WO2023147888A1 - Updating route selection policy rules having digital certificate information - Google Patents

Updating route selection policy rules having digital certificate information

Info

Publication number
WO2023147888A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
updated
route selection
digital certificate
selection policy
Prior art date
Application number
PCT/EP2022/056350
Other languages
English (en)
Inventor
Andreas Kunz
Genadi Velev
Dimitrios Karampatsis
Sheeba Backia Mary BASKARAN
Apostolis Salkintzis
Original Assignee
Lenovo (Singapore) Pte. Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo (Singapore) Pte. Ltd
Publication of WO2023147888A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/10 Integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 40/00 Communication routing or communication path finding

Definitions

  • the subject matter disclosed herein relates generally to the field of updating route selection policy rules having digital certificate information therein.
  • This document defines at least one apparatus, at least one network node, at least one method in an apparatus, and at least one method in a network node.
  • UE User Equipment
  • URSP Route Selection Policy
  • 3GPP TS 23.502 “Procedures for the 5G System (5GS); Stage 2 (Release 17)” v17.3.0 (2021-12) and 3GPP TS 23.503 “Policy and charging control framework for the 5G System (5GS); Stage 2 (Release 17)” v17.3.0 (2021-12).
  • the URSP rules contain a Traffic Descriptor that allows the UE to determine if a URSP rule matches application traffic.
  • Traffic Descriptors include Application Descriptors which may define the operating system identity (OSID) and the application identity (OSAppID). Traffic Descriptors also include IP flow descriptors such as the target address of application traffic, a requested Data Network Name by the application, and/ or a connection capability requested by an application (e.g. an IMS connection).
  • OSID operating system identity
  • OSAppID application identity
  • PCT/EP2021/050099 describes selecting a data connection based on digital certificate information.
  • An apparatus receives a request to send a data packet and determines a first application identity used by a first application and finds a first policy rule in the apparatus that matches the first application identity and determines whether the first application matches a digital certificate information.
  • the first policy rule contains the digital certificate information.
  • upon determining that the first application matches the digital certificate information, the apparatus applies the first policy rule to select a first set of data connection parameters and transmits the data packet via a data connection using the first set of data connection parameters.
  • a problem with assigning route selection policy rules to traffic associated with particular applications is that it can be difficult to correctly identify the application.
  • a malicious application might attempt to spoof the identity of another application so as to take advantage of a route selection policy rule meant for the other application.
  • an apparatus comprising a processor and a transceiver.
  • the processor is arranged to perform an update to a first application installed on the apparatus, the first application signed with a digital certificate.
  • the processor is further arranged to determine that the first application has been updated.
  • the transceiver is arranged, in response to determining that the first application has been updated, to send a policy provisioning request and, as a result thereof, receive an updated route selection policy rule, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the processor is further arranged to execute the updated first application, and to apply the updated route selection policy rule to traffic associated with the updated first application.
  • a method in an apparatus comprising performing an update to a first application installed on the apparatus, the first application signed with a digital certificate.
  • the method further comprises determining that the first application has been updated.
  • the method further comprises, in response to determining that the first application has been updated, sending a policy provisioning request and, as a result thereof, receiving an updated route selection policy rule, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the method further comprises executing the updated first application.
  • the method further comprises applying the updated route selection policy rule to traffic associated with the updated first application.
  • a network node arranged to communicate with a user equipment, wherein a first application is installed on the user equipment, the first application signed with a first digital certificate.
  • the network node comprises a transceiver arranged to receive from the user equipment a policy provisioning request, and as a result thereof, send an updated route selection policy rule to the user equipment, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • a method in a network node, the network node arranged to communicate with a user equipment, wherein a first application is installed on the user equipment, the first application signed with a first digital certificate. The method comprises receiving from the user equipment a policy provisioning request, and as a result thereof, sending an updated route selection policy rule to the user equipment, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • a network node comprising a processor and a transceiver.
  • the processor is arranged to determine that an update is available for a first application, wherein the first application is signed with a first digital certificate.
  • the transceiver is arranged to communicate with the user equipment, wherein in response to the processor determining an update is available for a first application, the transceiver is arranged to send an updated route selection policy rule to the user equipment, the updated route selection policy rule identifying the updated first application and including an updated digital certificate information.
  • the updated route selection policy rule is arranged to be applied by the user equipment to traffic associated with the updated first application.
  • an apparatus comprising a transceiver and a processor.
  • the transceiver is arranged to receive an updated route selection policy rule from a network node, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the processor is arranged to execute the updated first application and apply the updated route selection policy rule to traffic associated with the updated first application.
  • the method comprises receiving an updated route selection policy rule from a network node, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the method further comprises executing the updated first application and applying the updated route selection policy rule to traffic associated with the updated first application.
  • Figure 1 depicts a wireless communication system
  • Figure 2 depicts a user equipment apparatus
  • Figure 3 depicts a network node
  • Figure 4 illustrates a method in an apparatus, the method for updating a route selection policy rule
  • Figure 5 illustrates a method in a network node, the method for updating a route selection policy rule
  • Figure 6 illustrates another method in a network node, the method for updating a route selection policy rule
  • Figure 7 illustrates another method in an apparatus, the method for updating a route selection policy rule
  • Figure 8 illustrates a method of updating a route selection policy rule in response to an application being updated at a user equipment
  • Figure 9 illustrates a method of updating a route selection policy rule in response to an application being updated at a user equipment.
  • aspects of this disclosure may be embodied as a system, apparatus, method, or program product. Accordingly, arrangements described herein may be implemented in an entirely hardware form, an entirely software form (including firmware, resident software, micro-code, etc.) or a form combining software and hardware aspects.
  • the disclosed methods and apparatus may be implemented as a hardware circuit comprising custom very-large-scale integration (“VLSI”) circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components.
  • VLSI very-large-scale integration
  • the disclosed methods and apparatus may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices, or the like.
  • the disclosed methods and apparatus may include one or more physical or logical blocks of executable code which may, for instance, be organized as an object, procedure, or function.
  • methods and apparatus may take the form of a program product embodied in one or more computer readable storage devices storing machine readable code, computer readable code, and/ or program code, referred hereafter as code.
  • the storage devices may be tangible, non-transitory, and/ or non-transmission.
  • the storage devices may not embody signals. In certain arrangements, the storage devices only employ signals for accessing code.
  • the computer readable medium may be a computer readable storage medium.
  • the computer readable storage medium may be a storage device storing the code.
  • the storage device may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, holographic, micromechanical, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • more specific examples (a non-exhaustive list) of the storage device would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random-access memory (“RAM”), a read-only memory (“ROM”), an erasable programmable read-only memory (“EPROM” or Flash memory), a portable compact disc read-only memory (“CD-ROM”), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can contain, or store, a program for use by or in connection with an instruction execution system, apparatus, or device.
  • references throughout this specification to an example of a particular method or apparatus, or similar language means that a particular feature, structure, or characteristic described in connection with that example is included in at least one implementation of the method and apparatus described herein.
  • reference to features of an example of a particular method or apparatus, or similar language may, but do not necessarily, all refer to the same example, but mean “one or more but not all examples” unless expressly specified otherwise.
  • the terms “including,” “comprising,” “having,” and variations thereof mean “including but not limited to,” unless expressly specified otherwise. An enumerated listing of items does not imply that any or all of the items are mutually exclusive, unless expressly specified otherwise.
  • a list with a conjunction of “and/ or” includes any single item in the list or a combination of items in the list.
  • a list of A, B and/ or C includes only A, only B, only C, a combination of A and B, a combination of B and C, a combination of A and C or a combination of A, B and C.
  • a list using the terminology “one or more of” includes any single item in the list or a combination of items in the list.
  • one or more of A, B and C includes only A, only B, only C, a combination of A and B, a combination of B and C, a combination of A and C or a combination of A, B and C.
  • a list using the terminology “one of” includes one and only one of any single item in the list.
  • “one of A, B and C” includes only A, only B or only C and excludes combinations of A, B and C.
  • a member selected from the group consisting of A, B, and C includes one and only one of A, B, or C, and excludes combinations of A, B, and C.
  • a member selected from the group consisting of A, B, and C and combinations thereof includes only A, only B, only C, a combination of A and B, a combination of B and C, a combination of A and C or a combination of A, B and C.
  • the code may also be stored in a storage device that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the storage device produce an article of manufacture including instructions which implement the function/ act specified in the schematic flowchart diagrams and/or schematic block diagrams.
  • the code may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus, or other devices to produce a computer implemented process such that the code which executes on the computer or other programmable apparatus provides processes for implementing the functions/acts specified in the schematic flowchart diagrams and/or schematic block diagrams.
  • each block in the schematic flowchart diagrams and/or schematic block diagrams may represent a module, segment, or portion of code, which includes one or more executable instructions of the code for implementing the specified logical function(s).
  • the functions noted in the block may occur out of the order noted in the Figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more blocks, or portions thereof, of the illustrated Figures.
  • a 5G-capable User Equipment may have a plurality of UE Route Selection Policy (URSP) rules, each one containing a traffic descriptor component and a route selection descriptor component, see also TS 23.503 v17.3.0.
  • the route selection descriptor component identifies the data connection that must be used to transmit the traffic that matches the traffic descriptor component.
  • a data connection is identified with a set of data connection parameters, wherein a data connection parameter can identify (a) the name of the external data network (Data Network Name, DNN) reachable via the data connection, (b) a network slice utilized by the data connection (Single Network Slice Selection Assistance Information, S-NSSAI), (c) the radio access network type utilized by the data connection (3GPP access or non-3GPP access), (d) the Internet Protocol (IP) type utilized by the data connection (e.g. IPv4 or IPv6), (e) the session and service continuity type (SSC type) provided by the data connection, etc.
  • IP Internet Protocol
  • SSC session and service continuity type
  • the URSP rules map the different traffic flows generated in the UE into different data connections, each one utilizing different data connection parameters.
  • the UE may establish multiple data connections with a mobile communication network.
  • a URSP rule can map the traffic generated by a first application into a data connection utilizing a first set of data connection parameters.
  • the traffic descriptor component of the URSP rule comprises the identity of the first application. Note, however, that the identity of an application is not a secure identifier, i.e. it cannot uniquely identify an application. It is feasible that a second application could be (maliciously) designed to have the same identifier as the identifier of a first application. This way, the second application pretends to be the first application and can cause the UE to transmit traffic of the second application based on a URSP rule that was designed to be applied for the traffic of the first application.
  • the traffic descriptor component of a URSP rule may be extended to comprise also digital certificate information, which contains information that uniquely identifies a digital certificate, e.g. a certificate fingerprint.
  • the UE applies a URSP rule for the traffic of an application only when this application is signed with the certificate identified by the digital certificate information in the URSP rule.
  • Identifying an application based on the certificate fingerprint has the disadvantage that the same publisher may use the same certificate for other applications; the digital certificate information such as the digital fingerprint of the same certificate would be the same for a plurality of applications and thus not a unique identifier.
  • if the fingerprint were extended to also include, or to use only, the signature of the application, so as to be unique to the application build as well, then a genuine application would be identified as malicious once the application in the UE is updated and the signature in the rule, associated with the non-updated application, no longer matches the updated application. Given that applications installed on a UE are often updated, in practice the UE has no chance to map the traffic according to the modified URSP rule that uses digital certificate information.
  • 3GPP specifications define how the UE applies a URSP rule when this URSP rule matches an application identity.
  • a URSP rule with digital certificate information has been discussed, together with how the UE applies a URSP rule that contains an application identity and digital certificate information.
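A simplified model of the two mechanisms described above, namely URSP matching on application identity plus digital certificate information, and the update-triggered policy provisioning that refreshes a rule whose certificate information no longer matches the updated build. This is an added example, not code from the patent or from 3GPP; the `PolicyControlFunction` check that the updated app is still signed by the publisher on file, the `InstalledApp` fields and the rule encoding are assumptions, and the DNN-only route selection descriptor is a simplification.

```python
"""Constructed model of certificate-bound URSP rules and update-triggered
re-provisioning. Not 3GPP TS 24.526 encoding and not the patent's own code."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class InstalledApp:
    os_id: str              # OSID
    os_app_id: str          # OSAppID: not a secure identifier, any app can claim it
    signing_cert: bytes     # publisher certificate, DER (constructed stand-in)
    build_signature: bytes  # signature over this build; changes on every update


def cert_info(app: InstalledApp) -> str:
    """Digital certificate information in the extended variant from the text: a
    fingerprint over certificate AND build signature, so it changes on update."""
    return hashlib.sha256(app.signing_cert + app.build_signature).hexdigest()


@dataclass(frozen=True)
class UrspRule:
    precedence: int                  # lower value is evaluated first
    dnn: str                         # route selection descriptor (DNN only, for brevity)
    os_id: Optional[str] = None      # traffic descriptor components; None = wildcard
    os_app_id: Optional[str] = None
    cert_info: Optional[str] = None  # None = legacy rule without certificate binding


def rule_matches(rule: UrspRule, app: InstalledApp) -> bool:
    """Apply the rule only if identity matches and, when the rule carries
    certificate information, the app is signed with that certificate."""
    if rule.os_id is not None and rule.os_id != app.os_id:
        return False
    if rule.os_app_id is not None and rule.os_app_id != app.os_app_id:
        return False
    if rule.cert_info is not None and rule.cert_info != cert_info(app):
        return False
    return True


def select_dnn(rules: Iterable[UrspRule], app: InstalledApp) -> Optional[str]:
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule_matches(rule, app):
            return rule.dnn
    return None


class PolicyControlFunction:
    """Network-node stand-in. Assumption (not from the text): it re-issues a rule
    only when the updated app is still signed by the publisher certificate on file."""
    def __init__(self, trusted_cert_by_app: Dict[str, bytes]) -> None:
        self._trusted = trusted_cert_by_app

    def policy_provisioning(self, app: InstalledApp) -> Optional[UrspRule]:
        if self._trusted.get(app.os_app_id) != app.signing_cert:
            return None
        return UrspRule(10, "enterprise", app.os_id, app.os_app_id, cert_info(app))


class UserEquipment:
    def __init__(self, pcf: PolicyControlFunction, rules: Iterable[UrspRule]) -> None:
        self.pcf, self.rules, self.apps = pcf, list(rules), {}

    def install(self, app: InstalledApp) -> None:
        self.apps[app.os_app_id] = app

    def update(self, new_app: InstalledApp) -> Optional[UrspRule]:
        """Perform the update, determine that the app changed, send a policy
        provisioning request and replace the stale certificate-bound rule."""
        old = self.apps[new_app.os_app_id]
        self.apps[new_app.os_app_id] = new_app
        if cert_info(old) == cert_info(new_app):
            return None                       # nothing changed, keep current rules
        new_rule = self.pcf.policy_provisioning(new_app)
        if new_rule is not None:
            self.rules = [r for r in self.rules
                          if not (r.os_app_id == new_app.os_app_id and r.cert_info)]
            self.rules.append(new_rule)
        return new_rule

    def route(self, os_app_id: str) -> Optional[str]:
        return select_dnn(self.rules, self.apps[os_app_id])


def demo() -> Dict[str, Optional[str]]:
    """Genuine app, spoofed app with the same OSAppID, stale rule after an
    update, and the same app after re-provisioning. All values are constructed."""
    publisher = b"constructed DER of publisher cert"
    v1 = InstalledApp("Android", "com.example.mail", publisher, b"build-sig-v1")
    v2 = InstalledApp("Android", "com.example.mail", publisher, b"build-sig-v2")
    spoof = InstalledApp("Android", "com.example.mail", b"other cert", b"sig-x")
    bound = UrspRule(10, "enterprise", "Android", "com.example.mail", cert_info(v1))
    default = UrspRule(255, "internet")                        # match-all fallback
    ue = UserEquipment(PolicyControlFunction({"com.example.mail": publisher}),
                       [bound, default])
    ue.install(v1)
    out = {"genuine_v1": ue.route("com.example.mail"),
           "spoofed_same_app_id": select_dnn(ue.rules, spoof),
           "v2_with_stale_rule": select_dnn(ue.rules, v2)}     # the problem in the text
    ue.update(v2)                                              # triggers re-provisioning
    out["v2_after_update"] = ue.route("com.example.mail")
    return out
```

The spoofed app and the not-yet-re-provisioned update both fall through to the match-all rule, which is the safe outcome; only the re-provisioned rule restores the enterprise route.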
  • the present disclosure describes systems, methods, and apparatus for updating route selection policy rules having digital certificate information therein. Said procedures may be implemented by an apparatus such as a user equipment or a network node.
  • Figure 1 depicts a wireless communication system 100 that includes at least one remote unit 105, a 5G-RAN 115, and a mobile core network 140.
  • the 5G-RAN 115 and the mobile core network 140 form a mobile communication network.
  • the 5G-RAN 115 may be composed of a 3GPP access network 120 containing at least one cellular base unit 121 and/ or a non-3GPP access network 130 containing at least one access point 131.
  • the remote unit 105 communicates with the 3GPP access network 120 using 3GPP communication links 123 and communicates with the non-3GPP access network 130 using non-3GPP communication links 133.
  • although specific numbers of remote units 105, 3GPP access networks 120, cellular base units 121, 3GPP communication links 123, non-3GPP access networks 130, access points 131, non-3GPP communication links 133, and mobile core networks 140 are depicted in Figure 1, one of skill in the art will recognize that any number of remote units 105, 3GPP access networks 120, cellular base units 121, 3GPP communication links 123, non-3GPP access networks 130, access points 131, non-3GPP communication links 133, and mobile core networks 140 may be included in the wireless communication system 100.
  • the wireless communication system 100 is compliant with the 5G system specified in the 3GPP specifications. More generally, however, the wireless communication system 100 may implement some other open or proprietary communication network, for example, LTE or WiMAX, among other networks.
  • LTE Long Term Evolution
  • WiMAX Worldwide Interoperability for Microwave Access
  • the remote units 105 may include computing devices, such as desktop computers, laptop computers, personal digital assistants (“PDAs”), tablet computers, smart phones, smart televisions (e.g., televisions connected to the Internet), smart appliances (e.g., appliances connected to the Internet), set-top boxes, game consoles, security systems (including security cameras), vehicle on-board computers, network devices (e.g., routers, switches, modems), or the like.
  • the remote units 105 may include wearable devices, such as smart watches, fitness bands, optical head-mounted displays, or the like.
  • the remote units 105 may be referred to as UEs, subscriber units, mobiles, mobile stations, users, terminals, mobile terminals, fixed terminals, subscriber stations, user terminals, wireless transmit/receive unit (“WTRU”), a device, or by other terminology used in the art.
  • WTRU wireless transmit/ receive unit
  • the remote units 105 may communicate directly with one or more of the cellular base units 121 in the 3GPP access network 120 via uplink (“UL”) and downlink (“DL”) communication signals. Furthermore, the UL and DL communication signals may be carried over the 3GPP communication links 123. Similarly, the remote units 105 may communicate with one or more access points 131 in the non-3GPP access network(s) 130 via UL and DL communication signals carried over the non-3GPP communication links 133.
  • the access networks 120 and 130 are intermediate networks that provide the remote units 105 with access to the mobile core network 140.
  • a remote unit 105 may have multiple network interfaces, each one using either a 3GPP access (e.g., 5G radio access) or a non-3GPP access (e.g., WLAN radio access, satellite radio access, etc.).
  • a remote unit 105 transfers data traffic via a network connection between the remote unit 105 and the mobile core network 140, such as a PDU session, which is established either over 3GPP access or non-3GPP access.
  • a PDU session which is established over both 3GPP access and non-3GPP access is referred to as a “multi-access” PDU session.
  • the remote unit 105 may offload data traffic directly over a non-3GPP access network, e.g., to a local server instance.
  • the remote units 105 may communicate with a remote host 155 via a network connection with the mobile core network 140.
  • a mobile application (e.g., web browser, media client, telephone/VoIP application), mobile application client 109, in the remote unit 105 may trigger the remote unit 105 to establish a PDU session (or other data connection) with the mobile core network 140 using the 5G-RAN 115 (e.g., a 3GPP access network 120 and/or a non-3GPP access network 130).
  • the mobile core network 140 then relays traffic between the remote unit 105 and the data network 150 (e.g., remote host 155) using the PDU session.
  • the PDU session represents a logical connection between the remote unit 105 and the UPF 141. In order to establish the PDU session, the remote unit 105 must be registered with the mobile core network.
  • Each PDU session is essentially a virtual data connection between the UE and the mobile communication network that is explicitly established by the UE.
  • the PDU session has certain attributes negotiated by the UE and the mobile communication network when the PDU session is established. These attributes remain the same throughout the lifetime of the PDU session.
  • a PDU session may be established via 3GPP access or via non-3GPP access.
  • the remote unit 105 may establish one or more PDU sessions (or other data connections) with the mobile core network 140. As such, the remote unit 105 may have at least one PDU session for communicating with the data network 150. The remote unit 105 may establish additional PDU sessions for communicating with other data network and/ or other remote hosts. The remote unit 105 may be configured with UE Route Selection Policy rules 110 for directing traffic of a mobile application to a specific PDU session.
  • the cellular base units 121 may be distributed over a geographic region.
  • a cellular base unit 121 may also be referred to as an access terminal, a base, a base station, a Node-B, an eNB, a gNB, a Home Node-B, a relay node, a device, or by any other terminology used in the art.
  • the cellular base units 121 are generally part of a radio access network (“RAN”), such as the 3GPP access network 120, that may include one or more controllers communicably coupled to one or more corresponding cellular base units 121. These and other elements of radio access network are not illustrated but are well known generally by those having ordinary skill in the art.
  • the cellular base units 121 connect to the mobile core network 140 via the 3GPP access network 120.
  • the cellular base units 121 may serve a number of remote units 105 within a serving area, for example, a cell or a cell sector, via a 3GPP communication link 123.
  • the cellular base units 121 may communicate directly with one or more of the remote units 105 via communication signals.
  • the cellular base units 121 transmit DL communication signals to serve the remote units 105 in the time, frequency, and/or spatial domain.
  • the DL communication signals may be carried over the 3GPP communication links 123.
  • the 3GPP communication links 123 may be any suitable carrier in licensed or unlicensed radio spectrum.
  • the 3GPP communication links 123 facilitate communication between one or more of the remote units 105 and/or one or more of the cellular base units 121.
  • the non-3GPP access networks 130 may be distributed over a geographic region. Each non-3GPP access network 130 may serve a number of remote units 105 with a serving area. An access point 131 in a non-3GPP access network 130 may communicate directly with one or more remote units 105 by receiving UL communication signals and transmitting DL communication signals to serve the remote units 105 in the time, frequency, and/ or spatial domain. Both DL and UL communication signals are carried over the non-3GPP communication links 133.
  • the 3GPP communication links 123 and non-3GPP communication links 133 may employ different frequencies and/or different communication protocols.
  • An access point 131 may communicate using unlicensed radio spectrum.
  • the mobile core network 140 may provide services to a remote unit 105 via the non-3GPP access networks 130, as described in greater detail herein.
  • a non-3GPP access network 130 connects to the mobile core network 140 via an interworking function 135.
  • the interworking function 135 provides interworking between the remote unit 105 and the mobile core network 140.
  • the interworking function 135 may be a Non-3GPP Interworking Function (“N3IWF”) or a Trusted Non-3GPP Gateway Function (“TNGF”).
  • N3IWF supports the connection of "untrusted" non-3GPP access networks to the mobile core network (e.g., 5GC), whereas the TNGF supports the connection of "trusted" non-3GPP access networks to the mobile core network.
  • the interworking function 135 supports connectivity to the mobile core network 140 via the “N2” and “N3” interfaces, and it relays “N1” signaling between the remote unit 105 and the AMF 143. Both the 3GPP access network 120 and the interworking function 135 communicate with the AMF 143 using a “N2” interface. The interworking function 135 also communicates with the UPF 141 using a “N3” interface.
  • a non-3GPP access network 130 may be controlled by an operator of the mobile core network 140 and may have direct access to the mobile core network 140. Such a non-3GPP AN deployment is referred to as a “trusted non-3GPP access network.”
  • a non-3GPP access network 130 is considered as “trusted” when it is operated by the 3GPP operator, or a trusted partner, and supports certain security features, such as strong air-interface encryption.
  • a non-3GPP AN deployment that is not controlled by an operator (or trusted partner) of the mobile core network 140 does not have direct access to the mobile core network 140, or does not support the certain security features is referred to as a “non-trusted” non-3GPP access network.
  • the mobile core network 140 may be a 5G core (“5GC”) or the evolved packet core (“EPC”), which may be coupled to a data network (e.g., the data network 150, such as the Internet and private data networks, among other data networks).
  • a remote unit 105 may have a subscription or other account with the mobile core network 140.
  • Each mobile core network 140 belongs to a single public land mobile network (“PLMN”).
  • PLMN public land mobile network
  • the mobile core network 140 includes several network functions (“NFs”). As depicted, the mobile core network 140 includes at least a UPF 141 that serves the 3GPP access network 120 and the non-3GPP access network 130. Note that in certain arrangements, the mobile core network may contain one or more intermediate UPFs, for example a first intermediate UPF that serves the non-3GPP access network 130 and the second intermediate UPF that serves the 3GPP access network 120. The UPF 141 would be an anchor UPF receiving UP traffic of both intermediate UPFs.
  • NFs network functions
  • the mobile core network 140 also includes multiple control plane functions including, but not limited to, an Access and Mobility Management Function (“AMF”) 143 that serves both the 3GPP access network 120 and the non-3GPP access network 130, a Session Management Function (“SMF”) 145, a Policy Control Function (“PCF”) 147, and a Unified Data Management function (“UDM”) 149.
  • the mobile core network 140 may also include an Authentication Server Function (“AUSF”), a Network Repository Function (“NRF”) (used by the various NFs to discover and communicate with each other over APIs), or other NFs defined for the 5GC.
  • AUSF Authentication Server Function
  • NRF Network Repository Function
  • the mobile core network 140 supports different types of mobile data connections and different types of network slices, wherein each mobile data connection utilizes a specific network slice.
  • a “network slice” refers to a portion of the mobile core network 140 optimized for a certain traffic type or communication service.
  • Each slice may be identified using a S-NSSAI.
  • the various network slices may include separate instances of network functions, such as the SMF 145 and UPF 141.
  • the different network slices may share some common network functions, such as the AMF 143.
  • the different network slices are not shown in Fig. 1 for ease of illustration, but their support is assumed.
  • Although specific numbers and types of network functions are depicted in Figure 1, one of skill in the art will recognize that any number and type of network functions may be included in the mobile core network 140. Moreover, where the mobile core network 140 is an EPC, the depicted network functions may be replaced with appropriate EPC entities, such as an MME, S-GW, P-GW, HSS, and the like.
  • a remote unit 105 may connect to the mobile core network (e.g., to a 5G mobile communication network) via two types of accesses: (1) via the 3GPP access network 120, which uses a 3GPP-defined type of wireless communication (e.g., NG-RAN), and (2) via a non-3GPP access network 130, which uses a non-3GPP-defined type of wireless communication (e.g., WLAN).
  • the 5G-RAN 115 refers to any type of 5G access network that can provide access to the mobile core network 140, including the 3GPP access network 120 and the non-3GPP access network 130.
  • a 5G-capable UE may have a plurality of URSP rules, each one containing a traffic descriptor component and a route selection descriptor component.
  • the route selection descriptor component identifies the data connection that must be used to transmit the traffic that matches the traffic descriptor component.
  • a data connection is identified with a set of data connection parameters, wherein a data connection parameter can identify (a) the name of the external data network (e.g., Data Network Name) reachable via the data connection, (b) a network slice utilized by the data connection (e.g., identified by a S-NSSAI), (c) the radio access network type utilized by the data connection (e.g., 3GPP access or non-3GPP access), (d) the IP type utilized by the data connection (e.g., IPv4 or IPv6), (e) the session and service continuity type (“SSC type”) provided by the data connection, etc.
  • Figure 1 depicts components of a 5G RAN and a 5G core network
  • the described solutions apply to other types of communication networks and RATs, including IEEE 802.11 variants, GSM, GPRS, UMTS, LTE variants, CDMA 2000, Bluetooth, ZigBee, Sigfox, and the like.
  • the AMF 143 may be mapped to an MME
  • the SMF 145 may be mapped to a control plane portion of a PGW and/or to an MME
  • the UPF 141 may be mapped to an SGW and a user plane portion of the PGW
  • the UDM/UDR 149 may be mapped to an HSS, etc.
  • the operations are described mainly in the context of 5G systems, the proposed solutions/methods are also equally applicable to other mobile communication systems supporting a data connection selection based on digital certificate information.
  • the UE communicates with a mobile communication network (e.g. 5G network) comprising a radio access network (e.g. 5G-RAN 115) and a core network (e.g. 5G core network 140).
  • the radio access network can comprise multiple types of radio access networks, e.g. 3GPP access network 120 and non-3GPP access network 130.
  • the mobile communication network supports a plurality of data connections (PDU Sessions), each data connection utilizing a set of data connection parameters.
  • a data connection parameter can identify (a) the name of the external data network (Data Network Name, DNN) reachable via the data connection, such as the data network 150, (b) a network slice utilized by the data connection (S-NSSAI), (c) the radio access network type utilized by the data connection (3GPP access or non-3GPP access), (d) the IP type utilized by the data connection (e.g. IPv4 or IPv6), (e) the session and service continuity type (SSC type) provided by the data connection, etc.
  • the data connection 125 utilizes a 3GPP access network type
  • the data connection 135 utilizes a non-3GPP access network type.
  • the UE may have one or multiple data connections with the mobile communication network.
  • the UE has a plurality of URSP rules stored in a memory, each one containing a traffic descriptor component and a route selection descriptor component (as per TS 23.503 v17.3.0).
  • the route selection descriptor component indicates the data connection parameters that must be used to transmit the traffic that matches the traffic descriptor component.
  • the URSP rules map the different traffic flows generated in the UE into different data connections, each one utilizing different data connection parameters.
  • Every UE application installed on the UE is signed with a unique digital certificate, which typically contains a validity period, the publisher of the application, the public key of the publisher, etc.
  • Before the application is published (e.g. to a mobile marketplace), it is cryptographically signed by using the private key of the publisher, which is a unique key only known by the publisher.
  • the generated digital signature and the digital certificate that can be used to validate the authenticity of the application are both included in the application package, which can be published and distributed.
  • the mobile OS in the UE uses the public key and the cryptographic algorithms contained in the embedded digital certificate to validate the authenticity of the application, i.e. to confirm that the application was signed by the corresponding private key that only the publisher knows. If this validation is successful, then the UE knows that the application is authentic, i.e. it has not been modified in any way. It also knows the name of the application publisher.
  • a hash from the genuine application information can be provided within the URSP rule.
  • the UE compares this fingerprint with the ones of the applications installed. Since any change in the application or in the certificate will result in a different fingerprint, the UE can authenticate the application when the fingerprint information matches.
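  The fingerprint comparison described above, as an added example that is not part of the patent text or any 3GPP specification. It models the digital certificate information as a hash over the certificate fields, the application identity, its signature, its build number and the store it came from (the inputs the description lists), and shows that changing any one of them changes the digest, so a modified application no longer matches the rule. The field layout, the JSON encoding and the sample values are assumptions; real signature verification against the publisher's public key is left to the mobile OS and is not modelled here.

```python
"""Application fingerprint check for URSP rule matching (added example).

Not code from the patent: the record layout, the JSON canonicalisation and
the sample certificate and application values below are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AppCertificate:
    """Fields a signing certificate typically carries (a real one is X.509 DER)."""
    publisher: str
    public_key_hex: str
    not_before: str  # ISO-8601 with UTC offset, e.g. "2023-01-01T00:00:00+00:00"
    not_after: str


@dataclass(frozen=True)
class InstalledApp:
    app_id: str
    build_number: int
    signature_hex: str  # publisher's signature over the package (constructed value)
    store: str          # marketplace the package was obtained from
    certificate: AppCertificate


def certificate_valid_at(cert: AppCertificate, when: datetime) -> bool:
    """Refuse to trust a fingerprint built from a certificate outside its validity period."""
    return (datetime.fromisoformat(cert.not_before)
            <= when <= datetime.fromisoformat(cert.not_after))


def fingerprint(app: InstalledApp, algorithm: str = "sha256") -> str:
    """Hash over every field of the application and its certificate.

    Any change to the application, its certificate or its build number changes
    the digest, which is what lets the UE detect a modified application.
    `algorithm` is any name hashlib knows, e.g. "sha1", "sha256", "sha3_256".
    """
    material = json.dumps(asdict(app), sort_keys=True, separators=(",", ":")).encode()
    return hashlib.new(algorithm, material).hexdigest()


def matches_rule(app: InstalledApp, rule_fingerprint: str,
                 algorithm: str = "sha256", now: Optional[datetime] = None) -> bool:
    """True only if the certificate is currently valid and the digest carried in
    the URSP rule equals the digest of the installed application."""
    now = now or datetime.now(timezone.utc)
    if not certificate_valid_at(app.certificate, now):
        return False
    # Constant-time comparison so the check does not leak how many leading
    # characters of the rule's fingerprint matched.
    return hmac.compare_digest(fingerprint(app, algorithm), rule_fingerprint)


# Constructed sample data: a genuine installation and a copy with one field changed.
GENUINE_CERT = AppCertificate(
    publisher="Example Ltd",
    public_key_hex="3059301306072a8648ce3d020106082a8648ce3d030107034200" + "00" * 65,
    not_before="2023-01-01T00:00:00+00:00",
    not_after="2026-01-01T00:00:00+00:00",
)
GENUINE_APP = InstalledApp(
    app_id="com.example.mail", build_number=42,
    signature_hex="a1" * 64, store="example-store", certificate=GENUINE_CERT,
)
TAMPERED_APP = replace(GENUINE_APP, build_number=43)   # only the build number differs
CHECK_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)    # inside the validity period
EXPIRED_TIME = datetime(2027, 1, 1, tzinfo=timezone.utc)  # after not_after


if __name__ == "__main__":
    rule_fp = fingerprint(GENUINE_APP)  # what the network would place in the URSP rule
    print("genuine matches rule :", matches_rule(GENUINE_APP, rule_fp, now=CHECK_TIME))
    print("tampered matches rule:", matches_rule(TAMPERED_APP, rule_fp, now=CHECK_TIME))
    print("expired certificate  :", matches_rule(GENUINE_APP, rule_fp, now=EXPIRED_TIME))
```

The validity-period check matters because the rule's fingerprint alone says nothing about whether the certificate is still current; a UE that only compares digests would keep routing traffic for an application whose signing certificate has expired.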
  • FIG. 2 depicts a user equipment apparatus 200 that may be used for implementing the methods described herein.
  • the user equipment apparatus 200 is used to implement one or more of the solutions described above.
  • the user equipment apparatus 200 may be a remote unit 105, a UE 805 or a UE 905 as described herein.
  • the user equipment apparatus 200 includes a processor 205, a memory 210, an input device 215, an output device 220, and a transceiver 225.
  • the input device 215 and the output device 220 may be combined into a single device, such as a touchscreen.
  • the user equipment apparatus 200 does not include any input device 215 and/or output device 220.
  • the user equipment apparatus 200 may include one or more of: the processor 205, the memory 210, and the transceiver 225, and may not include the input device 215 and/or the output device 220.
  • the transceiver 225 includes at least one transmitter 230 and at least one receiver 235.
  • the transceiver 225 may communicate with one or more cells (or wireless coverage areas) supported by one or more base units.
  • the transceiver 225 may be operable on unlicensed spectrum.
  • the transceiver 225 may include multiple UE panels supporting one or more beams.
  • the transceiver 225 may support at least one network interface 240 and/or application interface 245.
  • the application interface(s) 245 may support one or more APIs.
  • the network interface(s) 240 may support 3GPP reference points, such as Uu, N1, PC5, etc. Other network interfaces 240 may be supported, as understood by one of ordinary skill in the art.
  • the processor 205 may include any known controller capable of executing computer-readable instructions and/or capable of performing logical operations.
  • the processor 205 may be a microcontroller, a microprocessor, a central processing unit (“CPU”), a graphics processing unit (“GPU”), an auxiliary processing unit, a field programmable gate array (“FPGA”), or similar programmable controller.
  • the processor 205 may execute instructions stored in the memory 210 to perform the methods and routines described herein.
  • the processor 205 is communicatively coupled to the memory 210, the input device 215, the output device 220, and the transceiver 225.
  • the processor 205 may control the user equipment apparatus 200 to implement the above-described UE behaviors.
  • the processor 205 may include an application processor (also known as “main processor”) which manages application-domain and operating system (“OS”) functions and a baseband processor (also known as “baseband radio processor”) which manages radio functions.
  • the memory 210 may be a computer readable storage medium.
  • the memory 210 may include volatile computer storage media.
  • the memory 210 may include a RAM, including dynamic RAM (“DRAM”), synchronous dynamic RAM (“SDRAM”), and/or static RAM (“SRAM”).
  • the memory 210 may include non-volatile computer storage media.
  • the memory 210 may include a hard disk drive, a flash memory, or any other suitable non-volatile computer storage device.
  • the memory 210 may include both volatile and non-volatile computer storage media.
  • the memory 210 may store data related to implementing a traffic category field as described above.
  • the memory 210 may also store program code and related data, such as an operating system or other controller algorithms operating on the apparatus 200.
  • the input device 215 may include any known computer input device including a touch panel, a button, a keyboard, a stylus, a microphone, or the like.
  • the input device 215 may be integrated with the output device 220, for example, as a touchscreen or similar touch-sensitive display.
  • the input device 215 may include a touchscreen such that text may be input using a virtual keyboard displayed on the touchscreen and/or by handwriting on the touchscreen.
  • the input device 215 may include two or more different devices, such as a keyboard and a touch panel.
  • the output device 220 may be designed to output visual, audible, and/or haptic signals.
  • the output device 220 may include an electronically controllable display or display device capable of outputting visual data to a user.
  • the output device 220 may include, but is not limited to, a Liquid Crystal Display (“LCD”), a Light- Emitting Diode (“LED”) display, an Organic LED (“OLED”) display, a projector, or similar display device capable of outputting images, text, or the like to a user.
  • the output device 220 may include a wearable display separate from, but communicatively coupled to, the rest of the user equipment apparatus 200, such as a smart watch, smart glasses, a heads-up display, or the like.
  • the output device 220 may be a component of a smart phone, a personal digital assistant, a television, a tablet computer, a notebook (laptop) computer, a personal computer, a vehicle dashboard, or the like.
  • the output device 220 may include one or more speakers for producing sound.
  • the output device 220 may produce an audible alert or notification (e.g., a beep or chime).
  • the output device 220 may include one or more haptic devices for producing vibrations, motion, or other haptic feedback. All, or portions, of the output device 220 may be integrated with the input device 215.
  • the input device 215 and output device 220 may form a touchscreen or similar touch-sensitive display.
  • the output device 220 may be located near the input device 215.
  • the transceiver 225 communicates with one or more network functions of a mobile communication network via one or more access networks.
  • the transceiver 225 operates under the control of the processor 205 to transmit messages, data, and other signals and also to receive messages, data, and other signals.
  • the processor 205 may selectively activate the transceiver 225 (or portions thereof) at particular times in order to send and receive messages.
  • the transceiver 225 includes at least one transmitter 230 and at least one receiver 235.
  • the one or more transmitters 230 may be used to provide UL communication signals to a base unit of a wireless communications network.
  • the one or more receivers 235 may be used to receive DL communication signals from the base unit.
  • the user equipment apparatus 200 may have any suitable number of transmitters 230 and receivers 235.
  • the transmitter(s) 230 and the receiver(s) 235 may be any suitable type of transmitters and receivers.
  • the transceiver 225 may include a first transmitter/receiver pair used to communicate with a mobile communication network over licensed radio spectrum and a second transmitter/receiver pair used to communicate with a mobile communication network over unlicensed radio spectrum.
  • the first transmitter/ receiver pair may be used to communicate with a mobile communication network over licensed radio spectrum and the second transmitter/ receiver pair used to communicate with a mobile communication network over unlicensed radio spectrum may be combined into a single transceiver unit, for example a single chip performing functions for use with both licensed and unlicensed radio spectrum.
  • the first transmitter/receiver pair and the second transmitter/receiver pair may share one or more hardware components.
  • certain transceivers 225, transmitters 230, and receivers 235 may be implemented as physically separate components that access a shared hardware resource and/or software resource, such as for example, the network interface 240.
  • One or more transmitters 230 and/or one or more receivers 235 may be implemented and/or integrated into a single hardware component, such as a multi-transceiver chip, a system-on-a-chip, an Application-Specific Integrated Circuit (“ASIC”), or other type of hardware component.
  • One or more transmitters 230 and/or one or more receivers 235 may be implemented and/or integrated into a multi-chip module.
  • transmitters 230 and/or receivers 235 may be integrated with any number of transmitters 230 and/or receivers 235 into a single chip.
  • the transmitters 230 and receivers 235 may be logically configured as a transceiver 225 that uses one or more common control signals or as modular transmitters 230 and receivers 235 implemented in the same hardware chip or in a multi-chip module.
  • FIG. 3 depicts further details of the network node 300 that may be used for implementing the methods described herein.
  • the network node 300 may be one implementation of an entity in the wireless communications network.
  • the network node 300 may be a cellular base station 121, an access point 131, or a mobile communication network 830, 930 as described herein.
  • the network node 300 includes a controller 305, a memory 310, an input device 315, an output device 320, and a transceiver 325.
  • the input device 315 and the output device 320 may be combined into a single device, such as a touchscreen.
  • the network node 300 does not include any input device 315 and/or output device 320.
  • the network node 300 may include one or more of: the controller 305, the memory 310, and the transceiver 325, and may not include the input device 315 and/or the output device 320.
  • the transceiver 325 includes at least one transmitter 330 and at least one receiver 335.
  • the transceiver 325 communicates with one or more remote units 200.
  • the transceiver 325 may support at least one network interface 340 and/or application interface 345.
  • the application interface(s) 345 may support one or more APIs.
  • the network interface(s) 340 may support 3GPP reference points, such as Uu, N1, N2 and N3. Other network interfaces 340 may be supported, as understood by one of ordinary skill in the art.
  • the controller 305 may include any known controller capable of executing computer-readable instructions and/or capable of performing logical operations.
  • the controller 305 may be a microcontroller, a microprocessor, a CPU, a GPU, an auxiliary processing unit, a FPGA, or similar programmable controller.
  • the controller 305 may execute instructions stored in the memory 310 to perform the methods and routines described herein.
  • the controller 305 is communicatively coupled to the memory 310, the input device 315, the output device 320, and the transceiver 325.
  • the memory 310 may be a computer readable storage medium.
  • the memory 310 may include volatile computer storage media.
  • the memory 310 may include a RAM, including dynamic RAM (“DRAM”), synchronous dynamic RAM (“SDRAM”), and/or static RAM (“SRAM”).
  • the memory 310 may include non-volatile computer storage media.
  • the memory 310 may include a hard disk drive, a flash memory, or any other suitable non-volatile computer storage device.
  • the memory 310 may include both volatile and non-volatile computer storage media.
  • the memory 310 may store data related to establishing a multipath unicast link and/or mobile operation.
  • the memory 310 may store parameters, configurations, resource assignments, policies, and the like, as described above.
  • the memory 310 may also store program code and related data, such as an operating system or other controller algorithms operating on the network node 300.
  • the input device 315 may include any known computer input device including a touch panel, a button, a keyboard, a stylus, a microphone, or the like.
  • the input device 315 may be integrated with the output device 320, for example, as a touchscreen or similar touch-sensitive display.
  • the input device 315 may include a touchscreen such that text may be input using a virtual keyboard displayed on the touchscreen and/or by handwriting on the touchscreen.
  • the input device 315 may include two or more different devices, such as a keyboard and a touch panel.
  • the output device 320 may be designed to output visual, audible, and/or haptic signals.
  • the output device 320 may include an electronically controllable display or display device capable of outputting visual data to a user.
  • the output device 320 may include, but is not limited to, an LCD display, an LED display, an OLED display, a projector, or similar display device capable of outputting images, text, or the like to a user.
  • the output device 320 may include a wearable display separate from, but communicatively coupled to, the rest of the network node 300, such as a smart watch, smart glasses, a heads-up display, or the like.
  • the output device 320 may be a component of a smart phone, a personal digital assistant, a television, a tablet computer, a notebook (laptop) computer, a personal computer, a vehicle dashboard, or the like.
  • the output device 320 may include one or more speakers for producing sound.
  • the output device 320 may produce an audible alert or notification (e.g., a beep or chime).
  • the output device 320 may include one or more haptic devices for producing vibrations, motion, or other haptic feedback. All, or portions, of the output device 320 may be integrated with the input device 315.
  • the input device 315 and output device 320 may form a touchscreen or similar touch-sensitive display.
  • the output device 320 may be located near the input device 315.
  • the transceiver 325 includes at least one transmitter 330 and at least one receiver 335.
  • the one or more transmitters 330 may be used to communicate with the UE, as described herein.
  • the one or more receivers 335 may be used to communicate with network functions in the PLMN and/or RAN, as described herein.
  • the network node 300 may have any suitable number of transmitters 330 and receivers 335.
  • the transmitter(s) 330 and the receiver(s) 335 may be any suitable type of transmitters and receivers.
  • the apparatus may be the apparatus 200, comprising a processor 205 and a transceiver 225.
  • the processor 205 is arranged to determine that the first application has been updated.
  • the transceiver 225 is arranged, in response to determining that the first application has been updated, to send a policy provisioning request and, as a result thereof, receive an updated route selection policy rule, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the processor 205 is further arranged to execute the updated first application, and to apply the updated route selection policy rule to traffic associated with the updated first application.
  • Such an apparatus 200 thus uses a route selection policy rule that is linked to the first application by way of digital certificate information in a manner which accommodates updates to the first application being issued and installed at the apparatus 200.
  • the updated first application is the first application after the update has been applied thereto.
  • the updated first application may have a build number that is greater than that of the first application.
  • the apparatus 200 may be a mobile communications device.
  • the apparatus 200 may be a user equipment.
  • the processor 205 may be further arranged to execute the first application.
  • the processor 205 may be further arranged to determine that an update to the first application has been performed based on the digital certificate information of the updated first application being different to the digital certificate information identified by a route selection policy rule saved at the apparatus.
  • the processor 205 may be further arranged to determine that an update to the first application has been performed when the updated first application is executed.
  • the processor 205 may be further arranged to determine that an update to the first application has been performed when the updated first application is executed and requests a data connection.
  • the apparatus 200 including a processor 205 and a transceiver 225 may be arranged as follows.
  • the processor 205 may be arranged to perform an update to a first application installed on the apparatus, the first application signed with a digital certificate, and the updated first application signed with an updated digital certificate.
  • the processor 205 may be further arranged to execute the updated first application, and, upon the updated first application requesting a data connection, the processor 205 may be further arranged to determine that an update to the first application has been performed based on the digital certificate information of the updated first application being different to the digital certificate information identified by a route selection policy rule saved at the apparatus and associated with the first application.
  • the transceiver 225 may be arranged, in response to the determination that the first application has been updated, to send a policy provisioning request and, as a result thereof, receive an updated route selection policy rule, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the processor 205 may be further arranged to apply the updated route selection policy rule to traffic associated with the updated first application.
  • the digital certificate information may comprise the output of a hash function with the input of one or more of the following parameters: certificate, application, application signature, build number, trusted application store.
  • the hash function may comprise any of SHA-1, SHA-2, SHA-3.
  • the processor 205 may be further arranged to apply the updated route selection policy rule to traffic associated with the updated first application by determining the identity of the application that sent a request for traffic to be carried by a network connection.
  • the processor 205 may be further arranged to apply the updated route selection policy rule to traffic associated with the updated first application by matching an application identifier associated with the updated route selection policy rule to the identity of the first updated application when the first updated application sends a request for traffic to be carried by a network connection.
  • the processor 205 may be arranged to apply an updated route selection policy rule to traffic associated with an updated application by matching an application identifier associated with the updated route selection policy rule to the identity of the updated application. This matching may be performed when the updated application sends a request for traffic to be carried by a network connection.
  • the processor 205 is further arranged to verify whether the updated digital certificate information identified by the updated route selection policy rule matches the digital certificate information associated with the updated first application.
  • the processor 205 may be arranged to apply an updated route selection policy rule to traffic associated with an updated application by matching an application identifier and digital certificate information associated with the updated route selection policy rule to the identity of the updated application and the digital certificate associated therewith. This matching may be performed when the updated application sends a request for traffic to be carried by a network connection.
  • the updated first application may have a different build number to the first application.
  • the digital certificate information may include a build number of the first application.
  • the updated digital certificate information may include a build number of the updated first application.
  • the processor 205 may determine that an update to the first application has been performed based on the build number of the digital certificate information of the updated first application being different to a build number of the digital certificate information identified by a route selection policy rule saved at the apparatus 200.
  • the processor 205 may be further arranged to determine that an update to the first application has been performed based on the build number of the digital certificate information of the updated first application being greater than a build number of the digital certificate information identified by a route selection policy rule saved at the apparatus.
  • the policy provisioning request may comprise an identity of the updated first application and a build number of the updated first application.
  • Figure 4 illustrates a method 400 in an apparatus, the method for updating route selection policy rules.
  • the apparatus may be a remote unit 105, user equipment apparatus 200, a UE 805 or a UE 905.
  • the method comprises performing 410 an update to a first application installed on the apparatus, the first application signed with a digital certificate.
  • the method further comprises determining 420 that the first application has been updated.
  • the method further comprises, in response to determining that the first application has been updated, sending 420 a policy provisioning request and, as a result thereof, receiving 430 an updated route selection policy rule, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the method further comprises executing 440 the updated first application.
  • the method further comprises applying 450 the updated route selection policy rule to traffic associated with the updated first application.
  • the method 400 thus provides a route selection policy rule that is linked to the first application by way of digital certificate information in a manner which accommodates updates to the first application being issued and installed at the apparatus.
  • the updated first application is the first application after the update has been applied thereto.
  • the updated first application may have a build number that is greater than that of the first application.
  • the apparatus may be a mobile communications device.
  • the apparatus may be a user equipment.
  • the method may further comprise executing the first application.
  • Determining that an update to the first application has been performed may be based on the digital certificate information of the updated first application being different to the digital certificate information identified by a route selection policy rule saved at the apparatus.
  • the determination that an update to the first application has been performed may be made when the updated first application is executed.
  • the determination that an update to the first application has been performed may be made when the updated first application is executed and requests a data connection.
  • an alternative method in an apparatus comprising: performing an update to a first application installed on the apparatus, the first application signed with a digital certificate, and the updated first application signed with an updated digital certificate.
  • the method further comprises executing the updated first application, and, upon the updated first application requesting a data connection, determining that an update to the first application has been performed based on the digital certificate information of the updated first application being different to the digital certificate information identified by a route selection policy rule saved at the apparatus and associated with the first application; the method further comprises, in response to determining that the first application has been updated, sending a policy provisioning request and, as a result thereof, receiving an updated route selection policy rule, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the method further comprises applying the updated route selection policy rule to traffic associated with the updated first application.
  • the digital certificate information comprises the output of a hash function with the input of one or more of the following parameters: certificate, application, application signature, build number, trusted application store.
  • the hash function may comprise any of SHA-1, SHA-2, SHA-3.
  • the method 400 may further comprise applying the updated route selection policy rule to traffic associated with the updated first application by determining the identity of the application that sent a request for traffic to be carried by a network connection.
  • the method 400 may further comprise applying the updated route selection policy rule to traffic associated with the updated first application by matching an application identifier associated with the updated route selection policy rule to the identity of the first updated application when the first updated application sends a request for traffic to be carried by a network connection.
  • the method may comprise applying an updated route selection policy rule to traffic associated with an updated application by matching an application identifier associated with the updated route selection policy rule to the identity of the updated application. This matching may be performed when the updated application sends a request for traffic to be carried by a network connection.
  • the method 400 may further comprise verifying whether the updated digital certificate information identified by the updated route selection policy rule matches the digital certificate information associated with the updated first application.
  • the method may comprise applying an updated route selection policy rule to traffic associated with an updated application by matching an application identifier and digital certificate information associated with the updated route selection policy rule to the identity of the updated application and the digital certificate associated therewith. This matching may be performed when the updated application sends a request for traffic to be carried by a network connection.
  • the updated first application may have a different build number to the first application.
  • the digital certificate information may include a build number of the first application.
  • the updated digital certificate information may include a build number of the updated first application.
  • the method 400 may further comprise determining that an update to the first application has been performed based on the build number of the digital certificate information of the updated first application being different to a build number of the digital certificate information identified by a route selection policy rule saved at the apparatus.
  • Determining that an update to the first application has been performed may be based on the build number of the digital certificate information of the updated first application being greater than a build number of the digital certificate information identified by a route selection policy rule saved at the apparatus.
  • the policy provisioning request may comprise an identity of the updated first application and a build number of the updated first application.
  • a network node arranged to communicate with a user equipment, wherein a first application is installed on the user equipment, the first application being signed with a first digital certificate.
  • the network node may be a cellular base station 121, an access point 131, a network node 300, or a mobile communication network 830, 930.
  • the network node 300 comprises a transceiver 325 arranged to receive from the user equipment a policy provisioning request, and as a result thereof, send an updated route selection policy rule to the user equipment, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the network node thus applies a route selection policy rule that is linked to the first application by way of digital certificate information in a manner which accommodates updates to the first application being issued and installed at the user equipment.
  • Figure 5 illustrates a method 500 in a network node, the method for updating a route selection policy rule.
  • the network node may be a cellular base station 121, an access point 131, a network node 300, or a mobile communication network 830, 930.
  • the network node is arranged to communicate with a user equipment, wherein a first application is installed on the user equipment, the first application being signed with a first digital certificate.
  • the method 500 comprises receiving 510 from the user equipment a policy provisioning request, and as a result thereof, sending 520 an updated route selection policy rule to the user equipment, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the method 500 may provide a route selection policy rule that is linked to the first application by way of digital certificate information in a manner which accommodates updates to the first application being issued and installed at the user equipment.
  • a network node comprising a processor and a transceiver.
  • the network node may be a cellular base station 121, an access point 131, a network node 300, a mobile communication network 830, 930.
  • the processor is arranged to determine an update is available for a first application, wherein the first application is signed with a first digital certificate.
  • the transceiver is arranged to communicate with the user equipment, wherein in response to the processor determining an update is available for a first application, the transceiver is arranged to send an updated route selection policy rule to the user equipment, the updated route selection policy rule identifying the updated first application and including an updated digital certificate information.
  • the updated route selection policy rule is arranged to be applied by the user equipment to traffic associated with the updated first application.
  • the network node thus applies a route selection policy rule that is linked to the first application by way of digital certificate information in a manner which accommodates updates to the first application being issued and installed at the user equipment.
  • the network node may be a policy control function.
  • the updated first application is the first application after the update has been applied thereto.
  • the updated first application may have a build number that is greater than that of the first application.
  • the network node may determine the first application has an available update from an indication given by an application source.
  • the application source may be a third-party application store, or a network operator, for example.
  • the network node may be arranged to poll the application source for first application update availability. The polling may be periodic.
  • the network node may be arranged to poll for updates being made available for a plurality of applications. Alternatively, the network node may subscribe to updates to one or a plurality of applications from the application source and may retrieve the updated information from the application source when it becomes available.
  • the plurality of applications may be some or all of the applications for which the network node has at least one route selection policy rule that identifies said application.
  • the digital certificate information comprises the output of a hash function with the input of one or more of the following parameters: certificate, application, application signature, build number, trusted application store.
  • the hash function may comprise any of SHA-1, SHA-2, SHA-3.
  • the updated first application may have a different build number to the first application.
  • the updated digital certificate information may include a build number of the updated first application.
  • the processor may be arranged to determine an update to the first application is available based on a build number of the digital certificate information of the updated first application being different to a build number of the digital certificate information identified by a route selection policy rule saved at the apparatus.
  • the processor may determine an update to the first application is available based on the build number of the digital certificate information of the updated first application being greater than a build number of the digital certificate information identified by a route selection policy rule saved at the apparatus.
  • the request for an updated route selection policy rule may comprise an identity of the updated first application and a build number of the updated first application.
  • Figure 6 illustrates a method 600 in a network node, the method for updating a route selection policy rule.
  • the network node may be a cellular base station 121, an access point 131, a network node 300, a mobile communication network 830, or a mobile communication network 930.
  • the method 600 comprises determining 610 an update is available for a first application, the first application being signed with a first digital certificate.
  • the method 600 further comprises in response to determining an update is available for a first application, sending 620 an updated route selection policy rule to the user equipment, the updated route selection policy rule identifying the updated first application and including an updated digital certificate information.
  • the updated route selection policy rule is arranged to be applied by the user equipment to traffic associated with the updated first application.
  • the method 600 thus provides a route selection policy rule that is linked to the first application by way of digital certificate information in a manner which accommodates updates to the first application being issued and installed at the user equipment.
  • the method may further comprise determining the first application has an available update from an indication given by an application source.
  • the application source may be a third-party application store, or a network operator, for example.
  • the method may comprise polling the application source for first application update availability.
  • the polling may be periodic.
  • the method may comprise polling for updates being made available for a plurality of applications.
  • the method may comprise subscribing to updates to one or a plurality of applications from the application source and retrieving the updated information from the application source when it becomes available.
  • the plurality of applications may be some or all of the applications for which the network node has at least one route selection policy rule that identifies said application.
  • the digital certificate information may comprise the output of a hash function with the input of one or more of the following parameters: certificate, application, application signature, build number, trusted application store.
  • the hash function may comprise any of SHA-1, SHA-2, SHA-3.
  • the updated first application may have a different build number to the first application.
  • the updated digital certificate information may include a build number of the updated first application.
  • the method may further comprise determining an update to the first application is available based on a build number of the digital certificate information of the updated first application being different to a build number of the digital certificate information identified by a route selection policy rule saved at the apparatus.
  • Determining an update to the first application is available may be based on the build number of the digital certificate information of the updated first application being greater than a build number of the digital certificate information identified by a route selection policy rule saved at the apparatus.
  • the request for an updated route selection policy rule may comprise an identity of the updated first application and a build number of the updated first application.
  • an apparatus comprising a transceiver and a processor.
  • the apparatus may be a remote unit 105, user equipment apparatus 200, a UE 805 or a UE 905.
  • the transceiver is arranged to receive an updated route selection policy rule from a network node, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the processor is arranged to execute the updated first application and apply the updated route selection policy rule to traffic associated with the updated first application.
  • a route selection policy rule may be saved in a memory of the apparatus. If an installed application is updated, or an updated version of the application is installed in the absence of the non-updated version of the application having been installed, then the route selection policy rule saved at the apparatus may include digital certificate information that does not match the updated application.
  • the apparatus described herein thus applies a route selection policy rule that is linked to the first application by way of digital certificate information in a manner which accommodates updates to the first application being issued.
  • the apparatus may be a user equipment.
  • the network node may be a policy control function.
  • the updated first application is the first application after the update has been applied thereto.
  • the updated first application may have a build number that is greater than that of the first application.
  • the apparatus may be a mobile communications device.
  • the digital certificate information comprises the output of a hash function with the input of one or more of the following parameters: certificate, application, application signature, build number, trusted application store.
  • the hash function may comprise any of SHA-1, SHA-2, SHA-3.
  • the processor may be further arranged to update the first application in response to the transceiver receiving an updated route selection policy rule from a network node, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the processor may be further arranged to determine whether the first application is installed on the apparatus, and if it is installed, then to initiate an update of the first application.
  • the first application may be identified as the updated first application in the updated route selection policy rule.
  • the updated first application may have a different build number to the first application.
  • the updated digital certificate information may include a build number of the updated first application.
  • the processor may be further arranged to determine an update to the first application is available based on a build number of the digital certificate information identified by the received route selection policy rule being greater than a build number of the first application.
  • the processor may be further arranged to initiate retrieval of an update to the first application and install the updated first application on the apparatus.
  • Figure 7 illustrates a method 700 in an apparatus, the method for updating a route selection policy rule.
  • the apparatus may be a remote unit 105, user equipment apparatus 200, a UE 805 or a UE 905.
  • the method 700 comprises receiving 710 an updated route selection policy rule from a network node, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the method 700 further comprises executing 720 the updated first application; and applying 730 the updated route selection policy rule to traffic associated with the updated first application.
  • the method thus provides for the application of a route selection policy rule that is linked to the first application by way of digital certificate information in a manner which accommodates updates to the first application being issued and installed at the apparatus.
  • a route selection policy rule may be saved in a memory of the apparatus. If an installed application is updated, or an updated version of the application is installed in the absence of the non-updated version of the application having been installed, then the route selection policy rule saved at the apparatus may include digital certificate information that does not match the updated application.
  • the apparatus may be a user equipment.
  • the network node may be a policy control function.
  • the updated first application is the first application after the update has been applied thereto.
  • the updated first application may have a build number that is greater than that of the first application.
  • the apparatus may be a mobile communications device.
  • the digital certificate information may comprise the output of a hash function with the input of one or more of the following parameters: certificate, application, application signature, build number, trusted application store.
  • the hash function may comprise any of SHA-1, SHA-2, SHA-3.
  • the method may further comprise updating the first application in response to receiving an updated route selection policy rule from a network node, the updated route selection policy rule identifying the updated first application and an updated digital certificate information.
  • the method may further comprise determining whether the first application is installed on the apparatus, and if it is installed, initiating an update of the first application.
  • the first application may be identified as the updated first application in the updated route selection policy rule.
  • the updated first application may have a different build number to the first application.
  • the updated digital certificate information may include a build number of the updated first application.
  • the determination that an update to the first application is available may be based on a build number of the digital certificate information identified by the received route selection policy rule being greater than a build number of the first application.
  • the processor may be further arranged to initiate retrieval of an update to the first application and install the updated first application on the apparatus.
  • Figure 8 illustrates a method of updating a route selection policy rule in response to an application being updated at a user equipment.
  • Figure 8 illustrates a UE 805 and a mobile communication network 830.
  • the UE 805 comprises a first application 810 signed with a first digital certificate, a plurality of route selection policy rules 815, a mobile operating system 820 and a transceiver 825.
  • the plurality of route selection policy rules 815 may comprise URSP rules.
  • the transceiver 825 is arranged to communicate with the mobile communication network 830.
  • the first application 810 has a specific application build number.
  • the first application 810 is cryptographically signed with a private key that corresponds to the public key in the first digital certificate, and the public key in the first digital certificate can be used to validate the authenticity of the application of that specific build number.
  • the first application 810 in the UE 805 is updated to another build number.
  • the corresponding digital certificate information is changed compared to the previous version of the first application 810.
  • the digital certificate information may be the output of a hash function (e.g. SHA-1, SHA-2, SHA-3) with the input of one or more of the following parameters: certificate, application, application signature, build number, or trusted application store.
  • the mobile OS 820 in the UE 805 receives a request to send a data packet.
  • a component outside the mobile OS 820 may receive this request, e.g. another application in the UE 805 or a component in a modem of the UE 805.
  • the mobile OS 820 determines a first application identity used by a first application, i.e. determines the identity of the application that sent the request, e.g. “com.example.first-app”.
  • the request may contain the build number of the first application 810.
  • the mobile OS 820 finds a first URSP rule 815 in the UE 805 matching the first application identity.
  • the following example URSP rule 815 matches the first application identity because it contains a traffic descriptor with an application identity equal to the first application identity “com.example.first-app”.
  • Certificate fingerprint SHA-1: d7268d869be7d87cb797e8f7449bf24
  • the mobile OS 820 determines that the first URSP rule 815 contains digital certificate information, e.g. a certificate fingerprint and the corresponding application build number.
  • a certificate fingerprint consists of a value that uniquely identifies a digital certificate and the application build and the hash function used to generate this value, e.g.
  • Certificate fingerprint SHA-1 (contents of a digital certificate, application signature, application, build number), where SHA-1 is the hash function.
  • the digital certificate information is contained in the traffic descriptor component of the URSP rule and consists of a certificate fingerprint. Besides a certificate fingerprint, the first URSP rule can contain other types of digital certificate information, e.g. the publisher name or application build number.
  • the mobile OS 820 determines whether the first application 810 matches the digital certificate information contained in the traffic descriptor component of the URSP rule 815. For example, when the first digital certificate associated with the first application 810 contains a certificate fingerprint (e.g.
  • the mobile OS 820 uses the hash function in this certificate fingerprint and the contents of the first digital certificate to generate a hash value. If this hash value is equal to the certificate fingerprint value in the URSP rule, then the UE 805 determines that the first application 810 matches the digital certificate information contained in the traffic descriptor component of the URSP rule 815.
  • the first application matches the digital certificate information when the publisher name in the first URSP rule is the same as the publisher name in the first digital certificate associated with the installed first application 810.
  • the mobile OS 820 detects that the first application 810 was updated based on the change of the build number and the corresponding mismatch of the digital certificate information.
  • the mobile OS 820 sends a URSP Update Request to the mobile communication network 830 (e.g. the PCF thereof); the request contains the application identity and the updated build number.
  • the mobile communication network 830 fetches the digital certificate information for the updated build number of the first application 810 and provides it back to the mobile OS 820 in an updated URSP rule 815 for that application identity with the new build number and the new digital certificate information.
  • the URSP rule contains, in addition to the existing (previous) build number and digital certificate information, the updated digital certificate information and the updated build number as new entries within the URSP rule 815.
  • the mobile OS 820 updates the URSP rule 815 with the digital certificate information for the updated build number of the updated first application.
  • the URSP rule 815 then contains, in addition to the existing build number and digital certificate information, the updated digital certificate information and the updated build number.
  • the mobile OS 820 applies the first URSP rule 815 to select a first set of data connection parameters upon determining that the first application matches the digital certificate information.
  • when the mobile OS 820 applies the first URSP rule 815, it selects the data connection parameters (access type, DNN, etc.) in the route selection descriptor of the first URSP rule 815. If the first application 810 does not match the digital certificate information in the first URSP rule 815, then the first URSP rule 815 is not applied and the UE 805 attempts to find another URSP rule 815 that matches the first application identity (i.e. step 873 is executed again).
  • the mobile OS 820 transmits the data packet for the first application 810 via a data connection using the first set of data connection parameters.
  • Figure 9 illustrates a method of updating a route selection policy rule in response to an application being updated at a user equipment.
  • Figure 9 illustrates a UE 905 and a mobile communication network 930.
  • the UE 905 comprises a first application 910 signed with a first digital certificate, a plurality of route selection policy rules 915, a mobile operating system 920 and a transceiver 925.
  • the plurality of route selection policy rules 915 may comprise URSP rules.
  • the transceiver 925 is arranged to communicate with the mobile communication network 930.
  • the procedure is executed in a mobile communication network 930 that contains updated digital certificate information of an updated first application 910 having a specific build number.
  • the mobile communication network 930 detects that a first application 910, which is subject to be controlled with URSP rules 915, has an available update, e.g. in the operator or 3rd-party application store.
  • the mobile communication network fetches the updated information of the application, i.e. the new build number and the new digital certificate information.
  • the digital certificate information may be the output of a hash function (e.g. SHA-1, SHA-2, SHA-3) with the input of one or more of the following parameters: certificate, application, application signature, build number, trusted application store.
  • the mobile communication network identifies the UEs subject to the URSP rule 915 of that particular application identity and provides to the mobile OS 920 an updated URSP rule 915 for that application identity with the new build number and the new digital certificate information.
  • the URSP rule 915 contains, in addition to the existing (previous) build number and digital certificate information, the updated digital certificate information and the updated build number as new entries.
  • the mobile OS 920 updates the URSP rule 915 accordingly with the digital certificate information for the updated build number of the first application 910.
  • the URSP rule 915 then contains, in addition to the existing build number and digital certificate information, the updated digital certificate information and the updated build number.
  • the mobile OS 920 acknowledges the URSP rule update.
  • the mobile OS 920 sends an Update request to the first application identified with the application identity.
  • alternatively, the mobile OS does not send an update request and just stores the updated URSP rule until the updated first application sends a request for data transmission. Until then, the previous active build number and digital certificate information are kept as the active setting.
  • the first application 910 is updated either automatically or after the first application 910 is executed and requests a data connection from the mobile OS 920.
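The UE-side matching and update-request flow of Figure 8 and the network-initiated rule push of Figure 9, as an added worked example in Python. This is illustrative code written for this page, not code from the patent or from Lenovo. It assumes SHA-256 as the fingerprint hash, placeholder byte strings standing in for certificate contents and application signatures, a constructed `app_store` dictionary standing in for the trusted application store the network fetches certificate information from, and a length-prefixed concatenation of the hash inputs (the page lists the inputs but does not fix how they are combined). Rule entries are keyed by build number, so previous entries stay in the rule alongside the new one, as the page describes.

```python
"""Toy model of URSP traffic-descriptor matching on certificate fingerprint and
build number: the UE-detected update flow of Figure 8 and the network push of
Figure 9. Names, byte strings and the hash choice are constructed for the example."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class App:
    app_id: str       # application identity, e.g. "com.example.first-app"
    build: int        # application build number
    cert: bytes       # signing certificate contents (constructed stand-in for DER)
    signature: bytes  # signature over the application package (constructed)


def fingerprint(hash_name: str, app: App) -> str:
    """Digital certificate information: a hash over certificate contents, application
    signature and build number, so the value is specific to one build of one app."""
    h = hashlib.new(hash_name)
    for part in (app.cert, app.signature, str(app.build).encode()):
        h.update(len(part).to_bytes(4, "big") + part)  # length prefix: no field ambiguity
    return h.hexdigest()


@dataclass
class UrspRule:
    app_id: str                                       # traffic descriptor: app identity
    hash_name: str                                    # hash function named in the fingerprint
    cert_entries: dict = field(default_factory=dict)  # build number -> fingerprint value
    rsd: dict = field(default_factory=dict)           # route selection descriptor


def find_rule(rules: list, app_id: str):
    return next((r for r in rules if r.app_id == app_id), None)


def rule_matches(rule: UrspRule, app: App) -> bool:
    return rule.cert_entries.get(app.build) == fingerprint(rule.hash_name, app)


def update_detected(rule: UrspRule, app: App) -> bool:
    """Mismatch AND a build number greater than every stored one means the app was
    updated. A mismatch at an already-known build is not an update (bad package)."""
    return not rule_matches(rule, app) and app.build > max(rule.cert_entries, default=0)


# ---- network side (e.g. the PCF) ----
def network_updated_rule(rule: UrspRule, app_id: str, build: int, app_store: dict):
    """Fetch the certificate information for `build` from the trusted app store and
    return a rule with the new entry added and previous entries kept; None if the
    store has never published that build, so unknown builds never get an entry."""
    published = app_store.get((app_id, build))
    if published is None:
        return None
    entries = dict(rule.cert_entries)
    entries[build] = fingerprint(rule.hash_name, published)
    return UrspRule(rule.app_id, rule.hash_name, entries, dict(rule.rsd))


# ---- UE side (mobile OS), Figure 8: the app requests a data connection ----
def ue_select_route(rules: list, app: App, app_store: dict):
    """Return (route selection descriptor or None, rule list after any update)."""
    rule = find_rule(rules, app.app_id)
    if rule is None:
        return None, rules
    if rule_matches(rule, app):
        return rule.rsd, rules
    if update_detected(rule, app):
        request = {"app_id": app.app_id, "build": app.build}  # URSP Update Request
        updated = network_updated_rule(rule, request["app_id"], request["build"], app_store)
        if updated is not None and rule_matches(updated, app):
            return updated.rsd, [updated if r is rule else r for r in rules]
    return None, rules  # rule not applied; the UE would try another rule for this app id


def demo() -> dict:
    cert = b"constructed-publisher-cert"
    v1 = App("com.example.first-app", 1, cert, b"sig-of-build-1")
    v2 = App("com.example.first-app", 2, cert, b"sig-of-build-2")
    app_store = {(v1.app_id, 1): v1, (v2.app_id, 2): v2}      # what the store published
    rsd = {"access_type": "3GPP", "dnn": "internet"}
    rule = UrspRule(v1.app_id, "sha256", {1: fingerprint("sha256", v1)}, rsd)
    out = {}
    out["v1"], rules = ue_select_route([rule], v1, app_store)     # matches stored entry
    out["v2"], rules = ue_select_route(rules, v2, app_store)      # update request flow
    out["entries"] = sorted(rules[0].cert_entries)                # old entry kept: [1, 2]
    out["fake"], _ = ue_select_route(rules, App(v2.app_id, 2, cert, b"wrong-sig"), app_store)
    out["unknown"], _ = ue_select_route(rules, App(v2.app_id, 3, cert, b"sig-3"), app_store)
    # Figure 9: the network sees build 2 in the store first and pushes the updated rule;
    # the previous entry stays active until the app itself is updated.
    pushed = network_updated_rule(rule, v2.app_id, 2, app_store)
    out["pushed_v1"], _ = ue_select_route([pushed], v1, app_store)
    out["pushed_v2"], _ = ue_select_route([pushed], v2, app_store)
    return out
```

Two checks in `demo()` go slightly beyond the page's own steps and are worth keeping in a real implementation: a package whose build number is already known to the rule but whose fingerprint does not match is not treated as an update (no URSP Update Request is sent, and the rule is simply not applied), and a build number the application store has never published gets no new rule entry from the network, so the "greater build number" signal alone cannot talk the network into provisioning a fingerprint for an unverified package.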
  • Using a certificate fingerprint based on the application identity has the disadvantage that the same publisher may use the same certificate for other applications, so the fingerprint of that certificate would be the same for those applications and thus is not 100% unique. If the fingerprint were extended to also include, or only use, the signature of the application so as to be unique to the application build as well, then a genuine application would be identified as malicious once the application in the UE is updated and the signature in the rule no longer matches.
  • the proposed method may also take the signature and, for example, the build number into account; the certificate fingerprint is then specific to a version/build number of the application. For that reason any change/update of the application, and thus in the certificate fingerprint, may trigger an update of the corresponding URSP rule.
  • the application may be updated in the UE, the mobile OS detects the update and requests a new certificate fingerprint corresponding to the updated application version.
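The trade-off in the two preceding items, as an added example in Python (illustrative code for this page, not the patent's or Lenovo's): a rule keyed on the certificate alone accepts any application the same publisher signed, while a rule keyed on certificate, signature and build number singles out one build but then rejects the genuine application after an update until the rule entry is refreshed. The byte strings are constructed stand-ins for certificate and signature contents, SHA-256 is assumed as the hash, and the length-prefixed combination of inputs is an assumption.

```python
"""Certificate-only fingerprint vs. build-specific fingerprint: the false-accept and
false-reject cases described on the page, with constructed stand-in byte strings."""
import hashlib


def cert_fingerprint(cert: bytes, hash_name: str = "sha256") -> str:
    """Hash of the certificate contents only: identical for every app the publisher signs."""
    return hashlib.new(hash_name, cert).hexdigest()


def build_fingerprint(cert: bytes, signature: bytes, build: int, hash_name: str = "sha256") -> str:
    """Hash over certificate, application signature and build number: one value per build."""
    h = hashlib.new(hash_name)
    for part in (cert, signature, str(build).encode()):
        h.update(len(part).to_bytes(4, "big") + part)  # length prefix: no field ambiguity
    return h.hexdigest()


def rule_accepts(rule_fp: str, mode: str, cert: bytes, signature: bytes, build: int) -> bool:
    """Match an installed app against the fingerprint stored in a rule, in either mode."""
    if mode == "cert-only":
        return rule_fp == cert_fingerprint(cert)
    return rule_fp == build_fingerprint(cert, signature, build)


def compare() -> dict:
    publisher_cert = b"constructed-publisher-cert"
    first_v1 = (b"sig-first-app-build-1", 1)
    first_v2 = (b"sig-first-app-build-2", 2)   # the same app after an update
    other_app = (b"sig-other-app-build-7", 7)  # a different app signed with the same certificate

    cert_rule = cert_fingerprint(publisher_cert)               # rule for first app, cert-only
    build_rule = build_fingerprint(publisher_cert, *first_v1)  # rule for first app, build 1
    refreshed_rule = build_fingerprint(publisher_cert, *first_v2)  # entry provisioned after update
    return {
        # not unique: the cert-only rule accepts the other app from the same publisher
        "cert_only_accepts_other_app": rule_accepts(cert_rule, "cert-only", publisher_cert, *other_app),
        # build-specific rule tells the apps apart ...
        "build_rejects_other_app": not rule_accepts(build_rule, "build", publisher_cert, *other_app),
        # ... but rejects the genuine app once it is updated ...
        "build_rejects_genuine_update": not rule_accepts(build_rule, "build", publisher_cert, *first_v2),
        # ... until the rule carries the entry for the new build
        "refreshed_accepts_update": rule_accepts(refreshed_rule, "build", publisher_cert, *first_v2),
    }
```

The last two results together are the reason the page's procedure provisions a new rule entry for each build rather than dropping the certificate binding: without the refresh, a build-specific fingerprint turns every legitimate update into a failed match.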
  • an apparatus which may comprise a UE, the apparatus comprising: a transceiver; and a processor coupled to the transceiver, the processor and the transceiver configured to cause the apparatus to: perform an update of a first application; generate a first request message to establish an application session with an application server on another apparatus, the first request message including an application identifier corresponding to the updated first application, a build number identifying the version of the updated first application and digital certificate information of the updated first application; transmit, to the mobile operating system, the first request message; determine at the mobile OS that, corresponding to the application identifier, an URSP rule is available matching the application identifier; detect that the build number information received from the first application does not match the build number and digital certificate information stored in the URSP rule, matching the application identifier; generate a second (URSP rule) request message to the mobile communication network, including an application identifier corresponding to the updated first application and a build number identifying the version of the updated first application; receive, from the mobile
  • the mobile communication network detects the availability of a new version of an application, subject to URSP rules and pushes the new certificate fingerprint to the UE.
  • the UE may use the previous certificate fingerprint until the application is updated to the new version.
  • an apparatus which may comprise a UE, the apparatus comprising: a transceiver; and a processor coupled to the transceiver, the processor and the transceiver configured to cause the apparatus to: receive, from the mobile communication network, a first request message including an (URSP rule with an) application identifier corresponding to an updated first application, a build number identifying the version of the updated first application and digital certificate information of the updated first application; store the updated URSP rule corresponding to the application identifier; generate a response message to the mobile communication network, including an application identifier corresponding to the updated first application (and a build number identifying the version of the updated first application), acknowledging the update of the URSP rule; generate a second request message to the first application identified with the application identifier to indicate that an update is available; perform an update of the first application.
  • a first request message including an (URSP rule with an) application identifier corresponding to an updated first application, a build number identifying the version of the updated first application and digital certificate information of the updated
  • the method may also be embodied in a set of instructions, stored on a computer readable medium, which when loaded into a computer processor, Digital Signal Processor (DSP) or similar, causes the processor to carry out the hereinbefore described methods.
  • DSP Digital Signal Processor

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to an apparatus comprising a processor and a transceiver. The processor is arranged to perform an update on a first application installed on the apparatus, the first application being signed with a digital certificate. The processor is further arranged to determine that the first application has been updated. The transceiver is arranged, in response to determining that the first application has been updated, to send a policy provisioning request and, as a result thereof, to receive an updated route selection policy rule, the updated route selection policy rule identifying the updated first application and updated digital certificate information. The processor is further arranged to execute the updated first application and to apply the updated route selection policy rule to traffic associated with the updated first application.
PCT/EP2022/056350 2022-02-04 2022-03-11 Updating route selection policy rules containing digital certificate information WO2023147888A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GR20220100116 2022-02-04

Publications (1)

Publication Number Publication Date
WO2023147888A1 true WO2023147888A1 (fr) 2023-08-10

Family

ID=81074154

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/056350 WO2023147888A1 (fr) 2022-02-04 2022-03-11 Updating route selection policy rules containing digital certificate information

Country Status (1)

Country Link
WO (1) WO2023147888A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020037666A1 (fr) * 2018-08-24 2020-02-27 Nokia Technologies Oy Configuration of route selection policies
WO2021155494A1 (fr) * 2020-02-04 2021-08-12 Qualcomm Incorporated Certificate-based application descriptors for network slice selection
WO2021164125A1 (fr) * 2020-02-21 2021-08-26 北京紫光展锐通信技术有限公司 Session creation method and associated device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
3GPP TS 23.502
3GPP TS 23.503

Similar Documents

Publication Publication Date Title
US20230216852A1 (en) User authentication using connection information provided by a blockchain network
US20230262593A1 (en) Access network selection for a ue not supporting nas over non-3gpp access
US20230247704A1 (en) Multi-access data connection in a mobile network
US20210329541A1 (en) Determining a type of network connection from an os-specific connection capability
US20230269797A1 (en) Accessing a 5g network via a non-3gpp access network
US20230292130A1 (en) Encrypted traffic detection
US20220116769A1 (en) Notification in eap procedure
US20240056313A1 (en) Selecting a data connection based on digital certificate information
US20230136693A1 (en) Enabling roaming with authentication and key management for applications
WO2023147888A1 (fr) Updating route selection policy rules containing digital certificate information
WO2018170744A1 (fr) Storing and identifying UE context
US20240129723A1 (en) Key identification for mobile edge computing functions
WO2024088582A1 (fr) Integration of ambient devices into a wireless communication network
US20240114335A1 (en) Network security based on routing information
US20230199483A1 (en) Deriving a key based on an edge enabler client identifier
US20240098500A1 (en) Managing end-to-end data protection
WO2024088583A1 (fr) Transmission requirements of ambient devices in a wireless communication network
WO2024088552A1 (fr) Improving user plane function performance in a wireless communication network
WO2024027944A1 (fr) Method for selecting a non-3GPP access network in a wireless communication network
WO2022130065A1 (fr) Application registration with a network
WO2024088592A1 (fr) Establishing a multi-access data connection in a wireless communication system
EP4189994A1 (fr) Dynamic user equipment identifier allocation
WO2024088605A1 (fr) Providing wireless communication devices with authorization to communicate with ambient devices
WO2024088598A1 (fr) Network mapping of rule sections in a wireless communication network
WO2023274567A1 (fr) Establishing a trust relationship between an application entity and a wireless communication network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22714164

Country of ref document: EP

Kind code of ref document: A1