WO2022175198A1 - Method and apparatus for access control and service restriction - Google Patents

Method and apparatus for access control and service restriction

Info

Publication number
WO2022175198A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
request
access control
terminal devices
communication network
Application number
PCT/EP2022/053491
Other languages
English (en)
Inventor
Ping Chen
Emiliano Merino Vazquez
Juan Manuel FERNANDEZ GALMES
Jingrui TAO
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Publication of WO2022175198A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 8/00 Network data management
    • H04W 8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W 8/186 Processing of subscriber group data
    • H04W 8/02 Processing of mobility data, e.g. registration information at HLR [Home Location Register] or VLR [Visitor Location Register]; Transfer of mobility data, e.g. between HLR, VLR or external networks
    • H04W 8/06 Registration at serving network Location Register, VLR or user mobility server
    • H04W 48/00 Access restriction; Network selection; Access point selection
    • H04W 48/02 Access restriction performed under specific conditions

Definitions

  • The present invention generally relates to cellular communication technology. More particularly, it relates to a method for controlling access to a communication network and/or restricting service provided by the communication network, and to an apparatus and a computer program product adapted for the same purpose.
  • FIG. 1 schematically illustrates a typical 5G network architecture in a non-roaming scenario.
  • The Application Function (AF) can interact with the 3rd Generation Partnership Project (3GPP) Core Network and allows external parties to use the Exposure Application Programming Interfaces (APIs) offered by a network operator.
  • The Network Exposure Function (NEF) can support different functionality, and specifically different Exposure APIs.
  • Unified Data Management (UDM) includes the following functionality:
  • User Identification Handling, e.g., storage and management of the Subscription Permanent Identifier (SUPI) for each subscriber in the 5G system.
  • Access authorization based on subscription data, e.g., roaming restriction.
  • UE: User Equipment
  • Serving NF: serving Network Function
  • AMF: Access & Mobility Function
  • MTC: Machine Type Communications
  • The present disclosure describes efficient and universal solutions to handle the above issues.
  • It provides a new API, or utilizes an existing API, to allow an AF to request the Mobile Network Operator (MNO) through the NEF to terminate ongoing 5GC registrations, to restrict or forbid 5GC services, and to reject 5GC registrations for a specific range of users/devices on the basis of a specific policy during a scheduled time period or permanently. It also allows restricted and/or forbidden areas and/or access type restrictions (EPC/5GC restricted) to be set dynamically via the NEF.
  • A method for controlling access to a communication network and/or restricting service provided by the communication network comprises the following steps carried out at a first entity configured to expose functionality:
  • An apparatus for controlling access to a communication network and/or restricting service provided by the communication network comprises: a storage device configured to store a computer program comprising computer instructions; and a processor coupled to the storage device and configured to execute the computer instructions to carry out the steps of the method as described above.
  • A method for controlling access to a communication network and/or restricting service provided by the communication network comprises the following steps carried out at a first entity configured to authorize access control and/or service restriction:
  • An apparatus for controlling access to a communication network and restricting service provided by the communication network comprises: a storage device configured to store a computer program comprising computer instructions; and a processor coupled to the storage device and configured to execute the computer instructions to carry out the steps of the method as described.
  • A method for controlling access to a communication network and restricting service provided by the communication network comprises the following steps carried out at an Application Function (AF):
  • FIG. 1 schematically illustrates a typical 5G network architecture in a non-roaming scenario.
  • FIG. 2 schematically illustrates a flowchart of a method for controlling access to a communication network and/or restricting service provided by the communication network according to one exemplary embodiment of the present disclosure.
  • FIG. 3 schematically illustrates a flowchart of a method for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure.
  • FIG. 4 is a block diagram illustrating an apparatus for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure.
  • FIG. 5 schematically illustrates a flowchart of a method for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure.
  • FIG. 6 is a block diagram illustrating an apparatus for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure.
  • FIG. 7 schematically illustrates a flowchart of a method for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure.
  • FIG. 8 is a block diagram illustrating an apparatus for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure.
  • FIG. 9 is a sequence diagram schematically illustrating a UE de-registration procedure in a scenario where traffic is offloaded from 5GC to EPC according to another exemplary embodiment of the present disclosure.
  • FIG. 10 is a sequence diagram schematically illustrating a service area restriction procedure in a scenario where the UE context is restricted in a service area but UE tracking/locating shall be maintained according to another exemplary embodiment of the present disclosure.
  • The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor.
  • These implementations, or any other form that the invention may take, may be referred to as techniques.
  • The order of the steps of the disclosed processes may be altered within the scope of the invention.
  • A component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or as a specific component that is manufactured to perform the task.
  • The term "processor" refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
  • A terminal device may be referred to as, for example, a device, access terminal, user equipment (UE), mobile station, mobile unit, subscriber station, or the like. It may refer to any end device that can access a wireless communication network and receive services therefrom.
  • The terminal device may include a portable computer, an image capture terminal device such as a digital camera, a gaming terminal device, a music storage and playback appliance, a mobile phone, a cellular phone, a smart phone, a tablet, a wearable device, a personal digital assistant (PDA), or the like.
  • A network function/entity/node can be implemented either as a network element on dedicated hardware, as a software instance running on dedicated hardware, or as a virtualised function instantiated on an appropriate platform, e.g. on a cloud infrastructure.
  • A given AF with authority has influence on the UE context handling and the associated restrictions. For example, this can be achieved by a new Nnef API which allows the AF to request the MNO through the NEF to, e.g., force a UE to de-register from the 5GC network and transfer its traffic towards the EPC network in case a specific 5GC area is congested or malfunctioning (including IP/non-IP connectivity).
  • Alternatively, this can be achieved by reusing an existing API with new procedures and options (e.g., the existing UDM API for Parameter Provisioning, nudm-pp as defined in 3GPP TS 29.503). Additionally, the AF can use the API(s) to adjust the restrictions by scheduling certain restricted areas for certain users for a time period or permanently.
  • The NEF is configured to produce/expose a new or enhanced service (e.g., Nnef_UECM/ServiceRestrictions) as a 5GC NF Service Producer.
  • The AF is configured to request the MNO through the NEF to define one or more areas as restricted for the UE if they were not already defined for said UE as part of the provisioned information in the UDM/User Data Repository (UDR).
  • The service restriction may prescribe that no communication initiated by or terminated at a list of UEs camping in the restricted area(s) is allowed, while mobility signaling and events such as location are permitted.
  • It may also prescribe a term of validity for the service restriction, e.g., the restriction is effective during a time period (possibly scheduled) or permanently.
  • The restriction is effective until it is explicitly deleted by a new AF request or until the configuration has expired (if the AF provided an expiration time).
  • The above and other restrictions may be introduced by the AF triggering a Nnef_UECM/ServiceRestrictions_Create (HTTPS POST) request message.
  • The message, e.g., includes the following parameters:
  • AF-Identifier (ID)/Provider-ID: This parameter indicates the AF identity (e.g., a police department) and/or the provider identity (e.g., a national government for regulatory services).
  • The list of UEs may include a UE or a group of UEs, and may be defined by a UE-ID or a UE-Group-ID.
  • The service restriction may be presented in the form of one or more rules. One of the rules may prescribe an operation of prohibiting traffic for the UEs or terminal devices in the restricted area(s) while keeping mobility signaling or the UE context intact.
  • The message may further include a Restriction exception parameter. This parameter defines one or more UEs on which no access control or service restriction shall be imposed. For various reasons, the UEs of some users, e.g., police officers and the President, shall not be restricted. The exception may be achieved by defining a UE-ID or a UE-Group-ID in the Restriction exception.
  • UE context management includes but is not limited to:
  • Re-registration required via the NEF API (e.g., the new one described above), e.g., to force a UE to re-attach in 5GC with re-authentication included.
  • Forbidden areas change via the NEF API (e.g., the new or enhanced ones described above).
  • RAT restriction change, e.g., a restriction on using Long Term Evolution (LTE) access that only allows 5G New Radio (NR), via the NEF API (e.g., the new or enhanced ones described above).
  • The dynamic conditions for access control include but are not limited to the following items:
  • MTC provider ID: For example, this item may identify an MTC provider so that an MTC device from the MTC provider as identified will be the target of the access control and/or service restriction.
  • Event-based information: This information may comprise an event that a UE or terminal device becomes an inbound roamer or exhibits predefined behavior. Once the UE or terminal device becomes an inbound roamer or exhibits the predefined behavior, it will be the target of the access control and/or service restriction.
  • Location-based information: This information may comprise one or more specific areas. Thus, once a UE or terminal device moves into the specific areas, it will be the target of the access control and/or service restriction.
  • Device type-based information: Examples of device type include but are not limited to Internet of Things (IoT), enhanced Mobile Broadband (eMBB), etc. Illustratively, this item may define to which type of device the access control and/or service restriction are applied.
  • Core network: This item indicates which type of core network is allowed to be accessed. For example, when a specific core network area is congested or malfunctioning, the AF may request the MNO through the NEF to make a UE in the congested area register in or attach to the type of core network as indicated.
  • Radio Access Network: This item indicates which type of RAN is allowed or not allowed to be accessed.
  • The message may further comprise a time period during which the dynamic conditions and/or service restriction are applicable. For example, it may define the start time and end time of the time period. If this parameter is not present or defined, the dynamic conditions and/or service restriction are effective permanently: for example, they may be effective until they are explicitly deleted or cancelled by the AF or until the configuration has expired (if the AF provided an expiration time). Alternatively, the AF may request the MNO to cancel the dynamic conditions and/or service restriction by sending a Nnef_UECM/ServiceRestrictions_Delete request to the NEF.
  • Upon receiving from the AF a request for access control and/or service restriction, the NEF authorizes the request, i.e., determines whether the request is valid.
  • The request may include a requester identity, e.g., AF-ID/Provider-ID, and a range of terminal devices, along with the dynamic conditions and/or service restriction applied to the range, as described above.
  • The NEF not only verifies the AF-ID/Provider-ID, but also determines whether the AF-ID or Provider-ID has a grant for an access control operation and/or a service restriction operation as defined by the range of terminal devices along with the dynamic conditions and/or the service restriction.
  • For example, the requester identified by the AF-ID/Provider-ID might be allowed to perform service restriction on a group of UEs but not allowed to change/set forbidden areas. Thus, if the AF request intends to specify forbidden areas, it will be rejected. In other words, not only the AF/provider identity but also the matching between the identity and the dynamic conditions (and/or the matching between the identity and the service restriction) in the request needs to be authorized.
  • Once the request is authorized and determined to be valid, the NEF sends a message requesting the UDM to authorize access control and service restriction for the affected UE or group of UEs on the basis of the request.
  • The UDM may trigger UECM context removal/de-registration for the terminal devices in the range as defined in the request from the AF, or may reject registrations with the proper cause code (e.g., 5GC services restricted), or set forbidden/restricted areas for the terminal devices in the range as defined in the request from the AF during the scheduled time period or permanently.
  • The service area restriction is part of the Access and Mobility (AM) policy described in 3GPP TS 29.507 V17.1.0 (2020-12) and can also potentially be exposed.
  • The AM policies can only remove provisioned restrictions for the UE (i.e., provisioned restricted areas are temporarily allowed for the UE), but cannot add new restricted areas (i.e., provisioned allowed areas being temporarily restricted).
  • The UDM can allow/disallow the added restrictions on a per-UE basis and according to other local policy.
  • FIG. 2 schematically illustrates a flowchart of a method for controlling access to a communication network and/or restricting service provided by the communication network according to one exemplary embodiment of the present disclosure.
  • NEF: Network Exposure Function
  • SCEF: Service Capability Exposure Function
  • The NEF or SCEF entity receives from an AF entity a request for access control and/or service restriction for one or more terminal devices.
  • The request includes a requester identity and a range of terminal devices affected by the request, along with dynamic conditions for access control and/or service restriction applied to the range.
  • The range of terminal devices is defined by UE-ID or UE-Group-ID, and the dynamic conditions may comprise at least one of the following: Machine Type Communications (MTC) provider ID, event-based information, location-based information and device type-based information.
  • The dynamic conditions may further comprise access control for the core network, indicating which core network is allowed to be accessed, or access control for the RAN, indicating which RAN is allowed to be accessed.
  • The request may further comprise a time period during which the service restriction and/or the dynamic conditions are applied.
  • At step S202, the NEF or SCEF entity determines whether the request from the AF entity is valid. As described above, the authorization is performed not only on the AF/provider identity but also on the matching between the identity and the dynamic conditions and/or the matching between the identity and the service restriction in the request. If the request is authorized, the flowchart proceeds to step S203; otherwise, to step S204.
  • At step S203, the NEF or SCEF entity requests a UDM entity or a Home Subscriber Server (HSS) to authorize access control and/or service restriction on the basis of the request, e.g., by sending to the UDM entity or HSS a message including the range of the terminal devices under access control and/or service restriction.
  • After step S203, the flowchart proceeds to step S205, where the NEF or SCEF entity receives from the AF entity a request for cancelling the provision made based on the request for access control and/or service restriction. Then, at step S206, the NEF or SCEF entity determines whether the request for cancelling the provision is valid. If it is valid, the flowchart proceeds to step S207; otherwise, to step S204. At step S207, the NEF or SCEF entity requests the UDM entity or the HSS to cancel the provision.
  • Alternatively, at step S205 the NEF or SCEF entity receives from the AF entity a request for retrieving the provision made based on the request for access control and/or service restriction; at step S206, the NEF or SCEF entity determines whether the request for retrieving the provision is valid, and if so the flowchart proceeds to step S207, otherwise to step S204; and at step S207, the NEF or SCEF entity requests the UDM entity or the HSS to retrieve the provision.
  • At step S204, the NEF or SCEF entity sends to the AF entity a message indicating that the request is invalid.
  • FIG. 3 schematically illustrates a flowchart of a method for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure.
  • The method steps of FIG. 3 may be used for performing steps S202 and S206 of FIG. 2.
  • At step S301, the NEF or SCEF entity verifies the requester identity, e.g., the AF/provider identity, included in the request. If the identity is verified, the flowchart proceeds to step S302; otherwise, to step S204.
  • At step S302, the NEF or SCEF entity determines whether the AF/provider identity has a grant for an access control operation and/or a service restriction operation as defined by the range of terminal devices along with the dynamic conditions and/or the service restriction in the request. If the AF/provider identity is authorized, the flowchart proceeds to step S203 of FIG. 2; otherwise, to step S204.
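The NEF-side authorization of FIG. 3 (identity verification at S301, then grant matching at S302) together with the earlier example of a requester that may restrict services on a group of UEs but may not set forbidden areas, modelled as an added Python example; this is not code from the patent or from Ericsson, and the grant table, AF-IDs, operation names and request fields are constructed for illustration.

```python
"""
Added example (not code from the patent or from Ericsson): a model of the
NEF-side authorization of steps S202/S206 as detailed in FIG. 3. The requester
identity is verified first (S301); only then is the grant matched against the
requested operation, the range of terminal devices and the dynamic conditions
(S302). Grant table, AF-IDs, operation names and request fields are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Operations an AF may request, in the page's vocabulary (constructed names).
OPERATIONS = {"service_restriction", "deregistration", "forbidden_areas", "rat_restriction"}
# Dynamic condition kinds that may accompany a request (constructed names).
CONDITION_KINDS = {"mtc_provider", "event", "location", "device_type", "core_network", "ran"}

# Constructed grant table keyed by verified AF-ID/Provider-ID. An AF missing here
# fails identity verification (S301). The police-department entry mirrors the
# page's example: service restriction on groups allowed, forbidden areas not.
GRANTS = {
    "af-police-dept": {
        "operations": {"service_restriction", "deregistration"},
        "conditions": {"location", "device_type"},
        "ranges": {"UE-ID", "UE-Group-ID"},
    },
    "af-national-regulator": {
        "operations": set(OPERATIONS),
        "conditions": set(CONDITION_KINDS),
        "ranges": {"UE-ID", "UE-Group-ID"},
    },
}


@dataclass
class AfRequest:
    requester_id: str                                 # AF-ID/Provider-ID
    range_kind: str                                   # "UE-ID" or "UE-Group-ID"
    range_ids: list
    operation: str
    conditions: dict = field(default_factory=dict)    # condition kind -> value
    time_period: Optional[tuple] = None               # (start, end); None = permanent
    exceptions: set = field(default_factory=set)      # Restriction exception UE-IDs


def authorize(req: AfRequest, grants=GRANTS) -> Tuple[bool, str, str]:
    """Return (authorized, next_step, detail); every failure routes to S204."""
    grant = grants.get(req.requester_id)
    if grant is None:                                          # S301 fails
        return False, "S204", "requester identity not verified"
    # S302: the identity alone is not enough; the operation, the range and the
    # conditions must all be covered by this requester's grant.
    if req.operation not in OPERATIONS:
        return False, "S204", f"unknown operation {req.operation!r}"
    if req.operation not in grant["operations"]:
        return False, "S204", f"no grant for {req.operation}"
    if req.range_kind not in grant["ranges"] or not req.range_ids:
        return False, "S204", "range of terminal devices not permitted or empty"
    unknown = set(req.conditions) - CONDITION_KINDS
    if unknown:
        return False, "S204", f"unknown condition kinds {sorted(unknown)}"
    disallowed = set(req.conditions) - grant["conditions"]
    if disallowed:
        return False, "S204", f"no grant for conditions {sorted(disallowed)}"
    if req.time_period is not None and req.time_period[1] <= req.time_period[0]:
        return False, "S204", "time period end must be after start"
    return True, "S203", "forward to UDM/HSS"


def effective_targets(req: AfRequest) -> list:
    """UE-IDs the provision applies to once the Restriction exception is removed.
    Group membership is resolved by UDM/UDR, so a UE-Group-ID range is passed on
    unchanged and its exceptions travel with the request."""
    if req.range_kind != "UE-ID":
        return list(req.range_ids)
    return [ue for ue in req.range_ids if ue not in req.exceptions]
```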
  • FIG. 4 is a block diagram illustrating an apparatus for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure.
  • The apparatus 40 comprises a storage device 410 and a processor 420 coupled to the storage device 410.
  • The storage device 410 is configured to store a computer program 430 comprising computer instructions.
  • The processor 420 is configured to execute the computer instructions to perform some or all of the method steps as shown in FIGS. 2 and 3.
  • FIG. 5 schematically illustrates a flowchart of a method for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure. For illustrative purposes, it is assumed that the method steps shown in FIG. 5 are carried out at a UDM entity or an HSS.
  • The UDM entity or the HSS receives from a NEF/SCEF entity a message for access control and/or service restriction for one or more terminal devices.
  • The message includes a range of terminal devices affected by the message, along with dynamic conditions for access control and/or service restriction applied to the range.
  • The range of terminal devices is defined by UE-ID or UE-Group-ID, and the dynamic conditions may comprise at least one of the following: Machine Type Communications (MTC) provider ID, event-based information, location-based information and device type-based information.
  • The dynamic conditions may further comprise access control for the core network, indicating which core network is allowed to be accessed, or access control for the RAN, indicating which RAN is allowed to be accessed.
  • The message may further comprise a time period during which the service restriction and/or the dynamic conditions are applied.
  • The UDM entity or the HSS authorizes access control to the network and/or restriction of the service provided by the network on the basis of the message.
  • The UDM entity may trigger UECM context removal/de-registration for the terminal devices in the range as defined in the message, or may reject future UE registrations with the proper cause code (e.g., 5GC services restricted), or set forbidden/restricted areas for the terminal devices in the range during the scheduled time period or permanently.
  • FIG. 6 is a block diagram illustrating an apparatus for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure.
  • The apparatus 60 comprises a storage device 610 and a processor 620 coupled to the storage device 610.
  • The storage device 610 is configured to store a computer program 630 comprising computer instructions.
  • The processor 620 is configured to execute the computer instructions to perform some or all of the method steps as shown in FIG. 5.
  • FIG. 7 schematically illustrates a flowchart of a method for controlling access to a communication network and/or restricting service provided by the communication network according to one exemplary embodiment of the present disclosure. For illustrative purposes, it is assumed that the method steps shown in FIG. 7 are carried out at an AF entity.
  • The AF entity sends, via an NEF entity or an SCEF entity, a request for access control and/or service restriction for one or more terminal devices to a UDM entity or an HSS, so that the UDM entity or the HSS authorizes the access control and/or service restriction.
  • The request is similar to the one described above.
  • Subsequently, the AF entity sends to the UDM entity or the HSS, via the NEF or SCEF entity, a request for cancelling the provision made based on the request for access control and/or service restriction. Then, at step S703, the AF entity receives from the UDM entity or the HSS, via the NEF or SCEF entity, an acknowledgement of the request.
  • FIG. 8 is a block diagram illustrating an apparatus for controlling access to a communication network and/or restricting service provided by the communication network according to another exemplary embodiment of the present disclosure.
  • The apparatus 80 comprises a storage device 810 and a processor 820 coupled to the storage device 810.
  • The storage device 810 is configured to store a computer program 830 comprising computer instructions.
  • The processor 820 is configured to execute the computer instructions to perform some or all of the method steps as shown in FIG. 7.
  • FIG. 9 is a sequence diagram schematically illustrating a UE de-registration procedure in a scenario where traffic is offloaded from 5GC to EPC according to another exemplary embodiment of the present disclosure.
  • The procedure as shown is based on a Nnef Northbound API for UE context management and service restrictions which allows the AF to request the MNO (through the NEF) to de-register UEs or to reject new 5GC registrations for certain users/devices matching certain conditions (e.g., location, type of device to be blocked, only roaming users affected, etc.) during a scheduled time period or permanently.
  • The procedure comprises the following steps:
  • Step S901: The AF decides to request UE context de-registration for certain users/devices in a certain location and during a certain time period.
  • Step S902: The AF triggers a Nnef_UECM request message (or AF request) including the following parameters:
  • AF-ID/Provider-ID: This parameter indicates the AF identity (e.g., a police department) and/or the provider identity (e.g., a government for regulatory services).
  • List of UEs or terminal devices: The list may include a UE, a group of UEs or any UE meeting one or more criteria which, e.g., are based on location and/or device type. In this example, this parameter is represented as a UE-ID.
  • This item identifies the location where the request message is applicable, e.g., a geographical region which can be mapped by the NEF to a list of Tracking Area Identifiers (TAIs)/Cell-IDs.
  • Identity of UEs/terminal device(s) for specular user(s): This optional item may be used for terminating the UE context for all of the UEs in the area where the specular user(s) reside. The identity may include UE-IDs for VIP users. Alternatively, it may further include a list of exceptional UE-IDs for security personnel.
  • New/current UE contexts allowed: This item indicates de-registration of the existing UE contexts (e.g., 5GC registrations) and/or of new 5GC registrations. In this example, this parameter is set as "5GC network restricted", i.e., the UE context is restricted in the 5GC network.
  • This item may be, e.g., a roaming indication for indicating that the AF request is only applicable to inbound roamers.
  • MTC provider name: This item identifies the MTC provider to which the AF request is applicable; thus all devices from the MTC provider as identified are determined as the target of the AF request, e.g., for the purposes of ending the 5GC registrations and applying a 5GC core network restriction so as to move them to the EPC network.
  • This item identifies the type of devices to which the AF request is applicable (e.g., Tracking Area Code (TAC) in the Permanent Equipment Identifier (PEI), or Subscription Permanent Identifier (SUPI)/International Mobile Subscriber Identifier (IMSI) ranges).
  • NWDAF: Network Data Analytics Function
  • TimePeriod: This item defines the scheduled time period, e.g., with a start time and a stop time, to which the AF request is applicable. For example, the period may start immediately and last for a duration of 2 hours.
  • Step S903 NEF determines whether AF is allowed to involve API(UE_Context_Management) and whether AF is allowed to request the operation as specified by the conditions in the AF request, e.g., 5GC network restricted.
  • Step S904 Upon the AF request is authorized, NEF sends a
  • Nudm_UE_context_Management request message or an NEF request to UDM In the NEF request,
  • “List of UEs or terminal devices” is represented as a UE-ID, and "New/current UE contexts allowed” is set as “5GC restricted”.
  • “5GC restricted” may include two de-registration modes. To be specific, in one of the modes, it immediately deregisters a UE, but accepts a new registration after that. This mode forces a re-attach in 5GC, involving a new authentication procedure. Thus, it also forces a new re-authentication. For the another de-registration mode, it immediately deregisters a UE and disallows any future registration until further notice.
  • the API as described above may support both of the two modes.
  • Step S905 UDM authorizes the operation for the requested UE as indicated in the NEF request.
  • Step S906 UDM sends to NEF a Nudm_UE_Context_management response indicating the operation is authorized.
  • Step S907 If the requested UE is registered in 5GC, UDM terminates the registration and remove the relevant UE context. To reflect operation of the 5GC network restricted, UDM may include a new de-registration reason, e.g., represented as "re-registration in EPC required", in messages originating therefrom.
  • Step S908 UDM sends to Access and Mobility Function (AMF) a
  • Step S909 AMF notifies UE identified with the UE-ID, i.e., the requested UE, of 5GC network restriction and the removal of the UE context in AMF. Then UE performs an EPS attach operation.
  • FIG 10 is a sequence diagram schematically illustrating a service area restriction procedure in a scenario where UE context is restricted in a service area but UE tracking/locating shall be maintained according to another exemplary embodiment of the present disclosure.
  • the procedure as shown is based on a Nnef Northbound API for UE context management and service restrictions which allows AF to request MNO (through NEF) to block signaling related to services while maintaining the UE context.
  • the procedure comprises the following steps:
  • Step S1001 AF decides to request UE service area restriction for certain users/devices in a certain location and during a certain time period.
  • Step S1002 AF triggers a Nnef_UE_Parameter_Provisioning request message or an AF request including the following parameters:
  • AF-ID/Provider-ID This parameter indicates AF identity (e.g., a police department) and/or provider identity (e.g., National government for regulatory services).
  • this parameter is represented as a UE-ID.
  • “Filtering criteria” indicates that UE context associated with the UEs in "List of UEs or terminal devices" is restricted in the serving area but UE tracking/locating shall be maintained.
  • Step S1003 NEF determines whether AF is allowed to invoke
  • Step S1004 Once the AF request is verified, NEF sends a Nudm_UE_Parameter_Provisioning request message or an NEF request to UDM. In the NEF request, "List of UEs or terminal devices" is represented as a UE-ID.
  • “Filtering criteria” indicates that UE context associated with the UEs in "List of UEs or terminal devices" is restricted in the serving area but UE tracking/locating shall be maintained.
  • Step S1005 UDM authorizes the operation for the requested UE as indicated in the NEF request.
  • Step S1006 UDM sends to NEF a Nudm_UE_Parameter_Provisioning response indicating the operation is authorized.
  • Step S1007 If the requested UE is registered in 5GC, UDM generates a Nudm_Subscription_Data_Management_Update message including the UE-ID and "Filtering criteria" indicating that UE context associated with the UE in "List of UEs or terminal devices" is restricted in the serving area but UE tracking/locating shall be maintained.
  • Step S1008 UDM sends to AMF the Nudm_Subscription_Data_Management_Update message.
  • Step S1009 AMF notifies the UE identified with the UE-ID, i.e., the requested UE, of the 5GC area restriction while maintaining the UE context in AMF. That is, the requested UE is prohibited from sending/receiving any traffic data, but its location is known to AMF and can be requested by AF, e.g., via the existing event exposure API in NEF.
  • AF may cancel the procedures by triggering a new message, e.g., Nnef_PDUSession/ServiceRestrictions_Delete request message.
  • new PDU sessions for target users/devices matching the requested conditions e.g., location
  • AF may send a new request, e.g., Nnef_PDUSession/ServiceRestrictions_Query request.
  • the present disclosure allows external parties (e.g., owners of IoT devices, government and police) to request a mobile network operator to manage the UE context for certain users/devices matching certain conditions (e.g., location, type of device to be blocked, roaming users affected only, etc.) during a scheduled time period or permanently.
  • the present disclosure can be used in a variety of scenarios, for example, including:
  • the present disclosure may provide solutions to de-register these devices from the network automatically and immediately once the problem is detected at the AF, e.g., if the AF is also acting as NWDAF for performing analytics.
  • the present disclosure may provide solutions to quickly steer users to EPC or 5GC so that the service continuity is kept.
  • the present disclosure may provide solutions to make their devices attach to and stay in 5GC (e.g., to be able to use Application Traffic Influence by restricting EPC for a UE or a group of UEs).
  • the present disclosure may provide solutions in which a given AF (via exposure) can subscribe to the SUPI-PEI (IMEI) association for the related SUPI; the MNO can then simply impose a service restriction in the whole network for any new UE/IMEI associated with the stolen UE. Therefore, the stolen UE is allowed to register but is not allowed to send/receive any traffic data. On the other hand, since the stolen UE is registered, its location can be tracked.
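As an added illustration (not code from the patent or from Ericsson), the following Python sketch models the NEF authorization check of steps S903/S1003 and the UDM handling of steps S907/S1007 for the two "5GC restricted" de-registration modes and the service area restriction; AF_POLICY, the AF-IDs, the mode strings and the UE-IDs are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy (assumption): which AF-ID may invoke which API and operation.
AF_POLICY = {
    "police-dept-1": {"api": {"UE_Context_Management", "UE_Parameter_Provisioning"},
                      "ops": {"deregister_reattach", "deregister_block", "area_restrict"}},
    "iot-owner-7": {"api": {"UE_Context_Management"}, "ops": {"deregister_reattach"}},
}

@dataclass
class AfRequest:
    af_id: str          # AF-ID/Provider-ID
    api: str            # Nnef API the AF wants to invoke
    operation: str      # "deregister_reattach"/"deregister_block" (5GC restricted) or "area_restrict"
    ue_ids: list[str]   # "List of UEs or terminal devices" as UE-IDs
    start: datetime     # TimePeriod start
    stop: datetime      # TimePeriod stop

def nef_authorize(req: AfRequest, now: datetime) -> tuple[bool, str]:
    # S903/S1003: may this AF invoke the API and request this operation, and is the request sane?
    policy = AF_POLICY.get(req.af_id)
    if policy is None or req.api not in policy["api"]:
        return False, "AF not allowed to invoke API"
    if req.operation not in policy["ops"]:
        return False, "operation not allowed for this AF"
    if not req.ue_ids:
        return False, "empty UE list"
    if req.stop <= req.start or req.stop <= now:
        return False, "invalid or expired time period"
    return True, "authorized"

@dataclass
class UeContext:
    registered: bool = True
    traffic_allowed: bool = True
    registration_blocked: bool = False
    dereg_reason: str = ""

def udm_apply(ctx: UeContext, operation: str) -> UeContext:
    # S907/S1007: act on a registered UE's context according to the authorized operation.
    if not ctx.registered:
        return ctx
    if operation in ("deregister_reattach", "deregister_block"):   # "5GC restricted"
        ctx.registered = False
        ctx.dereg_reason = "re-registration in EPC required"
        ctx.registration_blocked = operation == "deregister_block"  # mode 2 blocks re-registration
    elif operation == "area_restrict":   # context kept: traffic blocked, location still trackable
        ctx.traffic_allowed = False
    return ctx
```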


Abstract

The present disclosure generally relates to cellular communication techniques. More particularly, the present disclosure relates to a method for access control to a 3GPP core network. The present disclosure also relates to an apparatus and a computer program product adapted for the same purpose. According to one aspect of the present disclosure, a method for access control to a 3GPP core network comprises the following steps performed by a first entity configured to expose the functionality of the 3GPP core network: receiving (S201), from an application function (AF) entity, a request for access control and/or service restriction for one or more terminal devices; determining (S202) whether the request is valid; and, if the request is valid, requesting (S203) a second entity to authorize access control and/or service restriction based on the request.
PCT/EP2022/053491 2021-02-20 2022-02-14 Procédé et appareil de contrôle d'accès et de restriction de service WO2022175198A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNPCT/CN2021/077005 2021-02-20
CN2021077005 2021-02-20

Publications (1)

Publication Number Publication Date
WO2022175198A1 true WO2022175198A1 (fr) 2022-08-25

Family

ID=80736028

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/053491 WO2022175198A1 (fr) 2021-02-20 2022-02-14 Procédé et appareil de contrôle d'accès et de restriction de service

Country Status (1)

Country Link
WO (1) WO2022175198A1 (fr)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200322881A1 (en) * 2019-04-02 2020-10-08 Electronics And Telecommunications Research Institute Non-ip data delivery authorization update method and connection release method for non-ip data delivery, and device for performing the method


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; 5G System; Network Exposure Function Northbound APIs; Stage 3 (Release 17)", vol. CT WG3, no. V17.0.0, 18 December 2020 (2020-12-18), pages 1 - 168, XP051999266, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/29_series/29.522/29522-h00.zip 29522-h00.doc> [retrieved on 20201218] *
"3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; 5G System; Unified Data Management Services; Stage 3 (Release 17)", vol. CT WG4, no. V17.1.0, 11 December 2020 (2020-12-11), pages 1 - 381, XP051999226, Retrieved from the Internet <URL:https://ftp.3gpp.org/Specs/archive/29_series/29.503/29503-h10.zip 29503-h10.docx> [retrieved on 20201211] *
3GPP TS 29.507, December 2020 (2020-12-01)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 22709638; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 22709638; Country of ref document: EP; Kind code of ref document: A1)