WO2022106001A1 - Optimizing discovery queries - Google Patents

Info

Publication number
WO2022106001A1
Authority
WO
WIPO (PCT)
Prior art keywords
blacklist
profiles
attribute
service
profile
Application number
PCT/EP2020/082636
Other languages
French (fr)
Inventor
Ioannis Mouroulis
Saurabh Khare
Original Assignee
Nokia Solutions And Networks Oy
Application filed by Nokia Solutions And Networks Oy
Priority to PCT/EP2020/082636
Publication of WO2022106001A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/50: Network services
    • H04L67/51: Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W72/00: Local resource management
    • H04W72/04: Wireless resource allocation

Definitions

  • the present disclosure relates to discovery queries, in particular (but not exclusively) discovery queries to SCP and/or NRF.
  • Each of the methods of the third and fourth aspects may be a method of querying.
  • Fig. 4 shows the rates of no-match queries in the example network according to an example embodiment of the invention
  • NRFs are vulnerable to DOS or DDOS ((Distributed) Denial-of-service) attacks in the case of malicious and/or misbehaving UEs issuing Requests with no profile match.
  • NRFs may also be capable to auto-discover/create Blacklist patterns.
  • Fig. 5 shows a message flow (discovery) according to some example embodiments of the invention.
  • the master NRF may resolve to a locally provisioned or dynamically created blacklist Profiles.
  • Blacklist profiles may be created ad hoc.
  • An example mechanism to create ad hoc a blacklist profiles triggered by NFs Queries with multiple Parameters is as follows:
  • the blacklist profile(s) do not need to be further propagated.
  • the NRF may discover whether the Consumer supports the blacklist functionality according to some example embodiments of the invention via the Supported Features negotiation mechanism, as specified in subclause 6.6.2 of 3GPP TS 29.500. If an NRF consumer receives a blacklist profile although it does not support blacklist profiles, it may ignore the received blacklist profile. Thus, backward compatibility is ensured.
  • the means for receiving 110 receives a query for an address of a requested service producer from a service consumer (S110).
  • the query comprises, for at least one specific type attribute of the requested service producer, respective one or more attribute values.
  • only one of actions a) and b) is performed.
  • the apparatus need not include the means for providing 150.
  • the means for storing 105 need not be configured to perform action b).
  • each NF to which a query for an instance of a service producer is directed may be considered as a repository function.
  • a SCP and, of course, a NRF may be considered as a repository function.

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Mobile Radio Communication Systems

Abstract

Apparatus comprising: one or more processors, and memory storing instructions that, when executed by the processor(s), cause the apparatus to: receive, from a service consumer, a request comprising, for at least one specific type attribute of a service producer, a respective attribute value; check one or more blacklist profiles, whether for each of the at least one specific type attribute, the respective attribute value matches one of the one or more blacklist profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for at least one of the one or more type attributes, each of the one or more blacklist profiles defines one or more attribute values; inhibit to query a repository function for the service producer if, for each of the at least one specific type attribute, the respective attribute value matches one of the blacklist profiles.

Description

Optimizing discovery queries
Field of the invention
The present disclosure relates to discovery queries, in particular (but not exclusively) discovery queries to SCP and/or NRF.
Abbreviations
3GPP 3rd Generation Partnership Project
3G / 4G / 5G 3rd / 4th / 5th Generation
5GC 5G Core Network
ACK Acknowledgment (Positive)
AMF Access and Mobility Management Function
API Application Programming Interface
APN Access Point Name
AUSF Authentication Server Function
DNN Data Network Name
DOS Denial of Service
DDOS Distributed DOS
GPSI Generic Public Subscription Identifier
HTTP Hypertext Transfer Protocol
IE Information Element
IETF Internet Engineering Task Force
IMSI International Mobile Subscriber Identity
ISDN Integrated Services Digital Network
JSON JavaScript Object Notation
MBB Mobile Broadband
MSISDN Mobile Station ISDN number
MVNO Mobile Virtual Network Operator
NACK Negative Acknowledgment
NAS Non-access stratum
NF Network Function
NRF Network Repository Function
PDU Protocol Data Unit
PLMN Public Land Mobile Network
RFC Request for Comments
RTC Realtime Communication
SBA Service Based Architecture
SBI Service Based Interface
SCP Service Communication Proxy
SIP Session Initiation Protocol
SMF Session Management Function
SNSSAI single network slice selection assistance information
SUPI Subscription Permanent Identifier
TAI Tracking Area Identifier
TCP Transmission Control Protocol
TS Technical Specification
UDM User Data Management
UDR User Data Repository
UE User Equipment
Background of the invention
In 2G/3G/4G peer endpoint selection was predominately based on rules/queries that used unique identifiers (e.g. MSISDN, IMSI, APN etc.). 5G provides a service based architecture. I.e., a consumer inquires NRF in order to discover an appropriate service producer instance, as shown in Fig. 1. That is, in 5G, as described in 3GPP TS 29.510, in order to discover and select the appropriate service instances, multiple filtering criteria are applied by NRF.
5GC Service Based architecture APIs are based on the HTTP protocol. According to 3GPP TS 23.501, an NF service is one type of capability exposed by an NF (NF Service Producer) to other authorized NF (NF Service Consumer) through a service-based interface. A Network Function may expose one or more NF services. NF services may communicate directly between NF Service consumers and NF Service Producers, or indirectly via an SCP.
HTTP works in the client-server model. The client initiates a communication session with the server, which awaits incoming requests. The server provides a service to the client in response to the request. In HTTP a Server can clearly Respond to Client whether it was able to process a Request or not by using the appropriate Status codes, and adding problem details in a JSON Body etc. (as defined in RFC 7540 and further specified in 3GPP TS 29.500).
NACK/ACK mechanisms are part of the specification of certain protocols e.g. IETF SIP, TCP, WebRTC and 3GPP NAS. However, HTTP protocol specification supports neither ACK nor NACK messages and cannot be extended to do so, without IETF standardization.
In HTTP, a 2xx response means a response having a number between 200 and 299. It means that the request was successful. In particular, a 200 OK response means that the request was successfully executed, and a 201 Created response means that the request was successfully executed and that a resource was created in the HTTP server. A 202 response indicates that the request has been accepted for processing, but the processing has not been completed. A 204 response means No Content: The server successfully processed the request, and is not returning any content. For further details on HTTP 2xx responses, see e.g. "2xx success" at https://en.wikipedia.org/wiki/List_of_HTTP_status_codes.
The end-to-end interaction between two Network Functions (Consumer and Producer) within this NF service framework follows two mechanisms, irrespective of whether Direct Communication or Indirect Communication is used:
"Request-response": A Control Plane NF_B (NF Service Producer) is requested by another Control Plane NF_A (NF Service Consumer) to provide a certain NF service, which either performs an action or provides information or both. NF_B provides an NF service based on the request by NF_A. In Request-response mechanism, communication is one to one between two NFs (consumer and producer) and a one-time response from the producer to a request from the consumer is expected within a certain timeframe.
"Subscribe-Notify": A Control Plane NF_A (NF Service Consumer) subscribes to NF Service offered by another Control Plane NF_B (NF Service Producer). The NF Service Producer NF_B notifies the NF Service Consumer NF_A if a certain condition is fulfilled.
5G provides Network slicing. Network slicing is a specific form of virtualization that allows multiple logical networks to run simultaneously, for example on top of a shared physical network infrastructure. The key benefit of the network slicing concept is that it provides an end-to-end virtual network encompassing not just networking but compute and storage functions, too.
The principle of network slicing provides the ability to create different virtual networks over which different traffic flows can travel isolated from each other. For example, a network slice can include a collection of logical network functions that support a communication service requirement of a particular network service. Accordingly, different network slices can support different services and/or different types of communication devices. Connectivity between computing resources can be allocated so that traffic of one network slice can be isolated from that of another. Isolation can be based on one or more of network operator, service, application, user, user equipment, level of subscription service, and so on.
Network slice operation may be transparent or visible to end users or communication devices. The communication devices may be configured to discover what network slices are being provided by the operator (e.g., in the devices' current location and/or radio access network). A radio access network may belong to various network slices.
NRF may be hierarchically deployed with plural local NRFs and one or more Master NRFs (or Central NRFs). In case of Hierarchical NRF deployment, Local NRF may forward “no-match” queries to Central/Master NRFs. Only if there isn’t any match in the “top” Central/Master NRFs, no-match is concluded and reported to the service consumer.
Summary of the invention
It is an object of the present invention to improve the prior art.
According to a first aspect of the invention, there is provided an apparatus comprising: one or more processors, and memory storing instructions that, when executed by the one or more processors, cause the apparatus to: receive, from a service consumer, a request comprising, for at least one specific type attribute of a service producer, a respective attribute value; check one or more blacklist profiles, whether for each of the at least one specific type attribute, the respective attribute value matches one of the one or more blacklist profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for at least one of the one or more type attributes, each of the one or more blacklist profiles defines one or more attribute values; inhibit to query a repository function for the service producer if, for each of the at least one specific type attribute, the respective attribute value matches one of the blacklist profiles.
According to a second aspect of the invention, there is provided an apparatus comprising: one or more processors, and memory storing instructions that, when executed by the one or more processors, cause the apparatus to: store, for each of one or more service producers, a respective stored profile in a repository, wherein each of the stored profiles is defined by one or more type attributes, each of the stored profiles comprises, for each of the one or more type attributes, respective one or more attribute values; receive a query for an address of a requested service producer from a service consumer, wherein the query comprises respective one or more attribute values of at least one specific type attribute of the requested service producer; check for each of the at least one specific type attribute, whether the respective one or more attribute values comprised by the query match at least one of the one or more stored profiles; if, for at least one of the at least one specific type attribute, the respective one or more attribute values comprised by the query do not match any of the one or more stored profiles: determine or update a set of one or more blacklist profiles such that none of the blacklist profiles of the set matches any of the stored profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for each of the one or more blacklist profiles and for each of the one or more type attributes defining the respective blacklist profile, the respective blacklist profile defines one or more attribute values; and at least one of: provide the set of the one or more blacklist profiles in response to the query; and store the set of the one or more blacklist profiles.
According to a third aspect of the invention, there is provided a method comprising: receiving, from a service consumer, a request comprising, for at least one specific type attribute of a service producer, a respective attribute value; checking one or more blacklist profiles, whether for each of the at least one specific type attribute, the respective attribute value matches one of the one or more blacklist profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for at least one of the one or more type attributes, each of the one or more blacklist profiles defines one or more attribute values; inhibiting to query a repository function for the service producer if, for each of the at least one specific type attribute, the respective attribute value matches one of the blacklist profiles.
According to a fourth aspect of the invention, there is provided a method comprising: storing, for each of one or more service producers, a respective stored profile in a repository, wherein each of the stored profiles is defined by one or more type attributes, each of the stored profiles comprises, for each of the one or more type attributes, respective one or more attribute values; receiving a query for an address of a requested service producer from a service consumer, wherein the query comprises respective one or more attribute values of at least one specific type attribute of the requested service producer; checking for each of the at least one specific type attribute, whether the respective one or more attribute values comprised by the query match at least one of the one or more stored profiles; if, for at least one of the at least one specific type attribute, the respective one or more attribute values comprised by the query do not match any of the one or more stored profiles: determining or updating a set of one or more blacklist profiles such that none of the blacklist profiles of the set matches any of the stored profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for each of the one or more blacklist profiles and for each of the one or more type attributes defining the respective blacklist profile, the respective blacklist profile defines one or more attribute values; and at least one of: providing the set of the one or more blacklist profiles in response to the query; and storing the set of the one or more blacklist profiles.
Each of the methods of the third and fourth aspects may be a method of querying.
According to a fifth aspect of the invention, there is provided a computer program product comprising a set of instructions which, when executed on an apparatus, is configured to cause the apparatus to carry out the method according to any of the third and fourth aspects. The computer program product may be embodied as a computer-readable medium or directly loadable into a computer.
According to a sixth aspect of the invention, there is provided an apparatus comprising: receiving means configured to receive, from a service consumer, a request comprising, for at least one specific type attribute of a service producer, a respective attribute value; checking means configured to check one or more blacklist profiles, whether for each of the at least one specific type attribute, the respective attribute value matches one of the one or more blacklist profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for at least one of the one or more type attributes, each of the one or more blacklist profiles defines one or more attribute values; inhibiting means configured to inhibit to query a repository function for the service producer if, for each of the at least one specific type attribute, the respective attribute value matches one of the blacklist profiles.
According to a seventh aspect of the invention, there is provided an apparatus comprising: first storing means configured to store, for each of one or more service producers, a respective stored profile in a repository, wherein each of the stored profiles is defined by one or more type attributes, each of the stored profiles comprises, for each of the one or more type attributes, respective one or more attribute values; receiving means configured to receive a query for an address of a requested service producer from a service consumer, wherein the query comprises, for at least one specific type attribute of the requested service producer, respective one or more attribute values; checking means configured to check for each of the at least one specific type attribute, whether the respective one or more attribute values comprised by the query match at least one of the one or more stored profiles; if, for at least one of the at least one specific type attribute, the respective one or more attribute values comprised by the query do not match any of the one or more stored profiles: determining means configured to determine or update a set of one or more blacklist profiles such that none of the blacklist profiles of the set matches any of the stored profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for each of the one or more blacklist profiles and for each of the one or more type attributes defining the respective blacklist profile, the respective blacklist profile defines one or more attribute values; and at least one of: providing means configured to provide the set of the one or more blacklist profiles in response to the query; and second storing means configured to store the set of the one or more blacklist profiles.
According to some example embodiments of the invention, at least one of the following advantages may be achieved:
• Queries may be performed more efficiently;
• Less load on SCP and/or (local/master) NRFs;
• Vulnerability to DDOS attacks is reduced;
• Backwards compatibility.
It is to be understood that any of the above modifications can be applied singly or in combination to the respective aspects to which they refer, unless they are explicitly stated as excluding alternatives.
Brief description of the drawings
Further details, features, objects, and advantages are apparent from the following detailed description of the preferred embodiments of the present invention which is to be taken in conjunction with the appended drawings, wherein:
Fig. 1 shows a discovery request according to the prior art;
Fig. 2 shows how a discovery request is propagated according to the prior art;
Fig. 3 shows the rates of no-match queries in an example network according to the prior art;
Fig. 4 shows the rates of no-match queries in the example network according to an example embodiment of the invention;
Fig. 5 shows how a discovery request is propagated according to an example embodiment of the invention;
Fig. 6 shows an apparatus according to an example embodiment of the invention;
Fig. 7 shows a method according to an example embodiment of the invention;
Fig. 8 shows an apparatus according to an example embodiment of the invention;
Fig. 9 shows a method according to an example embodiment of the invention; and
Fig. 10 shows an apparatus according to an example embodiment of the invention.
Detailed description of certain embodiments
Herein below, certain embodiments of the present invention are described in detail with reference to the accompanying drawings, wherein the features of the embodiments can be freely combined with each other unless otherwise described. However, it is to be expressly understood that the description of certain embodiments is given by way of example only, and that it is by no way intended to be understood as limiting the invention to the disclosed details.
Moreover, it is to be understood that the apparatus is configured to perform the corresponding method, although in some cases only the apparatus or only the method are described.
The NF Profiles through which NRF searches an appropriate service instance may be large (>1 MB). Furthermore, several IEs (information elements) in the NF Profile may have a structure which does not allow an efficient index/hash-based search (e.g. Ranges, Patterns etc.). Queries that do not have any matching profile may be the most computationally intensive because exhaustive search in all IE array elements of all NF profiles of an NFType (type of NF) may be required.
NFs may cache “negative” responses for NRF Discovery Queries (i.e. when NRF 200 OK Response includes a SearchResult with empty nfInstances array), as described for NRF API (3GPP TS 29.510).
The following scenario may exemplify the problem of no-match queries:
In a relatively large network, a typical deployment can consist of:
• 50x SMFs
• Each SMF may support 3x PLMNs (MVNO) and its NFProfile may contain on average 20x SMFInfos in the SMFInfoList IE of its NFProfile
• Each SMFInfo IE may contain 200 Tracking Area Identity Ranges (see 3GPP TS 29.510) and 20x sNssaiSmfInfoItems
• Each sNssaiSmfInfoItems may contain on average 128 DNNs
• If a UE in a tracking area identified by a TAI attempts to create a PDU session for a DNN/SNSSAI that is valid but not supported by an SMF in the specific TAI, NRF has to exhaustively search in all available SMF profiles to find whether there is any SMF that supports the specific DNN for the given Slice in the specific Tracking Area. This information is stored in the SMF Profile in the NRF, which is a JSON object comprising multiple Information Elements including arrays/maps that further include arrays of IEs which accordingly include other arrays. For example, the TAI information as per 3GPP TS 29.510 is stored in NFProfile->SmfInfoList(map)->TaiRangeList(array)->TacRangeList[array]->start/end | pattern, while the DNN is stored under NFProfile->SmfInfoList(map)->sNssaiSmfInfoList[Array]->dnnSmfInfoList[Array]->dnn
• In the aforementioned case
• The NRF has to find whether the SMF Info supports the TAI that is given as query parameter. That can consist of 50 (SMF) x 20 (SMFInfos) x 100 TAI Ranges (assuming match in middle of the array) = 100000 TAI range searches
• Then the NRF has to search if the SMF supports the given slice: 50 (SMF) x 20 (SMFInfo) x 10 sNssaiSmfInfoItems (assuming there was a match in the middle) = 1000 Snssais searches
• Then the NRF has to search if the SMF supports the given DNN: 50 (SMF) x 20 (SMFInfo) x 3 (PLMNs) x 128 (DNN - no match) = 384 000 DNN searches
Conventionally, NRF can conclude that the requested combination is not supported in any NF Profile only via this exhaustive search. Similar searches may also have to be performed in the AMF, SCP caches, and in the Master NRF, as shown in Fig. 2.
As shown in Fig. 3, no match queries may heavily load all levels of a hierarchical NRF deployment. In the example of Fig. 3, the UEs generate 10.000 no-match queries per second in each AMF, i.e. where the AMF cannot identify the appropriate service producer instance based on its cached query results. Plural AMFs forward these no-match queries to a respective SCP. Each SCP may solve some of the queries based on its cached query results but still forwards 10.000 no-match queries per second to the respective local NRF. Each local NRF may solve some of the queries based on its stored NFProfiles but forwards still 10.000 no-match queries per second to the Master NRF. Among these queries, even the Master NRF may not solve 10.000 queries per second. Thus, all levels of the hierarchical NRF network are quite busy by no-match queries.
Another problem that accordingly arises is that the NRFs are vulnerable to DOS or DDOS ((Distributed) Denial-of-service) attacks in the case of malicious and/or misbehaving UEs issuing Requests with no profile match. Even if the NFs cache negative responses, it does not help much, especially in case of malicious UEs, due to the abundance of possible permutations of query parameters which cannot be matched by any profile.
Caching of negative results according to 3GPP TS 29.510 is not very useful in this context because all query parameters of a subsequent NF discovery Request have to be exactly the same. Any difference in a query parameter e.g. TAI, DNN, SUPI etc., leads to a cache mismatch triggering a new Discovery Request.
Some example embodiments of this invention provide a solution to the aforementioned problems.
Some example embodiments of the invention provide a Blacklist NF Profile (also named blacklist profile hereinafter) in order to optimize NRF Discovery queries with no profile match. Blacklist NFProfiles are NFProfiles that include attributes (i.e. type attributes defining the type of the NF) defining value ranges for which no NF Producer exists. This allows NFs, SCP and/or NRFs to efficiently conclude whether a Discovery Query cannot be served by any NF Producer, without having to perform exhaustive search in the NFProfiles of all registered NF Instances.
NRFs may create static and/or dynamic Blacklist Profiles and propagate this information to the Consumers (SCPs, NFs, or other NRFs) in the Discovery Query responses. This allows NF consumers to cache the blacklist Profiles and avoid propagating discovery queries when the Discovery query parameters match an entry in one of the blacklists (i.e., are included in one of the one or more ranges defined by one of the one or more blacklists). For example, the blacklist according to some example embodiments of the invention may be implemented as follows:
• A new IE type blackListNrfInfoList is introduced in the Nnrf API (3GPP TS 29.510) which is a list of a (newly introduced) group of IEs: blackListXXXInfoLists where “XXX” refers to a NF type such as blacklistAusfInfoList, blackListUdmInfoList, blackListAmfInfoList etc. blackListXXXInfo contains attribute value ranges of a certain NF type for which no NF Producer instance exists.
• When the Discovery Query Parameters are included in one of the ranges defined in blackListNrfInfoList no further search is required and, hence, no further search is performed.
• Blacklist Profiles included in the blackListNrfInfoList may be locally provisioned in NRF or learned via Discovery/Registration or NFProfileRetrieval from other NRFs.
• NRFs may also be capable of auto-discovering/creating Blacklist patterns.
A mode of operation may be the following:
• When a NF consumer needs a NF Producer address to provide a service, the NF first searches in local cache for possibly matching NF profiles as per current procedures specified in 3GPP Rel-15/16 TS 23.501, TS 23.502, and TS 29.510.
• If not found there, the NF consumer then searches in the blacklist profile(s) (blackList cache).
• If the Discovery query parameter criteria are met by a blacklist Profile, the consumer can safely conclude that there is no NF producer instance that matches the requested attribute value(s).
• If there isn’t any match in the blacklist cache, the consumer sends the NF Discovery Query to the “next level” (e.g. SCP -> NRF, Local NRF -> Central NRF), which also searches in its Profile Database.
• If the NF Discovery Query parameters can be met by one or more NF Producers, the NRF responds with the matching NF Profiles, as currently specified in 3GPP TS 29.510.
• In case the NF Discovery Query parameter criteria cannot be met by one or more NF Producer Profiles but are matched by a blacklist profile, the blackListXXXInfo profile is populated back to NF Consumers in the 200 OK response.
• If the NF Discovery Query parameter criteria can neither be met by any existing NF Producer instance Profile nor in any blacklist profile, the NRF responds including a SearchResult with empty nfInstances array and no blackListNFInfo profile.
NRF consumers (NFs, SCP and other NRFs) may locally cache the blacklist Profiles to efficiently resolve subsequent queries that have no profile match and avoid discovery query forwarding. How long the blacklist profiles are kept in the cache may be indicated by a validityPeriod included in the SearchResult.
In particular for NF/UEs demonstrating suspicious or abnormal behavior (e.g. having triggered X failed Discovery queries the last Y seconds), NFs, SCP or NRF may decide to first search in the blacklist cache before searching in the matching profile.
Fig. 4 shows in an example corresponding to that of Fig. 3, how the rate of no-match queries is reduced at SCP and NRF due to the blacklists. In this example, the SCPs have only 5000 no-match queries per second due to the blacklists in AMF compared to 10.000 no-match queries per second without blacklists. In local NRF, the rate of no-match queries is even reduced to 1.000 per second, compared to 10.000 per second without blacklists in AMF and SCP.
Fig. 5 shows a message flow (discovery) according to some example embodiments of the invention.
1: AMF is trying to discover SMF having certain properties DNN=acme, SNSSAI=1, TAI=2222. (Of course, “2222” is not a real TAI because a real TAI is of a format like {"plmnId":{"mcc":"460","mnc":"02"},"tac":"007530"}. “2222” is selected in order to improve readability).
2.0: AMF first searches for a matching profile in the local cache. If not found, it searches in the cached blacklist profiles. The blacklist profiles may be either provisioned in the NF or SCP or NRF(s) or may be cached from older responses for NF Discovery requests for which there was no Profile match.
2.1: If matching data are not found in either list, as shown in the example of Fig. 5, the AMF sends a Discovery query to SCP (if available, as shown in Fig. 5) or NRF.
2.2, 2.3: SCP(s) and/or NRF(s) also perform the search in their local cache of Producer Instances and Blacklisted profiles. If the discovery queries do not match any profile, the SCP(s) and NRF(s) forward the discovery request to further downstream (“next level”).
2.4: Once the discovery request reaches the “final” NRF (i.e. the last NRF which can not forward the discovery request further, typically the master NRF), then the master NRF may resolve to a locally provisioned or dynamically created blacklist Profiles.
Example of BlacklistSMFInfo if DNN “acme” in slice MBB is supported only by SMF in TAIs range 0-1000
• blacklistSMFInfo o blackListSmflnfo.taiRangeList.[1], [1001-99999] o blackListSmflnfo.sNssaiSmflnfoList[0].Snssai MBB (1) o blackListSmflnfo.sNssaiSmflnfoList[0].dnn[0] acme
3: If the record is found in the existing Blacklist profile or in an ad hoc created blacklist profile (as explained below), the NRF handles that record as blacklisted. In that case the NRF includes the blacklistSMFInfo in the response of the Discovery request.
3.1, 3.2, 3.3, 3.4: NRF(s), SCP(s) and NF can cache the BlacklistNFInfo, so that subsequent queries need not be propagated downstream. The blacklist may use a validityPeriod included in the SearchResult IE in the same manner as it is used for valid NFProfiles. Additionally, the consumer may use the Blacklist Profile Id to Subscribe and get Notification about blacklist profile updates. The request is rejected.
4, 4.1, 4.2, 4.3: The next time AMF receives the Create PDU request with DNN=acme, SNSSAI=1, TAI=2222, the attribute values will match the blacklist profile stored in the AMF Blacklist cache. Therefore, AMF knows that this Profile cannot be served. It need not send a discovery request to SCP/NRF but rejects the request.
Blacklist Creation in NRF: An NRF having a complete overview of the existing NFs in the network it serves may automatically create Blacklist profiles in addition to the locally provisioned ones (shown as action 0 in Fig. 5).
Blacklist profiles may be created ad hoc. An example mechanism to create a blacklist profile ad hoc, triggered by NF Queries with multiple Parameters, is as follows:
• Example: An NRF consumer sends a Discovery Query for a PCF providing as parameters a) required features and b) DNN (or GPSI/SUPI). The NRF may initially filter PCFs based on the required features and already discover that there is no candidate PCF. Accordingly, the NRF may include the non-supported Features in the Blacklist profile of the Response so that the Consumer can cache the information and know these features are not available for any SUPI/GPSI or DNN.
An alternative/complementary mechanism is to perform a background scan of all profiles to deduce non-supported patterns. For example, the background scan may be performed periodically or after a predefined duration of time has lapsed after the previous scan (background scan or ad hoc scan, as described in the previous example).
• Example: NRF may create the Union of the IdentityRanges supported by all Registered AUSFs. All the remaining Ranges that are not supported by any AUSF may be compiled in a blacklist AUSF profile. This blacklist profile can be provided back to the NRF consumers when a Discovery query containing a non-supported Routing indicator is received.
As another example, NRF may perform a scan when a service producer registers at NRF or when a registered service producer deregisters from NRF. As still another example, NRF may subscribe to notifications informing when an attribute value of a service producer changes. The receipt of such a notification may trigger a scan of all profiles to deduce non-supported patterns and to define a range comprised in a blacklist, too.
These blacklist profile(s) may also be used (exchanged) between NRFs out of the scope of a Discovery Query. An NRF (or any other NF instance holding one or more blacklist profiles) may exchange with other NRFs (or other NF instances configured to hold a blacklist profile) a blackListNrfInfoList IE which contains the list of blackListNFInfos (e.g. blacklistUDMInfo, blackListUdmInfo) the NRF (NF instance) currently holds. The NRF can share this information with other NRF(s) in the same manner as nrfInfoList profiles are used to share information about registered NF Producer Instances.
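The union-and-complement scan from the AUSF example, re-run on each registration and deregistration, as an added example (not code from the application or from any NRF product). Identity values are modelled as integers in an assumed domain of 0 to 9999, and the class, function and attribute names are hypothetical.

```python
def merge_ranges(ranges):
    """Union of inclusive integer ranges, returned sorted and non-overlapping."""
    merged = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], high)
        else:
            merged.append([low, high])
    return [tuple(r) for r in merged]


def unsupported_ranges(profiles, attr, domain):
    """Ranges of `attr` inside `domain` that no registered profile supports."""
    lo, hi = domain
    supported = merge_ranges(r for p in profiles for r in p.get(attr, []))
    gaps, cursor = [], lo
    for low, high in supported:
        if high < lo or low > hi:
            continue  # range lies completely outside the domain
        if low > cursor:
            gaps.append((cursor, low - 1))
        cursor = max(cursor, high + 1)
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps


class Nrf:
    DOMAIN = (0, 9999)  # assumed value space, constructed for this example

    def __init__(self):
        self.profiles = {}   # nfInstanceId -> {"identityRanges": [(low, high), ...]}
        self.blacklist = []  # unsupported ranges, rebuilt by every scan
        self._rescan()

    def _rescan(self):
        # Triggered by registration/deregistration so the negative answer
        # never lags behind the set of registered producers.
        self.blacklist = unsupported_ranges(
            self.profiles.values(), "identityRanges", self.DOMAIN)

    def register(self, nf_id, ranges):
        self.profiles[nf_id] = {"identityRanges": list(ranges)}
        self._rescan()

    def deregister(self, nf_id):
        self.profiles.pop(nf_id, None)
        self._rescan()

    def discover(self, identity):
        """Return a SearchResult-like dict; the blacklist is consulted first."""
        for low, high in self.blacklist:
            if low <= identity <= high:
                return {"nfInstances": [],
                        "blackListNFInfo": {"identityRanges": list(self.blacklist)}}
        hits = [nf for nf, p in self.profiles.items()
                if any(l <= identity <= h for l, h in p["identityRanges"])]
        return {"nfInstances": hits}


def blacklist_is_sound(nrf):
    """True if no blacklist range overlaps any stored profile (step S130)."""
    for b_low, b_high in nrf.blacklist:
        for p in nrf.profiles.values():
            for low, high in p["identityRanges"]:
                if low <= b_high and b_low <= high:
                    return False
    return True


if __name__ == "__main__":
    nrf = Nrf()
    nrf.register("ausf-1", [(0, 2999)])
    nrf.register("ausf-2", [(2000, 4999), (7000, 7999)])
    print(nrf.blacklist, nrf.discover(6000))
```

Because the blacklist is rebuilt from the stored profiles on every trigger, a range stops being rejected as soon as a producer covering it registers.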
In case NRF consumers do not support an embodiment of this invention (e.g. implementation is initially limited only among NRFs and SCP), the blacklist profile(s) do not need to be further propagated. The NRF may discover whether the Consumer supports the blacklist functionality according to some example embodiments of the invention via the Supported Features negotiation mechanism, as specified in subclause 6.6.2 of 3GPP TS 29.500. If an NRF consumer receives a blacklist profile although it does not support blacklist profiles, it may ignore the received blacklist profile. Thus, backward compatibility is ensured.
Table 1 indicates how the SearchResult IE specified in 3GPP TS 29.510 may be extended to support blacklists.
Table 6.2.6.2.2-1: Definition of type SearchResult
Figure imgf000018_0001
Table 1 : Definition of SearchResult IE according to some example embodiments of the invention
Table 2 indicates how the NrfInfo IE specified in 3GPP TS 29.510 may be extended to support blacklists.
Table 6.1.6.2.31-1: Definition of type NrfInfo
Figure imgf000019_0001
Table 2: Definition of NRFInfo IE according to some example embodiments of the invention
There are different options how a blacklist profile defines a range of attribute values not supported by any of the registered NFs. For example, the blacklist profile may comprise, for one of the type attributes, plural attribute values and, thus, define plural attribute values for this type attribute. The blacklist profile may comprise, for one of the type attributes, a range of plural attribute values and, thus, define a range of attribute values. In a specific example, if the NF is defined by plural type attributes, the blacklist profile may not comprise any attribute value for some of the type attributes and comprise a single attribute value for (at least) one of the type attributes. This is to be interpreted such that this single attribute value is not supported, regardless of the attribute values of the other attribute types. Thus, the blacklist profile may comprise only a single attribute value for one of the type attributes but defines a lot of attribute values.
All Attributes that are present in the blacklist profile must match with the respective attribute value(s) included in a Discovery Query so as to conclude that a valid NF profile does not exist. Blacklist profile attributes may have multiple values (e.g. an attribute has a range or list of values for which it is valid). Absence of an attribute in a blacklist profile means that it can match any value for that attribute.
The expression “a first profile (e.g. blacklist profile) does not match a second profile (e.g. stored profile)” means that none of the combinations of type attributes and respective attribute values defined by the first profile matches one of the combinations of type attributes and respective attribute values defined by the second profile.
The number of attributes increases depending on how specific the blacklist profile is. A blacklist profile with a single attribute is the most generic blacklist one can get. E.g.
An AMF may query for a NFType=SMF in TAI=123 within SNSSAI=456 serving DNN=ACME
A very generic blacklist response would include only the NFType, e.g. indicating that there is no SMF registered in any NRF (blacklist profile is only NFType=SMF)
A more specific blacklist Profile example includes ((SNSSAI=123 or SNSSAI=456 or SNSSAI=789) and NFType=SMF), indicating there is no SMF for SNSSAI value (slice) 123 or SNSSAI 456 or SNSSAI 798
An even more specific blacklist Profile would include only one slice ((SNSSAI=123) and NFType=SMF), indicating there is no SMF for SNSSAI (slice) 123
An even more specific blacklist Profile would indicate ((SNSSAI=123 or SNSSAI=456) and NFType=SMF and DNN=acme) that there is no SMF within SNSSAI 123 or SNSSAI 456 supporting DNN=ACME
An even more specific blacklist Profile would indicate ((SNSSAI=123 or SNSSAI=456) and NFType=SMF and DNN=acme and TAI=123) that there is no SMF within SNSSAI 123 or SNSSAI 456 supporting DNN ACME in TAI 123
Etc.
Note that these examples are not limiting. A blacklist profile may be defined by other rules provided that all involved functions (e.g. NF, SCP, NRF) obey the same rules.
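The matching rule and the lookup order described above, as an added example (not code from the application or from any NF, SCP or NRF implementation). The attribute names, the integer TAI, the thresholds X=3 and Y=10 s, and the choice not to reject a query that omits a blacklisted attribute are assumptions; the blacklist entry is constructed from the blackListSmfInfo example on this page.

```python
from collections import defaultdict, deque


def value_matches(matchers, value):
    """True if value equals a listed value or lies in a listed (low, high) range."""
    for m in matchers:
        if isinstance(m, tuple):
            if isinstance(value, int) and m[0] <= value <= m[1]:
                return True
        elif m == value:
            return True
    return False


class BlacklistProfile:
    def __init__(self, attrs, expires_at):
        self.attrs = attrs            # attribute name -> list of values / ranges
        self.expires_at = expires_at  # absolute expiry derived from validityPeriod

    def matches(self, query):
        # Every attribute present in the profile must match the query;
        # an attribute absent from the profile matches any value.
        for name, matchers in self.attrs.items():
            # Assumption: a query that omits a blacklisted attribute is not
            # covered by the profile, so it is not rejected.
            if name not in query or not value_matches(matchers, query[name]):
                return False
        return True


class DiscoveryCache:
    def __init__(self, max_failures=3, window_s=10.0):
        self.max_failures = max_failures    # "X" in the text
        self.window_s = window_s            # "Y" in the text
        self.blacklist = []
        self.matching = {}                  # frozen query -> producer instance id
        self.failures = defaultdict(deque)  # consumer id -> failure timestamps

    def add_blacklist(self, attrs, validity_period_s, now):
        self.blacklist.append(BlacklistProfile(attrs, now + validity_period_s))

    def add_match(self, query, producer_id):
        self.matching[frozenset(query.items())] = producer_id

    def is_suspicious(self, consumer, now):
        q = self.failures[consumer]
        while q and q[0] <= now - self.window_s:
            q.popleft()                     # forget failures outside the window
        return len(q) >= self.max_failures

    def _blacklisted(self, query, now):
        # Drop expired entries so a stale negative answer cannot outlive its
        # validityPeriod and hide a newly registered producer.
        self.blacklist = [p for p in self.blacklist if p.expires_at > now]
        return any(p.matches(query) for p in self.blacklist)

    def resolve(self, consumer, query, now):
        """Return (decision, lookups); decision is 'reject', 'forward' or a producer id."""
        if self.is_suspicious(consumer, now):
            order = ["blacklist", "matching"]   # suspicious: blacklist first
        else:
            order = ["matching", "blacklist"]
        lookups = []
        for step in order:
            lookups.append(step)
            if step == "matching":
                hit = self.matching.get(frozenset(query.items()))
                if hit is not None:
                    return hit, lookups
            elif self._blacklisted(query, now):
                self.failures[consumer].append(now)
                return "reject", lookups
        return "forward", lookups           # no local answer: query SCP/NRF


if __name__ == "__main__":
    cache = DiscoveryCache()
    cache.add_blacklist({"nfType": ["SMF"], "dnn": ["acme"], "snssai": [1],
                         "tai": [(1001, 99999)]}, validity_period_s=60, now=0.0)
    query = {"nfType": "SMF", "dnn": "acme", "snssai": 1, "tai": 2222}
    for t in (1.0, 2.0, 3.0, 4.0):
        print(t, cache.resolve("amf-1", query, now=t))
```

The lookup list in the return value makes the reordering for a suspicious consumer visible; the decision itself is the same in either order.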
Fig. 6 shows an apparatus according to an example embodiment of the invention. The apparatus may be a network function such as an AMF, SCP, NRF or any other network function, or an element thereof. Fig. 7 shows a method according to an example embodiment of the invention. The apparatus according to Fig. 6 may perform the method of Fig. 7 but is not limited to this method. The method of Fig. 7 may be performed by the apparatus of Fig. 6 but is not limited to being performed by this apparatus.
The apparatus comprises means for receiving 5, means for checking 10, and means for inhibiting 20. The means for receiving 5, means for checking 10, and means for inhibiting 20 may be a receiving means, checking means, and inhibiting means, respectively. The means for receiving 5, means for checking 10, and means for inhibiting 20 may be a receiver, checker, and inhibitor, respectively. The means for receiving 5, means for checking 10, and means for inhibiting 20 may be a receiving processor, checking processor and inhibiting processor, respectively.
The means for receiving 5 receives, from a service consumer, a request (S5). The request comprises, for at least one specific type attribute of a service producer, a respective attribute value.
The means for checking 10 checks one or more blacklist profiles, whether for each of the at least one specific type attribute, the respective attribute value matches one of the one or more blacklist profiles (S10). Each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for at least one of the one or more type attributes, each of the one or more blacklist profiles defines one or more attribute values. The means for inhibiting 20 inhibits to request a repository function for the service producer if, for each of the at least one specific type attribute, the respective attribute value matches one of the blacklist profiles.
For example, the apparatus (e.g. NF, SCP, NRF or element thereof) may be defined as follows:
Apparatus comprising: one or more processors, and memory storing instructions that, when executed by the one or more processors, cause the apparatus to: receive, from a service consumer, a request comprising, for at least one type attribute of a service producer, a respective attribute value; check one or more blacklist profiles, whether for each of the at least one type attribute, the respective attribute value matches one of the one or more blacklist profiles, wherein each of the blacklist profiles is defined by at least a subset of the one or more type attributes, and for at least one of the one or more type attributes, each of the one or more blacklist profiles defines more than one attribute value; inhibit to query a repository function for the service producer if, for each of the at least one type attribute, the respective attribute value matches one of the blacklist profiles.
Fig. 8 shows an apparatus according to an example embodiment of the invention. The apparatus may be a NRF or an element thereof. Fig. 9 shows a method according to an example embodiment of the invention. The apparatus according to Fig. 8 may perform the method of Fig. 9 but is not limited to this method. The method of Fig. 9 may be performed by the apparatus of Fig. 8 but is not limited to being performed by this apparatus.
The apparatus comprises means for storing 105, means for receiving 110, means for checking 120, means for determining 130, and means for providing 150. The means for storing 105, means for receiving 110, means for checking 120, means for determining 130, and means for providing 150 may be a storing means, receiving means, checking means, determining means, and providing means, respectively. The means for storing 105, means for receiving 110, means for checking 120, means for determining 130 and means for providing 150 may be a storage device, receiver, checker, determiner, and provider, respectively. The means for storing 105, means for receiving 110, means for checking 120, means for determining 130, and means for providing 150 may be a storing processor, receiving processor, checking processor, determining processor, and providing processor, respectively.
The means for storing 105 stores, for each of one or more service producers, a respective stored profile in a repository (S105). Each of the stored profiles is defined by one or more type attributes. Each of the stored profiles comprises, for each of the one or more type attributes, respective one or more attribute values.
The means for receiving 110 receives a query for an address of a requested service producer from a service consumer (S110). The query comprises, for at least one specific type attribute of the requested service producer, respective one or more attribute values.
The means for checking 120 checks, for each of the at least one specific type attribute, whether the respective one or more attribute values comprised by the query match at least one of the one or more stored profiles (S120).
If, for at least one of the at least one specific type attribute, the respective one or more attribute values comprised by the query do not match any of the one or more stored profiles (S120 = no):
The means for determining 130 determines (or updates) a set of one or more blacklist profiles such that none of the blacklist profiles of the set matches any of the stored profiles (S130). In detail, each of the blacklist profiles is defined by at least a subset of the one or more type attributes. For each of the one or more blacklist profiles and for each of the one or more type attributes defining the respective blacklist profile, the respective blacklist profile defines one or more attribute values.
In addition, if, for at least one of the at least one specific type attribute, the respective one or more attribute values comprised by the query do not match any of the one or more stored profiles (S120 = no), at least one of the following actions a) and b) is performed:
a) The means for providing 150 provides the set of the one or more blacklist profiles in response to the query received by the means for receiving 110 (S150). Thus, the service consumer may consult the blacklist profile before it issues another query to the NRF. If the attribute values of the other inquiry match the blacklist profile, it may not issue the inquiry because it knows that the requested service producer is not supported by the NRF.
b) The means for storing 105 stores the set of the one or more blacklist profiles (S140). Thus, the NRF may consult the blacklist profile if it receives a query and before it starts an extensive search. If the attribute values of the query match the blacklist profile, it may not start the search because it knows that the requested service producer is not supported by the NRF.
In some example embodiments, both actions a) and b) are performed, as shown in Fig. 9. In some example embodiments, only one of actions a) and b) is performed. For example, if only action b) is performed, the apparatus need not include the means for providing 150. For example, if only action a) is performed, the means for storing 105 need not be configured to perform action b).
In some example embodiments, at least one of the blacklist profiles of the set defines at least one of the at least one specific type attribute and the respective one or more attribute values comprised in the query.
For example, the apparatus (e.g. NRF or element thereof) may be defined as follows: Apparatus comprising: one or more processors, and memory storing instructions that, when executed by the one or more processors, cause the apparatus to: store, for each of one or more service producers, a respective stored profile in a repository, wherein each of the stored profiles is defined by one or more type attributes, each of the stored profiles comprises, for each of the one or more type attributes, respective one or more attribute values; receive a query for an address of a requested service producer from a service consumer, wherein the query comprises one or more attribute values of at least one of the one or more type attributes of the requested service producer; check, for each of the one or more type attributes, whether at least one of the respective one or more attribute values comprised by the query matches at least one of the one or more stored profiles; if for at least one of the one or more type attributes, none of the respective one or more attribute values comprised by the query matches any of the one or more stored profiles: determine or update a set of one or more blacklist profiles such that none of the blacklist profiles of the set matches any of the stored profiles, wherein each of the blacklist profiles is defined by at least a subset of the one or more type attributes, and for at least one of the one or more type attributes, each of the one or more blacklist profiles defines more than one attribute value; and at least one of: provide the set of the one or more blacklist profiles in response to the query; and store the set of the one or more blacklist profiles.
Fig. 10 shows an apparatus according to an embodiment of the invention. The apparatus comprises at least one processor 810, at least one memory 820 including computer program code, and the at least one processor 810, with the at least one memory 820 and the computer program code, being arranged to cause the apparatus to at least perform at least one of the methods according to Figs. 7 and 9 and related description.
Some example embodiments are explained with respect to a 5G core network. However, the invention is not limited to 5G. It may be used in other service based networks, too, e.g. in forthcoming generations of 3GPP core networks such as 6G, 7G, etc. The invention is not limited to 3GPP core networks but may be used in access networks and non-3GPP networks, too. In the context of this application, each NF to which a query for an instance of a service producer is directed may be considered as a repository function. In particular, a SCP and, of course, a NRF may be considered as a repository function.
One piece of information may be transmitted in one or plural messages from one entity to another entity. Each of these messages may comprise further (different) pieces of information.
Names of network elements, network functions, protocols, and methods are based on current standards. In other versions or other technologies, the names of these network elements and/or network functions and/or protocols and/or methods may be different, as long as they provide a corresponding functionality.
If not otherwise stated or otherwise made clear from the context, the statement that two entities are different means that they perform different functions. It does not necessarily mean that they are based on different hardware. That is, each of the entities described in the present description may be based on a different hardware, or some or all of the entities may be based on the same hardware. It does not necessarily mean that they are based on different software. That is, each of the entities described in the present description may be based on different software, or some or all of the entities may be based on the same software. Each of the entities described in the present description may be deployed in the cloud.
According to the above description, it should thus be apparent that example embodiments of the present invention provide, for example, a network function of a service based network, such as a SCP or an NRF, or any other function, or a component thereof, an apparatus embodying the same, a method for controlling and/or operating the same, and computer program(s) controlling and/or operating the same as well as mediums carrying such computer program(s) and forming computer program product(s).
Implementations of any of the above described blocks, apparatuses, systems, techniques or methods include, as non-limiting examples, implementations as hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof. Each of the entities described in the present description may be embodied in the cloud. It is to be understood that what is described above is what is presently considered the preferred embodiments of the present invention. However, it should be noted that the description of the preferred embodiments is given by way of example only and that various modifications may be made without departing from the scope of the invention as defined by the appended claims.

Claims

1. Apparatus comprising: one or more processors, and memory storing instructions that, when executed by the one or more processors, cause the apparatus to: receive, from a service consumer, a request comprising, for at least one specific type attribute of a service producer, a respective attribute value; check one or more blacklist profiles, whether for each of the at least one specific type attribute, the respective attribute value matches one of the one or more blacklist profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for at least one of the one or more type attributes, each of the one or more blacklist profiles defines one or more attribute values; inhibit to query a repository function for the service producer if, for each of the at least one specific type attribute, the respective attribute value matches one of the blacklist profiles.
2. The apparatus according to claim 1, wherein the instructions, when executed by the one or more processors, further cause the apparatus to: provide the one of the one or more blacklist profiles in response to the request from the service consumer if, for each of the at least one specific type attribute, the respective attribute value matches one of the blacklist profiles.
3. The apparatus according to claim 2, wherein the instructions, when executed by the one or more processors, further cause the apparatus to: check if a non-support information is received from the service consumer indicating that the service consumer is not configured to store any of the one or more blacklist profiles; inhibit the providing the one of the one or more blacklist profiles to the service consumer if the non-support information is received from the service consumer.
4. The apparatus according to any of claims 1 to 3, wherein the instructions, when executed by the one or more processors, further cause the apparatus to: query the repository function for the service producer if, for each of the at least one specific type attribute, the respective attribute value does not match any of the blacklist profiles.
5. The apparatus according to claim 4, wherein the instructions, when executed by the one or more processors, further cause the apparatus to: store, for the at least one specific type attribute of the service producer, the respective attribute value in a matching profile if the querying the repository function for the service producer is successful; check whether the matching profile stores, for the at least one specific type attribute of the service producer, the respective attribute value if the request from the service consumer is received; inhibit to query the repository function for the service producer if the matching profile stores, for the at least one specific type attribute of the service producer, the respective attribute value.
6. The apparatus according to claim 5, wherein the instructions, when executed by the one or more processors, further cause the apparatus to: decide if the service consumer is suspicious; if the service consumer is suspicious: check, for each of the at least one specific type attributes, whether the respective attribute value of the service producer matches one of the one or more blacklist profiles prior to the checking whether the matching profile stores, for the specific type attribute of the service producer, the respective attribute value; and if the service consumer is not suspicious: check, for each of the at least one specific type attributes, whether the respective attribute value of the service producer matches one of the one or more blacklist profiles after the checking whether the matching profile stores, for the at least one specific type attribute of the service producer, the respective attribute value.
7. The apparatus according to any of claims 4 to 6, wherein the one or more blacklist profiles are received from the repository function in a response to the querying for the service producer.
8. The apparatus according to any of claims 1 to 7, wherein the instructions, when executed by the one or more processors, further cause the apparatus to: monitor whether at least one other blacklist profile is received from another entity, wherein each of the at least one other blacklist profiles is defined by at least a subset of one or more type attributes, and for at least one of the one or more type attributes, each of the at least one other blacklist profiles defines one or more attribute values; store the at least one other blacklist profile as at least one of the one or more blacklist profiles in the apparatus if the at least one other blacklist profile is received, wherein the other entity is a network function, or a service communication proxy, or a network repository function.
9. The apparatus according to any of claims 1 to 8, wherein the instructions, when executed by the one or more processors, further cause the apparatus to: inform the repository function that the apparatus is configured to store the one or more blacklist profiles.
10. Apparatus comprising: one or more processors, and memory storing instructions that, when executed by the one or more processors, cause the apparatus to: store, for each of one or more service producers, a respective stored profile in a repository, wherein each of the stored profiles is defined by one or more type attributes, each of the stored profiles comprises, for each of the one or more type attributes, respective one or more attribute values; receive a query for an address of a requested service producer from a service consumer, wherein the query comprises, for at least one specific type attribute of the requested service producer, respective one or more attribute values; check for each of the at least one specific type attribute, whether the respective one or more attribute values comprised by the query match at least one of the one or more stored profiles; if, for at least one of the at least one specific type attribute, the respective one or more attribute values comprised by the query do not match any of the one or more stored profiles: determine or update a set of one or more blacklist profiles such that none of the blacklist profiles of the set matches any of the stored profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for each of the one or more blacklist profiles and for each of the one or more type attributes defining the respective blacklist profile, the respective blacklist profile defines one or more attribute values; and at least one of: provide the set of the one or more blacklist profiles in response to the query; and store the set of the one or more blacklist profiles.
11. The apparatus according to claim 10, wherein at least one of the blacklist profiles comprises, for at least one of the type attributes, respective one or more attribute values, wherein the one or more attribute values indicate that the respective attribute value of the at least one type attribute in combination with the attribute values of the other type attributes not comprised in the respective blacklist profile, is not comprised in any of the stored profiles.
12. The apparatus according to any of claims 10 and 11, wherein at least one of the blacklist profiles does not comprise any attribute value for at least one of the type attributes, wherein the non-comprising of any attribute value means that an arbitrary attribute value of the respective type attribute in combination with the attribute values of the other type attributes not comprised in the respective blacklist profile is comprised in any of the stored profiles.
13. The apparatus according to any of claims 11 and 12, wherein at least one of the blacklist profile comprises a single attribute value for at least one of the type attributes, wherein the single attribute value indicates that the single attribute value in combination with the attribute values of the other type attributes not comprised in the respective blacklist profile is not stored in any of the stored profiles.
14. The apparatus according to any of claims 10 to 13, wherein the instructions, when executed by the one or more processors, further cause the apparatus to: determine, for each of the type attributes, a respective union of the attribute values of all the stored profiles in the local cache; wherein, for at least one of the type attributes, the blacklist profile comprises plural attribute values not comprised in the determined union.
15. The apparatus according to any of claims 10 to 14, wherein the set of the one or more blacklist profiles is stored; and the instructions, when executed by the one or more processors, further cause the apparatus to: check the one or more blacklist profiles whether, for each of the specific type attributes, the respective one or more attribute values of the service producer match one of the one or more blacklist profiles; inhibit the check whether, for each of the specific type attributes, the respective one or more attribute values comprised by the query match at least one of the one or more stored profiles if all of the one or more respective attribute values of the service producer match one of the blacklist profiles.
16. The apparatus according to any of claims 10 to 15, wherein the instructions, when executed by the one or more processors, further cause the apparatus to check whether a predefined trigger occurs; if the predefined trigger occurs: determine an event triggered blacklist profile such that the event triggered blacklist profile does not match any of the stored profiles; store the event triggered blacklist profile as one of the set of the one or more blacklist profiles.
17. The apparatus according to claim 16, wherein the predefined trigger comprises at least one of the following: lapse of a predefined duration of time after one of the blacklist profiles of the set of blacklist profiles was determined a last time; a trigger which is periodical in time; receiving a notification indicating a change of at least one of the attribute values of at least one of all the service producers; and a registration or deregistration of one of the service producers.
18. The apparatus according to any of claims 10 to 17, wherein at least one of the blacklist profiles of the set defines at least one of the at least one specific type attribute and the respective one or more attribute values comprised in the query.
19. The apparatus according to any of claims 1 to 18, wherein the instructions, when executed by the one or more processors, further cause the apparatus to: check whether an expiry time is associated to one of the one or more blacklist profiles; remove the one of the one or more blacklist profiles from the apparatus at the expiry time if the expiry time is associated to the one of the one or more blacklist profiles.
20. The apparatus according to any of claims 1 to 19, wherein at least one of the one or more blacklist profiles stored in the apparatus and/or at least one of the attribute values defined by one of the one or more blacklist profiles stored in the apparatus is predefined by an entity, wherein the entity is a network function, or a service communication proxy, or a network repository function.
21. Method comprising: receiving, from a service consumer, a request comprising, for at least one specific type attribute of a service producer, a respective attribute value; checking one or more blacklist profiles, whether for each of the at least one specific type attribute, the respective attribute value matches one of the one or more blacklist profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for at least one of the one or more type attributes, each of the one or more blacklist profiles defines one or more attribute values; inhibiting to query a repository function for the service producer if, for each of the at least one specific type attribute, the respective attribute value matches one of the blacklist profiles.
22. The method according to claim 21, further comprising: providing the one of the one or more blacklist profiles in response to the request from the service consumer if, for each of the at least one specific type attribute, the respective attribute value matches one of the blacklist profiles.
23. The method according to claim 22, further comprising: checking if a non-support information is received from the service consumer indicating that the service consumer is not configured to store any of the one or more blacklist profiles; inhibiting the providing the one of the one or more blacklist profiles to the service consumer if the non-support information is received from the service consumer.
24. The method according to any of claims 21 to 23, further comprising: querying the repository function for the service producer if, for each of the at least one specific type attribute, the respective attribute value does not match any of the blacklist profiles.
25. The method according to claim 24, further comprising: storing, for the at least one specific type attribute of the service producer, the respective attribute value in a matching profile if the querying the repository function for the service producer is successful; checking whether the matching profile stores, for the at least one specific type attribute of the service producer, the respective attribute value if the request from the service consumer is received; inhibiting to query the repository function for the service producer if the matching profile stores, for the at least one specific type attribute of the service producer, the respective attribute value.
26. The method according to claim 25, further comprising: deciding if the service consumer is suspicious; if the service consumer is suspicious: checking, for each of the at least one specific type attributes, whether the respective attribute value of the service producer matches one of the one or more blacklist profiles prior to the checking whether the matching profile stores, for the specific type attribute of the service producer, the respective attribute value; and if the service consumer is not suspicious: checking, for each of the at least one specific type attributes, whether the respective attribute value of the service producer matches one of the one or more blacklist profiles after the checking whether the matching profile stores, for the specific type attribute of the service producer, the respective attribute value.
27. The method according to any of claims 24 to 26, wherein the one or more blacklist profiles are received from the repository function in a response to the querying for the service producer.
28. The method according to any of claims 21 to 27, further comprising: monitoring whether at least one other blacklist profile is received from another entity, wherein each of the at least one other blacklist profiles is defined by at least a subset of one or more type attributes, and for at least one of the one or more type attributes, each of the at least one other blacklist profiles defines one or more attribute values; storing the at least one other blacklist profile as at least one of the one or more blacklist profiles in an apparatus performing the method if the at least one other blacklist profile is received, wherein the other entity is a network function, or a service communication proxy, or a network repository function.
29. The method according to any of claims 21 to 28, further comprising: informing the repository function that the apparatus performing the method is configured to store the one or more blacklist profiles.
30. Method comprising: storing, for each of one or more service producers, a respective stored profile in a repository, wherein each of the stored profiles is defined by one or more type attributes, each of the stored profiles comprises, for each of the one or more type attributes, respective one or more attribute values; receiving a query for an address of a requested service producer from a service consumer, wherein the query comprises, for at least one specific type attribute of the requested service producer, respective one or more attribute values; checking for each of the at least one specific type attribute, whether the respective one or more attribute values comprised by the query match at least one of the one or more stored profiles; if, for at least one of the at least one specific type attribute, the respective one or more attribute values comprised by the query do not match any of the one or more stored profiles: determining or updating a set of one or more blacklist profiles such that none of the blacklist profiles of the set matches any of the stored profiles, wherein each of the blacklist profiles is defined by at least a subset of one or more type attributes, and for each of the one or more blacklist profiles and for each of the one or more type attributes defining the respective blacklist profile, the respective blacklist profile defines one or more attribute values; and at least one of: providing the set of the one or more blacklist profiles in response to the query; and storing the set of the one or more blacklist profiles.
31. The method according to claim 30, wherein at least one of the blacklist profiles comprises, for at least one of the type attributes, respective one or more attribute values, wherein the one or more attribute values indicate that the respective attribute value of the at least one type attribute in combination with the attribute values of the other type attributes not comprised in the respective blacklist profile, is not comprised in any of the stored profiles.
32. The method according to any of claims 30 and 31, wherein at least one of the blacklist profiles does not comprise any attribute value for at least one of the type attributes, wherein the non-comprising of any attribute value means that an arbitrary attribute value of the respective type attribute in combination with the attribute values of the other type attributes not comprised in the respective blacklist profile is comprised in any of the stored profiles.
33. The method according to any of claims 31 and 32, wherein at least one of the blacklist profiles comprises a single attribute value for at least one of the type attributes, wherein the single attribute value indicates that the single attribute value in combination with the attribute values of the other type attributes not comprised in the respective blacklist profile is not stored in any of the stored profiles.
34. The method according to any of claims 30 to 33, further comprising: determining, for each of the type attributes, a respective union of the attribute values of all the stored profiles in the local cache; wherein, for at least one of the type attributes, the blacklist profile comprises plural attribute values not comprised in the determined union.
35. The method according to any of claims 30 to 34, wherein the set of the one or more blacklist profiles is stored; and the method further comprises: checking the one or more blacklist profiles whether, for each of the specific type attributes, the respective one or more attribute values of the service producer match one of the one or more blacklist profiles; inhibiting the check whether, for each of the specific type attributes, the respective one or more attribute values comprised by the query match at least one of the one or more stored profiles if all of the one or more respective attribute values of the service producer match one of the blacklist profiles.
36. The method according to any of claims 30 to 35, further comprising: checking whether a predefined trigger occurs; if the predefined trigger occurs: determining an event triggered blacklist profile such that the event triggered blacklist profile does not match any of the stored profiles; storing the event triggered blacklist profile as one of the set of the one or more blacklist profiles.
37. The method according to claim 36, wherein the predefined trigger comprises at least one of the following: lapse of a predefined duration of time after one of the blacklist profiles of the set of blacklist profiles was determined a last time; a trigger which is periodical in time; receiving a notification indicating a change of at least one of the attribute values of at least one of all the service producers; and a registration or deregistration of one of the service producers.
38. The method according to any of claims 30 to 37, wherein at least one of the blacklist profiles of the set defines at least one of the at least one specific type attribute and the respective one or more attribute values comprised in the query.
39. The method according to any of claims 21 to 38, further comprising: checking whether an expiry time is associated to one of the one or more blacklist profiles; removing the one of the one or more blacklist profiles from an apparatus performing the method at the expiry time if the expiry time is associated to the one of the one or more blacklist profiles.
40. The method according to any of claims 21 to 39, wherein at least one of the one or more blacklist profiles stored in an apparatus performing the method and/or at least one of the attribute values defined by one of the one or more blacklist profiles stored in the apparatus performing the method is predefined by an entity, wherein the entity is a network function, or a service communication proxy, or a network repository function.
41. A computer program product comprising a set of instructions which, when executed on an apparatus, is configured to cause the apparatus to carry out the method according to any of claims 21 to 40.
42. The computer program product according to claim 41, embodied as a computer-readable medium or directly loadable into a computer.
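
Added illustration (not part of the patent text, and not Nokia's implementation): a minimal Python sketch of the proxy-side flow of claims 21, 24 to 27 and 39, showing how blacklist profiles keep repeated no-match discovery requests away from the repository function. The class and function names, the attribute names nf_type and snssai, the 60-second lifetime and the sample producer data are all assumptions constructed for this example.

```python
import time

class BlacklistProfile:
    """Attribute values known not to match any registered service producer."""
    def __init__(self, values, ttl=None):
        self.values = values      # {type attribute: set of attribute values}
        self.ttl = ttl            # seconds until removal; None means no expiry
        self.expires_at = None

    def matches(self, request):
        # Assumed reading: attributes the profile leaves out act as wildcards.
        return all(request.get(a) in vals for a, vals in self.values.items())

class DiscoveryProxy:
    def __init__(self, query_repository, clock=time.monotonic):
        self.query_repository = query_repository
        self.clock = clock
        self.blacklist = []
        self.matching = {}            # positive cache (the "matching profile")
        self.repository_queries = 0

    def _blacklisted(self, request):
        now = self.clock()
        # Claim 39: drop profiles whose expiry time has passed.
        self.blacklist = [p for p in self.blacklist
                          if p.expires_at is None or p.expires_at > now]
        return any(p.matches(request) for p in self.blacklist)

    def discover(self, request, suspicious=False):
        key = frozenset(request.items())
        # Claim 26: a suspicious consumer is screened against the blacklist first.
        if suspicious and self._blacklisted(request):
            return None
        if key in self.matching:
            return self.matching[key]
        if not suspicious and self._blacklisted(request):
            return None               # claim 21: repository query inhibited
        self.repository_queries += 1
        address, profiles = self.query_repository(request)
        for p in profiles:            # claim 27: profiles arrive in the response
            p.expires_at = None if p.ttl is None else self.clock() + p.ttl
            self.blacklist.append(p)
        if address is not None:
            self.matching[key] = address
        return address

# Constructed sample data standing in for the repository's stored profiles.
STORED = [
    {"nf_type": "UDM", "snssai": "1-000001", "address": "10.0.0.5"},
    {"nf_type": "AMF", "snssai": "1-000002", "address": "10.0.0.6"},
]

def toy_repository(request):
    for p in STORED:
        if all(p.get(a) == v for a, v in request.items()):
            return p["address"], []
    # No match: blacklist exactly the queried combination (claim 38).
    return None, [BlacklistProfile({a: {v} for a, v in request.items()}, ttl=60)]
```

Because the blacklist profile holds exactly the combination that failed, it cannot match any stored profile, and any later request carrying that combination (with or without extra attributes) is answered locally until the profile expires.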
PCT/EP2020/082636 2020-11-19 2020-11-19 Optimizing discovery queries WO2022106001A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2020/082636 WO2022106001A1 (en) 2020-11-19 2020-11-19 Optimizing discovery queries

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2020/082636 WO2022106001A1 (en) 2020-11-19 2020-11-19 Optimizing discovery queries

Publications (1)

Publication Number Publication Date
WO2022106001A1 true WO2022106001A1 (en) 2022-05-27

Family

ID=73543236

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2020/082636 WO2022106001A1 (en) 2020-11-19 2020-11-19 Optimizing discovery queries

Country Status (1)

Country Link
WO (1) WO2022106001A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020038151A1 (en) * 2018-08-20 2020-02-27 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for service discovery
EP3716692A1 (en) * 2019-03-28 2020-09-30 Telefonaktiebolaget LM Ericsson (publ) Methods and apparatuses for service discovery
US10833938B1 (en) * 2019-07-31 2020-11-10 Oracle International Corporation Methods, systems, and computer readable media for network function (NF) topology synchronization

Non-Patent Citations (6)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; 5G System; Network Function Repository Services; Stage 3 (Release 16)", vol. CT WG4, no. V16.5.0, 25 September 2020 (2020-09-25), pages 1 - 195, XP051961081, Retrieved from the Internet <URL:ftp://ftp.3gpp.org/Specs/archive/29_series/29.510/29510-g50.zip 29510-g50.docx> [retrieved on 20200925] *
3GPP REL-15 /16 TS 23.501, TS 23.502, AND TS 29.510
3GPP TS 23.501
3GPP TS 29.500
3GPP TS 29.510
NOKIA ET AL: "NF Discovery procedure enhancements", vol. CT WG4, no. E-Meeting; 20201103 - 20201113, 10 November 2020 (2020-11-10), XP051952793, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_ct/WG4_protocollars_ex-CN4/TSGCT4_101e_meeting/Docs/C4-205524.zip C4-205524_29510_Rel17_NF Discovery procedure enhancements.docx> [retrieved on 20201110] *

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20811262

Country of ref document: EP

Kind code of ref document: A1