This application is a 35 U.S.C. § 371 National Stage of International Patent Application No. PCT/CN2020/107334, filed Aug. 6, 2020, which claims priority to International Patent Application No. PCT/CN2019/101387, filed Aug. 19, 2019. The above-identified applications are incorporated by this reference.
The present application generally relates to wireless communication technology. More particularly, the present application relates to a method and an apparatus for performing protection control in a core network with separation between control plane and user plane. The present application also relates to computer program product adapted for the same purpose.
Interfaces internal to the 5G Core, such as N4 and N9, and roaming interfaces between PLMNs, such as N9, can be used to transport signaling data as well as privacy-sensitive material, such as user and subscription data, or other parameters, such as security keys. Therefore, confidentiality and integrity protection are required.
Currently, the security architecture, i.e., the security features and the security mechanisms for the 5G System and the 5G Core, and the security procedures performed within the 5G System, including the 5G Core and the 5G New Radio, are specified in 3GPP TS 33.501, which is incorporated herein by reference in its entirety.
However, the current security architecture is limited to the control plane and does not specify user plane security functions on the N9 roaming interface for the home-routed scenario.
One of the objects is to provide methods and apparatus for performing protection control in a core network with separation between control plane and user plane, which could reduce resources used for protection control.
According to one embodiment, a method for performing protection control in a core network with separation between control plane and user plane comprises the following steps performed on the user plane:
According to another embodiment, a method for performing protection control in a core network with separation between control plane and user plane comprises the following steps performed on the control plane:
According to another embodiment, an apparatus for performing protection control in a core network with separation between control plane and user plane comprises:
According to another embodiment, a core network with separation between control plane and user plane comprises:
According to another embodiment, a computer program product for performing protection control in a core network with separation between control plane and user plane is embodied in a computer readable storage medium and comprises computer instructions for performing the method as described above.
Preferably, the at least one of the UPSFs is a User Plane Firewall (UPFw) or a user plane component of a Security Edge Protection Proxy (SEPP-UP), and the CPF is a Session Management Function (SMF) or a Service Communication Proxy (SCP).
Preferably, the core network further comprises a Packet Core Gateway (PCG), and the at least one of the UPSF and the UPF are paired by including them into the PCG or binding them to the PCG.
Preferably, the at least one of the UPSF and the UPF are paired by integrating the UPSF into the UPF.
Preferably, the at least one of the UPSF and the UPF are configured to notify their pairing relationship to a Network Repository Function (NRF) during a service registration procedure or a service update procedure.
Preferably, the at least one of the UPSF and the UPF are configured to notify the pairing relationship by transmitting to the NRF a UPF profile from the UPF and a UPSF profile from the UPSF, where the UPF profile and the UPSF profile each include the IDs of the UPF and the UPSF.
Preferably, the SMF is configured to obtain the pairing relationship during a discovery procedure.
Preferably, the SMF is configured to select a UPSF for the UPF on the basis of the pairing relationship during a Protocol Data Unit (PDU) session establishment procedure.
The solution of the present disclosure has the following advantages:
The foregoing and other objects, features, and advantages would be apparent from the following more particular description of preferred embodiments as illustrated in the accompanying drawings in which:
The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term “processor” refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” “comprising,” “includes” and/or “including” when used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
Also, use of ordinal terms such as “first,” “second,” “third,” etc., in the claims to modify a claim element does not by itself connote any priority, precedence, or order of one claim element over another or the temporal order in which acts of a method are performed, but are used merely as labels to distinguish one claim element having a certain name from another element having a same name (but for use of the ordinal term) to distinguish the claim elements.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood. It will be further understood that terms used herein should be interpreted as having a meaning that is consistent with their meaning in the context of this specification and the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
As shown in
In the architecture as shown in
As shown in
Alternatively, the UPFw and the UPF are paired by integrating the UPFw into the UPF. That is, the UPF is equipped with the capability to perform the function of the UPFw.
In order for the control plane to know that the UPFw and the UPF are paired, the user plane notifies the pairing relationship between the UPFw and the UPF to the control plane, e.g., the SMF. The SMF will then select the UPFw indicated in the pairing relationship as the preferred one for the UPF.
Preferably, the pairing relationship is included in an NfProfile transmitted to a Network Repository Function (NRF) during the UPF service registration procedure or the UPF service update procedure. In an illustrative example, this can be achieved by modifying the NfProfile as defined in 3GPP TS 29.510, which is incorporated herein by reference in its entirety. In particular, 3GPP TS 29.510 v15.3.0 and v16.0.0 define a structure of the NfProfile which allows the setting of NF-Type specific information in ‘info’ fields. For NFType ‘UPF’, the Data Type ‘UpfInfo’ is defined as follows:
For illustrative purposes, the following attribute can be added to this field with a unique reference to the UPFw instance. This can be done, e.g., by adding a field ‘preferred UP-FW instance’ carrying the UUID of the collocated UPFw:
In case a UPF instance has more than one optimal UPFw instance, e.g., due to multiple co-deployed UPFw instances, a list of NfInstanceIds can be provided for the attribute ‘preferredUpfwInstId’.
During the UPF selection procedure, the SMF (or the SCP, in case of delegated discovery) can select a UPF depending on its capabilities by performing the standard NF discovery procedure and filtering the received NfProfiles, and then select the UPFw indicated in the NfProfile of that UPF.
In case the SMF (or the SCP, in case of delegated discovery) identifies a need for roaming, e.g., between the hPLMN and the vPLMN as shown in
As described above, the UPFw and the UPF can be paired by integrating the UPFw into the UPF. In such a case, the NfProfile for the UPF may include an indicator describing whether the UPF instance has the capability to execute the UPFw function or not. In an illustrative example, this can be achieved by modifying the NfProfile as defined in 3GPP TS 29.510, which is incorporated herein by reference in its entirety. In particular, 3GPP TS 29.510 v15.3.0 and v16.0.0 define a structure of the NfProfile which allows the setting of NF-Type specific information in ‘info’ fields. For illustrative purposes, the following attribute can be added to this field:
Note that due to the attribute being an array type, it is possible to list multiple capabilities within the same NfProfile.
The field can then list the functional capabilities of a specific UPF instance defined in the NfProfile. For example, the enumeration value can be defined as follows:
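As an added illustration that is not part of the patent text, the following Python sketch shows how the extended NfProfiles described above could be built, validated and registered at an NRF, and how an SMF (or SCP) would apply the pairing relationship during discovery, including the fallback used in Step 4 of the PDU session establishment flow later in this description. The attribute ‘preferredUpfwInstId’ is the one the text proposes; the nfType ‘UPFW’ for a stand-alone UPFw, the back-reference ‘pairedUpfInstId’, the capability attribute ‘upfCapabilities’ with value ‘UPFW’, and all instance IDs are assumptions of the example.

```python
"""Added example, not code from the patent: UPF/UPFw NfProfiles carrying the pairing
relationship, an in-memory NRF, and SMF-side selection of a UPF with its paired UPFw.
Assumed names (not in TS 29.510 or the patent): nfType 'UPFW' for a stand-alone UPFw,
'upfwInfo.pairedUpfInstId' as its back-reference, and 'upfInfo.upfCapabilities' with
value 'UPFW' for an integrated UPF. 'preferredUpfwInstId' is the patent's own name."""
import uuid

UPF_TYPE, UPFW_TYPE = "UPF", "UPFW"   # UPFW is an assumed custom NF type

def _is_uuid(value):
    """NfInstanceId in TS 29.510 is a UUID; anything else is rejected."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False

def upf_profile(nf_id, dnn, preferred_upfw=(), capabilities=()):
    """UPF NfProfile; 'upfInfo' carries the pairing extension proposed in the text."""
    return {"nfInstanceId": nf_id, "nfType": UPF_TYPE, "nfStatus": "REGISTERED",
            "upfInfo": {"sNssaiUpfInfoList": [{"sNssai": {"sst": 1, "sd": "000001"},
                                               "dnnUpfInfoList": [{"dnn": dnn}]}],
                        "preferredUpfwInstId": list(preferred_upfw),  # patent extension
                        "upfCapabilities": list(capabilities)}}       # assumed attribute

def upfw_profile(nf_id, paired_upf=()):
    """Stand-alone UPFw NfProfile naming the UPF(s) it is deployed to protect."""
    return {"nfInstanceId": nf_id, "nfType": UPFW_TYPE, "nfStatus": "REGISTERED",
            "upfwInfo": {"pairedUpfInstId": list(paired_upf)}}        # assumed attribute

def validate_profile(profile):
    """Registration-time checks: a malformed pairing reference must not reach discovery."""
    if not _is_uuid(profile.get("nfInstanceId")):
        raise ValueError("nfInstanceId must be a UUID")
    if profile.get("nfType") not in (UPF_TYPE, UPFW_TYPE):
        raise ValueError("unsupported nfType")
    refs = (profile.get("upfInfo", {}).get("preferredUpfwInstId", [])
            + profile.get("upfwInfo", {}).get("pairedUpfInstId", []))
    bad = [r for r in refs if not _is_uuid(r)]
    if bad:
        raise ValueError(f"pairing references are not UUIDs: {bad}")
    return profile

def _serves_dnn(profile, dnn):
    return any(d["dnn"] == dnn
               for s in profile.get("upfInfo", {}).get("sNssaiUpfInfoList", [])
               for d in s.get("dnnUpfInfoList", []))

class Nrf:
    """In-memory stand-in for Nnrf_NFManagement (register) and Nnrf_NFDiscovery."""
    def __init__(self):
        self._profiles = {}

    def register(self, profile):            # PUT /nnrf-nfm/v1/nf-instances/{nfInstanceId}
        self._profiles[validate_profile(profile)["nfInstanceId"]] = profile

    def get(self, nf_id):
        return self._profiles.get(nf_id)

    def discover(self, nf_type, dnn=None):  # GET /nnrf-disc/v1/nf-instances?target-nf-type=...
        return [p for p in self._profiles.values()
                if p["nfType"] == nf_type and p["nfStatus"] == "REGISTERED"
                and (dnn is None or _serves_dnn(p, dnn))]

def mutually_paired_upfw(nrf, upf):
    """First preferred UPFw that is registered AND names this UPF back. The back-reference
    stops a UPF profile from claiming a firewall it was never paired with."""
    for upfw_id in upf["upfInfo"].get("preferredUpfwInstId", []):
        upfw = nrf.get(upfw_id)
        if (upfw and upfw["nfType"] == UPFW_TYPE and upfw["nfStatus"] == "REGISTERED"
                and upf["nfInstanceId"] in upfw["upfwInfo"].get("pairedUpfInstId", [])):
            return upfw
    return None

def select_up_pair(nrf, dnn):
    """SMF/SCP selection: UPF with a usable paired UPFw; else a UPF with the integrated
    capability; else any UPF plus any registered UPFw (Step 4 fallback), or None."""
    upfs = nrf.discover(UPF_TYPE, dnn=dnn)
    if not upfs:
        raise LookupError(f"no registered UPF serves DNN {dnn!r}")
    for upf in upfs:
        upfw = mutually_paired_upfw(nrf, upf)
        if upfw:
            return upf["nfInstanceId"], upfw["nfInstanceId"]
    for upf in upfs:
        if "UPFW" in upf["upfInfo"].get("upfCapabilities", []):
            return upf["nfInstanceId"], upf["nfInstanceId"]   # integrated: one instance
    fallback = nrf.discover(UPFW_TYPE)
    return upfs[0]["nfInstanceId"], (fallback[0]["nfInstanceId"] if fallback else None)

# Constructed sample instance IDs (not from the patent).
UPF_A, UPF_B, UPF_C = [f"6ba7b81{i}-9dad-11d1-80b4-00c04fd430c8" for i in range(3)]
UPFW_1, UPFW_ROGUE = [f"6ba7b82{i}-9dad-11d1-80b4-00c04fd430c8" for i in range(2)]

def build_demo_nrf():
    nrf = Nrf()
    nrf.register(upf_profile(UPF_A, "internet", preferred_upfw=[UPFW_ROGUE, UPFW_1]))
    nrf.register(upf_profile(UPF_B, "ims", capabilities=["UPFW"]))
    nrf.register(upf_profile(UPF_C, "iot", preferred_upfw=[str(uuid.uuid4())]))  # never registers
    nrf.register(upfw_profile(UPFW_1, paired_upf=[UPF_A]))
    nrf.register(upfw_profile(UPFW_ROGUE, paired_upf=[]))   # names no UPF: must not be chosen
    return nrf
```

The back-reference check in `mutually_paired_upfw` is the caveat a practitioner would add: because the UPF and the UPFw register independently, as the description notes later, the SMF should only trust a pairing that both profiles assert. Otherwise any function able to register a UPF profile could steer a session's N9 traffic to a firewall instance of its choosing, or to none at all.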
It shall be noted that the operation of the above improved Architecture as shown in
A flowchart of a method 400 for performing protection control in a core network according to another embodiment of the present invention is shown in
As shown in
In this embodiment, preferably, the at least one of the UPSFs and the UPF are paired by including them into a Packet Core Gateway (PCG) or binding them to the PCG, or the at least one of the UPSFs and the UPF are paired by integrating the UPSF into the UPF.
In this embodiment, preferably, the notifying is performed during a service registration procedure or a service update procedure associated with a Network Repository Function (NRF).
In this embodiment, preferably, the notifying is performed by separately transmitting profiles of the UPF and the UPSF to the NRF. In other words, the UPF and the UPSF transmit their respective profiles, e.g. NfProfiles, to the NRF.
With reference to
A flowchart of a method 600 for performing protection control in a core network according to another embodiment of the present invention is shown in
As shown in
Step 601: selecting at least one UPSF for a UPF on the basis of a pairing relationship; and
Step 602: controlling the UPF and the UPSF by a CPF, e.g., SMF or SCP, via the same reference point, e.g., N4.
In this embodiment, preferably, the control plane receives the pairing relationship during a service registration procedure or a service update procedure associated with a NRF.
In this embodiment, preferably, the pairing relationship is obtained by the CPF, e.g., SMF, during a discovery procedure.
With reference to
As described above, the pairing relationship may be included in an NfProfile transmitted to a Network Repository Function (NRF) during the UPF service registration procedure or the UPF service update procedure. In an illustrative example, this can be achieved by modifying the UPF service registration procedure as defined in clause 4.17.1 of 3GPP TS 23.502, which is incorporated herein by reference in its entirety.
As shown in
Afterwards, UPF and UPFw can be discovered and selected by SMF for new session creation requests.
In this embodiment, UPF and UPFw register independently in NRF. Therefore, the procedure as shown in
As described above, the NfProfiles of UPF and UPFw may include a pairing relationship between UPF and UPFw, which allows an optimized selection for UPF and UPFw. That is, with the pairing relationship, a CPF could select a preferred ‘partner’ for UPF instance or UPFw instance.
As described above, the pairing relationship may be obtained by SMF during a discovery procedure.
As shown in
Afterwards, the SMF has profiles for the UPF and the UPFw, which include connectivity details and PFCP endpoint information. In this embodiment, the PFCP session is established with the PCG, i.e., the same session is used for the UPF and the UPFw. This saves resources in the SMF and avoids sending duplicated information from the SMF. Moreover, connectivity between the UPFw and the UPF can be PCG-internal and implementation specific.
Step 4: When the V-SMF selects a UPF for the PDU session, it selects a UPF with a PreferredUpfwInstance. If none of the UPFs that satisfy the other criteria of the establishment request has one, any other UPFw that can serve the request is selected.
In either case, the NfProfiles of the UPF and the UPFw include the connectivity information needed to establish N9 between the UPF and the UPFw.
Steps 5a-5b: The V-SMF triggers an N4 Session Establishment Request towards the PCG. This session is used to control both the UPF and the UPFw. Therefore, the request message contains an indicator that this session is intended for control of the UPF and the UPFw, together with the connectivity information needed to establish N9. Note that in cases where the UPF and the UPFw are in the same deployable software (SW) entity, the connectivity information might not be needed, as it is internal to the deployable unit.
Steps 10 and 12a-12b: The same modification as described above applies to the home network. Note that it is possible to have the UP-FW only in either the home or the visited network; there is no interaction between the two.
Step 12d: At this stage the home network has an established control plane session and the TEIDs have been successfully transferred to the H-UPFw. Thus, the H-UPFw allows uplink and downlink data to flow. However, since the V-UPFw has not yet received confirmation of the successful CP session establishment, downlink data will not pass the V-UPFw.
Step 19c: At this stage the final update with the TEID of the H-UPF is sent to the V-UPF and the V-UPFw. This indicates to the V-UPFw that a CP session has been successfully established, and the downlink data flow is enabled.
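As an added illustration, not code from the patent, the following Python model shows what the single N4 session towards the PCG gives the UPFw: the ingress and egress checks a user plane firewall can derive from N4 state, replayed over Steps 5a-5b, 10 and 12a-12b, 12d and 19c above. The `controls_upfw` indicator, the plain (IP address, TEID) representation of the N9 connectivity information, the SEIDs and all addresses and TEIDs are assumptions of the example; real PFCP (3GPP TS 29.244) encodes these as information elements.

```python
"""Added example, not code from the patent: a Packet Core Gateway (PCG) hosting a UPF
and a UPFw behind one N4 session, and the N9 gating the UPFw derives from that N4
state, replayed over Steps 5a-5b, 10/12a-12b, 12d and 19c of the flow above.
Assumed (not defined in TS 29.244 or the patent): the N4 Session Establishment
Request carries a boolean 'controls_upfw' indicator and N9 connectivity as plain
(GTP-U IP, TEID) pairs; real PFCP encodes these as IEs. Addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (GTP-U IP address, TEID) of one N9 tunnel end

@dataclass
class N4Session:
    seid: int
    controls_upfw: bool                  # indicator: this session also programs the UPFw
    local_n9: Endpoint                   # F-TEID this PCG allocated on N9
    peer_n9: Optional[Endpoint] = None   # the other PLMN's UPF, once the SMF tells us

class Pcg:
    """UPF + UPFw pair controlled through a single N4 (PFCP) session."""
    def __init__(self, name: str):
        self.name = name
        self.sessions: Dict[int, N4Session] = {}

    def n4_establish(self, seid, controls_upfw, local_n9, peer_n9=None):
        """N4 Session Establishment: may or may not already carry the peer F-TEID."""
        self.sessions[seid] = N4Session(seid, controls_upfw, local_n9, peer_n9)
        return "ACCEPTED"

    def n4_modify(self, seid, peer_n9):
        """N4 Session Modification delivering the peer UPF's N9 F-TEID."""
        self.sessions[seid].peer_n9 = peer_n9
        return "ACCEPTED"

    def _firewalled_session(self, local_teid):
        # The UPFw only knows sessions the SMF flagged for it: default deny otherwise.
        for s in self.sessions.values():
            if s.controls_upfw and s.local_n9[1] == local_teid:
                return s
        return None

    def upfw_ingress(self, src_ip, dst_teid):
        """GTP-U packet arriving from the other PLMN on N9 (downlink at the visited
        PCG, uplink at the home PCG). Forward only into a live session whose peer is
        already known via N4 and whose address matches the packet's source."""
        s = self._firewalled_session(dst_teid)
        if s is None:
            return "DROP:unknown-teid"
        if s.peer_n9 is None:
            return "DROP:peer-not-yet-established"
        if s.peer_n9[0] != src_ip:
            return "DROP:peer-address-mismatch"
        return "FORWARD"

    def upfw_egress(self, seid, dst_ip, dst_teid):
        """Packet the local UPF wants to send over N9: it may only go to the peer
        learned via N4, so a misbehaving UPF cannot address arbitrary TEIDs."""
        s = self.sessions.get(seid)
        if s is None or s.peer_n9 is None:
            return "DROP:no-peer"
        if (dst_ip, dst_teid) != s.peer_n9:
            return "DROP:destination-mismatch"
        return "FORWARD"

def home_routed_flow():
    """Replays the steps above and records what each UPFw does at each point."""
    v_pcg, h_pcg = Pcg("V-PCG"), Pcg("H-PCG")
    v_n9 = ("198.51.100.10", 0x1001)   # visited N9 F-TEID (constructed)
    h_n9 = ("203.0.113.20", 0x2002)    # home N9 F-TEID (constructed)
    log = {}
    # Steps 5a-5b: V-SMF establishes N4 with the V-PCG; the home TEID is unknown so far.
    v_pcg.n4_establish(seid=1, controls_upfw=True, local_n9=v_n9)
    # Steps 10, 12a-12b: H-SMF establishes N4 with the H-PCG, handing over the visited TEID.
    h_pcg.n4_establish(seid=7, controls_upfw=True, local_n9=h_n9, peer_n9=v_n9)
    # Step 12d: home side complete; uplink from the V-UPF passes the H-UPFw ...
    log["12d_uplink_at_home"] = h_pcg.upfw_ingress(v_n9[0], h_n9[1])
    # ... while downlink from the H-UPF is still held back by the V-UPFw.
    log["12d_downlink_at_visited"] = v_pcg.upfw_ingress(h_n9[0], v_n9[1])
    # Step 19c: V-SMF sends the H-UPF TEID to the V-PCG; downlink is now enabled.
    v_pcg.n4_modify(seid=1, peer_n9=h_n9)
    log["19c_downlink_at_visited"] = v_pcg.upfw_ingress(h_n9[0], v_n9[1])
    # What the V-UPFw does with interconnect traffic that does not match N4 state.
    log["spoofed_source"] = v_pcg.upfw_ingress("192.0.2.99", v_n9[1])
    log["unknown_teid"] = v_pcg.upfw_ingress(h_n9[0], 0x9999)
    return log
```

The point of gating on N4 state rather than on packet contents alone is that an N9 packet from the interconnect is accepted only once the SMF has told the PCG which peer UPF, at which address and TEID, belongs to the session. Before Step 19c the V-UPFw has no peer recorded for the session and therefore drops downlink traffic, which is exactly the behaviour the description requires; after Step 19c only packets from the recorded H-UPF address to the recorded TEID pass.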
It should be noted that the aforesaid embodiments are illustrative rather than restrictive, and alternative embodiments may be designed by those skilled in the art without departing from the scope of the enclosed claims. The wordings such as “include”, “including”, “comprise” and “comprising” do not exclude elements or steps which are present but not listed in the description and the claims. It also shall be noted that as used herein and in the appended claims, the singular forms “a”, “an”, and “the” include plural referents unless the context clearly dictates otherwise. Embodiments can be achieved by means of hardware including several different elements or by means of a suitably programmed computer. In the unit claims that list several means, several of these means can be embodied in the same hardware item. The use of words such as first, second, third does not represent any order; they can simply be understood as names.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/CN2020/107334 | 8/6/2020 | WO |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO2021/031864 | 2/25/2021 | WO | A |
Number | Name | Date | Kind |
---|---|---|---|
11765608 | Yao | Sep 2023 | B2 |
20190068625 | Alfano et al. | Feb 2019 | A1 |
20190253885 | Bykampadi et al. | Aug 2019 | A1 |
Number | Date | Country |
---|---|---|
104335553 | Feb 2015 | CN |
109617865 | Apr 2019 | CN |
110048873 | Jul 2019 | CN |
1020190011302 | Feb 2019 | KR |
10-2019-0050835 | May 2019 | KR |
2018167307 | Sep 2018 | WO |
2018208371 | Nov 2018 | WO |
2019078888 | Apr 2019 | WO |
Entry |
---|
Deutsche Telekom AG et al., “TS 23.501: Introduction of Security Edge Protection Proxy”, S2-178990 (was S2-178930), SA WG2 Meeting #124, Nov. 27-Dec. 1, 2017, Reno, USA (20 pages). |
Nokia et al., “Solution to KI #27—UP Gateway function for protection of inter-PLMN N9 interface”, S3-191525 (revision of S3-19xabc), 3GPP TSG SA WG3 (Security) Meeting #95, Reno, NV, USA, May 6-10, 2019, XP051721688 (3 pages). |
Ericsson, “Deployment options for the UP gateways”, S3-193082 (revision of S3-192818), 3GPP TSG-SA WG3 Meeting #96, Wroclaw (Poland), Aug. 26-30, 2019, XP051760477 (6 pages). |
International Search Report and Written Opinion dated Nov. 11, 2020 in International Application No. PCT/CN2020/107334 (6 pages total). |
3GPP TS 33.501 V1.0.0, Mar. 31, 2018, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 15) (128 pages total). |
3GPP TS 29.500 V16.1.0, Sep. 2019, 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; 5G System; Technical Realization of Service Based Architecture; Stage 3 (Release 16) (43 pages total). |
3GPP TS 33.501 V16.0.0, Sep. 2019, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Security architecture and procedures for 5G system (Release 16) (196 pages total). |
3GPP TS 29.244 V16.1.0, Sep. 2019, 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; Interface between the Control Plane and the User Plane Nodes; Stage 3 (Release 16) (243 pages total). |
3GPP TS 23.502 V16.2.0, Sep. 2019, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Procedures for the 5G System (5GS); Stage 2 (Release 16) (525 pages total). |
3GPP TS 23.503 V16.2.0, Sep. 2019, 3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Policy and Charging Control Framework for the 5G System (5GS); Stage 2 (Release 16) (104 pages total). |
3GPP TS 29.573 V16.0.0, Sep. 2019, 3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; 5G System; Public Land Mobile Network (PLMN) Interconnection; Stage 3 (Release 16) (79 pages total). |
Number | Date | Country | |
---|---|---|---|
20220295270 A1 | Sep 2022 | US |