WO2023134876A1 - Communications system, first endpoint device and methods performed thereby for handling security - Google Patents


Info

Publication number
WO2023134876A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
traffic
nodes
indication
communications system
Application number
PCT/EP2022/052144
Other languages
English (en)
Inventor
Miguel Angel MUÑOZ DE LA TORRE
Antonio Iniesta Gonzalez
Antonio CAÑETE MARTINEZ
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Publication of WO2023134876A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H04W 12/30 Security of mobile devices; Security of mobile applications
    • H04W 12/37 Managing security policies for mobile devices or for controlling mobile applications

Definitions

  • the present disclosure relates generally to a communications system and methods performed thereby for handling security.
  • the present disclosure also relates generally to a first endpoint device, and methods performed thereby for handling security.
  • the present disclosure also relates generally to computer programs and computer-readable storage mediums, having stored thereon the computer programs to carry out these methods.
  • Computer systems in a communications network may comprise one or more nodes, which may also be referred to simply as nodes.
  • a node may comprise one or more processors which, together with computer program code may perform different functions and actions, a memory, a receiving port and a sending port.
  • a node may be, for example, a server. Nodes may perform their functions entirely on the cloud.
  • the standardization organization 3GPP is currently in the process of specifying a New Radio Interface called Next Generation Radio/New Radio (NR) or 5G-UTRA, as well as a Fifth Generation (5G) Packet Core Network, which may be referred to as 5G Core Network, abbreviated as 5GC.
  • 5GC 5G Core Network
  • a 3GPP system comprising a 5G Access Network (AN), a 5G Core Network and a User Equipment (UE) may be referred to as a 5G system.
  • AN 5G Access Network
  • UE User Equipment
  • Figure 1 is a schematic diagram depicting a particular example of a 5G architecture of policy and charging control framework, which may be used as a reference for the present disclosure.
  • An Application Function (AF) 1 may interact with the 3GPP Core Network, and specifically in the context of this document, may allow external parties to use Exposure Application Programming Interfaces (APIs) that may be offered by the network operator.
  • APIs Exposure Application Programming Interfaces
  • a Network Exposure Function (NEF) 2 may support different functionality and, specifically in the context of this document, the NEF 2 may support different Exposure APIs.
  • a Unified Data Repository (UDR) 3 may store data grouped into distinct collections of subscription-related information, such as subscription data, policy data, structured data for exposure, and application data.
  • a Policy Control Function (PCF) 4 may support a unified policy framework to govern the network behavior. Specifically, the PCF may provide Policy and Charging Control (PCC) rules to the Policy and Charging Enforcement Function (PCEF), that is, the Session Management Function (SMF) 5/User Plane function (UPF) 6 that may enforce policy and charging decisions according to provisioned PCC rules.
  • PCC Policy and Charging Control
  • PCEF Policy and Charging Enforcement Function
  • SMF Session Management Function
  • UPF User Plane function
  • the SMF 5 may support different functionalities, e.g., the SMF 5 may receive PCC rules from the PCF 4 and may configure the UPF 6 accordingly.
  • the UPF 6 may support handling of user plane (UP) traffic based on the rules received from the SMF 5, e.g., packet inspection and different enforcement actions such as Quality of Service (QoS) handling.
  • UP user plane
  • QoS Quality of Service
  • NWDAF Network Data Analytics Function
  • the NWDAF 7 may be a part of the 5GC architecture and may use the mechanisms and interfaces specified for 5GC and Operations, Administration and Maintenance (OAM).
  • OAM Operations, Administration and Maintenance
  • the NWDAF 7 may interact with different entities for different purposes, such as: a) data collection based on event subscription, provided by an Access and Mobility Function (AMF) 8, the SMF 5, the PCF 4, a Unified Data Management (UDM), the AF 1, directly or via the NEF 2, and an OAM; b) retrieval of information from data repositories, e.g., the UDR 3 via the UDM for subscriber-related information; c) retrieval of information about Network Functions (NFs), e.g., Network Repository Function (NRF) for NF-related information, and Network Slice Selection Function (NSSF) for slice-related information; and d) on demand provision of analytics to consumers.
  • AMF Access and Mobility Function
  • UDM Unified Data Management
  • FIG 1 further depicts a Charging Function (CHF) 9.
  • CHF Charging Function
  • Each of the UDR 3, the NEF 2, the NWDAF 7, the AF 1, the PCF 4, the CHF 9, the AMF 8 and the SMF 5 may have an interface through which they may be accessed, which as depicted in the Figure, may be, respectively: Nudr 10, Nnef 11, Nnwdaf 12, Naf 13, Npcf 14, Nchf 15, Namf 16 and Nsmf 17.
  • the UPF 6 may have an interface N4 18 with the SMF 5.
  • the communications network may cover a geographical area which may be divided into cell areas, each cell area being served by another type of node, a network node in the Radio Access Network (RAN), radio network node or Transmission Point (TP), for example, an access node such as a Base Station (BS), e.g. a Radio Base Station (RBS), which sometimes may be referred to as e.g., evolved Node B (“eNB”), “eNodeB”, “NodeB”, “B node”, or Base Transceiver Station (BTS), depending on the technology and terminology used.
  • BS Base Station
  • RBS Radio Base Station
  • eNB evolved Node B
  • eNodeB evolved Node B
  • BTS Base Transceiver Station
  • the base stations may be of different classes such as e.g., Wide Area Base Stations, Medium Range Base Stations, Local Area Base Stations and Home Base Stations, based on transmission power and thereby also cell size.
  • a cell is the geographical area where radio coverage is provided by the base station at a base station site.
  • One base station, situated on the base station site, may serve one or several cells. Further, each base station may support one or several communication technologies.
  • the telecommunications network may also comprise network nodes which may serve receiving nodes, such as user equipments, with serving beams.
  • DNS Domain Name Service
  • DNS may be considered as one of the fundamental building blocks of the Internet. DNS may be understood to be used any time a website is visited, an email is sent, an Instant Messaging (IM) conversation is maintained, or any other task is performed online.
  • DNS protocol may be used to retrieve the server Internet Protocol (IP) address/es for the target application domain.
  • IP Internet Protocol
  • DNS protocol today may usually be unencrypted, that is, it may be used as DNS over User Datagram Protocol (UDP)/Transmission Control Protocol (TCP), but there may be different Internet Engineering Task Force (IETF) drafts proposing DNS encryption to prevent middle boxes from detecting DNS traffic.
  • IETF Internet Engineering Task Force
  • DNSSEC DNS Security Extensions
  • DoH DNS over HTTP/2
  • DNSCrypt Quad9
  • HTTPS Hypertext Transport Protocol Secure
  • QUIC Quick User Datagram Protocol Internet Connection
  • ECH Encrypted Client Hello
  • DoT DNS over Transport Layer Security
  • HTTPS may provide some privacy as the Hypertext Transport Protocol (HTTP) layer may be understood to be encrypted, e.g., Uniform Resource Locators (URLs) may not be visible, but the Transport Layer Security (TLS) Client Hello message may include the Server Name Indication (SNI) field, e.g., filmprovider.com, in plaintext, which may allow a potential observer/attacker to know the applications the user may be running.
  • SNI Server Name Indication
  • the Client Hello message may have the SNI encrypted, providing much better privacy.
  • DNS traffic may be easily tracked to identify the sites visited by the user. Even with the DoH/DoT discovery mechanisms now under definition at the IETF Adaptive DNS Discovery (ADD) Working Group, the DNS client, at the Operating System (OS) or application client, may have the freedom to choose to use plaintext DNS.
  • OS Operating System
  • the end users are not aware of whether user privacy is at risk for the user plane traffic in the network. For example, the end user is not aware of the encryption level of the traffic generated by his/her mobile device.
  • when the end user installs an app, the traffic generated by the app may be encrypted, with different encryption levels, or not encrypted at all. The same happens with the DNS traffic.
  • the end user has no means to ask the operator for any “method” to ensure that privacy is not compromised. It is an object of embodiments herein to improve the handling of security in a communications network.
  • the object is achieved by a method, performed by a communications system.
  • the method is for handling security.
  • the communications system comprises one or more nodes.
  • the communications system obtains, by at least one of the one or more nodes, a first indication.
  • the first indication requests to detect traffic meeting one or more conditions.
  • the one or more conditions are of a level of encryption of data comprised in the traffic.
  • the traffic is exchanged between a first endpoint device and a second endpoint device via the communications system.
  • the first indication requests to initiate one or more actions in response to the one or more conditions being met.
  • the communications system then initiates, by the at least one of the one or more nodes, that the one or more actions, requested in the first indication, are performed in response to detecting the traffic meeting the one or more conditions.
  • the object is achieved by a method, performed by a first endpoint device.
  • the method is for handling security.
  • the first endpoint device sends, towards one or more nodes comprised in the communications system, the first indication.
  • the first indication requests to detect traffic meeting one or more conditions of a level of encryption of data comprised in the traffic.
  • the traffic is exchanged between the first endpoint device and the second endpoint device via the communications system.
  • the first indication also requests to initiate the one or more actions in response to the one or more conditions being met.
  • the first endpoint device also receives a sixth indication, from at least one of the one or more nodes.
  • the sixth indication is received in response to the sent first indication.
  • the sixth indication indicates detection of the traffic meeting the one or more conditions.
  • the object is achieved by the communications system, for handling security.
  • the communications system is configured to comprise the one or more nodes.
  • the communications system is further configured to obtain, by at least one of the one or more nodes, the first indication.
  • the first indication is configured to request to detect traffic meeting the one or more conditions of the level of encryption of data configured to be comprised in the traffic.
  • the traffic is configured to be exchanged between the first endpoint device and the second endpoint device via the communications system.
  • the first indication is also configured to initiate the one or more actions in response to the one or more conditions being met.
  • the communications system is also configured to initiate, by the at least one of the one or more nodes, that the one or more actions configured to be requested in the first indication are performed in response to detecting the traffic meeting the one or more conditions.
  • the object is achieved by the first endpoint device, for handling security.
  • the first endpoint device is configured to send, towards the one or more nodes configured to be comprised in the communications system, the first indication.
  • the first indication is configured to request to detect traffic meeting the one or more conditions of the level of encryption of data configured to be comprised in the traffic.
  • the traffic is configured to be exchanged between the first endpoint device and the second endpoint device via the communications system.
  • the first indication is configured to request to initiate the one or more actions in response to the one or more conditions being met.
  • the first endpoint device is further configured to receive the sixth indication, from at least one of the one or more nodes, in response to the first indication configured to be sent.
  • the sixth indication is configured to indicate detection of the traffic meeting the one or more conditions.
  • the object is achieved by a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed, respectively, by the one or more nodes.
  • the object is achieved by a computer-readable storage medium, having stored thereon the computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed, respectively, by the one or more nodes.
  • the object is achieved by a computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the first endpoint device.
  • the object is achieved by a computer-readable storage medium, having stored thereon the computer program, comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method performed by the first endpoint device.
  • the communications system may enable the end user of the first endpoint device, such as for example a broadband subscriber, an Enterprise, or Industry, e.g., an IoT device, to subscribe to a service to request that a certain encryption level be ensured for the user plane data exchanged between the first endpoint device and the second endpoint device, and to indicate the action/s to apply when the requested encryption level may not be fulfilled.
  • the communications system may thereby enable the communication between the first endpoint device and the second endpoint device to be secure, and prevent private information from being accessed by a malicious party.
  • the communications system may then be enabled to comply with the request from the first endpoint device for the desired level of encryption, and to provide security to the traffic that the first endpoint device may consider has to remain private. Accordingly, the security of the communications handled by the communications system may be improved.
  • the first endpoint device may subscribe to the service to request that the desired encryption level be ensured for the user plane data exchanged between the first endpoint device and the second endpoint device, and to indicate the action/s to apply when the requested encryption level may not be fulfilled.
  • the first endpoint device may be notified of any traffic meeting the one or more conditions, thereby enabling that the first endpoint device may take the corresponding actions to remedy any security breach that may have occurred during its communication with the second endpoint device, e.g., uninstall the application for App-ID.
  • Figure 1 is a schematic diagram illustrating a non-limiting example of a 5G Network Architecture.
  • Figure 2 is a schematic diagram illustrating a non-limiting example of a communications system, according to embodiments herein.
  • FIG. 3 is a flowchart depicting embodiments of a method in a communications system, according to embodiments herein.
  • Figure 4 is a flowchart depicting embodiments of a method in a first endpoint device, according to embodiments herein.
  • Figure 5 is a schematic diagram depicting a non-limiting example of signalling between nodes in a communications system, according to embodiments herein.
  • Figure 6 is a schematic diagram depicting another non-limiting example of signalling between nodes in a communications system, according to embodiments herein.
  • Figure 7 is a schematic diagram depicting another non-limiting example of signalling between nodes in a communications system, according to embodiments herein.
  • Figure 8 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a communications system, according to embodiments herein.
  • Figure 9 is a schematic block diagram illustrating two non-limiting examples, a) and b), of a first endpoint device, according to embodiments herein.
  • Embodiments herein may be understood to relate in general to a mechanism to support policies related to user privacy communications, e.g., in 5G networks. More particularly, embodiments herein may be understood to be related to a mechanism which may allow a network operator to offer a new service to their subscribers related to privacy communications.
  • embodiments herein may be understood to relate to a mechanism that may enable a network operator to offer a new service to their subscribers, the service being related to privacy communications.
  • the mechanism may be based on the capability of the network to detect privacy risk conditions based on the analysis of the characteristic of encryption of user plane traffic, e.g., encryption of key parameters such as SNI and protocol stack used.
  • An end user, e.g., a subscriber, may explicitly request this new service from the network operator, e.g., through a NEF, by extending the exposure framework, or through the user portal and Business Support System (BSS) of the Mobile Network Operator (MNO). Additionally, the mobile network operator may offer this new service to customers as a new add-on subscription package; therefore, if the subscriber opts for the package, the provisioning system may add new information in the UDR, e.g., policy data, for that subscriber.
  • BSS Business Support System
  • MNO Mobile Network Operator
  • the network may request the detection and reporting of a new privacy risk event, and then may apply the corresponding enforcement actions depending on the reported information, e.g., user notification, block the traffic, redirect, etc.
  • a PCF may query a UDR for subscription information or Application data information, e.g., stored by the NEF, and, if privacy related requirements are retrieved for the subscriber, the PCF may download some PCC Rules to the SMF, including new information requesting the detection and reporting of privacy risk events to the SMF.
  • when the SMF notifies about those events, the PCF may take different policy actions depending on configured operator policies to, for example, notify the user, block the traffic, redirect, etc.
  • the above mechanism may be applied on a per PDU session, application and/or flow basis.
  • Figure 2 depicts two non-limiting examples, in panels “a” and “b”, respectively, of a communications system 100, in which embodiments herein may be implemented.
  • the communications system 100 may be a computer network.
  • the communications system 100 may be implemented in a telecommunications network, sometimes also referred to as a cellular radio system, cellular network or wireless communications system.
  • the telecommunications network may comprise network nodes which may serve receiving nodes, such as wireless devices, with serving beams.
  • the telecommunications network may for example be a network such as 5G system, or a newer system supporting similar functionality.
  • the telecommunications system may for example be a Fourth Generation (4G) system, such as a Long-Term Evolution (LTE) network, e.g. LTE Frequency Division Duplex (FDD), LTE Time Division Duplex (TDD), LTE Half-Duplex Frequency Division Duplex (HD-FDD), LTE operating in an unlicensed band.
  • 4G Fourth Generation
  • LTE Long-Term Evolution
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • HD-FDD Half-Duplex Frequency Division Duplex
  • the telecommunications system may also support other technologies, such as Wideband Code Division Multiple Access (WCDMA), Universal Terrestrial Radio Access (UTRA) TDD, Global System for Mobile communications (GSM) network, GSM/Enhanced Data Rate for GSM Evolution (EDGE) Radio Access Network (GERAN) network, Ultra-Mobile Broadband (UMB), EDGE network, network comprising any combination of Radio Access Technologies (RATs) such as e.g.
  • WCDMA Wideband Code Division Multiple Access
  • UTRA Universal Terrestrial Radio Access
  • GSM Global System for Mobile communications
  • EDGE Enhanced Data Rate for GSM Evolution
  • GERAN GSM/EDGE Radio Access Network
  • UMB Ultra-Mobile Broadband
  • RATs Radio Access Technologies
  • the telecommunications system may for example support a Low Power Wide Area Network (LPWAN).
  • LPWAN technologies may comprise Long Range physical layer protocol (LoRa), Haystack, SigFox, LTE-M, and Narrow-Band IoT (NB-IoT).
  • the communications system 100 may comprise one or more nodes 110, whereof a first node 111, a second node 112, one or more third nodes 113 and one or more fourth nodes 114 are depicted in Figure 2.
  • the one or more third nodes 113 may comprise a first third node 115 and a second third node 116.
  • the one or more nodes 110 may further comprise another node 117.
  • any of the first node 111, the second node 112, the one or more third nodes 113, e.g., the first third node 115, the second third node 116, the one or more fourth nodes 114 and the another node 117 may be understood, respectively, as a first computer system, a second computer system, one or more third computer systems, e.g., a first third computer system and a second third computer system, one or more fourth computer systems, and another computer system.
  • any of the first node 111, the second node 112, the one or more third nodes 113, e.g., the first third node 115, the second third node 116, the one or more fourth nodes 114 and the another node 117 may be implemented as a standalone server in e.g., a host computer in the cloud 120.
  • any of the first node 111, the second node 112, the one or more third nodes 113, e.g., the first third node 115, the second third node 116, the one or more fourth nodes 114 and the another node 117 may in some examples be a distributed node or distributed server, with some of their respective functions being implemented locally, e.g., by a client manager, and some of its functions implemented in the cloud 120, by e.g., a server manager.
  • any of the first node 111, the second node 112, the one or more third nodes 113, e.g., the first third node 115, the second third node 116, the one or more fourth nodes 114 and the another node 117 may also be implemented as processing resources in a server farm.
  • any of the first node 111, the second node 112, the one or more third nodes 113, e.g., the first third node 115, the second third node 116, the one or more fourth nodes 114 and the another node 117 may be independent and separated nodes.
  • any of the first node 111, the second node 112, the one or more third nodes 113, e.g., the first third node 115, the second third node 116, the one or more fourth nodes 114 and the another node 117 may be co-located or be the same node.
  • the another node 117 may, in some examples, be the same as the second node 111. All the possible combinations are not depicted in Figure 2 to simplify the Figure.
  • the communications system 100 may comprise one or more radio network nodes, whereof a radio network node 130 is depicted in Figure 2b.
  • the radio network node 130 may typically be a base station or Transmission Point (TP), or any other network unit capable to serve a wireless device or a machine type node in the communications system 100.
  • the radio network node 130 may be e.g., a 5G gNB, a 4G eNB, or a radio network node in an alternative 5G radio access technology, e.g., fixed or WiFi.
  • the radio network node 130 may be e.g., a Wide Area Base Station, Medium Range Base Station, Local Area Base Station and Home Base Station, based on transmission power and thereby also coverage size.
  • the radio network node 130 may be a stationary relay node or a mobile relay node.
  • the radio network node 130 may support one or several communication technologies, and its name may depend on the technology and terminology used.
  • the radio network node 130 may be directly connected to one or more networks and/or one or more core networks.
  • the communications system 100 covers a geographical area which may be divided into cell areas, wherein each cell area may be served by a radio network node, although, one radio network node may serve one or several cells.
  • Traffic may be exchanged via the communications system between a first endpoint device 131 and a second endpoint device 132.
  • at least one of the first endpoint device 131 and the second endpoint device 132 may be a device, such as one of the one or more devices 140 described below.
  • the other of the first endpoint device 131 and the second endpoint device 132 may be an Application Server (AS) 150.
  • AS Application Server
  • Any of the one or more devices 140 may be also known as e.g., user equipment (UE), a wireless device, mobile terminal, wireless terminal and/or mobile station, mobile telephone, cellular telephone, or laptop with wireless capability, or a Customer Premises Equipment (CPE), just to mention some further examples.
  • UE user equipment
  • CPE Customer Premises Equipment
  • any of the one or more devices 140 in the present context may be, for example, portable, pocket-storable, hand-held, computer-comprised, or a vehicle-mounted mobile device, enabled to communicate voice and/or data, via a RAN, with another entity, such as a server, a laptop, a Personal Digital Assistant (PDA), or a tablet computer, sometimes referred to as a tablet with wireless capability, or simply tablet, a Machine-to-Machine (M2M) device, a device equipped with a wireless interface, such as a printer or a file storage device, modem, Laptop Embedded Equipped (LEE), Laptop Mounted Equipment (LME), USB dongles, CPE or any other radio network unit capable of communicating over a radio link in the communications system 100.
  • M2M Machine-to-Machine
  • LEE Laptop Embedded Equipped
  • LME Laptop Mounted Equipment
  • any of the one or more devices 140 may be wireless, i.e., it may be enabled to communicate wirelessly in the communications system 100 and, in some particular examples, may be able to support beamforming transmission.
  • the communication may be performed e.g., between two devices, between a device and a radio network node, and/or between a device and a server.
  • the communication may be performed e.g., via a RAN and possibly one or more core networks, comprised, respectively, within the communications system 100.
  • any of the one or more devices may be an IoT device, e.g., a NB-IoT device.
  • the first node 111 may communicate with the second node 112 over a first link 151, e.g., a radio link or a wired link.
  • the first node 111 may communicate with the first third node 115 over a second link 152, e.g., a radio link or a wired link.
  • the first node 111 may communicate with the second third node 116 over a third link 153, e.g., a radio link or a wired link.
  • the first node 111 may communicate with the first endpoint device 131 over a fourth link 154, e.g., a radio link or a wired link.
  • the first third node 115 may communicate with the second third node 116 over a fifth link 155, e.g., a radio link or a wired link.
  • the first third node 115 may communicate with the first endpoint device 131 over a sixth link 156, e.g., a wired link or a radio link.
  • the first third node 115 may communicate with the second endpoint device 132 over a seventh link 157, e.g., a radio link or a wired link.
  • the first third node 115 may communicate with the radio network node 130 over an eighth link 158, e.g., a radio link.
  • Any of the one or more devices may communicate with the radio network node 130 over a respective ninth link 159, e.g., a wired link or a radio link.
  • the first node 111 may communicate with the radio network node 130 over a tenth link 160, e.g., a radio link or a wired link.
  • the first node 111 may communicate with the another node 117 over an eleventh link 161, e.g., a radio link or a wired link.
  • any of the first link 151, the second link 152, the third link 153, the fourth link 154, the fifth link 155, the sixth link 156, the seventh link 157, the eighth link 158, the ninth link 159, the tenth link 160 and the eleventh link 161 may be a direct link or it may go via one or more computer systems or one or more core networks in the communications system 100, or it may go via an optional intermediate network.
  • the intermediate network may be one of, or a combination of more than one of, a public, private or hosted network; the intermediate network, if any, may be a backbone network or the Internet, which is not shown in Figure 2.
  • the communications system 100 comprises the one or more nodes 110.
  • the method may comprise the actions described below. In some embodiments all the actions may be performed. In some embodiments some of the actions may be performed. In Figure 3, optional actions are indicated with a dashed box. One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive.
  • embodiments herein may be understood to enable that the communications system 100 may offer a new service, e.g., to its subscribers, related to privacy communications.
  • the mechanism may be based on the capability of the communications system 100 to detect privacy risk conditions based on the analysis of the characteristic of encryption of user plane traffic, e.g., encryption of key parameters such as, for example, SNI and protocol stack used.
  • an end user or subscriber may have established a PDU session with the second endpoint device 132 via the communications system 100.
  • the end user or subscriber may, e.g., via the first endpoint device 131, require a certain encryption level on the user plane data exchanged between the first endpoint device 131, e.g., a UE, and the second endpoint device 132, e.g., an AS on the Internet, for a PDU session, possibly on a per Single-Network Slice Selection Assistance Information (S-NSSAI) and/or Data Network Name (DNN) basis, and, for example, for a list of App-IDs and/or for DNS traffic.
  • a UE may have a PDU session established with a security AF/AS, this PDU session being over an S-NSSAI/DNN associated with the security AF/AS, and may require the certain encryption level for other traffic for a Data Network, typically related with other applications, e.g., towards another endpoint, e.g., different AFs for different applications which may be within different S-NSSAI/DNNs.
  • the UE may also require the certain encryption level for the complete user data plane towards the Data Network, and not only for some App-IDs or DNS.
  • the requirement may be for the complete PDU session, e.g., established towards the Data Network identified by the S-NSSAI/DNN, or just for some flows in this session corresponding to some App-IDs or DNS traffic.
  • the UE may have several options to identify the traffic subject to privacy: a) all traffic, which may apply to all the traffic for any PDU session established towards any S-NSSAI/DNN, b) all the traffic for a set of S-NSSAI/DNNs, or c) the traffic for some applications, e.g., a list of App-IDs, or DNS over a set of S-NSSAI/DNNs.
  • the communications system 100 obtains, by at least one of the one or more nodes 110, a first indication.
  • the first indication requests to detect traffic meeting one or more conditions.
  • the one or more conditions are of a level of encryption of data comprised in the traffic.
  • the traffic is exchanged between the first endpoint device 131 and the second endpoint device 132 via the communications system 100, e.g., during a PDU session.
  • the indication also requests to initiate one or more actions in response to the one or more conditions being met.
  • the level of encryption may be understood as one or more particular characteristics of the encryption, e.g., encryption of key parameters such as the SNI and the protocol stack used.
  • obtaining may comprise retrieving from a memory, e.g., of the communications system 100.
  • obtaining may comprise receiving, directly, e.g., via one hop, or indirectly, via one or more hops or intermediary nodes, e.g., of the one or more nodes 110.
  • the first indication may be obtained by the first node 111 of the one or more nodes 110 from one of: the second node 112, e.g., via the first link 151, of the one or more nodes 110, and the first endpoint device 131, e.g., via the fourth link 154. That is, when the first indication is received from the first endpoint device 131 it may be understood to be received directly, and when the first indication is received from the second node 112, it may be understood to be received indirectly.
  • the first indication may be obtained based on a request by the first endpoint device 131, e.g., a UE managed by a subscriber of the communications system 100.
  • the first indication may be obtained when the first endpoint device 131 starts an application, e.g., a security app, the request being sent via that application.
  • the request may be to detect the traffic meeting the one or more conditions and to initiate the one or more actions.
  • the first indication may be a subscription request for an event.
  • the event may be of a risk of privacy.
  • the obtaining of the first indication in this Action 301 may be performed when an application client may trigger towards an AS a subscription to the privacy risk event.
  • the one or more conditions may comprise at least one of the following options.
  • a first option may be at least part of the data lacking the level of encryption.
  • a second option may be one or more applications to which the data is to belong.
  • the one or more applications to which the data is to belong may be indicated, for example, with a List of App-IDs parameter. This parameter may indicate the list of applications to which this event may apply. If no App-ID is included, or if it is set to Any, it may be understood to refer to the whole traffic in the user session.
  • the NEF may derive the corresponding S-NSSAI/DNN from the App-ID. If no App-IDs are provided, an indication about the S-NSSAI/DNN may be provided, which may identify the Data Network to which the privacy requirements apply.
  • the PCF may require the actions per PDU session established over such S-NSSAI/DNN.
  • a third option may be a privacy risk type.
  • This condition may be indicated with a PrivacyRiskType parameter.
  • This parameter may indicate the type of privacy risk to be detected and/or reported, e.g., SNI in plaintext.
  • a fourth option may be one or more sessions, or one or more flows, to which the data is to belong.
  • a fifth option may be one or more types of traffic to which the traffic is to belong, e.g., DNS traffic.
  • a sixth option may be one or more devices 140 to which the data is to pertain, e.g., by indicating that it may need to be for a UE-ID.
  • the end user or subscriber may request a certain encryption level, e.g., SNI encrypted, on the user plane data exchanged between the first endpoint device 131 and the second endpoint device 132, e.g., on the Internet, either for the whole user session or for a list of App-IDs and/or for DNS traffic, indicating the action/s to apply when the requested encryption level may not be fulfilled.
  • This request may be conveyed at application level between the application client and the AS.
  • the one or more conditions may comprise the identification of the traffic subject for the privacy requirements, e.g., any of the second option, the fourth option and the fifth option.
  • the one or more actions may comprise at least one of: a) block the traffic, e.g., by blocking traffic for the application if it does not fulfil the requested encryption level, b) notify at least one of: the first endpoint device 131, the second endpoint device 132 and the another node 117, e.g., notifying the end user, e.g., through the short messaging system (SMS), c) steer the traffic, e.g., steering the traffic towards a Security gateway or Firewall Service Function (SF), through service chaining, to improve the security of the traffic which has a lower encryption level, d) trigger a new session, e.g., triggering a new PDU session towards a different DNN/S-NSSAI for the traffic of the App-ID, e.g., not allowing traffic offload to non-3GPP access; this may be done by a PCF triggering a URSP rule indicating the App-ID and the new DNN/S-NSSAI, and e) upgrade the traffic to the requested level of encryption.
  • That the first indication may be obtained based on a request by the first endpoint device 131 may be understood to mean that the obtaining in this Action 301 may not necessarily be performed directly from the request that the first endpoint device 131 may have directly sent, but from a different indication that may indicate the equivalent contents of the indication the first endpoint device 131 may have sent, but repackaged by an intermediate node in the communications system 100.
  • one of the one or more nodes 110 within the communications system 100 such as the AF/AS, may directly receive the request from the first endpoint device 131. This may be, in some examples, the first node 111.
  • This initial node may then forward the request to a different node of the one or more nodes 110, e.g., the NEF, which may then be the first node 111 in relation to the AF/AS, which may then be the second node 112.
  • the request may be received in the first indication as, e.g., an Nnef_EventExposure API/service subscription request.
  • a same node of the one or more nodes 110 may therefore adopt the role of first node 111 or second node 112 depending on whether it may obtain the first indication or it may relay, respectively, the first indication.
  • the first node 111 may therefore be understood to be any of the one or more nodes 110 comprised in the communications system 100 which may receive the first indication, directly, or indirectly, that is, repackaged, from the first endpoint device 131, and may then enable the request from the first endpoint device 131 to be fulfilled accordingly.
  • the first node 111 may be, in some examples, a UDR. In such examples, the first node 111 may obtain the first indication from a NEF as second node 112, as a Nudr_DM Request.
  • the first node 111 may obtain the first indication as an Npcf_EventExposure (Subscribe) from the NEF as second node 112.
  • the first node 111 may obtain the first indication as subscriber session management data, e.g., for a UE-ID, and/or application data, which may be extended with data related to privacy risk, by retrieving it from the UDR as second node 112. This information may be included in a new attribute in the datatype SmPolicyDnnData according to 3GPP TS 29.519.
  • the first node 111 may obtain the first indication as an Npcf_SMPolicyControl_Update Request or as an Npcf_SMPolicyControl_Create Response from the PCF as second node 112.
  • the first node 111 may obtain the first indication as a PFCP Session Modification Request or as a PFCP Session Establishment Request from an SMF as second node 112.
  • the first node 111 may obtain the first indication as a Subscribe Request from the AS, e.g., an app of the AS of the MNO of the communications system 100 as second node 112.
  • the communications system 100 may enable the end user of the first endpoint device 131, such as for example a broadband subscriber, an Enterprise, or Industry, e.g., an IoT device, to subscribe to a service to request that a certain encryption level be ensured for the user plane data exchanged between the first endpoint device 131 and the second endpoint device 132, and to indicate the action/s to apply when the requested encryption level may not be fulfilled.
  • the communications system 100 may thereby enable the communication between the first endpoint device 131 and the second endpoint device 132 to be secure, and prevent private information from being accessed by a malicious party.
  • the communications system 100 may detect, by the first third node 115 of the one or more nodes 110, the traffic meeting the one or more conditions of the level of encryption of data. That is, the detecting in this Action 302 may be understood to be based on the obtained first indication.
  • the first third node 115 may be, in embodiments wherein the communications system 100 may be a 5G system, a UPF.
  • the detecting in this Action 302 may be performed by applying a rule, e.g., as generated in Action 305, such as for example by running a Packet Detection Rule (PDR) matching procedure, to detect traffic matching the one or more conditions.
  • the first third node 115 may detect, e.g., on a per application and/or on a per flow basis, the privacy risk event.
  • the first third node 115 may detect a TLS Client Hello message from the first endpoint device 131 including the SNI field in plaintext.
  • the communications system 100 may therefore be enabled to comply with the request from the first endpoint device 131 for the desired level of encryption, and enable the performance of the one or more actions, as indicated by the first endpoint device 131. Security may therefore be provided to traffic that the first endpoint device 131 may consider has to remain private.
  • the communications system 100 may initiate, by the at least one of the one or more nodes 110, that the one or more actions requested in the first indication are performed in response to detecting the traffic meeting the one or more conditions. That is, that the one or more actions are performed in response to the detection of the traffic fulfilling the one or more conditions.
  • Initiating that the one or more actions are performed may be understood as triggering or starting to perform the one or more actions, or enabling or facilitating that another node of the one or more nodes 110 performs the one or more actions.
  • what the one or more actions may be may depend on which of the one or more nodes 110 initiates the performance.
  • the initiating of the performance in this Action 303 may be performed prior to the detection of the traffic meeting the one or more conditions.
  • the initiating in this Action 303 of the performance of the one or more actions may be triggered by the detected traffic meeting the one or more conditions and may comprise performing Action 307. That is, the initiating of the performance in this Action 303 may be performed after the detection of the traffic meeting the one or more conditions.
  • the communications system 100 may then be enabled to comply with the request from the first endpoint device 131 for the desired level of encryption, and to provide security to the traffic that the first endpoint device 131 may consider has to remain private.
  • the initiating in Action 303 of the performance of the one or more actions may comprise in this Action 304, storing, by the first node 111 of the one or more nodes 110, the obtained first indication.
  • the one or more nodes 110 may comprise the first node 111, and at least one of the following two options may apply.
  • the communications system 100 may be a 5G network, and at least one of the following additional options may apply.
  • the first node 111 may be a NEF, or a BSS and the second node 112 may be an AF.
  • the NEF may store the first indication in the UDR.
  • the NEF may request the UDR to store the first indication, e.g., as subscription data, with data related to privacy risk.
  • the first node 111 may be the UDR and the second node 112 may be the NEF or the BSS.
  • the first node 111 may be the PCF and the second node 112 may be the NEF or the BSS.
  • the communications system 100 may be a 4G network, and at least one of the following additional options may apply:
  • the first node 111 may be a Service Capability Exposure Function (SCEF), and the second node 112 may be a Services Capabilities Server (SCS), or an AS.
  • the first node 111 may be the Subscription Profile Repository (SPR) and the second node 112 may be the SCEF.
  • the first node 111 may be the PCRF and the second node 112 may be the SCEF.
  • the communications system 100 may be enabled to apply the requested functionality for subsequent PDU sessions of the first endpoint device 131.
  • the initiating in Action 303 of the performance of the one or more actions may comprise in this Action 305, generating, by the first node 111 of the one or more nodes 110, a rule to be applied to traffic based on the obtained first indication.
  • the rule may be, for example, a PCC rule.
  • This Action 305 may be performed, for example, in embodiments wherein the first node 111 may be one of the PCF and the PCRF.
  • the first node 111 may subscribe to the event of risk of privacy, which may be detected and reported by the first third node 115, e.g., a UPF, through the second third node 116, e.g., a SMF, by generating/updating, towards the second third node 116, the rule, e.g., a PCC rule/s, extended with a new parameter requesting detection and reporting of the privacy risk event. This may be performed on a per PDU session basis and/or on a per application basis.
  • the first node 111 may directly instruct the second third node 116 through a new extension of the PCC rule requesting detection of the privacy risk event and when detected, indicating the enforcement action/s to apply.
  • the initiating in Action 303 of the performance of the one or more actions may comprise in this Action 306, sending, by the first node 111 of the one or more nodes 110, a second indication.
  • the second indication may be based on the obtained first indication.
  • the sending in this Action 306 may be towards the one or more third nodes 113 of the one or more nodes 110 to initiate detection of the traffic.
  • To be based on the first indication may be understood as meaning indicating the information comprised in the obtained first indication. That is, relaying the obtained first indication or the contents of the obtained first indication.
  • to be based on the first indication may be understood as meaning being triggered by the obtained first indication.
  • what the second indication may be, in terms of the specific message it may be, may depend on which of the one or more nodes 110 the first node 111 may be.
  • the one or more nodes 110 may comprise the first node 111, and at least one of the following two options may apply.
  • the communications system 100 may be a 5G network, and at least one of the following additional options may apply.
  • the first node 111 may be a NEF, or a BSS
  • the second node 112 may be an AF
  • the one or more third nodes 113 may comprise a UDR.
  • the first node 111 may be the UDR
  • the second node 112 may be the NEF or the BSS
  • the one or more third nodes 113 may comprise a PCF.
  • the first node 111 may be the PCF
  • the second node 112 may be the NEF or the BSS
  • the one or more third nodes 113 may comprise one or more of: an SMF, and a UPF.
  • the communications system 100 may be a 4G network, and at least one of the following additional options may apply:
  • the first node 111 may be a SCEF
  • the second node 112 may be a SCS, or an AS
  • the one or more third nodes 113 may comprise a SPR.
  • the first node 111 may be the SPR
  • the second node 112 may be the SCEF
  • the one or more third nodes 113 may comprise a Policy and Charging Rules Function (PCRF).
  • the first node 111 may be the PCRF
  • the second node 112 may be the SCEF
  • the one or more third nodes 113 may comprise one or more of: a Packet Data Network Gateway Control plane function (PGW-C) or a Traffic Detection Function Control plane function (TDF-C), and a Packet Data Network Gateway User plane function (PGW-U) or a Traffic Detection Function User plane function (TDF-U).
  • the second indication may indicate to apply the generated rule in Action 305 in response to the traffic meeting the one or more conditions of the level of encryption of data.
  • the second indication may be a Npcf_SMPolicyControl_Create Response or a Npcf_SMPolicyControl_Update Request.
  • the detecting in Action 302 may be based on the second indication indicating the generated rule.
  • the second indication may be the same as the first indication.
  • the first node 111 may be the AF/AS
  • the second indication may be an Nnef_EventExposure (Subscribe).
  • the AF may trigger the request to the MNO, through the NEF, to fulfill the request.
  • a new Nnef API/service may be provided or the existing Nnef_EventExposure API/service may be extended according to embodiments herein as follows.
  • the second indication may indicate the event and the one or more conditions, e.g., at least part of the data lacking the level of encryption, the one or more applications to which the data is to belong, the privacy risk type, the one or more sessions, or one or more flows, to which the data is to belong, the one or more types of traffic to which the traffic is to belong and/or the one or more devices 140 to which the data is to pertain.
  • the Requested-Actions, e.g., notify user, block traffic, etc., indicating the actions to be applied by the communications system 100 when the privacy risk may be detected.
  • the second indication may be a Nudr_DM Request or a Npcf_EventExposure (Subscribe).
  • the second indication may be a PFCP Session Modification Request.
  • the SMF may translate the generated rule, e.g., the above extended PCC rules, into PDRs, Forwarding Action Rules (FARs), QoS Enforcement Rules (QERs) and URRs.
  • the URR may be extended to request the UPF to detect and report the privacy risk event for the traffic matching the associated PDR.
  • the SMF may request the UPF on detection of the privacy risk event and when detected, instruct the UPF on the enforcement action/s to apply.
  • the SMF may trigger a PFCP Session Establishment procedure towards the UPF to indicate the PDRs and the corresponding enforcement actions, e.g., FARs, QERs, URRs, etc, for the PDU session.
  • the SMF may include an Uplink (UL)/Downlink (DL) PDR with Packet Detection Information (PDI) type App-ID, e.g., example.com, which may be associated with a URR which may be extended to request the UPF to detect and report the privacy risk event for the traffic matching the associated PDR.
  • the Measurement Information Information Element may be extended at Create/Update URR, as indicated in Table 1 and Table 2 below in bold, underlined font.
  • Table 1 corresponds to Table 7.5.2.4-1: Create URR IE within Packet Flow Control Protocol (PFCP) Session Establishment Request, from 3GPP TS 29.244, v. 17.3.0.
  • Table 2 corresponds to Table 7.5.4.4-1: Update URR IE within PFCP Session Modification Request, from 3GPP TS 29.244, v. 17.3.0.
  • the second indication may be a Subscribe request.
  • the second indication may be a Response.
  • the second indication may be a PFCP Session Establishment Response.
  • the first node 111 may thereby enable the detection of the traffic meeting the one or more conditions indicated in the obtained first indication and initiate the application of the one or more actions.
  • the communications system 100 may be enabled to comply with the request from the first endpoint device 131 for the desired level of encryption, and to provide security to the traffic that the first endpoint device 131 may consider has to remain private.
  • the initiating in Action 303 of the performance of the one or more actions may be triggered by the detected traffic meeting the one or more conditions and may comprise in this Action 307, sending, by the first third node 115, a third indication.
  • the sending in this Action 307 may be towards at least one of the second third node 116 and the first node 111 of the one or more nodes 110, to indicate detection of the traffic meeting the one or more conditions.
  • the first third node 115 may report the occurrence of the privacy risk event to which the first endpoint device 131 may have subscribed.
  • the N4 interface may be extended with a new event to report, which may indicate the event and the one or more conditions, e.g., at least part of the data lacking the level of encryption, the one or more applications to which the data is to belong, the privacy risk type, the one or more sessions, or one or more flows, to which the data is to belong, the one or more types of traffic to which the traffic is to belong and/or the one or more devices 140 to which the data is to pertain.
  • PrivacyRiskType, e.g., TLS Client Hello SNI in plaintext, TCP SYN on port 80 or 8080, or a DNS query over port 53.
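As an added example that is not part of the patent, the following Python sketch models the detection at the first third node 115 (e.g., a UPF) in Action 302 together with the conditions and Requested-Actions carried in the first indication of Action 301: it parses a TLS Client Hello to decide whether the SNI travels in plaintext, classifies the three PrivacyRiskType values named just above, and returns the subscribed actions for a matching App-ID. The Flow and PrivacyRiskSubscription shapes, the risk-type labels and the sample Client Hello are constructed assumptions, as is the choice to treat an ECH outer Client Hello as not leaking the real SNI.

```python
import struct
from dataclasses import dataclass

# PrivacyRiskType labels (constructed for this example, one per risk type named above)
SNI_PLAINTEXT = "SNI_PLAINTEXT"    # TLS Client Hello with server_name in the clear
HTTP_CLEARTEXT = "HTTP_CLEARTEXT"  # TCP SYN towards port 80 or 8080
DNS_CLEARTEXT = "DNS_CLEARTEXT"    # DNS query over UDP port 53
EXT_SERVER_NAME = 0x0000           # TLS server_name extension (RFC 6066)
EXT_ECH = 0xFE0D                   # encrypted_client_hello extension (draft-ietf-tls-esni)


def parse_client_hello(record: bytes):
    """Return (sni, has_ech) for a TLS record holding a ClientHello; None if malformed."""
    try:
        if record[0] != 0x16:                       # TLS handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                           # HandshakeType client_hello
            return None
        p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                # legacy_version + random
        pos += 1 + p[pos]                           # legacy_session_id
        pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + p[pos]                           # legacy_compression_methods
        if pos + 2 > len(p):
            return "", False                        # no extensions block at all
        end = pos + 2 + struct.unpack("!H", p[pos:pos + 2])[0]
        pos += 2
        sni, has_ech = "", False
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", p[pos:pos + 4])
            data = p[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME and len(data) >= 5:
                # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
            elif etype == EXT_ECH:
                has_ech = True
        return sni, has_ech
    except (IndexError, struct.error):
        return None


def build_client_hello(sni: str, with_ech: bool = False) -> bytes:
    """Constructed sample ClientHello used as test input (not captured traffic)."""
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(entry) + 2)
        exts += struct.pack("!H", len(entry)) + entry
    if with_ech:  # opaque placeholder payload; only the extension type matters here
        exts += struct.pack("!HH", EXT_ECH, 4) + bytes(4)
    body = (b"\x03\x03" + bytes(32) + b"\x00"       # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


@dataclass
class Flow:
    """What a UPF knows about a packet after PDR matching (hypothetical shape)."""
    proto: str            # "tcp" or "udp"
    dst_port: int
    app_id: str           # App-ID of the matching PDR, e.g. "example.com"
    payload: bytes = b""  # first payload bytes of the flow
    tcp_syn: bool = False


def detect_privacy_risk(flow: Flow):
    """Return the PrivacyRiskType this flow meets, or None."""
    if flow.proto == "udp" and flow.dst_port == 53:
        return DNS_CLEARTEXT
    if flow.proto == "tcp" and flow.tcp_syn and flow.dst_port in (80, 8080):
        return HTTP_CLEARTEXT
    if flow.proto == "tcp" and flow.payload:
        parsed = parse_client_hello(flow.payload)
        # Assumption: an ECH outer ClientHello only exposes the public_name, not the real SNI.
        if parsed and parsed[0] and not parsed[1]:
            return SNI_PLAINTEXT
    return None


@dataclass
class PrivacyRiskSubscription:
    """Contents of the first indication: List of App-IDs, PrivacyRiskType, Requested-Actions."""
    app_ids: tuple            # empty = "Any" = the whole user session
    risk_types: tuple
    requested_actions: tuple  # e.g. ("notify", "block"), ("steer",), ("upgrade",)


def actions_for(sub: PrivacyRiskSubscription, flow: Flow) -> list:
    """Requested-Actions to initiate when the flow meets the subscribed conditions."""
    risk = detect_privacy_risk(flow)
    if risk is None or risk not in sub.risk_types:
        return []
    if sub.app_ids and flow.app_id not in sub.app_ids:
        return []
    return list(sub.requested_actions)
```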
  • the flow information may be conveyed.
  • the third indication may be, for example, a PFCP Session Report Request sent by the UPF to the SMF.
  • the third indication may be an Npcf_SMPolicyControl_Update Request message sent by the SMF to the PCF, relaying the information received from the UPF.
  • the first third node 115 may thereby enable the initiation of the application of the one or more actions.
  • the communications system 100 may be enabled to comply with the request from the first endpoint device 131 for the desired level of encryption, and to provide security to the traffic that the first endpoint device 131 may consider has to remain private.
  • the communications system 100 may receive, by at least one of the second third node 116 and the first node 111, the third indication.
  • the second third node 116 may be, e.g., the SMF.
  • the initiating in Action 303 of the performance of the one or more actions may be triggered by the detected traffic meeting the one or more conditions and may comprise, in this Action 309, sending, by the first node 111, a fourth indication.
  • the sending in this Action 309 may be towards the one or more fourth nodes 114.
  • the fourth indication may instruct the one or more fourth nodes 114 to trigger the performance of the one or more actions.
  • the one or more fourth nodes 114 may be, for example, any nodes that may have the capability to implement at least one of the one or more actions indicated in the first indication.
  • the one or more fourth nodes 114 may be the UPF or the SMF.
  • the first node 111 may perform this Action 309 by updating the PCC rules to perform any of the following.
  • the notification may not be towards the end device, e.g., an IoT device, but instead towards the another node 117, which may be another entity, e.g., the PCF may trigger an SMS or a REST/SOAP request towards a preconfigured node.
  • the PCF may perform this Action 309 by updating the PCC rules to steer the traffic e.g., through a Security gateway or Firewall SF, through service chaining, to improve the security of the traffic which may have a lower encryption level.
  • the PCF may perform this Action 309 by updating the PCC rules to trigger a new PDU session towards a different DNN/S-NSSAI for the traffic of the App-ID, e.g., not allowing traffic offload to non-3GPP access. This may be done by the PCF triggering a UE Route Selection Policy (URSP) rule indicating the App-ID and the new DNN/S-NSSAI.
  • the PCF may perform this Action 309 by updating the PCC rules to upgrade the App-ID/flow not meeting the required encryption level towards the required encryption level, e.g., by the UPF triggering a “301 Moved Permanently” Redirect message to upgrade from HTTP to HTTPS.
  • the first node 111 may enable the performance of the one or more actions.
  • the communications system 100 may be enabled to comply with the request from the first endpoint device 131 for the desired level of encryption, and to provide security to the traffic that the first endpoint device 131 may consider has to remain private.
  • Action 310
  • the communications system 100 may receive, by at least one of the one or more fourth nodes 114, the fourth indication.
  • the initiating in Action 303 of the performance of the one or more actions may comprise in this Action 311 performing, by the one or more fourth nodes 114, the one or more actions based on the received fourth indication.
  • the one or more actions may comprise sending a sixth indication to at least one of the first endpoint device 131, the second endpoint device 132 and the another node 117.
  • the sixth indication may indicate detection of the traffic meeting the one or more conditions.
  • the notification may not be towards the end device, e.g., an IoT device, but instead towards the another node 117, which may be another entity, e.g., the PCF may trigger an SMS or a REST/SOAP request towards a preconfigured node.
  • the communications system 100 may be a 5G network
  • the first third node 115 may be a UPF
  • the second third node 116 may be an SMF
  • the first node 111 may be a PCF
  • the one or more fourth nodes 114 may comprise at least one of: the SMF and a NEF.
  • the communications system 100 may be a 4G network
  • the first third node 115 may be a PGW-U or a TDF-U
  • the second third node 116 may be a PGW-C or a TDF-C
  • the first node 111 may be a PCRF
  • the one or more fourth nodes 114 may comprise at least one of: the PGW-C or the TDF-C and a SCEF.
  • the first endpoint device 131 may exchange traffic with the second endpoint device 132 via the communications system 100.
  • the first endpoint device 131 may be, e.g., a broadband subscriber, an Enterprise, or Industry, e.g., an IoT device.
  • the method comprises the following actions.
  • One or more embodiments may be combined, where applicable. All possible combinations are not described to simplify the description. It should be noted that the examples herein are not mutually exclusive. Components from one example or embodiment may be tacitly assumed to be present in another example or embodiment, and it will be obvious to a person skilled in the art how those components may be used in the other examples.
  • the level of encryption may be understood as particular one or more characteristics of the encryption, such as for example, SNI encrypted.
  • the first endpoint device 131 may send, towards the one or more nodes 110 comprised in the communications system 100, the first indication.
  • the first indication requests to detect traffic meeting the one or more conditions of the level of encryption of data comprised in the traffic.
  • the traffic is exchanged between the first endpoint device 131 and the second endpoint device 132 via the communications system 100.
  • the first indication also requests to initiate the one or more actions in response to the one or more conditions being met.
  • the first indication may be sent to the first node 111 or the second node 112 of one or more nodes 110 comprised in the communications system 100.
  • the first indication may be a subscription request for the event, the event being of the risk of privacy.
  • the one or more conditions may comprise at least one of: a) at least part of the data lacking the level of encryption, b) the one or more applications to which the data is to belong, c) the privacy risk type, d) the one or more sessions to which the data is to belong, e) the one or more types of traffic to which the traffic is to belong, and f) the one or more devices 140 to which the data is to pertain.
  • the one or more actions may comprise at least one of: a) block the traffic, b) notify at least one of: the first endpoint device 131, the second endpoint device 132 and the another node 117, c) steer the traffic, d) trigger a new session, and e) upgrade the traffic to the requested level of encryption.
  • the sending in this Action 401 may be understood as transmitting, and may be implemented, for example, via the sixth link 156, or via the eighth link 158 and the ninth link 159.
  • the first endpoint device 131 may receive the sixth indication, from at least one of the one or more nodes 110, in response to the sent first indication.
  • the sixth indication indicates the detection of the traffic meeting the one or more conditions.
  • the communications system 100 may be a 5G network
  • One approach may be AF based, and two particular non-limiting examples are depicted, respectively, in Figure 5 and Figure 6.
  • the other approach is BSS based, and a particular non-limiting example is depicted in Figure 7.
  • an end user or subscriber may request, according to Action 401 , a certain encryption level, e.g., SNI encrypted, on the user plane data exchanged between the first endpoint device 131 , e.g., a UE, and the Internet, either for the whole user session or for a list of App-IDs and/or for DNS traffic, indicating the action/s to apply when the requested encryption level may not be fulfilled.
  • This request may be conveyed at application level between the application client and the application server (AS), which may receive the request according to Action 301.
  • the AS through an AF, may trigger, according to Action 303, a request to an MNO to fulfill the request above.
  • the Requested-Actions, e.g., notify user, block traffic, etc., indicating the actions to apply by the communications system 100 when the privacy risk may be detected.
  • the NEF may authorize and, according to Action 303 and 306, forward the request to the PCF.
  • the request may be stored, according to Action 303 and 304, in permanent storage, e.g., in the UDR as subscription data, which may include new data related to privacy risk. This may be understood to be for the communications system 100 to be able to apply the requested functionality for subsequent PDU sessions of the subscriber.
  • the PCF subscribes to the new privacy risk event, detected and reported by the UPF through the SMF, by generating/updating, according to Action 303 and 305, towards the SMF, PCC rule/s extended with a new parameter requesting detection and reporting of the privacy risk event. This may be on a per PDU session basis and/or on a per application basis. Alternatively, in case the PCF may not require to be reported on the privacy risk event, the PCF may directly instruct the SMF through a new extension of the PCC rule requesting detection of the privacy risk event and, when detected, indicating the enforcement action/s to apply.
  • the SMF according to Action 303 and 306, translates the above extended PCC rules into PDRs, FARs, QERs and URRs.
  • a new extension of the URR to request UPF to detect and report the privacy risk event for the traffic matching the associated PDR may be provided according to embodiments herein.
  • the SMF may request the UPF on detection of the privacy risk event and when detected, instructing the UPF on the enforcement action/s to apply.
  • the UPF may apply the following logic.
  • the UPF may enable the privacy risk event.
  • the UPF in accordance with Action 302, may run a PDR matching procedure, detect traffic matching a certain App-ID, and based on the associated and extended URR, it may detect, and, in accordance with Action 303 and 307, report the privacy risk event to the SMF, on a per application and/or on a per flow basis.
  • Event-ID PrivacyRisk
  • the PCF when receiving the privacy risk event, in accordance with Action 303 and 309, may apply the corresponding actions, e.g., by updating the PCC rules to: i) block traffic for App-ID or for the flow/s reported in the event, ii) notify the user, e.g., through SMS or by redirecting to a notification server, to indicate that traffic for App-ID, or DNS traffic, has privacy risk, as described earlier.
  • the notification may not be towards the end device, e.g., IoT device, but instead towards another entity, e.g., the PCF may trigger an SMS or a REST/SOAP request towards a preconfigured node, iii) steer the traffic e.g., through a Security gateway or Firewall SF, e.g., through service chaining, to improve the security of the traffic which has a lower encryption level, iv) trigger a new PDU session towards a different DNN/S-NSSAI for the traffic of the App-ID, e.g., not allowing traffic offload to non-3GPP access; this may be done by PCF triggering a URSP rule indicating the App-ID and the new DNN/S-NSSAI, and v) upgrade the App-ID/flow not meeting the required encryption level towards the required encryption level, e.g., by UPF triggering
  • the PCF may, according to Action 303 and 309, forward the privacy risk event to the NEF.
  • the NEF may, according to Action 303 and 311 , forward the privacy risk event to the AF.
  • the AF, through the AS, may forward, at application level, the privacy risk event to the application client, so the end user may be notified, e.g., that the SNI is in plaintext for App-ID, and the end user may take the corresponding actions, e.g., uninstall the application for App-ID.
  • an end user or subscriber through an MNO app, e.g., Mymobileprovider, may request, according to Action 401 , a certain encryption level, e.g., SNI encrypted, on the user plane data exchanged between the first endpoint device 131 and the Internet, either for the whole user session or for a list of App-IDs and/or for DNS traffic, indicating the action/s to apply when the requested encryption level is not fulfilled.
  • This request may be conveyed at application level between the application client and the application server.
  • the AS of the MNO which may act as user portal of the MNO, communicates with the BSS, according to Action 303 and 306, to provision the information in the request above.
  • the BSS may forward the above information to the PCF and may store it in the UDR, according to Action 303 and 304, as subscription data, which may include (new) data related to privacy risk. This is for the MNO to be able to apply the requested functionality for subsequent PDU sessions for the subscriber. From this point on, at the PCF, the same steps as in the AF based approach above may apply.
  • Figure 5 is a signalling diagram depicting a non-limiting example of embodiments herein extending from Figure 5 a), to Figure 5 b) and then Figure 5 c).
  • the communications system 100 may not have one first node 111 and one second node 112, but different nodes may be the first node 111 or the second node 112, and the same node may be the first node 111 or the second node 112, in different signalling actions.
  • the first endpoint device 131 is a UE and the second endpoint device 132 is the AS of example.com.
  • the first node 111 may be any of the AF/AS, the NEF, the UDR, the PCF, the SMF or the UPF, based on the particular signalling action.
  • the same may apply to the second node 112, which may be, e.g., the NEF. However, other nodes may be the second node 112. Not all the possibilities are indicated, to avoid overcrowding the figure.
  • the one or more third nodes 113 may comprise the UPF and the SMF.
  • the UPF may be the first third node 115 and the SMF may be the second third node 116.
  • the one or more fourth nodes 114 may also comprise the UPF and the SMF.
  • Figure 5 shows a sequence diagram describing an example of embodiments that may be based on the AF. In this non-limiting example, a precondition is that a PDU session is already established.
  • the first endpoint device 131, e.g., through a security app, sends the first indication in accordance with Action 401, and requests a certain encryption level, e.g., SNI encrypted, on the user plane data exchanged between the first endpoint device 131 and the Internet, either for the whole user session or for a list of App-IDs and/or for DNS traffic, indicating the action/s to apply when the requested encryption level is not fulfilled.
  • This request may be conveyed at application level between the application client and the application server (AS).
  • the AS obtains the first indication in accordance with Action 301.
  • the AS answers the application client indicating successful operation.
  • the AS forwards the request as the second indication to AF, in accordance with Actions 303 and 306.
  • the AF triggers the request to the MNO, through the NEF, to fulfill the request in Step 2 above.
  • i) Event-ID PrivacyRisk, which may be understood to be the new event related to privacy risk
  • ii) PrivacyRiskType, which may indicate the type of privacy risk to be detected/reported, e.g., SNI in plaintext
  • iii) List of App-IDs, which may indicate the list of applications to which this
  • the NEF obtains the request in accordance with Action 301.
  • the NEF may authorize the request and answer the AF indicating successful operation.
  • the NEF in accordance with Action 303 and 306, requests the UDR to store the AF request, e.g., as subscription data, with data related to privacy risk. This may be understood to be for MNO to be able to apply the requested functionality for subsequent PDU sessions from the subscriber, see Figure 7.
  • the UDR stores the AF request in accordance with Action 303 and 304.
  • the UDR sends a response to the NEF.
  • the NEF in accordance with Action 303 and 306, forwards the AF request to the PCF by triggering a Npcf_EventExposure subscribe request message including the information in step 5 above.
  • the request message is obtained by the PCF in accordance with Action 301.
  • the PCF answers the NEF indicating successful operation.
  • the PCF in accordance with Action 303 and 304, subscribes to the privacy risk event, detected and reported by the UPF through the SMF, by, in accordance with Action 303 and 305, generating/updating, towards the SMF, PCC rule/s extended with a new parameter requesting detection and reporting of the privacy risk event, this on a per PDU session basis and/or on a per application basis.
  • the PCF may directly instruct the SMF through a new extension of the PCC rule requesting detection of the privacy risk event and when detected, indicating the enforcement action/s to apply.
  • the SMF may answer the PCF indicating successful operation.
  • the SMF may translate the generated rule, e.g., the above extended PCC rules, into PDRs, FARs, QERs and URRs.
  • the URR may be extended to request the UPF to detect and report the privacy risk event for the traffic matching the associated PDR.
  • the SMF may request the UPF on detection of the privacy risk event and when detected, instruct the UPF on the enforcement action/s to apply.
  • the SMF may send a PFCP Session Modification Request, which the UPF may receive in accordance with Action 301.
  • the UPF answers the SMF indicating successful operation.
  • the first endpoint device 131 starts an application, e.g., example.com.
  • the UE Application client triggers a TLS Client Hello message including the SNI field in plaintext.
  • the UPF in accordance with Action 302, runs a PDR matching procedure, detects traffic matching the App-ID, example.com, and, based on the associated and extended URR, it detects, on a per application and/or on a per flow basis, the privacy risk event.
  • the UPF detects a TLS Client Hello message including the SNI field in plaintext.
  • the UPF in accordance with Action 303 and 307, reports the privacy risk event.
  • the SMF receives the PFCP Session Report Request in accordance with Action 308.
  • the SMF answers the UPF with a PFCP Session Report Response message.
  • the SMF forwards the above event information to the PCF.
  • the PCF receives the Npcf_SMPolicyControl_Update Request message in accordance with Action 308.
  • the PCF requests the SMF/UPF to apply the corresponding actions, as per the Requested-Actions received in step 5 above, e.g., by updating the PCC rules to: i) block traffic for App-ID or for the flow/s reported in the event, ii) notify the user, e.g., through SMS or by redirecting to a notification server, to indicate that traffic for App-ID, or DNS traffic, has privacy risk, as described earlier.
  • the notification may not be towards the end device, e.g., IoT device, but instead towards another entity, e.g., the PCF may trigger an SMS or a REST/SOAP request towards a preconfigured node, iii) steer the traffic e.g., through a Security gateway or Firewall SF, e.g., through service chaining, to improve the security of the traffic which has a lower encryption level, iv) trigger a new PDU session towards a different DNN/S-NSSAI for the traffic of the App-ID, e.g., not allowing traffic offload to non-3GPP access; this may be done by PCF triggering a URSP rule indicating the App-ID and the new DNN/S-NSSAI, and v) upgrade the App-ID/flow not meeting the required encryption level towards the required encryption level, e.g., by UPF triggering
  • the PCF sends a Npcf_SMPolicyControl_Update Response message and the SMF receives it in accordance with Action 303, 310.
  • the UPF receives the request message in accordance with Action 303 and 310.
  • the UPF answers the SMF with a PFCP Session Modification Response message.
  • the PCF in accordance with Action 303 and 309, forwards the privacy risk event to the NEF (notify), which the NEF receives in accordance with Action 303 and 310.
  • the NEF answers PCF indicating successful operation.
  • the NEF in accordance with Action 303 and 311, forwards the privacy risk event to the AF (notify), which receives it in accordance with Action 303 and 310.
  • the AF answers the NEF indicating successful operation.
  • the AF in accordance with Action 303 and 311 , forwards the notification to the AS.
  • the AS forwards the notification to the application client, e.g., security app.
  • the Application server forwards, at application level, the privacy risk event to the application client, so the first endpoint device 131 is notified, e.g., the SNI is in plaintext for App-ID, and the first endpoint device 131 may take the corresponding actions.
  • the first endpoint device 131 receives the notification in accordance with Action 402.
  • the first endpoint device 131 e.g., an Application client, example.com, may trigger application traffic towards the application server.
  • Figure 6 is a signalling diagram depicting another non-limiting example of embodiments herein extending from Figure 6 a), to Figure 6 b) and then Figure 6 c).
  • the communications system 100 may not have one first node 111 and one second node 112, but different nodes may be the first node 111 or the second node 112, and the same node may be the first node 111 or the second node 112, in different signalling actions.
  • the first endpoint device 131 is a UE and the second endpoint device 132 is the AS of example.com.
  • the first node 111 may be any of the AF/AS, the BSS, the UDR, the PCF, the SMF or the UPF, based on the particular signalling action.
  • the same may apply to the second node 112, which may be, e.g., the BSS. However, other nodes may be the second node 112. Not all the possibilities are indicated, to avoid overcrowding the figure.
  • the one or more third nodes 113 may comprise the UPF and the SMF.
  • the UPF may be the first third node 115 and the SMF may be the second third node 116.
  • the one or more fourth nodes 114 may also comprise the UPF and the SMF.
  • Figure 6 shows a sequence diagram describing an example of embodiments that may be based on the BSS.
  • at step 1 the request is triggered through an MNO's app, e.g., Mymobileserviceprovider, and at steps 4 and 5, the MNO's AS, which may act as the MNO's user portal, communicates with the BSS to provision the information in the request above, instead of going through the NEF.
  • Figure 7 is a signalling diagram depicting yet another non-limiting example of embodiments herein extending from Figure 7 a), to Figure 7 b) and then Figure 7 c).
  • the communications system 100 may not have one first node 111 and one second node 112, but different nodes may be the first node 111 or the second node 112, and the same node may be the first node 111 or the second node 112, in different signalling actions.
  • the first endpoint device 131 is a UE and the second endpoint device 132 is the AS of example.com.
  • the first node 111 may be any of the AF/AS, the UDR, the PCF, the SMF or the UPF, based on the particular signalling action.
  • the same may apply to the second node 112, which may be, e.g., the PCF. However, other nodes may be the second node 112. Not all the possibilities are indicated, to avoid overcrowding the figure.
  • the one or more third nodes 113 may comprise the UPF and the SMF.
  • the UPF may be the first third node 115 and the SMF may be the second third node 116.
  • the one or more fourth nodes 114 may also comprise the UPF and the SMF.
  • Figure 7 shows a sequence diagram describing an example of embodiments that have an add-on subscription package enabled for the subscriber.
  • a precondition is that the UDR, as subscriber data, has stored that the subscriber requires a certain encryption level on the user plane data exchanged between the first endpoint device 131 and the Internet, this stored per S-NSSAI/DNN, for a list of App-IDs and/or for DNS traffic.
  • the first endpoint device 131 triggers a PDU Session Establishment procedure.
  • the SMF creates the policy association with the PCF at Step 3.
  • the PCF in accordance with Action 301, retrieves from the UDR the subscriber session management data for the UE-ID, and/or application data, which may be extended with data related to privacy risk.
  • i) Event-ID PrivacyRisk, which may be understood to be a new event related to privacy risk
  • ii) PrivacyRiskType, which may indicate the type of privacy risk to be detected/reported, e.g., SNI in plaintext
  • iii) List of App-IDs, which may indicate the list of applications to which this event applies
  • the UDR may send this information in accordance with Action 303 and 306.
  • the PCF in accordance with Action 303 and 304, stores the received information and, in accordance with Action 303 and
  • the PCF may directly instruct the SMF, through an extension of the PCC rule, on the enforcement action/s to apply when the privacy risk event is detected, e.g. to block that traffic.
  • the SMF receives the Npcf_SMPolicyControl_Create Response in accordance with Action 301.
  • the SMF in accordance with Action 303 and 306, may trigger a PFCP Session Establishment procedure towards the UPF to indicate the PDRs and the corresponding enforcement actions, e.g., FARs, QERs, URRs, etc, for the PDU session.
  • the SMF may include an Uplink (UL)/Downlink (DL) PDR with Packet Detection Information (PDI) type App-ID, e.g., example.com, which may be associated with a URR which may be extended to request the UPF to detect and report the privacy risk event for the traffic matching the associated PDR.
  • the Measurement Information IE may be extended at Create/Update URR, as indicated earlier in Table 1 and Table 2.
  • the UPF receives the PFCP Session Establishment Request in accordance with Action 301.
  • the PDU session establishment procedure continues.
  • the first endpoint device 131 starts an application, e.g., example.com.
  • the UE Application client triggers a TLS Client Hello message including the SNI field in plaintext.
  • the UPF in accordance with Action 302, runs a PDR matching procedure, detects traffic matching the App-ID, example.com, and, based on the associated and extended URR, it detects, on a per application and/or on a per flow basis, the privacy risk event.
  • the UPF detects a TLS Client Hello message including the SNI field in plaintext.
  • the UPF in accordance with Action 303 and 307, reports the privacy risk event.
  • the SMF receives the PFCP Session Report Request in accordance with Action 308.
  • the SMF answers the UPF with a PFCP Session Report Response message.
  • the SMF forwards the above event information to the PCF.
  • the PCF receives the Npcf_SMPolicyControl_Update Request message in accordance with Action 303 and 308.
  • the PCF in accordance with Action 303 and 309, requests the SMF/UPF to apply the corresponding actions, as per the Requested-Actions received in step 5 above, e.g., by updating the PCC rules to: i) block traffic for App-ID or for the flow/s reported in the event, ii) notify the user, e.g., through SMS or by redirecting to a notification server, to indicate that traffic for App-ID, or DNS traffic, has privacy risk, as described earlier.
  • the notification may not be towards the end device, e.g., IoT device, but instead towards another entity, e.g., the PCF may trigger an SMS or a REST/SOAP request towards a preconfigured node, iii) steer the traffic e.g., through a Security gateway or Firewall SF, e.g., through service chaining, to improve the security of the traffic which has a lower encryption level, iv) trigger a new PDU session towards a different DNN/S-NSSAI for the traffic of the App-ID, e.g., not allowing traffic offload to non-3GPP access; this may be done by PCF triggering a URSP rule indicating the App-ID and the new DNN/S-NSSAI, and v) upgrade the App-ID/flow not meeting the required encryption level towards the required encryption level, e.g., by UPF triggering
  • the PCF sends a Npcf_SMPolicyControl_Update Response message and the SMF receives it in accordance with Action 303, 310.
  • the UPF receives the request message in accordance with Action 303 and 310.
  • the UPF answers the SMF with a PFCP Session Modification Response message.
  • the first endpoint device 131 e.g., an Application client, example.com, may trigger application traffic towards the application server.
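The UPF-side check in the Figure 5 and Figure 7 sequences (PDR match on App-ID, then inspection of the TLS Client Hello for a plaintext SNI, then a PrivacyRisk report carrying the Requested-Actions) as an added Python model; this is example code, not from the patent or from any 3GPP implementation. The ClientHello builder, the `PrivacyRiskRule` class, the action names and the use of the draft encrypted_client_hello extension codepoint as the "SNI encrypted" signal are assumptions made for the example.

```python
"""Added example: minimal model of the UPF privacy-risk detection described
for Figures 5 and 7. Not the patent's code; names and codepoints are assumptions."""
import struct
from dataclasses import dataclass
from typing import Optional

EXT_SERVER_NAME = 0x0000   # TLS server_name extension (RFC 6066)
EXT_ECH = 0xFE0D           # encrypted_client_hello draft codepoint (assumption)


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': host or None, 'ech': bool} from one TLS handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                  # legacy_version + random
    pos += 1 + ch[pos]                            # legacy_session_id
    pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + ch[pos]                            # compression_methods
    info = {"sni": None, "ech": False}
    if pos >= len(ch):
        return info                               # no extensions at all
    end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
        pos += 4
        edata = ch[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(edata) >= 5:
            # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack("!H", edata[3:5])[0]
            info["sni"] = edata[5:5 + name_len].decode("ascii")
        elif etype == EXT_ECH:
            # With ECH the visible SNI is only the client-facing public name;
            # the real SNI sits in the encrypted inner ClientHello.
            info["ech"] = True
    return info


def build_client_hello(sni: Optional[str], ech: bool = False) -> bytes:
    """Construct a sample ClientHello (TLS 1.3 style, one cipher suite)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst
    if ech:
        exts += struct.pack("!HH", EXT_ECH, 4) + b"\x00" * 4  # dummy payload
    ch = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"
    if exts:
        ch += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


@dataclass
class PrivacyRiskRule:
    """Models the extended PCC rule / URR: which App-IDs, which risk, which actions."""
    app_ids: frozenset                 # empty set = applies to the whole session
    risk_type: str = "SNI_PLAINTEXT"   # PrivacyRiskType from the request
    requested_actions: tuple = ("NOTIFY_USER",)


def evaluate_flow(rule: PrivacyRiskRule, app_id: str, payload: bytes) -> Optional[dict]:
    """UPF logic: PDR match on App-ID, then detect the risk and build the report.

    app_id is the result of the PDR matching procedure (supplied by the caller).
    Returns the PrivacyRisk event report, or None when nothing is to be reported."""
    if rule.app_ids and app_id not in rule.app_ids:
        return None                     # PDR does not match, no URR evaluation
    info = parse_client_hello(payload)
    plaintext_sni = info["sni"] is not None and not info["ech"]
    if not plaintext_sni:
        return None                     # requested encryption level is met
    return {
        "Event-ID": "PrivacyRisk",
        "PrivacyRiskType": rule.risk_type,
        "App-ID": app_id,
        "SNI": info["sni"],
        "Requested-Actions": list(rule.requested_actions),
    }


if __name__ == "__main__":
    rule = PrivacyRiskRule(frozenset({"example.com"}), requested_actions=("NOTIFY_USER", "BLOCK"))
    print(evaluate_flow(rule, "example.com", build_client_hello("www.example.com")))
    print(evaluate_flow(rule, "example.com", build_client_hello("public.example.net", ech=True)))
```

The report dict stands in for the PFCP Session Report the UPF sends to the SMF; the SMF/PCF steps that act on Requested-Actions are outside this model.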
  • Embodiments described herein may be understood to not only apply to 5G network architecture, but the same mechanisms may be applied to 4G, just by replacing AF by SCS/AS, NEF by SCEF, PCF by PCRF, UDR by SPR, AMF by Mobility Management Entity (MME), SMF by PGW-C or TDF-C, and UPF by PGW-U or TDF-U.
  • One advantage of embodiments herein is that they allow the operator of the communications system 100 to offer a new service to their subscribers related to privacy communications. This may apply not only to end subscribers, e.g., Mobile Broadband (MBB) subscribers, but also to verticals such as Enterprise or Industry, e.g., IoT devices.
  • Another advantage of embodiments herein may be that they may allow the 5GC Control Plane network functions, e.g., SMF, PCF, NWDAF, to retrieve information on the traffic encryption level and/or protocol stack. This information may be useful for use cases other than the privacy communication service mentioned above.
  • Figure 8 depicts two different examples in panels a) and b), respectively, of the arrangement that the communications system 100 may comprise to perform the method actions described above in relation to Figure 3, Figure 5, Figure 6, or Figure 7.
  • the communications system 100 may comprise the following arrangement depicted in Figure 8a.
  • the communications system 100 may be understood to be for handling security.
  • the communications system 100 is configured to comprise the one or more nodes 110.
  • the one or more nodes 110 may comprise the first node 111.
  • the one or more nodes 110 may further comprise one or more of: the second node 112, the one or more third nodes 113 and the one or more fourth nodes 114.
  • the level of encryption may be understood as particular one or more characteristics of the encryption, such as for example, SNI encrypted.
  • the communications system 100 is configured to, e.g. by means of an obtaining unit 801 within at least one of the one or more nodes 110, e.g., the first node 111, configured to, obtain, by at least one of the one or more nodes 110, the first indication.
  • the first indication is configured to request to detect traffic meeting the one or more conditions of the level of encryption of data configured to be comprised in the traffic.
  • the traffic is configured to be exchanged between the first endpoint device 131 and the second endpoint device 132 via the communications system 100.
  • the first indication is also configured to request to initiate the one or more actions in response to the one or more conditions being met.
  • the communications system 100 is also configured to, e.g. by means of an initiating unit 802 within at least one of the one or more nodes 110, e.g., the first node 111, configured to, initiate, by the at least one of the one or more nodes 110, that the one or more actions configured to be requested in the first indication are performed in response to detecting the traffic meeting the one or more conditions.
  • the first indication may be configured to be obtained by the first node 111 of the one or more nodes 110 from one of: the second node 112 of the one or more nodes 110, and the first endpoint device 131.
  • the first indication may be configured to be obtained based on the request by the first endpoint device 131 to detect the traffic meeting the one or more conditions and initiate the one or more actions.
  • the first indication may be configured to be the subscription request for the event.
  • the event may be of the risk of privacy.
  • the one or more conditions may be configured to comprise at least one of: a) at least part of the data lacking the level of encryption, b) the one or more applications to which the data is to belong, c) the privacy risk type, d) the one or more sessions to which the data is to belong, e) the one or more types of traffic to which the traffic is to belong, and f) the one or more devices 140 to which the data is to pertain.
  • the one or more actions may be configured to comprise at least one of: a) block the traffic, b) notify at least one of: the first endpoint device 131, the second endpoint device 132 and another node 117, c) steer the traffic, d) trigger a new session, and e) upgrade the traffic to the requested level of encryption.
  • the initiating the performance of the one or more actions is configured to comprise, e.g. by means of a sending unit 803 within the first node 111 configured accordingly, sending, by the first node 111 of the one or more nodes 110, the second indication.
  • the second indication is configured to be based on the first indication configured to be obtained towards the one or more third nodes 113 of the one or more nodes 110 to initiate detection of the traffic.
  • the initiating the performance of the one or more actions may be configured to comprise, e.g. by means of a storing unit 804 within the first node 111 configured accordingly, storing, by the first node 111 of the one or more nodes 110, the first indication configured to be obtained.
  • the one or more nodes 110 may be configured to comprise the first node 111 , and at least one of the following options may apply.
  • the communications system 100 may be configured to be a 5G network.
  • at least one of the following additional options may apply.
  • the first node 111 may be configured to be a NEF, or a BSS
  • the second node 112 may be configured to be an AF
  • the one or more third nodes 113 may be configured to comprise a UDR.
  • the first node 111 may be configured to be the UDR
  • the second node 112 may be configured to be the NEF or the BSS
  • the one or more third nodes 113 may be configured to comprise a PCF.
  • the first node 111 may be configured to be the PCF
  • the second node 112 may be configured to be the NEF or the BSS
  • the one or more third nodes 113 may be configured to comprise one or more of: a SMF, and a UPF.
  • the communications system 100 may be configured to be a 4G network, and wherein at least one of the following additional options may apply.
  • the first node 111 may be configured to be a SCEF
  • the second node 112 may be configured to be a SCS, or an AS
  • the one or more third nodes 113 may be configured to comprise an SPR
  • the first node 111 may be configured to be the SPR
  • the second node 112 may be configured to be the SCEF
  • the one or more third nodes 113 may be configured to comprise a PCRF.
  • the first node 111 may be configured to be the PCRF
  • the second node 112 may be configured to be the SCEF
  • the one or more third nodes 113 may be configured to comprise one or more of: a PGW-C or a TDF-C, and a PGW-U or a TDF-U.
  • the first node 111 may be configured to be one of the PCF and the PCRF, and the initiating the performance of the one or more actions may be configured to comprise, e.g. by means of a generating unit 805 within the first node 111 configured accordingly, generating, by the first node 111 of the one or more nodes 110, the rule to be applied to traffic based on the obtained first indication.
  • the second indication may be configured to indicate to apply the rule configured to be generated, in response to the traffic meeting the one or more conditions of the level of encryption of data.
  • communications system 100 may be also configured to, e.g. by means of a detecting unit 806 within the first third node 115 configured to, detect, by the first third node 115 of the one or more nodes 110, the traffic meeting the one or more conditions of the level of encryption of data.
  • the initiating the performance of the one or more actions may be configured to be triggered by the traffic configured to be detected, meeting the one or more conditions and may be configured to comprise, e.g. by means of a sending unit 807 within the first third node 115 configured accordingly, sending, by the first third node 115, the third indication towards at least one of the second third node 116 and the first node 111 of the one or more nodes 110, to indicate detection of the traffic meeting the one or more conditions.
  • the detecting may be configured to be based on the second indication configured to indicate the rule configured to be generated.
  • communications system 100 may be also configured to, e.g. by means of a receiving unit 808, 809 within at least one of the second third node 116 and the first node 111 configured to, receive, by at least one of the second third node 116 and the first node 111 , the third indication.
  • the initiating the performance of the one or more actions may be configured to be triggered by the traffic configured to be detected meeting the one or more conditions and may be configured to comprise, e.g. by means of the sending unit 803 within the first node 111 configured accordingly, sending, by the first node 111, the fourth indication towards one or more fourth nodes 114.
  • the fourth indication may be configured to instruct the one or more fourth nodes 114 to trigger the performance of the one or more actions.
  • communications system 100 may be also configured to, e.g. by means of a receiving unit 810 within at least one of the one or more fourth nodes 114 configured to, receive, by at least one of the one or more fourth nodes 114, the fourth indication.
  • the initiating the performance of the one or more actions may be further configured to comprise, e.g. by means of a performing unit 811 within at least one of the one or more fourth nodes 114 configured accordingly, performing, by the one or more fourth nodes 114, the one or more actions based on the fourth indication configured to be received.
  • the one or more actions may be configured to comprise sending the sixth indication to at least one of the first endpoint device 131 , the second endpoint device 132 and the another node 117.
  • the sixth indication may be configured to indicate detection of the traffic meeting the one or more conditions.
  • the communications system 100 may be configured to be a 5G network.
  • at least one of the following additional options may apply.
  • the first third node 115 may be configured to be a UPF
  • the second third node 116 may be configured to be an SMF
  • the first node 111 may be configured to be a PCF
  • the one or more fourth nodes 114 may be configured to comprise at least one of: the SMF and a NEF.
  • the communications system 100 may be configured to be a 4G network. In some of these embodiments, at least one of the following additional options may apply.
  • the first third node 115 may be configured to be a PGW-U or a TDF-U
  • the second third node 116 may be configured to be a PGW-C or a TDF-C
  • the first node 111 may be configured to be a PCRF
  • the one or more fourth nodes 114 may be configured to comprise at least one of: the PGW-C or the TDF-C and an SCEF.
  • the embodiments herein may be implemented through one or more processors, such as a processor 812, 813, 814, 815 in the first node 111, the first third node 115, the second third node 116 and the fourth node 114, respectively, depicted in Figure 8, together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the communications system 100.
  • One such carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the communications system 100.
  • the communications system 100 may further comprise a memory 816, 817, 818, 819 in the first node 111, the first third node 115, the second third node 116 and the fourth node 114, respectively, comprising one or more memory units.
  • the memory 816, 817, 818, 819 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the communications system 100.
  • the one or more nodes 110 may receive information from, e.g., the first node 111, the second node 112, the one or more third nodes 113, the one or more fourth nodes 114, the first third node 115, the second third node 116, the another node 117, the first endpoint device 131, the second endpoint device 132, or another node or device through a receiving port 820, 821, 822, 823 in the first node 111, the first third node 115, the second third node 116 and the fourth node 114, respectively.
  • the receiving port 820, 821, 822, 823 may be, for example, connected to one or more antennas in the first node 111, the first third node 115, the second third node 116 and the fourth node 114, respectively.
  • the one or more nodes 110 may receive information from another structure in the communications system 100 through the receiving port 820, 821, 822, 823, respectively. Since the receiving port 820, 821, 822, 823 may be in communication with the respective processor 812, 813, 814, 815 of the respective node of the one or more nodes 110, the receiving port 820, 821, 822, 823 may then send the received information to the respective processor 812, 813, 814, 815.
  • the receiving port 820, 821, 822, 823 may also be configured to receive other information.
  • the processor 812, 813, 814, 815 in the one or more nodes 110 may be further configured to transmit or send information to e.g., the first node 111, the second node 112, the one or more third nodes 113, the one or more fourth nodes 114, the first third node 115, the second third node 116, the another node 117, the first endpoint device 131, the second endpoint device 132, another node or device and/or another structure in the communications system 100, through a sending port 824, 825, 826, 827 in the first node 111, the first third node 115, the second third node 116 and the fourth node 114, respectively, which may be in communication with the processor 812, 813, 814, 815, and the memory 816, 817, 818, 819, respectively.
  • any of the units 801-811 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed, respectively, by the one or more processors such as the processor 812, 813, 814, 815, perform as described above.
  • One or more of these processors, as well as the other digital hardware may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • any of the units 801-811 described above may be the respective processor 812, 813, 814, 815 of the one or more nodes 110, or an application running on such processor.
  • the methods according to the embodiments described herein for the communications system 100 may be respectively implemented by means of a computer program 828, 829, 830, 831 product in the first node 111, the first third node 115, the second third node 116 and the fourth node 114, respectively, comprising instructions, i.e., software code portions, which, when executed on at least one processor 812, 813, 814, 815, cause the at least one processor 812, 813, 814, 815 to carry out the actions described herein, as performed by the first node 111, the first third node 115, the second third node 116 and the fourth node 114, respectively.
  • the computer program 828, 829, 830, 831 product may be stored on a respective computer-readable storage medium 832, 833, 834, 835 in the first node 111, the first third node 115, the second third node 116 and the fourth node 114, respectively.
  • the computer-readable storage medium 832, 833, 834, 835, having respectively stored thereon the computer program 828, 829, 830, 831 may comprise instructions which, when respectively executed on at least one processor 812, 813, 814, 815, cause, respectively, the at least one processor 812, 813, 814, 815 to carry out the actions described herein, as performed by the one or more nodes 110.
  • the computer-readable storage medium 832, 833, 834, 835 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 828, 829, 830, 831 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 832, 833, 834, 835, as described above.
  • the one or more nodes 110 may respectively comprise an interface unit to facilitate communications between the respective node of the one or more nodes 110 and other nodes or devices, e.g., the first node 111, the second node 112, the one or more third nodes 113, the one or more fourth nodes 114, the first third node 115, the second third node 116, the another node 117, the first endpoint device 131, the second endpoint device 132, another node or device and/or another structure in the communications system 100.
  • the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
  • the communications system 100 may comprise the following arrangement depicted in Figure 8b.
  • the communications system 100 may comprise a processing circuitry 812, 813, 814, 815 in the first node 111, the first third node 115, the second third node 116 and the fourth node 114, respectively, e.g., one or more processors such as the processor 812, 813, 814, 815, in the communications system 100 and the memory 816, 817, 818, 819.
  • the communications system 100 may also comprise a radio circuitry 836, 837, 838, 839 in the first node 111, the first third node 115, the second third node 116 and the fourth node 114, respectively, which may comprise e.g., the respective receiving port 820, 821, 822, 823 and the respective sending port 824, 825, 826, 827.
  • the processing circuitry 812, 813, 814, 815 may be configured to, or operable to, perform the method actions according to Figure 3, Figure 5, Figure 6 and/or Figure 7, in a similar manner as that described in relation to Figure 8a.
  • the radio circuitry 836, 837, 838, 839 may be configured to set up and maintain at least a wireless connection with the first node 111, the second node 112, the one or more third nodes 113, the one or more fourth nodes 114, the first third node 115, the second third node 116, the another node 117, the first endpoint device 131, the second endpoint device 132, another node or device and/or another structure in the communications system 100.
  • embodiments herein also relate to the communications system 100 operative to handle security, the communications system 100 being operative to comprise the one or more nodes 110.
  • the communications system 100 may comprise the processing circuitry 812, 813, 814, 815 and the memory 816, 817, 818, 819, said memory 816, 817, 818, 819 containing instructions executable by said processing circuitry 812, 813, 814, 815, whereby the communications system 100 is further operative to perform the actions described herein in relation to the communications system 100, e.g., in Figure 3, Figure 5, Figure 6 and/or Figure 7.
  • Figure 9 depicts two different examples in panels a) and b), respectively, of the arrangement that the first endpoint device 131 may comprise to perform the method actions described above in relation to Figure 4, Figure 5, Figure 6 and/or Figure 7.
  • the first endpoint device 131 may comprise the following arrangement depicted in Figure 9a.
  • the first endpoint device 131 may be understood to be for handling security.
  • the first endpoint device 131 may exchange traffic with the second endpoint device 132 via the communications system 100.
  • the level of encryption may be understood as particular one or more characteristics of the encryption, such as for example, SNI encrypted.
  • the first endpoint device 131 is configured to, e.g. by means of a sending unit 901 within the first endpoint device 131 configured to, send, towards the one or more nodes 110 configured to be comprised in the communications system 100, the first indication.
  • the first indication is configured to request to detect traffic meeting the one or more conditions of the level of encryption of data configured to be comprised in the traffic.
  • the traffic is configured to be exchanged between the first endpoint device 131 and the second endpoint device 132 via the communications system 100.
  • the first indication is also configured to request to initiate one or more actions in response to the one or more conditions being met.
  • the first endpoint device 131 is also configured to, e.g. by means of a receiving unit 902 within the first endpoint device 131 configured to, receive the sixth indication, from at least one of the one or more nodes 110, in response to the first indication configured to be sent.
  • the sixth indication is configured to indicate detection of the traffic meeting the one or more conditions.
  • the first indication may be configured to be sent to the first node 111 or the second node 112, of the one or more nodes 110 configured to be comprised in the communications system 100.
  • the first indication may be configured to be the subscription request for the event, the event being configured to be of the risk of privacy.
  • the one or more conditions may be configured to comprise at least one of: a) at least part of the data lacking the level of encryption, b) the one or more applications to which the data is to belong, c) the privacy risk type, d) the one or more sessions to which the data is to belong, e) the one or more types of traffic to which the traffic is to belong, and f) the one or more devices 140 to which the data is to pertain.
  • the one or more actions may be configured to comprise at least one of: a) block the traffic, b) notify at least one of: the first endpoint device 131, the second endpoint device 132 and another node 117, c) steer the traffic, d) trigger a new session, and e) upgrade the traffic to the requested level of encryption.
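As an added example (not code from the patent), the following Python models the flow just described for the first endpoint device: a subscription to the privacy-risk event carrying the conditions a)-f), a detection step run by a traffic-observing node over constructed sample flows, and the resulting sixth indication with the actions a)-e) to initiate. The names FlowObservation, PrivacyRiskSubscription, evaluate_flow and run, and the sample flow values, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example, not the patent's own code. FlowObservation, PrivacyRiskSubscription,
# evaluate_flow and run are hypothetical names; the conditions and actions follow
# lists a)-f) and a)-e) in the text above.

@dataclass(frozen=True)
class FlowObservation:
    """What a user-plane node (UPF / PGW-U) can observe about one flow."""
    session_id: str
    device_id: str
    app_id: str
    traffic_type: str            # e.g. "web", "video"
    transport_encrypted: bool    # TLS/QUIC record protection present
    sni_encrypted: bool          # server name hidden, e.g. Encrypted ClientHello

@dataclass(frozen=True)
class PrivacyRiskSubscription:
    """The 'first indication': a subscription to the privacy-risk event."""
    subscriber: str                                  # receives the sixth indication
    required_encryption: FrozenSet[str]              # condition a), e.g. {"transport", "sni"}
    apps: Optional[FrozenSet[str]] = None            # condition b); None means any
    sessions: Optional[FrozenSet[str]] = None        # condition d)
    traffic_types: Optional[FrozenSet[str]] = None   # condition e)
    devices: Optional[FrozenSet[str]] = None         # condition f)
    actions: Tuple[str, ...] = ("notify",)           # actions a)-e) to initiate on a match

VALID_ACTIONS = {"block", "notify", "steer", "new_session", "upgrade"}

def encryption_present(flow: FlowObservation) -> FrozenSet[str]:
    """Encryption characteristics the observed flow actually has."""
    present = set()
    if flow.transport_encrypted:
        present.add("transport")
    if flow.sni_encrypted:
        present.add("sni")
    return frozenset(present)

def flow_in_scope(flow: FlowObservation, sub: PrivacyRiskSubscription) -> bool:
    """Conditions b), d), e), f): does the subscription cover this flow at all?"""
    checks = ((sub.apps, flow.app_id), (sub.sessions, flow.session_id),
              (sub.traffic_types, flow.traffic_type), (sub.devices, flow.device_id))
    return all(allowed is None or value in allowed for allowed, value in checks)

def evaluate_flow(flow: FlowObservation, sub: PrivacyRiskSubscription) -> Optional[dict]:
    """Detection step: the 'sixth indication' plus the actions to initiate when
    the flow lacks the requested level of encryption, or None when it does not."""
    unknown = set(sub.actions) - VALID_ACTIONS
    if unknown:
        raise ValueError(f"unsupported actions: {sorted(unknown)}")
    if not flow_in_scope(flow, sub):
        return None
    missing = sub.required_encryption - encryption_present(flow)
    if not missing:
        return None  # requested level of encryption is satisfied
    return {
        "event": "privacy_risk",
        "notify": sub.subscriber,
        "session_id": flow.session_id,
        "app_id": flow.app_id,
        "missing_encryption": sorted(missing),
        "actions": list(sub.actions),
    }

# Constructed sample input: one subscription and three observed flows.
SUBSCRIPTION = PrivacyRiskSubscription(
    subscriber="endpoint-131",
    required_encryption=frozenset({"transport", "sni"}),
    apps=frozenset({"banking-app"}),
    actions=("notify", "upgrade"),
)
FLOWS = [
    FlowObservation("pdu-1", "ue-1", "banking-app", "web", True, False),   # TLS, SNI in clear
    FlowObservation("pdu-1", "ue-1", "banking-app", "web", True, True),    # fully protected
    FlowObservation("pdu-2", "ue-1", "weather-app", "web", False, False),  # other app: out of scope
]

def run(flows=FLOWS, sub=SUBSCRIPTION) -> List[dict]:
    """Evaluate every observed flow and collect the indications raised."""
    return [r for r in (evaluate_flow(f, sub) for f in flows) if r is not None]

if __name__ == "__main__":
    for indication in run():
        print(indication)
```

Only the first sample flow raises an indication: it is in scope and has transport encryption but an unencrypted SNI, so the missing characteristic and the subscribed actions are reported to the subscriber.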
  • the embodiments herein may be implemented through one or more processors, such as a processor 903 in the first endpoint device 131 depicted in Figure 9, together with computer program code for performing the functions and actions of the embodiments herein.
  • the program code mentioned above may also be provided as a computer program product, for instance in the form of a data carrier carrying computer program code for performing the embodiments herein when being loaded into the first endpoint device 131.
  • a data carrier may be in the form of a CD ROM disc. It is however feasible with other data carriers such as a memory stick.
  • the computer program code may furthermore be provided as pure program code on a server and downloaded to the first endpoint device 131.
  • the first endpoint device 131 may further comprise a memory 904 comprising one or more memory units.
  • the memory 904 is arranged to be used to store obtained information, store data, configurations, schedulings, and applications etc. to perform the methods herein when being executed in the first endpoint device 131.
  • the first endpoint device 131 may receive information from, e.g., the first node 111, the second node 112, the one or more third nodes 113, the one or more fourth nodes 114, the first third node 115, the second third node 116, the another node 117, the second endpoint device 132, and/or another node or device, through a receiving port 905.
  • the receiving port 905 may be, for example, connected to one or more antennas in the first endpoint device 131.
  • the first endpoint device 131 may receive information from another structure in the communications system 100 through the receiving port 905. Since the receiving port 905 may be in communication with the processor 903, the receiving port 905 may then send the received information to the processor 903.
  • the receiving port 905 may also be configured to receive other information.
  • the processor 903 in the first endpoint device 131 may be further configured to transmit or send information to e.g., the first node 111, the second node 112, the one or more third nodes 113, the one or more fourth nodes 114, the first third node 115, the second third node 116, the another node 117, the second endpoint device 132, another node or device and/or another structure in the communications system 100, through a sending port 906, which may be in communication with the processor 903, and the memory 904.
  • any of the units 901-902 described above may refer to a combination of analog and digital circuits, and/or one or more processors configured with software and/or firmware, e.g., stored in memory, that, when executed by the one or more processors such as the processor 903, perform as described above.
  • processors as well as the other digital hardware, may be included in a single Application-Specific Integrated Circuit (ASIC), or several processors and various digital hardware may be distributed among several separate components, whether individually packaged or assembled into a System-on-a-Chip (SoC).
  • any of the units 901-902 described above may be the processor 903 of the first endpoint device 131, or an application running on such processor.
  • the methods according to the embodiments described herein for the first endpoint device 131 may be respectively implemented by means of a computer program 907 product, comprising instructions, i.e., software code portions, which, when executed on at least one processor 903, cause the at least one processor 903 to carry out the actions described herein, as performed by the first endpoint device 131.
  • the computer program 907 product may be stored on a computer-readable storage medium 908.
  • the computer-readable storage medium 908, having stored thereon the computer program 907, may comprise instructions which, when executed on at least one processor 903, cause the at least one processor 903 to carry out the actions described herein, as performed by the first endpoint device 131.
  • the computer-readable storage medium 908 may be a non-transitory computer-readable storage medium, such as a CD ROM disc, a memory stick, or stored in the cloud space.
  • the computer program 907 product may be stored on a carrier containing the computer program, wherein the carrier is one of an electronic signal, optical signal, radio signal, or the computer-readable storage medium 908, as described above.
  • the first endpoint device 131 may comprise an interface unit to facilitate communications between the first endpoint device 131 and other nodes or devices, e.g., the first node 111, the second node 112, the one or more third nodes 113, the one or more fourth nodes 114, the first third node 115, the second third node 116, the another node 117, the second endpoint device 132, another node or device and/or another structure in the communications system 100.
  • the interface may, for example, include a transceiver configured to transmit and receive radio signals over an air interface in accordance with a suitable standard.
  • the first endpoint device 131 may comprise the following arrangement depicted in Figure 9b.
  • the first endpoint device 131 may comprise a processing circuitry 903, e.g., one or more processors such as the processor 903, in the first endpoint device 131 and the memory 904.
  • the first endpoint device 131 may also comprise a radio circuitry 909, which may comprise e.g., the receiving port 905 and the sending port 906.
  • the processing circuitry 903 may be configured to, or operable to, perform the method actions according to Figure 4, Figure 5, Figure 6 and/or Figure 7, in a similar manner as that described in relation to Figure 9a.
  • the radio circuitry 909 may be configured to set up and maintain at least a wireless connection with the first node 111, the second node 112, the one or more third nodes 113, the one or more fourth nodes 114, the first third node 115, the second third node 116, the another node 117, the second endpoint device 132, another node or device and/or another structure in the communications system 100.
  • inventions herein also relate to the first endpoint device 131 operative to handle security.
  • the first endpoint device 131 may comprise the processing circuitry 903 and the memory 904, said memory 904 containing instructions executable by said processing circuitry 903, whereby the first endpoint device 131 is further operative to perform the actions described herein in relation to the first endpoint device 131, e.g., in Figure 4, Figure 5, Figure 6 and/or Figure 7.
  • the word “comprise” or “comprising” shall be interpreted as non-limiting, i.e. meaning “consist at least of”.
  • the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “and” term, may be understood to mean that only one of the list of alternatives may apply, more than one of the list of alternatives may apply or all of the list of alternatives may apply.
  • This expression may be understood to be equivalent to the expression “at least one of:” followed by a list of alternatives separated by commas, and wherein the last alternative is preceded by the “or” term.
  • processor and circuitry may be understood herein as a hardware component.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a computer-implemented method, performed by a communications system (100), for handling security. The communications system (100) comprises one or more nodes (110) and obtains (301), by at least one of the nodes (110), a first indication that requests to detect traffic meeting one or more conditions of a level of encryption of data comprised in the traffic. The traffic is exchanged between a first (131) and a second (132) endpoint device. The first indication requests to initiate one or more actions in response to the one or more conditions being met. The communications system (100) also initiates (303), by the at least one of the one or more nodes (110), the performance of the one or more actions in response to detecting the traffic meeting the conditions. The condition may comprise the traffic lacking the required level of encryption, and the action may be to upgrade the encryption.
PCT/EP2022/052144 2022-01-11 2022-01-28 Communications system, first endpoint device and methods performed thereby for handling security WO2023134876A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP22382010 2022-01-11
EP22382010.1 2022-01-11

Publications (1)

Publication Number Publication Date
WO2023134876A1 true WO2023134876A1 (fr) 2023-07-20

Family

ID=79316686

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/052144 WO2023134876A1 (fr) 2022-01-11 2022-01-28 Communications system, first endpoint device and methods performed thereby for handling security

Country Status (1)

Country Link
WO (1) WO2023134876A1 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22705736

Country of ref document: EP

Kind code of ref document: A1