embodiments, a method is provided for obtaining protection policies between edge nodes, the method comprising obtaining, at a visiting security edge protection proxy, a protected message, the visited security edge protection proxy within a visited public land mobile network, the visited security edge protection proxy being a network node at a boundary of the visited public land mobile network; performing an initial evaluation determining an unavailability of a protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding protection of signaling messages addressed for network functions hosted in a home network, the home network being a home public land mobile network and configured for enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network; obtaining the protection policy information; and applying the protection policy information to the protected message.
[0008] In some embodiments, the determination of the protection policy information comprises: determining unavailability of applicable protection policy information from protection policy information stored in a local repository of the visited public land mobile network, and wherein the obtaining of the protection policy information is obtaining updated protection policy information.
[0009] In some embodiments, obtaining the protection policy information comprises: directly accessing a local repository in a home network, to obtain the protection policy information.
[0010] In some embodiments, the method further comprises preceding the direct access of the local repository in public land mobile network to obtain the protection policy information, evaluating the protected message to identify a presence of or determine a direct link to the local repository in public land mobile network.
[0011] In some embodiments, obtaining the protection policy information comprises: determining at least one of that protected message fails to include protection policy information or that a local repository of the visited public land mobile network fails to include the protection policy information; and transmitting a request to a home security edge protection proxy, for the protection policy information.
[0012] In some embodiments, obtaining the protection policy information comprises: causing the home security edge protection proxy, when obtaining the protection policy information, to at least one of pull the protection policy information from a repository function or trigger the network function to register, re-register, or update the protection policy information previously transmitted to the network repository function; and causing reception, at the home security edge protection proxy, from the repository function, and subsequent transmission of updated protection policy information in an instance in which an update occurs to the protection policy information.
[0013] In some embodiments, the signaling interface comprises an N32 interface. In some embodiments, the method further comprises storing the updated protection policy information in the local repository of the visited public land mobile network.
[0014] In some embodiments, an apparatus is provided for obtaining protection policies between edge nodes, the apparatus comprising means for obtaining, at a visiting security edge protection proxy, a protected message, the visited security edge protection proxy within a visited public land mobile network, the visited security edge protection proxy being a network node at a boundary of the visited public land mobile network; means for performing an initial evaluation determining an unavailability of a protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding protection of signaling messages addressed for network functions hosted in a home network, the home network being a home public land mobile network and configured for enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network; means for obtaining the protection policy information; and means for applying the protection policy information to the protected message.
[0015] In some embodiments, the means for determination of the protection policy information comprises: means for determining unavailability of applicable protection policy information from protection policy information stored in a local repository of the visited public land mobile network, and wherein the obtaining of the protection policy information is obtaining updated protection policy information.
[0016] In some embodiments, the means for obtaining the protection policy information comprises: means for directly accessing a local repository in a home network, to obtain the protection policy information.
[0017] In some embodiments, the apparatus further comprises means for, preceding the direct access of the local repository in public land mobile network to obtain the protection policy information, evaluating the protected message to identify a presence of or determine a direct link to the local repository in public land mobile network.
[0018] In some embodiments, the means for obtaining the protection policy information comprises: means for determining at least one of that protected message fails to include protection policy information or that a local repository of the visited public land mobile network fails to include the protection policy information; and means for transmitting a request to a home security edge protection proxy, for the protection policy information.
[0019] In some embodiments, the means for obtaining the protection policy information comprises: means for causing the home security edge protection proxy, when obtaining the protection policy information, to at least one of pull the protection policy information from a repository function or trigger the network function to register, re-register, or update the protection policy information previously transmitted to the network repository function; and means for causing reception, at the home security edge protection proxy, from the repository function, and subsequent transmission of updated protection policy information in an instance in which an update occurs to the protection policy information.
[0020] In some embodiments, the signaling interface comprises an N32 interface. In some embodiments, the apparatus further comprises means for storing the updated protection policy information in the local repository of the visited public land mobile network.
[0021] In some embodiments, an apparatus is provided for obtaining protection policies between edge nodes, the apparatus comprising at least one processor and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to: obtain, at a visiting security edge protection proxy, a protected message, the visited security edge protection proxy within a visited public land mobile network, the visited security edge protection proxy being a network node at a boundary of the visited public land mobile network; perform an initial evaluation determining an unavailability of a protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding protection of signaling messages addressed for network functions hosted in a home network, the home network being a home public land mobile network and configured for enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network; obtain the protection policy information; and apply the protection policy information to the protected message.
[0022] In some embodiments, the computer program code configured to, with the at least one processor, cause the apparatus at least to determine the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: determine unavailability of applicable protection policy information from protection policy information stored in a local repository of the visited public land mobile network, and wherein the obtaining of the protection policy information is obtaining updated protection policy information.
[0023] In some embodiments, the computer program code configured to, with the at least one processor, cause the apparatus at least to determine the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: directly access a local repository in a home network, to obtain the protection policy information.
[0024] In some embodiments, the computer program code further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: preceding the direct access of the local repository in public land mobile network to obtain the protection policy information, evaluate the protected message to identify a presence of or determine a direct link to the local repository in public land mobile network.
[0025] In some embodiments, the computer program code configured to, with the at least one processor, cause the apparatus at least to determine the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: determining at least one of that protected message fails to include protection policy information or that a local repository of the visited public land mobile network fails to include the protection policy information; and transmitting a request to a home security edge protection proxy, for the protection policy information.
[0026] In some embodiments, the computer program code configured to, with the at least one processor, cause the apparatus at least to determine the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: causing the home security edge protection proxy, when obtaining the protection policy information, to at least one of pull the protection policy information from a repository function or trigger the network function to register, re-register, or update the protection policy information previously transmitted to the network repository function; and causing reception, at the home security edge protection proxy, from the repository function, and subsequent transmission of updated protection policy information in an instance in which an update occurs to the protection policy information.
[0027] In some embodiments, the signaling interface comprises an N32 interface. In some embodiments, the computer program code further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to: store the updated protection policy information in the local repository of the visited public land mobile network.
[0028] In some embodiments, a computer program product is provided for obtaining protection policies between edge nodes, the computer program product comprising at least one non-transitory computer-readable storage medium having computer-executable program code instructions stored therein, the computer-executable program code instructions comprising program code instructions configured, upon execution, to: obtain, at a visiting security edge protection proxy, a protected message, the visited security edge protection proxy within a visited public land mobile network, the visited security edge protection proxy being a network node at a boundary of the visited public land mobile network; perform an initial evaluation determining an unavailability of a protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding protection of signaling messages addressed for network functions hosted in a home network, the home network being a home public land mobile network and configured for enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network; obtain the protection policy information; and apply the protection policy information to the protected message.
[0029] In some embodiments, the computer-executable program code instructions configured to obtain the protection policy information further comprises program code instructions configured, upon execution, to: determine unavailability of applicable protection policy information from protection policy information stored in a local repository of the visited public land mobile network, and wherein the obtaining of the protection policy information is obtaining updated protection policy information.
[0030] In some embodiments, the computer-executable program code instructions configured to obtain the protection policy information further comprises program code instructions configured, upon execution, to: directly access a local repository in a home network, to obtain the protection policy information.
[0031] In some embodiments, the computer-executable program code instructions further comprise program code instructions configured, upon execution, to: preceding the direct access of the local repository in public land mobile network to obtain the protection policy information, evaluate the protected message to identify a presence of or determine a direct link to the local repository in public land mobile network.
[0032] In some embodiments, the computer-executable program code instructions configured to obtain the protection policy information further comprises program code instructions configured, upon execution, to: determine at least one of that protected message fails to include protection policy information or that a local repository of the visited public land mobile network fails to include the protection policy information; and transmit a request to a home security edge protection proxy, for the protection policy information.
[0033] In some embodiments, the computer-executable program code instructions configured to obtain the protection policy information further comprises program code instructions configured, upon execution, to: cause the home security edge protection proxy, when obtaining the protection policy information, to at least one of pull the protection policy information from a repository function or trigger the network function to register, re-register, or update the protection policy information previously transmitted to the network repository function; and cause reception, at the home security edge protection proxy, from the repository function, and subsequent transmission of updated protection policy information in an instance in which an update occurs to the protection policy information.
[0034] In some embodiments, the signaling interface comprises an N32 interface. In some embodiments, the computer-executable program code instructions further comprise program code instructions configured, upon execution, to store the updated protection policy information in the local repository of the visited public land mobile network.
BRIEF DESCRIPTION OF THE DRAWINGS
[0035] Having thus described certain example embodiments of the present disclosure in general terms, reference will hereinafter be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:
[0036] Figure 1 is a block diagram of a system that may be specifically configured to facilitate signaling-based remote provisioning and updating of the protection information, in accordance with an example embodiment of the present disclosure;
[0037] Figure 2 is a block diagram of an apparatus that may be specifically configured in accordance with an example embodiment of the present disclosure;
[0038] Figure 3 is a flowchart depicting operations performed, such as by the apparatus of Figure 2, to facilitate signaling-based remote pulling of the protection information in accordance with an example embodiment of the present disclosure;
[0039] Figure 4 is a block diagram of a system specifically configured to facilitate signaling-based remote pulling and requesting of the protection policy information and showing an order of operations to perform the signaling-based remote pulling and requesting of the protection policy information, in accordance with an example embodiment of the present disclosure.
DETAILED DESCRIPTION
[0040] Some embodiments of the present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which some, but not all, embodiments of the invention are shown. Indeed, various embodiments of the invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy applicable legal requirements. Like reference numerals refer to like elements throughout. As used herein, the terms “data,” “content,” “information,” and similar terms may be used interchangeably to refer to data capable of being transmitted, received and/or stored in accordance with embodiments of the present invention. Thus, use of any such terms should not be taken to limit the spirit and scope of embodiments of the present invention.
[0041] Additionally, as used herein, the term ‘circuitry’ refers to (a) hardware-only circuit implementations (e.g., implementations in analog circuitry and/or digital circuitry); (b) combinations of circuits and computer program product(s) comprising software and/or firmware instructions stored on one or more computer readable memories that work together to cause an apparatus to perform one or more functions described herein; and (c) circuits, such as, for example, a microprocessor(s) or a portion of a microprocessor(s), that require software or firmware for operation even if the software or firmware is not physically present. This definition of ‘circuitry’ applies to all uses of this term herein, including in any claims. As a further example, as used herein, the term ‘circuitry’ also includes an implementation comprising one or more processors and/or portion(s) thereof and accompanying software and/or firmware. As another example, the term ‘circuitry’ as used herein also includes, for example, a baseband integrated circuit or applications processor integrated circuit for a mobile phone or a similar integrated circuit in a server, a cellular network device, other network device, field programmable gate array, and/or other computing device.
[0042] As defined herein, a “computer-readable storage medium,” which refers to a physical storage medium (e.g., volatile or non-volatile memory device), may be differentiated from a “computer-readable transmission medium,” which refers to an electromagnetic signal.
[0043] A method, apparatus and computer program product are provided in order to provide for remote provisioning of protection policies in an edge node based on signaling, such as N32 signaling, between edge nodes. In 5G Service Based Architecture, HTTP based signaling flows are protected by the SEPP before they are sent to the roaming network partner over the corresponding N32 interface. For outgoing messages, selective protection is applied to the message by the sending SEPP, wherein each part of the message undergoes one of: encryption, for example, to prevent eavesdropping on sensitive information; integrity protection, for example, to allow reading by the middlebox but prevent modification; or integrity protection with modification tracking, for example, to allow modification by the middlebox but to enable detecting what was modified, and which middlebox performed the modification.
[0044] Upon reception of the message from the N32 interface, the receiving SEPP in the roaming network decodes the received message after necessary verification, and rebuilds the HTTP signaling message to be sent internally to the corresponding network function. This requires the sending SEPP to know how to selectively protect each part of the message received from the network function, and the receiving SEPP to know how to treat the received protected message from the roaming partner to recreate the message to be forwarded to the network function.
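The three protection classes described in paragraphs [0043] and [0044] can be made concrete with a small model of the sending SEPP, an IPX middlebox and the receiving SEPP. The following Python is an added example and is not code from the patent or from any Nokia implementation; the policy format (one class per top-level body field), the envelope layout, the sample field names and the HMAC-derived toy stream cipher standing in for a real AEAD are all constructed for this illustration. Modifiable fields travel in the clear, but the sender commits to their original values under its MAC and every middlebox change must be logged and signed, so the receiver can tell what changed and who changed it.

```python
import hashlib
import hmac
import json

# Constructed example policy (not the 3GPP or patent format): one protection
# class per top-level field of the HTTP body exchanged over N32.
POLICY = {
    "supi": "encrypt",                 # sensitive: hidden from the IPX middlebox
    "nfInstanceId": "integrity",       # readable by the middlebox, not modifiable
    "routingIndicator": "modifiable",  # middlebox may change it, changes are tracked
}
_LOG_FIELDS = ("mb", "field", "old", "new")


def _canon(obj) -> bytes:
    """Canonical JSON so both SEPPs MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-derived keystream) standing in for a real AEAD."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def _commitment(env: dict) -> bytes:
    """Bytes covered by the sending SEPP's MAC: ciphertexts, clear integrity
    fields, and the hash of the modifiable fields' original values."""
    return _canon({"enc": env["enc"], "clear": env["clear"], "h": env["orig_hash"]})


def protect(message: dict, policy: dict, enc_key: bytes, mac_key: bytes) -> dict:
    """Sending SEPP: apply the per-field protection class from the policy."""
    env = {"enc": {}, "clear": {}, "mod": {}, "modlog": []}
    for field, value in message.items():
        cls = policy.get(field, "integrity")  # unknown fields default to integrity
        if cls == "encrypt":
            env["enc"][field] = _xor_stream(enc_key, _canon(value)).hex()
        elif cls == "integrity":
            env["clear"][field] = value
        else:
            env["mod"][field] = value
    env["orig_hash"] = hashlib.sha256(_canon(env["mod"])).hexdigest()
    env["mac"] = _mac(mac_key, _commitment(env))
    return env


def middlebox_modify(env: dict, field: str, new_value, mb_id: str, mb_key: bytes) -> dict:
    """IPX middlebox: may change 'modifiable' fields only and signs each change."""
    if field not in env["mod"]:
        raise PermissionError(f"{field} is not modifiable under the policy")
    entry = {"mb": mb_id, "field": field, "old": env["mod"][field], "new": new_value}
    entry["mb_mac"] = _mac(mb_key, _canon(entry))
    env["mod"][field] = new_value
    env["modlog"].append(entry)
    return env


def unprotect(env: dict, enc_key: bytes, mac_key: bytes, mb_keys: dict):
    """Receiving SEPP: verify, attribute modifications, rebuild the message.
    Returns (message, [(middlebox_id, field), ...])."""
    if not hmac.compare_digest(_mac(mac_key, _commitment(env)), env["mac"]):
        raise ValueError("integrity check failed")
    # Undo the logged changes and compare with the sender's committed hash:
    # an unlogged change to a modifiable field shows up here.
    original = dict(env["mod"])
    for entry in reversed(env["modlog"]):
        original[entry["field"]] = entry["old"]
    if hashlib.sha256(_canon(original)).hexdigest() != env["orig_hash"]:
        raise ValueError("modifiable fields changed without a matching log entry")
    changes = []
    for entry in env["modlog"]:
        key = mb_keys.get(entry["mb"])
        signed = _canon({k: entry[k] for k in _LOG_FIELDS})
        if key is None or not hmac.compare_digest(_mac(key, signed), entry["mb_mac"]):
            raise ValueError(f"modification not verifiably made by {entry['mb']}")
        changes.append((entry["mb"], entry["field"]))
    message = dict(env["clear"], **env["mod"])
    for field, hex_ct in env["enc"].items():
        message[field] = json.loads(_xor_stream(enc_key, bytes.fromhex(hex_ct)))
    return message, changes


def detects_tamper(env: dict, enc_key: bytes, mac_key: bytes, mb_keys: dict) -> bool:
    """True if the receiving SEPP rejects the (possibly tampered) envelope."""
    try:
        unprotect(env, enc_key, mac_key, mb_keys)
        return False
    except ValueError:
        return True
```

The receiving SEPP needs the same policy as the sender to know which envelope bucket each field came from, which is exactly the provisioning problem the rest of the description addresses.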
[0045] A method, apparatus and computer program product are provided in order to provide for remote provisioning of protection policies in an edge node based on N32 signaling between edge nodes. Figure 1 shows two networks, for example a home network and a visited network, configured to communicate via an internetworking protocol, such as one supported by an internetwork packet exchange (IPX) network 110. The home network, shown for example as home PLMN (hPLMN) 120, is an operator network that hosts network functions (NFs) 140 providing a set of services to the other NFs, including NFs in the remote partner network. The hPLMN 120 may include a home SEPP (hSEPP) 160, the hSEPP 160 being a network node at the boundary of the Home PLMN 120 that obtains the protection policy from a repository 170 in hPLMN 120, and uses its signaling connection 110 with the visited SEPP 180 to remotely provision the policy in the visited SEPP 180.
[0046] The visited network, as shown, may include a visited SEPP (vSEPP) 180, the vSEPP 180 being a network node at the boundary of the network that receives from the hSEPP 160 the protection policy, which contains information on how to protect signaling messages addressed for NFs 140 hosted in the hPLMN 120. The hPLMN 120 may further include a repository function (RF) 150, the repository function 150 being an entity in the hPLMN 120 that stores protection policy information applicable to all the NFs 140 in the hPLMN 120. RF 150 may also be a service in an existing network function, for example, NF 140.
[0047] In order to provide for remote provisioning of protection policies in an edge node based on signaling, such as N32 signaling, between edge nodes, an apparatus 200 is provided and as shown, for example, in Figure 2. The apparatus may be embodied by any of a variety of different components and, in one embodiment, is embodied by an edge node of the hPLMN, such as the hSEPP 160 of the hPLMN 120. As shown in Figure 2, the apparatus of an example embodiment includes, is associated with or is otherwise in communication with a processor 210, an associated memory 220 and a communication interface 230.
[0048] The processor 210 (and/or co-processors or any other circuitry assisting or otherwise associated with the processor) may be in communication with the memory device 220 via a bus for passing information among components of the apparatus 200. The memory device may be non-transitory and may include, for example, one or more volatile and/or non-volatile memories. In other words, for example, the memory device may be an electronic storage device (e.g., a computer readable storage medium) comprising gates configured to store data (e.g., bits) that may be retrievable by a machine (e.g., a computing device like the processor). The memory device may be configured to store information, data, content, applications, instructions, or the like for enabling the apparatus to carry out various functions in accordance with an example embodiment of the present disclosure.
For example, the memory device could be configured to buffer input data for processing by the processor. Additionally or alternatively, the memory device could be configured to store instructions for execution by the processor.
[0049] The apparatus 200 may, in some embodiments, be embodied in various computing devices as described above. However, in some embodiments, the apparatus may be embodied as a chip or chip set. In other words, the apparatus may comprise one or more physical packages (e.g., chips) including materials, components and/or wires on a structural assembly (e.g., a baseboard). The structural assembly may provide physical strength, conservation of size, and/or limitation of electrical interaction for component circuitry included thereon. The apparatus may therefore, in some cases, be configured to implement an embodiment of the present invention on a single chip or as a single “system on a chip.” As such, in some cases, a chip or chipset may constitute means for performing one or more operations for providing the functionalities described herein.
[0050] The processor 210 may be embodied in a number of different ways. For example, the processor may be embodied as one or more of various hardware processing means such as a coprocessor, a microprocessor, a controller, a digital signal processor (DSP), a processing element with or without an accompanying DSP, or various other circuitry including integrated circuits such as, for example, an ASIC (application specific integrated circuit), an FPGA (field programmable gate array), a microcontroller unit (MCU), a hardware accelerator, a special-purpose computer chip, or the like. As such, in some embodiments, the processor may include one or more processing cores configured to perform independently. A multi-core processor may enable multiprocessing within a single physical package. Additionally or alternatively, the processor may include one or more processors configured in tandem via the bus to enable independent execution of instructions, pipelining and/or multithreading.
[0051] In an example embodiment, the processor 210 may be configured to execute instructions stored in the memory device 220 or otherwise accessible to the processor. Alternatively or additionally, the processor may be configured to execute hard coded functionality. As such, whether configured by hardware or software methods, or by a combination thereof, the processor may represent an entity (e.g., physically embodied in circuitry) capable of performing operations according to an embodiment of the present disclosure while configured accordingly. Thus, for example, when the processor is embodied as an ASIC, FPGA or the like, the processor may be specifically configured hardware for conducting the operations described herein. Alternatively, as another example, when the processor is embodied as an executor of instructions, the instructions may specifically configure the processor to perform the algorithms and/or operations described herein when the instructions are executed. However, in some cases, the processor may be a processor of a specific device (e.g., an image processing system) configured to employ an embodiment of the present invention by further configuration of the processor by instructions for performing the algorithms and/or operations described herein. The processor may include, among other things, a clock, an arithmetic logic unit (ALU) and logic gates configured to support operation of the processor.
[0052] The communication interface 230 may be any means such as a device or circuitry embodied in either hardware or a combination of hardware and software that is configured to receive and/or transmit data from/to a network. In this regard, the communication interface may include, for example, an antenna (or multiple antennas) and supporting hardware and/or software for enabling communications with a wireless communication network. Additionally or alternatively, the communication interface may include the circuitry for interacting with the antenna(s) to cause transmission of signals via the antenna(s) or to handle receipt of signals received via the antenna(s). In some environments, the communication interface may alternatively or also support wired communication. As such, for example, the communication interface may include a communication modem and/or other hardware/software for supporting communication via cable, digital subscriber line (DSL), universal serial bus (USB) or other mechanisms.
[0053] The operations performed by the apparatus 200 in order to provide for obtaining, for example, via a remote pulling and/or requesting mechanism or process, of protection policies in an edge node based on signaling, such as N32 signaling, between edge nodes, are depicted in a flowchart of Figure 3. Generally, hSEPP, upon obtaining an initial set of policies from the RF, may utilize its established N32 signaling channel with vSEPP to forward the policies to the vSEPP. Subsequently, in those instances in which and/or whenever the hSEPP receives an update of the protection policy information, whether it is via pull or push from the RF, or via, for example, an OAM interface, hSEPP may forward the new policy update (e.g., updated protection policy information) to vSEPP over the corresponding N32 signaling channel. That is, hSEPP is configured to receive from the RF, updated protection policy information in an instance in which an update occurs to the protection policy information in the local store of the RF and to distribute, via use of the signaling channel, the updated protection policy to the vSEPP. However, in the event vSEPP does not receive and/or has not received the necessary protection policy information, embodiments described herein provide for obtaining that information.
[0054] In an example embodiment, the apparatus 200 includes means, such as the processor 210 or the like, configured to receive, at the vSEPP, a message, such as, for example, a protected message. See block 305 of Figure 3. Upon reception of the message, or sometime subsequent to the reception, vSEPP evaluates the message, for example, to determine if protection policy information associated therewith arrived as part of the message or is stored locally. The apparatus 200 includes means, such as the processor 210 or the like, configured to determine, at the vSEPP, availability of protection policy information, for example, necessary to treat the message. See block 310 of Figure 3. The apparatus 200 includes means, such as the processor 210 or the like, configured to determine, at the vSEPP, that no protection policy information is available or that the stored and/or available protection policy information is not fresh enough (e.g., out-of-date), for example, according to the vSEPP's configuration, thus requiring updated information. See block 315 of Figure 3.
[0055] The apparatus then obtains the protection policy information by way of at least one of two means, mechanisms, or processes. For example, in some embodiments, the apparatus 200 includes means, such as the processor 210 or the like, configured to determine that the vSEPP has previously been provided with a link allowing direct access to the repository of the hPLMN, and as such is further configured to directly access, via the signaling channel, the repository to pull updated protection policy information from the hSEPP. See block 320 of Figure 3.
[0056] Additionally or alternatively, a request for updated protection policy information may be made, for example in those embodiments where the vSEPP has not been provided with direct access to the hPLMN, where the vSEPP determines that it has not been provided with such access, where the vSEPP is not configured to directly access the hPLMN, or where the hPLMN is not configured to allow direct access. In particular, the apparatus 200 includes means, such as the processor 210 or the like, configured to transmit, via the signaling channel, a request for updated protection policy information to the hSEPP. See block 325 of Figure 3.
[0057] As is described more fully with respect to Figure 4, hSEPP may then receive the request for updated protection policy information and subsequently acquire the necessary information to fulfill the request. For example, in some embodiments, hSEPP may contact NRF and gain access to updated protection policy information. In other embodiments, hSEPP may determine and/or be informed that the applicable protection policy information is not present in NRF, subsequently triggering an NF to register and/or provide (or re-provide) its protection policy information. Generally, utilizing a signaling interface that exists between the SEPP (e.g., hSEPP) and the RF, for example, for management and update of the protection policies applicable to the set of NFs in a PLMN, the hSEPP in the hPLMN obtains protection policies, applicable to all NFs in the hPLMN, from the RF in the hPLMN. The RF may be standalone from existing NFs or may be a service in an existing NF. These policies may be pulled from the RF by the hSEPP, or pushed to the hSEPP by the RF, for example, based on certain triggers such as, for example, time of the day, a new agreement with a roaming partner, a policy update, a request from vSEPP, or the like. In some embodiments, however, protection policy information may be provided out-of-band (e.g., hSEPP may be provisioned out-of-band with the protection policy information, such as, for example, via the OAM interface).
[0058] Regardless of the manner in which hSEPP receives, accesses, gains access to, or otherwise obtains the necessary protection policy information, once hSEPP has acquired the applicable protection policy information identified as fulfilling the request from vSEPP, this protection policy information is transmitted to vSEPP.
[0059] Returning to Figure 3, the apparatus 200 includes means, such as the processor 210 or the like, configured to receive, at the vSEPP, via the signaling channel, the updated protection policy. See block 330 of Figure 3. Here, whether vSEPP has been enabled to obtain protection policy information directly, for example, via a link provided by hSEPP, from a repository in hPLMN, or whether vSEPP obtained the protection policy information from hSEPP, which obtained it from the local repository in hPLMN, the apparatus has acquired and/or gained access to the protection policy information.
[0060] As such, the apparatus 200 includes means, such as the processor 210 or the like, configured to update, at the vSEPP, local storage with the new and/or updated protection policy information. See block 335 of Figure 3. The apparatus 200 includes means, such as the processor 210 or the like, configured to apply, at the vSEPP, the updated protection policy information to the message destined for hPLMN. See block 340 of Figure 3.
[0061] Figure 4 is a signal flow diagram showing an embodiment in which NRF acts as the Repository Function in the hPLMN. NRF stores protection policy information on a per-NF type basis. Though, in other embodiments, the content in the protection policy information is not restricted to being stored on a per-NF type basis, and may be stored on a per-roaming partner or roaming operator basis, for example, where vSEPP sits. In some embodiments, where protection policy information is configured on a per-roaming operator basis, content in the protection policy information may be applied differently based on the roaming partner or particular characteristics of a roaming partner, such as for example, geography.
[0062] The protection policy information in NRF may either be: a) statically provisioned via an OAM interface or b) dynamically built when a new NF Instance of a previously un-registered NF type registers with the NRF. For example, when an NF of a newly introduced NF type registers with the NRF, NRF may be configured such that the protection policy information is dynamically built due to the new NF type with the NRF. In this scenario, the NF instance supplies its required protection policy information to the NRF at registration time. When there is an update to the protection policy in the NRF, the NRF executes, for example, a push of the policy information to the hSEPP. The hSEPP then forwards the policy information to the vSEPP over the N32 interface.
[0063] Turning to Figure 4, at block 405, NF provides its protection policy, for example, during registration. At block 410, NRF updates its local store. In some embodiments, NRF maintains this policy information on a per-NF type basis. NRF updates its local store only when there is a change in policy for the existing NF type or there is a new NF type that is registering.
[0064] At block 415, hSEPP receives a message from NF. At block 420, hSEPP pushes, forwards, or otherwise transmits the message, or information indicative or representative of the message, to vSEPP. At block 425, vSEPP checks the availability of protection policy information necessary to treat the message.
[0065] In an instance in which vSEPP determines an availability of applicable protection policy information, the applicable protection policy information may be applied. However, in an instance in which vSEPP determines the unavailability of applicable protection policy information, vSEPP may either directly access the repository in hPLMN to obtain it or, alternatively, transmit a request for updated protection policy information (e.g., the missing protection policy information), as shown at block 430.
[0066] At block 435, hSEPP may contact NRF and obtain the policy. In an alternative embodiment, hSEPP determines and/or is informed that the applicable protection policy information is not present in NRF, subsequently triggering, for example, steps 405 and 410, where protection policy information for NF is transferred to NRF and, in some embodiments, stored. NRF, for example, may then push the updated protection policy information to hSEPP, as shown in block 440.
[0067] Regardless, upon receiving the request for applicable protection policy information and/or receiving information indicating that vSEPP lacks the necessary protection policy information and/or that the stored protection policy in vSEPP is not up to date, and subsequently obtaining the applicable protection policy information, hSEPP transmits the applicable protection policy information to vSEPP. That is, hSEPP uses its existing N32 signaling channel with the vSEPP to provision the updated protection policy in the vSEPP. As such, as shown in block 445, vSEPP receives, for example, via the existing N32 signaling channel with hSEPP, the applicable protection policy information. The protection policy information may then be stored. At block 450, vSEPP updates its local store. Subsequent to receiving the protection policy information, vSEPP is able to apply protection on the HTTP messages destined to the hPLMN.
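The flow of Figure 3 (blocks 305 through 340) and Figure 4 (blocks 405 through 450) can be modelled end to end: the vSEPP checks its local store for a fresh policy, obtains a missing or stale one either through a direct link to the repository or by a request to the hSEPP, the hSEPP serves the request from the NRF or triggers the NF to register its policy, and NRF updates are pushed down the N32 channel. The Python below is an added example, not code from the patent or from any Nokia product; the class names, the policy format (a list of fields to encrypt per NF type), the freshness window, the injectable clock and the direct-link variant are assumptions made for the example.

```python
import time


class NF:
    """A home-network NF that supplies its protection policy at registration (block 405)."""

    def __init__(self, nf_type: str, policy: dict):
        self.nf_type, self.policy = nf_type, policy

    def register(self, nrf: "NRF") -> None:
        nrf.store(self.nf_type, self.policy)


class NRF:
    """Repository Function keeping policy per NF type and pushing changes (blocks 410, 440)."""

    def __init__(self):
        self.policies: dict = {}
        self.subscribers: list = []

    def store(self, nf_type: str, policy: dict) -> None:
        if self.policies.get(nf_type) == policy:
            return  # unchanged policy: no local update and no push
        self.policies[nf_type] = policy
        for push in self.subscribers:
            push(nf_type, policy)

    def get(self, nf_type: str):
        return self.policies.get(nf_type)


class HSEPP:
    """Home SEPP: answers vSEPP requests from the NRF, or triggers NF registration (block 435)."""

    def __init__(self, nrf: NRF, nfs):
        self.nrf = nrf
        self.nfs = {nf.nf_type: nf for nf in nfs}
        self.peer = None  # the vSEPP at the far end of the N32 channel
        nrf.subscribers.append(self.on_nrf_push)

    def on_policy_request(self, nf_type: str):
        policy = self.nrf.get(nf_type)
        if policy is None and nf_type in self.nfs:
            self.nfs[nf_type].register(self.nrf)  # re-run blocks 405/410
            policy = self.nrf.get(nf_type)
        return policy

    def on_nrf_push(self, nf_type: str, policy: dict) -> None:
        if self.peer is not None:  # forward the update over N32 (block 445)
            self.peer.receive_policy(nf_type, policy)


class VSEPP:
    """Visited SEPP: checks its local store, then pulls directly or requests via hSEPP."""

    def __init__(self, hsepp: HSEPP, max_age_s: float, clock=time.monotonic, direct_repo=None):
        self.hsepp, self.max_age_s, self.clock = hsepp, max_age_s, clock
        self.direct_repo = direct_repo  # set when hSEPP has provided a direct link
        self.store: dict = {}           # nf_type -> (policy, time stored)
        self.fetches: list = []         # how each missing/stale policy was obtained

    def receive_policy(self, nf_type: str, policy: dict) -> None:
        self.store[nf_type] = (policy, self.clock())  # block 450

    def _available(self, nf_type: str) -> bool:
        entry = self.store.get(nf_type)  # blocks 310/315: present and fresh enough
        return entry is not None and self.clock() - entry[1] <= self.max_age_s

    def handle_message(self, message: dict) -> dict:
        nf_type = message["target_nf_type"]
        if not self._available(nf_type):
            if self.direct_repo is not None:            # block 320
                policy, how = self.direct_repo.get(nf_type), "direct"
            else:                                       # block 325
                policy, how = self.hsepp.on_policy_request(nf_type), "request"
            if policy is None:
                raise LookupError(f"no protection policy obtainable for {nf_type}")
            self.fetches.append(how)
            self.receive_policy(nf_type, policy)
        return apply_policy(self.store[nf_type][0], message)


def apply_policy(policy: dict, message: dict) -> dict:
    """Block 340: map each body field to the protection class the policy demands
    (the actual encryption/MAC step is out of scope for this model)."""
    return {field: ("encrypt" if field in policy.get("encrypt", ()) else "integrity")
            for field in message if field != "target_nf_type"}
```

The freshness check is what turns a missing-policy problem into a stale-policy problem as well: a vSEPP that keeps applying an old policy after the home network has tightened it would leave newly sensitive fields in the clear, so the example re-requests once the stored copy is older than `max_age_s`, and a push from the NRF refreshes the stored copy immediately.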
[0068] As described above, Figure 3 is a flowchart of an apparatus 200, method, and computer program product according to example embodiments of the invention. It will be understood that each block of the flowcharts, and combinations of blocks in the flowcharts, may be implemented by various means, such as hardware, firmware, processor, circuitry, and/or other devices associated with execution of software including one or more computer program instructions. For example, one or more of the procedures described above may be embodied by computer program instructions. In this regard, the computer program instructions which embody the procedures described above may be stored by a memory device 220 of an apparatus employing an embodiment of the present invention and executed by a processor 210 of the apparatus. As will be appreciated, any such computer program instructions may be loaded onto a computer or other programmable apparatus (e.g., hardware) to produce a machine, such that the resulting computer or other programmable apparatus implements the functions specified in the flowchart blocks.
These computer program instructions may also be stored in a computer-readable memory that may direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture, the execution of which implements the function specified in the flowchart blocks. The computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operations to be performed on the computer or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide operations for implementing the functions specified in the flowchart blocks.
[0069] A computer program product is therefore defined in those instances in which the computer program instructions, such as computer-readable program code portions, are stored by at least one non-transitory computer-readable storage medium with the computer program instructions, such as the computer-readable program code portions, being configured, upon execution, to perform the functions described above, such as in conjunction with the flowchart of Figure 3. In other embodiments, the computer program instructions, such as the computer-readable program code portions, need not be stored or otherwise embodied by a non-transitory computer-readable storage medium, but may, instead, be embodied by a transitory medium with the computer program instructions, such as the computer-readable program code portions, still being configured, upon execution, to perform the functions described above.
[0070] Accordingly, blocks of the flowcharts support combinations of means for performing the specified functions and combinations of operations for performing the specified functions. It will also be understood that one or more blocks of the flowcharts, and combinations of blocks in the flowcharts, may be implemented by special purpose hardware-based computer systems which perform the specified functions, or combinations of special purpose hardware and computer instructions.
[0071] In some embodiments, certain ones of the operations above may be modified or further amplified. Furthermore, in some embodiments, additional optional operations may be included. Modifications, additions, or amplifications to the operations above may be performed in any order and in any combination.
[0072] Many modifications and other embodiments of the inventions set forth herein will come to mind to one skilled in the art to which these inventions pertain having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the inventions are not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Moreover, although the foregoing descriptions and the associated drawings describe example embodiments in the context of certain example combinations of elements and/or functions, it should be appreciated that different combinations of elements and/or functions may be provided by alternative embodiments without departing from the scope of the appended claims. In this regard, for example, different combinations of elements and/or functions than those explicitly described above are also contemplated as may be set forth in some of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims

WE CLAIM:
1. A method comprising:
obtaining, at a visiting security edge protection proxy, a protected message, the visited security edge protection proxy within a visited public land mobile network, the visited security edge protection proxy being a network node at a boundary of the visited public land mobile network;
performing an initial evaluation determining an unavailability of a protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding protection of signaling messages addressed for network functions hosted in a home network, the home network being a home public land mobile network and configured for enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network;
obtaining the protection policy information; and
applying the protection policy information to the protected message.
2. The method according to Claim 1, wherein the determination of the protection policy information comprises:
determining unavailability of applicable protection policy information from protection policy information stored in a local repository of the visited public land mobile network, and
wherein the obtaining of the protection policy information is obtaining updated protection policy information.
3. The method according to Claim 1, wherein obtaining the protection policy information comprises:
directly accessing a local repository in a home network, to obtain the protection policy information.
4. The method according to Claim 3, further comprising: preceding the direct access of the local repository in public land mobile network to obtain the protection policy information, evaluating the protected message to identify a presence of or determine a direct link to the local repository in public land mobile network.
5. The method according to Claim 1, wherein obtaining the protection policy information comprises:
determining at least one of that protected message fails to include protection policy information or that a local repository of the visited public land mobile network fails to include the protection policy information; and
transmitting a request to a home security edge protection proxy, for the protection policy information.
6. The method according to any of Claims 1 to 5, wherein obtaining the protection policy information comprises:
causing the home security edge protection proxy, when obtaining the protection policy information, to at least one of pull the protection policy information from a repository function or trigger the network function to register, re-register, or update the protection policy information previously transmitted to the network repository function; and
causing reception, at the home security edge protection proxy, from the repository function, and subsequent transmission of updated protection policy information in an instance in which an update occurs to the protection policy information.
7. The method according to any of Claims 1 to 6, wherein the signaling interface comprises an N32 interface.
8. The method according to any of Claims 1 to 7, further comprising:
storing the updated protection policy information in the local repository of the visited public land mobile network.
9. An apparatus comprising:
means for obtaining, at a visiting security edge protection proxy, a protected message, the visited security edge protection proxy within a visited public land mobile network, the visited security edge protection proxy being a network node at a boundary of the visited public land mobile network;
means for performing an initial evaluation determining an unavailability of a protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding protection of signaling messages addressed for network functions hosted in a home network, the home network being a home public land mobile network and configured for enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network;
means for obtaining the protection policy information; and
means for applying the protection policy information to the protected message.
10. The apparatus according to Claim 9, wherein the means for determination of the protection policy information comprises:
means for determining unavailability of applicable protection policy information from protection policy information stored in a local repository of the visited public land mobile network, and
wherein the obtaining of the protection policy information is obtaining updated protection policy information.
11. The apparatus according to Claim 9, wherein the means for obtaining the protection policy information comprises:
means for directly accessing a local repository in a home network, to obtain the protection policy information.
12. The apparatus according to Claim 11, further comprising:
means for, preceding the direct access of the local repository in public land mobile network to obtain the protection policy information, evaluating the protected message to identify a presence of or determine a direct link to the local repository in public land mobile network.
13. The apparatus according to Claim 9, wherein the means for obtaining the protection policy information comprises:
means for determining at least one of that protected message fails to include protection policy information or that a local repository of the visited public land mobile network fails to include the protection policy information; and
means for transmitting a request to a home security edge protection proxy, for the protection policy information.
14. The apparatus according to any of Claims 9 to 13, wherein the means for obtaining the protection policy information comprises:
means for causing the home security edge protection proxy, when obtaining the protection policy information, to at least one of pull the protection policy information from a repository function or trigger the network function to register, re-register, or update the protection policy information previously transmitted to the network repository function; and
means for causing reception, at the home security edge protection proxy, from the repository function, and subsequent transmission of updated protection policy information in an instance in which an update occurs to the protection policy information.
15. The apparatus according to any of Claims 9 to 14, wherein the signaling interface comprises an N32 interface.
16. The apparatus according to any of Claims 9 to 15, further comprising:
means for storing the updated protection policy information in the local repository of the visited public land mobile network.
17. An apparatus comprising at least one processor and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to:
obtain, at a visiting security edge protection proxy, a protected message, the visited security edge protection proxy within a visited public land mobile network, the visited security edge protection proxy being a network node at a boundary of the visited public land mobile network;
perform an initial evaluation determining an unavailability of a protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding protection of signaling messages addressed for network functions hosted in a home network, the home network being a home public land mobile network and configured for enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network;
obtain the protection policy information; and
apply the protection policy information to the protected message.
18. The apparatus according to Claim 17, wherein the computer program code configured to, with the at least one processor, cause the apparatus at least to determine the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to:
determine unavailability of applicable protection policy information from protection policy information stored in a local repository of the visited public land mobile network, and
wherein the obtaining of the protection policy information is obtaining updated protection policy information.
19. The apparatus according to Claim 17, wherein the computer program code configured to, with the at least one processor, cause the apparatus at least to determine the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to:
directly access a local repository in a home network, to obtain the protection policy information.
20. The apparatus according to Claim 19, wherein the computer program code further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to:
preceding the direct access of the local repository in public land mobile network to obtain the protection policy information, evaluate the protected message to identify a presence of or determine a direct link to the local repository in public land mobile network.
21. The apparatus according to Claim 17, wherein the computer program code configured to, with the at least one processor, cause the apparatus at least to determine the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to:
determining at least one of that protected message fails to include protection policy information or that a local repository of the visited public land mobile network fails to include the protection policy information; and
transmitting a request to a home security edge protection proxy, for the protection policy information.
22. The apparatus according to any of Claims 17 to 21, wherein the computer program code configured to, with the at least one processor, cause the apparatus at least to determine the protection policy information further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to:
causing the home security edge protection proxy, when obtaining the protection policy information, to at least one of pull the protection policy information from a repository function or trigger the network function to register, re-register, or update the protection policy information previously transmitted to the network repository function; and
causing reception, at the home security edge protection proxy, from the repository function, and subsequent transmission of updated protection policy information in an instance in which an update occurs to the protection policy information.
23. The apparatus according to any of Claims 17 to 22, wherein the signaling interface comprises an N32 interface.
24. The apparatus according to any of Claims 17 to 23, wherein the computer program code further comprises computer program code configured to, with the at least one processor, cause the apparatus at least to:
store the updated protection policy information in the local repository of the visited public land mobile network.
25. A computer program product comprising at least one non-transitory computer-readable storage medium having computer-executable program code instructions stored therein, the computer-executable program code instructions comprising program code instructions configured, upon execution, to:
obtain, at a visiting security edge protection proxy, a protected message, the visited security edge protection proxy within a visited public land mobile network, the visited security edge protection proxy being a network node at a boundary of the visited public land mobile network;
perform an initial evaluation determining an unavailability of a protection policy information required to treat the protected message, wherein the protection policy information comprises information regarding protection of signaling messages addressed for network functions hosted in a home network, the home network being a home public land mobile network and configured for enabling the visited security edge protection proxy to selectively protect outgoing messages addressed to network functions in the home public land mobile network;
obtain the protection policy information; and
apply the protection policy information to the protected message.
26. The computer program product according to Claim 25, wherein the computer-executable program code instructions configured to obtain the protection policy information further comprise program code instructions configured, upon execution, to:
determine unavailability of applicable protection policy information from protection policy information stored in a local repository of the visited public land mobile network, and
wherein the obtaining of the protection policy information is obtaining updated protection policy information.
27. The computer program product according to Claim 25, wherein the computer-executable program code instructions configured to obtain the protection policy information further comprise program code instructions configured, upon execution, to:
directly access a local repository in a home network, to obtain the protection policy information.
28. The computer program product according to Claim 27, wherein the computer-executable program code instructions further comprise program code instructions configured, upon execution, to:
preceding the direct access of the local repository in public land mobile network to obtain the protection policy information, evaluate the protected message to identify a presence of or determine a direct link to the local repository in public land mobile network.
29. The computer program product according to Claim 25, wherein the computer-executable program code instructions configured to obtain the protection policy information further comprise program code instructions configured, upon execution, to:
determine at least one of that protected message fails to include protection policy information or that a local repository of the visited public land mobile network fails to include the protection policy information; and
transmit a request to a home security edge protection proxy, for the protection policy information.
30. The computer program product according to any of Claims 25 to 29, wherein the computer-executable program code instructions configured to obtain the protection policy information further comprises program code instructions configured, upon execution, to:
cause the home security edge protection proxy, when obtaining the protection policy information, to at least one of pull the protection policy information from a repository function or trigger the network function to register, re-register, or update the protection policy information previously transmitted to the network repository function; and
cause reception, at the home security edge protection proxy, from the repository function, and subsequent transmission of updated protection policy information in an instance in which an update occurs to the protection policy information.
31. The computer program product according to any of Claims 25 to 30, wherein the signaling interface comprises an N32 interface.
32. The computer program product according to any of Claims 25 to 31, wherein the computer-executable program code instructions further comprise program code instructions configured, upon execution, to:
store the updated protection policy information in the local repository of the visited public land mobile network.
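The policy pull the claims describe (policy carried in the message, else the visited PLMN's local repository, else an N32 request to the home SEPP, which serves the policy from the NRF or triggers the NF to register it, with the result stored locally), as an added Python model that is not part of the patent or of any 3GPP implementation. The class names, the policy structure and the per-message `policy_version` field used to detect a stale local copy are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProtectionPolicy:          # constructed structure, not the 3GPP encoding
    nf_id: str                   # home-network NF the policy applies to
    version: int                 # bumped whenever the NF (re-)registers an update
    encrypt_ies: frozenset       # information elements to confidentiality-protect

class NRF:
    """Home network repository function: NFs register their policies here."""
    def __init__(self):
        self.policies = {}
    def register(self, policy):
        self.policies[policy.nf_id] = policy
    def get(self, nf_id):
        return self.policies.get(nf_id)

class HomeSEPP:
    """hSEPP side of the N32 pull: serve from the NRF or trigger NF registration."""
    def __init__(self, nrf):
        self.nrf = nrf
        self.reregister_triggers = []   # NFs asked to (re-)register, modelled as a log
    def handle_policy_request(self, nf_id):
        policy = self.nrf.get(nf_id)
        if policy is None:
            self.reregister_triggers.append(nf_id)
        return policy

class VisitedSEPP:
    """vSEPP side: policy from the message, else local repository, else N32 request."""
    def __init__(self, hsepp):
        self.hsepp = hsepp
        self.local = {}          # local repository of the visited PLMN
        self.n32_requests = 0

    def treat(self, message):
        nf_id = message["target_nf"]
        required = message["policy_version"]   # assumed: message names the version it needs
        policy, source = message.get("policy"), "message"
        if policy is None:                      # not carried in the message: local repository
            policy, source = self.local.get(nf_id), "local"
        if policy is None or policy.version < required:   # absent or stale: pull over N32
            self.n32_requests += 1
            policy, source = self.hsepp.handle_policy_request(nf_id), "n32"
            if policy is not None:
                self.local[nf_id] = policy      # store the updated policy locally
        if policy is None or policy.version < required:
            return None, "unavailable"          # cannot treat the message yet
        protected = {ie: ("<ciphered>" if ie in policy.encrypt_ies else val)
                     for ie, val in message["ies"].items()}
        return protected, source
```

The second call for the same NF is served from the local repository without N32 traffic, and a home-side policy update (newer version required by the message) forces one more pull.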
PCT/EP2019/062901 (priority date 2018-05-21, filing date 2019-05-20): A pulling mechanism for requesting the protection policies in an edge node based on n32 signaling between edge nodes, published as WO2019224132A1 (en)

Applications Claiming Priority (2)

Application Number | Priority Date
IN201841018989 | 2018-05-21

Publications (1)

Publication Number | Publication Date
WO2019224132A1 (en) | 2019-11-28

Family

ID=66690300

Family Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
PCT/EP2019/062901 | WO2019224132A1 (en) | 2018-05-21 | 2019-05-20 | A pulling mechanism for requesting the protection policies in an edge node based on n32 signaling between edge nodes

Country Status (1)

Country | Link
WO (1) | WO2019224132A1 (en)

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party

* "3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 15)", 3GPP TS 33.501 V15.0.0, 3rd Generation Partnership Project (3GPP), Mobile Competence Centre, 650 Route des Lucioles, F-06921 Sophia-Antipolis Cedex, France, vol. SA WG3, 26 March 2018, pages 1-128, XP051450501
* China Mobile: "Living Document: Security of Service Based Architecture of 5G phase 1", 3GPP SA WG3, La Jolla (US), 21-25 May 2018, dated 18 May 2018, XP051457086, retrieved from http://www.3gpp.org/ftp/Meetings%5F3GPP%5FSYNC/SA3/Docs on 18 May 2018
* Huawei et al.: "Discussion on security policy provisioning for SEPP", 3GPP SA WG3, La Jolla (US), 21-25 May 2018, dated 18 May 2018, XP051457066, retrieved from http://www.3gpp.org/ftp/Meetings%5F3GPP%5FSYNC/SA3/Docs on 18 May 2018


Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19727941; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 19727941; Country of ref document: EP; Kind code of ref document: A1