WO2021115388A1 - Method and apparatus for user plane function selection

Info

Publication number
WO2021115388A1
Authority
WO
WIPO (PCT)
Prior art keywords
user plane
network
function
plane function
information element
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2020/135304
Other languages
French (fr)
Inventor
Wei Luo
Neda FARHAND
Abhay DS
Ziquan PAN
Daniel Nilsson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Telefonaktiebolaget LM Ericsson AB
Original Assignee
Telefonaktiebolaget LM Ericsson AB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Telefonaktiebolaget LM Ericsson AB
Publication of WO2021115388A1
Legal status: Ceased

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/37 Managing security policies for mobile devices or for controlling mobile applications

Definitions

  • the non-limiting and exemplary embodiments of the present disclosure generally relate to the technical field of communications, and specifically to methods and apparatuses for user plane function selection.
  • control and user plane separation has been introduced in a communication network.
  • 3GPP 3rd Generation Partnership Project
  • TS 23.501 V16.2.0, the disclosures of which are incorporated by reference herein in their entirety, has introduced the control plane function such as session management function (SMF) and the user plane function such as user plane function (UPF).
  • SMF session management function
  • UPF user plane function
  • N9 is a reference point between two UPFs.
  • the selection and reselection of the UPF may be performed by the SMF by considering user plane function deployment scenarios such as centrally located user plane function and distributed user plane function located close to or at the access network site.
  • 3GPP TS 33.501 V16.0.0 specifies the security architecture for the fifth generation (5G) system (5GS) and the 5G core network (5GC).
  • 3GPP TS 33.501 V16.0.0 contains security features, security mechanisms, and the security procedures performed for the 5GS and the 5GC.
  • the N9 roaming interface of the UPF needs to be protected from traffic which is there either due to attack, misconfiguration or due to network transient conditions.
  • there is no efficient method for the SMF to automatically determine a) which UPF has the N9 firewall function built into it, b) which UPF instances are available to provide the firewall service if the UPF instance does not have the N9 firewall function built into it, c) whether the VPLMN (Visited Public Land Mobile Network) N9 firewall and the HPLMN (Home Public Land Mobile Network) N9 firewall are allowed to communicate with their respective UPFs at a given point in time, and d) whether the two UPFs/IPUPS (Inter PLMN (Public Land Mobile Network) UP (user plane) Security) in different PLMNs need to be identified with each other, such that they can list each other and update their load and capabilities at runtime via the NRF (Network Repository Function). Therefore the SMF cannot select the UPF having the N9 firewall function built into it.
  • the embodiments of the present disclosure propose an improved solution of user plane function selection.
  • the user plane function may send the capabilities of the user plane function including IPUPS capability or IPUPS+UPF capability as a part of a single network function registration request towards the NRF.
  • a standalone IPUPS may send a list of UPFs that it is allowed to serve as a part of a single network function registration request towards the NRF.
  • the user plane function may update its profile in the NRF when the UPF capabilities are changed or modified.
  • the UPF selection algorithm in the SMF for roaming traffic is applied such that, depending on the capabilities of the UPF(s) and their connection information, the SMF may select the UPF with IPUPS capability or the UPF followed by a dedicated IPUPS.
  • the user plane function may update the load and/or priority of the user plane function to the NRF when the load and/or priority changes on the UPF/IPUPS.
  • NRF can subscribe to network function from a local PLMN or a different PLMN.
  • a method at a session management function of a first network comprises obtaining information related to at least one first user plane function of the first network. Said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability. The method further comprises selecting a first user plane function for a session based on the information related to at least one first user plane function of the first network.
  • obtaining information related to at least one first user plane function of the first network may comprise at least one of locally obtaining the information related to at least one first user plane function of the first network when the information related to at least one first user plane function of the first network is locally configured in the session management function; obtaining the information related to at least one first user plane function of the first network from a network repository function when the information related to at least one first user plane function of the first network is stored in the network repository function.
  • the information element may include a first information element indicating that the at least one first user plane function has user plane function capability and inter network user plane security capability; or the information element includes a second information element indicating that the at least one first user plane function has the inter network user plane security capability without user plane function capability; or when the first information element and the second information element are not present in the information related to the at least one first user plane function, it indicates that the at least one first user plane function has user plane function capability without user plane security capability.
  • the information related to the at least one first user plane function may further include information related to at least one second user plane function to which the at least one first user plane function is attached, at least one of the at least one second user plane function is located in a second network.
  • the information related to the at least one second user plane function may include an information element indicating whether the at least one second user plane function has inter network user plane security capability.
  • selecting a first user plane function for a session based on the information related to at least one first user plane function of the first network may comprise a) selecting a first user plane function of the first network having user plane function capability and inter network user plane security capability; or b) selecting a first user plane function of the first network having the inter network user plane security capability without user plane function capability and a first user plane function of the first network having user plane function capability without inter network user plane security capability when a) is not fulfilled; or c) selecting a default first user plane function when a) and b) are not fulfilled.
  • selecting a user plane function for a session based on the information related to at least one first user plane function of the first network may comprise, when two or more first user plane functions can be selected, selecting the first user plane function for the session based on respective load and/or respective priority of the two or more first user plane functions.
  • the information related to at least one first user plane function of the first network may be updated information related to at least one first user plane function of the first network.
  • the information related to the at least one first user plane function of the first network may further include an information element indicating a load and/or a priority of the at least one first user plane function.
  • a method at a first user plane function of a first network comprises sending a network function register request including a network function profile of the first user plane function to a network repository function.
  • the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the method further comprises receiving a network function register response from the network repository function.
  • the information element may include a first information element indicating that the first user plane function has user plane function capability and inter network user plane security capability; or the information element includes a second information element indicating that the first user plane function has the inter network user plane security capability without user plane function capability; or when the first information element and the second information element are not present in the network function profile of the first user plane function, it indicates that the first user plane function has user plane function capability without user plane security capability.
  • the network function profile of the first user plane function may further include information related to at least one second user plane function to which the first user plane function is attached, at least one of the at least one second user plane function is located in a second network.
  • the information related to at least one second user plane function may include an information element indicating whether the at least one second user plane function has inter network user plane security capability.
  • the method further comprises sending a network function update request including an updated network function profile of the first user plane function to the network repository function, wherein the updated network function profile includes an information element indicating whether the first user plane function has an inter network user plane security capability; and receiving a network function update response from the network repository function.
  • the network function profile of the first user plane function may further include an information element indicating a load and/or a priority of the first user plane function.
  • a method at a network repository function comprises receiving a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the method further comprises sending a network function register response to the first user plane function of the first network.
  • the method may further comprise receiving a network function update request including an updated network function profile of the first user plane function from the first user plane function of the first network, wherein the updated network function profile includes an information element indicating whether the first user plane function has the inter network user plane security capability; and sending a network function update response to the first user plane function of the first network.
  • the method may further comprise receiving a network function discovery request for discovering user plane function from a session management function of the first network; determining at least one first network function of the first network matching the network function discovery request; and sending a network function discovery response including respective network function profile of the at least one first network function to the session management function of the first network.
  • an apparatus implemented in a session management function of a first network.
  • the apparatus comprises a processor; and a memory coupled to the processor, said memory containing instructions executable by said processor, whereby said apparatus is operative to obtain information related to at least one first user plane function of the first network.
  • Said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability.
  • Said apparatus is further operative to select a first user plane function for a session based on the information related to at least one first user plane function of the first network.
  • an apparatus implemented in a first user plane function of a first network.
  • the apparatus comprises a processor; and a memory coupled to the processor, said memory containing instructions executable by said processor, whereby said apparatus is operative to send a network function register request including a network function profile of the first user plane function to a network repository function.
  • the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • Said apparatus is further operative to receive a network function register response from the network repository function.
  • an apparatus implemented in a network repository function.
  • the apparatus comprises a processor; and a memory coupled to the processor, said memory containing instructions executable by said processor, whereby said apparatus is operative to receive a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network.
  • the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • Said apparatus is further operative to send a network function register response to the first user plane function of the first network.
  • a session management function of a first network may be SMF of 5GS.
  • the session management function comprises an obtaining module configured to obtain information related to at least one first user plane function of the first network, wherein said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability.
  • the session management function further comprises a selecting module configured to select a first user plane function for a session based on the information related to at least one first user plane function of the first network.
  • a first user plane function of a first network may be UPF of 5GS.
  • the first user plane function comprises a sending module configured to send a network function register request including a network function profile of the first user plane function to a network repository function, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the first user plane function further comprises a receiving module configured to receive a network function register response from the network repository function.
  • the network repository function may be NRF of 5GS.
  • the network repository function comprises a receiving module configured to receive a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the network repository function further comprises a sending module configured to send a network function register response to the first user plane function of the first network.
  • a computer program product comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the first aspect of the disclosure.
  • a computer program product comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the second aspect of the disclosure.
  • a computer program product comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the third aspect of the disclosure.
  • a computer-readable storage medium storing instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the first aspect of the disclosure.
  • a computer-readable storage medium storing instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the second aspect of the disclosure.
  • a computer-readable storage medium storing instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the third aspect of the disclosure.
  • Embodiments herein afford many advantages, of which a non-exhaustive list of examples follows.
  • Some embodiments herein may automatically detect the UPF or UPF+IPUPS or IPUPS in a 3GPP system and select the same for different types of roaming traffic and subsequent N4 session establishment from the SMF to the UPF such that all UPF roaming traffic may be protected via the N9 firewall.
  • Some embodiments herein may not overload the IPUPS by selecting another IPUPS to perform the firewall function.
  • the SMF can efficiently choose the UPF+IPUPS or the IPUPS in order to keep the network stable and keep the UPF load stable during a DDOS (distributed denial-of-service) attack.
  • DDOS distributed denial-of-service
  • FIG. 1 schematically shows a high level architecture in the fifth generation network
  • FIG. 2 shows a flowchart of a method according to an embodiment of the present disclosure
  • FIG. 3 shows a flowchart of a method according to another embodiment of the present disclosure
  • FIG. 4 shows a flowchart of a method according to another embodiment of the present disclosure
  • FIG. 5 shows a flowchart of a method according to another embodiment of the present disclosure
  • FIG. 6 shows a flowchart of a method according to another embodiment of the present disclosure.
  • FIG. 7 shows a flowchart of a method according to another embodiment of the present disclosure.
  • FIG. 8 is a block diagram showing an apparatus suitable for use in practicing some embodiments of the disclosure.
  • FIG. 9 illustrates a simplified block diagram of a session management function of a first network according to an embodiment of the present disclosure
  • FIG. 10 illustrates a simplified block diagram of a first user plane function of a first network according to an embodiment of the present disclosure.
  • FIG. 11 illustrates a simplified block diagram of a network repository function according to an embodiment of the present disclosure.
  • the term “network” refers to a network following any suitable wireless communication standards such as new radio (NR), long term evolution (LTE), LTE-Advanced, wideband code division multiple access (WCDMA), high-speed packet access (HSPA), Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency-Division Multiple Access (OFDMA), Single carrier frequency division multiple access (SC-FDMA) and other wireless networks.
  • NR new radio
  • LTE long term evolution
  • WCDMA wideband code division multiple access
  • HSPA high-speed packet access
  • CDMA Code Division Multiple Access
  • TDMA Time Division Multiple Access
  • FDMA Frequency Division Multiple Access
  • OFDMA Orthogonal Frequency-Division Multiple Access
  • SC-FDMA Single carrier frequency division multiple access
  • a TDMA network may implement a radio technology such as Global System for Mobile Communications (GSM).
  • GSM Global System for Mobile Communications
  • An OFDMA network may implement a radio technology such as Evolved UTRA (E-UTRA), Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, Flash-OFDMA, Ad-hoc network, wireless sensor network, etc.
  • E-UTRA Evolved UTRA
  • UMB Ultra Mobile Broadband
  • IEEE 802.11 Wi-Fi
  • IEEE 802.16 WiMAX
  • the terms “network” and “system” can be used interchangeably.
  • the communications between two devices in the network may be performed according to any suitable communication protocols, including, but not limited to, the communication protocols as defined by a standard organization such as 3GPP.
  • the communication protocols may comprise the first generation (1G), 2
  • network entity refers to a network device or function such as a core network device in a communication network.
  • the network entity may include user plane function and control plane function, etc., which may offer numerous services to customers who are interconnected by an access network device.
  • Each access network device is connectable to the core network device over a wired or wireless connection.
  • NF network function
  • the 5G system may comprise a plurality of NFs such as AMF (Access and mobility Function), SMF (Session Management Function), AUSF (Authentication Service Function), UDM (Unified Data Management), PCF (Policy Control Function), AF (Application Function), NEF (Network Exposure Function), UPF (User plane Function) and NRF (Network Repository Function), RAN (radio access network), SCP (service communication proxy), etc.
  • the network function may comprise different types of NFs for example depending on a specific type of network.
  • terminal device refers to any end device that can access a communication network and receive services therefrom.
  • the terminal device refers to a mobile terminal, user equipment (UE), or other suitable devices.
  • the UE may be, for example, a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT).
  • SS Subscriber Station
  • MS Mobile Station
  • AT Access Terminal
  • the terminal device may include, but is not limited to, a portable computer, an image capture terminal device such as a digital camera, a gaming terminal device, a music storage and a playback appliance, a mobile phone, a cellular phone, a smart phone, a voice over IP (VoIP) phone, a wireless local loop phone, a tablet, a wearable device, a personal digital assistant (PDA), a portable computer, a desktop computer, a wearable terminal device, a vehicle-mounted wireless terminal device, a wireless endpoint, a mobile station, a laptop-embedded equipment (LEE), a laptop-mounted equipment (LME), a USB dongle, a smart device, a wireless customer-premises equipment (CPE) and the like.
  • a terminal device may represent a UE configured for communication in accordance with one or more communication standards promulgated by the 3GPP, such as 3GPP’s LTE standard or NR standard.
  • a “user equipment” or “UE” may not necessarily have a “user” in the sense of a human user who owns and/or operates the relevant device.
  • a terminal device may be configured to transmit and/or receive information without direct human interaction.
  • a terminal device may be designed to transmit information to a network on a predetermined schedule, when triggered by an internal or external event, or in response to requests from the communication network.
  • a UE may represent a device that is intended for sale to, or operation by, a human user but that may not initially be associated with a specific human user.
  • a terminal device may represent a machine or other device that performs monitoring and/or measurements, and transmits the results of such monitoring and/or measurements to another terminal device and/or network equipment.
  • the terminal device may in this case be a machine-to-machine (M2M) device, which may in a 3GPP context be referred to as a machine-type communication (MTC) device.
  • M2M machine-to-machine
  • MTC machine-type communication
  • the terminal device may be a UE implementing the 3GPP narrow band internet of things (NB-IoT) standard.
  • NB-IoT narrow band internet of things
  • a terminal device may represent a vehicle or other equipment that is capable of monitoring and/or reporting on its operational status or other functions associated with its operation.
  • references in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • although the terms first and second etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments.
  • the term “and/or” includes any and all combinations of one or more of the associated listed terms.
  • a communication system may further include any additional elements suitable to support communication between terminal devices or between a wireless device and another communication device, such as a landline telephone, a service provider, or any other network node or terminal device.
  • the communication system may provide communication and various types of services to one or more terminal devices to facilitate the terminal devices’ access to and/or use of the services provided by, or via, the communication system.
  • FIG. 1 schematically shows a high level architecture in the fifth generation network.
  • the system architecture of FIG. 1 may comprise some exemplary elements such as AUSF, AMF, DN (data network), NEF, NRF, NSSF, PCF, SMF, UDM, UPF, AF, UE, (R)AN, SCP, Intermediate NEF (I-NEF), visited Security Edge Protection Proxy (vSEPP), home Security Edge Protection Proxy (hSEPP), etc.
  • the UE can establish a signaling connection with the AMF over the reference point N1, as illustrated in FIG. 1.
  • This signaling connection may enable NAS (Non-access stratum) signaling exchange between the UE and the core network, comprising a signaling connection between the UE and the (R)AN and the N2 connection for this UE between the (R)AN and the AMF.
  • the (R)AN can communicate with the UPF over the reference point N3.
  • the UE can establish a protocol data unit (PDU) session to the DN (data network, e.g. an operator network or Internet) through the UPF over the reference point N6.
  • PDU protocol data unit
  • the exemplary system architecture also contains the service-based interfaces such as Nnrf, Nnef, Nausf, Nudm, Npcf, Namf and Nsmf exhibited by NFs such as the NRF, the NEF, the AUSF, the UDM, the PCF, the AMF and the SMF.
  • FIG. 1 also shows some reference points such as N1, N2, N3, N4, N6 and N9, which can support the interactions between NF services in the NFs.
  • these reference points may be realized through corresponding NF service-based interfaces and by specifying some NF service consumers and providers as well as their interactions in order to perform a particular system procedure.
  • Various NFs shown in FIG. 1 may be responsible for functions such as session management, mobility management, authentication, security, etc.
  • the AUSF, AMF, DN, NEF, NRF, NSSF, PCF, SMF, UDM, UPF, AF, UE, (R)AN, SCP, SEPP, etc. may include the functionality for example as defined in 3GPP TS 23.501 V16.2.0 and 3GPP TS 33.501 V16.0.0.
  • the embodiments of the present disclosure propose an improved solution of user plane function selection which will be described in FIGs. 2-11.
  • FIG. 2 shows a flowchart of a method according to an embodiment of the present disclosure, which may be performed by an apparatus implemented in/as or communicatively coupled to a session management function of a first network.
  • the apparatus may provide means or modules for accomplishing various parts of the method 200 as well as means or modules for accomplishing other processes in conjunction with other components.
  • the session management function may be any suitable entity or node which can implement the session management function.
  • the session management function may be SMF of 5G network.
  • the first network may be any network such as VPLMN or HPLMN, etc.
  • the session management function obtains information related to at least one first user plane function of the first network.
  • Said information may include an information element indicating whether the at least one first user plane function has an inter network user plane security capability.
  • the first user plane function may be any suitable entity or node which can implement the user plane function.
  • the user plane function may be UPF of 5G network.
  • the session management function may obtain the information related to at least one first user plane function of the first network in various ways. As a first example, when this information is locally configured in the session management function e.g. by a network device such as OA&M (operations, administration, and management) system when the first user plane function is instantiated or removed or changed, the session management function may locally obtain this information for example from its local storage.
  • the information related to at least one first user plane function of the first network can be updated e.g. by OA&M system any time, or the at least one first user plane function itself updates this information to the session management function any time after the node level interaction between the session management function and the at least one first user plane function is established.
  • the session management function may optionally utilize a network repository function to discover the first user plane function instance(s).
  • the session management function may issue a request to the network repository function such as NRF.
  • the network repository function may provide the first user plane function NF profile(s) to the session management function.
  • the network repository function may be configured by OA&M with information on the available first user plane function(s) or the first user plane function instance(s) may register its/their NF profile(s) in the network repository function.
  • the session management function may locally obtain the information related to at least one first user plane function of the first network when the information related to at least one first user plane function of the first network is locally configured in the session management function.
  • the session management function may obtain the information related to at least one first user plane function of the first network from a network repository function when the information related to at least one first user plane function of the first network is stored in the network repository function.
  • the session management function such as SMF may use Nnrf_NFDiscovery service as described in clause 5.2.7.3 of 3GPP TS 23.502 V16.1.1, the disclosures of which are incorporated by reference herein in their entirety, to obtain the information related to at least one first user plane function of the first network from a network repository function.
  • Nnrf_NFDiscovery service may enable one NF service consumer or SCP to discover a set of NF instances with specific NF service or a target NF type and also enable one NF service or SCP to discover a specific NF service.
  • the information related to at least one first user plane function of the first network may be updated information related to at least one first user plane function of the first network.
  • the information related to the at least one first user plane function of the first network may further include an information element indicating a load and/or a priority of the at least one first user plane function.
  • the information related to the at least one first user plane function of the first network may include an information element indicating whether the at least one first user plane function has an inter network user plane security capability.
  • the inter network user plane security capability may refer to whether the user plane function supports a security mechanism used for protecting data over a link between two user plane functions in two networks.
  • the inter network user plane security capability may be inter PLMN UP security capability (IPUPS) in 5GS.
  • the information element may include a first information element indicating that the at least one first user plane function has user plane function capability and inter network user plane security capability.
  • the first information element may be of a data type of boolean for confirming if the first user plane function has user plane function capability and inter network user plane security capability.
  • When the first information element is present and set to true, it indicates that the first user plane function has user plane function capability and inter network user plane security capability. Otherwise, it may indicate that the first user plane function just has the user plane function capability without the inter network user plane security capability.
  • the information element may include a second information element indicating that the at least one first user plane function has the inter network user plane security capability without user plane function capability.
  • the second information element may be of a data type of boolean for confirming if the first user plane function has the inter network user plane security capability without user plane function capability.
  • When the second information element is present and set to true, it indicates that the first user plane function has the inter network user plane security capability without user plane function capability. Otherwise, it may indicate that the first user plane function just has the user plane function capability without the inter network user plane security capability.
  • When the first information element and the second information element are not present in the information related to the at least one first user plane function, it indicates that the at least one first user plane function has user plane function capability without user plane security capability.
  • Table 1 shows an example of the first information element (i.e., upfIPSCapability) and the second information element (i.e., IPUPSCapability) in 5GS.
  • P denotes presence.
  • O denotes optional.
  • the information related to the at least one first user plane function further includes information related to at least one second user plane function to which the at least one first user plane function is attached, at least one of the at least one second user plane function is located in a second network.
  • the information related to the at least one second user plane function may include an information element indicating whether the at least one second user plane function has inter network user plane security capability.
  • the information related to the at least one first user plane function may be a NF profile of the at least one first user plane function.
  • the NF profile of the first user plane function may be the NF profile of UPF as described in 6.1.6.2.2 of 3GPP TS 29.510 V16.0.0, the disclosures of which are incorporated by reference herein in their entirety.
  • the NF profile of UPF may include upfInfo and upfInfoExt. It is noted that the upfInfo may include the information element indicating whether the first user plane function has an inter network user plane security capability and the upfInfoExt may include information related to at least one second user plane function to which the first user plane function is attached.
  • the session management function selects a first user plane function for a session based on the information related to at least one first user plane function of the first network. For example, the session management function may select or reselect the first user plane function by considering some parameter(s) and information as described in clause 6.3.3.3 of 3GPP TS 23.501 V16.2.0 and the information element indicating whether the at least one first user plane function has an inter network user plane security capability.
  • the session management function may a) select a first user plane function of the first network having user plane function capability and inter network user plane security capability; or b) select a first user plane function of the first network having the inter network user plane security capability without user plane function capability and a first user plane function of the first network having user plane function capability without inter network user plane security capability when a) is not fulfilled; or c) select a default first user plane function when a) and b) are not fulfilled.
  • SMF can subscribe to the UPF and check if the UPF gained some capabilities or has a change in its load factor and/or priority.
  • SMF may do the following:
  • Each UPF profile has an array of attached UPF(s).
  • One of the UPF(s) in the UpfInfoExt array may exactly match the UpfInfo of the UPF in the remote PLMN’s UPF.
  • - Create a candidate set B: collect a list of NF profiles with only IPUPS capability and which have the UpfInfoExt array from the UPF profile of each UPF which matches at least one of the entries of the remote NFProfile of the remote PLMN UPF(s).
  • Each IPUPS profile has an array of attached UPF(s).
  • One of the UPF(s) in the UpfInfoExt array may exactly match the UpfInfo of the UPF in the remote PLMN’s UPF.
  • - Create a candidate set C: select all local UPFs which are pure UPFs and match their UpfInfoExt from the UpfInfo of each UPF which matches at least one of the entries of the remote NFProfile of the remote PLMN’s UPF.
  • Each UPF profile has an array of attached UPFs.
  • One of the UPFs in the UpfInfoExt array may exactly match the UpfInfo of UPF in the remote PLMN’s UPF.
  • each UPF may contain the UpfInfoExt which contains a list of all its connected UPFs, and this UPF can be found on the NF profile of a remote PLMN UPF as an entry in the remote PLMN UPF’s UpfInfoExt.
  • the candidate sets A, B and C can be updated on SMF.
  • the UPF should have an inbuilt IPUPS function.
  • the UPF should be a pure UPF.
  • For candidate set B, the UPF should be a pure IPUPS without user plane function.
  • This allows SMF to first form three candidate sets: candidate set A for UPF+IPUPS, candidate set B for IPUPS only without UPF and candidate set C for pure UPF without any IPUPS function.
  • SMF updates the candidate sets as per their classification, and then SMF selects from candidate set A the UPF+IPUPS by checking the UpfInfoExt array of the UPF, which describes the remotely connected UPFs, in order to make sure that there is an authorized connection on the N9 interfaces between the two UPFs in two networks such as HPLMN and VPLMN. If there is no entry in candidate set A, SMF looks at candidate set C and selects a pure UPF.
  • If candidate set C is also empty, SMF chooses a default configured UPF or IPUPS. If a UPF was selected from candidate set C, then SMF selects a UPF from candidate set B which has pure IPUPS. If candidate set B has no entries, a default configured IPUPS is selected.
  • SMF may select the first user plane function for the session based on respective load and/or respective priority of the two or more first user plane functions. For example, at any selection from candidate sets A, B or C, the least loaded UPF may be selected. If the load is nearly the same, then the UPF with a high priority may be selected.
  • FIG. 3 shows a flowchart of a method according to another embodiment of the present disclosure, which may be performed by an apparatus implemented in/as or communicatively coupled to a first user plane function of a first network.
  • the apparatus may provide means or modules for accomplishing various parts of the method 300 as well as means or modules for accomplishing other processes in conjunction with other components.
  • the first user plane function may be any suitable entity or node which can implement the user plane function.
  • the first user plane function may be UPF in 5GS.
  • the description thereof is omitted here for brevity.
  • the first user plane function may send a network function register request including a network function profile of the first user plane function to a network repository function.
  • the network function profile of the first user plane function may include an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the network repository function may provide the same or similar functionality as described in clause 6.2.6 of 3GPP TS 23.501 V16.2.0.
  • the network repository function may be NRF in 5GS.
  • the network function register request may be similar to the Nnrf_NFManagement_NFRegister Request message as described in clause 4.17.1 of 3GPP TS 23.502 V16.1.1 except that the network function profile of the first user plane function may include an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the information element may include a first information element indicating that the first user plane function has user plane function capability and inter network user plane security capability or include a second information element indicating that the first user plane function has the inter network user plane security capability without user plane function capability or when the first information element and the second information element are not presented in the network function profile of the first user plane function, it indicates that the first user plane function has user plane function capability without user plane security capability.
  • the network function profile of the first user plane function further includes information related to at least one second user plane function to which the first user plane function is attached, at least one of the at least one second user plane function is located in a second network.
  • the information related to at least one second user plane function includes an information element indicating whether the at least one second user plane function has inter network user plane security capability.
  • the network function profile of the first user plane function further includes an information element indicating a load and/or a priority of the first user plane function.
  • the first user plane function may receive a network function register response from the network repository function.
  • the network repository function may acknowledge the network function register request is accepted via the network function register response.
  • the network function register response may be similar to the Nnrf_NFManagement_NFRegister response as described in clause 4.17.1 of 3GPP TS 23.502 V16.1.1.
  • the first user plane function may send a network function update request including an updated network function profile of the first user plane function to the network repository function.
  • the updated network function profile includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the network function update request may be similar to the Nnrf_NFManagement_NFUpdate Request message as described in clause 4.17.2 of 3GPP TS 23.502 V16.1.1 except that the updated network function profile includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the first user plane function may receive a network function update response from the network repository function.
  • the network repository function may acknowledge the network function update request is accepted via the network function update response.
  • the network function update response may be similar to the Nnrf_NFManagement_NFUpdate response as described in clause 4.17.2 of 3GPP TS 23.502 V16.1.1.
  • FIG. 4 shows a flowchart of a method according to another embodiment of the present disclosure, which may be performed by an apparatus implemented in/as or communicatively coupled to a network repository function.
  • the apparatus may provide means or modules for accomplishing various parts of the method 400 as well as means or modules for accomplishing other processes in conjunction with other components.
  • the network repository function may be any suitable entity or node which can implement the network repository function.
  • the network repository function may be NRF in 5GS.
  • the network repository function may receive a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network.
  • the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the first user plane function may send the network function register request at block 302 of FIG. 3, and then the network repository function may receive the network function register request.
  • the network repository function may store the network function profile of the first user plane function and mark the first user plane function available.
  • the information element includes a first information element indicating that the first user plane function has user plane function capability and inter network user plane security capability; or the information element includes a second information element indicating that the first user plane function has the inter network user plane security capability without user plane function capability; or when the first information element and the second information element are not presented in the network function profile of the first user plane function, it indicates that the first user plane function has user plane function capability without user plane security capability.
  • the network function profile of the first user plane function further includes information related to at least one second user plane function to which the first user plane function is attached, at least one of the at least one second user plane function is located in a second network.
  • the information related to the at least one second user plane function includes an information element indicating whether the at least one second user plane function has inter network user plane security capability.
  • the network function profile of the first user plane function further includes an information element indicating a load and/or a priority of the first network function.
  • the network repository function may send a network function register response to the first user plane function of the first network.
  • the network repository function may receive a network function update request including an updated network function profile of the first user plane function from the first user plane function of the first network.
  • the updated network function profile includes an information element indicating whether the first user plane function has the inter network user plane security capability.
  • the first user plane function may send the network function update request at block 306 of FIG. 3, and then the network repository function may receive the network function update request.
  • the network repository function may update the network function profile of the first user plane function.
  • the network repository function may send a network function update response to the first user plane function of the first network.
  • FIG. 5 shows a flowchart of a method according to another embodiment of the present disclosure, which may be performed by an apparatus implemented in/as or communicatively coupled to a network repository function.
  • the apparatus may provide means or modules for accomplishing various parts of the method 500 as well as means or modules for accomplishing other processes in conjunction with other components.
  • the network repository function may be any suitable entity or node which can implement the network repository function.
  • the network repository function may be NRF in 5GS.
  • the network repository function may receive a network function discovery request for discovering user plane function from a session management function of the first network.
  • the session management function may obtain the information related to at least one first user plane function of the first network from the network repository function when the information related to at least one first user plane function of the first network is stored in the network repository function.
  • the session management function may send the network function discovery request to the network repository function and then the network repository function may receive the network function discovery request.
  • the network function discovery request may be similar to the Nnrf_NFDiscovery_Request as described in clause 4.17.4 of 3GPP TS 23.502 V16.1.1.
  • the network repository function may authorize the Nnrf_NFDiscovery_Request as described in clause 4.17.4 of 3GPP TS 23.502 V16.1.1.
  • the network repository function may determine at least one first network function of the first network matching the network function discovery request.
  • the network repository function may send a network function discovery response including respective network function profile of the at least one first network function to the session management function of the first network.
  • the respective network function profile of the at least one first network function may include an information element indicating whether the at least one first user plane function has an inter network user plane security capability.
  • FIG. 6 shows a flowchart of a method according to another embodiment of the present disclosure. This method is implemented in 5GS.
  • a UPF could have IPUPS with UPF or just IPUPS capability
  • the NF profile of the UPF is registered or updated by using two new information elements (IEs) inside the UpfInfo.
  • UpfInfo is a part of the Network Function Profile (NFProfile).
  • UPF registers with NRF or updates NRF with new capabilities and load factor at runtime, this operation keeps occurring as update if the capabilities change or the load factor changes on the UPF.
  • the UpfInfo may include two new IEs upfIPSCapability or IPUPSCapability as described in Table 1.
  • the UpfInfoExt may include one or more remote attached UPF NF profiles.
  • NRF notifies changes for the UPF to SMF by using NF/NF service status subscribe/notify service operations as described in clause 4.17.7 of 3GPP TS 23.502 V16.1.1.
  • SMF can get the NF profiles of the UPF either by using NF/NF service discovery service operation or NF/NF service status subscribe/notify service operations.
  • SMF can get a list of UPFs with IPUPS+UPF capability.
  • FIG. 7 shows a flowchart of a method according to another embodiment of the present disclosure. This method is implemented in 5GS.
  • NRF updates SMF with NF profiles of the remote and/or local UPFs.
  • AMF sends the session create requests to SMF.
  • SMF updates the candidate sets A, B and C. For every session create request from AMF, if candidate set A has entries, then SMF chooses UPF+IPUPS with least load followed by high priority. If candidate set A has no entries, then SMF chooses from candidate set C. If candidate set C is empty, then SMF chooses a default configured UPF or IPUPS.
  • If candidate set C has entries, then SMF chooses a UPF with least load followed by high priority, and then SMF selects a UPF from candidate set B which has pure IPUPS. If there are no candidates in candidate set B, then SMF chooses a default configured UPF or IPUPS. If there are candidates in candidate set B, then SMF chooses the IPUPS with least load, followed by high priority.
  • an efficient method of UPF classification for the IPUPS firewall as an inbuilt function or standalone function in a runtime method by introducing two new IEs for the UpfInfo in the NFProfile.
  • Some embodiments herein also allow the UpfInfoExt to include the NF profiles of the attached UPFs, which can create a whole connected map of the attached UPFs which may have IPUPS function or may be a pure IPUPS or just a pure UPF.
  • the IPUPS may be considered as a subset of UPF or the IPUPS has a relationship with UPF.
  • FIG. 8 is a block diagram showing an apparatus suitable for use in practicing some embodiments of the disclosure.
  • any one of the session management function, the first user plane function and the network repository function described above may be implemented through the apparatus 800.
  • the apparatus 800 comprises at least one processor 821, such as a DP, and at least one MEM 822 coupled to the processor 821.
  • the apparatus 820 may further comprise a transmitter TX and receiver RX 823 coupled to the processor 821.
  • the MEM 822 stores a PROG 824.
  • the PROG 824 may include instructions that, when executed on the associated processor 821, enable the apparatus 820 to operate in accordance with the embodiments of the present disclosure.
  • a combination of the at least one processor 821 and the at least one MEM 822 may form processing means 825 adapted to implement various embodiments of the present disclosure.
  • Various embodiments of the present disclosure may be implemented by computer program executable by one or more of the processor 821, software, firmware, hardware or in a combination thereof.
  • the MEM 822 may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memories and removable memories, as non-limiting examples.
  • the processor 821 may be of any type suitable to the local technical environment, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors DSPs and processors based on multicore processor architecture, as non-limiting examples.
  • the memory 822 contains instructions executable by the processor 821, whereby the session management function operates according to the method 200 as described in reference to FIG. 2.
  • the memory 822 contains instructions executable by the processor 821, whereby the first user plane function operates according to the method 300 as described in reference to FIG. 3.
  • the memory 822 contains instructions executable by the processor 821, whereby the network repository function operates according to any one of the methods 400 and 500 as described in reference to FIGs. 4-5.
  • FIG. 9 illustrates a simplified block diagram of a session management function of a first network according to an embodiment of the present disclosure.
  • the session management function may be SMF of 5GS.
  • the session management function 900 comprises an obtaining module 902 configured to obtain information related to at least one first user plane function of the first network, wherein said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability.
  • the session management function 900 further comprises a selecting module 904 configured to select a first user plane function for a session based on the information related to at least one first user plane function of the first network.
  • FIG. 10 illustrates a simplified block diagram of a first user plane function of a first network according to an embodiment of the present disclosure.
  • the first user plane function may be UPF of 5GS.
  • the first user plane function 1000 comprises a sending module 1002 configured to send a network function register request including a network function profile of the first user plane function to a network repository function, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the first user plane function 1000 further comprises a receiving module 1004 configured to receive a network function register response from the network repository function.
  • FIG. 11 illustrates a simplified block diagram of a network repository function according to an embodiment of the present disclosure.
  • the network repository function may be NRF of 5GS.
  • the network repository function 1100 comprises a receiving module 1102 configured to receive a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability.
  • the network repository function 1100 further comprises a sending module 1104 configured to send a network function register response to the first user plane function of the first network.
  • a computer program product being tangibly stored on a computer readable storage medium and including instructions which, when executed on at least one processor, cause the at least one processor to carry out the method related to the session management function as described above.
  • a computer program product being tangibly stored on a computer readable storage medium and including instructions which, when executed on at least one processor, cause the at least one processor to carry out the method related to the first user plane function as described above.
  • a computer program product being tangibly stored on a computer readable storage medium and including instructions which, when executed on at least one processor, cause the at least one processor to carry out the method related to the network repository function as described above.
  • a computer-readable storage medium storing instructions which when executed by at least one processor, cause the at least one processor to perform the method related to the session management function as described above.
  • a computer-readable storage medium storing instructions which when executed by at least one processor, cause the at least one processor to perform the method related to the first user plane function as described above.
  • a computer-readable storage medium storing instructions which when executed by at least one processor, cause the at least one processor to perform the method related to the network repository function as described above.
  • the present disclosure may also provide a carrier containing the computer program as mentioned above, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium.
  • the computer readable storage medium can be, for example, an optical compact disk or an electronic memory device like a RAM (random access memory), a ROM (read only memory), Flash memory, magnetic tape, CD-ROM, DVD, Blu-ray disc and the like.
  • an apparatus implementing one or more functions of a corresponding apparatus described with an embodiment comprises not only prior art means, but also means for implementing the one or more functions of the corresponding apparatus described with the embodiment and it may comprise separate means for each separate function, or means that may be configured to perform two or more functions.
  • these techniques may be implemented in hardware (one or more apparatuses) , firmware (one or more apparatuses) , software (one or more modules) , or combinations thereof.
  • firmware or software implementation may be made through modules (e.g., procedures, functions, and so on) that perform the functions described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present disclosure provide a method and apparatus for user plane function selection. A method at a session management function of a first network comprises obtaining information related to at least one first user plane function of the first network. Said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability. The method further comprises selecting a first user plane function for a session based on the information related to at least one first user plane function of the first network.

Description

METHOD AND APPARATUS FOR USER PLANE FUNCTION SELECTION
TECHNICAL FIELD
The non-limiting and exemplary embodiments of the present disclosure generally relate to the technical field of communications, and specifically to methods and apparatuses for user plane function selection.
BACKGROUND
This section introduces aspects that may facilitate a better understanding of the disclosure. Accordingly, the statements of this section are to be read in this light and are not to be understood as admissions about what is in the prior art or what is not in the prior art.
An architecture of control and user plane separation has been introduced in a communication network. For example, 3rd Generation Partnership Project (3GPP) TS 23.501 V16.2.0, the disclosures of which are incorporated by reference herein in their entirety, has introduced the control plane function such as session management function (SMF) and the user plane function such as user plane function (UPF). N9 is a reference point between two UPFs. The selection and reselection of the UPF may be performed by the SMF by considering user plane function deployment scenarios such as centrally located user plane function and distributed user plane function located close to or at the access network site.
3GPP TS 33.501 V16.0.0, the disclosures of which are incorporated by reference herein in their entirety, specifies the security architecture for the fifth generation (5G) system (5GS) and the 5G core network (5GC). 3GPP TS 33.501 V16.0.0 contains security features, security mechanisms, and the security procedures performed for the 5GS and the 5GC.
SUMMARY
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
The N9 roaming interface of the UPF needs to be protected from traffic that is present due to attack, misconfiguration or network transient conditions. However, in the existing solutions, there is no efficient method for the SMF to automatically determine a) which UPF has the N9 firewall function built into it, b) which UPF instances are available to provide the firewall service if the UPF instance does not have the N9 firewall function built into it, c) whether the VPLMN (Visited Public Land Mobile Network) N9 firewall and the HPLMN (Home Public Land Mobile Network) N9 firewall are allowed to communicate with their respective UPFs at a given point in time, and d) whether the two UPFs/IPUPS (Inter PLMN (Public Land Mobile Network) UP (user plane) Security) in different PLMNs need to be identified with each other, such that they can list each other and update their load and capabilities at runtime via the NRF (Network Repository Function). Therefore the SMF cannot select the UPF having the N9 firewall function built into it.
Without automatic detection and selection of the relevant UPF by the SMF, excessive configuration modelling is needed on the SMF, for both the VPLMN and the HPLMN, regarding how to choose the relevant UPF to perform the N9 firewall function. The SMF could also be connected to a UPF or IPUPS that is not compatible in load, which results in overloading of the UPF and the N9 firewall due to inefficient provisioning, including the possibility of an N9 firewall serving a UPF which it is not authorized to serve.
To overcome or mitigate at least one of above mentioned problems or other problems, the embodiments of the present disclosure propose an improved solution of user plane function selection.
In an embodiment, the user plane function may send the capabilities of the user plane function including IPUPS capability or IPUPS+UPF capability as a part of a single network function registration request towards the NRF.
In an embodiment, a standalone IPUPS may send a list of UPFs that it is allowed to serve as a part of a single network function registration request towards the NRF.
In an embodiment, the user plane function may update its profile in the NRF when the UPF capabilities are changed or modified.
In an embodiment, the UPF selection algorithm in the SMF for roaming traffic is applied such that, depending on the capabilities of the UPF(s) and their connection information, the SMF may select the UPF with IPUPS capability or the UPF followed by a dedicated IPUPS.
In an embodiment, the user plane function may update the load and/or priority of the user plane function to the NRF when the load and/or priority changes on the UPF/IPUPS.
In an embodiment, the NRF can subscribe to a network function from a local PLMN or a different PLMN.
In a first aspect of the disclosure, there is provided a method at a session management function of a first network. The method comprises obtaining information related to at least one first user plane function of the first network. Said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability. The method further comprises selecting a first user plane function for a session based on the information related to at least one first user plane function of the first network.
In an embodiment, obtaining information related to at least one first user plane function of the first network may comprise at least one of locally obtaining the information related to at least one first user plane function of the first network when the information related to at least one first user plane function of the first network is locally configured in the session management function; obtaining the information related to at least one first user plane function of the first network from a network repository function when the information related to at least one first user plane function of the first network is stored in the network repository function.
In an embodiment, the information element may include a first information element indicating that the at least one first user plane function has user plane function capability and inter network user plane security capability; or the information element includes a second information element indicating that the at least one first user plane function has the inter network user plane security capability without user plane function capability; or when the first information element and the second information element are not present in the information related to the at least one first user plane function, it indicates that the at least one first user plane function has user plane function capability without user plane security capability.
In an embodiment, the information related to the at least one first user plane function may further include information related to at least one second user plane function to which the at least one first user plane function is attached, wherein at least one of the at least one second user plane function is located in a second network.
In an embodiment, the information related to the at least one second user plane function may include an information element indicating whether the at least one second user plane function has inter network user plane security capability.
In an embodiment, in a roaming scenario, selecting a first user plane function for a session based on the information related to at least one first user plane function of the first network may comprise a) selecting a first user plane function of the first network having user plane function capability and inter network user plane security capability; or b) selecting a first user plane function of the first network having the inter network user plane security capability without user plane function capability and a first user plane function of the first network having user plane function capability without inter network user plane security capability when a) is not fulfilled; or c) selecting a default first user plane function when a) and b) are not fulfilled.
In an embodiment, selecting a user plane function for a session based on the information related to at least one first user plane function of the first network may comprise, when two or more first user plane functions can be selected, selecting the first user plane function for the session based on respective load and/or respective priority of the two or more first user plane functions.
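The selection order a) to c) and the load/priority tie-break described above, as an added example that is not code from this disclosure. The field names, the ranking (lower priority value first, then lower load) and the check that a standalone IPUPS is paired only with a UPF on its allowed-to-serve list are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, NamedTuple, Optional


@dataclass(frozen=True)
class UpfProfile:
    """What the SMF knows about one user plane function (hypothetical field names)."""
    nf_id: str
    upf_and_ipups: bool = False  # first information element: UPF + IPUPS
    ipups_only: bool = False     # second information element: IPUPS without UPF
    load: int = 0                # percent, 0..100
    priority: int = 0            # assumption: lower value is preferred
    allowed_upfs: frozenset = frozenset()  # standalone IPUPS: UPFs it may serve

    def __post_init__(self):
        # The two elements are alternatives; a profile carrying both is ambiguous
        # and is rejected instead of being silently treated as protected.
        if self.upf_and_ipups and self.ipups_only:
            raise ValueError(f"{self.nf_id}: both capability elements present")
        if not 0 <= self.load <= 100:
            raise ValueError(f"{self.nf_id}: load {self.load} out of range")

    @property
    def plain_upf(self) -> bool:
        # Neither element present: UPF capability without IPUPS capability.
        return not (self.upf_and_ipups or self.ipups_only)


class Selection(NamedTuple):
    rule: str                    # "a", "b" or "c"
    upf: UpfProfile
    ipups: Optional[UpfProfile]  # separate N9 firewall instance (rule b only)
    n9_protected: bool


def _rank(p: UpfProfile):
    # Assumed tie-break: priority first, then load, then id for determinism.
    return (p.priority, p.load, p.nf_id)


def select_for_roaming(profiles: Iterable[UpfProfile],
                       default_upf: UpfProfile) -> Selection:
    profiles = list(profiles)

    # a) a single instance with both UPF and IPUPS capability
    combined = [p for p in profiles if p.upf_and_ipups]
    if combined:
        return Selection("a", min(combined, key=_rank), None, True)

    # b) a plain UPF plus a standalone IPUPS that lists that UPF as one it
    #    is allowed to serve
    pairs = [(upf, fw)
             for fw in profiles if fw.ipups_only
             for upf in profiles
             if upf.plain_upf and upf.nf_id in fw.allowed_upfs]
    if pairs:
        upf, fw = min(pairs, key=lambda pair: (_rank(pair[1]), _rank(pair[0])))
        return Selection("b", upf, fw, True)

    # c) default UPF; no IPUPS capability is known for this path, so the
    #    result is flagged for the caller to act on
    return Selection("c", default_upf, None, False)


# Constructed sample profiles (not taken from the disclosure).
SAMPLE = [
    UpfProfile("upf-1", load=20, priority=1),
    UpfProfile("upf-2", load=10, priority=1),
    UpfProfile("fw-1", ipups_only=True, load=30,
               allowed_upfs=frozenset({"upf-1"})),
    UpfProfile("fw-2", ipups_only=True, load=5,
               allowed_upfs=frozenset({"upf-9"})),
    UpfProfile("combo-1", upf_and_ipups=True, load=70, priority=1),
    UpfProfile("combo-2", upf_and_ipups=True, load=40, priority=1),
]
DEFAULT_UPF = UpfProfile("upf-default")

if __name__ == "__main__":
    for label, candidates in (
        ("all", SAMPLE),
        ("no combined", [p for p in SAMPLE if not p.upf_and_ipups]),
        ("plain only", [p for p in SAMPLE if p.plain_upf]),
    ):
        s = select_for_roaming(candidates, DEFAULT_UPF)
        print(label, s.rule, s.upf.nf_id,
              s.ipups.nf_id if s.ipups else None, s.n9_protected)
```

In the second case the less loaded `upf-2` and `fw-2` are passed over because no standalone IPUPS lists `upf-2`, and `fw-2` only lists a UPF that is not among the candidates.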
In an embodiment, the information related to at least one first user plane function of the first network may be updated information related to at least one first user plane function of the first network.
In an embodiment, the information related to the at least one first user plane function of the first network may further include an information element indicating a load and/or a priority of the at least one first user plane function.
In a second aspect of the disclosure, there is provided a method at a first user plane function of a first network. The method comprises sending a network function register request including a network function profile of the first user plane function to a network repository function. The network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability. The method further comprises receiving a network function register response from the network repository function.
In an embodiment, the information element may include a first information element indicating that the first user plane function has user plane function capability and inter network user plane security capability; or the information element includes a second information element indicating that the first user plane function has the inter network user plane security capability without user plane function capability; or when the first information element and the second information element are not present in the network function profile of the first user plane function, it indicates that the first user plane function has user plane function capability without user plane security capability.
In an embodiment, the network function profile of the first user plane function may further include information related to at least one second user plane function to which the first user plane function is attached, wherein at least one of the at least one second user plane function is located in a second network.
In an embodiment, the information related to at least one second user plane function may include an information element indicating whether the at least one second user plane function has inter network user plane security capability.
In an embodiment, the method further comprises sending a network function update request including an updated network function profile of the first user plane function to the network repository function, wherein the updated network function profile includes an information element indicating whether the first user plane function has an inter network user plane security capability; and receiving a network function update response from the network repository function.
In an embodiment, the network function profile of the first user plane function may further include an information element indicating a load and/or a priority of the first user plane function.
In a third aspect of the disclosure, there is provided a method at a network repository function. The method comprises receiving a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability. The method further comprises sending a network function register response to the first user plane function of the first network.
In an embodiment, the method may further comprise receiving a network function update request including an updated network function profile of the first user plane function from the first user plane function of the first network, wherein the updated network function profile includes an information element indicating whether the first user plane function has the inter network user plane security capability; and sending a network function update response to the first user plane function of the first network.
In an embodiment, the method may further comprise receiving a network function discovery request for discovering user plane function from a session management function of the first network; determining at least one first network function of the first network matching the network function discovery request; and sending a network function discovery response including respective network function profile of the at least one first network function to the session management function of the first network.
In a fourth aspect of the disclosure, there is provided an apparatus implemented in a session management function of a first network. The apparatus comprises a processor; and a memory coupled to the processor, said memory containing instructions executable by said processor, whereby said apparatus is operative to obtain information related to at least one first user plane function of the first network. Said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability. Said apparatus is further operative to select a first user plane function for a session based on the information related to at least one first user plane function of the first network.
In a fifth aspect of the disclosure, there is provided an apparatus implemented in a first user plane function of a first network. The apparatus comprises a processor; and a memory coupled to the processor, said memory containing instructions executable by said processor, whereby said apparatus is operative to send a network function register request including a network function profile of the first user plane function to a network repository function. The network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability. Said apparatus is further operative to receive a network function register response from the network repository function.
In a sixth aspect of the disclosure, there is provided an apparatus implemented in a network repository function. The apparatus comprises a processor; and a memory coupled to the processor, said memory containing instructions executable by said processor, whereby said apparatus is operative to receive a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network. The network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability. Said apparatus is further operative to send a network function register response to the first user plane function of the first network.
In a seventh aspect of the disclosure, there is provided a session management function of a first network. The session management function may be SMF of 5GS. The session management function comprises an obtaining module configured to obtain information related to at least one first user plane function of the first network, wherein said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability. The session management function further comprises a selecting module configured to select a first user plane function for a session based on the information related to at least one first user plane function of the first network.
In an eighth aspect of the disclosure, there is provided a first user plane function of a first network. The first user plane function may be UPF of 5GS. The first user plane function comprises a sending module configured to send a network function register request including a network function profile of the first user plane function to a network repository function, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability. The first user plane function further comprises a receiving module configured to receive a network function register response from the network repository function.
In a ninth aspect of the disclosure, there is provided a network repository function. The network repository function may be NRF of 5GS. The network repository function comprises a receiving module configured to receive a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability. The network repository function further comprises a sending module configured to send a network function register response to the first user plane function of the first network.
In a tenth aspect of the disclosure, there is provided a computer program product comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the first aspect of the disclosure.
In an eleventh aspect of the disclosure, there is provided a computer program product comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the second aspect of the disclosure.
In a twelfth aspect of the disclosure, there is provided a computer program product comprising instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the third aspect of the disclosure.
In a thirteenth aspect of the disclosure, there is provided a computer-readable storage medium storing instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the first aspect of the disclosure.
In a fourteenth aspect of the disclosure, there is provided a computer-readable storage medium storing instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the second aspect of the disclosure.
In a fifteenth aspect of the disclosure, there is provided a computer-readable storage medium storing instructions which, when executed on at least one processor, cause the at least one processor to carry out the method according to the third aspect of the disclosure.
Embodiments herein afford many advantages, of which a non-exhaustive list of examples follows. Some embodiments herein may automatically detect the UPF or UPF+IPUPS or IPUPS in a 3GPP system and select the same for different types of roaming traffic and subsequent N4 session establishment from the SMF to the UPF such that all UPF roaming traffic may be protected via the N9 firewall. Some embodiments herein may not overload the IPUPS by selecting another IPUPS to perform the firewall function. In some embodiments herein, the SMF can efficiently choose the UPF+IPUPS or the IPUPS in order to keep the network stable and keep the UPF load stable during a DDoS (distributed denial-of-service) attack. The embodiments herein are not limited to the features and advantages mentioned above. A person skilled in the art will recognize additional features and advantages upon reading the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and other aspects, features, and benefits of various embodiments of the present disclosure will become more fully apparent, by way of example, from the following detailed description with reference to the accompanying drawings, in which like reference numerals or letters are used to designate like or equivalent elements. The drawings are illustrated for facilitating better understanding of the embodiments of the disclosure and not necessarily drawn to scale, in which:
FIG. 1 schematically shows a high level architecture in the fifth generation network;
FIG. 2 shows a flowchart of a method according to an embodiment of the present disclosure;
FIG. 3 shows a flowchart of a method according to another embodiment of the present disclosure;
FIG. 4 shows a flowchart of a method according to another embodiment of the present disclosure;
FIG. 5 shows a flowchart of a method according to another embodiment of the present disclosure;
FIG. 6 shows a flowchart of a method according to another embodiment of the present disclosure;
FIG. 7 shows a flowchart of a method according to another embodiment of the present disclosure;
FIG. 8 is a block diagram showing an apparatus suitable for use in practicing some embodiments of the disclosure;
FIG. 9 illustrates a simplified block diagram of a session management function of a first network according to an embodiment of the present disclosure;
FIG. 10 illustrates a simplified block diagram of a first user plane function of a first network according to an embodiment of the present disclosure; and
FIG. 11 illustrates a simplified block diagram of a network repository function according to an embodiment of the present disclosure.
DETAILED DESCRIPTION
The embodiments of the present disclosure are described in detail with reference to the accompanying drawings. It should be understood that these embodiments are discussed only for the purpose of enabling those skilled persons in the art to better understand and thus implement the present disclosure, rather than suggesting any limitations on the scope of the present disclosure. Reference throughout this specification to features, advantages, or similar language does not imply that all of the features and advantages that may be realized with the present disclosure should be or are in any single embodiment of the disclosure. Rather, language referring to the features and advantages is understood to mean that a specific feature, advantage, or characteristic described in connection with an embodiment is included in at least one embodiment of the present disclosure. Furthermore, the described features, advantages, and characteristics of the disclosure may be combined in any suitable manner in one or more embodiments. One skilled in the relevant art will recognize that the disclosure may be practiced without one or more of the specific features or advantages of a particular embodiment. In other instances, additional features and advantages may be recognized in certain embodiments that may not be present in all embodiments of the disclosure.
As used herein, the term “network” refers to a network following any suitable wireless communication standards such as new radio (NR), long term evolution (LTE), LTE-Advanced, wideband code division multiple access (WCDMA), high-speed packet access (HSPA), Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Frequency Division Multiple Access (FDMA), Orthogonal Frequency-Division Multiple Access (OFDMA), Single carrier frequency division multiple access (SC-FDMA) and other wireless networks. A CDMA network may implement a radio technology such as Universal Terrestrial Radio Access (UTRA), etc. UTRA includes WCDMA and other variants of CDMA. A TDMA network may implement a radio technology such as Global System for Mobile Communications (GSM). An OFDMA network may implement a radio technology such as Evolved UTRA (E-UTRA), Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, Flash-OFDMA, Ad-hoc network, wireless sensor network, etc. In the following description, the terms “network” and “system” can be used interchangeably. Furthermore, the communications between two devices in the network may be performed according to any suitable communication protocols, including, but not limited to, the communication protocols as defined by a standard organization such as 3GPP. For example, the communication protocols may comprise the first generation (1G), 2G, 3G, 4G, 4.5G, 5G communication protocols, and/or any other protocols either currently known or to be developed in the future.
The term “network entity” used herein refers to a network device or function such as a core network device in a communication network. For example, in a wireless communication network such as a 3GPP-type cellular network, the network entity may include user plane function and control plane function, etc., which may offer numerous services to customers who are interconnected by an access network device. Each access network device is connectable to the core network device over a wired or wireless connection.
The term “network function (NF)” refers to any suitable function which can be implemented in a network entity (physical or virtual) such as a core network device of a communication network. For example, the 5G system (5GS) may comprise a plurality of NFs such as AMF (Access and mobility Function), SMF (Session Management Function), AUSF (Authentication Service Function), UDM (Unified Data Management), PCF (Policy Control Function), AF (Application Function), NEF (Network Exposure Function), UPF (User plane Function) and NRF (Network Repository Function), RAN (radio access network), SCP (service communication proxy), etc. In other embodiments, the network function may comprise different types of NFs for example depending on a specific type of network.
The term “terminal device” refers to any end device that can access a communication network and receive services therefrom. By way of example and not limitation, the terminal device refers to a mobile terminal, user equipment (UE), or other suitable devices. The UE may be, for example, a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT). The terminal device may include, but is not limited to, a portable computer, an image capture terminal device such as a digital camera, a gaming terminal device, a music storage and a playback appliance, a mobile phone, a cellular phone, a smart phone, a voice over IP (VoIP) phone, a wireless local loop phone, a tablet, a wearable device, a personal digital assistant (PDA), a portable computer, a desktop computer, a wearable terminal device, a vehicle-mounted wireless terminal device, a wireless endpoint, a mobile station, a laptop-embedded equipment (LEE), a laptop-mounted equipment (LME), a USB dongle, a smart device, a wireless customer-premises equipment (CPE) and the like. In the following description, the terms “terminal device”, “terminal”, “user equipment” and “UE” may be used interchangeably. As one example, a terminal device may represent a UE configured for communication in accordance with one or more communication standards promulgated by the 3GPP, such as 3GPP’s LTE standard or NR standard. As used herein, a “user equipment” or “UE” may not necessarily have a “user” in the sense of a human user who owns and/or operates the relevant device. In some embodiments, a terminal device may be configured to transmit and/or receive information without direct human interaction. For instance, a terminal device may be designed to transmit information to a network on a predetermined schedule, when triggered by an internal or external event, or in response to requests from the communication network.
Instead, a UE may represent a device that is intended for sale to, or operation by, a human user but that may not initially be associated with a specific human user.
As yet another example, in an Internet of Things (IoT) scenario, a terminal device may represent a machine or other device that performs monitoring and/or measurements, and transmits the results of such monitoring and/or measurements to another terminal device and/or network equipment. The terminal device may in this case be a machine-to-machine (M2M) device, which may in a 3GPP context be referred to as a machine-type communication (MTC) device. As one particular example, the terminal device may be a UE implementing the 3GPP narrow band internet of things (NB-IoT) standard. Particular examples of such machines or devices are sensors, metering devices such as power meters, industrial machinery, or home or personal appliances, for example refrigerators, televisions, personal wearables such as watches etc. In other scenarios, a terminal device may represent a vehicle or other equipment that is capable of monitoring and/or reporting on its operational status or other functions associated with its operation.
References in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It shall be understood that although the terms “first” and “second” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “has”, “having”, “includes” and/or “including”, when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof.
It is noted that these terms as used in this document are used only for ease of description and differentiation among nodes, devices or networks etc. With the development of the technology, other terms with the similar/same meanings may also be used.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
Although the subject matter described herein may be implemented in any appropriate type of system using any suitable components, the embodiments disclosed herein are described in relation to a communication system compliant with the exemplary system architecture illustrated in FIG. 1. For simplicity, the system architecture of FIG. 1 only depicts some exemplary elements. In practice, a communication system may further include any additional elements suitable to support communication between terminal devices or between a wireless device and another communication device, such as a landline telephone, a service provider, or any other network node or terminal device. The communication system may provide communication and various types of services to one or more terminal devices to facilitate the terminal devices’ access to and/or use of the services provided by, or via, the communication system.
FIG. 1 schematically shows a high level architecture in the fifth generation network. The system architecture of FIG. 1 may comprise some exemplary elements such as AUSF, AMF, DN (data network), NEF, NRF, NSSF, PCF, SMF, UDM, UPF, AF, UE, (R)AN, SCP, UE, Intermediate NEF (I-NEF), visited Security Edge Protection Proxy (vSEPP), home Security Edge Protection Proxy (hSEPP), etc.
In accordance with an exemplary embodiment, the UE can establish a signaling connection with the AMF over the reference point N1, as illustrated in FIG. 1. This signaling connection may enable NAS (Non-access stratum) signaling exchange between the UE and the core network, comprising a signaling connection between the UE and the (R)AN and the N2 connection for this UE between the (R)AN and the AMF. The (R)AN can communicate with the UPF over the reference point N3. The UE can establish a protocol data unit (PDU) session to the DN (data network, e.g. an operator network or Internet) through the UPF over the reference point N6.
As further illustrated in FIG. 1, the exemplary system architecture also contains the service-based interfaces such as Nnrf, Nnef, Nausf, Nudm, Npcf, Namf and Nsmf exhibited by NFs such as the NRF, the NEF, the AUSF, the UDM, the PCF, the AMF and the SMF. In addition, FIG. 1 also shows some reference points such as N1, N2, N3, N4, N6 and N9, which can support the interactions between NF services in the NFs. For example, these reference points may be realized through corresponding NF service-based interfaces and by specifying some NF service consumers and providers as well as their interactions in order to perform a particular system procedure.
Various NFs shown in FIG. 1 may be responsible for functions such as session management, mobility management, authentication, security, etc. The AUSF, AMF, DN, NEF, NRF, NSSF, PCF, SMF, UDM, UPF, AF, UE, (R)AN, SCP, SEPP, etc. may include the functionality for example as defined in 3GPP TS 23.501 V16.2.0 and 3GPP TS 33.501 V16.0.0.
Clause 6.3.3.3 of 3GPP TS 23.501 V16.2.0 describes some parameter(s) and information which may be considered by the SMF for UPF selection and re-selection. However, by considering those parameter(s) and information, the SMF cannot automatically determine a) which UPF has the N9 firewall function built into it, b) which UPF instances are available to provide the firewall service if the UPF instance does not have the N9 firewall function built into it, c) whether the VPLMN N9 firewall and the HPLMN N9 firewall are allowed or not to communicate at some point in time with their respective UPFs, and d) whether the two UPFs/IPUPSes in different PLMNs need to be identified with each other, such that they can list each other and update their load and capabilities at runtime via the NRF (Network Repository Function). Therefore the SMF cannot select the UPF having the N9 firewall function built into it, for example in a roaming scenario.
To overcome or mitigate at least one of the above-mentioned problems or other problems, the embodiments of the present disclosure propose an improved solution of user plane function selection which will be described in FIGs. 2-11.
FIG. 2 shows a flowchart of a method according to an embodiment of the present disclosure, which may be performed by an apparatus implemented in/as or communicatively coupled to a session management function of a first network. As such, the apparatus may provide means or modules for accomplishing various parts of the method 200 as well as means or modules for accomplishing other processes in conjunction with other components. The session management function may be any suitable entity or node which can implement the session management function. For example, the session management function may be SMF of 5G network. The first network may be any network such as VPLMN or HPLMN, etc.
At block 202, the session management function obtains information related to at least one first user plane function of the first network. Said information may include an information element indicating whether the at least one first user plane function has an inter network user plane security capability. The first user plane function may be any suitable entity or node which can implement the user plane function. For example, the user plane function may be UPF of 5G network. The session management function may obtain the information related to at least one first user plane function of the first network in various ways. As a first example, when this information is locally configured in the session management function e.g. by a network device such as OA&M (operations, administration, and management) system when the first user plane function is instantiated or removed or changed, the session management function may locally obtain this information for example from its local storage. The information related to at least one first user plane function of the first network can be updated e.g. by OA&M system any time, or the at least one first user plane function itself updates this information to the session management function any time after the node level interaction between the session management function and the at least one first user plane function is established. As a second example, the session management function may optionally utilize a network repository function to discover the first user plane function instance(s). In this case, the session management function may issue a request to the network repository function such as NRF. In its answer, the network repository function may provide the first user plane function NF profile(s) to the session management function.
The network repository function may be configured by OA&M with information on the available first user plane function(s) or the first user plane function instance(s) may register its/their NF profile(s) in the network repository function.
In an embodiment, the session management function may locally obtain the information related to at least one first user plane function of the first network when the information related to at least one first user plane function of the first network is locally configured in the session management function.
In an embodiment, the session management function may obtain the information related to at least one first user plane function of the first network from a network repository function when the information related to at least one first user plane function of the first network is stored in the network repository function. For example, in 5GS, the session management function such as SMF may use Nnrf_NFDiscovery service as described in clause 5.2.7.3 of 3GPP TS 23.502 V16.1.1, the disclosures of which are incorporated by reference herein in their entirety, to obtain the information related to at least one first user plane function of the first network from a network repository function. Nnrf_NFDiscovery service may enable one NF service consumer or SCP to discover a set of NF instances with specific NF service or a target NF type and also enable one NF service or SCP to discover a specific NF service.
In an embodiment, the information related to at least one first user plane function of the first network may be updated information related to at least one first user plane function of the first network.
In an embodiment, the information related to the at least one first user plane function of the first network may further include an information element indicating a load and/or a priority of the at least one first user plane function.
As described above, the information related to the at least one first user plane function of the first network may include an information element indicating whether the at least one first user plane function has an inter network user plane security capability. The inter network user plane security capability may refer to whether the user plane function supports a security mechanism used for protecting data over a link between two user plane functions in two networks. For example, the inter network user plane security capability may be inter PLMN UP security capability (IPUPS) in 5GS.
In an embodiment, the information element may include a first information element indicating that the at least one first user plane function has user plane function capability and inter network user plane security capability. For example, the first information element may be of a data type of boolean for confirming if the first user plane function has user plane function capability and inter network user plane security capability. When the first information element is present and set to true, it indicates that the first user plane function has user plane function capability and inter network user plane security capability. Otherwise, it may indicate that the first user plane function just has the user plane function capability without the inter network user plane security capability.
In an embodiment, the information element may include a second information element indicating that the at least one first user plane function has the inter network user plane security capability without user plane function capability. For example, the second information element may be of a data type of boolean for confirming if the first user plane function has the inter network user plane security capability without user plane function capability. When the second information element is present and set to true, it indicates that the first user plane function has the inter network user plane security capability without user plane function capability. Otherwise, it may indicate that the first user plane function just has the user plane function capability without the inter network user plane security capability.
In an embodiment, when the first information element and the second information element are not present in the information related to the at least one first user plane function, it indicates that the at least one first user plane function has user plane function capability without user plane security capability.
In an embodiment, Table 1 shows an example of the first information element (i.e., upfIPSCapability) and the second information element (i.e., IPUPSCapability) in 5GS. P denotes presence. O denotes optional.
Table 1
Figure PCTCN2020135304-appb-000001
In an embodiment, the information related to the at least one first user plane function further includes information related to at least one second user plane function to which the at least one first user plane function is attached, at least one of the at least one second user plane function is located in a second network. The information related to the at least one second user plane function may include an information element indicating whether the at least one second user plane function has inter network user plane security capability.
In an embodiment, the information related to the at least one first user plane function may be a NF profile of the at least one first user plane function. For example, when the first user plane function is UPF in 5GS, the NF profile of the first user plane function may be the NF profile of UPF as described in 6.1.6.2.2 of 3GPP TS 29.510 V16.0.0, the disclosures of which are incorporated by reference herein in their entirety. The NF profile of UPF may include upfInfo and upfInfoExt. It is noted that the upfInfo may include the information element indicating whether the first user plane function has an inter network user plane security capability and the upfInfoExt may include information related to at least one second user plane function to which the first user plane function is attached.
At block 204, the session management function selects a first user plane function for a session based on the information related to at least one first user plane function of the first network. For example, the session management function may select or reselect the first user plane function by considering some parameter(s) and information as described in clause 6.3.3.3 of 3GPP TS 23.501 V16.2.0 and the information element indicating whether the at least one first user plane function has an inter network user plane security capability.
In an embodiment, in a roaming scenario, the session management function may a) select a first user plane function of the first network having user plane function capability and inter network user plane security capability; or b) select a first user plane function of the first network having the inter network user plane security capability without user plane function capability and a first user plane function of the first network having user plane function capability without inter network user plane security capability when a) is not fulfilled; or c) select a default first user plane function when a) and b) are not fulfilled.
For example, in 5GS, when a UPF profile is updated, SMF can subscribe to the UPF and check if the UPF gained some capabilities or has a change in its load factor and/or priority. When a UPF has to be selected for a VPLMN to HPLMN session anchoring, SMF may do the following:
- Create a candidate set A: collect the NFProfile (i.e., NF profile) of all UPFs that have UPF+IPUPS capability and whose UpfInfoExt array, taken from the UPF profile of each UPF, matches at least one entry of the remote NFProfile of the respective PLMN’s UPF(s). Each UPF profile has an array of attached UPF(s). One of the UPF(s) in the UpfInfoExt array may exactly match the UpfInfo of the UPF in the remote PLMN’s UPF.
- Create a candidate set B: collect a list of NF profiles that have only IPUPS capability and whose UpfInfoExt array, taken from the UPF profile of each UPF, matches at least one entry of the remote NFProfile of the remote PLMN UPF(s). Each IPUPS profile has an array of attached UPF(s). One of the UPF(s) in the UpfInfoExt array may exactly match the UpfInfo of the UPF in the remote PLMN’s UPF.
- Create a candidate set C: select all local UPFs which are pure UPFs and whose UpfInfoExt, from the UpfInfo of each UPF, matches at least one entry of the remote NFProfile of the remote PLMN’s UPF. Each UPF profile has an array of attached UPFs. One of the UPFs in the UpfInfoExt array may exactly match the UpfInfo of the UPF in the remote PLMN’s UPF.
Regarding classification, for all candidates to be housed in candidate sets A, B and C, each UPF may contain the UpfInfoExt which contains a list of all its connected UPFs, and this UPF can be found on the NF profile of a remote PLMN UPF as an entry in the remote PLMN UPF’s UpfInfoExt. The candidate sets A, B and C can be updated on SMF. For candidate set A, the UPF should have an inbuilt IPUPS function. For candidate set C, the UPF should be a pure UPF. For candidate set B, the UPF should be a pure IPUPS without user plane function.
In this way, SMF can first form three candidate sets: candidate set A for UPF+IPUPS, candidate set B for IPUPS only without UPF, and candidate set C for pure UPF without any IPUPS function. For each update from NRF, SMF updates the candidate sets as per their classification, and then SMF selects the UPF+IPUPS from candidate set A by checking the UpfInfoExt array of the UPF, which describes the remotely connected UPFs, in order to make sure that there is an authorized connection on the N9 interfaces between the two UPFs in two networks such as HPLMN and VPLMN. If there is no entry in candidate set A, SMF looks at candidate set C and selects a pure UPF. If there are no entries in candidate set C, then SMF chooses a default configured UPF or IPUPS. If a UPF was selected from candidate set C, then SMF selects a UPF from candidate set B, which has pure IPUPS. If candidate set B has no entries, a default configured IPUPS is selected.
In an embodiment, when two or more first user plane functions can be selected, SMF may select the first user plane function for the session based on the respective load and/or respective priority of the two or more first user plane functions. For example, at any selection from candidate sets A, B or C, the UPF with the least load may be selected. If the load is nearly the same, then the UPF with a high priority may be selected.
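The classification into candidate sets A, B and C and the A, then C plus B, then default selection order described above can be sketched as follows. This is an added Python example, not code from the patent or from any 5G core implementation. Assumptions: profiles are simplified to an instance id, load, priority, the `upfInfo` IEs and the ids listed in `upfInfoExt`; matching an attached UPF is reduced to an id comparison; "nearly the same" load means within 5 points; a lower numeric priority value means higher priority; the default names are placeholders.

```python
from dataclasses import dataclass, field

LOAD_TOLERANCE = 5               # assumption: loads this close count as "nearly the same"
DEFAULT_UPF = "default-upf"      # placeholder for the locally configured default UPF
DEFAULT_IPUPS = "default-ipups"  # placeholder for the locally configured default IPUPS


@dataclass
class UpfProfile:
    """Simplified stand-in for an NF profile (field layout is assumed)."""
    nf_instance_id: str
    load: int
    priority: int                                   # assumption: lower value wins
    upf_info: dict = field(default_factory=dict)    # may carry the two new IEs
    attached: list = field(default_factory=list)    # ids taken from upfInfoExt


def classify(profile):
    """Map the two IEs of Table 1 to a candidate set label."""
    info = profile.upf_info
    if info.get("upfIPSCapability") is True:
        return "A"          # UPF with built-in IPUPS
    if info.get("IPUPSCapability") is True:
        return "B"          # pure IPUPS, no UPF capability
    return "C"              # IEs absent or false: pure UPF


def build_candidate_sets(profiles, remote_upf_ids):
    """Keep only profiles whose upfInfoExt lists a UPF of the remote PLMN."""
    sets = {"A": [], "B": [], "C": []}
    remote = set(remote_upf_ids)
    for p in profiles:
        if remote.intersection(p.attached):
            sets[classify(p)].append(p)
    return sets


def pick(candidates):
    """Least load first; among nearly equal loads, the higher priority."""
    if not candidates:
        return None
    lowest = min(p.load for p in candidates)
    near = [p for p in candidates if p.load - lowest <= LOAD_TOLERANCE]
    return min(near, key=lambda p: (p.priority, p.load, p.nf_instance_id))


def select_for_roaming_session(profiles, remote_upf_ids):
    """Return the chosen UPF and IPUPS ids for one session create request."""
    sets = build_candidate_sets(profiles, remote_upf_ids)
    combined = pick(sets["A"])
    if combined is not None:
        return {"upf": combined.nf_instance_id,
                "ipups": combined.nf_instance_id, "path": "A"}
    upf = pick(sets["C"])
    if upf is None:
        # Neither A nor C has an entry: fall back to configured defaults.
        return {"upf": DEFAULT_UPF, "ipups": DEFAULT_IPUPS, "path": "default"}
    ipups = pick(sets["B"])
    return {"upf": upf.nf_instance_id,
            "ipups": ipups.nf_instance_id if ipups else DEFAULT_IPUPS,
            "path": "C+B"}


# Constructed sample data (not from the patent).
REMOTE_UPF_IDS = {"hplmn-upf-1"}
SAMPLE_PROFILES = [
    UpfProfile("upf-a1", 40, 10, {"upfIPSCapability": True}, ["hplmn-upf-1"]),
    UpfProfile("upf-a2", 42, 1, {"upfIPSCapability": True}, ["hplmn-upf-1"]),
    # Lightly loaded, but not attached to the remote PLMN's UPF: never a candidate.
    UpfProfile("upf-a3", 5, 1, {"upfIPSCapability": True}, ["other-plmn-upf"]),
    UpfProfile("ipups-b1", 20, 5, {"IPUPSCapability": True}, ["hplmn-upf-1"]),
    UpfProfile("upf-c1", 10, 3, {}, ["hplmn-upf-1"]),
]

if __name__ == "__main__":
    print(select_for_roaming_session(SAMPLE_PROFILES, REMOTE_UPF_IDS))
```

Note that `upf-a3` has the lowest load yet is filtered out before load is considered, because its `upfInfoExt` does not list the remote PLMN's UPF.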
FIG. 3 shows a flowchart of a method according to another embodiment of the present disclosure, which may be performed by an apparatus implemented in/as or communicatively coupled to a first user plane function of a first network. As such, the apparatus may provide means or modules for accomplishing various parts of the method 300 as well as means or modules for accomplishing other processes in conjunction with other components. The first user plane function may be any suitable entity or node which can implement the user plane function. For example, the first user plane function may be UPF in 5GS. For some parts which have been described in the above embodiments, the description thereof is omitted here for brevity.
At block 302, the first user plane function may send a network function register request including a network function profile of the first user plane function to a network repository function. The network function profile of the first user plane function may include an information element indicating whether the first user plane function has an inter network user plane security capability. The network repository function may provide the same or similar functionality as described in clause 6.2.6 of 3GPP TS 23.501 V16.2.0. In an embodiment, the network repository function may be NRF in 5GS. The network function register request may be similar to the Nnrf_NFManagement_NFRegister Request message as described in clause 4.17.1 of 3GPP TS 23.502 V16.1.1 except that the network function profile of the first user plane function may include an information element indicating whether the first user plane function has an inter network user plane security capability.
In an embodiment, the information element may include a first information element indicating that the first user plane function has user plane function capability and inter network user plane security capability; or include a second information element indicating that the first user plane function has the inter network user plane security capability without user plane function capability; or when the first information element and the second information element are not present in the network function profile of the first user plane function, it indicates that the first user plane function has user plane function capability without user plane security capability.
In an embodiment, the network function profile of the first user plane function further includes information related to at least one second user plane function to which the first user plane function is attached, at least one of the at least one second user plane function is located in a second network.
In an embodiment, the information related to at least one second user plane function includes an information element indicating whether the at least one second user plane function has inter network user plane security capability.
In an embodiment, the network function profile of the first user plane function further includes an information element indicating a load and/or a priority of the first user plane function.
At block 304, the first user plane function may receive a network function register response from the network repository function. For example, the network repository function may acknowledge that the network function register request is accepted via the network function register response. In an embodiment, the network function register response may be similar to the Nnrf_NFManagement_NFRegister response as described in clause 4.17.1 of 3GPP TS 23.502 V16.1.1.
At block 306, optionally, the first user plane function may send a network function update request including an updated network function profile of the first user plane function to the network repository function. The updated network function profile includes an information element indicating whether the first user plane function has an inter network user plane security capability. In an embodiment, the network function update request may be similar to the Nnrf_NFManagement_NFUpdate Request message as described in clause 4.17.2 of 3GPP TS 23.502 V16.1.1 except that the updated network function profile includes an information element indicating whether the first user plane function has an inter network user plane security capability.
At block 308, optionally, the first user plane function may receive a network function update response from the network repository function. For example, the network repository function may acknowledge that the network function update request is accepted via the network function update response. In an embodiment, the network function update response may be similar to the Nnrf_NFManagement_NFUpdate response as described in clause 4.17.2 of 3GPP TS 23.502 V16.1.1.
FIG. 4 shows a flowchart of a method according to another embodiment of the present disclosure, which may be performed by an apparatus implemented in/as or communicatively coupled to a network repository function. As such, the apparatus may provide means or modules for accomplishing various parts of the method 400 as well as means or modules for accomplishing other processes in conjunction with other components. The network repository function may be any suitable entity or node which can implement the network repository function. For example, the network repository function may be NRF in 5GS. For some parts which have been described in the above embodiments, the description thereof is omitted here for brevity.
At block 402, the network repository function may receive a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network. The network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability. For example, the first user plane function may send the network function register request at block 302 of FIG. 3, and then the network repository function may receive the network function register request. The network repository function may store the network function profile of the first user plane function and mark the first user plane function available.
In an embodiment, the information element includes a first information element indicating that the first user plane function has user plane function capability and inter network user plane security capability; or the information element includes a second information element indicating that the first user plane function has the inter network user plane security capability without user plane function capability; or when the first information element and the second information element are not present in the network function profile of the first user plane function, it indicates that the first user plane function has user plane function capability without user plane security capability.
In an embodiment, the network function profile of the first user plane function further includes information related to at least one second user plane function to which the first user plane function is attached, at least one of the at least one second user plane function is located in a second network.
In an embodiment, the information related to the at least one second user plane function includes an information element indicating whether the at least one second user plane function has inter network user plane security capability.
In an embodiment, the network function profile of the first user plane function further includes an information element indicating a load and/or a priority of the first network function.
At block 404, the network repository function may send a network function register response to the first user plane function of the first network.
At block 406, optionally, the network repository function may receive a network function update request including an updated network function profile of the first user plane function from the first user plane function of the first network. The updated network function profile includes an information element indicating whether the first user plane function has the inter network user plane security capability. For example, the first user plane function may send the network function update request at block 306 of FIG. 3, and then the network repository function may receive the network function update request. The network repository function may update the network function profile of the first user plane function.
At block 408, optionally, the network repository function may send a network function update response to the first user plane function of the first network.
FIG. 5 shows a flowchart of a method according to another embodiment of the present disclosure, which may be performed by an apparatus implemented in/as or communicatively coupled to a network repository function. As such, the apparatus may provide means or modules for accomplishing various parts of the method 500 as well as means or modules for accomplishing other processes in conjunction with other components. The network repository function may be any suitable entity or node which can implement the network repository function. For example, the network repository function may be NRF in 5GS. For some parts which have been described in the above embodiments, the description thereof is omitted here for brevity.
At block 502, the network repository function may receive a network function discovery request for discovering user plane function from a session management function of the first network. For example, as described above, the session management function may obtain the information related to at least one first user plane function of the first network from the network repository function when the information related to at least one first user plane function of the first network is stored in the network repository function. In this case, the session management function may send the network function discovery request to the network repository function and then the network repository function may receive the network function discovery request. The network function discovery request may be similar to the Nnrf_NFDiscovery_Request as described in clause 4.17.4 of 3GPP TS 23.502 V16.1.1. The network repository function may authorize the Nnrf_NFDiscovery_Request as described in clause 4.17.4 of 3GPP TS 23.502 V16.1.1.
At block 504, the network repository function may determine at least one first network function of the first network matching the network function discovery request.
At block 506, the network repository function may send a network function discovery response including respective network function profile of the at least one first network function to the session management function of the first network. As described above, the respective network function profile of the at least one first network function may include an information element indicating whether the at least one first user plane function has an inter network user plane security capability.
FIG. 6 shows a flowchart of a method according to another embodiment of the present disclosure. This method is implemented in 5GS. As shown in FIG. 6, a UPF could have IPUPS with UPF or just IPUPS capability; the NF profile of the UPF is registered or updated by using two new information elements (IEs) inside the UpfInfo. UpfInfo is a part of the Network Function Profile (NFProfile).
At step 1), UPF registers with NRF or updates NRF with new capabilities and load factor at runtime. This operation keeps occurring as an update if the capabilities change or the load factor changes on the UPF. The UpfInfo may include two new IEs upfIPSCapability or IPUPSCapability as described in Table 1. The UpfInfoExt may include one or more remote attached UPF NF profiles.
At step 2), NRF notifies changes for the UPF to SMF by using NF/NF service status subscribe/notify service operations as described in clause 4.17.7 of 3GPP TS 23.502 V16.1.1.
At step 3), SMF can get the NF profiles of the UPF either by using NF/NF service discovery service operation or NF/NF service status subscribe/notify service operations.
At step 4), SMF can get a list of UPFs with IPUPS+UPF capability.
FIG. 7 shows a flowchart of a method according to another embodiment of the present disclosure. This method is implemented in 5GS. As shown in FIG. 7, NRF updates SMF with NF profiles of the remote and/or local UPFs. AMF sends the session create requests to SMF. SMF updates the candidate sets A, B and C. For every session create request from AMF, if candidate set A has entries, then SMF chooses UPF+IPUPS with least load followed by high priority. If candidate set A has no entries, then SMF chooses from candidate set C. If candidate set C is empty, then SMF chooses a default configured UPF or IPUPS. If candidate set C has entries, then SMF chooses a UPF with least load followed by high priority, then SMF selects a UPF from candidate set B which has pure IPUPS. If there are no candidates in candidate set B, then SMF chooses a default configured UPF or IPUPS. If there are candidates in candidate set B, then SMF chooses IPUPS with least load, followed by high priority.
According to various embodiments, there is provided an efficient method of classifying UPFs at runtime, by whether the IPUPS firewall is a built-in function or a standalone function, by introducing two new IEs for the UpfInfo in the NFProfile. Some embodiments herein also allow the UpfInfoExt to include the NF profiles of the attached UPFs, which can create a whole connected map of the attached UPFs, each of which may have the IPUPS function, may be a pure IPUPS, or may be just a pure UPF. In some embodiments herein, the IPUPS may be considered as a subset of UPF or the IPUPS has a relationship with UPF.
FIG. 8 is a block diagram showing an apparatus suitable for use in practicing some embodiments of the disclosure. For example, any one of the session management function, the first user plane function and the network repository function described above may be implemented through the apparatus 800.
The apparatus 800 comprises at least one processor 821, such as a DP, and at least one MEM 822 coupled to the processor 821. The apparatus 820 may further comprise a transmitter TX and receiver RX 823 coupled to the processor 821. The MEM 822 stores a PROG 824. The PROG 824 may include instructions that, when executed on the associated processor 821, enable the apparatus 820 to operate in accordance with the embodiments of the present disclosure. A combination of the at least one processor 821 and the at least one MEM 822 may form processing means 825 adapted to implement various embodiments of the present disclosure.
Various embodiments of the present disclosure may be implemented by computer program executable by one or more of the processor 821, software, firmware, hardware or in a combination thereof.
The MEM 822 may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memories and removable memories, as non-limiting examples.
The processor 821 may be of any type suitable to the local technical environment, and may include one or more of general purpose computers, special purpose computers, microprocessors, digital signal processors DSPs and processors based on multicore processor architecture, as non-limiting examples.
In an embodiment where the apparatus is implemented as or at the session management function, the memory 822 contains instructions executable by the processor 821, whereby the session management function operates according to the method 200 as described in reference to FIG. 2.
In an embodiment where the apparatus is implemented as or at the first user plane function, the memory 822 contains instructions executable by the processor 821, whereby the first user plane function operates according to the method 300 as described in reference to FIG. 3.
In an embodiment where the apparatus is implemented as or at the network repository function, the memory 822 contains instructions executable by the processor 821, whereby the network repository function operates according to any one of the methods 400 and 500 as described in reference to FIGs. 4-5.
FIG. 9 illustrates a simplified block diagram of a session management function of a first network according to an embodiment of the present disclosure. The session management function may be SMF of 5GS. The session management function 900 comprises an obtaining module 902 configured to obtain information related to at least one first user plane function of the first network, wherein said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability. The session management function 900 further comprises a selecting module 904 configured to select a first user plane function for a session based on the information related to at least one first user plane function of the first network.
FIG. 10 illustrates a simplified block diagram of a first user plane function of a first network according to an embodiment of the present disclosure. The first user plane function may be UPF of 5GS. The first user plane function 1000 comprises a sending module 1002 configured to send a network function register request including a network function profile of the first user plane function to a network repository function, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability. The first user plane function 1000 further comprises a receiving module 1004 configured to receive a network function register response from the network repository function.
FIG. 11 illustrates a simplified block diagram of a network repository function according to an embodiment of the present disclosure. The network repository function may be NRF of 5GS. The network repository function 1100 comprises a receiving module 1102 configured to receive a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability. The network repository function 1100 further comprises a sending module 1104 configured to send a network function register response to the first user plane function of the first network.
According to an aspect of the disclosure it is provided a computer program product being tangibly stored on a computer readable storage medium and including instructions which, when executed on at least one processor, cause the at least one processor to carry out the method related to the session management function as described above.
According to an aspect of the disclosure it is provided a computer program product being tangibly stored on a computer readable storage medium and including instructions which, when executed on at least one processor, cause the at least one processor to carry out the method related to the first user plane function as described above.
According to an aspect of the disclosure it is provided a computer program product being tangibly stored on a computer readable storage medium and including instructions which, when executed on at least one processor, cause the at least one processor to carry out the method related to the network repository function as described above.
According to an aspect of the disclosure it is provided a computer-readable storage medium storing instructions which when executed by at least one processor, cause the at least one processor to perform the method related to the session management function as described above.
According to an aspect of the disclosure it is provided a computer-readable storage medium storing instructions which when executed by at least one processor, cause the at least one processor to perform the method related to the first user plane function as described above.
According to an aspect of the disclosure it is provided a computer-readable storage medium storing instructions which when executed by at least one processor, cause the at least one processor to perform the method related to the network repository function as described above.
In addition, the present disclosure may also provide a carrier containing the computer program as mentioned above, wherein the carrier is one of an electronic signal, optical signal, radio signal, or computer readable storage medium. The computer readable storage medium can be, for example, an optical compact disk or an electronic memory device like a RAM (random access memory), a ROM (read only memory), Flash memory, magnetic tape, CD-ROM, DVD, Blu-ray disc and the like.
The techniques described herein may be implemented by various means so that an apparatus implementing one or more functions of a corresponding apparatus described with an embodiment comprises not only prior art means, but also means for implementing the one or more functions of the corresponding apparatus described with the embodiment and it may comprise separate means for each separate function, or means that may be configured to perform two or more functions. For example, these techniques may be implemented in hardware (one or more apparatuses), firmware (one or more apparatuses), software (one or more modules), or combinations thereof. For a firmware or software, implementation may be made through modules (e.g., procedures, functions, and so on) that perform the functions described herein.
Exemplary embodiments herein have been described above with reference to block diagrams and flowchart illustrations of methods and apparatuses. It will be understood that each block of the block diagrams and flowchart illustrations, and combinations of blocks in the block diagrams and flowchart illustrations, respectively, can be implemented by various means including computer program instructions. These computer program instructions may be loaded onto a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions which execute on the computer or other programmable data processing apparatus create means for implementing the functions specified in the flowchart block or blocks.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the subject matter described herein, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any implementation or of what may be claimed, but rather as descriptions of features that may be specific to particular embodiments of particular implementations. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable sub-combination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a sub-combination or variation of a sub-combination.
It will be obvious to a person skilled in the art that, as the technology advances, the inventive concept can be implemented in various ways. The above described embodiments are given for describing rather than limiting the disclosure, and it is to be understood that modifications and variations may be resorted to without departing from the spirit and scope of the disclosure as those skilled in the art readily understand. Such modifications and variations are considered to be within the scope of the disclosure and the appended claims. The protection scope of the disclosure is defined by the accompanying claims.

Claims (30)

  1. A method (200) at a session management function of a first network, comprising:
    obtaining (202) information related to at least one first user plane function of the first network, wherein said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability; and
    selecting (204) a first user plane function for a session based on the information related to at least one first user plane function of the first network.
  2. The method according to claim 1, wherein obtaining information related to at least one first user plane function of the first network comprises at least one of:
    locally obtaining the information related to at least one first user plane function of the first network when the information related to at least one first user plane function of the first network is locally configured in the session management function;
    obtaining the information related to at least one first user plane function of the first network from a network repository function when the information related to at least one first user plane function of the first network is stored in the network repository function.
  3. The method according to claim 1 or 2, wherein:
    the information element includes a first information element indicating that the at least one first user plane function has user plane function capability and inter network user plane security capability; or
    the information element includes a second information element indicating that the at least one first user plane function has the inter network user plane security capability without user plane function capability; or
    when the first information element and the second information element are not presented in the information related to the at least one first user plane function, it indicates that the at least one first user plane function has user plane function capability without user plane security capability.
  4. The method according to any of claims 1-3, wherein the information related to the at least one first user plane function further includes information related to at least one second user plane function to which the at least one first user plane function is attached, at least one of the at least one second user plane function is located in a second network.
  5. The method according to claim 4, wherein the information related to the at least one second user plane function includes an information element indicating whether the at least one second user plane function has inter network user plane security capability.
  6. The method according to any of claims 1-5, wherein in a roaming scenario, selecting a first user plane function for a session based on the information related to at least one first user plane function of the first network comprises:
    a) selecting a first user plane function of the first network having user plane function capability and inter network user plane security capability; or
    b) selecting a first user plane function of the first network having the inter network user plane security capability without user plane function capability and a first user plane function of the first network having user plane function capability without inter network user plane security capability when a) is not fulfilled; or
    c) selecting a default first user plane function when a) and b) are not fulfilled.
  7. The method according to any of claims 1-6, wherein selecting a user plane function for a session based on the information related to at least one first user plane function of the first network comprises:
    when there are two or more first user plane functions that can be selected, selecting the first user plane function for the session based on respective load and/or respective priority of the two or more first user plane functions.
  8. The method according to any of claims 1-7, wherein the information related to at least one first user plane function of the first network is updated information related to at least one first user plane function of the first network.
  9. The method according to any of claims 1-8, wherein the information related to the at least one first user plane function of the first network further includes an information element indicating a load and/or a priority of the at least one first user plane function.
  10. A method (300) at a first user plane function of a first network, comprising:
    sending (302) a network function register request including a network function profile of the first user plane function to a network repository function, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability; and
    receiving (304) a network function register response from the network repository function.
  11. The method according to claim 10, wherein:
    the information element includes a first information element indicating that the first user plane function has user plane function capability and inter network user plane security capability; or
    the information element includes a second information element indicating that the first user plane function has the inter network user plane security capability without user plane function capability; or
    when the first information element and the second information element are not presented in the network function profile of the first user plane function, it indicates that the first user plane function has user plane function capability without user plane security capability.
  12. The method according to any of claims 10-11, wherein the network function profile of the first user plane function further includes information related to at least one second user plane function to which the first user plane function is attached, at least one of the at least one second user plane function is located in a second network.
  13. The method according to claim 12, wherein the information related to at least one second user plane function includes an information element indicating whether the at least one second user plane function has inter network user plane security capability.
  14. The method according to any of claims 10-13, further comprising:
    sending (306) a network function update request including an updated network function profile of the first user plane function to the network repository function, wherein the updated network function profile includes an information element indicating whether the first user plane function has an inter network user plane security capability; and
    receiving (308) a network function update response from the network repository function.
  15. The method according to any of claims 10-14, wherein the network function profile of the first user plane function further includes an information element indicating a load and/or a priority of the first user plane function.
  16. A method (400) at a network repository function, comprising:
    receiving (402) a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability; and
    sending (404) a network function register response to the first user plane function of the first network.
  17. The method according to claim 16, wherein:
    the information element includes a first information element indicating that the first user plane function has user plane function capability and inter network user plane security capability; or
    the information element includes a second information element indicating that the first user plane function has the inter network user plane security capability without user plane function capability; or
    when the first information element and the second information element are not presented in the network function profile of the first user plane function, it indicates that the first user plane function has user plane function capability without user plane security capability.
  18. The method according to any of claims 16-17, wherein the network function profile of the first user plane function further includes information related to at least one second user plane function to which the first user plane function is attached, at least one of the at least one second user plane function is located in a second network.
  19. The method according to claim 18, wherein the information related to the at least one second user plane function includes an information element indicating whether the at least one second user plane function has inter network user plane security capability.
  20. The method according to any of claims 16-19, further comprising:
    receiving (406) a network function update request including an updated network function profile of the first user plane function from the first user plane function of the first network, wherein the updated network function profile includes an information element indicating whether the first user plane function has the inter network user plane security capability; and
    sending (408) a network function update response to the first user plane function of the first network.
  21. The method according to any of claims 16-20, further comprising:
    receiving (502) a network function discovery request for discovering user plane function from a session management function of the first network;
    determining (504) at least one first network function of the first network matching the network function discovery request; and
    sending (506) a network function discovery response including respective network function profile of the at least one first network function to the session management function of the first network.
  22. The method according to any of claims 16-21, wherein the network function profile of the first user plane function further includes an information element indicating a load and/or a priority of the first network function.
  23. An apparatus (800) implemented in a session management function of a first network, comprising:
    a processor (821); and
    a memory (822) coupled to the processor (821), said memory (822) containing instructions executable by said processor (821), whereby said apparatus (800) is operative to:
    obtain information related to at least one first user plane function of the first network, wherein said information includes an information element indicating whether the at least one first user plane function has an inter network user plane security capability; and
    select a first user plane function for a session based on the information related to at least one first user plane function of the first network.
  24. The apparatus according to claim 23, wherein the apparatus is further operative to perform the method of any one of claims 2 to 9.
  25. An apparatus (800) implemented in a first user plane function of a first network, comprising:
    a processor (821); and
    a memory (822) coupled to the processor (821), said memory (822) containing instructions executable by said processor (821), whereby said apparatus (800) is operative to:
    send a network function register request including a network function profile of the first user plane function to a network repository function, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability; and
    receive a network function register response from the network repository function.
  26. The apparatus according to claim 25, wherein the apparatus is further operative to perform the method of any one of claims 11 to 15.
  27. An apparatus (800) implemented in a network repository function, comprising:
    a processor (821); and
    a memory (822) coupled to the processor (821), said memory (822) containing instructions executable by said processor (821), whereby said apparatus (800) is operative to:
    receive a network function register request including a network function profile of a first user plane function of a first network from the first user plane function of the first network, wherein the network function profile of the first user plane function includes an information element indicating whether the first user plane function has an inter network user plane security capability; and
    send a network function register response to the first user plane function of the first network.
  28. The apparatus according to claim 27, wherein the apparatus is further operative to perform the method of any one of claims 17 to 22.
  29. A computer-readable storage medium storing instructions which when executed by at least one processor, cause the at least one processor to perform the method according to any one of claims 1 to 22.
  30. A computer program product comprising instructions which when executed by at least one processor, cause the at least one processor to perform the method according to any of claims 1 to 22.
PCT/CN2020/135304 2019-12-12 2020-12-10 Method and apparatus for user plane function selection Ceased WO2021115388A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNPCT/CN2019/124902 2019-12-12
CN2019124902 2019-12-12

Publications (1)

Publication Number Publication Date
WO2021115388A1 true WO2021115388A1 (en) 2021-06-17

Family

ID=76329620

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/135304 Ceased WO2021115388A1 (en) 2019-12-12 2020-12-10 Method and apparatus for user plane function selection

Country Status (1)

Country Link
WO (1) WO2021115388A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019068644A1 (en) * 2017-10-02 2019-04-11 Telefonaktiebolaget Lm Ericsson (Publ) Access stratum security in a wireless communication system
CN110392400A (en) * 2018-04-21 2019-10-29 华为技术有限公司 A kind of communication means and relevant device

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Services and System Aspects; Procedures for the 5G System; Stage 2 (Release 16)", 3GPP STANDARD; TECHNICAL SPECIFICATION; 3GPP TS 23.502, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. V16.2.0, 24 September 2019 (2019-09-24), pages 1, 129 - 131, XP002799855 *
HUAWEI, NOKIA?, NOKIA SHANGHAI BELL?, DEUTSCHE TELEKOM?: "Introduction of the Inter PLMN UP functionality in the architecture", 3GPP DRAFT; S2-1911746, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Reno, NV, USA; 20191118 - 20191122, 8 November 2019 (2019-11-08), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051821823 *
NOKIA, NOKIA SHANGHAI BELL, DEUTSCHE TELEKOM: "Introduction of the Inter PLMN UP functionality in the architecture", 3GPP DRAFT; S2-1910799_E-MAIL_REV4_S2-1910725, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Split, HR; 20191014 - 20191018, 28 October 2019 (2019-10-28), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051813296 *
NOKIA, NOKIA SHANGHAI BELL, ERICSSON: "Introduction of the Inter PLMN UP functionality in the architecture", 3GPP DRAFT; S2-1911228, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. Reno, US; 20191118 - 20191122, 8 November 2019 (2019-11-08), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051821329 *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20900083

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20900083

Country of ref document: EP

Kind code of ref document: A1