The present invention relates to a method for operating or for modifying the operation of a user equipment within or as part of a telecommunications network, wherein the operation or the modification of the operation of the user equipment is conducted using a control plane functionality, wherein the user equipment comprises or provides a parameter-related functionality for operating or for modifying the operation of the user equipment upon a request by a requesting entity or a requesting network node external to the user equipment, wherein the requesting entity or the requesting network node is part of the access network or of the core network.
Furthermore, the present invention relates to a user equipment for being operated or for applying a modified operation within or as part of a telecommunications network, wherein the operation or the modification of the operation of the user equipment is conducted using a control plane functionality, wherein the user equipment comprises or provides a parameter-related functionality for operating or for modifying the operation of the user equipment upon a request by a requesting entity or a requesting network node external to the user equipment, wherein the requesting entity or the requesting network node is part of the access network or of the core network.
Additionally, the present invention relates to a system or telecommunications network for operating or for modifying the operation of a user equipment within or as part of the telecommunications network, wherein the operation or the modification of the operation of the user equipment is conducted using a control plane functionality, wherein the user equipment comprises or provides a parameter-related functionality for operating or for modifying the operation of the user equipment upon a request by a requesting entity or a requesting network node external to the user equipment, wherein the requesting entity or the requesting network node is part of the access network or of the core network.
Additionally, the present invention relates to an authorization functionality of a system or telecommunications network according to the present invention.
Furthermore, the present invention relates to a program and to a computer-readable medium for operating or for modifying the operation of a user equipment within or as part of a telecommunications network according to a method according to the invention.
In conventionally known telecommunications networks, the functionality and/or the current or future mode of operation of a user equipment (within or as part of the telecommunications network) is typically accessible, at least regarding some very important or critical configuration parameters, only to the home public land mobile network (or home network) of the user equipment, i.e. only able to be changed or modified by the home network. Other, non-critical, configuration parameters might also be set or changed by either the visited public land mobile network (or visited network) and/or by the user of the user equipment; however, this often involves either only weak authentication or no authentication at all.
In an exemplary embodiment, the present invention provides a method for operating or for modifying the operation of a user equipment within or as part of a telecommunications network. The operation or the modification of the operation of the user equipment is conducted using a control plane functionality. The telecommunications network comprises or is associated or assigned to an access network and to a core network. The core network provides the user equipment with data connectivity towards a data network. The user equipment comprises or provides a parameter-related functionality for operating or for modifying the operation of the user equipment upon a request by a requesting entity or a requesting network node external to the user equipment. The requesting entity or the requesting network node is part of the access network or part of the core network. The parameter-related functionality is related or corresponds to a control plane functionality. The parameter-related functionality, as a control plane functionality or related thereto, communicates with or is accessible to a control plane network element of the telecommunications network, via a control plane channel. The telecommunications network comprises or is assigned to or is able to access an authorization functionality, the authorization functionality being able to provide authorization information regarding or related to the parameter-related functionality of the user equipment. The method comprises the following steps: in a first step, the user equipment receives, from the authorization functionality, at least one piece of authorization information, and the user equipment receives, from the requesting entity or the requesting network node, an authorization request message; and in a second step, the user equipment determines whether the authorization request is valid, and based on the authorization request being valid, processes the received authorization request message according to its content.
Subject matter of the present disclosure will be described in even greater detail below based on the exemplary figures. All features described and/or illustrated herein can be used alone or combined in different combinations. The features and advantages of various embodiments will become apparent by reading the following detailed description with reference to the attached drawings, which illustrate the following:
Exemplary embodiments of the present invention provide a technically simple, effective and cost effective solution for operating or for modifying the operation of a user equipment within or as part of a telecommunications network, wherein the operation or the modification of the operation of the user equipment is conducted using a control plane functionality. Exemplary embodiments of the present invention further provide a corresponding user equipment, system or mobile communication network, authorization functionality, and a corresponding program and computer-readable medium.
Exemplary embodiments of the present invention provide a method for operating or for modifying the operation of a user equipment within or as part of a telecommunications network, wherein the operation or the modification of the operation of the user equipment is conducted using a control plane functionality,
It is thereby advantageously possible according to the present invention that by the user equipment receiving both the at least one piece of authorization information, and the authorization request message, it is possible, for the user equipment, to determine whether the request message (received from the requesting entity or the requesting network node) is legitimate and/or to be trusted or not.
According to the present invention, it is advantageously possible to realize an increased level of security regarding the configuration and/or operation of a user equipment, or the modification of its operation, within or as part of a telecommunications network. According to the present invention, it is especially proposed to apply application programming interface-based delegated authorization (e.g. OAuth) principles in order to modify configuration parameters on the user equipment and/or on the subscriber identity module (such as a universal subscriber identity module, USIM).
In conventionally used or operated telecommunications networks, there are only two categories of access:
According to the present invention, it is advantageously possible to add more flexibility to the interactions between networks. With the introduction of campus networks and network slices, it is expected that the number of networks and the level of relationship with some of them will be more complex than just “V-PLMN or H-PLMN”. Additionally, agreements may be constrained to certain time durations and/or locations and/or third parties (e.g. enterprises). This is not possible in conventionally known telecommunications networks.
Furthermore according to the present invention, it is advantageously possible to realize or to enable one or a plurality out of the following:
According to the present invention, a control plane functionality is used for configuring or for operating or for modifying the operation of a user equipment within or as part of a telecommunications network.
The telecommunications network typically comprises an access network and a core network. However, the present invention is also related to situations where the telecommunications network does not comprise, strictly speaking, both an access network and a core network, but where the telecommunications network is only associated or assigned to an access network (and especially comprises the core network), or where the telecommunications network is only associated or assigned to a core network (and especially comprises the access network), or where the telecommunications network is only associated or assigned to both an access network and a core network. According to the present invention, the core network especially provides the user equipment with data connectivity towards a data network, hence the core network, at least partly, realizes 5G functionality.
According to the present invention, the user equipment comprises or provides a parameter-related functionality for operating or for modifying the operation of the user equipment upon a request by a requesting entity or a requesting network node external to the user equipment. The parameter-related functionality might be realized as or correspond to a configuration parameter of either the user equipment or a part or component thereof (such as, e.g., a subscriber identity module such as a SIM card or USIM), wherein the configuration parameter is able to be set or modified. According to the present invention, the parameter-related functionality or functionalities (or each parameter-related functionality) relates to or corresponds to an authorization function or authorization functions. An authorization function is linked to one or a plurality of (configuration) parameters of the user equipment, e.g. in the subscriber identity module (SIM card or USIM), and/or linked to the subscription of a specific network.
Especially, the requesting entity or the requesting network node is part of the access network or of the core network.
According to the present invention, the parameter-related functionality is related or corresponds to a control plane functionality, and the parameter-related functionality, as a control plane functionality or related therewith, communicates with or is accessible to a control plane network element (or to a plurality of control plane network elements) of the telecommunications network, via a control plane channel. Especially, the control plane element corresponds to an access and mobility management function of the core network, and the control plane channel corresponds to an interface between the user equipment and the control plane element, i.e. a signaling channel. This is in contrast, according to the present invention, to using a user plane functionality, e.g. between a user equipment application and a data network.
Furthermore according to the present invention, the telecommunications network comprises or is assigned to or is able to access an authorization functionality, the authorization functionality being able to provide authorization information regarding or related to the parameter-related functionality of the user equipment, and, in order to operate or to modify the operation of the user equipment, the method comprises the following steps:
According to the present invention, it is advantageously possible that, in a third step, the requesting entity or the requesting network node transmits an initial authorization request message to the authorization functionality, wherein the initial authorization request message comprises a request content, wherein the transmission of the initial authorization request message to the authorization functionality causes the authorization functionality to transmit the at least one piece of authorization information to the user equipment and to transmit further authorization information to the requesting entity or the requesting network node.
It is thereby advantageously possible that prior to the requesting entity or the requesting network node changing the configuration of the user equipment, the authorization functionality is involved such that the intended modification of the configuration of the user equipment is able to be authorized by the authorization functionality.
According to the present invention, it is furthermore advantageously possible and preferred that the third step involves the authorization functionality to determine whether the requesting entity or the requesting network node is allowed to request, from the user equipment, the request content.
It is thereby advantageously possible according to the present invention that the authorization functionality performs the check as to whether the requesting entity or the requesting network node is indeed entitled to request to trigger the intended modification of the configuration of the user equipment.
According to the present invention, it is furthermore advantageously possible and preferred that a control plane channel acts as transport channel for a user plane channel via encapsulation or vice-versa, especially for the transmission of the at least one piece of authorization information and/or for the transmission of the authorization request message.
Furthermore, it is advantageously possible and preferred according to the present invention that
Thereby, it is advantageously possible to apply a method according to the invention for almost any kind of configuration or configuration change of or within the user equipment or of any part or module or component of the user equipment.
Furthermore, it is advantageously possible and preferred according to the present invention that the piece of authorization information is or corresponds to or comprises a token information, wherein the token information or the token information in modified form is also part of the authorization request message.
Thereby, it is advantageously possible that via using a token information as or as part of the authorization information a comparatively high level of security is possible to be realized; especially the token information is able to correspond to an encrypted (and/or signed) version of an information such that only the user equipment is able to decrypt it (and/or to verify its signature).
According to a further preferred embodiment of the present invention, the authorization information comprises security information in order for the user equipment to be able to validate or to determine the integrity of the authorization request message received from the requesting entity or the requesting network node.
Thereby, it is advantageously possible that the level of security is still enhanced.
According to a further preferred embodiment of the present invention, the authorization information and/or the authorization request message comprise additional condition information, the condition information comprising an indication regarding the validity and/or regarding the applicability of the authorization request message with regard to at least one out of the following:
It is thereby advantageously possible to provide for a fine grained implementation when applying any configuration or modification regarding the operation of the user equipment, especially involving different kinds of conditions, e.g. regarding time, location, use of certain services and/or radio access technologies, certain operational states of the user equipment or the like.
According to a further preferred embodiment of the present invention, the requesting entity or the requesting network node corresponds to at least one out of the following components within a 5G system or IP multimedia subsystem, IMS system:
Furthermore, it is advantageously possible and preferred according to the present invention that the parameter-related functionality and/or the specific application programming interface functionality provided by the parameter-related functionality within the user equipment, expose one or more of the following functionalities within a mobile communications system:
Furthermore, the present invention relates to a user equipment for being operated or for applying a modified operation within or as part of a telecommunications network, wherein the operation or the modification of the operation of the user equipment is conducted using a control plane functionality,
Furthermore, the present invention relates to a system or telecommunications network for operating or for modifying the operation of a user equipment within or as part of the telecommunications network, wherein the operation or the modification of the operation of the user equipment is conducted using a control plane functionality.
Still additionally, the present invention relates to an authorization functionality of a system or a telecommunications network according to the invention.
Additionally, the present invention relates to a program comprising a computer readable program code and/or a computer-readable medium comprising instructions, which, when executed on a computer and/or on a user equipment and/or on an authorization functionality and/or on a network node of a telecommunications network, or in part on a user equipment and/or in part on an authorization functionality and/or in part on a network node of a telecommunications network, causes the computer and/or the user equipment and/or the authorization functionality and/or the network node of the telecommunications network to perform a method according to the invention.
These and other characteristics, features and advantages of the present invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, which illustrate, by way of example, the principles of the invention. The description is given for the sake of example only, without limiting the scope of the invention. The reference figures quoted below refer to the attached drawings.
The present invention will be described with respect to particular embodiments and with reference to certain drawings, but the invention is not limited thereto but only by the claims. The drawings described are only schematic and are non-limiting. In the drawings, the size of some of the elements may be exaggerated and not drawn on scale for illustrative purposes.
Where an indefinite or definite article is used when referring to a singular noun, e.g. “a”, “an”, “the”, this includes a plural of that noun unless something else is specifically stated.
Furthermore, the terms first, second, third and the like in the description and in the claims are used for distinguishing between similar elements and not necessarily for describing a sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances and that the embodiments of the invention described herein are capable of operation in other sequences than described or illustrated herein.
In
According to the present invention, the user equipment 20 is operated or configured or its operation or mode of operation modified using a control plane functionality of the telecommunications network 100.
According to the present invention, as in conventionally known telecommunications networks, the telecommunications network 100 realizes a separation of a control plane from a user plane in the communication between the user equipment 20, the access network 110 (or radio access network 110), and the core network 120 of the telecommunications network 100. As in conventionally known telecommunications networks, the telecommunications network 100 comprises different levels of signaling, each with different anchoring (non-access stratum/N1 interface between the user equipment 20 and the core network 120, and radio resource control between the user equipment 20 and the radio access network 110 (or access network 110)). An access and mobility management function 121 serves as control plane anchor and a user plane function 122 serves as user plane anchor. As interfaces between the core network 120 and the access network 110, the SCTP is used for the control plane 101, and the GTP-U is used for the user plane 102.
According to the present invention, the user equipment 20 comprises or provides a parameter-related functionality 25 for operating or for modifying the operation of the user equipment 20 upon a request by the requesting entity or the requesting network node 190 external to the user equipment 20.
The parameter-related functionality 25 is related or corresponds to a control plane functionality, and the parameter-related functionality 25, as a control plane functionality or related therewith, communicates with or is accessible to a control plane network element (typically an access and mobility management function) of the telecommunications network 100, via a control plane channel.
According to the present invention, the authorization functionality 170 is able to provide authorization information regarding or related to the parameter-related functionality 25 of the user equipment 20.
In
According to the present invention, in order to operate or to modify the operation of the user equipment 20, the method according to the present invention comprises the following steps:
According to a preferred embodiment according to the present invention, in a third step (especially but not necessarily completely preceding the first step), the requesting entity or the requesting network node 190 transmits an initial authorization request message 270 to the authorization functionality 170, wherein the initial authorization request message 270 comprises a request content, wherein the transmission of the initial authorization request message 270 to the authorization functionality 170 causes the authorization functionality 170 to transmit the at least one piece of authorization information 280 to the user equipment 20 and to transmit further authorization information 281 to the requesting entity or the requesting network node 190.
In
In a first processing step 201, the requesting entity or the requesting network node 190 transmits the initial authorization request message 270 to the authorization functionality 170, thereby requesting or triggering the authorization information 280 (especially in the form of or comprising a token information) to be sent to the user equipment 20. Already the initial authorization request message 270 especially relates to a specific one parameter-related functionality 25 (also called ‘parameter X’) of the parameter-related functionalities 25 of the user equipment 20, or to a specific plurality (or subset) of the parameter-related functionalities 25 of the user equipment 20; e.g. the initial authorization request message 270 requests a token to write parameter X.
In a second processing step 202, the authorization functionality 170 evaluates whether the requesting entity or the requesting network node 190 (e.g. especially a core network element A (or also network element of another telecommunications network, different from the telecommunications network 100)) is allowed to request the modification or configuration related to the specific one parameter-related functionality 25 or the specific plurality (or subset) of parameter-related functionalities 25 of the user equipment 20. In case this evaluation results in a positive outcome, the flow is continued to the third processing step 203.
In the third processing step 203, the authorization functionality 170 transmits the at least one piece of authorization information 280 to the user equipment 20, thereby informing the user equipment 20 about the authorization of the requesting entity or the requesting network node 190 to access or to write or to configure an information or a parameter related to the specific one parameter-related functionality 25 (‘parameter X’) or the specific plurality (or subset) of parameter-related functionalities 25 of the user equipment 20, e.g. via a message “Token-X allowed access to write parameter X”.
In a fourth processing step 204, the user equipment 20 stores at least part of the authorization information 280 or derives or is able to derive an information from the authorization information 280 (“Token-X configuration stored by the user equipment 20, authorization function (or parameter-related functionality) being configured by the authorization functionality 170 UAF”).
In a fifth processing step 205, the authorization functionality 170 transmits further authorization information 281 to the requesting entity or the requesting network node 190, especially comprising the token information (“Token X”).
In a sixth processing step 206, the requesting entity or the requesting network node 190 transmits the authorization request message 290 to the user equipment 20. The authorization request message 290 comprises the request which parameter or which parameter-related functionality 25 or which authorization function 25 is to be accessed or modified and in which manner (especially which parameter is requested to be changed how). Furthermore, the authorization request message 290 also comprises the authorization information 280 or part thereof. Hence, the authorization request message 290 might be of the form “Write parameter X+Token-X”. The fifth or the fifth and the sixth processing steps 205, 206 could alternatively also occur prior to the third processing step 203.
In a seventh processing step 207, the user equipment 20 evaluates the authorization request message 290, and performs the requested modification of the parameter-related functionality 25 or of the authorization function 25 (“Evaluate request+Token-X, Write value in parameter X”).
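The seven processing steps 201 to 207, modelled as an added example that is not part of the patent: the authorization functionality 170 checks its policy, issues a token (authorization information 280 to the user equipment 20, further authorization information 281 to the requesting node 190), and the user equipment accepts the later “Write parameter X+Token-X” message 290 only if the token is one it has stored, its signature verifies, and its conditions (time period, geographical area) hold. It assumes a symmetric key shared between the authorization functionality and the user equipment (the description only requires that the user equipment can verify the token), and the node, parameter and area names are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets
import time


def _sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of a token payload."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class AuthorizationFunctionality:
    """Authorization functionality 170: decides who may touch which parameter."""

    def __init__(self, ue_key: bytes, policy: set):
        self._ue_key = ue_key          # assumed key shared with the UE (hypothetical)
        self._policy = policy          # allowed (requester, parameter, operation) tuples

    def handle_initial_request(self, requester, parameter, operation, ttl_s, area):
        """Steps 201-205: returns (info 280 for the UE, info 281 for the requester),
        or None when the requester is not allowed to request this change."""
        if (requester, parameter, operation) not in self._policy:   # step 202
            return None
        payload = {
            "token_id": secrets.token_hex(8),
            "requester": requester,
            "parameter": parameter,
            "operation": operation,
            "not_after": int(time.time()) + ttl_s,   # time condition
            "area": area,                            # geographical condition
        }
        token = {"payload": payload, "sig": _sign(self._ue_key, payload)}
        return token, token   # 280 -> UE ("Token-X allowed ..."), 281 -> requester


class UserEquipment:
    """User equipment 20 holding the parameter-related functionality 25."""

    def __init__(self, af_key: bytes, location: str):
        self._af_key = af_key
        self.location = location
        self.parameters = {"X": None}
        self._authorizations = {}      # token_id -> payload, filled in step 204

    def receive_authorization_info(self, info) -> bool:
        """Step 204: store the authorization information if its signature checks out."""
        if not hmac.compare_digest(_sign(self._af_key, info["payload"]), info["sig"]):
            return False
        self._authorizations[info["payload"]["token_id"]] = info["payload"]
        return True

    def handle_authorization_request(self, msg, now=None) -> str:
        """Step 207: evaluate 'Write parameter X + Token-X' and apply it only if valid."""
        now = int(time.time()) if now is None else now
        token = msg["token"]
        payload = token["payload"]
        if self._authorizations.get(payload["token_id"]) != payload:
            return "rejected: token not known to this UE"
        if not hmac.compare_digest(_sign(self._af_key, payload), token["sig"]):
            return "rejected: bad signature"
        if (payload["parameter"], payload["operation"]) != (msg["parameter"], msg["operation"]):
            return "rejected: token not issued for this request"
        if now > payload["not_after"]:
            return "rejected: token expired"
        if payload["area"] != self.location:
            return "rejected: outside authorized area"
        self.parameters[msg["parameter"]] = msg["value"]
        return "applied"


def run_flow():
    """Build the constructed sample network and run steps 201-206; returns (ue, message 290)."""
    key = secrets.token_bytes(32)
    af = AuthorizationFunctionality(key, {("core_network_element_A", "X", "write")})
    ue = UserEquipment(key, location="area_1")
    info_280, info_281 = af.handle_initial_request("core_network_element_A", "X", "write",
                                                   ttl_s=600, area="area_1")
    assert ue.receive_authorization_info(info_280)
    msg_290 = {"parameter": "X", "operation": "write", "value": 42, "token": info_281}
    return ue, msg_290


if __name__ == "__main__":
    ue, msg = run_flow()
    print(ue.handle_authorization_request(msg), ue.parameters)
```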
Hence, via the present invention, it is advantageously possible to provide a very flexible mechanism to transmit configuration information to the user equipment and/or to apply changes in the mode of operation or the configuration of the user equipment in a secure manner, i.e. the authorization functionality 170 acts as a gatekeeper (or authorization provider) for other network entities or network elements or requesting entities—be it of the same telecommunications network 100 of the user equipment 20 or of another telecommunications network—that request to apply a certain configuration or a certain configuration change. Especially due to such an enhanced flexibility and adaptability of the user equipment operation, it is advantageously possible according to the present invention that the authorization information 280 and/or the authorization request message 290 comprise additional condition information, the condition information comprising an indication regarding the validity and/or regarding the applicability of the authorization request message 290 with regard to at least one out of the following: a specific time period and a specific geographical area. Hence, additionally, it is possible for either the core network element or the authorization functionality 170 to add conditions such that the authorization information (especially the token information) has a conditional validity: besides stipulating an expiration (i.e. a time expiration), mobile-network-specific conditions (i.e. conditions of the telecommunications network 100) such as the following could be added to the token validity (validity of the authorization information) so that:
While subject matter of the present disclosure has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive. Any statement made herein characterizing the invention is also to be considered illustrative or exemplary and not restrictive as the invention is defined by the claims. It will be understood that changes and modifications may be made, by those of ordinary skill in the art, within the scope of the following claims, which may include any combination of features from different embodiments described above.
The terms used in the claims should be construed to have the broadest reasonable interpretation consistent with the foregoing description. For example, the use of the article “a” or “the” in introducing an element should not be interpreted as being exclusive of a plurality of elements. Likewise, the recitation of “or” should be interpreted as being inclusive, such that the recitation of “A or B” is not exclusive of “A and B,” unless it is clear from the context or the foregoing description that only one of A and B is intended. Further, the recitation of “at least one of A, B and C” should be interpreted as one or more of a group of elements consisting of A, B and C, and should not be interpreted as requiring at least one of each of the listed elements A, B and C, regardless of whether A, B and C are related as categories or otherwise. Moreover, the recitation of “A, B and/or C” or “at least one of A, B or C” should be interpreted as including any singular entity from the listed elements, e.g., A, any subset from the listed elements, e.g., A and B, or the entire list of elements A, B and C.
Number | Date | Country | Kind |
---|---|---|---|
21189478.7 | Aug 2021 | EP | regional |
This application is a U.S. National Phase application under 35 U.S.C. § 371 of International Application No. PCT/EP2022/071704, filed on Aug. 2, 2022, and claims benefit to European Patent Application No. EP 21189478.7, filed on Aug. 3, 2021. The International Application was published in English on Feb. 9, 2023 as WO 2023/012163 A1 under PCT Article 21(2).
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2022/071704 | 8/2/2022 | WO | |