WO2024088552A1 - Improving user plane function performance in a wireless communication network - Google Patents

Improving user plane function performance in a wireless communication network

Info

Publication number
WO2024088552A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
cipher suite
null
transceiver
remote device
Application number
PCT/EP2022/085159
Other languages
English (en)
Inventor
Andreas Kunz
Apostolis Salkintzis
Sheeba Backia Mary BASKARAN
Original Assignee
Lenovo (Singapore) Pte. Ltd.
Application filed by Lenovo (Singapore) Pte. Ltd.
Publication of WO2024088552A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/03 Protecting confidentiality, e.g. by encryption
    • H04W 12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H04W 12/037 Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic

Definitions

  • the subject matter disclosed herein relates generally to the field of improving user plane function performance in a wireless communication network.
  • This document defines an apparatus, e.g. a user plane function, and a method.
  • the QUIC protocol (more information regarding which may be found, for example, in IETF RFC 9000: "QUIC: A UDP-Based Multiplexed and Secure Transport”) may be used as a multipath protocol between a user equipment apparatus (UE) and a user plane function (UPF).
  • UE user equipment apparatus
  • UPF user plane function
  • the QUIC protocol may be used, for example, in solution #2.2 in TR 23.700-53, "Study on access traffic steering, switching and splitting support in the 5G system architecture; Phase 3", V1.1.0, Oct. 2022.
  • QUIC mandates Transport Layer Security (TLS) 1.3, IETF RFC 8446 "The Transport Layer Security (TLS) Protocol Version 1.3", for its handshake, so QUIC packets are encrypted and integrity protected with keys derived from that handshake (see also IETF RFC 9001 "Using TLS to Secure QUIC").
  • an apparatus comprising a transceiver and a processor coupled to the transceiver.
  • the processor and the transceiver are configured to cause the apparatus to: receive, from a network function on another apparatus, a security policy for a Protocol Data Unit, PDU, session; receive, from a remote device, a first message, the first message indicating supported cipher suites including a NULL cipher suite, the NULL cipher suite defining that no encryption, or no integrity protection, or a combination thereof is to be applied; select the NULL cipher suite based on the received security policy; and send, to the remote device, a second message, the second message indicating the selected NULL cipher suite.
  • the method comprises: receiving, by a transceiver, from a network function on another apparatus, a security policy for a Protocol Data Unit, PDU, session; receiving, by the transceiver, from a remote device, a first message, the first message indicating supported cipher suites including a NULL cipher suite, the NULL cipher suite defining that no encryption, or no integrity protection, or a combination thereof is to be applied; selecting, by a processor, the NULL cipher suite based on the received security policy; and sending, by the transceiver, to the remote device, a second message, the second message indicating the selected NULL cipher suite.
  • Figure 1 illustrates a wireless communication system in which methods and apparatus for improving UPF performance may be implemented.
  • Figure 2 depicts a user equipment apparatus that may be used for implementing the methods described herein.
  • Figure 3 depicts further details of the network node that may be used for implementing the methods described herein.
  • Figure 4 is a process flow chart showing a method for improving UPF performance in a wireless communication network.
  • Figure 5 illustrates a process flow chart showing certain steps of the method for performance by an apparatus, such as a UPF, in a wireless communication network.
  • aspects of this disclosure may be embodied as a system, apparatus, method, or program product. Accordingly, arrangements described herein may be implemented in an entirely hardware form, an entirely software form (including firmware, resident software, micro-code, etc.) or a form combining software and hardware aspects.
  • the disclosed methods and apparatus may be implemented as a hardware circuit comprising custom very-large-scale integration (“VLSI”) circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components.
  • VLSI very-large-scale integration
  • the disclosed methods and apparatus may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices, or the like.
  • the disclosed methods and apparatus may include one or more physical or logical blocks of executable code which may, for instance, be organized as an object, procedure, or function.
  • the methods and apparatus may take the form of a program product embodied in one or more computer readable storage devices storing machine readable code, computer readable code, and/ or program code, referred hereafter as code.
  • the storage devices may be tangible, non-transitory, and/ or non-transmission.
  • the storage devices may not embody signals. In certain arrangements, the storage devices only employ signals for accessing code.
  • the computer readable medium may be a computer readable storage medium.
  • the computer readable storage medium may be a storage device storing the code.
  • the storage device may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, holographic, micromechanical, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • More specific examples (a non-exhaustive list) of the storage device would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random-access memory ("RAM"), a read-only memory ("ROM"), an erasable programmable read-only memory ("EPROM" or Flash memory), a portable compact disc read-only memory ("CD-ROM"), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can contain, or store, a program for use by or in connection with an instruction execution system, apparatus, or device.
  • references throughout this specification to an example of a particular method or apparatus, or similar language means that a particular feature, structure, or characteristic described in connection with that example is included in at least one implementation of the method and apparatus described herein.
  • reference to features of an example of a particular method or apparatus, or similar language may, but do not necessarily, all refer to the same example, but mean “one or more but not all examples” unless expressly specified otherwise.
  • the terms “a”, “an”, and “the” also refer to “one or more”, unless expressly specified otherwise.
  • a list with a conjunction of “and/ or” includes any single item in the list or a combination of items in the list.
  • a list of A, B and/ or C includes only A, only B, only C, a combination of A and B, a combination of B and C, a combination of A and C or a combination of A, B and C.
  • a list using the terminology "one or more of" includes any single item in the list or a combination of items in the list.
  • one or more of A, B and C includes only A, only B, only C, a combination of A and B, a combination of B and C, a combination of A and C or a combination of A, B and C.
  • a list using the terminology "one of" includes one, and only one, of any single item in the list.
  • "one of A, B and C" includes only A, only B or only C and excludes combinations of A, B and C.
  • "a member selected from the group consisting of A, B, and C" includes one and only one of A, B, or C, and excludes combinations of A, B, and C.
  • "a member selected from the group consisting of A, B, and C and combinations thereof" includes only A, only B, only C, a combination of A and B, a combination of B and C, a combination of A and C or a combination of A, B and C.
  • the code may also be stored in a storage device that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the storage device produce an article of manufacture including instructions which implement the function/ act specified in the schematic flowchart diagrams and/or schematic block diagrams.
  • the code may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus, or other devices to produce a computer implemented process such that the code which executes on the computer or other programmable apparatus provides processes for implementing the functions /acts specified in the schematic flowchart diagrams and/ or schematic block diagram.
  • each block in the schematic flowchart diagrams and/or schematic block diagrams may represent a module, segment, or portion of code, which includes one or more executable instructions of the code for implementing the specified logical function(s).
  • Figure 1 depicts an embodiment of a wireless communication system in which methods and apparatus for improving UPF performance may be implemented.
  • the wireless communication system 100 includes remote units 102 and network units 104. Even though a specific number of remote units 102 and network units 104 are depicted in Figure 1, one of skill in the art will recognize that any number of remote units 102 and network units 104 may be included in the wireless communication system 100.
  • the remote units 102 may include computing devices, such as desktop computers, laptop computers, personal digital assistants (“PDAs”), tablet computers, smart phones, smart televisions (e.g., televisions connected to the Internet), set-top boxes, game consoles, security systems (including security cameras), vehicle onboard computers, network devices (e.g., routers, switches, modems), aerial vehicles, drones, or the like.
  • the remote units 102 include wearable devices, such as smartwatches, fitness bands, optical head-mounted displays, or the like.
  • the remote units 102 may be referred to as subscriber units, mobiles, mobile stations, users, terminals, mobile terminals, fixed terminals, subscriber stations, UE, user terminals, a device, or by other terminology used in the art.
  • the remote units 102 may communicate directly with one or more of the network units 104 via UL communication signals. In certain embodiments, the remote units 102 may communicate directly with other remote units 102 via sidelink communication.
  • the network units 104 may be distributed over a geographic region.
  • a network unit 104 may also be referred to as an access point, an access terminal, a base, a base station, a Node-B, an eNB, a gNB, a Home Node-B, a relay node, a device, a core network, an aerial server, a radio access node, an AT, NR, a network entity, an Access and Mobility Management Function ("AMF"), a Unified Data Management Function ("UDM"), a Unified Data Repository ("UDR"), a UDM/UDR, a Policy Control Function ("PCF"), a Radio Access Network ("RAN"), a Network Slice Selection Function ("NSSF"), an operations, administration, and management ("OAM"), a session management function ("SMF"), a user plane function ("UPF"), an application function, an authentication server function ("AUSF"), security anchor functionality ("SEAF"), trusted non-3GPP gateway function ("TNGF"), an application
  • the network units 104 are generally part of a radio access network that includes one or more controllers communicably coupled to one or more corresponding network units 104.
  • the radio access network is generally communicably coupled to one or more core networks, which may be coupled to other networks, like the Internet and public switched telephone networks, among other networks. These and other elements of radio access and core networks are not illustrated but are well known generally by those having ordinary skill in the art.
  • the wireless communication system 100 is compliant with New Radio (NR) protocols standardized in 3GPP, wherein the network unit 104 transmits using an Orthogonal Frequency Division Multiplexing (“OFDM”) modulation scheme on the downlink (DL) and the remote units 102 transmit on the uplink (UL) using a Single Carrier Frequency Division Multiple Access (“SC-FDMA”) scheme or an OFDM scheme.
  • OFDM Orthogonal Frequency Division Multiplexing
  • SC-FDMA Single Carrier Frequency Division Multiple Access
  • the wireless communication system 100 may implement some other open or proprietary communication protocol, for example, WiMAX, IEEE 802.11 variants, GSM, GPRS, UMTS, LTE variants, CDMA2000, Bluetooth®, ZigBee, Sigfox, among other protocols.
  • the network units 104 may serve a number of remote units 102 within a serving area, for example, a cell or a cell sector via a wireless communication link.
  • the network units 104 transmit DL communication signals to serve the remote units 102 in the time, frequency, and/ or spatial domain.
  • Figure 2 depicts a user equipment apparatus 200 that may be used for implementing the methods described herein.
  • the user equipment apparatus 200 is used to implement one or more of the solutions described herein.
  • the user equipment apparatus 200 is in accordance with one or more of the user equipment apparatuses described in embodiments herein.
  • the user equipment apparatus 200 may be in accordance with the remote units 102 of Figure 1.
  • the user equipment apparatus 200 includes a processor 205, a memory 210, an input device 215, an output device 220, and a transceiver 225.
  • the input device 215 and the output device 220 may be combined into a single device, such as a touchscreen.
  • the user equipment apparatus 200 does not include any input device 215 and/ or output device 220.
  • the user equipment apparatus 200 may include one or more of: the processor 205, the memory 210, and the transceiver 225, and may not include the input device 215 and/ or the output device 220.
  • the transceiver 225 includes at least one transmitter 230 and at least one receiver 235.
  • the transceiver 225 may communicate with one or more cells (or wireless coverage areas) supported by one or more base units.
  • the transceiver 225 may be operable on unlicensed spectrum.
  • the transceiver 225 may include multiple UE panels supporting one or more beams.
  • the transceiver 225 may support at least one network interface 240 and/ or application interface 245.
  • the application interface(s) 245 may support one or more APIs.
  • the network interface(s) 240 may support 3GPP reference points, such as Uu, N1, PC5, etc. Other network interfaces 240 may be supported, as understood by one of ordinary skill in the art.
  • the processor 205 may include any known controller capable of executing computer-readable instructions and/ or capable of performing logical operations.
  • the processor 205 may be a microcontroller, a microprocessor, a central processing unit (“CPU”), a graphics processing unit (“GPU”), an auxiliary processing unit, a field programmable gate array (“FPGA”), or similar programmable controller.
  • the processor 205 may execute instructions stored in the memory 210 to perform the methods and routines described herein.
  • the processor 205 is communicatively coupled to the memory 210, the input device 215, the output device 220, and the transceiver 225.
  • the processor 205 may control the user equipment apparatus 200 to implement the user equipment apparatus behaviors described herein.
  • the processor 205 may include an application processor (also known as “main processor”) which manages application-domain and operating system (“OS”) functions and a baseband processor (also known as “baseband radio processor”) which manages radio functions.
  • the memory 210 may be a computer readable storage medium.
  • the memory 210 may include volatile computer storage media.
  • the memory 210 may include a RAM, including dynamic RAM (“DRAM”), synchronous dynamic RAM (“SDRAM”), and/ or static RAM (“SRAM”).
  • the memory 210 may include non-volatile computer storage media.
  • the memory 210 may include a hard disk drive, a flash memory, or any other suitable non-volatile computer storage device.
  • the memory 210 may include both volatile and non-volatile computer storage media.
  • the memory 210 may store data related to implementing a traffic category field as described herein.
  • the memory 210 may also store program code and related data, such as an operating system or other controller algorithms operating on the apparatus 200.
  • the input device 215 may include any known computer input device including a touch panel, a button, a keyboard, a stylus, a microphone, or the like.
  • the input device 215 may be integrated with the output device 220, for example, as a touchscreen or similar touch-sensitive display.
  • the input device 215 may include a touchscreen such that text may be input using a virtual keyboard displayed on the touchscreen and/ or by handwriting on the touchscreen.
  • the input device 215 may include two or more different devices, such as a keyboard and a touch panel.
  • the output device 220 may be designed to output visual, audible, and/ or haptic signals.
  • the output device 220 may include an electronically controllable display or display device capable of outputting visual data to a user.
  • the output device 220 may include, but is not limited to, a Liquid Crystal Display (“LCD”), a Light- Emitting Diode (“LED”) display, an Organic LED (“OLED”) display, a projector, or similar display device capable of outputting images, text, or the like to a user.
  • LCD Liquid Crystal Display
  • LED Light- Emitting Diode
  • OLED Organic LED
  • the output device 220 may include a wearable display separate from, but communicatively coupled to, the rest of the user equipment apparatus 200, such as a smart watch, smart glasses, a heads-up display, or the like.
  • the output device 220 may be a component of a smart phone, a personal digital assistant, a television, a tablet computer, a notebook (laptop) computer, a personal computer, a vehicle dashboard, or the like.
  • the output device 220 may include one or more speakers for producing sound.
  • the output device 220 may produce an audible alert or notification (e.g., a beep or chime).
  • the output device 220 may include one or more haptic devices for producing vibrations, motion, or other haptic feedback. All, or portions, of the output device 220 may be integrated with the input device 215.
  • the input device 215 and output device 220 may form a touchscreen or similar touch-sensitive display.
  • the output device 220 may be located near the input device 215.
  • the transceiver 225 communicates with one or more network functions of a mobile communication network via one or more access networks.
  • the transceiver 225 operates under the control of the processor 205 to transmit messages, data, and other signals and also to receive messages, data, and other signals.
  • the processor 205 may selectively activate the transceiver 225 (or portions thereof) at particular times in order to send and receive messages.
  • the transceiver 225 includes at least one transmitter 230 and at least one receiver 235.
  • the one or more transmitters 230 may be used to provide uplink communication signals to a base unit of a wireless communication network.
  • the one or more receivers 235 may be used to receive downlink communication signals from the base unit.
  • the user equipment apparatus 200 may have any suitable number of transmitters 230 and receivers 235.
  • the transmitter(s) 230 and the receiver(s) 235 may be any suitable type of transmitters and receivers.
  • the transceiver 225 may include a first transmitter/receiver pair used to communicate with a mobile communication network over licensed radio spectrum and a second transmitter/receiver pair used to communicate with a mobile communication network over unlicensed radio spectrum.
  • the first transmitter/ receiver pair may be used to communicate with a mobile communication network over licensed radio spectrum and the second transmitter/ receiver pair used to communicate with a mobile communication network over unlicensed radio spectrum may be combined into a single transceiver unit, for example a single chip performing functions for use with both licensed and unlicensed radio spectrum.
  • the first transmitter/receiver pair and the second transmitter/receiver pair may share one or more hardware components.
  • certain transceivers 225, transmitters 230, and receivers 235 may be implemented as physically separate components that access a shared hardware resource and/ or software resource, such as for example, the network interface 240.
  • One or more transmitters 230 and/ or one or more receivers 235 may be implemented and/ or integrated into a single hardware component, such as a multitransceiver chip, a system-on-a-chip, an Application-Specific Integrated Circuit (“ASIC”), or other type of hardware component.
  • One or more transmitters 230 and/ or one or more receivers 235 may be implemented and/ or integrated into a multi-chip module.
  • Other components such as the network interface 240 or other hardware components/ circuits may be integrated with any number of transmitters 230 and/ or receivers 235 into a single chip.
  • the transmitters 230 and receivers 235 may be logically configured as a transceiver 225 that uses one more common control signals or as modular transmitters 230 and receivers 235 implemented in the same hardware chip or in a multi-chip module.
  • FIG. 3 depicts further details of the network node 300 that may be used for implementing the methods described herein.
  • the network node 300 may be one implementation of an entity in the wireless communication network, e.g. in one or more of the wireless communication networks described herein.
  • the network node 300 may be, for example, the UE 200 described above, or a Network Function (NF) or Application Function (AF), or another entity, of one or more of the wireless communications networks of embodiments described herein, e.g. the UPF 408 of Figure 4.
  • the network node 300 includes a processor 305, a memory 310, an input device 315, an output device 320, and a transceiver 325.
  • the input device 315 and the output device 320 may be combined into a single device, such as a touchscreen.
  • the network node 300 does not include any input device 315 and/ or output device 320.
  • the network node 300 may include one or more of: the processor 305, the memory 310, and the transceiver 325, and may not include the input device 315 and/ or the output device 320.
  • the transceiver 325 includes at least one transmitter 330 and at least one receiver 335.
  • the transceiver 325 communicates with one or more remote units 200.
  • the transceiver 325 may support at least one network interface 340 and/ or application interface 345.
  • the application interface(s) 345 may support one or more APIs.
  • the network interface(s) 340 may support 3GPP reference points, such as Uu, N1, N2 and N3. Other network interfaces 340 may be supported, as understood by one of ordinary skill in the art.
  • the processor 305 may include any known controller capable of executing computer-readable instructions and/ or capable of performing logical operations.
  • the processor 305 may be a microcontroller, a microprocessor, a CPU, a GPU, an auxiliary processing unit, a FPGA, or similar programmable controller.
  • the processor 305 may execute instructions stored in the memory 310 to perform the methods and routines described herein.
  • the processor 305 is communicatively coupled to the memory 310, the input device 315, the output device 320, and the transceiver 325.
  • the memory 310 may be a computer readable storage medium.
  • the memory 310 may include volatile computer storage media.
  • the memory 310 may include a RAM, including dynamic RAM (“DRAM”), synchronous dynamic RAM (“SDRAM”), and/ or static RAM (“SRAM”).
  • the memory 310 may include non-volatile computer storage media.
  • the memory 310 may include a hard disk drive, a flash memory, or any other suitable non-volatile computer storage device.
  • the memory 310 may include both volatile and non-volatile computer storage media.
  • the memory 310 may store data related to establishing a multipath unicast link and/ or mobile operation.
  • the memory 310 may store parameters, configurations, resource assignments, policies, and the like, as described herein.
  • the memory 310 may also store program code and related data, such as an operating system or other controller algorithms operating on the network node 300.
  • the input device 315 may include any known computer input device including a touch panel, a button, a keyboard, a stylus, a microphone, or the like.
  • the input device 315 may be integrated with the output device 320, for example, as a touchscreen or similar touch-sensitive display.
  • the input device 315 may include a touchscreen such that text may be input using a virtual keyboard displayed on the touchscreen and/ or by handwriting on the touchscreen.
  • the input device 315 may include two or more different devices, such as a keyboard and a touch panel.
  • the output device 320 may be designed to output visual, audible, and/ or haptic signals.
  • the output device 320 may include an electronically controllable display or display device capable of outputting visual data to a user.
  • the output device 320 may include, but is not limited to, an LCD display, an LED display, an OLED display, a projector, or similar display device capable of outputting images, text, or the like to a user.
  • the output device 320 may include a wearable display separate from, but communicatively coupled to, the rest of the network node 300, such as a smart watch, smart glasses, a heads-up display, or the like.
  • the output device 320 may be a component of a smart phone, a personal digital assistant, a television, a tablet computer, a notebook (laptop) computer, a personal computer, a vehicle dashboard, or the like.
  • the output device 320 may include one or more speakers for producing sound.
  • the output device 320 may produce an audible alert or notification (e.g., a beep or chime).
  • the output device 320 may include one or more haptic devices for producing vibrations, motion, or other haptic feedback. All, or portions, of the output device 320 may be integrated with the input device 315.
  • the input device 315 and output device 320 may form a touchscreen or similar touch-sensitive display.
  • the output device 320 may be located near the input device 315.
  • the transceiver 325 includes at least one transmitter 330 and at least one receiver 335.
  • the one or more transmitters 330 may be used to communicate with the UE, as described herein.
  • the one or more receivers 335 may be used to communicate with network functions in the PLMN and/ or RAN, as described herein.
  • the network node 300 may have any suitable number of transmitters 330 and receivers 335.
  • the transmitter(s) 330 and the receiver(s) 335 may be any suitable type of transmitters and receivers.
  • the present disclosure introduces a NULL cipher suite, e.g. for use in TLS 1.3.
  • the UE may indicate this capability to the UPF, e.g. in a TLS exchange when setting up the QUIC session.
  • the UPF can decide whether or not to use encryption for this session, taking into account the UP security policy of the AS layer (UE - gNB), i.e. whether UP integrity and/or confidentiality protection is activated there.
  • the SMF shall provide UP security policy for a PDU session to the ng-eNB/gNB during the PDU session establishment procedure as specified in TS 23.502.
  • the UP security policy shall indicate whether UP confidentiality and/ or UP integrity protection shall be activated or not for all Data Radio Bearers (DRB) belonging to that PDU session.
  • DRB Data Radio Bearers
  • the UP security policy shall be used to activate UP confidentiality and/or UP integrity for all DRBs belonging to the PDU session.
  • the security policy is made known to the UPF as well (received from the SMF for the PDU session), so that the UPF can decide whether to select the NULL cipher suite when the UE includes a NULL cipher suite in the TLS ClientHello for the QUIC session.
  • the TLS 1.3 protocol is profiled with the NULL cipher suite option for the ciphering and integrity protection algorithms.
  • the supported cipher suites listed in Appendix B.4 of RFC 8446 may be enhanced with a NULL suite, or an integrity-protection-only cipher suite of IETF RFC 9150 may be used, or IETF RFC 9150 may be enhanced to support a NULL cipher suite option.
  • a (symmetric) TLS 1.3 cipher suite defines the pair of the Authenticated Encryption with Associated Data (AEAD) algorithm and the hash algorithm to be used with the HMAC-based Extract-and-Expand Key Derivation Function (HKDF), where HMAC is the Hash-based Message Authentication Code.
  • Cipher suite names follow the naming convention of RFC 8446, appendix B.4: CipherSuite TLS_AEAD_HASH = VALUE;
  • This disclosure defines the following cipher suites for use with TLS 1.3.
  • the TLS 1.3 cipher suites are enhanced or expanded to include a NULL cipher suite, in particular the cipher suite TLS_NULL_NULL in this embodiment.
  • TLS_NULL_NULL: when using the cipher suite TLS_NULL_NULL, the data is not encrypted, and the message authentication code (MAC) size is zero, implying that no MAC is used. This is analogous to TLS_NULL_WITH_NULL_NULL in TLS 1.2 (IETF RFC 5246, “The Transport Layer Security (TLS) Protocol Version 1.2”), with the caveat that RFC 5246 defines that suite only as the initial state of a connection and forbids negotiating it; a negotiable TLS_NULL_NULL would therefore be a new code point that TLS 1.3 does not currently assign.
  • alternatively, a cipher suite such as those defined in IETF RFC 9150 “TLS 1.3 Authentication and Integrity-Only Cipher Suites”, clause 4 “Cryptographic Negotiation Using Integrity-Only Cipher Suites” (TLS_SHA256_SHA256 and TLS_SHA384_SHA384, which use HMAC for integrity but no encryption), can be used. That is to say, a cipher suite that provides no encryption but does provide integrity protection may be implemented as the NULL cipher suite.
  • the UE may include the NULL cipher suite in the Client Hello message to the UPF. The ClientHello structure carrying the list is defined in RFC 8446, section 4.1.2:

        uint16 ProtocolVersion;
        opaque Random[32];

        uint8 CipherSuite[2];    /* Cryptographic suite selector */

        struct {
            ProtocolVersion legacy_version = 0x0303;    /* TLS v1.2 */
            Random random;
            opaque legacy_session_id<0..32>;
            CipherSuite cipher_suites<2..2^16-2>;
            opaque legacy_compression_methods<1..2^8-1>;
            Extension extensions<8..2^16-1>;
        } ClientHello;
  • in the Server Hello message, the ServerHello.cipher_suite parameter indicates the single cipher suite selected by the UPF from the list in ClientHello.cipher_suites.
  • the UPF decides, based on the security policy of this PDU session, whether to select the NULL cipher suite or a different cipher suite (e.g. that provides encryption and integrity protection).
  • Figure 4 is a process flow chart showing an embodiment of a method 400 for improving UPF performance in a wireless communication network.
  • the method 400 illustrates the overall changes implemented to enable the NULL cipher suite for a QUIC session.
  • the method 400 may involve a UE 402, an SMF 404, a PCF 406, and a UPF 408.
  • the UE 402 may be the same as or in accordance with any of the UEs described herein.
  • the UE 402 may be the same as the UE 200 shown in Figure 2 and described in more detail earlier above.
  • the SMF 404, the PCF 406, and/ or the UPF 408 may be the same as or in accordance with any network entity, function, or node described herein.
  • the SMF 404, the PCF 406, and/ or the UPF 408 may be the same as the network node 300 shown in Figure 3 and described in more detail earlier above.
  • the UE 402 establishes a PDU session.
  • This PDU session may be established in any appropriate way, such as in accordance with the procedure presented in TS 23.502, clause 4.3.2.2.1.
  • the SMF 404 provides a security policy for the PDU Session to the UPF 408.
  • the UE 402 establishes a QUIC session.
  • This QUIC session may be established in any appropriate way, such as in accordance with the solution #2.2 in TR 23.700-53.
  • the UE 402 includes the NULL cipher suite (e.g. TLS_NULL_NULL) in the CipherSuite list of the Client Hello message.
  • a cipher suite such as that defined in IETF RFC 9150 "TLS 1.3 Authentication and Integrity-Only Cipher Suites”, in clause 4 “Cryptographic Negotiation Using Integrity-Only Cipher Suites” can be included in the CipherSuite list of the Client Hello message.
  • Such cipher suites may provide for no encryption, but may provide for integrity protection.
  • the UE 402 sends a Client Hello message including the NULL cipher suite in the CipherSuite list to the UPF 408.
  • the UPF 408 checks which value the security policy of the PDU session (received at step 412) is set to. The security policy relates to the encryption and/or integrity protection on the radio layer.
  • if the security policy is set to a first value (in this embodiment the value “required”, or an equivalent), security (e.g. encryption and/or integrity protection) over the radio is provided. The UPF 408 may then determine or infer that security is not needed on the application layer, since the communication is 3GPP internal between UE and UPF, and accordingly selects the NULL cipher suite from the CipherSuite list.
  • if the security policy is set to a second value (e.g. “preferred”), security on the application layer is optional, and the UPF 408 may either select the NULL cipher suite from the CipherSuite list or select a different cipher suite that provides encryption and integrity protection.
  • if the security policy is set to a third value (e.g. “not needed”), security on the radio layer is not provided. The UPF 408 may then determine or infer that security on the application layer should be provided, and accordingly selects, from the CipherSuite list, a cipher suite with encryption and integrity protection other than the NULL cipher suite.
  • the UPF 408 sends a Server Hello message with the selected cipher suite. If the UPF 408 selected the NULL cipher suite, then this may be included in the Server Hello message.
  • the Server Hello message may be sent from the UPF 408 to the UE 402.
  • the UE 402 and the UPF 408 can exchange messages. If the NULL cipher suite was selected, these exchanged messages may be unencrypted messages and/ or may include no integrity protection. Additional TLS messages may be exchanged between the UE 402 and the UPF 408.
  • an apparatus comprising a transceiver, and a processor coupled to the transceiver.
  • the processor and the transceiver are configured to cause the apparatus to: receive, from a network function on another apparatus (e.g. the SMF), a security policy for a PDU session; receive, from a remote device (e.g. a UE), a first message (e.g. the Client Hello message), the first message indicating, comprising, specifying, or defining supported cipher suites including a NULL cipher suite, the NULL cipher suite defining that no encryption, or no integrity protection, or a combination thereof is to be applied (e.g. in the application layer); select the NULL cipher suite based on the received security policy; and send, to the remote device, a second message (e.g. the Server Hello response message), the second message indicating, comprising, specifying, or defining the selected NULL cipher suite.
  • the processor and the transceiver may be further configured to cause the apparatus to, via the PDU session, send to and/or receive from the remote device one or more messages handled using the NULL cipher suite, i.e. without encryption and/or integrity protection in the application layer.
  • the first message may be a Client Hello message such as defined in TLS 1.3.
  • the second message may be a Server Hello response message, such as defined in TLS 1.3.
  • the first message and the second message may be sent between the apparatus and the remote device as part of a TLS handshake process, such as that defined by TLS 1.3.
  • the first message and the second message may be sent between the apparatus and the remote device as part of setting up a QUIC session between the apparatus and the remote device.
  • the NULL cipher suite may provide that no key exchange between the apparatus and the remote device is performed (e.g. in the application layer), i.e. it may define NULL key exchange.
  • the NULL cipher suite may provide that no authentication between the apparatus and the remote device is performed (e.g. in the application layer), i.e. it may define NULL authentication.
  • the NULL cipher suite may provide that no encryption of messages between the apparatus and the remote device is performed (e.g. in the application layer), i.e. it may define NULL encryption.
  • note that in TLS 1.3 (RFC 8446) a cipher suite selects only the AEAD and hash algorithms; key exchange and authentication are negotiated through separate extensions (e.g. supported_groups and signature_algorithms), so NULL key exchange or NULL authentication would require changes beyond defining a new cipher suite code point.
  • the processor and the transceiver may be further configured to cause the apparatus to select the NULL cipher suite in response to the received security policy specifying a first value.
  • the first value may indicate that security (e.g. protection, which may include encryption and/ or integrity protection) on a radio layer is required or mandatory.
  • the first value may be the value “required”.
  • the apparatus may determine or infer that protection, e.g. encryption and/ or integrity protection, on the application layer is not needed, since the communication is 3GPP internal between the UE and the UPF, and accordingly may select the NULL cipher suite.
  • the apparatus may be a User Plane Function, UPF, such as the UPF 408 described in more detail earlier above with reference to Figure 4.
  • the network function may be a Session Management Function, SMF, such as the SMF 404 described in more detail earlier above with reference to Figure 4.
  • the remote device may be a user equipment, UE, apparatus, such as the UE 402 described in more detail earlier above with reference to Figure 4, or the UE 200 described in more detail earlier above with reference to Figure 2.
  • FIG. 5 illustrates a process flow chart showing certain steps of the method 500 for performance by an apparatus in a wireless communication network.
  • the method 500 may be performed by a User Plane Function, UPF, such as the UPF 408 described in more detail earlier above with reference to Figure 4.
  • the method 500 may be performed by a processor executing program code, for example, a microcontroller, a microprocessor, a CPU, a GPU, an auxiliary processing unit, a FPGA, or the like.
  • the method 500 comprises: receiving 502, by a transceiver, from a network function on another apparatus (e.g. the SMF), a security policy for a PDU session; receiving 504, by the transceiver, from a remote device (e.g. the UE), a first message (e.g. the Client Hello message), the first message indicating, comprising, specifying, or defining supported cipher suites including a NULL cipher suite, the NULL cipher suite defining that no encryption, or no integrity protection, or a combination thereof is to be applied (e.g. in the application layer); selecting 506, by a processor, the NULL cipher suite based on the received security policy; and sending 508, by the transceiver, to the remote device, a second message (e.g. the Server Hello response message), the second message indicating, comprising, specifying, or defining the selected NULL cipher suite.
  • the method may further comprise sending to and/or receiving from 510 the remote device one or more messages via the PDU session, the one or more messages being handled using the NULL cipher suite, i.e. without application-layer encryption and/or integrity protection.
  • with security activated on the QUIC layer, the throughput of the UPF may be 3-4 times lower than when no security is activated on the QUIC layer.
  • the UPF is provisioned with the security policy of the PDU session and can decide, based on the security policy, whether to use NULL cipher suite to disable certain protections, or not.
  • Embodiments described herein introduce a NULL cipher suite, e.g. for TLS 1.3.
  • the UE may indicate this capability in the TLS exchange when setting up the QUIC session.
  • the UPF can decide whether to use encryption or not for the session, under consideration of the security policy for the AS layer (UE - gNB), i.e. UP protection (integrity and/ or confidentiality).
  • the method may also be embodied in a set of instructions, stored on a computer readable medium, which when loaded into a computer processor, Digital Signal Processor (DSP) or similar, causes the processor to carry out the hereinbefore described methods.
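The UPF-side selection described for Figure 4 (security policy at step 412, Client Hello at step 414, Server Hello at step 418), as an added example that is not part of the patent or of any 3GPP or IETF code: it encodes and parses the ClientHello cipher_suites vector of RFC 8446, applies the three-way policy decision to the client's list, and performs the UE-side check that the Server Hello names a suite the UE actually offered. TLS_NULL_NULL has no assigned code point, so the value 0xFF00 is a placeholder assumed only for this example; the policy value names "required", "preferred" and "not needed" are assumed to follow TS 33.501, of which the text above names only "required"; the RFC 8446 and RFC 9150 code points are the real ones. The function `negotiate` and the sample ClientHello list are constructed for the example.

```python
"""Model of the UPF-side cipher suite selection for a QUIC/TLS 1.3 session.

Added example; not code from the patent, 3GPP or the IETF.  Assumptions:
  * TLS_NULL_NULL has no IANA code point; 0xFF00 is a placeholder used here only.
  * UP security policy values follow TS 33.501 ("required", "preferred",
    "not needed"); the patent text itself names only "required".
"""
import struct

# Real code points: RFC 8446 appendix B.4 (AEAD suites) and RFC 9150 (integrity only).
TLS_AES_128_GCM_SHA256 = 0x1301
TLS_AES_256_GCM_SHA384 = 0x1302
TLS_CHACHA20_POLY1305_SHA256 = 0x1303
TLS_SHA256_SHA256 = 0xC0B4
TLS_SHA384_SHA384 = 0xC0B5
TLS_NULL_NULL = 0xFF00  # ASSUMPTION: placeholder value, not an assigned code point

# code point -> (name, confidentiality, integrity) at the TLS/QUIC layer
SUITES = {
    TLS_AES_128_GCM_SHA256: ("TLS_AES_128_GCM_SHA256", True, True),
    TLS_AES_256_GCM_SHA384: ("TLS_AES_256_GCM_SHA384", True, True),
    TLS_CHACHA20_POLY1305_SHA256: ("TLS_CHACHA20_POLY1305_SHA256", True, True),
    TLS_SHA256_SHA256: ("TLS_SHA256_SHA256", False, True),
    TLS_SHA384_SHA384: ("TLS_SHA384_SHA384", False, True),
    TLS_NULL_NULL: ("TLS_NULL_NULL", False, False),
}


def encode_cipher_suites(suites):
    """Serialise ClientHello.cipher_suites, a CipherSuite<2..2^16-2> vector
    (RFC 8446 section 4.1.2): 2-byte length, then 2 bytes per suite."""
    body = b"".join(struct.pack(">H", s) for s in suites)
    if not 2 <= len(body) <= 2**16 - 2:
        raise ValueError("cipher_suites length out of range")
    return struct.pack(">H", len(body)) + body


def decode_cipher_suites(buf):
    """Parse the vector on the UPF side; return (code points, remaining bytes).
    Rejects a short buffer or an odd length so the server never reads past the data."""
    if len(buf) < 2:
        raise ValueError("truncated cipher_suites length")
    (n,) = struct.unpack(">H", buf[:2])
    if n < 2 or n % 2 or len(buf) < 2 + n:
        raise ValueError("malformed cipher_suites vector")
    body = buf[2:2 + n]
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(0, n, 2)], buf[2 + n:]


def select_cipher_suite(up_policy, offered):
    """Map the PDU session's UP security policy (received from the SMF) to one
    suite from the client's list, in the client's preference order.  Returns
    None when nothing acceptable was offered; the UPF must then abort with a
    handshake_failure alert rather than fall back to a weaker suite."""
    known = [s for s in offered if s in SUITES]

    def first(pred):
        return next((s for s in known if pred(SUITES[s])), None)

    encrypting = first(lambda p: p[1] and p[2])
    integrity_only = first(lambda p: (not p[1]) and p[2])
    null = TLS_NULL_NULL if TLS_NULL_NULL in known else None

    if up_policy == "required":
        # DRBs are protected on the radio layer: skip the QUIC-layer work.
        return null or integrity_only or encrypting
    if up_policy == "preferred":
        # Radio protection is not guaranteed; this example keeps encryption
        # whenever the client can do it (the text leaves this choice open).
        return encrypting or integrity_only or null
    if up_policy == "not needed":
        # No radio protection: the application layer must encrypt and authenticate.
        return encrypting
    raise ValueError(f"unknown UP security policy {up_policy!r}")


def encode_server_hello_cipher_suite(suite):
    """ServerHello.cipher_suite is a single 2-byte CipherSuite."""
    return struct.pack(">H", suite)


def ue_accepts(offered, server_hello_suite):
    """UE-side check: RFC 8446 section 4.1.3 requires the client to abort with
    illegal_parameter if the server picked a suite the client did not offer."""
    return server_hello_suite in offered


def negotiate(up_policy, offered):
    """One ClientHello/ServerHello exchange; returns the selected suite name or None."""
    wire = encode_cipher_suites(offered)               # UE -> UPF (step 414)
    parsed, _rest = decode_cipher_suites(wire)
    choice = select_cipher_suite(up_policy, parsed)    # UPF decision
    if choice is None:
        return None
    reply = encode_server_hello_cipher_suite(choice)   # UPF -> UE (step 418)
    (echoed,) = struct.unpack(">H", reply)
    if not ue_accepts(offered, echoed):
        return None
    return SUITES[echoed][0]


if __name__ == "__main__":
    # Constructed ClientHello list: NULL first, then integrity-only, then AEAD.
    ue_list = [TLS_NULL_NULL, TLS_SHA256_SHA256, TLS_AES_128_GCM_SHA256]
    for policy in ("required", "preferred", "not needed"):
        print(f"{policy:10s} -> {negotiate(policy, ue_list)}")
```

The "preferred" branch is a local design choice, since the text only says the UPF may pick either way; a deployment would bind that choice to the PDU session's policy rather than to the client's ordering, and must treat a None result as a fatal handshake_failure instead of retrying with a weaker list.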

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An apparatus (408) is provided comprising: a transceiver (325); and a processor (305) coupled to the transceiver (325), the processor (305) and the transceiver (325) being configured to cause the apparatus (408) to: receive, from a network function (404) on another apparatus, a security policy for a protocol data unit, PDU, session (412); receive, from a remote device (402), a first message (414), the first message indicating supported cipher suites including a NULL cipher suite, the NULL cipher suite defining that no encryption, or no integrity protection, or a combination thereof is to be applied; select the NULL cipher suite based on the received security policy; and send, to the remote device (402), a second message (418), the second message indicating the selected NULL cipher suite.
PCT/EP2022/085159 2022-11-03 2022-12-09 Improving user plane function performance in a wireless communication network WO2024088552A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GR20220100894 2022-11-03

Publications (1)

Publication Number Publication Date
WO2024088552A1 true WO2024088552A1 (fr) 2024-05-02

Family

ID=84767021

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2022/085159 WO2024088552A1 (fr) 2022-11-03 2022-12-09 Improving user plane function performance in a wireless communication network

Country Status (1)

Country Link
WO (1) WO2024088552A1 (fr)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022069825A1 (fr) * 2020-09-29 2022-04-07 Orange Methods for configuring a user equipment, negotiating with a network entity, and managing a connection, and associated devices.

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"Security architecture and procedures for 5G system", 3GPP TS 33.501, September 2022 (2022-09-01)
BANKS MICROSOFT CORPORATION N: "QUIC Disable Encryption; draft-banks-quic-disable-encryption-00.txt", 11 August 2020 (2020-08-11), pages 1 - 5, XP015141079, Retrieved from the Internet <URL:https://tools.ietf.org/html/draft-banks-quic-disable-encryption-00> [retrieved on 20200811] *
HUAWEI ET AL: "KI #2, Sol #8: Update QUIC solution to solve ENs", vol. SA WG2, no. e-meeting; 20200819 - 20200901, 2 September 2020 (2020-09-02), XP051928821, Retrieved from the Internet <URL:https://ftp.3gpp.org/tsg_sa/WG2_Arch/TSGS2_140e_Electronic/Docs/S2-2006287.zip S2-2006287 - Revision of S2-2005473 - KI #2, Sol #8 - Update QUIC solution to solve ENs-r05.docx> [retrieved on 20200902] *

Similar Documents

Publication Publication Date Title
US20230232198A1 (en) Method to authenticate with a mobile communication network
US20230269797A1 (en) Accessing a 5g network via a non-3gpp access network
EP4128858B1 (fr) Relocating an access gateway
US20230388788A1 (en) Key-based authentication for a mobile edge computing network
US20230262455A1 (en) Determining an authentication type
US20240121088A1 (en) Provisioning server selection in a cellular network
US20220116769A1 (en) Notification in eap procedure
US20230262463A1 (en) Mobile network authentication using a concealed identity
US20230156650A1 (en) Relocating an access gateway
US20230136693A1 (en) Enabling roaming with authentication and key management for applications
US20240056313A1 (en) Selecting a data connection based on digital certificate information
US20240031969A1 (en) Control-plane and user-plane trusted non-3gpp gateway function
WO2024088552A1 (fr) Improving user plane function performance in a wireless communication network
US20240187856A1 (en) Registration authentication based on a capability
US20230199483A1 (en) Deriving a key based on an edge enabler client identifier
WO2022130065A1 (fr) Application registration with a network
US20240129723A1 (en) Key identification for mobile edge computing functions
WO2023175541A1 (fr) Authentication and registration of personal IoT network elements
WO2024088582A1 (fr) Integrating ambient devices into a wireless communication network
WO2024088605A1 (fr) Providing wireless communication devices with authorization to communicate with ambient devices
KR20240089074A (ko) Communicating and storing aviation system security information
WO2023147888A1 (fr) Updating route selection policy rules containing digital certificate information
WO2024032915A1 (fr) Connecting to a WLAN access network using 3GPP-based authentication
WO2024027944A1 (fr) Method for selecting a non-3GPP access network in a wireless communication network
WO2023175461A1 (fr) Establishing an application session corresponding to a PIN element

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22834976

Country of ref document: EP

Kind code of ref document: A1