WO2024098177A1 - Authentication procedure for network slice - Google Patents

Publication number
WO2024098177A1
Authority
WO
WIPO (PCT)
Prior art keywords
network slice
identity
authentication
message
revoke
Prior art date
Application number
PCT/CN2022/130237
Other languages
English (en)
Inventor
Jing PING
Ranganathan MAVUREDDI DHANASEKARAN
Original Assignee
Nokia Shanghai Bell Co., Ltd.
Nokia Solutions And Networks Oy
Nokia Technologies Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Shanghai Bell Co., Ltd., Nokia Solutions And Networks Oy, Nokia Technologies Oy
Priority to PCT/CN2022/130237
Publication of WO2024098177A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0892 Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Definitions

  • Various example embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to methods, devices, apparatuses and computer readable storage medium for authentication procedure for network slice.
  • Network slicing is a type of virtual networking architecture in the same family as software-defined networking (SDN) and network functions virtualization (NFV).
  • SDN and NFV are two closely related network virtualization technologies that are moving modern networks toward software-based automation.
  • a first apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the first apparatus at least to perform: receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a second apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the second apparatus at least to perform: transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a third apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the third apparatus at least to perform: receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and wherein the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a method comprises: receiving, at a first apparatus and from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a method comprises: transmitting, at a second apparatus and to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a method comprises: receiving, at a third apparatus and from a first apparatus, a message that comprises a validity timer associated with a network slice, and wherein the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a first apparatus comprises: means for receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and means for transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a second apparatus comprises: means for transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a third apparatus comprises: means for receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and wherein the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the first aspect.
  • a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the second aspect.
  • a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the second aspect.
  • FIG. 1 illustrates an example communication environment in which example embodiments of the present disclosure can be implemented
  • FIG. 2 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
  • FIG. 3 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
  • FIG. 4 illustrates a signaling chart for communication according to an example embodiment of the present disclosure
  • FIG. 5 illustrates a signaling chart for communication according to another example embodiment of the present disclosure
  • FIG. 6 illustrates a flowchart of a method implemented at a first apparatus according to some example embodiments of the present disclosure
  • FIG. 7 illustrates a flowchart of a method implemented at a second apparatus according to some example embodiments of the present disclosure
  • FIG. 8 illustrates a flowchart of a method implemented at a third apparatus according to some example embodiments of the present disclosure
  • FIG. 9 illustrates a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure.
  • FIG. 10 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
  • References in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • Although the terms “first,” “second” and the like may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments.
  • the term “and/or” includes any and all combinations of one or more of the listed terms.
  • performing a step “in response to A” does not indicate that the step is performed immediately after “A” occurs and one or more intervening steps may be included.
  • circuitry may refer to one or more or all of the following:
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
  • the term “communication network” refers to a network following any suitable communication standards, such as New Radio (NR), Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on.
  • NR New Radio
  • LTE Long Term Evolution
  • LTE-A LTE-Advanced
  • WCDMA Wideband Code Division Multiple Access
  • HSPA High-Speed Packet Access
  • NB-IoT Narrow Band Internet of Things
  • the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the fifth generation (5G) communication protocols, and/or any other protocols either currently known or to be developed in the future.
  • Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
  • the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom.
  • the network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), an NR NB (also referred to as a gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, an Integrated Access and Backhaul (IAB) node, a low power node such as a femto, a pico, a non-terrestrial network (NTN) or non-ground network device such as a satellite network device, a low earth orbit (LEO) satellite and a geosynchronous earth orbit (GEO) satellite, an aircraft network device, and so forth, depending on the applied terminology and technology.
  • radio access network (RAN) split architecture comprises a Centralized Unit (CU) and a Distributed Unit (DU) at an IAB donor node.
  • An IAB node comprises a Mobile Terminal (IAB-MT) part that behaves like a UE toward the parent node, and a DU part of an IAB node behaves like a base station toward the next-hop IAB node.
  • IAB-MT Mobile Terminal
  • terminal device refers to any end device that may be capable of wireless communication.
  • a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT).
  • UE user equipment
  • SS Subscriber Station
  • MS Mobile Station
  • AT Access Terminal
  • the terminal device may include, but not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and/
  • the terminal device may also correspond to a Mobile Termination (MT) part of an IAB node (e.g., a relay node).
  • MT Mobile Termination
  • IAB node e.g., a relay node
  • the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
  • network slice may refer to network resources that can provide or support services.
  • a network slice may be an isolated end-to-end network tailored to satisfy varied requirements asked for by a particular application.
  • the network slice may be an equipment-vendor agnostic and can span across a radio network from vendor one, to the core from vendor two and so on.
  • the term “extensible authentication” used herein may refer to extensibility for authentication methods for commonly used protected network access technologies.
  • EAP Extensible Authentication Protocol
  • temporary network slice does not only mean that the network slices are decommissioned and created as per the timing information, but also that the network slices are not meant to be available for use by the UE.
  • resource may refer to any resource for performing a communication, for example, a communication between a terminal device and a network device, such as a resource in time domain, a resource in frequency domain, a resource in space domain, a resource in code domain, or any other resource enabling a communication, and the like.
  • a resource in both frequency domain and time domain will be used as an example of a transmission resource for describing some example embodiments of the present disclosure. It is noted that example embodiments of the present disclosure are equally applicable to other resources in other domains.
  • Network Slices are deployed for services over an Area of Service which may match the conventional tracking areas (TAs) or for which the Area of Service can be different.
  • TAs tracking areas
  • the network slice availability i.e. where the network slices are defined to be supported
  • the UEs and network configuration can be impacted when network slices are deployed and decommissioned over certain time interval (e.g. the Configured Network Slice Specific Assistance Information (NSSAI) can change when a network slice is no longer available or becomes available, this can affect the Allowed NSSAI and other parameters may need to change, etc.).
  • NSSAI Configured Network Slice Specific Assistance Information
  • Timing Information can be used to track the start time, end time, and periodicity of the availability of the network slice, including any related temporary TA. It is proposed to specify that the UE can be updated with timing information about the configured/allowed slices and this same timing information can also be provided from the RAN to the AMF when the serving PLMN RAN is configured with the timing information.
  • the timing information can be associated to TAs, S-NSSAIs for temporary slices that also require deployment/support of temporary TAs. If the termination of a network slice is Home Public Land Mobile Network (HPLMN) initiated, then this information is passed to UE and Radio Access Network (RAN) UE context in addition to Access and Mobility Function (AMF) and Session Management Function (SMF).
  • HPLMN Home Public Land Mobile Network
  • AMF Access and Mobility Function
  • SMF Session Management Function
  • the most constraining timing determines a slice availability.
  • S-NSSAI single-NSSAI
  • Temporary slices are expected to be made known to UE during configuration or other network slicing procedures impacting Configured NSSAI or Allowed NSSAI.
  • the UE and network remove the S-NSSAI locally from the allowed NSSAI if the S-NSSAI is present in the allowed NSSAI.
  • NSSAA Network Slice Specific Authentication and Authorization
  • AAA-S Authentication, Authorization, and Accounting Server
  • NSSAAF may still keep the authentication status of the S-NSSAI for the UE if they are not aware of the timeout of the temporary slice. Compared to normal slices, the number of temporary slices could be high.
  • AAA-S memory/database
  • NSSAAF Network Slice Specific Authentication and Authorization Function
  • the AAA-S server may trigger re-authentication/authorization on the timed-out slice of the UE, which further wastes network and computing resources and may also cause confusion at the AMF. Therefore, the NSSAA procedure for the network slice needs to be enhanced.
  • a validity timer for a network slice is exchanged between network devices.
  • a network device for example, AAA server, AMF, SMF
  • PDU protocol data unit
  • the network devices are allowed to clean up authentication state, thereby avoiding unexpected re-authentication and authorization.
  • FIG. 1 illustrates an example communication environment 100 in which example embodiments of the present disclosure can be implemented.
  • a plurality of devices including a first device 110, a second device 120, and a third device 130 can communicate with each other.
  • the first device 110 may include a device that can implement Network Slice Specific Authentication and Authorization (NSSAA)
  • the second device 120 may include an AMF entity
  • the third device 130 may include a device that can implement Authentication, Authorization, and Accounting function (such as an AAA server).
  • NSSAA Network Slice Specific Authentication and Authorization
  • AAA Authentication, Authorization, and Accounting function
  • the communication environment 100 may include a fourth device 140 that may be an Authentication, Authorization, and Accounting Proxy (AAA-P).
  • the communication environment 100 may also include a terminal device 150.
  • the communication environment 100 may include any suitable number of devices configured to implement example embodiments of the present disclosure.
  • Communications in the communication environment 100 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G), the fifth generation (5G), the sixth generation (6G), and the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future.
  • the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), Discrete Fourier Transform spread OFDM (DFT-s-OFDM) and/or any other technologies currently known or to be developed in the future.
  • CDMA Code Division Multiple Access
  • FDMA Frequency Division Multiple Access
  • TDMA Time Division Multiple Access
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • MIMO Multiple-Input Multiple-Output
  • OFDM Orthogonal Frequency Division Multiplexing
  • DFT-s-OFDM Discrete Fourier Transform spread OFDM
  • FIG. 2 shows a signaling chart 200 for communication according to some example embodiments of the present disclosure.
  • the signaling chart 200 involves a first device 110, a second device 120, and a third device 130.
  • For the purpose of discussion, the signaling chart 200 is described with reference to FIG. 1.
  • Although one first device 110, one second device 120 and one third device 130 are illustrated in FIG. 2, it would be appreciated that there may be a plurality of first devices performing similar operations as described with respect to the first device 110 below, a plurality of second devices performing similar operations as described with respect to the second device 120 below and a plurality of third devices performing similar operations as described with respect to the third device 130 below.
  • the second device 120 transmits (2010) an authenticate request for a network slice to the first device 110.
  • the authenticate request includes a validity timer of the network slice.
  • a duration of the validity timer may be a couple of days.
  • the duration of the validity timer may be a couple of hours or minutes. It is noted that the duration of the validity timer can be any suitable value.
  • the duration of the validity timer may be same as or similar to a duration of a timer for the network slice configured at the terminal device 150.
  • the authenticate request may include a first identity for the network slice.
  • the second device 120 may obtain the first identity from a terminal device (for example, the terminal device 150).
  • the first identity may be signaled by the terminal device to the network, in order to assist the network in selecting a particular Network Slice instance.
  • the first identity may be S-NSSAI of the network slice.
  • the S-NSSAI may refer to an identifier for a Network Slice across the 5GC, 5G-RAN and the UE.
  • the S-NSSAI may be associated with a PLMN (e.g., PLMN ID) and have network-specific values or have standard values.
  • an S-NSSAI is used by the UE in access network in the PLMN that the S-NSSAI is associated with.
  • an S-NSSAI may include Slice/Service type (SST) and Slice Differentiator (SD). It is noted that the first identity may be any proper type of identity that can uniquely identify the network slice.
  • S-NSSAI may be subjected to NSSAA.
  • the authenticate request may include a second identity for a terminal device that is configured with network slice for an extensible authentication.
  • the authenticate request may include the second identity of the terminal device 150 for extensible authentication.
  • the second identity may be an EAP ID. It is noted that the second identity may be any proper type of identity that can identify the terminal device for the extensible authentication.
  • the authenticate request may include a third identity associated with the subscription of the terminal device.
  • the third identity may be a Generic Public Subscription Identifier (GPSI) .
  • GPSI Generic Public Subscription Identifier
  • the GPSI may be used as a means of addressing a 3GPP subscription in data networks outside the realms of a 3GPP system.
  • the second device 120 may use any GPSI in the list provided by the UDM for NSSAA procedures.
  • the third identity may be any proper type of identity that can address subscriptions.
  • the first device 110 transmits (2020) a message that includes the validity timer to the third device 130.
  • the message may include the first identity for the network slice.
  • the message may include the second identity for a terminal device that is configured with network slice for an extensible authentication.
  • the message may include the third identity associated with the subscription of the terminal device.
  • the first device 110 may transmit the message to the third device 130.
  • the first device may transmit the message to the fourth device 140.
  • the fourth device may further forward the message to the third device 130.
  • the third device 130 may store (2030) the validity timer associated with the network slice.
  • the third device 130 may store the validity timer together with the first identity for the network slice and the third identity associated with the subscription of the terminal device, and optionally the second identity for the extensible authentication.
  • the third device 130 may trigger (2040) a revocation of the authentication and authorization.
  • the third device 130 may trigger the revocation of the NSSAA based on the validity timer. For example, if the validity timer expires, the third device 130 may trigger the revocation of the NSSAA. It is noted that the third device 130 may trigger the revocation of the NSSAA based on other condition.
  • the third device 130 may transmit (2050) a revoke authentication request for the network slice to the first device 110.
  • the revoke authentication request may include the first identity for the network slice and the third identity associated with the subscription of the terminal device.
  • the revoke authentication request may also include an indication of an expiration of the validity timer.
  • the third device 130 may transmit the revoke authentication request for the network slice to the first device 110.
  • the third device 130 may transmit the revoke authentication request for the network slice to the fourth device 140.
  • the fourth device 140 may then forward the revoke authentication request for the network slice to the first device 110.
  • the first device 110 may clean up (2060) a local status related to the third identity and the first identity.
  • the “clean up the local status” may refer to one of: remove the local status, delete the local status, or set the local status to a predefined status. For example, if the revoke authentication request includes the indication of the expiration of the validity timer, the first device 110 may clean up the local status. In this case, the first device may transmit (2070) a revoke authentication response to the third device 130 without further notifying the second device 120. In this case, it can avoid unexpected re-authentication and authorization. Example embodiments of cleaning up the local status are described with reference to FIG. 5 later.
  • the first device 110 may transmit the revoke authentication response to the third device 130.
  • the first device 110 may transmit the revoke authentication response to the fourth device 140.
  • the fourth device 140 may then forward the revoke authentication response to the third device 130.
  • the first device 110 may transmit (2080) a revocation notification to the second device 120.
  • the first device 110 may transmit revocation notification to the second device 120.
  • the revocation notification may include the first identity for the network slice and the third identity associated with subscription of the terminal device.
  • the second device 120 may determine whether the network slice is a temporary network slice. For example, the second device 120 may determine whether the first identity is associated to a temporary network slice. If the network slice is a temporary network slice, the second device 120 may drop (2090) the revocation notification. In other words, instead of transmitting a configuration update to the terminal device, the second device 120 may cause the revocation notification to be dropped. In this case, it can avoid unexpected re-authentication and authorization. Example embodiments of dropping the revocation notification are described with reference to FIG. 4 later.
  • the second device 120 may transmit a configuration that includes the validity timer associated with the network slice and the first identity for the network slice to the terminal device 140 after a NSSAA of the network slice.
  • an EAP framework may be used for the NSSAA between the terminal device 150 and the third device 130 (i.e., the AAA server).
  • the second device may perform the role of the EAP Authenticator and communicate with the third device 130 via the first device 110 (i.e., NSSAAF).
  • the first device 110 may undertake any AAA protocol interworking with the third device 130. Multiple EAP methods may be possible for NSSAA. If the third device 130 belongs to a third party, the first device 110 contacts the third device 130 via a fourth device 140 (i.e., AAA-P). In some example embodiments, the first device 110 and the fourth device 140 may be co-located.
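The FIG. 2 exchange described above (steps 2010 to 2090), as an added Python model that is not code from the patent: it shows the validity timer travelling from the AMF through the NSSAAF to the AAA-S, the AAA-S revoking on expiry, and both revocation outcomes (silent cleanup at the NSSAAF, or a notification dropped by the AMF for a temporary slice). All class, method and field names, the second-based timer with an injected clock, the constructed identities, and the choice to forward revocations that lack the expiry indication to the AMF are assumptions made for illustration.

```python
"""Model of the validity-timer exchange of FIG. 2 (added example, hypothetical names)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthenticateRequest:                # step 2010: AMF -> NSSAAF
    s_nssai: str                          # first identity (the slice)
    gpsi: str                             # third identity (the subscription)
    eap_id: Optional[str] = None          # second identity (EAP ID)
    validity_timer: Optional[int] = None  # seconds; None models a non-temporary slice


@dataclass(frozen=True)
class RevokeRequest:                      # step 2050: AAA-S -> NSSAAF
    s_nssai: str
    gpsi: str
    timer_expired: bool                   # indication of validity-timer expiration


class AAAServer:                          # third device 130
    def __init__(self):
        self.nssaaf = None
        self.sessions = {}                # (gpsi, s_nssai) -> absolute expiry or None

    def on_message(self, req, now):       # step 2030: store timer with the identities
        expiry = None if req.validity_timer is None else now + req.validity_timer
        self.sessions[(req.gpsi, req.s_nssai)] = expiry

    def tick(self, now):                  # step 2040: expiry triggers revocation
        expired = [k for k, exp in self.sessions.items()
                   if exp is not None and exp <= now]
        for gpsi, s_nssai in expired:
            self.revoke(gpsi, s_nssai, timer_expired=True)
        return expired

    def revoke(self, gpsi, s_nssai, timer_expired=False):
        self.sessions.pop((gpsi, s_nssai), None)   # AAA-S state is released
        return self.nssaaf.on_revoke(RevokeRequest(s_nssai, gpsi, timer_expired))


class NSSAAF:                             # first device 110
    def __init__(self, aaa):
        self.aaa, self.amf = aaa, None
        aaa.nssaaf = self
        self.status = {}                  # (gpsi, s_nssai) -> authentication status

    def on_authenticate(self, req, now):
        if req.validity_timer is not None and req.validity_timer <= 0:
            raise ValueError("validity timer must be positive")
        self.status[(req.gpsi, req.s_nssai)] = "AUTHENTICATED"
        self.aaa.on_message(req, now)     # step 2020: timer forwarded unchanged

    def on_revoke(self, rev):
        self.status.pop((rev.gpsi, rev.s_nssai), None)   # step 2060: clean up
        if not rev.timer_expired:         # assumption: other revocations reach the AMF
            self.amf.on_revocation_notification(rev.s_nssai, rev.gpsi)  # step 2080
        return "revoke-authentication-response"          # step 2070


class AMF:                                # second device 120
    def __init__(self, nssaaf, temporary_slices):
        self.nssaaf = nssaaf
        nssaaf.amf = self
        self.temporary_slices = set(temporary_slices)
        self.dropped, self.config_updates = [], []

    def authenticate(self, req, now):
        self.nssaaf.on_authenticate(req, now)

    def on_revocation_notification(self, s_nssai, gpsi):
        if s_nssai in self.temporary_slices:
            self.dropped.append((gpsi, s_nssai))         # step 2090: drop
        else:
            self.config_updates.append((gpsi, s_nssai))  # UE would be reconfigured


def run_demo():
    # Constructed identities, not taken from the patent.
    gpsi, temp, perm = "msisdn-000000000001", "SST1-SD00000A", "SST1-SD00000B"
    aaa = AAAServer()
    nssaaf = NSSAAF(aaa)
    amf = AMF(nssaaf, temporary_slices={temp})

    amf.authenticate(AuthenticateRequest(temp, gpsi, "user@example", 3600), now=0)
    amf.authenticate(AuthenticateRequest(perm, gpsi, "user@example"), now=0)
    before = aaa.tick(now=1800)           # timer still running: nothing is revoked
    expired = aaa.tick(now=3600)          # timer expired: silent cleanup on both nodes
    after_expiry = (sorted(aaa.sessions), sorted(nssaaf.status), list(amf.dropped))

    amf.authenticate(AuthenticateRequest(temp, gpsi, "user@example", 600), now=4000)
    aaa.revoke(gpsi, temp)                # revocation without the expiry indication
    aaa.revoke(gpsi, perm)
    return before, expired, after_expiry, amf.dropped, amf.config_updates


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The slice authenticated without a validity timer stays in the AAA-S and NSSAAF tables until it is revoked explicitly, which is the stale-state condition the validity timer is meant to remove for temporary slices.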
  • FIG. 3 shows a signaling chart 300 for communication according to an example embodiment of the present disclosure.
  • the second device 120 may trigger (301) slice-specific authentication and authorization.
  • the second device 120 may trigger the start of the Network Slice Specific Authentication and Authorization procedure.
  • the second device 120 may determine, based on UE Context in the AMF, that for some or all S-NSSAI(s) subject to Network Slice Specific Authentication and Authorization, the UE has already been authenticated following a Registration procedure on a first access.
  • Network Slice Specific Authentication and Authorization result e.g. success/failure
  • the second device 120 may decide, based on Network policies, to skip Network Slice Specific Authentication and Authorization for these S-NSSAIs during the Registration on a second access.
  • the second device 120 may select an Access Type to be used to perform the Network Slice Specific Authentication and Authorization procedure based on network policies.
  • the second device 120 transmits (302) an EAP Identity Request for the S-NSSAI in a NAS MM Transport message including the S-NSSAI. This is the S-NSSAI of the H-PLMN, not the locally mapped S-NSSAI value.
  • the terminal device 150 may transmit (303) the EAP Identity Response for the S-NSSAI alongside the S-NSSAI in an NAS MM Transport message towards the second device 120.
  • the second device 120 may transmit (304) the EAP Identity Response to the first device 110 in a Nnssaaf_NSSAA_Authenticate Request (EAP Identity Response, GPSI, S-NSSAI and optionally validity or termination timer).
  • if the UE subscription includes multiple GPSIs, the second device 120 may use any GPSI in the list provided by the UDM for NSSAA procedures.
  • the first device 110 may transmit (305) the EAP ID Response message, together with optionally validity or termination timer from the second device 120, to the third device 130.
  • the first device 110 may transmit the message to the third device 130.
  • the first device 110 may be responsible to send the NSSAA requests to the appropriate third device 130 based on local configuration of AAA-S address per S-NSSAI.
  • the first device 110 uses towards the AAA-P or the AAA-S an AAA protocol message of the same protocol supported by the AAA-S.
  • the fourth device 140 may transmit (306) the EAP Identity message to the third device 130 addressable by the AAA-S address together with S-NSSAI, GPSI and optionally validity or termination timer.
  • the third device 130 may store the GPSI and S-NSSAI to create an association with the EAP Identity in the EAP ID response message, so the third device 130 can later use it to revoke authorization or to trigger reauthentication.
  • the third device 130 may also store the validity or termination timer, together with the GPSI and S-NSSAI.
  • the third device 130 may trigger authentication revocation on the S-NSSAI of the GPSI when the timer expires.
  • the third device 130 may transmit (307) an AAA protocol message to the fourth device 140.
  • the AAA protocol message may include EAP message, GPSI and S-NSSAI.
  • the fourth device 140 may then transmit (308) the AAA protocol message to the first device 110.
  • the first device 110 may transmit (309) a Nnssaaf_NSSAA_Authenticate Request that includes EAP message, GPSI and S-NSSAI to the second device 120.
  • the second device 120 may transmit (310) a NAS MM transport that includes EAP message and S-NSSAI to the terminal device 150.
  • the terminal device 150 may transmit (311) the NAS MM transport that includes EAP message and S-NSSAI to the second device 120.
  • the second device 120 may transmit (312) a Nnssaaf_NSSAA_Authenticate Request that includes EAP message, GPSI and S-NSSAI to the first device 110.
  • the first device 110 may transmit (313) an AAA protocol message that includes EAP message, AAA-S address, GPSI and S-NSSAI to the fourth device 140.
  • the fourth device 140 may transmit (314) an AAA protocol message that includes EAP message, GPSI and S-NSSAI to the third device 130. It is noted that one or more interactions of the operations 307-314 may occur.
  • the third device 130 may store the S-NSSAI for which the authorization has been granted. The third device 130 may decide to trigger reauthentication and reauthorization based on its local policies. An EAP-Success/Failure message is delivered to the fourth device 140 (or if the fourth device 140 is not present, to the first device 110) with GPSI and S-NSSAI. For example, the third device 130 may transmit (315) an AAA protocol message that includes EAP success/failure, GPSI, S-NSSAI to the fourth device 140.
  • the fourth device 140 may transmit (316) an AAA protocol message that includes EAP success/failure, GPSI, and S-NSSAI to the first device 110.
  • the first device 110 may transmit (317) a Nnssaaf_NSSAA_Authenticate Request that includes EAP success/failure, GPSI, S-NSSAI to the second device 120.
  • the second device 120 may transmit (318) a NAS MM Transport message (including EAP-Success/Failure) to the terminal device 150.
  • the second device 120 may store the EAP result for each S-NSSAI for which the NSSAA procedure in operations 301-317 was executed.
  • the second device 120 may perform (319a) the UE configuration update procedure with the validity timer. For example, in some example embodiments, if one or more conditions are fulfilled, the second device 120 may initiate the UE Configuration Update procedure, for each Access Type. The second device 120 may also add the validity/termination timer of the network slice in the UE configuration update message together with the allowed S-NSSAI.
  • the conditions may comprise: (1) a new Allowed NSSAI (i.e.
  • the second device 120 may initiate the PDU Session Release procedure to release the PDU sessions with the appropriate cause value.
  • the second device 120 may perform (319b) the network initiated deregistration procedure.
  • the second device 120 may execute the Network-initiated Deregistration procedure and it may include in the explicit De-Registration Request the list of Rejected S-NSSAIs, each of them with the appropriate rejection cause value.
  • the validity/termination timer of the temporary slice can be added in the NSSAA authentication request. If the validity timer exists, the AAA-S stores the timer together with the S-NSSAI per UE. The AMF also adds the validity/termination timer of the temporary slice in the UE configuration update message together with the allowed S-NSSAI.
  • FIG. 4 shows a signaling chart 400 for revocation of the authentication and authorization according to an example embodiment of the present disclosure.
  • the third device 130 may transmit (401) an AAA protocol revoke authorization request to the fourth device 140 if the fourth device 140 is used.
  • the third device 130 may request the revocation of authorization for the Network Slice specified by the S-NSSAI in the AAA protocol Revoke Auth Request message, for the UE identified by the GPSI in this message.
  • the fourth device 140 may transmit (402) the AAA protocol revoke authorization request to the first device 110.
  • the first device 110 may obtain AMF ID from unified data management (UDM) 410 using Nudm_UECM_Get with the GPSI in the received AAA message. If two different AMF addresses are received, the first device 110 may initiate the operation 404 towards both AMFs. For example, the first device 110 may transmit (403a) a Nudm_UECM_Get request that includes GPSI and AMF registration to the UDM 410. The UDM 410 may transmit (403b) a Nudm_UECM_Get response that includes AMF ID to the first device 110.
  • the first device 110 may transmit (403c) an AAA protocol revoke authorization response to the third device 130.
  • the first device 110 may provide an acknowledgement to the AAA protocol Re-Auth Request message. If the second device 120 is not registered in UDM, the procedure is stopped here.
  • the first device 110 may transmit (404) a Nnssaaf_NSSAA_RevocationNotification that includes GPSI and S-NSSAI to the second device 120, which can notify the second device 120 to revoke the S-NSSAI authorization for the UE.
  • the second device 120 may drop (405) the NSSAA revocation notification from the first device 110, if the S-NSSAI is associated to a temporary slice.
  • FIG. 5 shows a signaling chart 500 for revocation of the network slice according to another example embodiment of the present disclosure.
  • the third device 130 may transmit (501) an AAA protocol revoke authorization request to the fourth device 140 if the fourth device 140 is used.
  • the third device 130 may request the revocation of authorization for the Network Slice specified by the S-NSSAI in the AAA protocol Revoke Auth Request message, for the UE identified by the GPSI in this message.
  • the AAA protocol revoke authorization request may include GPSI, S-NSSAI and the slice time out indication.
  • the fourth device 140 may transmit (502) the AAA protocol revoke authorization request to the first device 110.
  • the first device 110 may clean up (503) a local status related to the GPSI and S-NSSAI.
  • the first device 110 may transmit (504) an AAA protocol revoke authorization response to the third device 130 without further notifying the second device 120.
  • FIG. 6 shows a flowchart of an example method 600 implemented at a first device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 600 will be described from the perspective of the first device 110 in FIG. 1.
  • the first device 110 receives an authenticate request for a network slice that comprises a validity timer associated with the network slice from the second device 120.
  • the authenticate request may comprise one or more of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the first device 110 transmits a message that comprises the validity timer associated with the network slice to the third device 130.
  • the message may comprise one or more of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the first device 110 may receive from the third device 130 a revoke authentication request for the network slice that comprises an indication of an expiration of the validity timer, the first identity, and the third identity.
  • the first device 110 may clean up a local status related to the third identity and the first identity.
  • the first device 110 may transmit to the third device 130 a revoke authentication response.
  • the first device 110 may receive the revoke authentication request from the third device 130.
  • the first device 110 may receive the revoked authentication request from a fourth device 140 which receives the revoke authentication request from the third device 130.
  • the first device 110 may transmit the revoke authentication response to the third device 130.
  • the first device 110 may transmit the revoke authentication response to the fourth device 140 which then forwards the revoke authentication response to the third device 130.
  • the first device 110 may transmit the message to the third device 130.
  • the first device 110 may transmit the message to the fourth device 140 which then forwards the message to the third device 130.
  • FIG. 7 shows a flowchart of an example method 700 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 700 will be described from the perspective of the second device 120 in FIG. 1.
  • the second device 120 transmits to the first device 110 an authenticate request for a network slice that comprises a validity timer associated with the network slice.
  • the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the second device 120 may transmit, to a terminal device, a configuration that comprises the validity timer associated with the network slice and the first identity for the network slice after a network slice specific authentication and authorization.
  • the second device 120 may receive from the first device 110 a revocation notification that comprises the first identity for the network slice and the third identity associated with subscription of the terminal device.
  • the second device 120 may determine whether the network slice is a temporary network slice.
  • the second device 120 may cause the revocation notification to be dropped based on determining that the network slice is a temporary network slice.
  • FIG. 8 shows a flowchart of an example method 800 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 800 will be described from the perspective of the third device 130 in FIG. 1.
  • the third device 130 receives from the first device 110 a message that comprises a validity timer associated with a network slice.
  • the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the third device 130 may store the validity timer associated with the network slice. In some example embodiments, if the validity timer expires, the third device 130 may trigger a revocation of authentication and authorization of the network slice.
  • the third device 130 may transmit to the first device 110, a revoke authentication request for the network slice that comprises the first identity, and the third identity.
  • the third device 130 may receive from the first device 110, a revoke authentication response.
  • the revoke authentication request also comprises an indication of an expiration of the validity timer.
  • the third device 130 may transmit the revoke authentication request to the first apparatus.
  • the third device 130 may transmit the revoked authentication request to the fourth device 140 which forwards the revoke authentication request to the third device 130.
  • the third device 130 may receive the revoke authentication response from the first device 110.
  • the third device 130 may receive the revoke authentication response from the fourth device 140 which receives the revoke authentication response from the first device 110.
  • the third device 130 may receive the message from the first device 110.
  • the third device 130 may receive the message from the fourth device 140 which receives the message from the first device 110.
  • a first apparatus capable of performing any of the method 600 may comprise means for performing the respective operations of the method 600.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the first apparatus may be implemented as or included in the first device 110 in FIG. 1.
  • the first apparatus comprises means for receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and means for transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the first apparatus comprises means for receiving, from the third apparatus, a revoke authentication request for the network slice that comprises an indication of an expiration of the validity timer, the first identity, and the third identity; means for cleaning up a local status related to the third identity and the first identity; and means for transmitting, to the third apparatus, a revoke authentication response.
  • the means for receiving the revoke authentication request comprises means for receiving the revoke authentication request from the third apparatus; or means for receiving the revoked authentication request from a fourth apparatus which receives the revoke authentication request from the third apparatus.
  • the means for transmitting the revoke authentication response to the third apparatus comprises: means for transmitting the revoke authentication response to the third apparatus; or means for transmitting the revoke authentication response to a fourth apparatus which then forwards the revoke authentication response to the third apparatus.
  • the means for transmitting the message to the third apparatus comprises one of: means for transmitting the message to the third apparatus; or means for transmitting the message to a fourth apparatus which then forwards the message to the third apparatus.
  • the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented.
  • the second apparatus comprises a core network device.
  • the third apparatus comprises an Authentication, Authorization, and Accounting Server.
  • the first apparatus further comprises means for performing other operations in some example embodiments of the method 600 or the first device 110.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the first apparatus.
  • a second apparatus capable of performing any of the method 700 may comprise means for performing the respective operations of the method 700.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the second apparatus may be implemented as or included in the second device 120 in FIG. 1.
  • the second apparatus comprises means for transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the second apparatus comprises means for transmitting, to a terminal device, a configuration that comprises the validity timer associated with the network slice and the first identity for the network slice after a network slice specific authentication and authorization.
  • the second apparatus comprises means for receiving, from the first apparatus, a revocation notification that comprises the first identity for the network slice and the third identity associated with subscription of the terminal device; means for determining whether the network slice is a temporary network slice; and means for based on determining that the network slice is a temporary network slice, causing the revocation notification to be dropped.
  • the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented.
  • the second apparatus comprises a core network device.
  • the second apparatus further comprises means for performing other operations in some example embodiments of the method 700 or the second device 120.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the second apparatus.
  • a third apparatus capable of performing any of the method 800 may comprise means for performing the respective operations of the method 800.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the second apparatus may be implemented as or included in the third device 130 in FIG. 1.
  • the third apparatus comprises means for receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the third apparatus comprises means for storing the validity timer associated with the network slice; and in accordance with a determination that the validity timer expires, triggering a revocation of authentication and authorization of the network slice.
  • the third apparatus comprises means for transmitting, to the first apparatus, a revoke authentication request for the network slice that comprises the first identity, and the third identity; and receiving, from the first apparatus, a revoke authentication response.
  • the revoke authentication request also comprises an indication of an expiration of the validity timer.
  • the means for transmitting the revoke authentication request comprises: means for transmitting the revoke authentication request to the first apparatus; or means for transmitting the revoked authentication request to a fourth apparatus which forwards the revoke authentication request to the third apparatus.
  • the means for receiving the revoke authentication response from the first apparatus comprises: means for receiving the revoke authentication response from the first apparatus; or means for receiving the revoke authentication response from a fourth apparatus which receives the revoke authentication response from the first apparatus.
  • the means for receiving the message from the first apparatus comprises one of: means for receiving the message from the first apparatus; or means for receiving the message from a fourth apparatus which receives the message from the first apparatus.
  • the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented.
  • the third apparatus comprises an Authentication, Authorization, and Accounting Server.
  • the third apparatus further comprises means for performing other operations in some example embodiments of the method 800 or the third device 130.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the third apparatus.
  • FIG. 9 is a simplified block diagram of a device 900 that is suitable for implementing example embodiments of the present disclosure.
  • the device 900 may be provided to implement a communication device, for example, the first device 110 or the second device 120 as shown in FIG. 1.
  • the device 900 includes one or more processors 910, one or more memories 920 coupled to the processor 910, and one or more communication modules 940 coupled to the processor 910.
  • the communication module 940 is for bidirectional communications.
  • the communication module 940 has one or more communication interfaces to facilitate communication with one or more other modules or devices.
  • the communication interfaces may represent any interface that is necessary for communication with other network elements.
  • the communication module 940 may include at least one antenna.
  • the processor 910 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
  • the device 900 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
  • the memory 920 may include one or more non-volatile memories and one or more volatile memories.
  • the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 924, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), an optical disk, a laser disk, and other magnetic storage and/or optical storage.
  • a computer program 930 includes computer executable instructions that are executed by the associated processor 910.
  • the instructions of the program 930 may include instructions for performing operations/acts of some example embodiments of the present disclosure.
  • the program 930 may be stored in the memory, e.g., the ROM 924.
  • the processor 910 may perform any suitable actions and processing by loading the program 930 into the RAM 922.
  • the example embodiments of the present disclosure may be implemented by means of the program 930 so that the device 900 may perform any process of the disclosure as discussed with reference to FIG. 2 to FIG. 8.
  • the example embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
  • the program 930 may be tangibly contained in a computer readable medium which may be included in the device 900 (such as in the memory 920) or other storage devices that are accessible by the device 900.
  • the device 900 may load the program 930 from the computer readable medium to the RAM 922 for execution.
  • the computer readable medium may include any types of non-transitory storage medium, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like.
  • the term “non-transitory,” as used herein, is a limitation of the medium itself (i.e., tangible, not a signal) as opposed to a limitation on data storage persistency (e.g., RAM vs. ROM).
  • FIG. 10 shows an example of the computer readable medium 1000 which may be in form of CD, DVD or other optical storage disk.
  • the computer readable medium 1000 has the program 930 stored thereon.
  • various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
  • Some example embodiments of the present disclosure also provide at least one computer program product tangibly stored on a computer readable medium, such as a non-transitory computer readable medium.
  • the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target physical or virtual processor, to carry out any of the methods as described above.
  • program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
  • the functionality of the program modules may be combined or split between program modules as desired in various embodiments.
  • Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
  • Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages.
  • the program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
  • the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
  • the computer program code or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above.
  • Examples of the carrier include a signal, computer readable medium, and the like.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
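
The timer hand-off of FIG. 3 and the two revocation paths of FIG. 4 and FIG. 5 (also restated as methods 600, 700 and 800) can be traced in a small simulation. The Python model below is an added illustration, not code from the publication: the class and method names, the sample GPSI and S-NSSAI values, and the AMF's local table of temporary slices are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AAAServer:
    """Third device 130 (AAA-S): stores the timer per (GPSI, S-NSSAI)."""
    expiry: dict = field(default_factory=dict)

    def store(self, gpsi, s_nssai, now, validity=None):
        # Operation 306: keep the association; the timer is optional.
        self.expiry[(gpsi, s_nssai)] = None if validity is None else now + validity

    def poll(self, now):
        """Return revoke requests for every association whose timer has expired."""
        due = [k for k, t in self.expiry.items() if t is not None and now >= t]
        for key in due:
            del self.expiry[key]
        return [{"gpsi": g, "s_nssai": s, "slice_timeout": True} for g, s in due]


@dataclass
class AMF:
    """Second device 120: knows which S-NSSAIs are temporary (assumed local table)."""
    temporary: dict                      # S-NSSAI -> validity in seconds
    ue_updates: list = field(default_factory=list)

    def run_nssaa(self, nssaaf, gpsi, s_nssai, now):
        validity = self.temporary.get(s_nssai)
        nssaaf.authenticate(gpsi, s_nssai, now, validity)      # operation 304
        # Operation 319a: allowed S-NSSAI plus timer go to the terminal device.
        self.ue_updates.append({"allowed": s_nssai, "validity": validity})

    def on_revocation_notification(self, gpsi, s_nssai):
        if s_nssai in self.temporary:
            return "dropped"                                   # operation 405
        self.ue_updates.append({"revoked": s_nssai})
        return "ue-configuration-update"


@dataclass
class NSSAAF:
    """First device 110: relays to the AAA-S and tracks local status."""
    aaa: AAAServer
    udm: dict                            # GPSI -> AMF, stands in for Nudm_UECM_Get
    status: set = field(default_factory=set)

    def authenticate(self, gpsi, s_nssai, now, validity=None):
        self.status.add((gpsi, s_nssai))
        self.aaa.store(gpsi, s_nssai, now, validity)           # operation 305

    def on_revoke_request(self, req):
        key = (req["gpsi"], req["s_nssai"])
        if req.get("slice_timeout"):
            # FIG. 5: clean up (503) and answer (504) without notifying the AMF.
            self.status.discard(key)
            return {"response": "ack", "amf": None}
        # FIG. 4: resolve the serving AMF (403a/403b), answer, then notify (404).
        amf = self.udm.get(req["gpsi"])
        if amf is None:
            return {"response": "ack", "amf": "not-registered"}
        return {"response": "ack", "amf": amf.on_revocation_notification(*key)}


def run_scenario():
    gpsi = "msisdn-00000000001"            # constructed sample GPSI
    temp, perm = "01-00000A", "01-00000B"  # constructed sample S-NSSAIs
    amf = AMF(temporary={temp: 3600})
    aaa = AAAServer()
    nssaaf = NSSAAF(aaa=aaa, udm={gpsi: amf})
    for s in (temp, perm):
        amf.run_nssaa(nssaaf, gpsi, s, now=0)

    out = {"before_expiry": aaa.poll(now=3599)}
    out["at_expiry"] = [nssaaf.on_revoke_request(r) for r in aaa.poll(now=3600)]
    out["status_after_timeout"] = sorted(nssaaf.status)
    # Revocations that carry no time-out indication follow FIG. 4.
    out["fig4_temporary"] = nssaaf.on_revoke_request({"gpsi": gpsi, "s_nssai": temp})
    out["fig4_permanent"] = nssaaf.on_revoke_request({"gpsi": gpsi, "s_nssai": perm})
    out["ue_updates"] = amf.ue_updates
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

In this model the time-out path never reaches the AMF, and the FIG. 4 path reaches the terminal device only for the slice that is not temporary.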

Abstract

Example embodiments of the present disclosure relate to an authentication procedure for a network slice. According to some example embodiments of the present disclosure, a validity timer for a network device is exchanged between network devices. In this case, a network device (for example, an AAA server) knows the time-out of the network slice based on the validity timer. In this way, it can allow a network slice to be terminated gracefully and avoid an abrupt protocol data unit (PDU) session release. In addition, the network devices are allowed to clean up an authentication status, which avoids unexpected re-authentication and authorization.
PCT/CN2022/130237 2022-11-07 2022-11-07 Authentication procedure for network slice WO2024098177A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/130237 WO2024098177A1 (fr) 2022-11-07 2022-11-07 Authentication procedure for network slice

Publications (1)

Publication Number Publication Date
WO2024098177A1 (fr) 2024-05-16

Family

ID=91031658

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/130237 WO2024098177A1 (fr) Authentication procedure for network slice 2022-11-07 2022-11-07

Country Status (1)

Country Link
WO (1) WO2024098177A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111654862A (zh) * 2019-03-04 2020-09-11 华为技术有限公司 Method and apparatus for registering a terminal device
US20220110050A1 (en) * 2019-02-08 2022-04-07 Nokia Technologies Oy Apparatus, method and computer program
US20220312307A1 (en) * 2020-05-22 2022-09-29 Apple Inc. Network slice specific authentication and authorization (nssaa) 5g new radio (nr) procedures

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
APPLE: "AMF to trigger Configuration Update Command Procedure indicating pending NSSAI", 3GPP DRAFT; C1-205030, vol. CT WG1, 13 August 2020 (2020-08-13), pages 1 - 16, XP051919529 *

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 22964656

Country of ref document: EP

Kind code of ref document: A1