WO2021219385A1 - Securely identifying network function - Google Patents

Securely identifying network function

Info

Publication number
WO2021219385A1
Authority
WO
WIPO (PCT)
Prior art keywords
network function
network
context information
information
request
Prior art date
Application number
PCT/EP2021/059721
Other languages
French (fr)
Inventor
Nagendra Bykampadi
Jani Petteri EKMAN
Silke Holtmanns
Original Assignee
Nokia Technologies Oy
Priority date
Filing date
Publication date
Application filed by Nokia Technologies Oy
Publication of WO2021219385A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information the source of the received data

Definitions

  • Embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to devices, methods, apparatuses and computer readable storage media for securely identifying a network function (NF).
  • NF network function
  • NF instances for a specific NF type may be created or deleted from a system, or the NF instances may be inactivated if they are not totally deleted from the system. As such, the number of the NF instances may be increased or decreased. Accordingly, a flexible solution for securely identifying NF instances is needed.
  • example embodiments of the present disclosure provide a solution for securely identifying a network function.
  • a first device comprising at least one processor, and at least one memory including computer program codes.
  • the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to: receive, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function; generate network function context information of the first network function based on the profile, the network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; digitally sign the network function context information by using a private key of the first device; and transmit the digitally signed network function context information to the first network function.
  • a second device comprises at least one processor, and at least one memory including computer program codes.
  • the at least one memory and the computer program codes are configured to, with the at least one processor, cause the second device to: transmit, to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function; and receive digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
  • a third device comprises at least one processor, and at least one memory including computer program codes.
  • the at least one memory and the computer program codes are configured to, with the at least one processor, cause the third device to: transmit to a first device a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; and in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, receive from the first device the access token comprising at least the digitally signed network function context information.
  • a fourth device comprises at least one processor, and at least one memory including computer program codes.
  • the at least one memory and the computer program codes are configured to, with the at least one processor, cause the fourth device to: receive from a third device a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; authenticate the first network function based on the digitally signed network function context information; and in accordance with a successful authentication of the first network function, provide service for the first network function.
  • a method implemented at a first device comprises: receiving, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function; generating network function context information of the first network function based on the profile, the network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; digitally signing the network function context information by using a private key of the first device; and transmitting the digitally signed network function context information to the first network function.
  • a method implemented at a second device comprises: transmitting, from a second device implementing a first network function to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function; and receiving digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
  • a method implemented at a third device comprises: transmitting, from a third device implementing a service communication proxy to a first device, a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; and in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, receiving from the first device the access token comprising at least the digitally signed network function context information.
  • a method implemented at a fourth device comprises: receiving, at a second device implementing a second network function from a third device, a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; authenticating the first network function based on the digitally signed network function context information; and in accordance with a successful authentication of the first network function, providing service for the first network function.
  • an apparatus comprising means for performing steps of the method according to the above third aspect.
  • an apparatus comprising means for performing steps of the method according to the above fourth aspect.
  • an apparatus comprising means for performing steps of the method according to the above fifth aspect.
  • an apparatus comprising means for performing steps of the method according to the above sixth aspect.
  • a non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the above third aspect.
  • a non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the above fourth aspect.
  • a non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the above fifth aspect.
  • a non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the above sixth aspect.
  • Fig. 1 illustrates an example environment in which some example embodiments of the present disclosure can be implemented
  • Fig. 2 illustrates a signaling chart of a process for securely identifying a NF according to some example embodiments of the present disclosure
  • Fig. 3 illustrates a signaling chart of a process for authenticating a NF consumer according to some example embodiments of the present disclosure
  • Fig. 4 illustrates a flowchart of a method implemented at a first device according to some example embodiments of the present disclosure
  • Fig. 5 illustrates a flowchart of a method implemented at a second device according to some example embodiments of the present disclosure
  • Fig. 6 illustrates a flowchart of a method implemented at a third device according to some example embodiments of the present disclosure
  • Fig. 7 illustrates a flowchart of a method implemented at a fourth device according to some example embodiments of the present disclosure
  • Fig. 8 illustrates a simplified block diagram of an apparatus that is suitable for implementing embodiments of the present disclosure
  • Fig. 9 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
  • references in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • first and second etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
  • circuitry may refer to one or more or all of the following:
  • circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that require software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
  • software e.g., firmware
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device, or a similar integrated circuit in a server, a cellular network device, or another computing or network device.
  • the term “communication network” refers to a network following any suitable communication standards, such as fifth generation (5G) systems, Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on.
  • 5G fifth generation
  • LTE Long Term Evolution
  • LTE-A LTE-Advanced
  • WCDMA Wideband Code Division Multiple Access
  • HSPA High-Speed Packet Access
  • NB-IoT Narrow Band Internet of Things
  • the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the future fifth generation (5G) new radio (NR) communication protocols, and/or any other protocols either currently known or to be developed in the future.
  • Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
  • the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom.
  • the network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), a NR Next Generation NodeB (gNB), an Integrated Access and Backhaul node, a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, a low power node such as a femto or a pico, and so forth, depending on the applied terminology and technology.
  • A RAN split architecture comprises a gNB-CU (Centralized unit, hosting RRC, SDAP and PDCP) controlling a plurality of gNB-DUs (Distributed unit, hosting RLC, MAC and PHY).
  • gNB-CU Centralized unit, hosting RRC, SDAP and PDCP
  • terminal device refers to any end device that may be capable of wireless communication.
  • a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT).
  • UE user equipment
  • SS Subscriber Station
  • MS Mobile Station
  • AT Access Terminal
  • the terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain context), a consumer electronics device, a device operating on commercial and/or industrial wireless networks, and the like.
  • VoIP voice over IP
  • In the following description, the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
  • a user equipment apparatus such as a cell phone or tablet computer or laptop computer or desktop computer or mobile IOT device or fixed IOT device.
  • This user equipment apparatus can, for example, be furnished with corresponding capabilities as described in connection with the fixed and/or the wireless network node(s), as appropriate.
  • the user equipment apparatus may be the user equipment and/or a control device, such as a chipset or processor, configured to control the user equipment when installed therein. Examples of such functionalities include the bootstrapping server function and/or the home subscriber server, which may be implemented in the user equipment apparatus by providing the user equipment apparatus with software configured to cause the user equipment apparatus to perform from the point of view of these functions/nodes.
  • in response to reception of a request for registration of a NF, a first device generates network function context information of the network function.
  • the first device digitally signs the network function context information by using a private key of the first device.
  • other NFs may use an Application Program Interface (API) exposed by the first device to verify the digitally signed network function context information.
  • API Application Program Interface
  • other NFs may use a public key of the first device to independently verify the digitally signed network function context information. In this way, securely identifying NF instances is achieved.
  • Fig. 1 illustrates a block diagram of an example environment 100 in which some example embodiments of the present disclosure can be implemented.
  • the environment 100 includes a network repository function (NRF) 110, NFs 120 and 130, and a service communication proxy (SCP) 140.
  • the NRF 110 is connected to the SCP 140.
  • the SCP 140 is connected to both the NFs 120 and 130.
  • the NFs 120 and 130 communicate with each other via the SCP 140.
  • the NF 120 may act as a NF service consumer, which may request a service from the NF 130 acting as a NF service producer. Only for the purpose of illustration, in the following, the NF 120 may be also referred to as “NFc 120” or “first NF 120”, and the NF 130 may be also referred to as “NFp 130” or “second NF 130”.
  • the NRF 110 is a network function which maintains NF profiles and available NF instances.
  • the NRF 110 can also provide service registration and discovery functionalities such that NFs can discover each other.
  • the NFc 120 may be registered with the NRF 110 so as to obtain digitally signed network function context information of the NFc 120 from the NRF 110.
  • the NFp 130 may be registered with the NRF 110 so as to obtain digitally signed network function context information of the NFp 130 from the NRF 110.
  • although the NFc 120 and the NFp 130 are shown in Fig. 1 as connected to each other via the SCP 140, in some example embodiments the SCP 140 may not be deployed as an intermediate node.
  • the present disclosure may be also applicable to scenarios where the NFc 120 and the NFp 130 are connected to each other directly.
  • the NFs 120 and 130 can be implemented in a single physical device or different physical devices.
  • the NRF 110, the NFs 120 and 130, and the SCP 140 may be implemented at a single physical device.
  • the SCP 140 can be co-located with the NRF 110.
  • one or more of the NRF 110, the NFs 120 and 130, and the SCP 140 may operate as a service provided by a third party, and therefore a message may be routed back and forth to the third party.
  • the NFc 120 and the NFp 130 are not directly connected to each other.
  • the SCP 140 acts as an intermediate node between the NFc 120 and the NFp 130. It is to be understood that the number of SCPs shown in Fig. 1A is merely for illustrative purposes without any limitation, and there may be more than one SCP between the NFc 120 and the NFp 130.
  • example environment 100 is shown only for purpose of illustration, without suggesting any limitation to the scope of the present disclosure. Embodiments of the present disclosure may also be applied to an environment with a different structure.
  • Fig. 2 illustrates a signaling chart illustrating a process 200 for securely identifying NF instances according to some example embodiments of the present disclosure.
  • the process 200 may involve the NFc 120 and a first device 150 implementing the NRF 110 or SCP 140 as shown in Fig. 1. It is to be understood that although the process 200 involves the NFc 120, the same mechanism can also be used in other scenarios involving the NFp 130.
  • the first device 150 receives 210, from the first NF 120, a first request for registration of the first NF 120.
  • the first request comprises a profile of the first NF 120.
  • the profile of the first NF 120 may only comprise an instance identifier (also referred to as NF instance ID) of the first NF 120.
  • the profile of the first NF 120 may comprise not only the NF instance ID of the first NF 120, but also other information concerning the first NF 120.
  • the profile of the first NF 120 may comprise information concerning services that the first NF 120 can provide.
  • upon receiving the first request, the first device 150 generates 220 network function context information of the first NF 120 based on the profile of the first NF 120.
  • the network function context information comprises at least identification information of the first network function and information of at least one network slice associated with the first network function.
  • the network function context information is a secure, self-contained set of information encoded in JSON Web Token (JWT) format according to RFC 7519.
  • JWT JSON Web Token
  • the network function context information comprises at least identification information of the first NF 120 and information of at least one network slice associated with the first NF 120. Because the network function context information comprises the information of at least one network slice associated with the first NF 120, the at least one network slice may be identified based on the network function context information.
  • the identification information of the first NF 120 comprises at least one of: the NF instance ID of the first NF 120, or Fully Qualified Domain Name (FQDN) of the first NF 120.
  • FQDN Fully Qualified Domain Name
  • the information of the at least one network slice associated with the first NF 120 comprises at least one of: a list of identifiers of network slices that the first NF 120 is allowed to serve, or an identifier of a first network slice among the network slices that the first NF 120 is serving.
  • the network function context information further comprises type information of the first NF 120.
  • the type information of the first NF 120 may indicate that the first NF 120 is a User Port Function (UPF), Access and Mobility Management Function (AMF), Session Management Function (SMF), Policy Control Function (PCF), Network Exposure Function (NEF), Network Slice Selection Function (NSSF), Short Message Service Function (SMSF) or Authentication Server Function (AUSF).
  • UPF User Port Function
  • AMF Access and Mobility Management Function
  • SMF Session Management Function
  • PCF Policy Control Function
  • NEF Network Exposure Function
  • NSSF Network Slice Selection Function
  • SMSF Short Message Service Function
  • AUSF Authentication Server Function
  • the network function context information further comprises information concerning at least one SCP that the first NF 120 can be connected to.
  • the network function context information further comprises information concerning a SCP domain or a list of SCPs that the first NF 120 can be connected to.
  • the network function context information further comprises location information of the first NF 120.
  • the network function context information further comprises information concerning issuing of the network function context information.
  • the information concerning issuing of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuing of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
  • the address information may comprise a Uniform Resource Identifier (URI) that points to the public key of the issuer.
  • URI Uniform Resource Identifier
  • in embodiments where the network function context information of the first NF 120 is generated or issued by the first device 150 implementing the NRF 110, the issuer is the NRF 110. In embodiments where the network function context information of the first NF 120 is generated or issued by the first device 150 implementing the SCP 140, the issuer is the SCP 140.
  • the first device 150 digitally signs 230 the network function context information by using a private key of the first device 150.
  • the first device 150 transmits 240 the digitally signed network function context information to the first NF 120.
  • NFs may use an API exposed by the first device to verify the digitally signed network function context information of an NF.
  • where the network function context information comprises the URI that points to the public key of the issuer, other NFs may use the public key to independently verify the digitally signed network function context information. In this way, securely identifying NF instances is achieved.
  • a NF producer may perform an authentication of a NF consumer based on the network function context information in an access token, which will be described with reference to Fig. 3.
  • Fig. 3 illustrates a signaling chart illustrating a process 300 for authenticating a NF consumer according to some example embodiments of the present disclosure. As shown in Fig. 3, the process 300 may involve the NRF 110, the NFc 120, the NFp 130 and the SCP 140 as shown in Fig. 1.
  • mutual authentication between the NFc 120 and the SCP 140 may be performed at 301, and mutual authentication between the SCP 140 and the NRF 110 may be performed 302.
  • TLS handshake procedures may be performed for the mutual authentications.
  • secure connections using TLS are also referred to as “TLS connections”
  • a client certificate of the NFc 120 can be provided or indicated to the SCP 140.
  • the client certificate of the NFc 120 may comprise the network function context information of the NFc 120.
  • the network function context information of the NFc 120 may be included in a SubjectAltName field of the certificate.
  • a UniformResourceIdentifier field may comprise a URI that points to the location where the network function context information of the NFc 120 can be obtained.
  • an OtherName field may directly carry the network function context information of the NFc 120 in signed JWT format.
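As an added example (not code from the patent or from Nokia), the following Go program shows the UniformResourceIdentifier variant just described: an NF client certificate whose SubjectAltName carries a URI pointing at the location of its signed network function context information, and the check an SCP can apply after the TLS handshake to extract that URI and accept only one that points at its trusted issuer over HTTPS. The self-signed certificate, the host names and the URI are constructed for this example; a deployment would have an operator CA sign the certificate. The OtherName variant needs a custom SAN encoding and is not covered here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// NewNFClientCert builds a client certificate for an NF whose SubjectAltName carries, as a
// uniformResourceIdentifier, the URI from which the NF's signed context information can be
// fetched. Self-signing, the names and the URI are assumptions made for this example.
func NewNFClientCert(nfFQDN, contextURI string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(contextURI)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: nfFQDN},
		DNSNames:     []string{nfFQDN},
		URIs:         []*url.URL{u}, // becomes the SAN uniformResourceIdentifier entry
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ContextURIFromCert is the SCP-side check after the TLS handshake: take the NF context URI from
// the client certificate's SubjectAltName and accept it only if it points at the trusted issuer
// over HTTPS, so a peer cannot steer the SCP to context information hosted somewhere else.
func ContextURIFromCert(cert *x509.Certificate, trustedIssuerHost string) (string, error) {
	for _, u := range cert.URIs {
		if u.Scheme == "https" && u.Host == trustedIssuerHost {
			return u.String(), nil
		}
	}
	return "", fmt.Errorf("no NF context URI for issuer %q in SubjectAltName", trustedIssuerHost)
}

func main() {
	cert, err := NewNFClientCert("amf1.5gc.example", "https://nrf.5gc.example/nf-context/amf-0001")
	if err != nil {
		panic(err)
	}
	fmt.Println(ContextURIFromCert(cert, "nrf.5gc.example"))
}
```

The URI is only a pointer: after extracting it the SCP still has to fetch the signed context from the issuer and verify its signature, which is the same verification the NRF and NFp perform on the JWT itself.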
  • a register procedure 303 may be performed between the NFc 120 and the NRF 110.
  • the NFc 120 is registered with the NRF 110 and obtains the network function context information of the NFc 120.
  • the NFc 120 obtains the network function context information of the NFc 120 by performing the process 200 as described above.
  • the NFc 120 may desire a NF service.
  • the NFc 120 transmits 304 or forwards a request for the service (also referred to herein as a service request) to the SCP 140 with which the NFc 120 is communicating and has established a secure TLS connection.
  • a NFc instance ID, a NFc type and the digitally signed network function context information of the NFc 120 may be included in the service request.
  • upon receiving the service request from the NFc 120, the SCP 140 performs 305 discovery service operations with the NRF 110 to obtain a list of target NF producers that can serve the service request of the NFc 120. The SCP 140 then selects one NFp from the list. In this example process 300, the NFp 130 is selected.
  • the SCP 140 transmits 306 a request for an access token (which is also referred to as an access token request) to the NRF 110.
  • the requested access token is to be used for the NFc 120 to request a service from the NFp 130.
  • the access token request may include the digitally signed network function context information of the NFc 120.
  • 5GC 5G Core Network
  • eSBA enhanced Service Based Architecture
  • the NF Instance ID can be made optional in access token requests.
  • the access token request may include the NF Instance ID of the NFc 120.
  • the access token request may also include expected service name(s), a target NF type, and a NFc type.
  • because the access token request from the NFc 120 or the SCP 140 to the NRF 110 may include the digitally signed network function context information of the NFc 120, the digitally signed network function context information can be used to identify the requester in addition to, or instead of, the NF Instance ID.
  • the SCP 140 adding the digitally signed network function context information on behalf of the NFc 120 may require a mutual agreement between the SCP 140 and the NFc 120.
  • upon receiving the access token request from the SCP 140, the NRF 110 authenticates 307 the NFc 120 by verifying the digitally signed network function context information of the NFc 120.
  • the NRF 110 first verifies the signature in the digitally signed network function context information of the NFc 120.
  • since the NRF 110 itself signed the network function context information, the signature it has to verify is its own.
  • the NRF 110 may verify that the instance of the NFc 120 is still alive.
  • the NRF 110 may verify whether the digitally signed network function context information in the access token request belongs to the NFc 120.
  • the NRF 110 authorizes 308 the NFc 120 to request desired service from the NFp 130. If the NFc 120 is authorized, the NRF 110 may generate 309 a digitally signed access token.
  • the NRF 110 includes 310 the digitally signed network function context information of the NFc 120 in the digitally signed access token.
  • the NRF 110 includes 310 the digitally signed network function context information of the NFc 120 in the existing “sub” information element (IE).
  • IE: information element
  • the NRF 110 includes the digitally signed network function context information of the NFc 120 in a new IE that is created to carry the digitally signed network function context information of a NF.
  • the new IE may be called, for example, “nfSecureName”.
  • the NRF 110 includes the digitally signed network function context information of the NFc 120 in the existing “iss” IE. In this way, there is no need to rely on nfInstanceId as the primary NF identity; the new signed NF context information is used instead.
  • Table 1 depicts the various information elements in the Access Token
  • the NRF 110 transmits 311 an Access Token Response to the SCP 140 with the access token included.
  • Upon receiving the Access Token Response from the NRF 110 with the access token included, the SCP 140 includes 312 the access token in the Service Request message and sends 313 the message to the NFp 130.
  • the NFp 130 validates 314 the access token in the Service Request message. In addition, the NFp 130 also authenticates the NFc 120 by validating the digitally signed network function context information included in the access token.
  • the authentication process 300 as described with reference to Fig. 3 is performed based on the digitally signed network function context information of the NF. Because the digitally signed network function context information comprises not only the NF instance Id but also additional information about the NF, the authentication process 300 allows for better granularity and compliance with local regulations.
  • the first device 150 implementing the NRF 110 may provide an API for a NF to deregister the NF and the digitally signed network function context information of the NF.
  • the first device 150 receives a third request for deregistration of the first NF 120 from the first NF 120.
  • the third request comprises the network function context information of the first NF 120. If the first device 150 successfully removes the profile of the first NF 120 from the first device 150, the first device 150 transmits to the first NF 120 a response indicating the successful removal.
  • the first device 150 implementing the NRF 110 may provide an API for a NF to share a list of the digitally signed network function context information of the NF to a trusted entity.
  • a variation of this API is to query whether the digitally signed network function context information of the NF is applicable to a network slice, SCP domain and so on.
  • if the first device 150 receives a fourth request for query of the first NF 120 from a second device, the first device 150 transmits the network function context information of the first NF 120 to the second device.
  • the fourth request comprises at least the information of the at least one network slice associated with the first NF 120.
  • the fourth request further comprises information concerning at least one SCP that the first NF 120 can be connected to.
  • the first device 150 implementing the NRF 110 may provide an API for a NF to allow NFs and/or an external entity to subscribe for information changes (register/deregister) related to digitally signed network function context information of a NF. In some embodiments, the first device 150 implementing the NRF 110 may provide an API to push changes within digitally signed network function context information of a NF to the concerned NF.
  • the first device 150 receives, from a third device, a fifth request for subscription to a notification of change of the network function context information. If the change of the network function context information occurs, the first device 150 transmits the notification to the third device.
  • the first device 150 receives a certificate from a SCP, the certificate comprising the network function context information.
  • the first device 150 validates the certificate based on the network function context information. If the first device 150 successfully validates the certificate, the first device 150 establishes a transport layer security connection between the first NF 120 and the SCP.
  • the first device 150 implementing the NRF 110 may provide an API for a NF to obtain new digitally signed network function context information of the NF with a more current timestamp.
  • the first device 150 receives, from the first NF 120, a sixth request for update of the network function context information.
  • the first device 150 updates the network function context information.
  • the first device 150 transmits the updated network function context information to the first NF 120.
  • Fig. 4 shows a flowchart of an example method 400 implemented at a first device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 400 will be described from the perspective of the first device implementing the NRF 110 with reference to Fig. 1.
  • the first device 110 receives, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function.
  • the first device 110 generates network function context information of the first network function based on the profile.
  • the network function context information comprises at least identification information of the first network function and information of at least one network slice associated with the first network function.
  • the first device 110 digitally signs the network function context information by using a private key of the first device.
  • the first device 110 transmits the digitally signed network function context information to the first network function.
  • the first device is configured to implement a network repository function.
  • the method 400 further comprises: receiving, from a first service communication proxy, a second request for an access token to be used by the first network function requesting a service from a second network function, the second request comprising at least the network function context information of the first network function, the first and second network functions communicating with each other via the first service communication proxy; and in accordance with a successful authentication of the first network function based on the network function context information, transmitting to the first service communication proxy the access token comprising at least the network function context information.
  • the method 400 further comprises: receiving a third request for deregistration of the first network function from the first network function, the third request comprising the network function context information; and in accordance with a successful removal of the profile of the first network function from the first device, transmitting to the first network function a response indicating the successful removal.
  • the method 400 further comprises: in accordance with reception of a fourth request for query of the first network function from a second device, transmitting the network function context information of the first network function to the second device, the fourth request comprising at least the information of the at least one network slice associated with the first network function.
  • the fourth request further comprises information concerning at least one second service communication proxy that the first network function can be connected to.
  • the method 400 further comprises: receiving, from a third device, a fifth request for subscription to a notification of change of the network function context information; and in accordance with the change of the network function context information, transmitting the notification to the third device.
  • the method 400 further comprises: receiving a certificate from a third service communication proxy, the certificate comprising the network function context information; validating the certificate based on the network function context information; and in accordance with a successful validation of the certificate, establishing a transport layer security connection between the first network function and the third service communication proxy.
  • the method 400 further comprises: receiving, from the first network function, a sixth request for update of the network function context information; updating the network function context information; and transmitting the updated network function context information to the first network function.
  • the first device is configured to implement a fourth service communication proxy connected to the first network function directly.
  • the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or Fully Qualified Domain Name of the first network function.
  • the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
  • the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
  • the network function context information further comprises information concerning issuer of the network function context information.
  • the information concerning issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
  • FIG. 5 shows a flowchart of an example method 500 implemented at a second device in accordance with some example embodiments of the present disclosure.
  • the method 500 will be described from the perspective of the second device implementing the NFc 120 with reference to Fig. 1.
  • the second device transmits, to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function.
  • the second device receives digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
  • the first device is configured to implement a network repository function.
  • the method 500 further comprises: transmitting a second request for deregistration of the first network function to the first device, the second request comprising the network function context information; and in accordance with a successful removal of the profile of the first network function from the first device, receiving from the first device a response indicating the successful removal.
  • the method 500 further comprises: transmitting a third request for update of the network function context information to the first device; and receiving the updated network function context information from the first device.
  • the first device is configured to implement a service communication proxy connected to the first network function directly.
  • the network function context information comprises at least one of: an instance identifier of the first network function, or Fully Qualified Domain Name of the first network function.
  • the network function context information comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
  • the network function context information comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
  • the network function context information comprises information concerning issuer of the network function context information.
  • the information concerning issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
  • Fig. 6 shows a flowchart of an example method 600 implemented at a third device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 600 will be described from the perspective of the third device implementing the SCP 140 with reference to Fig. 1.
  • the third device transmits to a first device a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
  • the third device receives from the first device the access token comprising at least the digitally signed network function context information.
  • the method 600 further comprises: transmitting to the first device a second request for query of the first network function, the second request comprising at least the information of the at least one network slice associated with the first network function; and receiving from the first device the network function context information of the first network function.
  • the service communication proxy can be connected to the first network function, and the second request further comprises information concerning the service communication proxy.
  • the method 600 further comprises: transmitting to the first device a certificate comprising the network function context information; and in accordance with a successful validation of the certificate by the first device, connecting to the first network function via a transport layer security connection.
  • the method 600 further comprises: receiving from the first device a request for a service from a second network function; transmitting to the first device a third request for an access token to be used by the first network function requesting the service, the third request comprising at least the digitally signed network function context information, the first and second network functions communicating with each other via the service communication proxy; in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, receiving from the first device the access token comprising at least the network function context information; and transmitting to the second network function a service request message comprising the access token.
  • the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or Fully Qualified Domain Name of the first network function.
  • the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
  • the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
  • the network function context information further comprises information concerning issuer of the network function context information.
  • the information concerning issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
  • Fig. 7 shows a flowchart of an example method 700 implemented at a fourth device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 700 will be described from the perspective of the fourth device implementing the NFp 130 with reference to Fig. 1.
  • the fourth device receives from a third device a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
  • the fourth device authenticates the first network function based on the digitally signed network function context information.
  • the fourth device provides service for the first network function.
  • the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or Fully Qualified Domain Name of the first network function.
  • the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
  • the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
  • the network function context information further comprises information concerning issuer of the network function context information.
  • the information concerning issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
  • an apparatus capable of performing the method 400 may comprise means for performing the respective steps of the method 400.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the apparatus comprises means for receiving, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function; means for generating network function context information of the first network function based on the profile, the network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; means for digitally signing the network function context information by using a private key of the first device; and means for transmitting the digitally signed network function context information to the first network function.
  • the first device is configured to implement a network repository function.
  • the apparatus further comprises: means for receiving, from a first service communication proxy, a second request for an access token to be used by the first network function requesting a service from a second network function, the second request comprising at least the network function context information of the first network function, the first and second network functions communicating with each other via the first service communication proxy; and in accordance with a successful authentication of the first network function based on the network function context information, means for transmitting to the first service communication proxy the access token comprising at least the network function context information.
  • the apparatus further comprises: means for receiving a third request for deregistration of the first network function from the first network function, the third request comprising the network function context information; and in accordance with a successful removal of the profile of the first network function from the first device, means for transmitting to the first network function a response indicating the successful removal.
  • the apparatus further comprises: in accordance with reception of a fourth request for query of the first network function from a second device, means for transmitting the network function context information of the first network function to the second device, the fourth request comprising at least the information of the at least one network slice associated with the first network function.
  • the fourth request further comprises information concerning at least one second service communication proxy that the first network function can be connected to.
  • the apparatus further comprises: means for receiving, from a third device, a fifth request for subscription to a notification of change of the network function context information; and in accordance with the change of the network function context information, means for transmitting the notification to the third device.
  • the apparatus further comprises: means for receiving a certificate from a third service communication proxy, the certificate comprising the network function context information; means for validating the certificate based on the network function context information; and in accordance with a successful validation of the certificate, means for establishing a transport layer security connection between the first network function and the third service communication proxy.
  • the apparatus further comprises: means for receiving, from the first network function, a sixth request for update of the network function context information; means for updating the network function context information; and means for transmitting the updated network function context information to the first network function.
  • the first device is configured to implement a fourth service communication proxy connected to the first network function directly.
  • the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or Fully Qualified Domain Name of the first network function.
  • the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
  • the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
  • the network function context information further comprises information concerning issuer of the network function context information.
  • the information concerning issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
  • an apparatus capable of performing the method 500 may comprise means for performing the respective steps of the method 500.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the apparatus comprises means for transmitting, from a second device implementing a first network function to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function; and means for receiving digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
  • the first device is configured to implement a network repository function.
  • the apparatus further comprises: means for transmitting a second request for deregistration of the first network function to the first device, the second request comprising the network function context information; and in accordance with a successful removal of the profile of the first network function from the first device, means for receiving from the first device a response indicating the successful removal.
  • the apparatus further comprises: means for transmitting a third request for update of the network function context information to the first device; and means for receiving the updated network function context information from the first device.
  • the first device is configured to implement a service communication proxy connected to the first network function directly.
  • the network function context information comprises at least one of: an instance identifier of the first network function, or Fully Qualified Domain Name of the first network function.
  • the network function context information comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
  • the network function context information comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
  • the network function context information comprises information concerning issuer of the network function context information.
  • the information concerning issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
  • an apparatus capable of performing the method 600 may comprise means for performing the respective steps of the method 600.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the apparatus comprises means for transmitting, from a third device implementing a service communication proxy to a first device, a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; and in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, means for receiving from the first device the access token comprising at least the digitally signed network function context information.
  • the apparatus further comprises: means for transmitting to the first device a second request for query of the first network function, the second request comprising at least the information of the at least one network slice associated with the first network function; and means for receiving from the first device the network function context information of the first network function.
  • the service communication proxy can be connected to the first network function, and the second request further comprises information concerning the service communication proxy.
  • the apparatus further comprises: means for transmitting to the first device a certificate comprising the network function context information; and in accordance with a successful validation of the certificate by the first device, means for connecting to the first network function via a transport layer security connection.
  • the apparatus further comprises: means for receiving from the first device a request for a service from a second network function; means for transmitting to the first device a third request for an access token to be used by the first network function requesting the service, the third request comprising at least the digitally signed network function context information, the first and second network functions communicating with each other via the service communication proxy; in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, means for receiving from the first device the access token comprising at least the network function context information; and means for transmitting to the second network function a service request message comprising the access token.
  • the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or a Fully Qualified Domain Name (FQDN) of the first network function.
  • the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
  • the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
  • the network function context information further comprises information concerning the issuer of the network function context information.
  • the information concerning the issuer of the network function context information comprises at least one of: a signature of the issuer of the network function context information, temporal information concerning the issuer of the network function context information, address information which enables obtaining a public key of the issuer, or an identifier of the issuer.
  • an apparatus capable of performing the method 700 may comprise means for performing the respective steps of the method 700.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the apparatus comprises: means for receiving, at a second device implementing a second network function from a third device, a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; means for authenticating the first network function based on the digitally signed network function context information; and, in accordance with a successful authentication of the first network function, means for providing service for the first network function.
  • the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
  • the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
  • the network function context information further comprises information concerning the issuer of the network function context information.
  • the information concerning the issuer of the network function context information comprises at least one of: a signature of the issuer of the network function context information, temporal information concerning the issuer of the network function context information, address information which enables obtaining a public key of the issuer, or an identifier of the issuer.
  • Fig. 8 is a simplified block diagram of a device 800 that is suitable for implementing embodiments of the present disclosure.
  • the device 800 may be provided to implement the communication device, for example the NFR 110, the NFc 120, the NFp 130, and the SCP 140.
  • the device 800 includes one or more processors 810, one or more memories 820 coupled to the processor 810, and one or more communication modules 840 coupled to the processor 810.
  • the communication module 840 is for bidirectional communications.
  • the communication module 840 has at least one antenna to facilitate communication.
  • the communication interface may represent any interface that is necessary for communication with other network elements.
  • the processor 810 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
  • the device 800 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
  • the memory 820 may include one or more non-volatile memories and one or more volatile memories.
  • the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 824, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), and other magnetic storage and/or optical storage.
  • the volatile memories include, but are not limited to, a random access memory (RAM) 822 and other volatile memories that will not last in the power-down duration.
  • a computer program 830 includes computer executable instructions that are executed by the associated processor 810.
  • the program 830 may be stored in the ROM 820.
  • the processor 810 may perform any suitable actions and processing by loading the program 830 into the RAM 820.
  • the embodiments of the present disclosure may be implemented by means of the program 830 so that the device 800 may perform any process of the disclosure as discussed with reference to Figs. 4 to 7.
  • the embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
  • the program 830 may be tangibly contained in a computer readable medium which may be included in the device 800 (such as in the memory 820) or other storage devices that are accessible by the device 800.
  • the device 800 may load the program 830 from the computer readable medium to the RAM 822 for execution.
  • the computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like.
  • Fig. 9 shows an example of the computer readable medium 900 in form of CD or DVD.
  • the computer readable medium has the program 830 stored thereon.
  • in network functions virtualization (NFV), a virtualized network function may comprise one or more virtual machines running computer program code on standard or general-purpose servers instead of customized hardware. Cloud computing or data storage may also be utilized.
  • in radio communications, this may mean that node operations are carried out, at least partly, in a central/centralized unit (CU), e.g. a server, host or node, operationally coupled to a distributed unit (DU), e.g. a radio head/node. It is also possible that node operations will be distributed among a plurality of servers, nodes or hosts. It should also be understood that the distribution of labour between core network operations and base station operations may vary depending on implementation.
  • the server may generate a virtual network through which the server communicates with the distributed unit.
  • virtual networking may involve a process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network.
  • Such virtual network may provide flexible distribution of operations between the server and the radio head/node.
  • any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation.
  • a CU-DU architecture is implemented.
  • the device 800 may be comprised in a central unit (e.g. a control unit, an edge cloud server, a server) operatively coupled (e.g. via a wireless or wired network) to a distributed unit (e.g. a remote radio head/node).
  • the central unit (e.g. an edge cloud server) and the distributed unit may be stand-alone apparatuses communicating with each other via a radio path or via a wired connection. Alternatively, they may be in the same entity communicating via a wired connection, etc.
  • the edge cloud or edge cloud server may serve a plurality of distributed units or radio access networks.
  • at least some of the described processes may be performed by the central unit.
  • the device 800 may be instead comprised in the distributed unit, and at least some of the described processes may be performed by the distributed unit.
  • the execution of at least some of the functionalities of the device 800 may be shared between two physically separate devices (DU and CU) forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
  • CU-DU architecture may provide flexible distribution of operations between the CU and the DU. In practice, any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation.
  • the device 800 controls the execution of the processes, regardless of the location of the apparatus and regardless of where the processes/functions are carried out.
  • various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
  • the present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium.
  • the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the method 400, 500, 600 or 700 as described above with reference to Figs. 4-7.
  • program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
  • the functionality of the program modules may be combined or split between program modules as desired in various embodiments.
  • Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
  • Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
  • the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
  • the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above.
  • Examples of the carrier include a signal, computer readable medium, and the like.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
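The certificate-based variant listed above (the service communication proxy transmits a certificate comprising the network function context information to the first device and, on successful validation, connects over a TLS connection), worked through in Go as an added example that is not part of the disclosure or of any Nokia code. The context is carried as a private X.509 extension in a certificate issued under a CA the first device trusts; the receiver validates the chain and validity period, extracts the context, and checks that the context's FQDN is a name the certificate was actually issued for. The page does not specify how the context is encoded in the certificate, so the extension OID (a placeholder under the private-enterprise arc), the CA name, the JSON field names and the sample NF values are all constructed, and `ContextInfo` carries only a subset of the context fields the disclosure lists.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// ContextInfo is the part of the context information carried in the certificate here; JSON names are this example's own.
type ContextInfo struct {
	NFInstanceID  string   `json:"nfInstanceId"`
	FQDN          string   `json:"fqdn"`
	AllowedSlices []string `json:"allowedSlices"`
}

// nfContextOID is a placeholder under the private-enterprise arc; no OID is assigned for this in the disclosure or 3GPP.
var nfContextOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// NewIssuer creates a self-signed CA standing in for the operator CA the first device trusts.
func NewIssuer(now time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "nf-context-issuer"},
		NotBefore:             now,
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, priv, err
}

// IssueNFCertificate binds the NF's own key to its context: the context JSON travels in a non-critical extension of a certificate the issuer signs for the NF's FQDN.
func IssueNFCertificate(ca *x509.Certificate, caKey ed25519.PrivateKey, ctx ContextInfo, now time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	raw, _ := json.Marshal(ctx) // marshalling a plain struct cannot fail
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(2),
		Subject:         pkix.Name{CommonName: ctx.FQDN},
		DNSNames:        []string{ctx.FQDN},
		NotBefore:       now,
		NotAfter:        now.Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: nfContextOID, Value: raw}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// ValidateNFCertificate is the first device's check before accepting the TLS peer: chain and validity period first, then the context extension, whose FQDN must be a name the certificate covers.
func ValidateNFCertificate(ca, cert *x509.Certificate, now time.Time) (ContextInfo, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return ContextInfo{}, fmt.Errorf("certificate validation failed: %w", err)
	}
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(nfContextOID) {
			continue
		}
		var ctx ContextInfo
		if err := json.Unmarshal(ext.Value, &ctx); err != nil {
			return ContextInfo{}, err
		}
		if err := cert.VerifyHostname(ctx.FQDN); err != nil {
			return ContextInfo{}, fmt.Errorf("context FQDN not covered by certificate: %w", err)
		}
		return ctx, nil
	}
	return ContextInfo{}, fmt.Errorf("certificate carries no NF context extension")
}

func main() { // constructed sample values
	now := time.Now()
	ca, caKey, _ := NewIssuer(now)
	cert, _, _ := IssueNFCertificate(ca, caKey, ContextInfo{NFInstanceID: "amf-1", FQDN: "amf1.example.test", AllowedSlices: []string{"1-000001"}}, now)
	fmt.Println(ValidateNFCertificate(ca, cert, now))
}
```

The extension is deliberately non-critical, so a peer that does not understand it still validates the chain normally; the context is only trusted after the chain check succeeds, and the FQDN cross-check stops a context being attached to a certificate issued for a different name. In a deployment, the TLS handshake would supply `cert` from the peer's certificate chain and `ca` from the configured trust store.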

Abstract

Embodiments of the present disclosure relate to securely identifying a network function. A first device receives, from a first network function, a first request for registration of the first network function. The first request comprises a profile of the first network function. The first device generates network function context information of the first network function based on the profile. The network function context information comprises at least identification information of the first network function and information of at least one network slice associated with the first network function. The first device digitally signs the network function context information by using a private key of the first device. The first device transmits the digitally signed network function context information to the first network function.

Description

SECURELY IDENTIFYING NETWORK FUNCTION
FIELD
[0001] Embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to devices, methods, apparatuses and computer readable storage media for securely identifying a network function (NF).
BACKGROUND
[0002] The 3rd Generation Partnership Project (3GPP) is currently finalizing Release 16 (Rel-16) from a security perspective. In cloud-native setups, the lifetime of a NF instance may be relatively short. Thus, NF instances for a specific NF type may be created or deleted from a system, or the NF instances may be inactivated if they are not totally deleted from the system. As such, the number of the NF instances may be increased or decreased. Accordingly, a flexible solution for securely identifying NF instances is needed.
SUMMARY
[0003] In general, example embodiments of the present disclosure provide a solution for securely identifying a network function.
[0004] In a first aspect, there is provided a first device. The first device comprises at least one processor, and at least one memory including computer program codes. The at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to: receive, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function; generate network function context information of the first network function based on the profile, the network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; digitally sign the network function context information by using a private key of the first device; and transmit the digitally signed network function context information to the first network function.
[0005] In a second aspect, there is provided a second device. The second device comprises at least one processor, and at least one memory including computer program codes. The at least one memory and the computer program codes are configured to, with the at least one processor, cause the second device to: transmit, to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function; and receive digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
[0006] In a third aspect, there is provided a third device. The third device comprises at least one processor, and at least one memory including computer program codes. The at least one memory and the computer program codes are configured to, with the at least one processor, cause the third device to: transmit to a first device a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; and in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, receive from the first device the access token comprising at least the digitally signed network function context information.
[0007] In a fourth aspect, there is provided a fourth device. The fourth device comprises at least one processor, and at least one memory including computer program codes. The at least one memory and the computer program codes are configured to, with the at least one processor, cause the fourth device to: receive from a third device a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; authenticate the first network function based on the digitally signed network function context information; and in accordance with a successful authentication of the first network function, provide service for the first network function.
[0008] In a fifth aspect, there is provided a method implemented at a first device. The method comprises: receiving, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function; generating network function context information of the first network function based on the profile, the network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; digitally signing the network function context information by using a private key of the first device; and transmitting the digitally signed network function context information to the first network function.
[0009] In a sixth aspect, there is provided a method implemented at a second device. The method comprises: transmitting, from a second device implementing a first network function to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function; and receiving digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
[0010] In a seventh aspect, there is provided a method implemented at a third device. The method comprises: transmitting, from a third device implementing a service communication proxy to a first device, a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; and in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, receiving from the first device the access token comprising at least the digitally signed network function context information.
[0011] In an eighth aspect, there is provided a method implemented at a fourth device. The method comprises: receiving, at a second device implementing a second network function from a third device, a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; authenticating the first network function based on the digitally signed network function context information; and in accordance with a successful authentication of the first network function, providing service for the first network function.
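The registration and access-token exchanges of the fifth to eighth aspects, worked through end to end in Go as an added example that is not code from the disclosure or from Nokia. The first device (the NRF) derives the context from the NF profile and signs it; the service communication proxy later presents that signed context when asking for an access token; the NRF authenticates the consumer from it and returns a token that embeds it; and the producer verifies both signatures before checking that the requested slice is one the consumer is allowed to use. Ed25519 stands in for the unspecified private key, the expiry field plays the role of the temporal issuer information, and the JSON field names, the NF identifiers (amf-1, smf-1) and the slice identifiers are constructed; the token is a plain signed JSON object rather than the OAuth 2.0 access token 3GPP uses on the service-based interface.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// NFContext is the disclosure's network function context information (identification,
// slice and issuer information) plus the issuer's signature. JSON names are this example's own.
type NFContext struct {
	NFInstanceID  string   `json:"nfInstanceId"`
	FQDN          string   `json:"fqdn"`
	AllowedSlices []string `json:"allowedSlices"` // slices the NF is allowed to use
	Issuer        string   `json:"issuer"`        // identifier of the signing NRF
	ExpiresAt     int64    `json:"exp"`           // temporal information about the issuance
	Signature     []byte   `json:"sig,omitempty"` // Ed25519 over the JSON of the other fields
}

type AccessToken struct { // signed consumer context bound to one producer by a second NRF signature
	Consumer  NFContext `json:"consumer"`
	Audience  string    `json:"aud"`
	Signature []byte    `json:"sig,omitempty"`
}

type NRF struct { // the "first device"; Ed25519 stands in for its unspecified private key
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewNRF(id string) (*NRF, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &NRF{ID: id, Pub: pub, priv: priv}, err
}

// canonical is the signed byte string; encoding/json writes struct fields in declaration order, so both sides get identical bytes.
func canonical(v interface{}) []byte {
	raw, _ := json.Marshal(v)
	return raw
}

// Register builds the context from the NF profile, adds issuer information and signs it.
func (n *NRF) Register(profile NFContext, now time.Time, ttl time.Duration) NFContext {
	ctx := profile
	ctx.Issuer, ctx.ExpiresAt, ctx.Signature = n.ID, now.Add(ttl).Unix(), nil
	ctx.Signature = ed25519.Sign(n.priv, canonical(ctx))
	return ctx
}

// VerifyContext is what every receiver checks: signature, issuer and expiry.
func VerifyContext(pub ed25519.PublicKey, ctx NFContext, issuer string, now time.Time) error {
	unsigned := ctx
	unsigned.Signature = nil
	if !ed25519.Verify(pub, canonical(unsigned), ctx.Signature) {
		return fmt.Errorf("context signature invalid")
	}
	if ctx.Issuer != issuer || now.Unix() >= ctx.ExpiresAt {
		return fmt.Errorf("context from %q is expired or not from the expected issuer", ctx.Issuer)
	}
	return nil
}

// IssueToken answers the SCP's access-token request: authenticate the consumer from its signed context, then embed it in a token signed for one producer.
func (n *NRF) IssueToken(consumer NFContext, audience string, now time.Time) (AccessToken, error) {
	if err := VerifyContext(n.Pub, consumer, n.ID, now); err != nil {
		return AccessToken{}, fmt.Errorf("consumer authentication failed: %w", err)
	}
	tok := AccessToken{Consumer: consumer, Audience: audience}
	tok.Signature = ed25519.Sign(n.priv, canonical(tok)) // Signature is still nil here
	return tok, nil
}

// AuthorizeService is the producer side: verify the token, re-verify the embedded consumer context, then check the requested slice against the allowed list.
func AuthorizeService(pub ed25519.PublicKey, issuer, producerID, slice string, tok AccessToken, now time.Time) error {
	unsigned := tok
	unsigned.Signature = nil
	if !ed25519.Verify(pub, canonical(unsigned), tok.Signature) || tok.Audience != producerID {
		return fmt.Errorf("token rejected: bad signature or audience %q", tok.Audience)
	}
	if err := VerifyContext(pub, tok.Consumer, issuer, now); err != nil {
		return err
	}
	for _, s := range tok.Consumer.AllowedSlices {
		if s == slice {
			return nil
		}
	}
	return fmt.Errorf("consumer %q not allowed on slice %q", tok.Consumer.NFInstanceID, slice)
}

func main() { // constructed sample: an AMF consumer asking an SMF producer for service
	nrf, _ := NewNRF("nrf.example.test")
	ctx := nrf.Register(NFContext{NFInstanceID: "amf-1", FQDN: "amf1.example.test", AllowedSlices: []string{"1-000001"}}, time.Now(), time.Hour)
	tok, _ := nrf.IssueToken(ctx, "smf-1", time.Now())
	fmt.Println(AuthorizeService(nrf.Pub, nrf.ID, "smf-1", "1-000001", tok, time.Now()), AuthorizeService(nrf.Pub, nrf.ID, "smf-1", "1-000009", tok, time.Now()))
}
```

Two design points worth noting. The producer re-verifies the embedded context instead of relying on the NRF's check alone, so a context whose slice list was altered in transit fails at the signature before the slice comparison runs. The token's audience field binds it to one producer, so a token issued for one NF is refused by every other NF that shares the same NRF public key.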
[0012] In a ninth aspect, there is provided an apparatus comprising means for performing steps of the method according to the above third aspect.
[0013] In a tenth aspect, there is provided an apparatus comprising means for performing steps of the method according to the above fourth aspect.
[0014] In an eleventh aspect, there is provided an apparatus comprising means for performing steps of the method according to the above fifth aspect.
[0015] In a twelfth aspect, there is provided an apparatus comprising means for performing steps of the method according to the above sixth aspect.
[0016] In a thirteenth aspect, there is provided a non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the above third aspect.
[0017] In a fourteenth aspect, there is provided a non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the above fourth aspect.
[0018] In a fifteenth aspect, there is provided a non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the above fifth aspect.
[0019] In a sixteenth aspect, there is provided a non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the above sixth aspect.
[0020] It is to be understood that the summary section is not intended to identify key or essential features of embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will become easily comprehensible through the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
[0021] Some example embodiments will now be described with reference to the accompanying drawings, where:
[0022] Fig. 1 illustrates an example environment in which some example embodiments of the present disclosure can be implemented;
[0023] Fig. 2 illustrates a signaling chart illustrating a process for securely identifying a NF according to some example embodiments of the present disclosure;
[0024] Fig. 3 illustrates a signaling chart illustrating a process for authenticating a NF consumer according to some example embodiments of the present disclosure;
[0025] Fig. 4 illustrates a flowchart of a method implemented at a first device according to some example embodiments of the present disclosure;
[0026] Fig. 5 illustrates a flowchart of a method implemented at a second device according to some example embodiments of the present disclosure;
[0027] Fig. 6 illustrates a flowchart of a method implemented at a third device according to some example embodiments of the present disclosure;
[0028] Fig. 7 illustrates a flowchart of a method implemented at a fourth device according to some example embodiments of the present disclosure;
[0029] Fig. 8 illustrates a simplified block diagram of an apparatus that is suitable for implementing embodiments of the present disclosure; and
[0030] Fig. 9 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
[0031] Throughout the drawings, the same or similar reference numerals represent the same or similar element.
DETAILED DESCRIPTION
[0032] Principles of the present disclosure will now be described with reference to some example embodiments. It is to be understood that these embodiments are described only for the purpose of illustration and help those skilled in the art to understand and implement the present disclosure, without suggesting any limitation as to the scope of the disclosure. The disclosure described herein can be implemented in various manners other than the ones described below.
[0033] In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skills in the art to which this disclosure belongs.
[0034] References in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
[0035] It shall be understood that although the terms “first” and “second” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
[0036] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “has”, “having”, “includes” and/or “including”, when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof.
[0037] As used in this application, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable):
(i) a combination of analog and/or digital hardware circuit(s) with software/firmware and
(ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions) and
(c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
[0038] This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
[0039] As used herein, the term “communication network” refers to a network following any suitable communication standards, such as fifth generation (5G) systems, Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on. Furthermore, the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the future fifth generation (5G) new radio (NR) communication protocols, and/or any other protocols either currently known or to be developed in the future. Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
[0040] As used herein, the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom. The network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), a NR Next Generation NodeB (gNB), an Integrated Access and Backhaul node, a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, a low power node such as a femto, a pico, and so forth, depending on the applied terminology and technology. A RAN split architecture comprises a gNB-CU (Centralized unit, hosting RRC, SDAP and PDCP) controlling a plurality of gNB-DUs (Distributed unit, hosting RLC, MAC and PHY).
[0041] The term “terminal device” refers to any end device that may be capable of wireless communication. By way of example rather than limitation, a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT). The terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and/or industrial wireless networks, and the like. In the following description, the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
[0042] Although, in various example embodiments, the functionalities described herein can be performed in a fixed and/or a wireless network node, in other example embodiments the functionalities may be implemented in a user equipment apparatus (such as a cell phone or tablet computer or laptop computer or desktop computer or mobile IoT device or fixed IoT device). This user equipment apparatus can, for example, be furnished with corresponding capabilities as described in connection with the fixed and/or the wireless network node(s), as appropriate. The user equipment apparatus may be the user equipment and/or a control device, such as a chipset or processor, configured to control the user equipment when installed therein. Examples of such functionalities include the bootstrapping server function and/or the home subscriber server, which may be implemented in the user equipment apparatus by providing the user equipment apparatus with software configured to cause the user equipment apparatus to perform from the point of view of these functions/nodes.
[0043] As mentioned above, in cloud-native setups, the number of the NF instances may be increased or decreased. Accordingly, a flexible solution for securely identifying NF instances is needed.
[0044] In order to solve the above technical problems and potentially other technical problems in conventional solutions, embodiments of the present disclosure provide a solution for securely identifying NF. In some embodiments, in response to reception of a request for registration of a NF, a first device generates network function context information of the network function. The first device digitally signs the network function context information by using a private key of the first device. With this solution, other NFs may use an Application Program Interface (API) exposed by the first device to verify the digitally signed network function context information. Alternatively, other NFs may use a public key of the first device to independently verify the digitally signed network function context information. In this way, securely identifying NF instances is achieved.
[0045] Reference is now made to Fig. 1, which illustrates a block diagram of an example environment 100 in which some example embodiments of the present disclosure can be implemented. As shown in Fig. 1, the environment 100 includes a network repository function (NRF) 110, NFs 120 and 130, and a service communication proxy (SCP) 140. The NRF 110 is connected to the SCP 140. The SCP 140 is connected to both the NFs 120 and 130. In the example environment 100, the NFs 120 and 130 communicate with each other via the SCP 140.
[0046] In some example embodiments, the NF 120 may act as a NF service consumer, which may request a service from the NF 130 acting as a NF service producer. Only for the purpose of illustration, in the following, the NF 120 may be also referred to as “NFc 120” or “first NF 120”, and the NF 130 may be also referred to as “NFp 130” or “second NF 130”.
[0047] The NRF 110 is a network function which maintains NF profiles and available NF instances. The NRF 110 can also provide service registration and discovery functionalities such that NFs can discover each other. The NFc 120 may be registered with the NRF 110 so as to obtain digitally signed network function context information of the NFc 120 from the NRF 110. Likewise, the NFp 130 may be registered with the NRF 110 so as to obtain digitally signed network function context information of the NFp 130 from the NRF 110.
[0048] Although the NFc 120 and the NFp 130 are shown in Fig. 1 to be connected to each other via the SCP 140, in some example embodiments, the SCP 140 as an intermediate node may be not deployed. The present disclosure may be also applicable to scenarios where the NFc 120 and the NFp 130 are connected to each other directly.
[0049] It is to be understood that the NFs 120 and 130 can be implemented in a single physical device or different physical devices. In some example embodiments, the NRF 110, the NFs 120 and 130, and the SCP 140 may be implemented at a single physical device. For example, the SCP 140 can be co-located with the NRF 110. In some example embodiments, one or more of the NRF 110, the NFs 120 and 130, and the SCP 140 may operate as a service provided by a third party and therefore a message may be routed forth and back to the third party.
[0050] As shown in Fig. 1, the NFc 120 and the NFp 130 are not directly connected to each other. The SCP 140 acts as an intermediate node between the NFc 120 and the NFp 130. It is to be understood that the number of SCPs shown in Fig. 1A is merely for illustrative purposes without any limitation, and there may be more than one SCP between the NFc 120 and the NFp 130.
[0051] It is also to be understood that the example environment 100 is shown only for purpose of illustration, without suggesting any limitation to the scope of the present disclosure. Embodiments of the present disclosure may also be applied to an environment with a different structure.
[0052] Fig. 2 is a signaling chart illustrating a process 200 for securely identifying NF instances according to some example embodiments of the present disclosure. As shown in Fig. 2, the process 200 may involve the NFc 120 and a first device 150 implementing the NRF 110 or SCP 140 as shown in Fig. 1. It is to be understood that although the process 200 involves the NFc 120, the same mechanism can also be used in other scenarios involving the NFp 130.
[0053] The first device 150 receives 210, from the first NF 120, a first request for registration of the first NF 120. The first request comprises a profile of the first NF 120. In embodiments where the first NF 120 acts as a NF consumer, the profile of the first NF 120 may only comprise an instance identifier (also referred to as NF instance ID) of the first NF 120. In embodiments where the first NF 120 acts as a NF producer, the profile of the first NF 120 may comprise not only the NF instance ID of the first NF 120, but also other information concerning the first NF 120. For example, the profile of the first NF 120 may comprise information concerning services that the first NF 120 can provide.
[0054] Upon receiving the first request, the first device 150 generates 220 network function context information of the first NF 120 based on the profile of the first NF 120. The network function context information comprises at least identification information of the first network function and information of at least one network slice associated with the first network function.
[0055] In some embodiments, the network function context information is a secure, self-contained set of information encoded in JSON Web Token (JWT) format according to RFC 7519.
[0056] In some embodiments, the network function context information comprises at least identification information of the first NF 120 and information of at least one network slice associated with the first NF 120. Because the network function context information comprises the information of at least one network slice associated with the first NF 120, the at least one network slice may be identified based on the network function context information.
[0057] In some embodiments, the identification information of the first NF 120 comprises at least one of: the NF instance ID of the first NF 120, or Fully Qualified Domain Name (FQDN) of the first NF 120.
[0058] In some embodiments, the information of the at least one network slice associated with the first NF 120 comprises at least one of: a list of identifiers of network slices that the first NF 120 is allowed to serve, or an identifier of a first network slice among the network slices that the first NF 120 is serving.
[0059] In some embodiments, the network function context information further comprises type information of the first NF 120. For example, the type information of the first NF 120 may indicate that the first NF 120 is a User Port Function (UPF), Access and Mobility Management Function (AMF), Session Management Function (SMF), Policy Control Function (PCF), Network Exposure Function (NEF), Network Slice Selection Function (NSSF), Short Message Service Function (SMSF) or Authentication Server Function (AUSF).
[0060] In some embodiments, the network function context information further comprises information concerning at least one SCP that the first NF 120 can be connected to. In other words, the network function context information further comprises information concerning a SCP domain or a list of SCPs that the first NF 120 can be connected to.
[0061] In some embodiments, the network function context information further comprises location information of the first NF 120.
[0062] In some embodiments, the network function context information further comprises information concerning issuing of the network function context information.
[0063] In some embodiments, the information concerning issuing of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuing of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer. In some embodiments, the address information may comprise a Uniform Resource Identifier (URI) that points to the public key of the issuer.
[0064] In embodiments where the network function context information of the first NF 120 is generated or issued by the first device 150 implementing the NRF 110, the issuer is the NRF 110. In embodiments where the network function context information of the first NF 120 is generated or issued by the first device 150 implementing the SCP 140, the issuer is the SCP 140.
[0065] With continued reference to Fig. 2, the first device 150 digitally signs 230 the network function context information by using a private key of the first device 150.
[0066] The first device 150 transmits 240 the digitally signed network function context information to the first NF 120.
[0067] With the present disclosure, other NFs may use an API exposed by the first device to verify the digitally signed network function context information of an NF. Alternatively, in embodiments where the network function context information comprises the URI that points to the public key of the issuer, other NFs may use the public key to independently verify the digitally signed network function context information. In this way, securely identifying NF instances is achieved.
[0068] In some embodiments, a NF producer may perform an authentication of a NF consumer based on the network function context information in an access token, which will be described with reference to Fig. 3.
[0069] Fig. 3 is a signaling chart illustrating a process 300 for authenticating a NF consumer according to some example embodiments of the present disclosure. As shown in Fig. 3, the process 300 may involve the NRF 110, the NFc 120, the NFp 130 and the SCP 140 as shown in Fig. 1.
[0070] In some example embodiments, as a pre-requisite to the process 300, mutual authentication between the NFc 120 and the SCP 140 may be performed at 301, and mutual authentication between the SCP 140 and the NRF 110 may be performed 302. For example, TLS handshake procedures may be performed for the mutual authentications. In this way, secure connections using TLS (also referred to as “TLS connection”) can be established between the NFc 120 and the SCP 140, and between the SCP 140 and the NRF 110. For example, during the TLS handshake between the NFc 120 and the SCP 140, a client certificate of the NFc 120 can be provided or indicated to the SCP 140.
[0071] In the example process of the present disclosure, the client certificate of the NFc 120 may comprise the network function context information of the NFc 120. For example, the network function context information of the NFc 120 may be included in a SubjectAltName field of the certificate. Alternatively, a UniformResourceIdentifier field may comprise a URI that points to the location where the network function context information of the NFc 120 can be obtained. Alternatively, an OtherName field may directly point to the network function context information of the NFc 120 in signed JWT format.
[0072] In some example embodiments, also as a pre-requisite to the process 300, a register procedure 303 may be performed between the NFc 120 and the NRF 110. Through the register procedure, the NFc 120 is registered with the NRF 110 and obtains the network function context information of the NFc 120. In some example embodiments, the NFc 120 obtains the network function context information of the NFc 120 by performing the process 200 as described above.
[0073] The NFc 120 may desire a NF service. The NFc 120 transmits 304 or forwards a request for the service (which is also referred to as a service request herein) to the SCP 140 with which the NFc 120 is communicating and has established a secure TLS connection. A NFc instance ID, a NFc type and the digitally signed network function context information of the NFc 120 may be included in the service request.
[0074] Upon receiving the service request from the NFc 120, the SCP 140 performs 305 discovery service operations with the NRF 110 to obtain a list of target NF producers that can serve the service request of the NFc 120. The SCP 140 then selects one NFp from the list. In this example process 300, the NFp 130 is selected.
[0075] The SCP 140 transmits 306 a request for an access token (which is also referred to as an access token request) to the NRF 110. The requested access token is to be used for the NFc 120 to request a service from the NFp 130. The access token request may include the digitally signed network function context information of the NFc 120. In addition, in 5G Core Network (5GC) enhanced Service Based Architecture (eSBA) Release 16 or later, the NF Instance ID can be made optional in access token requests. For backward compatibility purposes (because Rel-15 includes the NF Instance Id), the access token request may include the NF Instance ID of the NFc 120. Moreover, the access token request may also include expected service name(s), a target NF type, and a NFc type.
[0076] It is to be understood that because the access token request from the NFc 120 or the SCP 140 to the NRF 110 may include the digitally signed network function context information of the NFc 120, it is possible to use the digitally signed network function context information for identifying the requester in addition to or instead of the NF Instance Id. However, the SCP 140 adding the digitally signed network function context information on behalf of the NFc 120 may require mutual agreement between the SCP 140 and the NFc 120.
[0077] Upon receiving the access token request from the SCP 140, the NRF 110 authenticates 307 the NFc 120 by verifying the digitally signed network function context information of the NFc 120. For example, the NRF 110 first verifies the signature in the digitally signed network function context information of the NFc 120. In the case where the NRF 110 issued the digitally signed network function context information of the NFc 120, it is the NRF 110's own signature that it has to verify. In addition, the NRF 110 may verify that an instance of the NFc 120 is still alive. Moreover, the NRF 110 may verify whether the digitally signed network function context information in the access token request belongs to the NFc 120.
[0078] The NRF 110 authorizes 308 the NFc 120 to request desired service from the NFp 130. If the NFc 120 is authorized, the NRF 110 may generate 309 a digitally signed access token.
[0079] The NRF 110 includes 310 the digitally signed network function context information of the NFc 120 in the digitally signed access token.
[0080] In some embodiments, the NRF 110 includes 310 the digitally signed network function context information of the NFc 120 in the existing “sub” information element (IE).
[0081] Alternatively, in some embodiments, the NRF 110 includes the digitally signed network function context information of the NFc 120 in a new IE that is created to carry the digitally signed network function context information of a NF. The new IE may be called, for example, “nfSecureName”.
[0082] Alternatively, in some embodiments, the NRF 110 includes the digitally signed network function context information of the NFc 120 in the existing “iss” IE. In this way, there is no need to rely on nfInstanceId as the primary NF identity; the new signed NF context information is used instead.
[0083] Table 1 depicts the various information elements in the Access Token.
Table 1: definition of type AccessTokenClaims (the table body is an image in the source and is not reproduced here)
[0084] The NRF 110 transmits 311 an Access Token Response to the SCP 140 with the access token included.
[0085] Upon receiving the Access Token Response from the NRF 110 with the access token included, the SCP 140 includes 312 the access token in the Service Request message and sends 313 the message to the NFp 130.
[0086] The NFp 130 validates 314 the access token in the Service Request message. In addition, the NFp 130 also authenticates the NFc 120 by validating the digitally signed network function context information included in the access token.
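The registration flow of process 200 (generate, sign and return the NF context) and the access-token flow of process 300 (NRF checks at 307, context carried in the “sub” IE at 310, producer validation at 314), worked through as an added example that is not part of the patent or of any Nokia implementation. The claim names (allowedNsiList, servingNsi, scpDomains, locality, issuerKeyUri), the request field names, the NRF identifier and key, and the producer's slice check are assumptions, and HS256 stands in for the NRF's private-key signature so the code runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json

# Constructed values. HS256 is a stand-in so this runs on the standard library; the
# NRF in the text signs with its private key so any NF can verify with its public key.
NRF_ID = "nrf.5gc.example"
NRF_KEY = b"constructed-nrf-signing-key"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(claims: dict, key: bytes) -> str:
    """Compact JWS (RFC 7515) over a JWT claim set (RFC 7519)."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def jws_verify(token: str, key: bytes, now: int) -> dict:
    """Return the claims if the signature is valid and 'exp' has not passed."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(payload))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def issue_nf_context(profile: dict, now: int) -> str:
    """NRF side of process 200 (220-230): build and sign the NF context."""
    ctx = {
        "nfInstanceId": profile["nfInstanceId"],
        "fqdn": profile.get("fqdn"),
        "nfType": profile.get("nfType"),
        "allowedNsiList": profile.get("allowedNsiList", []),  # slices it may serve
        "servingNsi": profile.get("servingNsi"),               # slice served now
        "scpDomains": profile.get("scpDomains", []),
        "locality": profile.get("locality"),
        "iss": NRF_ID,                                         # issuer identifier
        "iat": now,                                            # time of issuing
        "issuerKeyUri": f"https://{NRF_ID}/jwks",              # issuer public key
    }
    if ctx["servingNsi"] and ctx["servingNsi"] not in ctx["allowedNsiList"]:
        raise ValueError("serving slice is not in the allowed slice list")
    return jws_sign(ctx, NRF_KEY)


def nrf_access_token(request: dict, alive: set, now: int) -> str:
    """NRF side of process 300 (307-310): authenticate, then issue the token."""
    ctx = jws_verify(request["nfContext"], NRF_KEY, now)  # 1. our own signature
    if ctx["iss"] != NRF_ID:
        raise ValueError("context was not issued by this NRF")
    if ctx["nfInstanceId"] not in alive:                  # 2. instance still alive
        raise ValueError("consumer instance is not registered")
    if request.get("nfInstanceId", ctx["nfInstanceId"]) != ctx["nfInstanceId"]:
        raise ValueError("context does not belong to the requester")  # 3. owner
    token = {
        "iss": NRF_ID,
        "sub": request["nfContext"],   # the signed context, not a bare instance ID
        "aud": request["targetNfType"],
        "scope": " ".join(request["scope"]),
        "iat": now,
        "exp": now + 600,
    }
    return jws_sign(token, NRF_KEY)


def nfp_validate(access_token: str, my_nf_type: str, my_nsi: str, now: int) -> dict:
    """Producer side (314): validate the token, then the signed context inside."""
    tok = jws_verify(access_token, NRF_KEY, now)
    if tok["aud"] != my_nf_type:
        raise ValueError("token is not for this NF type")
    ctx = jws_verify(tok["sub"], NRF_KEY, now)            # inner signed context
    if my_nsi not in ctx["allowedNsiList"]:               # slice policy (assumed)
        raise ValueError("consumer is not allowed on this slice")
    return ctx


def demo(now: int = 1_700_000_000):
    """Constructed run: register an AMF, get a token for an SMF, validate there."""
    profile = {"nfInstanceId": "6b2c6b3e-0000-4000-8000-000000000001", "nfType": "AMF",
               "fqdn": "amf1.5gc.example", "allowedNsiList": ["1-000001", "1-000002"],
               "servingNsi": "1-000001", "scpDomains": ["scp-dom-a"], "locality": "dc-east"}
    ctx_token = issue_nf_context(profile, now)
    request = {"nfContext": ctx_token, "nfInstanceId": profile["nfInstanceId"],
               "targetNfType": "SMF", "scope": ["nsmf-pdusession"]}
    access_token = nrf_access_token(request, {profile["nfInstanceId"]}, now)
    return ctx_token, access_token, nfp_validate(access_token, "SMF", "1-000002", now + 60)
```

The producer ends up with the whole signed context (type, slices, SCP domain, locality) rather than only an instance identifier, which is what gives the finer-grained authorization the text describes.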
[0087] Compared with authentication based only on the NF instance Id, the authentication process 300 as described with reference to Fig. 3 is performed based on the digitally signed network function context information of the NF. Because the digitally signed network function context information comprises not only the NF instance Id but also additional information about the NF, the authentication process 300 allows for better granularity and compliance with local regulations.
[0088] In some embodiments, the first device 150 implementing the NRF 110 may provide an API for a NF to deregister the NF and the digitally signed network function context information of the NF. In such embodiments, the first device 150 receives a third request for deregistration of the first NF 120 from the first NF 120. The third request comprises the network function context information of the first NF 120. If the first device 150 successfully removes the profile of the first NF 120 from the first device 150, the first device 150 transmits to the first NF 120 a response indicating the successful removal.
[0089] In some embodiments, the first device 150 implementing the NRF 110 may provide an API for a NF to share a list of the digitally signed network function context information of the NF with a trusted entity. A variation of this API is to query whether the digitally signed network function context information of the NF is applicable to a network slice, an SCP domain and so on. In such embodiments, if the first device 150 receives a fourth request for query of the first NF 120 from a second device, the first device 150 transmits the network function context information of the first NF 120 to the second device. The fourth request comprises at least the information of the at least one network slice associated with the first NF 120. In some embodiments, the fourth request further comprises information concerning at least one SCP that the first NF 120 can be connected to.
[0090] In some embodiments, the first device 150 implementing the NRF 110 may provide an API for a NF to allow NFs and/or an external entity to subscribe for information changes (register/deregister) related to digitally signed network function context information of a NF. In some embodiments, the first device 150 implementing the NRF 110 may provide an API to push changes within digitally signed network function context information of a NF to the concerned NF.
[0091] In such embodiments, the first device 150 receives, from a third device, a fifth request for subscription to a notification of change of the network function context information. If the change of the network function context information occurs, the first device 150 transmits the notification to the third device.
[0092] In some embodiments, the first device 150 receives a certificate from a SCP, the certificate comprising the network function context information. The first device 150 validates the certificate based on the network function context information. If the first device 150 successfully validates the certificate, the first device 150 establishes a transport layer security connection between the first NF 120 and the SCP.
[0093] In some embodiments, the first device 150 implementing the NRF 110 may provide an API for a NF to obtain new digitally signed network function context information of the NF with a more current timestamp. In such embodiments, the first device 150 receives, from the first NF 120, a sixth request for update of the network function context information. The first device 150 updates the network function context information. The first device 150 transmits the updated network function context information to the first NF 120.
[0094] Fig. 4 shows a flowchart of an example method 400 implemented at a first device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 400 will be described from the perspective of the first device implementing the NRF 110 with reference to Fig. 1.
[0095] At block 410, the first device 110 receives, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function.
[0096] At block 420, the first device 110 generates network function context information of the first network function based on the profile. The network function context information comprises at least identification information of the first network function and information of at least one network slice associated with the first network function.
[0097] At block 430, the first device 110 digitally signs the network function context information by using a private key of the first device.
[0098] At block 440, the first device 110 transmits the digitally signed network function context information to the first network function.
[0099] In some embodiments, the first device is configured to implement a network repository function.
[00100] In some embodiments, the method 400 further comprises: receiving, from a first service communication proxy, a second request for an access token to be used by the first network function requesting a service from a second network function, the second request comprising at least the network function context information of the first network function, the first and second network functions communicating with each other via the first service communication proxy; and in accordance with a successful authentication of the first network function based on the network function context information, transmitting to the first service communication proxy the access token comprising at least the network function context information.
[00101] In some embodiments, the method 400 further comprises: receiving a third request for deregistration of the first network function from the first network function, the third request comprising the network function context information; and in accordance with a successful removal of the profile of the first network function from the first device, transmitting to the first network function a response indicating the successful removal.
[00102] In some embodiments, the method 400 further comprises: in accordance with reception of a fourth request for query of the first network function from a second device, transmitting the network function context information of the first network function to the second device, the fourth request comprising at least the information of the at least one network slice associated with the first network function.
[00103] In some embodiments, the fourth request further comprises information concerning at least one second service communication proxy that the first network function can be connected to.
[00104] In some embodiments, the method 400 further comprises: receiving, from a third device, a fifth request for subscription to a notification of change of the network function context information; and in accordance with the change of the network function context information, transmitting the notification to the third device.
[00105] In some embodiments, the method 400 further comprises: receiving a certificate from a third service communication proxy, the certificate comprising the network function context information; validating the certificate based on the network function context information; and in accordance with a successful validation of the certificate, establishing a transport layer security connection between the first network function and the third service communication proxy.
[00106] In some embodiments, the method 400 further comprises: receiving, from the first network function, a sixth request for update of the network function context information; updating the network function context information; and transmitting the updated network function context information to the first network function.
[00107] In some embodiments, the first device is configured to implement a fourth service communication proxy connected to the first network function directly.
[00108] In some embodiments, the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or a Fully Qualified Domain Name of the first network function.
[00109] In some embodiments, the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
[00110] In some embodiments, the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
[00111] In some embodiments, the network function context information further comprises information concerning the issuer of the network function context information.
[00112] In some embodiments, the information concerning the issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning the issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
[00113] Fig. 5 shows a flowchart of an example method 500 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 500 will be described from the perspective of the second device implementing the NFc 120 with reference to Fig. 1.
[00114] At block 510, the second device transmits, to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function.
[00115] At block 520, the second device receives digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
[00116] In some embodiments, the first device is configured to implement a network repository function.
[00117] In some embodiments, the method 500 further comprises: transmitting a second request for deregistration of the first network function to the first device, the second request comprising the network function context information; and in accordance with a successful removal of the profile of the first network function from the first device, receiving from the first device a response indicating the successful removal.
[00118] In some embodiments, the method 500 further comprises: transmitting a third request for update of the network function context information to the first device; and receiving the updated network function context information from the first device.
[00119] In some embodiments, the first device is configured to implement a service communication proxy connected to the first network function directly.
[00120] In some embodiments, the network function context information comprises at least one of: an instance identifier of the first network function, or a Fully Qualified Domain Name of the first network function.
[00121] In some embodiments, the network function context information comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
[00122] In some embodiments, the network function context information comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
[00123] In some embodiments, the network function context information comprises information concerning the issuer of the network function context information.
[00124] In some embodiments, the information concerning the issuer of the network function context information comprises at least one of: a signature of the issuer of the network function context information, temporal information concerning the issuer of the network function context information, address information which enables obtaining a public key of the issuer, or an identifier of the issuer.
[00125] Fig. 6 shows a flowchart of an example method 600 implemented at a third device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 600 will be described from the perspective of the third device implementing the SCP 140 with reference to Fig. 1.
[00126] At block 610, the third device transmits to a first device a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
[00127] At block 620, in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, the third device receives from the first device the access token comprising at least the digitally signed network function context information.
[00128] In some embodiments, the method 600 further comprises: transmitting to the first device a second request for query of the first network function, the second request comprising at least the information of the at least one network slice associated with the first network function; and receiving from the first device the network function context information of the first network function.
[00129] In some embodiments, the service communication proxy can be connected to the first network function, and the second request further comprises information concerning the service communication proxy.
[00130] In some embodiments, the method 600 further comprises: transmitting to the first device a certificate comprising the network function context information; and in accordance with a successful validation of the certificate by the first device, connecting to the first network function via a transport layer security connection.
[00131] In some embodiments, the method 600 further comprises: receiving from the first device a request for a service from a second network function; transmitting to the first device a third request for an access token to be used by the first network function requesting the service, the third request comprising at least the digitally signed network function context information, the first and second network functions communicating with each other via the service communication proxy; in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, receiving from the first device the access token comprising at least the network function context information; and transmitting to the second network function a service request message comprising the access token.
[00132] In some embodiments, the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or a Fully Qualified Domain Name of the first network function.
[00133] In some embodiments, the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
[00134] In some embodiments, the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
[00135] In some embodiments, the network function context information further comprises information concerning the issuer of the network function context information.
[00136] In some embodiments, the information concerning the issuer of the network function context information comprises at least one of: a signature of the issuer of the network function context information, temporal information concerning the issuer of the network function context information, address information which enables obtaining a public key of the issuer, or an identifier of the issuer.
[00137] Fig. 7 shows a flowchart of an example method 700 implemented at a fourth device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 700 will be described from the perspective of the fourth device implementing the NFp 130 with reference to Fig. 1.
[00138] At block 710, the fourth device receives from a third device a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
[00139] At block 720, the fourth device authenticates the first network function based on the digitally signed network function context information.
[00140] At block 730, in accordance with a successful authentication of the first network function, the fourth device provides service for the first network function.
[00141] In some embodiments, the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or a Fully Qualified Domain Name of the first network function.
[00142] In some embodiments, the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
[00143] In some embodiments, the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
[00144] In some embodiments, the network function context information further comprises information concerning the issuer of the network function context information.
[00145] In some embodiments, the information concerning the issuer of the network function context information comprises at least one of: a signature of the issuer of the network function context information, temporal information concerning the issuer of the network function context information, address information which enables obtaining a public key of the issuer, or an identifier of the issuer.
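The three signed-artefact flows described above (the NRF signing context information at registration in method 400, issuing an access token bound to the consumer's signed context in method 600, and the producer validating that token in method 700) are shown end to end in the following added example. It is illustrative code written for this page, not code from the patent or from Nokia; the JSON field names, the Ed25519 signature scheme, the issuer identifier "nrf-1" and the slice identifiers are assumptions, and the key pair is generated fresh each run.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"slices"
	"time"
)

// Fresh demo key pair standing in for the NRF's private key and its published public key.
var IssuerPub, IssuerPriv, _ = ed25519.GenerateKey(rand.Reader)

// NFContext is what the NRF derives from an NF profile (field set per the patent text, JSON names assumed).
type NFContext struct {
	NFInstanceID string   `json:"nfInstanceId"`
	AllowedServe []string `json:"allowedServeSlices"` // slices the NF may serve
	AllowedUse   []string `json:"allowedUseSlices"`   // slices the NF may use or attach to
	Issuer       string   `json:"issuer"`
	IssuedAt     int64    `json:"iat"`
	ExpiresAt    int64    `json:"exp"`
}

// Signed is a serialized payload plus the issuer's Ed25519 signature over it.
type Signed struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// TokenClaims embeds the signed context verbatim, so the producer re-verifies the NRF signature rather than trusting copied fields.
type TokenClaims struct {
	Audience  string `json:"aud"`   // NF type the token is for
	Slice     string `json:"slice"` // slice the consumer asked to use
	Context   Signed `json:"nfContext"`
	ExpiresAt int64  `json:"exp"`
}

func sign(priv ed25519.PrivateKey, v interface{}) (Signed, error) {
	payload, err := json.Marshal(v)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// verify checks the signature before anything in the payload is parsed.
func verify(pub ed25519.PublicKey, s Signed, out interface{}) error {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return errors.New("bad signature")
	}
	return json.Unmarshal(s.Payload, out)
}

// Register is blocks 420-440 of method 400 at the NRF: derive the context from the profile, stamp issuer and validity window, sign.
func Register(priv ed25519.PrivateKey, issuer string, profile NFContext, now time.Time, ttl time.Duration) (Signed, error) {
	ctx := profile
	ctx.Issuer, ctx.IssuedAt, ctx.ExpiresAt = issuer, now.Unix(), now.Add(ttl).Unix()
	return sign(priv, ctx)
}

// VerifyContext is what any holder of the NRF public key does with a signed context: signature first, then issuer and validity.
func VerifyContext(pub ed25519.PublicKey, s Signed, issuer string, now time.Time) (NFContext, error) {
	var ctx NFContext
	if err := verify(pub, s, &ctx); err != nil {
		return NFContext{}, err
	}
	if ctx.Issuer != issuer || now.Unix() >= ctx.ExpiresAt {
		return NFContext{}, errors.New("nf context: wrong issuer or expired")
	}
	return ctx, nil
}

// IssueToken is the NRF side of method 600: authenticate the consumer from its signed context, then bind the token to a slice it may use.
func IssueToken(priv ed25519.PrivateKey, issuer string, consumer Signed, aud, slice string, now time.Time, ttl time.Duration) (Signed, error) {
	ctx, err := VerifyContext(priv.Public().(ed25519.PublicKey), consumer, issuer, now)
	if err != nil {
		return Signed{}, err
	}
	if !slices.Contains(ctx.AllowedUse, slice) {
		return Signed{}, errors.New("token request: slice not in consumer's allowed-use list")
	}
	return sign(priv, TokenClaims{Audience: aud, Slice: slice, Context: consumer, ExpiresAt: now.Add(ttl).Unix()})
}

// AuthorizeRequest is blocks 720-730 of method 700 at the producer: verify the token, re-verify the embedded context, check audience, expiry and slice.
func AuthorizeRequest(pub ed25519.PublicKey, issuer, myType string, token Signed, now time.Time) (NFContext, error) {
	var claims TokenClaims
	if err := verify(pub, token, &claims); err != nil {
		return NFContext{}, err
	}
	if claims.Audience != myType || now.Unix() >= claims.ExpiresAt {
		return NFContext{}, errors.New("token: wrong audience or expired")
	}
	ctx, err := VerifyContext(pub, claims.Context, issuer, now)
	if err != nil {
		return NFContext{}, err
	}
	if !slices.Contains(ctx.AllowedUse, claims.Slice) {
		return NFContext{}, errors.New("token: slice outside consumer context")
	}
	return ctx, nil
}
```

Because the token carries the consumer's signed context rather than a copy of its fields, a producer that holds only the NRF public key can reject a token whose embedded context was altered, expired, or issued by another NRF, without a round trip to the NRF.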
[00146] In some example embodiments, an apparatus capable of performing any of the method 400 (for example, the first device implementing the NRF 110) may comprise means for performing the respective steps of the method 400. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module.
[00147] In some example embodiments, the apparatus comprises means for receiving, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function; means for generating network function context information of the first network function based on the profile, the network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; means for digitally signing the network function context information by using a private key of the first device; and means for transmitting the digitally signed network function context information to the first network function.
[00148] In some embodiments, the first device is configured to implement a network repository function.
[00149] In some embodiments, the apparatus further comprises: means for receiving, from a first service communication proxy, a second request for an access token to be used by the first network function requesting a service from a second network function, the second request comprising at least the network function context information of the first network function, the first and second network functions communicating with each other via the first service communication proxy; and in accordance with a successful authentication of the first network function based on the network function context information, means for transmitting to the first service communication proxy the access token comprising at least the network function context information.
[00150] In some embodiments, the apparatus further comprises: means for receiving a third request for deregistration of the first network function from the first network function, the third request comprising the network function context information; and in accordance with a successful removal of the profile of the first network function from the first device, means for transmitting to the first network function a response indicating the successful removal.
[00151] In some embodiments, the apparatus further comprises: in accordance with reception of a fourth request for query of the first network function from a second device, means for transmitting the network function context information of the first network function to the second device, the fourth request comprising at least the information of the at least one network slice associated with the first network function.
[00152] In some embodiments, the fourth request further comprises information concerning at least one second service communication proxy that the first network function can be connected to.
[00153] In some embodiments, the apparatus further comprises: means for receiving, from a third device, a fifth request for subscription to a notification of change of the network function context information; and in accordance with the change of the network function context information, means for transmitting the notification to the third device.
[00154] In some embodiments, the apparatus further comprises: means for receiving a certificate from a third service communication proxy, the certificate comprising the network function context information; means for validating the certificate based on the network function context information; and in accordance with a successful validation of the certificate, means for establishing a transport layer security connection between the first network function and the third service communication proxy.
[00155] In some embodiments, the apparatus further comprises: means for receiving, from the first network function, a sixth request for update of the network function context information; means for updating the network function context information; and means for transmitting the updated network function context information to the first network function.
[00156] In some embodiments, the first device is configured to implement a fourth service communication proxy connected to the first network function directly.
[00157] In some embodiments, the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or a Fully Qualified Domain Name of the first network function.
[00158] In some embodiments, the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
[00159] In some embodiments, the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
[00160] In some embodiments, the network function context information further comprises information concerning the issuer of the network function context information.
[00161] In some embodiments, the information concerning the issuer of the network function context information comprises at least one of: a signature of the issuer of the network function context information, temporal information concerning the issuer of the network function context information, address information which enables obtaining a public key of the issuer, or an identifier of the issuer.
[00162] In some example embodiments, an apparatus capable of performing any of the method 500 (for example, the first device implementing the NFc 120) may comprise means for performing the respective steps of the method 500. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module.
[00163] In some example embodiments, the apparatus comprises means for transmitting, from a second device implementing a first network function to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function; and means for receiving digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
[00164] In some embodiments, the first device is configured to implement a network repository function.
[00165] In some embodiments, the apparatus further comprises: means for transmitting a second request for deregistration of the first network function to the first device, the second request comprising the network function context information; and in accordance with a successful removal of the profile of the first network function from the first device, means for receiving from the first device a response indicating the successful removal.
[00166] In some embodiments, the apparatus further comprises: means for transmitting a third request for update of the network function context information to the first device; and means for receiving the updated network function context information from the first device.
[00167] In some embodiments, the first device is configured to implement a service communication proxy connected to the first network function directly.
[00168] In some embodiments, the network function context information comprises at least one of: an instance identifier of the first network function, or a Fully Qualified Domain Name of the first network function.
[00169] In some embodiments, the network function context information comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
[00170] In some embodiments, the network function context information comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
[00171] In some embodiments, the network function context information comprises information concerning the issuer of the network function context information.
[00172] In some embodiments, the information concerning the issuer of the network function context information comprises at least one of: a signature of the issuer of the network function context information, temporal information concerning the issuer of the network function context information, address information which enables obtaining a public key of the issuer, or an identifier of the issuer.
[00173] In some example embodiments, an apparatus capable of performing any of the method 600 (for example, the first device implementing the SCP 140) may comprise means for performing the respective steps of the method 600. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module.
[00174] In some example embodiments, the apparatus comprises means for transmitting, from a third device implementing a service communication proxy to a first device, a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; and in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, means for receiving from the first device the access token comprising at least the digitally signed network function context information.
[00175] In some embodiments, the apparatus further comprises: means for transmitting to the first device a second request for query of the first network function, the second request comprising at least the information of the at least one network slice associated with the first network function; and means for receiving from the first device the network function context information of the first network function.
[00176] In some embodiments, the service communication proxy can be connected to the first network function, and the second request further comprises information concerning the service communication proxy.
[00177] In some embodiments, the apparatus further comprises: means for transmitting to the first device a certificate comprising the network function context information; and in accordance with a successful validation of the certificate by the first device, means for connecting to the first network function via a transport layer security connection.
[00178] In some embodiments, the apparatus further comprises: means for receiving from the first device a request for a service from a second network function; means for transmitting to the first device a third request for an access token to be used by the first network function requesting the service, the third request comprising at least the digitally signed network function context information, the first and second network functions communicating with each other via the service communication proxy; in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, means for receiving from the first device the access token comprising at least the network function context information; and means for transmitting to the second network function a service request message comprising the access token.
[00179] In some embodiments, the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or a Fully Qualified Domain Name of the first network function.
[00180] In some embodiments, the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
[00181] In some embodiments, the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
[00182] In some embodiments, the network function context information further comprises information concerning the issuer of the network function context information.
[00183] In some embodiments, the information concerning the issuer of the network function context information comprises at least one of: a signature of the issuer of the network function context information, temporal information concerning the issuer of the network function context information, address information which enables obtaining a public key of the issuer, or an identifier of the issuer.
[00184] In some example embodiments, an apparatus capable of performing any of the method 700 (for example, the fourth device implementing the NFp 130) may comprise means for performing the respective steps of the method 700. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module.
[00185] In some embodiments, the apparatus comprises: means for receiving, at a second device implementing a second network function from a third device, a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; means for authenticating the first network function based on the digitally signed network function context information; and in accordance with a successful authentication of the first network function, means for providing service for the first network function.
[00186] In some embodiments, the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
[00187] In some embodiments, the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
[00188] In some embodiments, the network function context information further comprises information concerning the issuer of the network function context information.
[00189] In some embodiments, the information concerning the issuer of the network function context information comprises at least one of: a signature of the issuer of the network function context information, temporal information concerning the issuer of the network function context information, address information which enables obtaining a public key of the issuer, or an identifier of the issuer.
[00190] Fig. 8 is a simplified block diagram of a device 800 that is suitable for implementing embodiments of the present disclosure. The device 800 may be provided to implement the communication device, for example the NRF 110, the NFc 120, the NFp 130, and the SCP 140. As shown, the device 800 includes one or more processors 810, one or more memories 820 coupled to the processor 810, and one or more communication modules 840 coupled to the processor 810.
[00191] The communication module 840 is for bidirectional communications. The communication module 840 has at least one antenna to facilitate communication. The communication interface may represent any interface that is necessary for communication with other network elements.
[00192] The processor 810 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 800 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
[00193] The memory 820 may include one or more non-volatile memories and one or more volatile memories. Examples of the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 824, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), and other magnetic storage and/or optical storage. Examples of the volatile memories include, but are not limited to, a random access memory (RAM) 822 and other volatile memories whose contents do not persist while power is removed.
[00194] A computer program 830 includes computer executable instructions that are executed by the associated processor 810. The program 830 may be stored in the ROM 824. The processor 810 may perform any suitable actions and processing by loading the program 830 into the RAM 822.
[00195] The embodiments of the present disclosure may be implemented by means of the program 830 so that the device 800 may perform any process of the disclosure as discussed with reference to Figs. 4 to 7. The embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
[00196] In some embodiments, the program 830 may be tangibly contained in a computer readable medium which may be included in the device 800 (such as in the memory 820) or other storage devices that are accessible by the device 800. The device 800 may load the program 830 from the computer readable medium to the RAM 822 for execution. The computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like. Fig. 9 shows an example of the computer readable medium 900 in form of CD or DVD. The computer readable medium has the program 830 stored thereon.
[00197] It should be appreciated that future networks may utilize network functions virtualization (NFV) which is a network architecture concept that proposes virtualizing network node functions into “building blocks” or entities that may be operationally connected or linked together to provide services. A virtualized network function (VNF) may comprise one or more virtual machines running computer program codes using standard or general type servers instead of customized hardware. Cloud computing or data storage may also be utilized. In radio communications, this may mean node operations to be carried out, at least partly, in a central/centralized unit, CU, (e.g. server, host or node) operationally coupled to distributed unit, DU, (e.g. a radio head/node). It is also possible that node operations will be distributed among a plurality of servers, nodes or hosts. It should also be understood that the distribution of labour between core network operations and base station operations may vary depending on implementation.
[00198] In an embodiment, the server may generate a virtual network through which the server communicates with the distributed unit. In general, virtual networking may involve a process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network. Such virtual network may provide flexible distribution of operations between the server and the radio head/node. In practice, any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation.
[00199] Therefore, in an embodiment, a CU-DU architecture is implemented. In such a case the device 800 may be comprised in a central unit (e.g. a control unit, an edge cloud server, a server) operatively coupled (e.g. via a wireless or wired network) to a distributed unit (e.g. a remote radio head/node). That is, the central unit (e.g. an edge cloud server) and the distributed unit may be stand-alone apparatuses communicating with each other via a radio path or via a wired connection. Alternatively, they may be in the same entity communicating via a wired connection, etc. The edge cloud or edge cloud server may serve a plurality of distributed units or radio access networks. In an embodiment, at least some of the described processes may be performed by the central unit. In another embodiment, the device 800 may instead be comprised in the distributed unit, and at least some of the described processes may be performed by the distributed unit.
[00200] In an embodiment, the execution of at least some of the functionalities of the device 800 may be shared between two physically separate devices (DU and CU) forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes. In an embodiment, such CU-DU architecture may provide flexible distribution of operations between the CU and the DU. In practice, any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation. In an embodiment, the device 800 controls the execution of the processes, regardless of the location of the apparatus and regardless of where the processes/functions are carried out.
[00201] Generally, various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
[00202] The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium. The computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the method 400, 500, 600 or 700 as described above with reference to Figs. 4-7. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various embodiments. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
[00203] Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented. The program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
[00204] In the context of the present disclosure, the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above. Examples of the carrier include a signal, computer readable medium, and the like.
[00205] The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
[00206] Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.
[00207] Although the present disclosure has been described in language specific to structural features and/or methodological acts, it is to be understood that the present disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims

WE CLAIM:
1. A first device, comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the first device to: receive, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function; generate network function context information of the first network function based on the profile, the network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; digitally sign the network function context information by using a private key of the first device; and transmit the digitally signed network function context information to the first network function.
2. The first device of claim 1, wherein the first device is configured to implement a network repository function.
3. The first device of claim 2, wherein the first device is further caused to: receive, from a first service communication proxy, a second request for an access token to be used by the first network function requesting a service from a second network function, the second request comprising at least the network function context information of the first network function, the first and second network functions communicating with each other via the first service communication proxy; and in accordance with a successful authentication of the first network function based on the network function context information, transmit to the first service communication proxy the access token comprising at least the network function context information.
4. The first device of claim 1, wherein the first device is further caused to: receive a third request for deregistration of the first network function from the first network function, the third request comprising the network function context information; and in accordance with a successful removal of the profile of the first network function from the first device, transmit to the first network function a response indicating the successful removal.
5. The first device of claim 1, wherein the first device is further caused to: in accordance with reception of a fourth request for query of the first network function from a second device, transmit the network function context information of the first network function to the second device, the fourth request comprising at least the information of the at least one network slice associated with the first network function.
6. The first device of claim 5, wherein the fourth request further comprises information concerning at least one second service communication proxy that the first network function can be connected to.
7. The first device of claim 1, wherein the first device is further caused to: receive, from a third device, a fifth request for subscription to a notification of change of the network function context information; and in accordance with the change of the network function context information, transmit the notification to the third device.
8. The first device of claim 1, wherein the first device is further caused to: receive a certificate from a third service communication proxy, the certificate comprising the network function context information; validate the certificate based on the network function context information; and in accordance with a successful validation of the certificate, establish a transport layer security connection between the first network function and the third service communication proxy.
9. The first device of claim 1, wherein the first device is further caused to: receive, from the first network function, a sixth request for update of the network function context information; update the network function context information; and transmit the updated network function context information to the first network function.
10. The first device of claim 1, wherein the first device is configured to implement a fourth service communication proxy connected to the first network function directly.
11. The first device of claim 1, wherein the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or Fully Qualified Domain Name of the first network function.
12. The first device of claim 1, wherein the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
13. The first device of claim 1, wherein the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
14. The first device of claim 1, wherein the network function context information further comprises information concerning issuer of the network function context information.
15. The first device of claim 14, wherein the information concerning issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
16. A second device, comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the second device implementing a first network function to: transmit, to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function; and receive digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
17. The second device of claim 16, wherein the first device is configured to implement a network repository function.
18. The second device of claim 16, wherein the second device is further caused to: transmit a second request for deregistration of the first network function to the first device, the second request comprising the network function context information; and in accordance with a successful removal of the profile of the first network function from the first device, receive from the first device a response indicating the successful removal.
19. The second device of claim 16, wherein the second device is further caused to: transmit a third request for update of the network function context information to the first device; and receive the updated network function context information from the first device.
20. The second device of claim 16, wherein the first device is configured to implement a service communication proxy connected to the first network function directly.
21. The second device of claim 16, wherein the network function context information comprises at least one of: an instance identifier of the first network function, or Fully Qualified Domain Name of the first network function.
22. The second device of claim 16, wherein the network function context information comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
23. The second device of claim 16, wherein the network function context information comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
24. The second device of claim 16, wherein the network function context information comprises information concerning issuer of the network function context information.
25. The second device of claim 24, wherein the information concerning issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
26. A third device, comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the third device implementing a service communication proxy to: transmit to a first device a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; and in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, receive from the first device the access token comprising at least the digitally signed network function context information.
27. The third device of claim 26, wherein the third device is further caused to: transmit to the first device a second request for query of the first network function, the second request comprising at least the information of the at least one network slice associated with the first network function; and receive from the first device the network function context information of the first network function.
28. The third device of claim 26, wherein the service communication proxy can be connected to the first network function, and the second request further comprises information concerning the service communication proxy.
29. The third device of claim 26, wherein the third device is further caused to: transmit to the first device a certificate comprising the network function context information; and in accordance with a successful validation of the certificate by the first device, connect to the first network function via a transport layer security connection.
30. The third device of claim 26, wherein the third device is further caused to: receive from the first device a request for a service from a second network function; transmit to the first device a third request for an access token to be used by the first network function requesting the service, the third request comprising at least the digitally signed network function context information, the first and second network functions communicating with each other via the service communication proxy; in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, receive from the first device the access token comprising at least the network function context information; and transmit to the second network function a service request message comprising the access token.
31. The third device of claim 26, wherein the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or Fully Qualified Domain Name of the first network function.
32. The third device of claim 26, wherein the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
33. The third device of claim 26, wherein the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
34. The third device of claim 26, wherein the network function context information further comprises information concerning issuer of the network function context information.
35. The third device of claim 34, wherein the information concerning issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
36. A fourth device, comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the fourth device implementing a second network function to: receive from a third device a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; authenticate the first network function based on the digitally signed network function context information; and in accordance with a successful authentication of the first network function, provide service for the first network function.
37. The fourth device of claim 36, wherein the identification information of the first network function comprises at least one of: an instance identifier of the first network function, or Fully Qualified Domain Name of the first network function.
38. The fourth device of claim 36, wherein the information of the at least one network slice associated with the first network function comprises at least one of: a first list of identifiers of a first plurality of network slices that the first network function is allowed to serve, an identifier of a first network slice among the first plurality of network slices that the first network function is serving, a second list of identifiers of a second plurality of network slices that the first network function is allowed to use or be attached to, or an identifier of a second network slice among the second plurality of network slices that the first network function is using or attached to.
39. The fourth device of claim 36, wherein the network function context information further comprises at least one of: type information of the first network function, information concerning at least one service communication proxy that the first network function can be connected to, or location information of the first network function.
40. The fourth device of claim 36, wherein the network function context information further comprises information concerning issuer of the network function context information.
41. The fourth device of claim 40, wherein the information concerning issuer of the network function context information comprises at least one of: a signature of an issuer of the network function context information, temporal information concerning issuer of the network function context information, address information which enables obtaining of a public key of the issuer, or an identifier of the issuer.
42. A method, comprising: receiving, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function; generating network function context information of the first network function based on the profile, the network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; digitally signing the network function context information by using a private key of the first device; and transmitting the digitally signed network function context information to the first network function.
43. A method, comprising: transmitting, from a second device implementing a first network function to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function; and receiving digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
44. A method, comprising: transmitting, from a third device implementing a service communication proxy to a first device, a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; and in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, receiving from the first device the access token comprising at least the digitally signed network function context information.
45. A method, comprising: receiving, at a second device implementing a second network function from a third device, a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; authenticating the first network function based on the digitally signed network function context information; and in accordance with a successful authentication of the first network function, providing service for the first network function.
46. An apparatus, comprising: means for receiving, from a first network function, a first request for registration of the first network function, the first request comprising a profile of the first network function; means for generating network function context information of the first network function based on the profile, the network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; means for digitally signing the network function context information by using a private key of the first device; and means for transmitting the digitally signed network function context information to the first network function.
47. An apparatus, comprising: means for transmitting, from a second device implementing a first network function to a first device, a first request for registration of the first network function, the first request comprising a profile of the first network function; and means for receiving digitally signed network function context information of the first network function from the first device, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function.
48. An apparatus, comprising: means for transmitting, from a third device implementing a service communication proxy to a first device, a first request for an access token to be used by a first network function requesting a service from a second network function, the first request comprising at least digitally signed network function context information of the first network function, the first and second network functions communicating with each other via the service communication proxy, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; and in accordance with a successful authentication of the first network function by the first device based on the digitally signed network function context information, means for receiving from the first device the access token comprising at least the digitally signed network function context information.
49. An apparatus, comprising: means for receiving, at a second device implementing a second network function from a third device, a service request message comprising an access token, the access token comprising at least digitally signed network function context information of a first network function, the digitally signed network function context information comprising at least identification information of the first network function and information of at least one network slice associated with the first network function; means for authenticating the first network function based on the digitally signed network function context information; and means for providing service for the first network function in accordance with a successful authentication of the first network function.
50. A non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method of claim 42.
51. A non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method of claim 43.
52. A non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method of claim 44.
53. A non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method of claim 45.
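The claims above describe a data structure and a small protocol: the first device (the NRF) derives network function context information from the registration profile (claims 1, 11-15), signs it with its private key, and the signed context later travels inside access tokens to a service communication proxy (claim 26) and to the producer network function, which authenticates the consumer from it (claim 36). The following Go program is an added example written for this page, not code from the patent or from Nokia; it shows the issuing side and the verifying side end to end. Everything concrete in it is an assumption: the JSON field names, the use of Ed25519 (the claims say only "a private key"), the one-hour validity window, the sample NF profile and host names, and the final slice check, which treats the "allowed to serve" list of claim 12 as an authorization input at the producer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// NFProfile is a constructed subset of the registration profile of claim 1.
type NFProfile struct {
	NFInstanceID  string
	FQDN          string
	NFType        string
	AllowedSlices []string // slices the NF is allowed to serve (claim 12, first list)
	ServingSlice  string   // slice it is currently serving
	SCPs          []string // SCPs it can be connected to (claim 13)
	Location      string
}

// NFContext is the network function context information of claims 1 and 11-15.
// JSON field names are assumptions made for this example.
type NFContext struct {
	NFInstanceID  string   `json:"nfInstanceId"`
	FQDN          string   `json:"fqdn"`
	NFType        string   `json:"nfType"`
	AllowedSlices []string `json:"allowedSlices"`
	ServingSlice  string   `json:"servingSlice"`
	SCPs          []string `json:"scps"`
	Location      string   `json:"location"`
	Issuer        string   `json:"issuer"`       // identifier of the issuer (the NRF)
	IssuedAt      int64    `json:"iat"`          // temporal information about the issuance
	ExpiresAt     int64    `json:"exp"`
	IssuerKeyURL  string   `json:"issuerKeyUrl"` // address from which the issuer's public key can be obtained
}

// SignedContext is what the NRF returns to the NF and what later rides inside
// access tokens: the exact payload bytes plus the issuer's signature over them.
// Signing the transmitted bytes avoids any need for canonical JSON on the verifier.
type SignedContext struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// IssueContext is the first-device (NRF) side of claim 1: derive the context from
// the registration profile and sign it with the NRF's private key (Ed25519 here).
func IssueContext(priv ed25519.PrivateKey, issuer, keyURL string, p NFProfile, now time.Time, ttl time.Duration) (SignedContext, error) {
	ctx := NFContext{
		NFInstanceID: p.NFInstanceID, FQDN: p.FQDN, NFType: p.NFType,
		AllowedSlices: p.AllowedSlices, ServingSlice: p.ServingSlice,
		SCPs: p.SCPs, Location: p.Location,
		Issuer: issuer, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix(),
		IssuerKeyURL: keyURL,
	}
	payload, err := json.Marshal(ctx)
	if err != nil {
		return SignedContext{}, err
	}
	return SignedContext{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyContext is what any relying party (SCP, NRF on a later request, or the
// producer NF of claim 36) does before trusting the context: check the signature
// with the issuer's public key first, and only then parse the payload and check
// the issuer identity and validity window it carries.
func VerifyContext(pub ed25519.PublicKey, sc SignedContext, expectedIssuer string, now time.Time) (*NFContext, error) {
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return nil, errors.New("context signature invalid")
	}
	var ctx NFContext
	if err := json.Unmarshal(sc.Payload, &ctx); err != nil {
		return nil, fmt.Errorf("malformed context payload: %w", err)
	}
	if ctx.Issuer != expectedIssuer {
		return nil, fmt.Errorf("unexpected issuer %q", ctx.Issuer)
	}
	if t := now.Unix(); t < ctx.IssuedAt || t >= ctx.ExpiresAt {
		return nil, errors.New("context outside its validity window")
	}
	return &ctx, nil
}

// AuthorizeConsumer is the producer-side decision of claim 36: authenticate the
// consumer from its signed context, then (an assumption of this example) only
// serve a request for a slice the consumer is allowed to serve.
func AuthorizeConsumer(pub ed25519.PublicKey, sc SignedContext, expectedIssuer, requestedSlice string, now time.Time) error {
	ctx, err := VerifyContext(pub, sc, expectedIssuer, now)
	if err != nil {
		return err
	}
	for _, s := range ctx.AllowedSlices {
		if s == requestedSlice {
			return nil
		}
	}
	return fmt.Errorf("consumer %s is not allowed to serve slice %s", ctx.NFInstanceID, requestedSlice)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the NRF's key pair
	profile := NFProfile{ // constructed sample profile
		NFInstanceID: "amf-001", FQDN: "amf001.5gc.example", NFType: "AMF",
		AllowedSlices: []string{"1-000001", "1-000002"}, ServingSlice: "1-000001",
		SCPs: []string{"scp1.5gc.example"}, Location: "dc-west",
	}
	now := time.Now()
	sc, _ := IssueContext(priv, "nrf.5gc.example", "https://nrf.5gc.example/keys", profile, now, time.Hour)
	fmt.Println(AuthorizeConsumer(pub, sc, "nrf.5gc.example", "1-000001", now)) // <nil>
	fmt.Println(AuthorizeConsumer(pub, sc, "nrf.5gc.example", "1-000009", now)) // not allowed to serve slice
}
```

The verification order matters: the signature is checked before the payload is parsed, so a tampered or forged context never influences the issuer or slice checks, and any relying party that holds the NRF's public key (or fetches it from the `issuerKeyUrl` address of claim 15) can make the same decision without a round trip to the NRF.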
PCT/EP2021/059721 2020-04-30 2021-04-15 Securely identifying network function WO2021219385A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202041018542 2020-04-30
IN202041018542 2020-04-30

Publications (1)

Publication Number Publication Date
WO2021219385A1 true WO2021219385A1 (en) 2021-11-04

Family

ID=75562744

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2021/059721 WO2021219385A1 (en) 2020-04-30 2021-04-15 Securely identifying network function

Country Status (1)

Country Link
WO (1) WO2021219385A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11888946B2 (en) 2021-06-02 2024-01-30 Oracle International Corporation Methods, systems, and computer readable media for applying or overriding preferred locality criteria in processing network function (NF) discovery requests
US11888957B2 (en) 2021-12-07 2024-01-30 Oracle International Corporation Methods, systems, and computer readable media for locality and serving scope set based network function (NF) profile prioritization and message routing
US11930083B2 (en) 2021-08-09 2024-03-12 Oracle International Corporation Methods, systems, and computer readable media for processing network function (NF) discovery requests at NF repository function (NRF) using prioritized lists of preferred locations

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security Aspects; Study on security aspects of the 5G Service Based Architecture (SBA) (Release 16)", no. V1.7.0, 22 September 2019 (2019-09-22), pages 1 - 101, XP051784633, Retrieved from the Internet <URL:ftp://ftp.3gpp.org/Specs/archive/33_series/33.855/33855-170.zip 33855-170.doc> [retrieved on 20190922] *
HUAWEI ET AL: "Clarification on NF consumer instance ID verification", vol. SA WG3, no. e-meeting; 20200302 - 20200306, 21 February 2020 (2020-02-21), XP051854951, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_sa/WG3_Security/TSGS3_98e/Docs/S3-200215.zip S3-200215.docx> [retrieved on 20200221] *
HUAWEI ET AL: "Clarification on NF consumer instance ID verification", vol. SA WG3, no. e-meeting; 20200414 - 20200417, 3 April 2020 (2020-04-03), XP051868597, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_sa/WG3_Security/TSGS3_98Bis_e/Docs/S3-200689.zip S3-200689.docx> [retrieved on 20200403] *
WIKIPEDIA: "Transport Layer Security - Wikipedia, the free encyclopedia", 7 September 2012 (2012-09-07), XP055274705, Retrieved from the Internet <URL:https://en.wikipedia.org/w/index.php?title=Transport_Layer_Security&oldid=511168759> [retrieved on 20160524] *


Similar Documents

Publication Publication Date Title
US20210058783A1 (en) Network authentication method, and related device and system
US11943615B2 (en) Method and apparatus for discussing digital certificate by ESIM terminal and server
WO2021219385A1 (en) Securely identifying network function
EP3375165A1 (en) Method and apparatus for downloading profile on embedded universal integrated circuit card of terminal
US20210306326A1 (en) Enhanced hop by hop security
CN111434083A (en) Network management equipment and centralized authorization server for NETCONF
EP4075845A1 (en) Enhanced security for access stratum transmission
WO2022073213A1 (en) Mechanism for dynamic authorization
EP4075722A1 (en) Security enhancement on inter-network communication
KR20200002506A (en) Apparatus and method for data communication in wireless communication system
WO2021160386A1 (en) Authorization service for providing access control
EP3216250B1 (en) Bootstrapping wi-fi direct communication by a trusted network entity
EP4173226A1 (en) Access control of service based management framework
WO2023071836A1 (en) Communication method and apparatus
EP4013091A1 (en) Communication method and apparatus
US20220360586A1 (en) Apparatus, methods, and computer programs
US20240275775A1 (en) Proxy certificate management for nfv environment (pcs)
EP4275324A1 (en) Access token handling for indirect communication
US10797889B2 (en) Digital letter of approval (DLOA) for device compliance
US20240056506A1 (en) Network function validation
US20230413052A1 (en) Access token revocation in security management
WO2023070340A1 (en) Network repository function policy control for different public land mobile networks
WO2024065798A1 (en) Certificate management for network functions
EP4270870A1 (en) Method, device and computer readable medium for communications
WO2023272706A1 (en) Network repository function services access authorization

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21719589; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21719589; Country of ref document: EP; Kind code of ref document: A1)