WO2020260746A1 - Dataflow management solution for an industrial factory - Google Patents


Info

Publication number
WO2020260746A1
Authority
WO
WIPO (PCT)
Prior art keywords
server device
entity
application
network
functionality
Application number
PCT/FI2019/050506
Other languages
French (fr)
Inventor
Yihenew BEYENE
Riku Jäntti
Marko KESKINEN
Keijo LEHTINEN
Kalle RUTTIK
Original Assignee
Raniot Technologies Oy
Application filed by Raniot Technologies Oy
Priority to PCT/FI2019/050506
Publication of WO2020260746A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2213/00 Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F 2213/0006 Extension to the industry standard architecture [EISA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/088 Access security using filters or firewalls

Definitions

  • the invention concerns in general the technical field of telecommunications. More particularly, the invention concerns a solution for a local network.
  • a local cellular network provides an environment where the local operator can control the dataflow from each sensor.
  • Such a local network can be created by a local network in a box (NIB) solution.
  • Design targets for the local NIB are different than design targets for large cellular networks.
  • the application programs can be located in the same server platform and it is beneficial when the application can access network functions directly, not through multiple intermediate entities.
  • An object of the invention is to present a server device, a method and a computer program product for implementing a local network.
  • a server device for implementing a local network
  • the server device is configured to execute a base station functionality and a core network functionality, the server device comprising: at least one remote radio head; an application supervisor entity; and an application execution platform entity.
  • An interface of the core network functionality may be arranged to be represented as a general service and is arranged to be accessible by the application supervisor entity through an interface and by the application execution platform entity through an interface.
  • the application supervisor entity may be configured to control an application integrity and execution in the application execution platform entity through an interface.
  • the application execution platform entity may comprise a data analysis and control functionality to handle internal data collection and processing in the local network.
  • a firewall entity may be configured to allow communication between the base station functionality and the core network functionality with an outside network and wherein the application execution platform entity may comprise a communication entity connected to the firewall entity through an interface.
  • the application supervisor entity may be configured to authenticate the application execution platform entity and the core network functionality. Furthermore, the data analysis and control functionality may be configured to authenticate a remote node by performing an inquiry to the core network functionality.
  • the core network entity may comprise a number of authentication and integrity usage rights profiles for verifying an application by the application execution platform entity.
  • the server device may further comprise an interface between the application execution platform entity and the base station functionality to allow direct internal routing of data from the base station functionality to the application execution platform entity.
  • the server device may also further comprise a direct communication entity for communicatively coupling at least one remote node directly to the server device.
  • a method for managing data in a server device for implementing a local network comprising: establishing a connection with the remote node in response to a receipt of a request; determining if the remote node is allowed to access the outside network; in response to a determination that the remote node is not allowed to access the outside network: determining an application for data received from the remote node; initiating the application; applying the data received from the remote node with the application; in response to a determination that the remote node is allowed to access the outside network: setting up an access to the outside network; delivering the data to the outside network.
  • the setting up of the access to the outside network may comprise inquiring a right to access the outside network from a firewall.
  • a computer program product for implementing a local network which computer program product, when executed by at least one processor, causes a server device to perform the method as described above.
  • the expression “a number of” refers herein to any positive integer starting from one, e.g. to one, two, or three.
  • the expression “a plurality of” refers herein to any positive integer starting from two, e.g. to two, three, or four.
  • Figure 1 illustrates schematically a network environment comprising a local network as a server device.
  • Figure 2 illustrates schematically further aspects of a local network according to an embodiment of the invention.
  • Figure 3 illustrates schematically a method according to an embodiment of the invention.
  • Figure 4 illustrates schematically an apparatus according to an embodiment of the invention.
  • some aspects of the present invention relate to a cellular network structure where one or more applications executable by the cellular network in question are brought inside a network firewall.
  • data flow from user nodes may be only to processing applications, to outside network, or to outside network where the application in the network first filters the data.
  • the present invention comprises one or more new cellular network entities and one or more new interfaces that are needed for serving the in-network applications.
  • the network referred herein may be considered as a local network which may be considered as an in a box system.
  • Network in a box may be considered to refer to a system in which the radio access network and core network functionalities are co-located and run in the same server.
  • the network in a box system forms a local network that does not need any external network entities to operate.
  • Figure 1 illustrates schematically a network environment comprising a local network as a server device 300 implementation according to an embodiment of the invention.
  • the local network may comprise a remote radio head (RRH) 200 residing externally to the server device 300 but operating as an external entity for a base station 340 of a software radio access network RAN and core elements of a software defined network core (SDN) 310.
  • the network core 310 may comprise a plurality of functionalities some of which are illustrated in Figure 1.
  • the functionalities implemented as a software solution may e.g.
  • the entities belonging to the network core 310 may be communicatively coupled to each other either directly or indirectly e.g. with a software implementation.
  • the local network may be implemented in a cloud platform as a NIB.
  • the local network 300 may comprise an application supervisor entity 320 and an application execution platform entity 330.
  • the core network 310 functionalities may be considered as general services of the local network and may be accessed by the application supervisor 320 through an interface 410 and by application execution platform entity 330 through an interface 430.
  • the application supervisor entity 320 may be arranged at least to control an application integrity and execution through an interface 420.
  • the applications may comprise two parts, i.e. functionalities, such as data analysis and control functionality 500.
  • the data analysis and control functionality 500 may be arranged to handle an internal data collection and processing.
  • if an application needs to connect to the outside world, i.e. the outside network, it may be done through the network client type functionality 510.
  • such a function may e.g. be needed for filtering of what data is to be communicated to the outside world or, for example, for providing a client to cloud services located in a public network (referred to with 550 in Figure 1).
  • the software implemented network 300 may itself be located on a general cloud server platform, for example either in a local cloud or in a public cloud.
  • the local network as depicted in Figure 1 as a server device 300 is applied in a sensor solution for providing a non-limiting example of an operation of the local network.
  • the non-limiting example is related to a situation in which data from remote nodes 110A, 110B, 110C, such as sensor nodes 110A-110C, has to stay within the local network.
  • the network architecture according to the present invention may be arranged to support usage of applications whose data has decisions which have to remain inside the network control area.
  • At least one remote node 110A-110C may be arranged to establish a connection to the local network implemented as a server device 300.
  • the connection may e.g. be done over remote radio head 200 and a standard cellular radio baseband interface implemented e.g. as an interface of a base station 340.
  • the connection establishment may e.g. be done by using an attach procedure defined by the applied radio standard.
  • the server device 300 may be arranged to determine access rights of the remote node 110A-110C from data received from the remote node in question. This may e.g. be performed by validating identification data associated with the data received from the remote node 110A-110C in question in the core network 310.
  • the identification data may comprise, but is not limited to, an identifier of the remote node in question e.g. in a form of credentials, which are carried to the core network 310 by the remote radio head 200 and a functionality of the base station 340.
  • a management function of the core network 310, such as MME 312, may be arranged, by consulting the database 314, to determine whether the remote node 110A-110C may have access to the outside network 550 or whether the data received from the remote node 110A-110C shall stay within the server device 300 implementing the local network. For example, it may be defined in the database 314 on a sensor-by-sensor basis if the data is allowed to be output from the server device 300 or not.
  • the information from the database 314 may be returned to the MME 312 function e.g. in response to an inquiry comprising e.g. identification data of the remote node 110A-110C in question.
  • an authentication procedure may e.g. be performed.
  • if the MME 312 determines, from the response received from the database 314, that the data received from the remote node 110A-110C has to be kept within the local network, the MME 312 may be configured to determine an application residing in the application execution platform entity 330 into which the data is to be sent. The determination may be done based on a policy that may e.g. be stored in the core network 310, such as in the database there, from which the policy may be retrieved.
  • the core network 310, executed e.g. by MME 312, may be arranged to apply e.g. through the interface 410 for the application supervisor entity 320 to validate and initiate the application.
  • the application supervisor entity 320 may use the interface 420 between the application supervisor entity 320 and the application execution platform entity 330 and may be arranged to perform a security check of the application code (for instance integrity check or any other checking).
  • Commands causing a start of the application by at least one of the entities 500 or 510 may also be transferred over the interface 420.
  • the data received from the remote node 110A-110C may be routed from the base station 340 implementing a baseband process to the application executed by the application execution platform entity 330 over an interface 450.
  • the data analysis and control functionality 500 may be arranged to handle a local control and processing of local data.
  • the operation may contain an industrial process control function.
  • the local application executed by the data analysis and control functionality 500 may control one or more nodes 110A-110C, 112 in the local control area over a wireless connection or over a wired connection. The control may be performed through the base station 340 functionality or directly from the application execution platform entity 330.
  • the application execution platform entity 330 may be arranged to acquire the one or more pieces of information from the core network 310 over interface 430, for example.
  • if the local application needs to communicate with an entity residing in the outside network 550, such as a server device residing therein, this may be arranged through a firewall entity 350.
  • a process may be started by the network client type functionality 510.
  • the process may utilize an interface 440 for communicating with the outside network 550.
  • the process executed by the network client type functionality 510 may acquire an access right from the firewall 350. This may be performed by first informing a policy and charging rules function (PCRF) 316 in the core network 310 through the interface 430, such as an application interface, for an intention to access the outside network 550.
  • PCRF: policy and charging rules function
  • the policy and charging rules function (PCRF) 316 may be arranged to identify the access right process and to configure the firewall 350 correspondingly. In response to the configuration the process executed by the network client type functionality 510 may access the outside network 550 through the interface and the firewall 350.
  • Some further aspects of the present invention may relate to processes executed in the application execution platform entity 330. Namely, the communication with the processes, or the corresponding application, is advantageously secured. Preferably the security is arranged on both sides.
  • the remote nodes 110A-110C, 112 may be required to validate the application process executed by the application execution platform entity 330 and the application process, respectively, may be required to validate the remote node 110A-110C, 112.
  • the application process may take advantage of the remote node 110A-110C, 112 validation process carried out between the remote node 110A-110C, 112 and the core network 310.
  • the core network 310 may first validate the remote node 110A-110C, 112. Additionally, the remote node 110A-110C, 112 may validate the local network 300 implemented by the server device 300.
  • the local network may use a process executed by the application supervisor entity 320 and may validate the process.
  • the server device 300 implementing the local network may allow sensor node connection to the process in question.
  • if the application process needs to validate the remote node 110A-110C, 112 separately, it may be inquired from the core network 310 through the interface 430. Furthermore, in an implementation in which the application process needs to access the outside network 550, the core network 310 may be arranged to enable a connection between the application execution platform entity 330 and the firewall 350. First, it may be arranged to check and to validate both a process executed by the data analysis and control functionality 500 and a process executed by the network client type functionality 510, e.g. by means of a number of integrity checks, and to allow data exchange between them in accordance with the check and the validation.
  • the server device 300 implementing the local network may be realized as a cloud service where baseband processing of the base station functionality 340 may reside in a server and radio communication is over a remote radio head RRH 200.
  • the entity 340 performing the baseband processing becomes a centralized computing unit.
  • the inputs to this unit are not only from RRH but from other remote nodes 600, such as from sensor nodes like lidars, radars and cameras.
  • the server device 300 may receive inputs (indicated as a direct communication entity 610 in Figure 2) from the remote nodes over RRH 200. It may also receive further data, such as measurement data, from the other remote nodes 600.
  • the data received from different sources may be processed locally in the server device 300 and used e.g. for local control.
  • the RRH 200 may integrate functions of at least some of the nodes 600.
  • the RRH 200 becomes a remote sensing unit that is connected to a server device 300.
  • Such an approach enables for instance control of moving objects by tracking them by the local network and communicating control information to the tracked object.
  • Figure 3 illustrates schematically aspects relating to the present invention as a method.
  • the method may be initiated in various embodiments of the invention in response to a receipt of a request to establish a connection from at least one remote node 110A-110C, 112, which causes a connection establishment 710 by the server device 300.
  • the server device 300, and especially the core network entity 310, the database entity 314, PCRF 316 and the management entity MME 312, may be arranged, in response to the connection establishment, to determine 720 if the remote node 110A-110C, 112 in question has the right to access the outside network.
  • This may correspond to a determination if the data received from the remote node 110A-110C, 112 shall be kept in the local network or if the data may be delivered outside from the local network.
  • the determination of the right to access the outside network may e.g. be arranged by performing an authentication procedure of the network node 110A-110C, 112, such as by receiving at least one authentication key from the remote node and confirming a validity of the authentication keys with an inquiry to a database 314.
  • the MME 312 may be arranged to determine 730 an application to which the data received from the remote node 110A-110C, 112 is dedicated.
  • the MME 312 may need to trigger the analysis and control functionality 500 through an interface 430 for the incoming data which, in turn, needs to execute the application that will use the data.
  • once the application is running, standard means of switching or routing the packets, such as TCP sockets, may be utilized for the communication between the network node and the application (server).
  • a trigger signal is generated for initiating 740 the application in the application execution platform entity 330.
  • the core network 310, executed e.g. by MME 312 among other entities, may be arranged to apply e.g. through the interface 410 for the application supervisor entity 320 to validate and to initiate the application.
  • the received data from the remote node 110A-110C, 112 may be applied 750 by the application, i.e. the application uses the received data in accordance with the instructions defined by the computer program code of the application.
  • the application execution platform entity 330 may set up 760 the access to the outside network 550.
  • the setup of the access may comprise an inquiry of a right to access the outside network 550 from a firewall 350 in a manner as described.
  • the channel to the outside network 550 may be granted and the data from the remote node 110A-110C, 112 may be delivered 770 to a predetermined entity in the outside network 550.
  • the invention as described allows running of a mobile network on industrial general purpose edge computing platforms.
  • the invention allows these computing platforms to leverage advanced security features of the mobile systems to improve the system security.
  • remote devices connected to the server device 300 are mainly referred to as sensor nodes.
  • the invention is not limited to such sensor nodes only, but any other node type comprising the necessary hardware and software functionalities may be communicatively coupled to the server device 300.
  • an apparatus suitable for implementing a local network in a box solution according to various embodiments as described herein is schematically illustrated in Figure 4.
  • the apparatus may comprise at least one processor 810 and at least one memory 820.
  • the memory 820 may store data and computer program code 825.
  • the apparatus may further comprise a communication interface 830, or communication means, for wired or wireless communication with other apparatuses.
  • the communication interface 830 may comprise hardware and software components for implementing the communication protocol(s) of the local network, for example. This may e.g. refer to suitable radio modems included in the apparatus.
  • the apparatus may comprise user I/O (input/output) components 840 that may be arranged, together with the processor 810 and a portion of the computer program code 825, to provide the user interface for receiving input from a user and/or providing output to the user.
  • the user I/O components 840 may include user input means, such as one or more keys or buttons, a keyboard, a touchscreen or a touchpad, etc.
  • the user I/O components may include output means, such as a display or a touchscreen.
  • the components of the apparatus may be communicatively coupled to each other via a bus 850 that enables transfer of data and control information between the components.
  • the apparatus schematically illustrated in Figure 4 is a non-limiting example suitable for implementing at least some of the functionalities discussed for example as concepts in the description of other Figures.
  • the apparatus may correspond to the server device.
  • the present invention enables using standardized authentication mechanisms, such as 3GPP Network Authentication and Integrity functionality, for validating not only users but also the other functions (programs) and interfaces that may be attached to a local network implemented as a server device. For instance, to load a program to the server device it has to be registered in the local network database and the program integrity is to be checked when it is executed by the local network.

Abstract

The invention relates to a server device (300) for implementing a local network, the server device (300) is configured to execute a base station functionality (340) and a core network functionality (310), the server device (300) comprising: at least one remote radio head (200); an application supervisor entity (320); and an application execution platform entity (330). The invention also relates to a method for implementing the local network and a computer program product thereto.

Description

DATAFLOW MANAGEMENT SOLUTION FOR AN INDUSTRIAL FACTORY
TECHNICAL FIELD
The invention concerns in general the technical field of telecommunications. More particularly, the invention concerns a solution for a local network.
BACKGROUND
There are approximately 10.7 million factories in the world. A modern industrial factory is a highly automated environment with multiple control loops and data collecting units. Currently most of these units are connected over wires. A wired solution provides the necessary connection reliability and security. With the Internet of Things (IoT) approach the number of sensors in a factory is increasing. Many of those sensors are in places that are difficult to reach, and wireless solutions would simplify the network rollout and maintenance. The sensors in the factory are usually intended to be kept away from the outside world. Such protection is problematic when sensors are connected wirelessly. The problem in a wireless network is twofold. First, we have to protect the wireless connection from eavesdroppers and, second, we have to control the dataflow from the access point to the applications.
One way to protect wireless connections is to use cellular systems where security solutions are an integral part of the wireless protocol. However, the communication is not recommended to be acquired through public cellular networks since the data is routed through an operator network. In order to keep control, factory owners prefer to have a private network where they have control over the dataflow in the network.
A local cellular network provides an environment where the local operator can control the dataflow from each sensor. Such a local network can be created by a local network in a box (NIB) solution. Design targets for the local NIB are different than design targets for large cellular networks. In a NIB one is interested in nimble processing and low overhead communication between the processes. Moreover, the application programs can be located in the same server platform and it is beneficial when the application can access network functions directly, not through multiple intermediate entities.
In current mobile networks the application operating Internet domains are connected to mobile users through multiple gateways and policy control entities. These entities are needed for the required security, routing and policy enforcement purposes in large mobile networks. The traditional core network processing overhead and increased delays limit the possibility to use the network for many low latency applications. Moreover, security and policy enforcement functions are often duplicated in applications.
In the NIB solution one can foresee a new type of network architecture where the applications can be located inside the network and have direct access to base stations. In order to realize such an architecture, 1) one has to guarantee application security and 2) add additional interfaces that enable application access to the cellular core network entities.
Hence, there is a need to introduce local network implementations which meet the above described requirements at least in part.
SUMMARY
The following presents a simplified summary in order to provide basic understanding of some aspects of various invention embodiments. The summary is not an extensive overview of the invention. It is neither intended to identify key or critical elements of the invention nor to delineate the scope of the invention. The following summary merely presents some concepts of the invention in a simplified form as a prelude to a more detailed description of exemplifying embodiments of the invention.
An object of the invention is to present a server device, a method and a computer program product for implementing a local network.
The objects of the invention are reached by a server device, a method and a computer program product as defined by the respective independent claims.
According to a first aspect, a server device for implementing a local network is provided, wherein the server device is configured to execute a base station functionality and a core network functionality, the server device comprising: at least one remote radio head; an application supervisor entity; and an application execution platform entity.
An interface of the core network functionality may be arranged to be represented as a general service and is arranged to be accessible by the application supervisor entity through an interface and by the application execution platform entity through an interface.
Alternatively or in addition, the application supervisor entity may be configured to control an application integrity and execution in the application execution platform entity through an interface.
For example, the application execution platform entity may comprise a data analysis and control functionality to handle internal data collection and processing in the local network.
Also, a firewall entity may be configured to allow communication between the base station functionality and the core network functionality with an outside network and wherein the application execution platform entity may comprise a communication entity connected to the firewall entity through an interface.
The application supervisor entity may be configured to authenticate the application execution platform entity and the core network functionality. Furthermore, the data analysis and control functionality may be configured to authenticate a remote node by performing an inquiry to the core network functionality.
Also, the core network entity may comprise a number of authentication and integrity usage rights profiles for verifying an application by the application execution platform entity.
The server device may further comprise an interface between the application execution platform entity and the base station functionality to allow direct internal routing of data from the base station functionality to the application execution platform entity.
The server device may also further comprise a direct communication entity for communicatively coupling at least one remote node directly to the server device.
According to a second aspect, a method for managing data in a server device for implementing a local network is provided, wherein the data is received from a remote node, the method comprising: establishing a connection with the remote node in response to a receipt of a request; determining if the remote node is allowed to access the outside network; in response to a determination that the remote node is not allowed to access the outside network: determining an application for data received from the remote node; initiating the application; applying the data received from the remote node with the application; in response to a determination that the remote node is allowed to access the outside network: setting up an access to the outside network; delivering the data to the outside network.
Moreover, the setting up of the access to the outside network may comprise inquiring a right to access the outside network from a firewall.
According to a third aspect, a computer program product for implementing a local network is provided, which computer program product, when executed by at least one processor, causes a server device to perform the method as described above.
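The method of the second aspect (the same steps 710-770 that the Definitions list for Figure 3) as one runnable simulation, together with the program registration and integrity check the Definitions mention for loading a program into the server device. This is an added example written for this page, not code from the patent or from Raniot Technologies Oy. The entity names follow the patent's reference numerals (database 314, MME 312, PCRF 316, firewall 350, application supervisor entity 320, network client type functionality 510); the HMAC-based node credential, the SHA-256 digest used for the supervisor's integrity check, the sensor identifiers, the application names and the destination name are constructed assumptions, not anything the patent specifies.

```python
"""Added example: dataflow decision of a network-in-a-box server device.

Entity numerals follow the patent; credential scheme, digests and all
sample values are constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class NodeProfile:
    """Database (314) entry: node credential, the sensor-by-sensor decision whether
    its data may leave the server device, and the application it is dedicated to."""
    secret: bytes
    outside_allowed: bool
    application: str
    destination: str = ""  # outside-network entity, used only when outside_allowed


@dataclass
class Application:
    """Program registered in the local network together with its code digest."""
    code: str
    digest: str

    def apply(self, payload: bytes) -> str:
        # Stand-in for executing the program code on the received data (step 750).
        return f"{self.code}({payload.decode()})"


class LocalNetwork:
    """Server device (300): core network, application supervisor and firewall in one box."""

    def __init__(self) -> None:
        self.database: dict[str, NodeProfile] = {}         # database 314
        self.applications: dict[str, Application] = {}     # application execution platform 330
        self.firewall_rules: set[tuple[str, str]] = set()  # firewall 350: (application, destination)
        self.outside_deliveries: list[tuple[str, bytes]] = []  # what actually left the box

    # Application supervisor (320): a program must be registered, and its code must
    # still match the registered digest, before it is initiated.
    def register_application(self, name: str, code: str) -> None:
        self.applications[name] = Application(code, hashlib.sha256(code.encode()).hexdigest())

    def validate_and_initiate(self, name: str) -> Application:
        app = self.applications.get(name)
        if app is None:
            raise PermissionError(f"application {name!r} is not registered in the local network")
        if hashlib.sha256(app.code.encode()).hexdigest() != app.digest:
            raise PermissionError(f"integrity check failed for application {name!r}")
        return app

    # MME (312) consulting the database (314): verify the node's credential and read
    # whether its data may leave the local network (steps 710/720).
    def authenticate_node(self, node_id: str, auth_tag: bytes) -> NodeProfile:
        profile = self.database.get(node_id)
        if profile is None:
            raise PermissionError(f"unknown remote node {node_id!r}")
        expected = hmac.new(profile.secret, node_id.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, auth_tag):
            raise PermissionError(f"authentication failed for remote node {node_id!r}")
        return profile

    # PCRF (316): record the granted access right by configuring the firewall (350).
    def pcrf_grant_outside_access(self, application: str, destination: str) -> None:
        self.firewall_rules.add((application, destination))

    # Firewall (350): only traffic covered by a PCRF-configured rule gets out.
    def deliver_outside(self, application: str, destination: str, payload: bytes) -> str:
        if (application, destination) not in self.firewall_rules:
            raise PermissionError(f"firewall blocks {application!r} -> {destination!r}")
        self.outside_deliveries.append((destination, payload))
        return destination

    def handle_connection(self, node_id: str, auth_tag: bytes, payload: bytes) -> dict:
        """Steps 710-770 for one remote-node connection."""
        profile = self.authenticate_node(node_id, auth_tag)               # 710, 720
        app = self.validate_and_initiate(profile.application)             # 730, 740
        if not profile.outside_allowed:
            return {"kept_local": True, "result": app.apply(payload)}     # 750
        self.pcrf_grant_outside_access(profile.application, profile.destination)  # 760
        filtered = app.apply(payload)  # the in-network client (510) filters before sending
        delivered_to = self.deliver_outside(
            profile.application, profile.destination, filtered.encode())  # 770
        return {"kept_local": False, "delivered_to": delivered_to}


def node_auth_tag(secret: bytes, node_id: str) -> bytes:
    """What a remote node presents when attaching (constructed credential scheme)."""
    return hmac.new(secret, node_id.encode(), hashlib.sha256).digest()


def build_demo_network() -> LocalNetwork:
    """Constructed sample configuration: one sensor confined to the box, one allowed out."""
    net = LocalNetwork()
    net.register_application("process-control", "pid_loop")
    net.register_application("uplink-filter", "drop_fields")
    net.database["sensor-110A"] = NodeProfile(b"secret-A", False, "process-control")
    net.database["sensor-110B"] = NodeProfile(b"secret-B", True, "uplink-filter", "cloud.example")
    return net


if __name__ == "__main__":
    net = build_demo_network()
    print(net.handle_connection("sensor-110A", node_auth_tag(b"secret-A", "sensor-110A"), b"temp=71"))
    print(net.handle_connection("sensor-110B", node_auth_tag(b"secret-B", "sensor-110B"), b"temp=72"))
```

Running the module handles two constructed connections: sensor 110A's data stays inside the box and is applied by the registered application, while sensor 110B's data reaches the outside entity only after the PCRF has added a firewall rule. A bad credential, a program whose code no longer matches its registered digest, or a delivery attempted without a PCRF grant each raise PermissionError, which is the point of putting the supervisor and the firewall between the base station and the application.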
The expression "a number of” refers herein to any positive integer starting from one, e.g. to one, two, or three. The expression "a plurality of” refers herein to any positive integer starting from two, e.g. to two, three, or four.
Various exemplifying and non-limiting embodiments of the invention both as to constructions and to methods of operation, together with additional objects and advantages thereof, will be best understood from the following description of specific exemplifying and non-limiting embodiments when read in connection with the accompanying drawings.
The verbs "to comprise" and "to include" are used in this document as open limitations that neither exclude nor require the existence of unrecited features. The features recited in dependent claims are mutually freely combinable unless otherwise explicitly stated. Furthermore, it is to be understood that the use of "a" or "an", i.e. a singular form, throughout this document does not exclude a plurality.
BRIEF DESCRIPTION OF FIGURES
The embodiments of the invention are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings.
Figure 1 illustrates schematically a network environment comprising a local network as a server device.
Figure 2 illustrates schematically further aspects of a local network according to an embodiment of the invention.
Figure 3 illustrates schematically a method according to an embodiment of the invention.
Figure 4 illustrates schematically an apparatus according to an embodiment of the invention.
DESCRIPTION OF THE EXEMPLIFYING EMBODIMENTS
The specific examples provided in the description given below should not be construed as limiting the scope and/or the applicability of the appended claims. Lists and groups of examples provided in the description given below are not exhaustive unless otherwise explicitly stated.
Some aspects of the present invention relate to a cellular network structure where one or more applications executable by the cellular network in question are brought inside a network firewall. As a result, it may be assumed that data flow from user nodes may be only to processing applications, to the outside network, or to the outside network where the application in the network first filters the data. Hence, the present invention comprises one or more new cellular network entities and one or more new interfaces that are needed for serving the in-network applications. In other words, the network referred to herein may be considered a local network, which may be considered a network in a box system. Network in a box may be considered to refer to a system in which the radio access network and core network functionalities are co-located and run in the same server. The network in a box system forms a local network that does not need any external network entities to operate.
Figure 1 illustrates schematically a network environment comprising a local network as a server device 300 implementation according to an embodiment of the invention. According to various embodiments of the invention the local network may comprise a remote radio head (RRH) 200 residing externally to the server device 300 but operating as an external entity for a base station 340 of a software radio access network RAN and core elements of a software defined network core (SDN) 310. The network core 310 may comprise a plurality of functionalities, some of which are illustrated in Figure 1. The functionalities implemented as a software solution may e.g. be a mobility management entity MME 312 configured to manage at least in part an operation of the local network, a database 314 configured to store network related data, such as user data, and a policy and charging rules function (PCRF) 316, among other entities. The entities belonging to the network core 310 may be communicatively coupled to each other either directly or indirectly, e.g. with a software implementation.
As already indicated, the local network may be implemented in a cloud platform as a NIB (network in a box). In such an environment, for giving access to one or more applications hosted by the local network 300, the local network 300 may comprise an application supervisor entity 320 and an application execution platform entity 330. The core network 310 functionalities may be considered as general services of the local network and may be accessed by the application supervisor 320 through an interface 410 and by the application execution platform entity 330 through an interface 430. The application supervisor entity 320 may be arranged at least to control an application integrity and execution through an interface 420. In the application execution platform entity 330 the applications may comprise two parts, i.e. functionalities, such as a data analysis and control functionality 500 and a network client type functionality 510. The data analysis and control functionality 500 may be arranged to handle an internal data collection and processing. According to various embodiments of the present invention, if an application needs to connect to the outside world, i.e. the outside network, it may be done through the network client type functionality 510. Such a function may e.g. be needed for filtering what data is to be communicated to the outside world or, for example, for providing a client to cloud services located in a public network (referred to with 550 in Figure 1).
Furthermore, the software implemented network 300 may itself be located on a general cloud server platform, for example either in a local cloud or in a public cloud.
The local network as depicted in Figure 1 as a server device 300 is applied in a sensor solution for providing a non-limiting example of an operation of the local network. The non-limiting example is related to a situation in which data from remote nodes 110A, 110B, 110C, such as sensor nodes 110A-110C, has to stay within the local network. The network architecture according to the present invention may be arranged to support usage of applications whose data and decisions have to remain inside the network control area.
In such an application the data and processing flow may be as follows in various embodiments of the invention:
First, at least one remote node 110A-110C may be arranged to establish a connection to the local network implemented as a server device 300. The connection may e.g. be made over the remote radio head 200 and a standard cellular radio baseband interface implemented e.g. as an interface of a base station 340. The connection establishment may e.g. be done by using an attach procedure defined by the applied radio standard.
In response to an establishment of the connection the server device 300 may be arranged to determine access rights of the remote node 110A-110C from data received from the remote node in question. This may e.g. be performed by validating identification data associated with the data received from the remote node 110A-110C in question in the core network 310. The identification data may comprise, but is not limited to, an identifier of the remote node in question, e.g. in a form of credentials, which are carried to the core network 310 by the remote radio head 200 and a functionality of the base station 340. A management function of the core network 310, such as the MME 312 consulting the database 314, may be arranged to determine whether the remote node 110A-110C may have access to the outside network 550 or whether the data received from the remote node 110A-110C shall stay within the server device 300 implementing the local network. For example, it may be defined in the database 314 on a sensor-by-sensor basis whether the data is allowed to be output from the server device 300 or not. The information from the database 314 may be returned to the MME 312 function e.g. in response to an inquiry comprising e.g. identification data of the remote node 110A-110C in question. Hence, an authentication procedure may e.g. be performed. If the MME 312 determines, from the response received from the database 314, that the data received from the remote node 110A-110C has to be kept within the local network, the MME 312 may be configured to determine an application residing in the application execution platform entity 330 into which the data is to be sent. The determination may be done based on a policy that may e.g. be stored in the core network 310, such as in the database 314, from which the policy may be retrieved.
In a situation where it is found out that the application does not exist, the core network 310, executed e.g. by the MME 312, may be arranged to apply e.g. through the interface 410 for the application supervisor entity 320 to validate and initiate the application. In this case the application supervisor entity 320 may use the interface 420 between the application supervisor entity 320 and the application execution platform entity 330 and may be arranged to perform a security check of the application code (for instance an integrity check or any other checking). Commands causing a start of the application by at least one of the entities 500 or 510 may also be transferred over the interface 420.
In response to the determination and to the initiation of the application, the data received from the remote node 110A-110C may be routed from the base station 340 implementing a baseband process to the application executed by the application execution platform entity 330 over an interface 450. The data analysis and control functionality 500 may be arranged to handle a local control and processing of local data. For example, the operation may contain an industrial process control function. The local application executed by the data analysis and control functionality 500 may control one or more nodes 110A-110C, 112 in the local control area over a wireless connection or over a wired connection. The control may be performed through the base station 340 functionality or directly from the application execution platform entity 330.
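The security check that the application supervisor entity 320 performs over interface 420 before an application is started, as an added example that is not code from the patent or from Raniot Technologies. The registry of profiles, the class names, the SHA-256 digest comparison and the "500"/"510" functionality labels are assumptions made here for illustration; the description only states that a program must be registered in the local network database, that its integrity is checked when it is executed, and that the core network may hold authentication and integrity usage rights profiles for verifying an application.

```python
"""Added example, not the patent's own code: an application supervisor entity (320)
checking a program against a registered integrity and usage-rights profile before
starting it in the application execution platform (330).
All class and field names are assumptions for illustration; the patent states only
that a program is registered in the local network database and its integrity checked
(e.g. an integrity check of the code) when it is executed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class UsageRightsProfile:
    """One 'authentication and integrity usage rights profile' held by the core network 310."""
    app_name: str
    code_sha256: str                          # digest registered when the program was loaded
    allowed_functionalities: FrozenSet[str]   # where it may run: "500" and/or "510"


class CoreNetworkRegistry:
    """Stands in for the database 314: the profiles the supervisor consults over interface 410."""
    def __init__(self) -> None:
        self._profiles: Dict[str, UsageRightsProfile] = {}

    def register(self, app_name: str, code: bytes, functionalities: Iterable[str]) -> None:
        digest = hashlib.sha256(code).hexdigest()
        self._profiles[app_name] = UsageRightsProfile(app_name, digest, frozenset(functionalities))

    def get(self, app_name: str) -> Optional[UsageRightsProfile]:
        return self._profiles.get(app_name)


class ApplicationExecutionPlatform:
    """Entity 330: records which application runs in which functionality (500 or 510)."""
    def __init__(self) -> None:
        self.running: Dict[Tuple[str, str], bytes] = {}

    def start(self, app_name: str, functionality: str, code: bytes) -> None:
        self.running[(app_name, functionality)] = code


class ApplicationSupervisor:
    """Entity 320: validates an application over interface 420 before it is started."""
    def __init__(self, registry: CoreNetworkRegistry, platform: ApplicationExecutionPlatform) -> None:
        self._registry = registry
        self._platform = platform

    def validate(self, app_name: str, code: bytes, functionality: str) -> Tuple[bool, str]:
        profile = self._registry.get(app_name)
        if profile is None:
            return False, "not registered"
        actual = hashlib.sha256(code).hexdigest()
        # constant-time comparison of the registered and actual digests
        if not hmac.compare_digest(actual, profile.code_sha256):
            return False, "integrity check failed"
        if functionality not in profile.allowed_functionalities:
            return False, "functionality not permitted by profile"
        return True, "ok"

    def initiate(self, app_name: str, code: bytes, functionality: str) -> Tuple[bool, str]:
        """Validate first; the start command over interface 420 is sent only on success."""
        ok, reason = self.validate(app_name, code, functionality)
        if ok:
            self._platform.start(app_name, functionality, code)
        return ok, reason


def demo():
    """Constructed scenario: one registered control application, four start attempts."""
    registry = CoreNetworkRegistry()
    platform = ApplicationExecutionPlatform()
    supervisor = ApplicationSupervisor(registry, platform)

    genuine = b"def control(sample): return sample * 0.5"   # constructed program code
    registry.register("process-control", genuine, ["500"])   # permitted only in entity 500

    results = {
        "genuine_in_500": supervisor.initiate("process-control", genuine, "500"),
        "tampered_in_500": supervisor.initiate("process-control", genuine + b"\n# altered", "500"),
        "genuine_in_510": supervisor.initiate("process-control", genuine, "510"),
        "unregistered": supervisor.initiate("telemetry-uploader", b"...", "510"),
    }
    return results, platform


if __name__ == "__main__":
    for name, outcome in demo()[0].items():
        print(name, outcome)
```

The point a practitioner should take from the simulation is the order of checks: registration, then integrity, then the usage right for the requested functionality, and only then the start command. A tampered copy of a registered program and a genuine program asked to run in the network client type functionality 510 are both refused without anything being started.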
It may also be determined that the local application needs a specific piece(s) of information, such as information relating to remote device security and validation information or information about the local specific policies. In response to such a determination the application execution platform entity 330 may be arranged to acquire the one or more pieces of information from the core network 310 over interface 430, for example.
It may also be determined that the local application needs to communicate with an entity residing in the outside network 550, such as a server device residing therein. This may be arranged through a firewall entity 350. In order to enable the communication to the outside network 550 a process may be started by the network client type functionality 510. The process may utilize an interface 440 for communicating with the outside network 550. More specifically, in order to access the outside network 550, the process executed by the network client type functionality 510 may acquire an access right from the firewall 350. This may be performed by first informing a policy and charging rules function (PCRF) 316 in the core network 310 through the interface 430, such as an application interface, of an intention to access the outside network 550. According to various embodiments of the invention the policy and charging rules function (PCRF) 316 may be arranged to identify the access right process and to configure the firewall 350 correspondingly. In response to the configuration the process executed by the network client type functionality 510 may access the outside network 550 through the interface and the firewall 350.
Some further aspects of the present invention may relate to processes executed in the application execution platform entity 330. Namely, a communication with the processes, or the corresponding application, is advantageously secured. Preferably the security is arranged on both sides. The remote nodes 110A-110C, 112 may be required to validate the application process executed by the application execution platform entity 330 and the application process, respectively, may be required to validate the remote node 110A-110C, 112.
According to various embodiments of the present invention the application process may take advantage of the remote node 110A-110C, 112 validation process carried out between the remote node 110A-110C, 112 and the core network 310. The core network 310 may first validate the remote node 110A-110C, 112. Additionally, the remote node 110A-110C, 112 may validate the local network 300 implemented by the server device 300. The local network may use a process executed by the application supervisor entity 320 and may validate the process. In response to a successful validation the server device 300 implementing the local network may allow the sensor node connection to the process in question.
In an implementation in which the application process needs to validate the remote node 110A-110C, 112 separately, it may be inquired from the core network 310 through the interface 430.
Furthermore, in an implementation in which the application process needs to access the outside network 550, the core network 310 may be arranged to enable a connection between the application execution platform entity 330 and the firewall 350. First, it may be arranged to check and to validate both a process executed by the data analysis and control functionality 500 and a process executed by the network client type functionality 510, e.g. by means of a number of integrity checks, and to allow data exchange between them in accordance with the check and the validation. In this manner not only the remote node 110A-110C, 112 and the local network are secured but also the applications inside the server device 300 implementing the local network are secured.
Some further aspects of the present invention concerning an integration of remote nodes with the server device 300 implementing the local network are provided by referring to Figure 2. A number of remote nodes to be integrated with the local network are referred to with 600 in Figure 2. As is commonly known, traditionally cellular networks may be accessed only through a radio interface by terminal devices. In some areas, such as in industrial solutions, the server device 300 may be arranged to control industrial processes. The server device 300 implementing the local network may be realized as a cloud service where baseband processing of the base station functionality 340 may reside in a server and radio communication is over a remote radio head RRH 200. In this kind of implementation, the entity 340 performing the baseband processing becomes a centralized computing unit. The inputs to this unit are not only from the RRH but also from other remote nodes 600, such as from sensor nodes like lidars, radars and cameras.
In other words, the server device 300 may receive inputs (indicated as a direct communication entity 610 in Figure 2) from the remote nodes over the RRH 200. It may also receive further data, such as measurement data, from the other remote nodes 600. The data received from different sources may be processed locally in the server device 300 and used e.g. for local control.
According to some embodiments of the present invention the RRH 200 may integrate functions of at least some of the nodes 600. In such an implementation the RRH 200 becomes a remote sensing unit that is connected to a server device 300.
Such an approach enables for instance control of moving objects by tracking them by the local network and communicating control information to the tracked object.
Figure 3 illustrates schematically aspects relating to the present invention as a method. The method may be initiated in various embodiments of the invention in response to a receipt of a request to establish a connection from at least one remote node 110A-110C, 112, which causes a connection establishment 710 by the server device 300. In the server device 300, and especially in the core network entity 310, the database entity 314, the PCRF 316 and the management entity MME 312 may be arranged, in response to the connection establishment, to determine 720 if the remote node 110A-110C, 112 in question has a right to access the outside network. This may correspond to a determination of whether the data received from the remote node 110A-110C, 112 shall be kept in the local network or whether the data may be delivered outside of the local network. The determination of the right to access the outside network may e.g. be arranged by performing an authentication procedure of the remote node 110A-110C, 112, such as by receiving at least one authentication key from the remote node and confirming a validity of the authentication keys with an inquiry to the database 314. In response to a determination that there is no right to access the outside network 720, the MME 312 may be arranged to determine 730 an application to which the data received from the remote node 110A-110C, 112 is dedicated. For example, in various embodiments the MME 312 may need to trigger the analysis and control functionality 500 through an interface 430 for the incoming data, which, in turn, needs to execute the application that will use the data. Once the application is running, standard means of switching or routing the packets, such as TCP sockets, may be utilized for the communication between the network node and the application (server). In response to the determination of the application 730 a trigger signal is generated for initiating 740 the application in the application execution platform entity 330.
In case the application does not exist, the core network 310, executed e.g. by the MME 312 among other entities, may be arranged to apply e.g. through the interface 410 for the application supervisor entity 320 to validate and to initiate the application. In response to the execution of the application the data received from the remote node 110A-110C, 112 may be applied 750 by the application, i.e. the application uses the received data in accordance with the instructions defined by the computer program code of the application.
On the other hand, in response to a determination, in step 720 of Figure 3, that the remote node 110A-110C, 112 may access the outside network, the application execution platform entity 330, specifically e.g. the network client type functionality 510 there, may set up 760 the access to the outside network 550. The setup of the access may comprise an inquiry of a right to access the outside network 550 from a firewall 350 in the manner described. In response to a configuration of the firewall 350, if needed, the channel to the outside network 550 may be granted and the data from the remote node 110A-110C, 112 may be delivered 770 to a predetermined entity in the outside network 550.
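The decision flow of Figure 3 (steps 710 to 770) carried through as an added example; this is not code from the patent or from Raniot Technologies. The class names, the HMAC challenge/response used for the authentication inquiry, the node identifiers, the per-node policy records and the deny-by-default firewall that only the PCRF may configure are all assumptions made for this example; the description specifies the decision flow and the entities involved, not these mechanisms.

```python
"""Added example, not the patent's own code: a simulation of the Figure 3 method
(steps 710-770), where the server device decides whether data from a remote node
stays in the local network or is delivered to the outside network 550.
Class names, the HMAC challenge/response, node identifiers and policy records are
assumptions made for this example; the patent specifies only the decision flow."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NodeProfile:
    """Per-node record in the database 314: key, egress policy, dedicated application."""
    key: bytes
    egress_allowed: bool
    application: Optional[str]


class Mme:
    """Management entity 312: authenticates a node (720) by an inquiry to the database."""
    def __init__(self, db: Dict[str, NodeProfile]) -> None:
        self._db = db

    def authenticate(self, node_id: str, challenge: bytes, response: bytes) -> Optional[NodeProfile]:
        profile = self._db.get(node_id)
        if profile is None:
            return None
        expected = hmac.new(profile.key, challenge, hashlib.sha256).digest()
        return profile if hmac.compare_digest(expected, response) else None


class Firewall:
    """Firewall entity 350: deny by default; rules are added only by the PCRF."""
    def __init__(self) -> None:
        self._rules: Set[Tuple[str, str]] = set()

    def allow(self, process_id: str, destination: str) -> None:
        self._rules.add((process_id, destination))

    def permits(self, process_id: str, destination: str) -> bool:
        return (process_id, destination) in self._rules


class Pcrf:
    """Policy and charging rules function 316: grants egress by configuring the firewall."""
    def __init__(self, firewall: Firewall) -> None:
        self._fw = firewall

    def request_egress(self, process_id: str, destination: str, profile: NodeProfile) -> bool:
        if not profile.egress_allowed:
            return False
        self._fw.allow(process_id, destination)
        return True


class ServerDevice:
    """Server device 300: core entities plus the application execution platform 330."""
    NETWORK_CLIENT = "network-client-510"   # process of the network client type functionality

    def __init__(self, db: Dict[str, NodeProfile]) -> None:
        self.firewall = Firewall()
        self.mme = Mme(db)
        self.pcrf = Pcrf(self.firewall)
        self.running: Set[str] = set()                 # applications initiated (740)
        self.applied: List[Tuple[str, bytes]] = []     # data applied by an application (750)
        self.delivered: List[Tuple[str, bytes]] = []   # data delivered outside (770)

    def handle(self, node_id: str, challenge: bytes, response: bytes, data: bytes,
               destination: str = "cloud-service-550") -> str:
        profile = self.mme.authenticate(node_id, challenge, response)      # 710/720
        if profile is None:
            return "rejected"
        if not profile.egress_allowed:
            app = profile.application                                       # 730
            if app is None:
                return "rejected"   # confined data with no dedicated application
            self.running.add(app)                                           # 740
            self.applied.append((app, data))                                # 750
            return "local"
        if not self.firewall.permits(self.NETWORK_CLIENT, destination):     # 760
            if not self.pcrf.request_egress(self.NETWORK_CLIENT, destination, profile):
                return "rejected"
        self.delivered.append((destination, data))                          # 770
        return "outside"


def demo():
    """Constructed scenario: one node confined to the local network, one allowed out."""
    db = {"sensor-110A": NodeProfile(b"key-110A", False, "process-control"),
          "sensor-110B": NodeProfile(b"key-110B", True, None)}
    server = ServerDevice(db)
    challenge = b"nonce-0001"   # constructed; a real attach uses the radio standard's procedure

    def respond(key: bytes) -> bytes:
        return hmac.new(key, challenge, hashlib.sha256).digest()

    outcomes = [server.handle("sensor-110A", challenge, respond(b"key-110A"), b"temp=21.5"),
                server.handle("sensor-110B", challenge, respond(b"key-110B"), b"vib=0.3"),
                server.handle("sensor-110B", challenge, respond(b"wrong-key"), b"vib=0.3"),
                server.handle("sensor-999", challenge, respond(b"key-110A"), b"x")]
    return outcomes, server
```

Two properties of the flow are worth checking against the simulation: a node that fails the authentication inquiry never reaches the routing decision at all, and the firewall starts with no rules, so the first outbound delivery only succeeds because the PCRF configured it for the network client process after consulting the node's egress policy.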
Further operations, e.g. under the described steps or in addition to them, may be performed.
The invention as described allows running of a mobile network on industrial general purpose edge computing platforms. The invention allows these computing platforms to leverage advanced security features of the mobile systems to improve the system security.
In the description of the present invention remote devices connected to the server device 300 are mainly referred to as sensor nodes. However, the invention is not limited to such sensor nodes only, but any other node type comprising the necessary hardware and software functionalities may be communicatively coupled to the server device 300.
For the sake of clarity, an apparatus suitable for implementing a local network in a box solution according to various embodiments as described herein is schematically illustrated in Figure 4. The apparatus may comprise at least one processor 810 and at least one memory 820. The memory 820 may store data and computer program code 825. The apparatus may further comprise a communication interface 830, or communication means, for wired or wireless communication with other apparatuses. In other words, the communication interface 830 may comprise hardware and software components for implementing a communication protocol(s) of the local network, for example. This may e.g. refer to suitable radio modems included in the apparatus. Additionally, the apparatus may comprise user I/O (input/output) components 840 that may be arranged, together with the processor 810 and a portion of the computer program code 825, to provide the user interface for receiving input from a user and/or providing output to the user. In particular, the user I/O components 840 may include user input means, such as one or more keys or buttons, a keyboard, a touchscreen or a touchpad, etc. The user I/O components may include output means, such as a display or a touchscreen.
The components of the apparatus may be communicatively coupled to each other via a bus 850 that enables transfer of data and control information between the components. The apparatus schematically illustrated in Figure 4 is a non-limiting example suitable for implementing at least some of the functionalities discussed for example as concepts in the description of the other Figures. In various embodiments the apparatus may correspond to the server device.
Generally speaking, the present invention enables using standardized authentication mechanisms, such as 3GPP Network Authentication and Integrity functionality, for validating not only users but also the other functions (programs) and interfaces that may be attached to a local network implemented as a server device. For instance, to load a program to the server device it has to be registered in the local network database, and the program integrity is to be checked when it is executed by the local network.
The specific examples provided in the description given above should not be construed as limiting the applicability and/or the interpretation of the appended claims. Lists and groups of examples provided in the description given above are not exhaustive unless otherwise explicitly stated.

Claims

WHAT IS CLAIMED IS:
1. A server device (300) for implementing a local network, the server device (300) is configured to execute a base station functionality (340) and a core network functionality (310), the server device (300) comprising: at least one remote radio head (200), an application supervisor entity (320), and an application execution platform entity (330).
2. The server device (300) of claim 1, wherein an interface of the core network functionality (310) is arranged to be represented as a general service and is arranged to be accessible by the application supervisor entity (320) through an interface (410) and by the application execution platform entity (330) through an interface (430).
3. The server device (300) of claim 1 or claim 2, wherein the application supervisor entity (320) is configured to control an application integrity and execution in the application execution platform entity (330) through an interface (420).
4. The server device (300) of any of the preceding claims, wherein the application execution platform entity (330) comprises a data analysis and control functionality (500) to handle internal data collection and processing in the local network.
5. The server device (300) of any of the preceding claims, wherein a firewall entity (350) is configured to allow communication between the base station functionality (340) and the core network functionality (310) with an outside network (550) and wherein the application execution platform entity (330) comprises a communication entity (510) connected to the firewall entity (350) through an interface (440).
6. The server device (300) of any of the preceding claims, wherein the application supervisor entity (320) is configured to authenticate the application execution platform entity (330) and the core network functionality (310).
7. The server device (300) of any of the preceding claims 4 - 6, wherein the data analysis and control functionality (500) is configured to authenticate a remote node (110A, 110B, 110C, 112) by performing an inquiry to the core network functionality (310).
8. The server device (300) of any of the preceding claims 4 - 7, wherein the core network entity (310) comprises a number of authentication and integrity usage rights profiles for verifying an application by the application execution platform entity (330).
9. The server device (300) of any of the preceding claims 1 - 8, wherein the server device (300) further comprises an interface (450) between the application execution platform entity (330) and the base station functionality (340) to allow direct internal routing of data from the base station functionality (340) to the application execution platform entity (330).
10. The server device (300) of any of the preceding claims, the server device (300) further comprising a direct communication entity (710) for communicatively coupling at least one remote node (110A, 110B, 110C, 112) directly to the server device (300).
11. A method for managing data in a server device (300) for implementing a local network, the data received from a remote node (110A, 110B, 110C, 112), the method comprising:
establishing a connection (710) with the remote node (110A, 110B, 110C, 112) in response to a receipt of a request,
determining (720) if the remote node (110A, 110B, 110C, 112) is allowed to access an outside network (550),
in response to a determination that the remote node (110A, 110B, 110C, 112) is not allowed to access the outside network (550): determining (730) an application for data received from the remote node (110A, 110B, 110C, 112), initiating (740) the application, applying (750) the data received from the remote node (110A, 110B, 110C, 112) with the application,
in response to a determination that the remote node (110A, 110B, 110C, 112) is allowed to access the outside network (550): setting up (760) an access to the outside network (550), delivering (770) the data to the outside network (550).
12. The method of claim 11, wherein the setting up of the access to the outside network (550) comprises inquiring a right to access the outside network (550) from a firewall (350).
13. A computer program product for implementing a local network, which, when executed by at least one processor, causes a server device (300) to perform the method according to any of claims 11 - 12.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/FI2019/050506 WO2020260746A1 (en) 2019-06-27 2019-06-27 Dataflow management solution for an industrial factory


Publications (1)

Publication Number Publication Date
WO2020260746A1 true WO2020260746A1 (en) 2020-12-30


Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180376338A1 (en) * 2016-08-05 2018-12-27 Nxgen Partners Ip, Llc Sdr-based massive mimo with v-ran cloud architecture and sdn-based network slicing


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Study on Communication for Automation in Vertical Domains (Release 16)", 3GPP STANDARD; TECHNICAL REPORT; 3GPP TR 22.804, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG1, no. V16.2.0, 21 December 2018 (2018-12-21), pages 1 - 196, XP051591356 *
STEPHAN LUDWIG ET AL: "A 5G Architecture for The Factory of the Future", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 25 September 2018 (2018-09-25), XP080920912 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116546672A (en) * 2023-07-03 2023-08-04 广东省新一代通信与网络创新研究院 Mobile communication device based on universal server and pull rod box type mobile communication device
CN116546672B (en) * 2023-07-03 2023-09-12 广东省新一代通信与网络创新研究院 Mobile communication device based on universal server and pull rod box type mobile communication device


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19740040; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19740040; Country of ref document: EP; Kind code of ref document: A1)