WO2022021239A1 - Notify network about result of authentication and authorization of terminal device - Google Patents
Notify network about result of authentication and authorization of terminal device
- Publication number: WO2022021239A1
- Application number: PCT/CN2020/105937
- Authority: WO (WIPO (PCT))
- Prior art keywords: authentication, authorization, notification, result, unmanned aerial
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Ceased
Classifications
- G—PHYSICS > G08—SIGNALLING > G08G—TRAFFIC CONTROL SYSTEMS > G08G5/00—Traffic control systems for aircraft > G08G5/20—Arrangements for acquiring, generating, sharing or displaying traffic information > G08G5/26—Transmission of traffic-related information between aircraft and ground stations
- G—PHYSICS > G08—SIGNALLING > G08G—TRAFFIC CONTROL SYSTEMS > G08G5/00—Traffic control systems for aircraft > G08G5/20—Arrangements for acquiring, generating, sharing or displaying traffic information > G08G5/22—Arrangements for acquiring, generating, sharing or displaying traffic information located on the ground
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/06—Authentication
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04W—WIRELESS COMMUNICATION NETWORKS > H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity > H04W12/60—Context-dependent security > H04W12/69—Identity-dependent > H04W12/72—Subscriber identity
- B—PERFORMING OPERATIONS; TRANSPORTING > B64—AIRCRAFT; AVIATION; COSMONAUTICS > B64U—UNMANNED AERIAL VEHICLES [UAV]; EQUIPMENT THEREFOR > B64U2201/00—UAVs characterised by their flight controls
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00 > H04L2209/80—Wireless
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
Definitions
- Embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to methods, devices, apparatuses and computer readable media for notifying a network about a result of authentication and authorization of a terminal device.
- the 3rd Generation Partnership Project (3GPP) is working on enhancements for control of terminal devices, specifically control of Unmanned Aerial Vehicles (UAV) .
- the enhancements may include identification, authentication, authorization, tracking of the terminal devices.
- the enhancements may include, for example: tracking the terminal devices and being able to report to a UAV domain; allowing one terminal device to advertise itself or send data to other terminal devices in a certain area via the 3GPP network; and allowing authentication and authorization with the help of Unmanned Aerial System (UAS) Traffic Management (UTM) or a UAS Service Supplier (USS), which is part of the UTM.
- One main problem is the authentication and authorization of a terminal device via the 5G system (5GS).
- example embodiments of the present disclosure provide a solution for notifying a device about a result of authentication and authorization for another device.
- a first device comprising at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to: receive a notification from a second device, the notification indicating a result of authentication and authorization performed by the second device for a third device; and update a policy for communication between the third device and a data network based on the result of the authentication and authorization.
- a second device comprising at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the second device to: perform authentication and authorization for a third device; and transmit a notification to a first device, the notification indicating a result of the authentication and authorization.
- a method implemented at a first device comprises: receiving a notification at a first device from a second device, the notification indicating a result of authentication and authorization performed by the second device for a third device; and updating a policy for communication between the third device and a data network based on the result of the authentication and authorization.
- a method implemented at a second device comprises: performing, at a second device, authentication and authorization for a third device; and transmitting a notification to a first device, the notification indicating a result of the authentication and authorization.
- an apparatus comprising: means for receiving a notification at a first device from a second device, the notification indicating a result of authentication and authorization performed by the second device for a third device; and means for updating a policy for communication between the third device and a data network based on the result of the authentication and authorization.
- an apparatus comprising: means for performing, at a second device, authentication and authorization for a third device; and means for transmitting a notification to a first device, the notification indicating a result of the authentication and authorization.
- a computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the above third or fourth aspect.
- Fig. 1 shows an example communication network in which embodiments of the present disclosure may be implemented
- Fig. 2 shows a signaling chart illustrating a process for authentication and authorization for a terminal device in accordance with a conventional solution
- Fig. 3 shows a signaling chart illustrating a process for notifying a device about a result of authentication and authorization for another device in accordance with some example embodiments of the present disclosure
- Fig. 4 shows a signaling chart illustrating a process for notifying a device about a result of authentication and authorization for another device in accordance with other example embodiments of the present disclosure
- Fig. 5 shows a signaling chart illustrating a process for notifying a device about a result of authentication and authorization for another device in accordance with still other example embodiments of the present disclosure
- Fig. 6 shows a flowchart of a method for notifying a device about a result of authentication and authorization for another device in accordance with some embodiments of the present disclosure
- Fig. 7 shows a flowchart of a method for notifying a device about a result of authentication and authorization for another device in accordance with other embodiments of the present disclosure
- Fig. 8 illustrates a simplified block diagram of an apparatus that is suitable for implementing some other embodiments of the present disclosure.
- Fig. 9 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
- references in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
- first and second etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments.
- the term “and/or” includes any and all combinations of one or more of the listed terms.
- circuitry may refer to one or more or all of the following:
- circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
- circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
- the term “communication network” refers to a network following any suitable communication standards, such as fifth generation (5G) systems, Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on.
- the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the future fifth generation (5G) new radio (NR) communication protocols, and/or any other protocols either currently known or to be developed in the future.
- Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the
- the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom.
- the network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), a NR Next Generation NodeB (gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, a low power node such as a femto, a pico, and so forth, depending on the applied terminology and technology.
- An RAN split architecture comprises a gNB-CU (Centralized unit, hosting RRC, SDAP and PDCP) controlling a plurality of gNB-DUs (Distributed unit, hosting RLC, MAC and PHY) .
- the term “network device” may also refer to a network function such as Access and Mobility management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Unified Data Management (UDM), Policy Control Function (PCF), Network Exposure Function (NEF), Network Slice Selection Function (NSSF), Network Slice-Specific Authentication and Authorization Function (NSSAAF), Network Repository Function (NRF), Unstructured Data Storage Function (UDSF), or Unified Data Repository (UDR).
- terminal device refers to any end device that may be capable of wireless communication.
- a terminal device may also be referred to as a communication device, user equipment (UE), Unmanned Aerial Vehicle (UAV), UAV controller (UAVC), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT).
- the terminal device may include, but not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and/
- a user equipment apparatus such as a cell phone or tablet computer or laptop computer or desktop computer or mobile IoT device or fixed IoT device
- This user equipment apparatus can, for example, be furnished with corresponding capabilities as described in connection with the fixed and/or the wireless network node (s) , as appropriate.
- the user equipment apparatus may be the user equipment and/or a control device, such as a chipset or processor, configured to control the user equipment when installed therein. Examples of such functionalities include the bootstrapping server function and/or the home subscriber server, which may be implemented in the user equipment apparatus by providing the user equipment apparatus with software configured to cause the user equipment apparatus to perform from the point of view of these functions/nodes.
- Fig. 1 shows an example communication network 100 in which embodiments of the present disclosure can be implemented.
- the network 100 comprises a Network Slice-Specific Authentication and Authorization Function (NSSAAF) 101, a Network Slice Selection Function (NSSF) 102, an Authentication Server Function (AUSF) 103, a Unified Data Management (UDM) 104, an Access and Mobility management Function (AMF) 105, a Session Management Function (SMF) 106, a Policy Control Function (PCF) 107, an Application Function (AF) 108, a terminal device 109, a Radio Access Network (RAN) 110, a User Plane Function (UPF) 111, and a data network (DN) 112.
- the UDM 104 may include support for the following functionality: generation of 3GPP Authentication Credentials, User Identification Handling (e.g., storage and management of SUPI for each subscriber in the 5G system), support of de-concealment of privacy-protected subscription identifier (SUCI), access authorization based on subscription data (e.g., roaming restrictions), UE's Serving NF Registration Management (e.g., storing serving AMF for UE, storing serving SMF for UE's PDU Session), support of service/session continuity, e.g., by keeping SMF/Data Network Name (DNN) assignment of ongoing sessions, MT-SMS delivery support, Lawful Intercept functionality (especially in the outbound roaming case where the UDM is the only point of contact for LI), subscription management, SMS management, 5GLAN group management handling, support of external parameter provisioning (Expected UE Behaviour parameters or Network Configuration parameters).
- the AMF 105 may include the following functionality. Some or all of the AMF 105 functionalities may be supported in a single instance of an AMF: termination of RAN Control Plane interface (N2), termination of NAS (N1), NAS ciphering and integrity protection, registration management, connection management, reachability management, Mobility Management, lawful intercept (for AMF events and interface to LI System), provide transport for SM messages between UE and SMF, transparent proxy for routing SM messages, access Authentication, access Authorization, provide transport for SMS messages between UE and SMSF, Security Anchor Functionality (SEAF), Location Services management for regulatory services, provide transport for Location Services messages between UE and LMF as well as between RAN and LMF, EPS Bearer ID allocation for interworking with EPS, UE mobility event notification, support for Control Plane CIoT 5GS Optimisation, support for User Plane CIoT 5GS Optimisation, provisioning of external parameters (Expected UE Behaviour parameters or
- the SMF 106 may include the following functionality. Some or all functionalities of the SMF 106 may be supported in a single instance of an SMF: Session Management, e.g., Session Establishment, modify and release, including tunnel maintained between UPF and AN node; UE IP address allocation & management (including optional Authorization), the UE IP address may be received from a UPF or from an external data network; DHCPv4 (server and client) and DHCPv6 (server and client) functions; functionality to respond to Address Resolution Protocol (ARP) requests and/or IPv6 Neighbour Solicitation requests based on local cache information for the Ethernet PDUs, the SMF responds to the ARP and/or the IPv6 Neighbour Solicitation Request by providing the MAC address corresponding to the IP address sent in the request; selection and control of UP function, including controlling the UPF to proxy ARP or IPv6 Neighbour Discovery, or to forward all ARP/IPv6 Neigh
- the PCF 107 may include the following functionality: supports a unified policy framework to govern network behavior; provides policy rules to Control Plane function(s) to enforce them; and accesses subscription information relevant for policy decisions in a Unified Data Repository (UDR).
- the AF 108 may support interaction with the 3GPP core network to provide services, such as influencing data routing decisions, policy control functions or providing third-party services to the network.
- the UPF 111 may include the following functionality. Some or all functionalities of the UPF 111 may be supported in a single instance of a UPF: anchor point for Intra/Inter-RAT mobility (when applicable); allocation of UE IP address/prefix (if supported) in response to SMF request; external PDU Session point of interconnect to Data Network; packet routing & forwarding (e.g., support of Uplink classifier to route traffic flows to an instance of a data network, support of Branching point to support multihomed PDU Session, support of traffic forwarding within a 5G VN group (UPF local switching, via N6, via N19)); packet inspection (e.g., Application detection based on service data flow template and the optional PFDs received from the SMF in addition); User Plane part of policy rule enforcement (e.g., Gating, Redirection, Traffic steering); lawful intercept (UP collection); traffic usage reporting; QoS handling for user plane,
- the UPF 111 may be responsible for forwarding and receiving user data of the terminal device 109.
- the UPF 111 can receive user data from the DN 112 and transmit it to the terminal device 109 via the RAN 110.
- the UPF 111 can also receive user data from the terminal device 109 through the RAN 110 and forward it to the DN 112.
- the transmission resources and scheduling functions in the UPF 111 that serve the terminal device 109 are managed and controlled by the SMF 106.
- the numbers of network elements and terminal device in the network 100 are only for the purpose of illustration without suggesting any limitations.
- the network 100 may include any suitable number of network elements and terminal devices adapted for implementing embodiments of the present disclosure.
- Communications in the communication network 100 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G) and the fifth generation (5G) and the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future.
- the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), Discrete Fourier Transform spread OFDM (DFT-s-OFDM) and/or any other technologies currently known or to be developed in the future.
- Fig. 2 shows a signaling chart illustrating a process 200 for authentication and authorization for the terminal device 109 in accordance with a conventional solution.
- the authentication and authorization is performed via 5GS user plane, and the terminal device 109 may comprise a UAV or UAVC.
- the terminal device 109 performs a registration (201) to the network.
- the terminal device 109 requests (202) a PDU Session establishment or the PCF 107 provides PCC rules for the terminal device 109 via the SMF 106 to the UPF 111.
- An application on the terminal device 109 starts (203) .
- the terminal device 109 sends (204-1) a request for authentication and authorization to the UAS AF 113 over the user plane. Accordingly, the UAS AF 113 receives (204-2) the request.
- the UAS AF 113 requests (205) subscription information specific to the terminal device 109 from the UDM 104 and/or the PCF/BSF 107.
- the UAS AF 113 checks if the terminal device 109 has a valid aerial subscription based on the subscription information received from the UDM 104. If the check is successful, the UAS AF 113 determines, based on the subscription information, the UTM/USS 114 serving the terminal device 109 and triggers (206-1) an authentication and authorization (also referred to as A&A) request towards the UTM/USS 114. Accordingly, the UTM/USS 114 receives (206-2) the request. The request can contain an indication about the used mobile operator and the 3GPP identity of the terminal device 109. If the check is unsuccessful, a response is sent to the terminal device 109 to reject the request.
- the UTM/USS 114 checks (207) the request for operation of the terminal device 109 from the UAS AF 113 using the combined information from the terminal device 109 and from the mobile network operator of the terminal device 109.
- UTM/USS 114 transmits (208-1) an accept response to the UAS AF 113. Accordingly, the UAS AF 113 receives (208-2) the accept response.
- the response can include information specific to the application on the terminal device 109. For example, the information may include a token to be included for authentication reasons in succeeding application content interactions. If the check is unsuccessful, a response is sent to the UAS AF to reject the request.
- the UAS AF 113 forwards (209-1) the response from the UTM/USS 114 to the terminal device 109 as a response to the request for authentication and authorization. Accordingly, the terminal device 109 receives (209-2) the response.
- the terminal device 109 triggers a set-up of a secure connection to UTM/USS 114 using the token received in the response, for example.
- the operation of the terminal device 109 can be handled (211) over the secure connection between the terminal device 109 and the UTM/USS 114.
- the terminal device 109 executes normal 5G registration, establishes a PDU connection and then transmits the request for authentication and authorization to the UAS AF 113. Then, the request is forwarded to UTM/USS 114.
- the 5G Core Network is not directly involved in the process of authentication and authorization. Thus, the 5G Core Network does not know the result of the authentication and authorization.
- the network (e.g. AMF, gNB) should be aware of whether the terminal device 109 is authorized in the drone domain. That is, the result of the authentication and authorization from the UTM/USS 114 needs to be provided to the 3GPP system providing connectivity.
- example embodiments of the present disclosure provide a solution for notifying a device (for example a network device) about a result of authentication and authorization for another device (for example a terminal device).
- a first device receives a notification from a second device.
- the notification indicates a result of authentication and authorization performed by the second device for the third device.
- the first device updates a policy for communication between the third device and a Data Network based on the result.
- the solution allows the 5GS to set policies and control the message exchange between UAV(s) via the 5G network (e.g. advertisements sent from a UAV to all other UAVs in a vicinity) or between UAVC and UAV.
- FIG. 3 shows a signaling chart illustrating a process 300 for notifying a device about a result of authentication and authorization for another device in accordance with some example embodiments of the present disclosure.
- a second device 302 performs (310) authentication and authorization for a third device.
- Upon completion of the authentication and authorization, the second device 302 transmits (320) a notification to a first device 301. Accordingly, the first device 301 receives (330) the notification from the second device 302. The notification indicates a result of the authentication and authorization.
- the first device 301 updates (340) a policy for communication between the third device and a DN based on the result.
- the notification comprises an identity of the third device.
- the first device 301 may transmit a subscription request for the result to the second device 302.
- the subscription request comprises the identity of the third device.
- the first device 301 may determine whether the result indicates a success of the authentication and authorization. If the result indicates a success of the authentication and authorization, the first device 301 may obtain a first policy for mobility management of the third device and update the policy for communication with the first policy. In some example embodiments, the first device 301 may install the first policy locally so as to update the policy for communication.
- the notification further indicates an association between the third device and a fourth device.
- the third device is controlled by the fourth device or the fourth device is controlled by the third device.
- the third device comprises the terminal device 109 in Fig. 1.
- the third device comprises a UAV and the fourth device comprises a UAVC.
- the third device comprises the UAVC and the fourth device comprises the UAV.
- if the result indicates the success of the authentication and authorization, the first device 301 establishes, based on the association between the third device and the fourth device, a Packet Data Unit (PDU) session for communication between the third device and the fourth device.
- the first device 301 configures, based on the association between the third device and the fourth device, the UPF device 111 to route traffic between the second device 302 and the third device.
- if the result indicates a failure of the authentication and authorization, the first device 301 terminates a PDU session for communication between the third device and a DN.
- the first device 301 modifies a policy in the UPF device 111 to enable the third device to only communicate with the second device 302.
- the first device 301 may receive the notification via a Network Exposure Function (NEF) device, which will be described below with reference to Figs. 4 and 5.
- the first device 301 may receive the notification via a Service Capability Exposure Function (SCEF) device, or a Machine Type Communication Interworking Function (MTC-IWF) device.
- the first device 301 comprises the AMF device 105. Upon receiving the notification, the first device 301 forwards the notification to at least one of the following: the UDM device 104, the SMF device 105, or a Policy Control Function device, which will be described below with reference to Fig. 4.
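The subscribe/notify exchange of Fig. 3 and the policy update it drives, modelled as an added example (not code from the patent or from any 3GPP implementation). The first device plays the AMF role, the second device the UTM/USS role; the A&A outcomes, the UAV/UAVC association and all identities are constructed. One hardening step is an assumption rather than a step the patent states: the first device only acts on notifications for devices it has an outstanding subscription for, so an unsolicited "success" for an unknown device does not open any policy.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

UTM_USS_ID = "utm-uss"  # constructed identity of the second device (UTM/USS role)


@dataclass(frozen=True)
class Notification:
    """Result notification sent by the second device (step 320 in Fig. 3)."""
    device_id: str                        # identity of the third device (UAV or UAVC)
    success: bool                         # result of authentication and authorization
    associated_id: Optional[str] = None   # fourth device (controller/controlled peer), if carried


class SecondDevice:
    """UTM/USS role: performs A&A for a third device and notifies subscribers."""

    def __init__(self, authorized: dict[str, bool], associations: dict[str, str]):
        # Constructed outcomes standing in for the UTM/USS's own A&A decision.
        self.authorized = authorized
        self.associations = associations
        self.subscribers: dict[str, list[FirstDevice]] = {}

    def subscribe(self, first: FirstDevice, device_id: str) -> None:
        # The subscription request carries the identity of the third device.
        self.subscribers.setdefault(device_id, []).append(first)

    def perform_aa(self, device_id: str) -> Notification:
        # Step 310: perform A&A, then push the result to every subscriber (step 320).
        result = Notification(device_id, self.authorized.get(device_id, False),
                              self.associations.get(device_id))
        for first in self.subscribers.get(device_id, []):
            first.on_notification(result)
        return result


class FirstDevice:
    """AMF role: consumes the notification and updates the policy for DN communication."""

    def __init__(self) -> None:
        self.pending: set[str] = set()                   # devices with an outstanding subscription
        self.mm_policy: dict[str, str] = {}              # the "first policy" for mobility management
        self.pdu_sessions: dict[str, set[str]] = {}      # device -> established PDU sessions
        self.upf_peers: dict[str, Optional[set[str]]] = {}  # device -> allowed peers (None: unrestricted)
        self.log: list[str] = []                         # one entry per handled notification

    def subscribe(self, second: SecondDevice, device_id: str) -> None:
        self.pending.add(device_id)
        second.subscribe(self, device_id)

    def on_notification(self, n: Notification) -> str:
        # Assumption (hardening, not a step the patent states): ignore results for
        # devices this first device never subscribed for.
        if n.device_id not in self.pending:
            outcome = "ignored: no subscription for device"
        elif n.success:
            self.pending.discard(n.device_id)
            self.mm_policy[n.device_id] = "aerial-allowed"   # install the first policy locally
            self.upf_peers[n.device_id] = None               # DN communication permitted
            if n.associated_id is not None:
                # Establish the PDU session between third and fourth device from the association.
                self.pdu_sessions.setdefault(n.device_id, set()).add(
                    f"pdu:{n.device_id}<->{n.associated_id}")
            outcome = "updated: success"
        else:
            self.pending.discard(n.device_id)
            self.pdu_sessions.pop(n.device_id, None)         # terminate the DN PDU session
            self.mm_policy.pop(n.device_id, None)
            self.upf_peers[n.device_id] = {UTM_USS_ID}       # UPF: only the second device reachable
            outcome = "updated: failure"
        self.log.append(outcome)
        return outcome


def run_scenario() -> FirstDevice:
    """Constructed scenario: uav-1 passes A&A and is paired with uavc-1, uav-2 fails
    while holding a DN PDU session, and a result for uav-3 arrives unsolicited."""
    uss = SecondDevice(authorized={"uav-1": True, "uav-2": False, "uav-3": True},
                       associations={"uav-1": "uavc-1"})
    amf = FirstDevice()
    amf.pdu_sessions["uav-2"] = {"pdu:uav-2<->dn"}   # pre-existing DN session (constructed)
    amf.subscribe(uss, "uav-1")
    amf.subscribe(uss, "uav-2")
    uss.perform_aa("uav-1")
    uss.perform_aa("uav-2")
    uss.perform_aa("uav-3")   # no subscription from amf: must not change any policy
    return amf


if __name__ == "__main__":
    state = run_scenario()
    for line in state.log:
        print(line)
    print("PDU sessions:", state.pdu_sessions)
    print("UPF peers:", state.upf_peers)
```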
- Fig. 4 shows a signaling chart illustrating a process 400 for notifying a device about a result of authentication and authorization for another device in accordance with other example embodiments of the present disclosure.
- the process 400 may involve the AMF 105 in Fig. 1 implementing the first device 301 in Fig. 3, a UTM/USS 114 implementing the second device 302 in Fig. 3, and the terminal device 109 in Fig. 1 implementing the third device.
- the process 400 may also involve the UDM 104, the SMF 106 in Fig. 1 and a NEF 115.
- the communication process 400 will be described with reference to Fig. 1.
- the terminal device 109 transmits (401-1) a REGISTRATION REQUEST message to the AMF 105. Accordingly, the AMF 105 receives (401-2) the REGISTRATION REQUEST.
- the REGISTRATION REQUEST may optionally comprise an indication of a type of the terminal device 109.
- the message may comprise an indication indicating that the terminal device 109 is a UAV.
- the message may comprise an indication indicating that the terminal device 109 is a UAVC.
- the indication of the type of the terminal device 109 may be provided by the terminal device 109 using e.g. NAS signaling, or it may be stored in the UDM 104.
- the AMF 105 obtains (402) subscriber data from the UDM 104 and the AMF 105 executes an IMEI check.
- the subscriber data may include the indication of the type of the terminal device 109.
- the subscriber data may include an identity of a UAS that the terminal device 109 belongs to.
- the AMF 105 transmits (403-1) a REGISTRATION ACCEPT message to the terminal device 109.
- the message may optionally comprise the indication of the type of the terminal device 109. Accordingly, the terminal device 109 receives (403-2) the REGISTRATION ACCEPT message.
- the AMF 105 optionally transmits (404-1) a SUBSCRIBE REQUEST to the UTM/USS 114 and/or UAS/AF (not shown) to be informed about the result of authentication and authorization for the terminal device 109.
- the AMF 105 may transmit the SUBSCRIBE REQUEST directly to UTM/USS 114 and/or UAS/AF.
- the AMF 105 may transmit the SUBSCRIBE REQUEST to UTM/USS 114 and/or UAS/AF via the NEF 115. Accordingly, the UTM/USS 114 receives (404-2) the SUBSCRIBE REQUEST.
- the NEF 115 may support exposure of capabilities and events.
- NF capabilities and events may be securely exposed by the NEF 115 for e.g. 3rd party, Application Functions, Edge Computing.
- the NEF 115 stores/retrieves information as structured data using a standardized interface (Nudr) to the Unified Data Repository (UDR).
- Nudr standardized interface
- UDR Unified Data Repository
- the NEF 115 may support secure provision of information from external application to 3GPP network.
- the NEF 115 provides a means for the Application Functions to securely provide information to 3GPP network, e.g. Expected UE Behaviour, 5GLAN group information and service specific information.
- the NEF 115 may authenticate and authorize and assist in throttling the Application Functions.
- the NEF 115 may support translation of internal-external information. For example, the NEF 115 translates between information exchanged with the AF and information exchanged with the internal network function. For example, the NEF 115 translates between an AF-Service-Identifier and internal 5G Core information such as DNN, S-NSSAI. In particular, the NEF 115 handles masking of network and user sensitive information towards external AFs according to the network policy.
- the NEF 115 may receive information from other network functions (based on exposed capabilities of other network functions) .
- the NEF 115 may store the received information as structured data using a standardized interface to a Unified Data Repository (UDR).
- the stored information can be accessed and "re-exposed" by the NEF 115 to other network functions and Application Functions, and used for other purposes such as analytics.
- the NEF 115 may also support a PFD Function.
- the PFD Function in the NEF 115 may store and retrieve PFD(s) in the UDR and shall provide PFD(s) to the SMF on the request of SMF (pull mode) or on the request of PFD management from NEF (push mode).
- the NEF 115 may also support a 5GLAN Group Management Function.
- the 5GLAN Group Management Function in the NEF may store the 5GLAN group information in the UDR via UDM.
- the NEF 115 may also support exposure of analytics. NWDAF analytics may be securely exposed by NEF for external party.
- the NEF 115 may also support retrieval of data from external party by NWDAF. Data provided by the external party may be collected by NWDAF via the NEF 115 for analytics generation purpose. The NEF 115 handles and forwards requests and notifications between NWDAF and AF.
- the NEF 115 may also support Non-IP Data Delivery.
- the NEF 115 provides a means for management of NIDD configuration and delivery of MO/MT unstructured data by exposing the NIDD APIs on the N33/Nnef reference point.
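As an added illustration of the NEF's authenticate/authorize/throttle and translate/mask roles listed above (example code written for this page, not code from the patent or from any 3GPP implementation): a small NEF front door in Python. It checks the AF's credential, rate-limits the AF, verifies the AF may use the requested service, maps the AF's GPSI and AF-Service-Identifier to the internal SUPI, DNN and S-NSSAI, and rebuilds the external view field by field on the way back so that the SUPI and any other internal data never reach the AF. The identifier tables, the AF token, the rate limit and the JSON field names are constructed assumptions.

```python
import hmac
import time

# Constructed UDM/UDR view: external GPSI <-> internal SUPI; the SUPI never leaves the 5GC.
GPSI_TO_SUPI = {
    "msisdn-491700000001": "imsi-262010000000001",
    "msisdn-491700000002": "imsi-262010000000002",
}
SUPI_TO_GPSI = {supi: gpsi for gpsi, supi in GPSI_TO_SUPI.items()}

# Constructed translation of AF-Service-Identifier <-> internal DNN and S-NSSAI.
AF_SERVICE_TO_5GC = {"uas-c2": {"dnn": "uas.example", "snssai": {"sst": 1, "sd": "000001"}}}
INTERNAL_TO_AF_SERVICE = {("uas.example", 1, "000001"): "uas-c2"}

# Constructed AF registry: bearer token, services the AF may use, requests per minute.
AF_REGISTRY = {"utm-uss-1": {"token": "constructed-token-1", "services": {"uas-c2"}, "rpm": 2}}


class NefError(Exception):
    """Raised for any rejected AF request."""


class NefGateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.recent = {}  # af_id -> timestamps of accepted requests

    def _authenticate(self, af_id, token):
        entry = AF_REGISTRY.get(af_id)
        # Constant-time comparison; an unknown AF and a bad token look the same to the caller.
        if entry is None or not hmac.compare_digest(entry["token"], token):
            raise NefError("unauthorized AF")
        return entry

    def _throttle(self, af_id, entry):
        now = self.clock()
        window = [t for t in self.recent.get(af_id, []) if now - t < 60.0]
        if len(window) >= entry["rpm"]:
            raise NefError("AF throttled")
        window.append(now)
        self.recent[af_id] = window

    def inbound(self, af_id, token, request):
        """AF -> 5GC: authenticate, throttle, authorize the service, translate identifiers."""
        entry = self._authenticate(af_id, token)
        self._throttle(af_id, entry)
        service = request["afServiceId"]
        if service not in entry["services"]:
            raise NefError("AF not authorized for service")
        supi = GPSI_TO_SUPI.get(request["gpsi"])
        if supi is None:
            raise NefError("unknown UE")
        return {"supi": supi, **AF_SERVICE_TO_5GC[service], "event": request["event"]}

    def outbound(self, internal):
        """5GC -> AF: rebuild the external view explicitly; every other internal field is dropped."""
        key = (internal["dnn"], internal["snssai"]["sst"], internal["snssai"]["sd"])
        return {
            "gpsi": SUPI_TO_GPSI[internal["supi"]],
            "afServiceId": INTERNAL_TO_AF_SERVICE[key],
            "event": internal["event"],
        }
```

The outbound direction is an allow-list rather than a deny-list on purpose: a new internal field added to a notification (an AMF instance id, a SUPI-keyed context reference) is masked by default instead of leaking to the AF until someone remembers to filter it.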
- the SUBSCRIBE REQUEST message may comprise an identity of the terminal device 109.
- the identity of the terminal device 109 comprises one of the following: an identity of the UAS that the terminal device 109 belongs to, a Generic Public Subscription Identifier (GPSI) of the terminal device 109, or a Subscription Permanent Identifier (SUPI) of the terminal device 109.
- GPSI Generic Public Subscription Identifier
- SUPI Subscription Permanent Identifier
- the terminal device 109 requests (405) a PDU SESSION ESTABLISHMENT with the AMF 105, the SMF 106, and the UPF 111.
- the PCF 107 provides PCC rules for the terminal device 109 via the SMF 106 to the UPF 111.
- the authentication and authorization procedure 406 for the terminal device 109 is carried out between the terminal device 109 and the UAS/AF and/or the UTM/USS 114.
- Control of access to the UTM/USS 114 can be achieved by using a special Data Network Name (DNN) and/or using a special slice or a pre-defined policy in the UPF 111.
- DNN Data Network Name
- the UAS/AF and/or UTM/USS 114 transmits (407-1) a notification to the NEF 115.
- a network address of the UAS/AF and/or UTM/USS 114 may be stored in the UDM 104 per UE or locally in the NEF 115.
- a network address of the NEF 115 may be pre-configured.
- the UTM/USS 114 may use other techniques (for example, DNS resolution) to receive the network address of the NEF 115.
- the notification indicates a result of the authentication and authorization for the terminal device 109. Accordingly, the NEF 115 receives (407-2) the notification.
- network addresses of the AMF 105, SMF 106 and PCF 107 may be stored in the UDM 104.
- the NEF 115 may look up the UDM 104 to obtain the network addresses of the AMF 105, SMF 106 and PCF 107 and forwards the notification to one or several of these network functions.
- the NEF 115 forwards (408-1) the notification to the AMF 105.
- the AMF 105 receives (408-2) the notification.
- the AMF 105 forwards (409-1) the notification to the UDM 104. Accordingly, the UDM 104 receives (409-2) the notification.
- the AMF 105 forwards (410-1) the notification to the SMF 106. Accordingly, the SMF 106 receives (410-2) the notification.
- the notification comprises the identity of the terminal device 109.
- the notification comprises additional data relevant to the terminal device 109.
- the additional data may comprise at least one of the following: allowed flight paths associated with identities of cells serving the terminal device 109, tracking areas associated with the terminal device 109, an allowed flight altitude for the terminal device 109, an allowed flight speed for the terminal device 109, an allowed mobility behavior for the terminal device 109, or capabilities of the terminal device 109.
- the notification further indicates an association between the terminal device 109 and the fourth device controlling the terminal device 109.
- the notification may indicate an association between a UAV 109 and a UAVC.
- the AMF 105, the SMF 106 and the PCF 107 may store the result locally as part of the context for the terminal device 109.
- the AMF 105, the SMF 106 and the PCF 107 may store the result in an Unstructured Data Storage Function (UDSF).
- UDSF Unstructured Data Storage Function
- the AMF 105, the SMF 106 and the PCF 107 may take appropriate actions based on the result.
- the actions can be pre-configured in the network, or the AF or the UTM/USS 114 may instruct the AMF 105, the SMF 106 and the PCF 107 via the NEF 115 about the actions to be taken, either as part of the notification or in an extra message.
- the AMF 105 may obtain the first policy for mobility management of the terminal device 109 from the PCF 107.
- the AMF 105 may update the policy for communication between the terminal device 109 and the fourth device controlling the terminal device 109 with the first policy.
- the AMF 105 may install the first policy locally so as to update the policy for the communication. This allows the 5GS to set policies and control the message exchange between UAV(s) via the 5G network (e.g. advertisements sent from a UAV to all other UAVs in a vicinity) or between UAVC and UAV.
- the first policy may comprise a paging policy for the terminal device 109 or the fourth device controlling the terminal device 109.
- the paging policy may define paging in certain areas only, or step-wise paging.
- the AMF 105 or the SMF 106 may determine that a PDU session for communication between the terminal device 109 and the UTM/USS 114 is to be established or modified based on the association between the terminal device 109 and the fourth device.
- the AMF 105 or the SMF 106 may configure, based on the association, the UPF 111 to route traffic between the UTM/USS 114 and the terminal device 109. In this way, the routing for Command and Control Communication may be optimized.
- the AMF 105 may terminate a PDU session for communication between the terminal device 109 and the DN 112.
- the SMF 106 may modify a policy in the UPF 111 in such a way that the terminal device 109 only communicates with the UTM/USS 114 or other servers.
- the SMF 106 may install (411) one or more policies specific to the terminal device 109 in the UPF 111. For example, the SMF 106 may install the one or more policies with the help of the PCF 107.
- a network address of the AF or UTM/USS 114 may be stored in the UDM 104 per UE or locally in the NEF 115.
- a network address of the NEF 115 may be obtained from the UDM 104, by looking up the Network Repository Function (NRF), or locally configured in the AMF 105, SMF 106, or PCF 107.
- NRF Network Repository Function
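As an added example of process 400 from step 404 to step 411 (example code written for this page, not the patent's or any 3GPP implementation's code): a Python model in which the AMF subscribes through the NEF to the A&A result for a UE, the UTM/USS later notifies that result, the NEF forwards only a notification that matches a live subscription for the named UE and arrives from the UTM/USS address recorded for that UE, and the AMF, SMF and UPF then apply the actions listed above: store the result and the flight data in the UE context, on success set up the UE-to-UTM/USS session and route C2 traffic to the associated peer, on failure tear down the DN session and leave the UE able to reach only the UTM/USS. The addresses, identifiers, subscription ids and message field names are constructed assumptions; the UPF is reduced to a per-UE first-match filter.

```python
import itertools
from dataclasses import dataclass

UTM_USS_ADDR = "198.51.100.10"  # constructed address of UTM/USS 114
FLIGHT_KEYS = ("allowedFlightPaths", "trackingAreas", "allowedAltitude",
               "allowedSpeed", "allowedMobility", "capabilities")

@dataclass(frozen=True)
class Rule:
    dst: str     # destination address or "any"
    action: str  # "c2" (routed to the UTM/USS or the peer), "forward" or "drop"

class Upf:
    """Per-UE first-match packet filter standing in for the PCC rules in UPF 111."""
    def __init__(self):
        self.rules = {}

    def install(self, ue, rules):
        self.rules[ue] = list(rules)

    def handle(self, ue, dst):
        for rule in self.rules.get(ue, []):
            if rule.dst in ("any", dst):
                return rule.action
        return "drop"  # no rule for this UE: nothing is forwarded

class Smf:
    """Step 411: turn the A&A result into PDU-session state and UPF policy."""
    def __init__(self, upf):
        self.upf, self.sessions = upf, {}

    def establish(self, ue):  # step 405: PDU session towards DN 112
        self.sessions[ue] = {"dn": "active", "utm": None}
        self.upf.install(ue, [Rule("any", "forward")])

    def on_notification(self, n):
        ue, sess = n["ueId"], self.sessions[n["ueId"]]
        if n["result"] == "SUCCESS":
            sess["utm"] = "active"  # PDU session UE <-> UTM/USS
            rules = [Rule(UTM_USS_ADDR, "c2")]
            peer = n.get("association", {}).get("peerAddr")
            if peer:  # C2 between UAV and UAVC is routed through the UPF
                rules.append(Rule(peer, "c2"))
            rules.append(Rule("any", "forward"))
        else:
            sess["dn"] = "terminated"  # failure: session towards the DN is torn down
            rules = [Rule(UTM_USS_ADDR, "c2"), Rule("any", "drop")]  # UTM/USS only
        self.upf.install(ue, rules)
        return rules

class Amf:
    """First device 301 of process 400: subscribes, receives, stores, forwards."""
    def __init__(self, smf, udm_store):
        self.smf, self.udm, self.ctx = smf, udm_store, {}

    def register(self, ue, ue_type):  # steps 401-403
        self.ctx[ue] = {"type": ue_type, "aa": None}

    def on_notification(self, n):  # steps 408-2, 409, 410
        ctx = self.ctx[n["ueId"]]
        ctx["aa"] = n["result"]
        ctx["flight"] = {k: n[k] for k in FLIGHT_KEYS if k in n}
        ctx["association"] = n.get("association")
        self.udm[n["ueId"]] = n["result"]   # step 409: UDM keeps the result too
        return self.smf.on_notification(n)  # step 410

class Nef:
    """Correlates each notification with a live subscription before forwarding it."""
    def __init__(self, af_addr_per_ue):
        self.af_addr = af_addr_per_ue  # UTM/USS address per UE (UDM or local config)
        self.subs, self.ids = {}, itertools.count(1)

    def subscribe(self, ue, target):  # step 404
        sid = f"sub-{next(self.ids)}"
        self.subs[sid] = (ue, target)
        return sid

    def notify(self, sender_addr, n):  # steps 407-408
        sub = self.subs.get(n.get("subscriptionId"))
        if sub is None or sub[0] != n["ueId"]:
            raise PermissionError("no live subscription for this UE")
        if sender_addr != self.af_addr.get(n["ueId"]):
            raise PermissionError("sender is not the UTM/USS recorded for this UE")
        return sub[1].on_notification(n)

def run_process_400(result, association=None):
    smf = Smf(Upf())
    amf = Amf(smf, udm_store={})
    nef = Nef({"gpsi-uav-1": UTM_USS_ADDR})
    amf.register("gpsi-uav-1", "UAV")
    sid = nef.subscribe("gpsi-uav-1", amf)
    smf.establish("gpsi-uav-1")
    n = {"subscriptionId": sid, "ueId": "gpsi-uav-1", "result": result,
         "allowedAltitude": 120, "allowedSpeed": 25}  # constructed notification
    if association:
        n["association"] = association
    nef.notify(UTM_USS_ADDR, n)
    return amf, smf, smf.upf, nef
```

The check in `Nef.notify` is the part worth keeping when the rest is replaced by real SBI plumbing: a notification is an instruction to change a UE's policy, so it must be tied to a subscription the network itself created and to the address the network recorded for that UE, otherwise any reachable AF could "fail" or "pass" an arbitrary UE.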
- the communication process 400 may be equally applicable to other communication scenarios.
- the communication process 400 may be equally applicable to Evolved UMTS Terrestrial Radio Access Network (E-UTRAN) or Evolved Packet Core (EPC) .
- Applicability to E-UTRAN or EPC may be achieved by replacing the UDM 104 with a Home Subscriber Server (HSS), the AMF 105 or the SMF 106 with a Mobility Management Entity (MME), the NEF 115 with a Service Capability Exposure Function (SCEF) and/or MTC-IWF, the UPF 111 with a Packet Data Network Gateway (PGW), and the PCF 107 with a Policy Control and Charging Rules Function (PCRF).
- HSS Home Subscriber Server
- MME Mobility Management Entity
- PCRF Policy Control and Charging Rules Function
- Fig. 5 shows a signaling chart illustrating a process 500 for notifying a device about a result of authentication and authorization for another device in accordance with other example embodiments of the present disclosure.
- the process 500 may involve the UDM 104 in Fig. 1 implementing the first device 301 in Fig. 3, a UTM/USS 114 implementing the second device 302 in Fig. 3, and the terminal device 109 in Fig. 1 implementing the third device.
- the process 500 may also involve the AMF 105, the SMF 106 in Fig. 1 and a NEF 115.
- the communication process 500 will be described with reference to Fig. 1.
- the process 500 is similar to the process 400. However, the process 500 is different from the process 400 in that in the process 500, the UTM/USS 114 transmits the notification to the UDM 104 via the NEF 115.
- the UDM 104 forwards the notification to the AMF 105, and then the AMF 105 forwards the notification to the SMF 106.
- the NEF 115 receives (407-2) the notification from the UTM/USS 114.
- the NEF 115 forwards (503-1) the notification to the UDM 104. Accordingly, the UDM 104 receives (503-2) the notification.
- the UDM 104 forwards (504-1) the notification to the AMF 105. Accordingly, the AMF 105 receives (504-2) the notification.
- the process 500 is also different from the process 400 in that in the process 500, in order to be informed about the result of authentication and authorization, the AMF 105 transmits (501-1) a SUBSCRIBE REQUEST on behalf of the UDM 104 to the UTM/USS 114 and/or UAS/AF (including the address of the UDM 104). Accordingly, the UTM/USS 114 receives (501-2) the SUBSCRIBE REQUEST. Alternatively, the UDM 104 transmits (502-1) a SUBSCRIBE REQUEST directly to the UTM/USS 114 and/or UAS/AF. Accordingly, the UTM/USS 114 receives (502-2) the SUBSCRIBE REQUEST.
- Fig. 6 shows a flowchart of a method 600 for notifying a device about a result of authentication and authorization for another device in accordance with some embodiments of the present disclosure.
- the method 600 may be implemented at the first device.
- the first device receives a notification from a second device.
- the notification indicates a result of authentication and authorization performed by the second device for the third device.
- the first device updates a policy for communication between the third device and a data network based on the result of the authentication and authorization.
- the method 600 further comprises transmitting a subscription request for the result from the first device to the second device.
- the subscription request comprises an identity of the third device.
- the identity of the third device comprises one of the following: an identity of an unmanned aerial system that the third device belongs to, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
- the first device updates the policy for communication by: in accordance with a determination that the result indicates a success of the authentication and authorization, obtaining a first policy for mobility management of the third device, and updating the policy for communication with the first policy.
- the notification further indicates an association between the third device and a fourth device, the third device is controlled by the fourth device or the fourth device is controlled by the third device.
- the method 600 further comprises: in accordance with a determination that the result indicates a success of the authentication and authorization, establishing a first protocol data unit session for communication between the third device and the second device and a second protocol data unit session for communication between the fourth device and the second device based on the association.
- the method 600 further comprises configuring, based on the association, a user plane function device to route traffic between the second device and the third device.
- the method 600 further comprises: in accordance with a determination that the result indicates a failure of the authentication and authorization, terminating a protocol data unit session for communication between the third device and a data network.
- the method 600 further comprises: in accordance with a determination that the result indicates a failure of the authentication and authorization, modifying a policy in a user plane function device to enable the third device to only communicate with the second device.
- the first device receives the notification by receiving the notification via one of the following: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
- the first device comprises an access and mobility management function device.
- the method 600 further comprises forwarding the notification to at least one of the following: a unified data management device, a session management function device, or a policy control function device.
- the first device comprises a unified data management device.
- the method 600 further comprises forwarding the notification to at least one of the following: an access and mobility management function device, a session management function device via the access and mobility management function device, or a policy control function device via the access and mobility management function device.
- the second device comprises an unmanned aerial system traffic management device.
- the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
- the notification further comprises at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the third device, an allowed flight altitude for the third device, an allowed flight speed for the third device, an allowed mobility behavior for the third device, or capabilities of the third device.
- Fig. 7 shows a flowchart of a method 700 for notifying a device about a result of authentication and authorization for another device in accordance with some embodiments of the present disclosure.
- the method 700 may be implemented at the second device.
- the second device performs authentication and authorization for a third device.
- the second device transmits a notification to a first device, the notification indicating a result of the authentication and authorization.
- the method 700 further comprises: receiving a subscription request for the result from the first device, the subscription request comprising an identity of the third device.
- the identity of the third device comprises one of the following: an identity of an unmanned aerial system that the third device belongs to, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
- the notification further indicates an association between the third device and a fourth device, the third device is controlled by the fourth device or the fourth device is controlled by the third device.
- transmitting the notification comprises transmitting the notification via one of the following: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
- the first device comprises an access and mobility management function device or a unified data management device.
- the second device comprises an unmanned aerial system traffic management device.
- the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
- the notification further comprises at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the third device, an allowed flight altitude for the third device, an allowed flight speed for the third device, an allowed mobility behavior for the third device, or capabilities of the third device.
- an apparatus capable of performing any of the method 600 may comprise means for performing the respective steps of the method 600.
- the means may be implemented in any suitable form.
- the means may be implemented in a circuitry or software module.
- the apparatus comprises: means for receiving a notification at a first device from a second device, the notification indicating a result of authentication and authorization performed by the second device for the third device; and means for updating a policy for communication between the third device and a data network based on the result of the authentication and authorization.
- the apparatus further comprises means for transmitting a subscription request for the result from the first device to the second device.
- the subscription request comprises an identity of the third device.
- the identity of the third device comprises one of the following: an identity of an unmanned aerial system that the third device belongs to, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
- the first device updates the policy for communication by: in accordance with a determination that the result indicates a success of the authentication and authorization, obtaining a first policy for mobility management of the third device, and updating the policy for communication with the first policy.
- the notification further indicates an association between the third device and a fourth device, the third device is controlled by the fourth device or the fourth device is controlled by the third device.
- the apparatus further comprises: in accordance with a determination that the result indicates a success of the authentication and authorization, means for establishing a first protocol data unit session for communication between the third device and the second device and a second protocol data unit session for communication between the fourth device and the second device based on the association.
- the apparatus further comprises means for configuring, based on the association, a user plane function device to route traffic between the second device and the third device.
- the apparatus further comprises: in accordance with a determination that the result indicates a failure of the authentication and authorization, means for terminating a protocol data unit session for communication between the third device and a data network.
- the apparatus further comprises: in accordance with a determination that the result indicates a failure of the authentication and authorization, means for modifying a policy in a user plane function device to enable the third device to only communicate with the second device.
- the means for receiving the notification comprises means for receiving the notification via one of the following: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
- the first device comprises an access and mobility management function device.
- the apparatus further comprises means for forwarding the notification to at least one of the following: a unified data management device, a session management function device, or a policy control function device.
- the first device comprises a unified data management device.
- the apparatus further comprises means for forwarding the notification to at least one of the following: an access and mobility management function device, a session management function device via the access and mobility management function device, or a policy control function device via the access and mobility management function device.
- the second device comprises an unmanned aerial system traffic management device.
- the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
- the notification further comprises at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the third device, an allowed flight altitude for the third device, an allowed flight speed for the third device, an allowed mobility behavior for the third device, or capabilities of the third device.
- an apparatus capable of performing any of the method 700 may comprise means for performing the respective steps of the method 700.
- the means may be implemented in any suitable form.
- the means may be implemented in a circuitry or software module.
- the apparatus comprises: means for performing, at a second device, authentication and authorization for a third device; and means for transmitting a notification to a first device, the notification indicating a result of the authentication and authorization.
- the apparatus further comprises: means for receiving a subscription request for the result from the first device, the subscription request comprising an identity of the third device.
- the identity of the third device comprises one of the following: an identity of an unmanned aerial system that the third device belongs to, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
- the notification further indicates an association between the third device and a fourth device, the third device is controlled by the fourth device or the fourth device is controlled by the third device.
- means for transmitting the notification comprises means for transmitting the notification via one of the following: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
- the first device comprises an access and mobility management function device or a unified data management device.
- the second device comprises an unmanned aerial system traffic management device.
- the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
- the notification further comprises at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the third device, an allowed flight altitude for the third device, an allowed flight speed for the third device, an allowed mobility behavior for the third device, or capabilities of the third device.
- Fig. 8 is a simplified block diagram of a device 800 that is suitable for implementing embodiments of the present disclosure.
- the device 800 may be provided to implement the communication device, for example the first device 301, the second device 302, the AMF 105, the UDM 104, the SMF 106 or the PCF 107.
- the device 800 includes one or more processors 810, one or more memories 820 coupled to the processor 810, and one or more communication modules 840 coupled to the processor 810.
- the communication module 840 is for bidirectional communications.
- the communication module 840 has at least one antenna to facilitate communication.
- the communication interface may represent any interface that is necessary for communication with other network elements.
- the processor 810 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
- the device 800 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
- the memory 820 may include one or more non-volatile memories and one or more volatile memories.
- the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 824, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), and other magnetic storage and/or optical storage.
- the volatile memories include, but are not limited to, a random access memory (RAM) 822 and other volatile memories that will not last in the power-down duration.
- a computer program 830 includes computer executable instructions that are executed by the associated processor 810.
- the program 830 may be stored in the ROM 824.
- the processor 810 may perform any suitable actions and processing by loading the program 830 into the RAM 822.
- the embodiments of the present disclosure may be implemented by means of the program 830 so that the device 800 may perform any process of the disclosure as discussed with reference to Figs. 6 to 7.
- the embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
- the program 830 may be tangibly contained in a computer readable medium which may be included in the device 800 (such as in the memory 820) or other storage devices that are accessible by the device 800.
- the device 800 may load the program 830 from the computer readable medium to the RAM 822 for execution.
- the computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like.
- Fig. 9 shows an example of the computer readable medium 900 in form of CD or DVD.
- the computer readable medium has the program 830 stored thereon.
- NFV network functions virtualization
- a virtualized network function may comprise one or more virtual machines running computer program codes using standard or general type servers instead of customized hardware. Cloud computing or data storage may also be utilized.
- in radio communications this may mean node operations to be carried out, at least partly, in a central/centralized unit, CU, (e.g. server, host or node) operationally coupled to a distributed unit, DU, (e.g. a radio head/node). It is also possible that node operations will be distributed among a plurality of servers, nodes or hosts. It should also be understood that the distribution of labour between core network operations and base station operations may vary depending on implementation.
- the server may generate a virtual network through which the server communicates with the distributed unit.
- virtual networking may involve a process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network.
- Such virtual network may provide flexible distribution of operations between the server and the radio head/node.
- any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation.
- a CU-DU architecture is implemented.
- the device 800 may be comprised in a central unit (e.g. a control unit, an edge cloud server, a server) operatively coupled (e.g. via a wireless or wired network) to a distributed unit (e.g. a remote radio head/node).
- the central unit (e.g. an edge cloud server) and the distributed unit may be stand-alone apparatuses communicating with each other via a radio path or via a wired connection. Alternatively, they may be in a same entity communicating via a wired connection, etc.
- the edge cloud or edge cloud server may serve a plurality of distributed units or radio access networks.
- at least some of the described processes may be performed by the central unit.
- the device 800 may be instead comprised in the distributed unit, and at least some of the described processes may be performed by the distributed unit.
- the execution of at least some of the functionalities of the device 800 may be shared between two physically separate devices (DU and CU) forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes.
- CU-DU architecture may provide flexible distribution of operations between the CU and the DU. In practice, any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation.
- the device 800 controls the execution of the processes, regardless of the location of the apparatus and regardless of where the processes/functions are carried out.
- various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
- the present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium.
- the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the method 600 or 700 as described above with reference to Figs. 6-7.
- program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
- the functionality of the program modules may be combined or split between program modules as desired in various embodiments.
- Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
- Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
- the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
- the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above.
- Examples of the carrier include a signal, computer readable medium, and the like.
- the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
- a computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Aviation & Aerospace Engineering (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
- Storage Device Security (AREA)
Abstract
Embodiments of the present disclosure relate to notifying a device about a result of authentication and authorization for another device. A first device receives a notification from a second device. The notification indicates a result of authentication and authorization involving the second device and a third device. The first device also updates policies for communication between the third device and a data network or a fourth device based on the result of the authentication and authorization.
Description
Embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to methods, devices, apparatuses and computer readable media for notifying a network about a result of authentication and authorization of a terminal device.
The 3rd Generation Partnership Project (3GPP) is working on enhancements for control of terminal devices, specifically control of Unmanned Aerial Vehicles (UAV). The enhancements may include identification, authentication, authorization and tracking of the terminal devices. In the control, the following requirements shall be met: tracking the terminal devices, for example, and being able to report to a UAV domain; allowing one terminal device to advertise itself or send data to other terminal devices in a certain area via the 3GPP network; and allowing authentication and authorization with the help of Unmanned Aerial System (UAS) Traffic Management (UTM) or a UAS Service Supplier (USS), which is part of the UTM.
One main problem is the authentication and authorization of a terminal device via the 5G system (5GS). Although it has been proposed that the authentication and authorization may be performed via the 5GS user plane or the 5GS control plane, it should be further studied how the network is notified about a result of the authentication and authorization of a terminal device.
SUMMARY
In general, example embodiments of the present disclosure provide a solution for notifying a device about a result of authentication and authorization for another device.
In a first aspect, there is provided a first device. The first device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the first device to: receive a notification from a second device, the notification indicating a result of authentication and authorization performed by the second device for a third device; and update a policy for communication between the third device and a data network based on the result of the authentication and authorization.
In a second aspect, there is provided a second device. The second device comprises at least one processor; and at least one memory including computer program codes; the at least one memory and the computer program codes are configured to, with the at least one processor, cause the second device to: perform authentication and authorization for a third device; and transmit a notification to a first device, the notification indicating a result of the authentication and authorization.
In a third aspect, there is provided a method implemented at a first device. The method comprises: receiving a notification at a first device from a second device, the notification indicating a result of authentication and authorization performed by the second device for a third device; and updating a policy for communication between the third device and a data network based on the result of the authentication and authorization.
In a fourth aspect, there is provided a method implemented at a second device. The method comprises: performing, at a second device, authentication and authorization for a third device; and transmitting a notification to a first device, the notification indicating a result of the authentication and authorization.
In a fifth aspect, there is provided an apparatus comprising: means for receiving a notification at a first device from a second device, the notification indicating a result of authentication and authorization performed by the second device for a third device; and means for updating a policy for communication between the third device and a data network based on the result of the authentication and authorization.
In a sixth aspect, there is provided an apparatus comprising: means for performing, at a second device, authentication and authorization for a third device; and means for transmitting a notification to a first device, the notification indicating a result of the authentication and authorization.
In a seventh aspect, there is provided a computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the above third or fourth aspect.
It is to be understood that the summary section is not intended to identify key or essential features of embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will become easily comprehensible through the following description.
Some example embodiments will now be described with reference to the accompanying drawings, where:
Fig. 1 shows an example communication network in which embodiments of the present disclosure may be implemented;
Fig. 2 shows a signaling chart illustrating a process for authentication and authorization for a terminal device in accordance with a conventional solution;
Fig. 3 shows a signaling chart illustrating a process for notifying a device about a result of authentication and authorization for another device in accordance with some example embodiments of the present disclosure;
Fig. 4 shows a signaling chart illustrating a process for notifying a device about a result of authentication and authorization for another device in accordance with other example embodiments of the present disclosure;
Fig. 5 shows a signaling chart illustrating a process for notifying a device about a result of authentication and authorization for another device in accordance with still other example embodiments of the present disclosure;
Fig. 6 shows a flowchart of a method for notifying a device about a result of authentication and authorization for another device in accordance with some embodiments of the present disclosure;
Fig. 7 shows a flowchart of a method for notifying a device about a result of authentication and authorization for another device in accordance with other embodiments of the present disclosure;
Fig. 8 illustrates a simplified block diagram of an apparatus that is suitable for implementing some other embodiments of the present disclosure; and
Fig. 9 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
Throughout the drawings, the same or similar reference numerals represent the same or similar element.
Principle of the present disclosure will now be described with reference to some example embodiments. It is to be understood that these embodiments are described only for the purpose of illustration and help those skilled in the art to understand and implement the present disclosure, without suggesting any limitation as to the scope of the disclosure. The disclosure described herein can be implemented in various manners other than the ones described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skills in the art to which this disclosure belongs.
References in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It shall be understood that although the terms “first” and “second” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “has”, “having”, “includes” and/or “including”, when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof.
As used in this application, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable):
(i) a combination of analog and/or digital hardware circuit(s) with software/firmware and
(ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions, and
(c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or a portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
As used herein, the term “communication network” refers to a network following any suitable communication standards, such as fifth generation (5G) systems, Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on. Furthermore, the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation of communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the future fifth generation (5G) new radio (NR) communication protocols, and/or any other protocols either currently known or to be developed in the future. Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned systems.
As used herein, the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom. The network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), an NR Next Generation NodeB (gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, a low power node such as a femto, a pico, and so forth, depending on the applied terminology and technology. A RAN split architecture comprises a gNB-CU (Centralized Unit, hosting RRC, SDAP and PDCP) controlling a plurality of gNB-DUs (Distributed Units, hosting RLC, MAC and PHY). In addition, the term “network device” may also refer to a network function such as the Access and Mobility management Function (AMF), Session Management Function (SMF), User Plane Function (UPF), Unified Data Management (UDM), Policy Control Function (PCF), Network Exposure Function (NEF), Network Slice Selection Function (NSSF), Network Slice-Specific Authentication and Authorization Function (NSSAAF), Network Repository Function (NRF), Unstructured Data Storage Function (UDSF), or Unified Data Repository (UDR).
The term “terminal device” refers to any end device that may be capable of wireless communication. By way of example rather than limitation, a terminal device may also be referred to as a communication device, user equipment (UE), Unmanned Aerial Vehicle (UAV), UAV controller (UAVC), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT). The terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computers, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or automated processing chain context), a consumer electronics device, a device operating on commercial and/or industrial wireless networks, and the like. In the following description, the terms “terminal device”, “communication device”, “terminal”, “UE”, and “UAV” or “UAV controller” may be used interchangeably.
Although the functionalities described herein can be performed, in various example embodiments, in a fixed and/or a wireless network node, in other example embodiments the functionalities may be implemented in a user equipment apparatus (such as a cell phone or tablet computer or laptop computer or desktop computer or mobile IoT device or fixed IoT device). This user equipment apparatus can, for example, be furnished with corresponding capabilities as described in connection with the fixed and/or the wireless network node(s), as appropriate. The user equipment apparatus may be the user equipment and/or a control device, such as a chipset or processor, configured to control the user equipment when installed therein. Examples of such functionalities include the bootstrapping server function and/or the home subscriber server, which may be implemented in the user equipment apparatus by providing the user equipment apparatus with software configured to cause the user equipment apparatus to perform the role of these functions/nodes.
Fig. 1 shows an example communication network 100 in which embodiments of the present disclosure can be implemented. The network 100 comprises a Network Slice-Specific Authentication and Authorization Function (NSSAAF) 101, a Network Slice Selection Function (NSSF) 102, an Authentication Server Function (AUSF) 103, a Unified Data Management (UDM) 104, an Access and Mobility management Function (AMF) 105, a Session Management Function (SMF) 106, a Policy Control Function (PCF) 107, an Application Function (AF) 108, a terminal device 109, a Radio Access Network (RAN) 110, a User Plane Function (UPF) 111, and a data network (DN) 112.
The UDM 104 (also referred to as UDM device 104) may include support for the following functionality: generation of 3GPP authentication credentials, user identification handling (e.g., storage and management of the SUPI for each subscriber in the 5G system), support of de-concealment of the privacy-protected subscription identifier (SUCI), access authorization based on subscription data (e.g., roaming restrictions), UE serving NF registration management (e.g., storing the serving AMF for a UE, storing the serving SMF for a UE's PDU Session), support of service/session continuity, e.g., by keeping the SMF/Data Network Name (DNN) assignment of ongoing sessions, MT-SMS delivery support, lawful intercept functionality (especially in the outbound roaming case where the UDM is the only point of contact for LI), subscription management, SMS management, 5G LAN group management handling, and support of external parameter provisioning (Expected UE Behaviour parameters or Network Configuration parameters).
The AMF 105 (also referred to as AMF device 105) may include the following functionality. Some or all of the AMF 105 functionalities may be supported in a single instance of an AMF: termination of the RAN Control Plane interface (N2), termination of NAS (N1), NAS ciphering and integrity protection, registration management, connection management, reachability management, mobility management, lawful intercept (for AMF events and interface to the LI system), providing transport for SM messages between UE and SMF, transparent proxy for routing SM messages, access authentication, access authorization, providing transport for SMS messages between UE and SMSF, Security Anchor Functionality (SEAF), location services management for regulatory services, providing transport for location services messages between UE and LMF as well as between RAN and LMF, EPS Bearer ID allocation for interworking with EPS, UE mobility event notification, support for Control Plane CIoT 5GS Optimisation, support for User Plane CIoT 5GS Optimisation, provisioning of external parameters (Expected UE Behaviour parameters or Network Configuration parameters), and support for Network Slice-Specific Authentication and Authorization.
The SMF 106 (also referred to as SMF device 106) may include the following functionality. Some or all functionalities of the SMF 106 may be supported in a single instance of an SMF: session management, e.g., session establishment, modification and release, including the tunnel maintained between UPF and AN node; UE IP address allocation & management (including optional authorization), where the UE IP address may be received from a UPF or from an external data network; DHCPv4 (server and client) and DHCPv6 (server and client) functions; functionality to respond to Address Resolution Protocol (ARP) requests and/or IPv6 Neighbour Solicitation requests based on local cache information for the Ethernet PDUs, where the SMF responds to the ARP and/or the IPv6 Neighbour Solicitation request by providing the MAC address corresponding to the IP address sent in the request; selection and control of the UP function, including controlling the UPF to proxy ARP or IPv6 Neighbour Discovery, or to forward all ARP/IPv6 Neighbour Solicitation traffic to the SMF, for Ethernet PDU Sessions; configuring traffic steering at the UPF to route traffic to the proper destination; 5G Virtual Network (VN) group management, e.g., maintaining the topology of the involved PDU Session Anchor (PSA) UPFs, establishing and releasing the N19 tunnels between PSA UPFs, configuring traffic forwarding at the UPF to apply local switching, N6-based forwarding or N19-based forwarding; termination of interfaces towards policy control functions; lawful intercept (for SM events and interface to the LI system); charging data collection and support of charging interfaces, control and coordination of charging data collection at the UPF; termination of SM parts of NAS messages; downlink data notification; initiator of AN-specific SM information, sent via the AMF over N2 to the AN; determining the SSC mode of a session; support for Control Plane CIoT 5GS Optimisation; support of header compression; acting as I-SMF in deployments where an I-SMF can be inserted, removed and relocated; provisioning of external parameters (Expected UE Behaviour parameters or Network Configuration parameters); support of P-CSCF discovery for IMS services; roaming functionality; handling local enforcement to apply QoS SLAs (VPLMN); charging data collection and charging interface (VPLMN); lawful intercept (in the VPLMN for SM events and interface to the LI system); support for interaction with an external DN for transport of signalling for PDU Session authentication/authorization by the external DN; and instructing the UPF and NG-RAN to perform redundant transmission on the N3/N9 interfaces.
The PCF 107 (also referred to as PCF device 107) may include the following functionality: supports a unified policy framework to govern network behaviour; provides policy rules to Control Plane function(s) to enforce them; and accesses subscription information relevant for policy decisions in a Unified Data Repository (UDR).
The AF 108 may support interaction with the 3GPP core network to provide services, such as influencing data routing decisions, policy control functions or providing third-party services to the network.
The UPF 111 (also referred to as UPF device 111) may include the following functionality. Some or all functionalities of the UPF 111 may be supported in a single instance of a UPF: anchor point for intra-/inter-RAT mobility (when applicable); allocation of UE IP address/prefix (if supported) in response to an SMF request; external PDU Session point of interconnect to the Data Network; packet routing & forwarding (e.g., support of an Uplink Classifier to route traffic flows to an instance of a data network, support of a Branching Point to support multi-homed PDU Sessions, support of traffic forwarding within a 5G VN group (UPF local switching, via N6, via N19)); packet inspection (e.g., application detection based on the service data flow template and, in addition, the optional PFDs received from the SMF); User Plane part of policy rule enforcement (e.g., gating, redirection, traffic steering); lawful intercept (UP collection); traffic usage reporting; QoS handling for the user plane, e.g., UL/DL rate enforcement, reflective QoS marking in DL; uplink traffic verification (SDF to QoS Flow mapping); transport level packet marking in the uplink and downlink; downlink packet buffering and downlink data notification triggering; sending and forwarding of one or more “end marker” packets to the source NG-RAN node; functionality to respond to Address Resolution Protocol (ARP) requests and/or IPv6 Neighbour Solicitation requests based on local cache information for the Ethernet PDUs, where the UPF 111 responds to the ARP and/or the IPv6 Neighbour Solicitation request by providing the MAC address corresponding to the IP address sent in the request; packet duplication in the downlink direction and elimination in the uplink direction in the GTP-U layer; TSN Translator (NW-TT) functionality; high latency communication; and ATSSS steering functionality to steer the MA PDU Session traffic.
In addition, the UPF 111 may be responsible for forwarding and receiving user data for the terminal device 109. The UPF 111 can receive user data from the DN 112 and transmit it to the terminal device 109 via the RAN 110. The UPF 111 can also receive user data from the terminal device 109 through the RAN 110 and forward it to the DN 112. The transmission resources and scheduling functions in the UPF 111 that serve the terminal device 109 are managed and controlled by the SMF 106.
It is to be understood that the numbers of network elements and terminal device in the network 100 are only for the purpose of illustration without suggesting any limitations. The network 100 may include any suitable number of network elements and terminal devices adapted for implementing embodiments of the present disclosure.
Communications in the communication network 100 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G) and the fifth generation (5G) and the like, wireless local network communication protocols such as Institute of Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future. Moreover, the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), Discrete Fourier Transform spread OFDM (DFT-s-OFDM) and/or any other technologies currently known or to be developed in the future.
As mentioned above, one main problem is the authentication and authorization of a terminal device via the 5GS. Fig. 2 shows a signaling chart illustrating a process 200 for authentication and authorization for the terminal device 109 in accordance with a conventional solution. In the process 200, the authentication and authorization is performed via 5GS user plane, and the terminal device 109 may comprise a UAV or UAVC.
The terminal device 109 performs a registration (201) to the network. The terminal device 109 requests (202) a PDU Session establishment or the PCF 107 provides PCC rules for the terminal device 109 via the SMF 106 to the UPF 111.
An application on the terminal device 109 starts (203). The terminal device 109 sends (204-1) a request for authentication and authorization to the UAS AF 113 over the user plane. Accordingly, the UAS AF 113 receives (204-2) the request. The UAS AF 113 requests (205) subscription information specific to the terminal device 109 from the UDM 104 and/or the PCF/BSF 107.
The UAS AF 113 checks whether the terminal device 109 has a valid aerial subscription based on the subscription information received from the UDM 104. If the check is successful, the UAS AF 113 determines, based on the subscription information, the UTM/USS 114 serving the terminal device 109 and triggers (206-1) an authentication and authorization (also referred to as A&A) request towards the UTM/USS 114. Accordingly, the UTM/USS 114 receives (206-2) the request. The request can contain an indication about the used mobile operator and the 3GPP identity of the terminal device 109. If the check is unsuccessful, a response is sent to the terminal device 109 to reject the request.
The UTM/USS 114 checks (207) the request for operation of the terminal device 109 from the UAS AF 113 using the combined information from the terminal device 109 and from the mobile network operator of the terminal device 109.
If the result of the check that the terminal device 109 has a valid aerial subscription is successful, the UTM/USS 114 transmits (208-1) an accept response to the UAS AF 113. Accordingly, the UAS AF 113 receives (208-2) the accept response. The response can include information specific to the application on the terminal device 109. For example, the information may include a token to be included for authentication reasons in succeeding application content interactions. If the check is unsuccessful, a response is sent to the UAS AF 113 to reject the request.
The UAS AF 113 forwards (209-1) the response from the UTM/USS 114 to the terminal device 109 as a response to the request for authentication and authorization. Accordingly, the terminal device 109 receives (209-2) the response.
The terminal device 109 triggers a set-up of a secure connection to the UTM/USS 114 using, for example, the token received in the response.
The operation of the terminal device 109 can be handled (211) over the secure connection between the terminal device 109 and the UTM/USS 114.
As can be seen from Fig. 2, the terminal device 109 executes normal 5G registration, establishes a PDU connection and then transmits the request for authentication and authorization to the UAS AF 113. Then, the request is forwarded to UTM/USS 114. The 5G Core Network is not directly involved in the process of authentication and authorization. Thus, the 5G Core Network does not know the result of the authentication and authorization.
However, to support UAS regarding connectivity, identification and tracking, the network (e.g. AMF, gNB) should be aware of whether the terminal device 109 is authorized in the drone domain. That is, the result of the authentication and authorization from the UTM/USS 114 needs to be provided to the 3GPP system providing connectivity.
In order to at least in part solve the above and other potential problems, example embodiments of the present disclosure provide a solution for notifying a device (for example a network device) about a result of authentication and authorization for another device (for example a terminal device). In the solution, a first device receives a notification from a second device. The notification indicates a result of authentication and authorization performed by the second device for a third device. In turn, the first device updates a policy for communication between the third device and a Data Network based on the result. The solution allows the 5GS to set policies and control the message exchange between UAV(s) via the 5G network (e.g. advertisements sent from a UAV to all other UAVs in a vicinity) or between UAVC and UAV.
Principle and implementations of the present disclosure will be described in detail below with reference to Figs. 3 to 5. Fig. 3 shows a signaling chart illustrating a process 300 for notifying a device about a result of authentication and authorization for another device in accordance with some example embodiments of the present disclosure.
A second device 302 performs (310) authentication and authorization for a third device.
Upon completion of the authentication and authorization, the second device 302 transmits (320) a notification to a first device 301. Accordingly, the first device 301 receives (330) the notification from the second device 302. The notification indicates a result of the authentication and authorization.
The first device 301 updates (340) a policy for communication between the third device and a DN based on the result.
In some example embodiments, the notification comprises an identity of the third device. In order to receive the result of the authentication and authorization, the first device 301 may transmit a subscription request for the result to the second device 302. The subscription request comprises the identity of the third device.
In some example embodiments, the first device 301 may determine whether the result indicates a success of the authentication and authorization. If the result indicates a success of the authentication and authorization, the first device 301 may obtain a first policy for mobility management of the third device and update the policy for communication with the first policy. In some example embodiments, the first device 301 may install the first policy locally so as to update the policy for communication.
In some example embodiments, the notification further indicates an association between the third device and a fourth device. The third device is controlled by the fourth device or the fourth device is controlled by the third device. In some example embodiments, the third device comprises the terminal device 109 in Fig. 1. In some example embodiments, the third device comprises a UAV and the fourth device comprises a UAVC. Alternatively, the third device comprises the UAVC and the fourth device comprises the UAV.
In some example embodiments, if the result indicates the success of the authentication and authorization, the first device 301 establishes, based on the association between the third device and the fourth device, a Packet Data Unit (PDU) session for communication between the third device and the fourth device.
In some example embodiments, if the result indicates the success of the authentication and authorization, the first device 301 configures, based on the association between the third device and the fourth device, the UPF device 111 to route traffic between the second device 302 and the third device.
In some example embodiments, if the result indicates a failure of the authentication and authorization, the first device 301 terminates a PDU session for communication between the third device and a DN.
In some example embodiments, if the result indicates the failure of the authentication and authorization, the first device 301 modifies a policy in the UPF device 111 to enable the third device to only communicate with the second device 302.
In some example embodiments, the first device 301 may receive the notification via a Network Exposure Function (NEF) device, which will be described below with reference to Figs. 4 and 5.
In some example embodiments, the first device 301 may receive the notification via a Service Capability Exposure Function (SCEF) device, or a Machine Type Communication Interworking Function (MTC-IWF) device.
In some example embodiments, the first device 301 comprises the AMF device 105. Upon receiving the notification, the first device 301 forwards the notification to at least one of the following: the UDM device 104, the SMF device 105, or a Policy Control Function device, which will be described below with reference to Fig. 4.
Fig. 4 shows a signaling chart illustrating a process 400 for notifying a device about a result of authentication and authorization for another device in accordance with other example embodiments of the present disclosure. As shown in Fig. 4, the process 400 may involve the AMF 105 in Fig. 1 implementing the first device 301 in Fig. 3, a UTM/USS 114 implementing the second device 302 in Fig. 3, and the terminal device 109 in Fig. 1 implementing the third device. In addition, the process 400 may also involve the UDM 104, the SMF 106 in Fig. 1 and a NEF 115. For the purpose of discussion, the communication process 400 will be described with reference to Fig. 1.
The terminal device 109 transmits (401-1) a REGISTRATION REQUEST message to the AMF 105. Accordingly, the AMF 105 receives (401-2) the REGISTRATION REQUEST.
In some example embodiments, the REGISTRATION REQUEST may optionally comprise an indication of a type of the terminal device 109. For example, in the case where the terminal device 109 is a UAV, the message may comprise an indication indicating that the terminal device 109 is a UAV. In the case where the terminal device 109 is a UAVC, the message may comprise an indication indicating that the terminal device 109 is a UAVC.
In some example embodiments, the indication of the type of the terminal device 109 may be provided by the terminal device 109 using e.g. a NAS signaling or stored in the UDM 104.
The AMF 105 obtains (402) subscriber data from the UDM 104 and the AMF 105 executes an IMEI check. In some example embodiments, the subscriber data may include the indication of the type of the terminal device 109. In some example embodiments, the subscriber data may include an identity of a UAS that the terminal device 109 belongs to.
The AMF 105 transmits (403-1) a REGISTRATION ACCEPT message to the terminal device 109. The message may optionally comprise the indication of the type of the terminal device 109. Accordingly, the terminal device 109 receives (403-2) the REGISTRATION ACCEPT message.
The AMF 105 optionally transmits (404-1) a SUBSCRIBE REQUEST to the UTM/USS 114 and/or UAS/AF (not shown) to be informed about the result of authentication and authorization for the terminal device 109. The AMF 105 may transmit the SUBSCRIBE REQUEST directly to the UTM/USS 114 and/or UAS/AF. Alternatively, the AMF 105 may transmit the SUBSCRIBE REQUEST to the UTM/USS 114 and/or UAS/AF via the NEF 115. Accordingly, the UTM/USS 114 receives (404-2) the SUBSCRIBE REQUEST.
In some example embodiments, the NEF 115 may support exposure of capabilities and events. For example, NF capabilities and events may be securely exposed by the NEF 115 for e.g. 3rd parties, Application Functions and Edge Computing. The NEF 115 stores/retrieves information as structured data using a standardized interface (Nudr) to the Unified Data Repository (UDR).
The NEF 115 may support secure provision of information from external application to 3GPP network. For example, the NEF 115 provides a means for the Application Functions to securely provide information to 3GPP network, e.g. Expected UE Behaviour, 5GLAN group information and service specific information. In that case the NEF 115 may authenticate and authorize and assist in throttling the Application Functions.
The NEF 115 may support translation of internal-external information. For example, the NEF 115 translates between information exchanged with the AF and information exchanged with the internal network function. For example, the NEF 115 translates between an AF-Service-Identifier and internal 5G Core information such as DNN, S-NSSAI. In particular, the NEF 115 handles masking of network and user sensitive information to external AF's according to the network policy.
The NEF 115 may receive information from other network functions (based on exposed capabilities of other network functions). The NEF 115 may store the received information as structured data using a standardized interface to a Unified Data Repository (UDR). The stored information can be accessed and "re-exposed" by the NEF 115 to other network functions and Application Functions, and used for other purposes such as analytics.
The NEF 115 may also support a PFD Function. The PFD Function in the NEF 115 may store and retrieve PFD(s) in the UDR and shall provide PFD(s) to the SMF on the request of the SMF (pull mode) or on the request of PFD management from the NEF (push mode).
The NEF 115 may also support a 5GLAN Group Management Function. The 5GLAN Group Management Function in the NEF may store the 5GLAN group information in the UDR via UDM.
The NEF 115 may also support exposure of analytics. NWDAF analytics may be securely exposed by NEF for external party.
The NEF 115 may also support retrieval of data from external party by NWDAF. Data provided by the external party may be collected by NWDAF via the NEF 115 for analytics generation purpose. The NEF 115 handles and forwards requests and notifications between NWDAF and AF.
The NEF 115 may also support Non-IP Data Delivery. The NEF 115 provides a means for management of NIDD configuration and delivery of MO/MT unstructured data by exposing the NIDD APIs on the N33/Nnef reference point.
In some example embodiments, the SUBSCRIBE REQUEST message may comprise an identity of the terminal device 109.
In some example embodiments, the identity of the terminal device 109 comprises one of the following: an identity of the UAS that the terminal device 109 belongs to, a Generic Public Subscription Identifier (GPSI) of the terminal device 109, or a Subscription Permanent Identifier (SUPI) of the terminal device 109.
The terminal device 109 requests (405) a PDU SESSION ESTABLISHMENT with the AMF 105, the SMF 106, and the UPF 111. The PCF 107 provides PCC rules for the terminal device 109 via the SMF 106 to the UPF 111.
The authentication and authorization procedure 406 for the terminal device 109 is exchanged between the terminal device 109 and the UAS/AF and/or the UTM/USS 114. Control of access to the UTM/USS 114 can be achieved by using a special Data Network Name (DNN) and/or using a special slice or a pre-defined policy in the UPF 111.
The UAS/AF and/or UTM/USS 114 transmits (407-1) a notification to the NEF 115. A network address of the UAS/AF and/or UTM/USS 114 may be stored in the UDM 104 per UE or locally in the NEF 115. A network address of the NEF 115 may be pre-configured. Alternatively, the UTM/USS 114 may use other techniques (for example, DNS resolution) to receive the network address of the NEF 115. The notification indicates a result of the authentication and authorization for the terminal device 109. Accordingly, the NEF 115 receives (407-2) the notification.
In some example embodiments, network addresses of the AMF 105, SMF 106 and PCF 107 may be stored in the UDM 104. Thus, the NEF 115 may look up the UDM 104 to obtain the network addresses of the AMF 105, SMF 106 and PCF 107 and forwards the notification to one or several of these network functions. In the process 400, the NEF 115 forwards (408-1) the notification to the AMF 105. Accordingly, the AMF 105 receives (408-2) the notification.
The AMF 105 forwards (409-1) the notification to the UDM 104. Accordingly, the UDM 104 receives (409-2) the notification.
The AMF 105 forwards (410-1) the notification to the SMF 106. Accordingly, the SMF 106 receives (410-2) the notification.
In some example embodiments, the notification comprises the identity of the terminal device 109.
In some example embodiments, the notification comprises additional data relevant to the terminal device 109. In some example embodiments, the additional data may comprise at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the terminal device 109, an allowed flight altitude for the terminal device 109, an allowed flight speed for the terminal device 109, an allowed mobility behavior for the terminal device 109, or capabilities of the terminal device 109.
In some example embodiments, the notification further indicates an association between the terminal device 109 and the fourth device controlling the terminal device 109. For example, the notification may indicate an association between a UAV 109 and a UAVC.
Upon receiving the notification, the AMF 105, the SMF 106 and the PCF 107 may store the result locally as part of the context for the terminal device 109. Alternatively, the AMF 105, the SMF 106 and the PCF 107 may store the result in an Unstructured Data Storage Function (UDSF).
In addition, upon receiving the notification, the AMF 105, the SMF 106 and the PCF 107 may take appropriate actions based on the result.
In some example embodiments, the actions can be pre-configured in the network or the AF or the UTM/USS 114 may instruct the AMF 105, the SMF 106 and the PCF 107 via the NEF 115 about the actions to be taken, either as part of the notification or in an extra message.
In some example embodiments, if the result indicates a success of the authentication and authorization, the AMF 105 may obtain the first policy for mobility management of the terminal device 109 from the PCF 111. The AMF 105 may update the policy for communication between the terminal device 109 and the fourth device controlling the terminal device 109 with the first policy. In some example embodiments, the first device 301 may install the first policy locally so as to update the policy for the communication. This allows the 5GS to set policies and control the message exchange between UAV(s) via the 5G network (e.g. advertisements sent from a UAV to all other UAVs in a vicinity) or between UAVC and UAV.
In some example embodiments, the first policy may comprise a paging policy for the terminal device 109 or the fourth device controlling the terminal device 109. For example, the paging policy may define paging in certain areas only, or step-wise paging.
In some example embodiments, if the result indicates a success of the authentication and authorization, the AMF 105 or the SMF 106 may determine that a PDU session for communication between the terminal device 109 and the UTM/USS 114 is to be established or modified based on the association between the terminal device 109 and the fourth device.
In some example embodiments, if the result indicates a failure of the authentication and authorization, the AMF 105 or the SMF 106 may configure, based on the association, the UPF 111 to route traffic between the UTM/USS 114 and the terminal device 109. In this way, the routing for Command and Control Communication may be optimized.
In some example embodiments, if the result indicates a failure of the authentication and authorization, the AMF 105 may terminate a PDU session for communication between the terminal device 109 and the DN 112.
In some example embodiments, if the result indicates a failure of the authentication and authorization, the SMF 106 may modify a policy in the UPF 111 in such a way that the terminal device 109 only communicates with the UTM/USS 114 or other servers.
In some example embodiments, if the result indicates a failure of the authentication and authorization, the SMF 106 may install (411) one or more policies specific to the terminal device 109 in the UPF 111. For example, the SMF 106 may install the one or more policies with the help of the PCF 107.
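The following is an added example, not code from the patent or from any 3GPP implementation: a small Python model of the first device's handling of the notification as described for process 300 and process 400 (subscribe for the result, store it in the UE context, forward to UDM and SMF, then install a mobility policy on success or terminate the DN session and confine the UE to the UTM/USS on failure). All identifiers, message field names, the `utm.example` address and the rule that a notification without a matching subscription is ignored are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class AAResult(Enum):
    SUCCESS = "success"
    FAILURE = "failure"


@dataclass(frozen=True)
class Notification:
    """Step 407/408 notification as modelled here (field names are assumptions)."""
    ue_id: str                            # UAS identity, GPSI or SUPI of the UE
    result: AAResult
    associated_id: Optional[str] = None   # UAVC paired with this UAV, or vice versa
    allowed_altitude_m: Optional[int] = None
    allowed_speed_mps: Optional[int] = None


@dataclass
class UeContext:
    ue_id: str
    ue_type: str                                         # "UAV" or "UAVC"
    pdu_sessions: Set[str] = field(default_factory=set)  # DNNs with an active session
    upf_allowed_peers: Optional[Set[str]] = None         # None: no UE-specific restriction
    mobility_policy: Optional[Dict[str, str]] = None
    aa_result: Optional[AAResult] = None
    association: Optional[str] = None
    flight_limits: Dict[str, int] = field(default_factory=dict)


class Amf:
    """Models the AMF side of process 400: subscribe (404), receive (408), act (409-411)."""

    def __init__(self, utm_address: str, pcf: Callable[[str], Dict[str, str]]):
        self.utm_address = utm_address   # address of the UTM/USS (constructed value)
        self.pcf = pcf                   # stands in for the PCF: ue_id -> mobility policy
        self.contexts: Dict[str, UeContext] = {}
        self.subscriptions: Set[str] = set()
        self.forwarded: List[Tuple[str, Notification]] = []   # (destination NF, notification)

    def register(self, ue_id: str, ue_type: str) -> None:
        # Steps 401-403: registration creates the UE context (IMEI/subscriber checks omitted)
        self.contexts[ue_id] = UeContext(ue_id=ue_id, ue_type=ue_type)

    def subscribe(self, ue_id: str) -> Dict[str, str]:
        # Step 404: SUBSCRIBE REQUEST carrying the identity of the UE
        self.subscriptions.add(ue_id)
        return {"type": "SUBSCRIBE REQUEST", "ue_id": ue_id}

    def establish_pdu_session(self, ue_id: str, dnn: str) -> None:
        # Step 405: PDU session towards a DN (SMF/UPF interaction collapsed into one call)
        self.contexts[ue_id].pdu_sessions.add(dnn)

    def on_notification(self, n: Notification, dn_dnn: str = "internet") -> List[str]:
        """Step 408-2 onwards. Returns the list of actions taken, for inspection."""
        actions: List[str] = []
        # Assumption: a result for a UE that is not registered, or that the AMF never
        # subscribed for, is ignored rather than acted on.
        ctx = self.contexts.get(n.ue_id)
        if ctx is None or n.ue_id not in self.subscriptions:
            actions.append("ignored: no matching subscription/context")
            return actions
        # Store the result and the additional data as part of the UE context
        ctx.aa_result = n.result
        ctx.association = n.associated_id
        for name in ("allowed_altitude_m", "allowed_speed_mps"):
            value = getattr(n, name)
            if value is not None:
                ctx.flight_limits[name] = value
        # Steps 409/410: forward the notification to the UDM and the SMF
        self.forwarded.append(("UDM", n))
        self.forwarded.append(("SMF", n))
        actions.append("forwarded to UDM and SMF")
        if n.result is AAResult.SUCCESS:
            # Obtain the mobility-management policy (e.g. paging policy) and install it locally
            ctx.mobility_policy = self.pcf(n.ue_id)
            actions.append("installed mobility policy")
            if n.associated_id is not None:
                actions.append(f"pdu session for C2 with {n.associated_id} to be established")
        else:
            # Terminate the session to the DN and confine the UE to the UTM/USS in the UPF
            if dn_dnn in ctx.pdu_sessions:
                ctx.pdu_sessions.discard(dn_dnn)
                actions.append(f"terminated pdu session to {dn_dnn}")
            ctx.upf_allowed_peers = {self.utm_address}
            actions.append("upf policy: utm/uss only")
        return actions


def demo() -> Dict[str, UeContext]:
    """Runs one success and one failure case on constructed identities."""
    amf = Amf(utm_address="utm.example", pcf=lambda ue: {"paging": "step-wise"})
    for ue in ("gpsi-uav-1", "gpsi-uav-2"):
        amf.register(ue, "UAV")
        amf.subscribe(ue)
        amf.establish_pdu_session(ue, "internet")
        amf.establish_pdu_session(ue, "uas-dnn")
    amf.on_notification(Notification("gpsi-uav-1", AAResult.SUCCESS,
                                     associated_id="gpsi-uavc-1", allowed_altitude_m=120))
    amf.on_notification(Notification("gpsi-uav-2", AAResult.FAILURE))
    return amf.contexts
```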
In some example embodiments, a network address of the AF or UTM/USS 114 may be stored in the UDM 104 per UE or locally in the NEF 115. A network address of the NEF 115 may be obtained from the UDM 104, by looking it up in the Network Repository Function (NRF), or may be locally configured in the AMF 105, SMF 106, or PCF 107.
It would be appreciated that the communication process 400 may be equally applicable to other communication scenarios. For example, the communication process 400 may be equally applicable to Evolved UMTS Terrestrial Radio Access Network (E-UTRAN) or Evolved Packet Core (EPC). Applicability to E-UTRAN or EPC may be achieved by replacing the UDM 104 with a Home Subscriber Server (HSS), the AMF 105 or the SMF 106 with a Mobility Management Entity (MME), the NEF 115 with a Service Capability Exposure Function (SCEF) and/or MTC-IWF, the UPF 111 with a Packet Data Network Gateway (PGW), and the PCF 107 with a Policy Control and Charging Rules Function (PCRF).
Fig. 5 shows a signaling chart illustrating a process 500 for notifying a device about a result of authentication and authorization for another device in accordance with other example embodiments of the present disclosure. As shown in Fig. 5, the process 500 may involve the UDM 104 in Fig. 1 implementing the first device 301 in Fig. 3, a UTM/USS 114 implementing the second device 302 in Fig. 3, and the terminal device 109 in Fig. 1 implementing the third device. In addition, the process 500 may also involve the AMF 105, the SMF 106 in Fig. 1 and a NEF 115. For the purpose of discussion, the communication process 500 will be described with reference to Fig. 1.
In summary, the process 500 is similar to the process 400. However, the process 500 is different from the process 400 in that in the process 500, the UTM/USS 114 transmits the notification to the UDM 104 via the NEF 115. The UDM 104 forwards the notification to the AMF 105, and then the AMF 105 forwards the notification to the SMF 106. Specifically, the NEF 115 receives (407-2) the notification from the UTM/USS 114. The NEF 115 forwards (503-1) the notification to the UDM 104. Accordingly, the UDM 104 receives (503-2) the notification. The UDM 104 forwards (504-1) the notification to the AMF 105. Accordingly, the AMF 105 receives (504-2) the notification.
The process 500 is also different from the process 400 in that in the process 500, in order to be informed about the result of authentication and authorization, the AMF 105 transmits (501-1) a SUBSCRIBE REQUEST on behalf of the UDM 104 to the UTM/USS 114 and/or UAS/AF (including the address of the UDM 104). Accordingly, the UTM/USS 114 receives (501-2) the SUBSCRIBE REQUEST. Alternatively, the UDM 104 transmits (502-1) a SUBSCRIBE REQUEST directly to the UTM/USS 114 and/or UAS/AF. Accordingly, the UTM/USS 114 receives (502-2) the SUBSCRIBE REQUEST.
Fig. 6 shows a flowchart of a method 600 for notifying a device about a result of authentication and authorization for another device in accordance with some embodiments of the present disclosure. The method 600 may be implemented at the first device.
At block 610, the first device receives a notification from a second device. The notification indicates a result of authentication and authorization performed by the second device for the third device.
At block 620, the first device updates a policy for communication between the third device and a data network based on the result of the authentication and authorization.
In some example embodiments, the method 600 further comprises transmitting a subscription request for the result from the first device to the second device. The subscription request comprises an identity of the third device.
In some example embodiments, the identity of the third device comprises one of the following: an identity of an unmanned aerial system that the third device belongs to, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
In some example embodiments, the first device updates the policy for communication by: in accordance with a determination that the result indicates a success of the authentication and authorization, obtaining a first policy for mobility management of the third device, and updating the policy for communication with the first policy.
In some example embodiments, the notification further indicates an association between the third device and a fourth device, the third device is controlled by the fourth device or the fourth device is controlled by the third device.
In some example embodiments, the method 600 further comprises: in accordance with a determination that the result indicates a success of the authentication and authorization, establishing a first packet data unit session for communication between the third device and the second device and a second packet data unit session for communication between the fourth device and the second device based on the association.
In some example embodiments, the method 600 further comprises configuring, based on the association, a user plane function device to route traffic between the second device and the third device.
In some example embodiments, the method 600 further comprises: in accordance with a determination that the result indicates a failure of the authentication and authorization, terminating a packet data unit session for communication between the third device and a data network.
In some example embodiments, the method 600 further comprises: in accordance with a determination that the result indicates a failure of the authentication and authorization, modifying a policy in a user plane function device to enable the third device to only communicate with the second device.
In some example embodiments, the first device receives the notification by receiving the notification via one of the following: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
In some example embodiments, the first device comprises an Access and Mobility management Function device, and the method 600 further comprises forwarding the notification to at least one of the following: a unified data management device, a session management function device, or a policy control function device.
In some example embodiments, the first device comprises a unified data management device, and the method 600 further comprises forwarding the notification to at least one of the following: an access and mobility management function device, a session management function device via the access and mobility management function device, or a policy control function device via the access and mobility management function device.
In some example embodiments, the second device comprises an unmanned aerial system traffic management device, and the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
In some example embodiments, the notification further comprises at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the third device, an allowed flight altitude for the third device, an allowed flight speed for the third device, an allowed mobility behavior for the third device, or capabilities of the third device.
Fig. 7 shows a flowchart of a method 700 for notifying a device about a result of authentication and authorization for another device in accordance with some embodiments of the present disclosure. The method 700 may be implemented at the second device.
At block 710, the second device performs authentication and authorization for a third device.
At block 720, the second device transmits a notification to a first device, the notification indicating a result of the authentication and authorization.
In some example embodiments, the method 700 further comprises: receiving a subscription request for the result from the first device, the subscription request comprising an identity of the third device.
In some example embodiments, the identity of the third device comprises one of the following: an identity of an unmanned aerial system that the third device belongs to, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
In some example embodiments, the notification further indicates an association between the third device and a fourth device, the third device is controlled by the fourth device or the fourth device is controlled by the third device.
In some example embodiments, transmitting the notification comprises transmitting the notification via one of the following: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
In some example embodiments, the first device comprises an access and mobility management function device or a unified data management device, the second device comprises an unmanned aerial system traffic management device, and the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
In some example embodiments, the notification further comprises at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the third device, an allowed flight altitude for the third device, an allowed flight speed for the third device, an allowed mobility behavior for the third device, or capabilities of the third device.
In some example embodiments, an apparatus capable of performing the method 600 (for example, the first device) may comprise means for performing the respective steps of the method 600. The means may be implemented in any suitable form. For example, the means may be implemented in circuitry or in a software module.
In some example embodiments, the apparatus comprises: means for receiving a notification at a first device from a second device, the notification indicating a result of authentication and authorization performed by the second device for the third device; and means for updating a policy for communication between the third device and a data network based on the result of the authentication and authorization.
In some example embodiments, the apparatus further comprises means for transmitting a subscription request for the result from the first device to the second device. The subscription request comprises an identity of the third device.
In some example embodiments, the identity of the third device comprises one of the following: an identity of an unmanned aerial system that the third device belongs to, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
In some example embodiments, the first device updates the policy for communication by: in accordance with a determination that the result indicates a success of the authentication and authorization, obtaining a first policy for mobility management of the third device, and updating the policy for communication with the first policy.
In some example embodiments, the notification further indicates an association between the third device and a fourth device, the third device is controlled by the fourth device or the fourth device is controlled by the third device.
In some example embodiments, the apparatus further comprises: in accordance with a determination that the result indicates a success of the authentication and authorization, means for establishing a first packet data unit session for communication between the third device and the second device and a second packet data unit session for communication between the fourth device and the second device based on the association.
In some example embodiments, the apparatus further comprises means for configuring, based on the association, a user plane function device to route traffic between the second device and the third device.
In some example embodiments, the apparatus further comprises: in accordance with a determination that the result indicates a failure of the authentication and authorization, means for terminating a packet data unit session for communication between the third device and a data network.
In some example embodiments, the apparatus further comprises: in accordance with a determination that the result indicates a failure of the authentication and authorization, means for modifying a policy in a user plane function device to enable the third device to only communicate with the second device.
In some example embodiments, the means for receiving the notification comprises means for receiving the notification via one of the following: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
In some example embodiments, the first device comprises an Access and Mobility management Function device, and the apparatus further comprises means for forwarding the notification to at least one of the following: a unified data management device, a session management function device, or a policy control function device.
In some example embodiments, the first device comprises a unified data management device, and the apparatus further comprises means for forwarding the notification to at least one of the following: an access and mobility management function device, a session management function device via the access and mobility management function device, or a policy control function device via the access and mobility management function device.
In some example embodiments, the second device comprises an unmanned aerial system traffic management device, and the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
In some example embodiments, the notification further comprises at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the third device, an allowed flight altitude for the third device, an allowed flight speed for the third device, an allowed mobility behavior for the third device, or capabilities of the third device.
In some example embodiments, an apparatus capable of performing the method 700 (for example, the second device) may comprise means for performing the respective steps of the method 700. The means may be implemented in any suitable form. For example, the means may be implemented in circuitry or in a software module.
In some example embodiments, the apparatus comprises: means for performing, at a second device, authentication and authorization for a third device; and means for transmitting a notification to a first device, the notification indicating a result of the authentication and authorization.
In some example embodiments, the apparatus further comprises: means for receiving a subscription request for the result from the first device, the subscription request comprising an identity of the third device.
In some example embodiments, the identity of the third device comprises one of the following: an identity of an unmanned aerial system that the third device belongs to, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
In some example embodiments, the notification further indicates an association between the third device and a fourth device, wherein the third device is controlled by the fourth device or the fourth device is controlled by the third device.
In some example embodiments, means for transmitting the notification comprises means for transmitting the notification via one of the following: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
In some example embodiments, the first device comprises an access and mobility management function device or a unified data management device, the second device comprises an unmanned aerial system traffic management device, and the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
In some example embodiments, the notification further comprises at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the third device, an allowed flight altitude for the third device, an allowed flight speed for the third device, an allowed mobility behavior for the third device, or capabilities of the third device.
Fig. 8 is a simplified block diagram of a device 800 that is suitable for implementing embodiments of the present disclosure. The device 800 may be provided to implement the communication device, for example the first device 301, the second device 302, the AMF 105, the UDM 104, the SMF 106 or the PCF 107. As shown, the device 800 includes one or more processors 810, one or more memories 820 coupled to the processor 810, and one or more communication modules 840 coupled to the processor 810.
The communication module 840 is for bidirectional communications. The communication module 840 has at least one antenna to facilitate communication. The communication module 840 may represent any interface that is necessary for communication with other network elements.
The processor 810 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 800 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
The memory 820 may include one or more non-volatile memories and one or more volatile memories. Examples of the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 824, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), and other magnetic storage and/or optical storage. Examples of the volatile memories include, but are not limited to, a random access memory (RAM) 822 and other volatile memories that do not retain their contents while power is removed.
A computer program 830 includes computer executable instructions that are executed by the associated processor 810. The program 830 may be stored in the ROM 824. The processor 810 may perform any suitable actions and processing by loading the program 830 into the RAM 822.
The embodiments of the present disclosure may be implemented by means of the program 830 so that the device 800 may perform any process of the disclosure as discussed with reference to Figs. 6 to 7. The embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
In some embodiments, the program 830 may be tangibly contained in a computer readable medium which may be included in the device 800 (such as in the memory 820) or other storage devices that are accessible by the device 800. The device 800 may load the program 830 from the computer readable medium to the RAM 822 for execution. The computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like. Fig. 9 shows an example of the computer readable medium 900 in the form of a CD or DVD. The computer readable medium has the program 830 stored thereon.
It should be appreciated that future networks may utilize network functions virtualization (NFV), which is a network architecture concept that proposes virtualizing network node functions into "building blocks" or entities that may be operationally connected or linked together to provide services. A virtualized network function (VNF) may comprise one or more virtual machines running computer program codes using standard or general type servers instead of customized hardware. Cloud computing or data storage may also be utilized. In radio communications, this may mean node operations to be carried out, at least partly, in a central/centralized unit, CU, (e.g. server, host or node) operationally coupled to a distributed unit, DU, (e.g. a radio head/node). It is also possible that node operations will be distributed among a plurality of servers, nodes or hosts. It should also be understood that the distribution of labour between core network operations and base station operations may vary depending on implementation.
In an embodiment, the server may generate a virtual network through which the server communicates with the distributed unit. In general, virtual networking may involve a process of combining hardware and software network resources and network functionality into a single, software-based administrative entity, a virtual network. Such virtual network may provide flexible distribution of operations between the server and the radio head/node. In practice, any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation.
Therefore, in an embodiment, a CU-DU architecture is implemented. In such case the device 800 may be comprised in a central unit (e.g. a control unit, an edge cloud server, a server) operatively coupled (e.g. via a wireless or wired network) to a distributed unit (e.g. a remote radio head/node). That is, the central unit (e.g. an edge cloud server) and the distributed unit may be stand-alone apparatuses communicating with each other via a radio path or via a wired connection. Alternatively, they may be in a same entity communicating via a wired connection, etc. The edge cloud or edge cloud server may serve a plurality of distributed units or radio access networks. In an embodiment, at least some of the described processes may be performed by the central unit. In another embodiment, the device 800 may instead be comprised in the distributed unit, and at least some of the described processes may be performed by the distributed unit.
In an embodiment, the execution of at least some of the functionalities of the device 800 may be shared between two physically separate devices (DU and CU) forming one operational entity. Therefore, the apparatus may be seen to depict the operational entity comprising one or more physically separate devices for executing at least some of the described processes. In an embodiment, such CU-DU architecture may provide flexible distribution of operations between the CU and the DU. In practice, any digital signal processing task may be performed in either the CU or the DU and the boundary where the responsibility is shifted between the CU and the DU may be selected according to implementation. In an embodiment, the device 800 controls the execution of the processes, regardless of the location of the apparatus and regardless of where the processes/functions are carried out.
Generally, various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium. The computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the method 600 or 700 as described above with reference to Figs. 6-7. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various embodiments. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented. The program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present disclosure, the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above. Examples of the carrier include a signal, computer readable medium, and the like.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.
Although the present disclosure has been described in language specific to structural features and/or methodological acts, it is to be understood that the present disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
Claims (30)
1. A first device, comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the first device to: receive a notification from a second device, the notification indicating a result of authentication and authorization performed involving the second device and a third device; and update policies for communication between the third device and a data network or between the third device and a fourth device based on the result of the authentication and authorization.
2. The first device of claim 1, wherein the first device is further caused to: transmit a subscription request for the result of the authentication and authorization of the third device to the second device, the subscription request comprising an identity of the third device.
3. The first device of claim 1, wherein the notification further comprises one of the following: an identity of the third device, an identity of an unmanned aerial system that the third device belongs to, an identity of a group of unmanned aerial systems one of which the third device belongs to, or information derived from the unmanned aerial system that the third device belongs to.
4. The first device of claim 2 or 3, wherein the identity of the third device comprises one of the following: an identity of an unmanned aerial system that the third device belongs to, an identity which can uniquely identify the third device within an unmanned aerial system, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
5. The first device of claim 1, wherein the first device is caused to update the policy for communication by: in accordance with a determination that the result indicates a success of the authentication and authorization, obtaining a first policy for mobility management for the third device, and updating the policy for communication with the first policy.
6. The first device of claim 1, wherein the notification further indicates an association between the third device and the fourth device, the third device is controlled by the fourth device or the fourth device is controlled by the third device.
7. The first device of claim 6, wherein the first device is further caused to: in accordance with a determination that the result indicates a success of the authentication and authorization, forward a request to establish a packet data unit session for communication between the third device and the fourth device based on the association and a second packet data unit session for communication between the third device and a data network.
8. The first device of claim 6, wherein the first device is further caused to: configure, based on the association, a user plane function device to route traffic between the third device and the fourth device.
9. The first device of claim 1, wherein the first device is further caused to: in accordance with a determination that the result indicates a failure of the authentication and authorization, terminate a packet data unit session for communication between the third device and a data network.
10. The first device of claim 1, wherein the first device is further caused to: in accordance with a determination that the result indicates a failure of the authentication and authorization, modify a policy in a user plane function device to enable the third device to only communicate with the second device.
11. The first device of claim 1, wherein the first device is caused to receive the notification by receiving the notification via one of the following: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
12. The first device of claim 1, wherein the first device comprises an access and mobility management function device, and the first device is further caused to forward the notification to at least one of the following: a unified data management device, a session management function device, or a policy control function device.
13. The first device of claim 1, wherein the first device comprises a unified data management device, and the first device is further caused to forward the notification to at least one of the following: an access and mobility management function device, a session management function device, the session management function device via the access and mobility management function device, a policy control function device, or the policy control function device via the access and mobility management function device.
14. The first device of claim 1, wherein the second device comprises an unmanned aerial system traffic management device, and the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
15. The first device of claim 1, wherein the notification further comprises at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the third device, an allowed flight altitude for the third device, an allowed flight speed for the third device, an allowed mobility behavior for the third device, or capabilities of the third device.
16. A second device, comprising: at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code configured to, with the at least one processor, cause the second device to: perform authentication and authorization for a third device; and transmit a notification to a first device, the notification indicating a result of the authentication and authorization.
17. The second device of claim 16, wherein the second device is further caused to: receive a subscription request for the result from the first device, the subscription request comprising an identity of the third device.
18. The second device of claim 17, wherein the identity of the third device comprises one of the following: an identity of an unmanned aerial system that the third device belongs to, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
19. The second device of claim 16, wherein the notification further indicates an association between the third device and a fourth device, the third device is controlled by the fourth device or the fourth device is controlled by the third device.
20. The second device of claim 16, wherein the second device is caused to transmit the notification by transmitting the notification via one of the following: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
21. The second device of claim 16, wherein the first device comprises an access and mobility management function device or a unified data management device, the second device comprises an unmanned aerial system traffic management device, and the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
22. The second device of claim 16, wherein the notification further comprises at least one of the following: allowed flight paths associated with identities of cells serving the third device, tracking areas associated with the third device, an allowed flight altitude for the third device, an allowed flight speed for the third device, an allowed mobility behavior for the third device, or capabilities of the third device.
23. The second device of claim 16, wherein the second device comprises an unmanned aerial system traffic management device, and the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
24. The second device of claim 16, wherein the first device comprises one of the following: an access and mobility management function device, a session management function device, a policy control function device, or a unified data management device.
25. A method, comprising: receiving a notification at a first device from a second device, the notification indicating a result of authentication and authorization performed by the second device for a third device; and updating a policy for communication between the third device and a data network based on the result of the authentication and authorization.
26. A method, comprising: performing, at a second device, authentication and authorization for a third device; and transmitting a notification to a first device, the notification indicating a result of the authentication and authorization.
27. An apparatus, comprising: means for receiving a notification at a first device from a second device, the notification indicating a result of authentication and authorization performed by the second device for a third device; and means for updating a policy for communication between the third device and a data network based on the result of the authentication and authorization.
28. An apparatus, comprising: means for performing, at a second device, authentication and authorization for a third device; and means for transmitting a notification to a first device, the notification indicating a result of the authentication and authorization.
29. A non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method of claim 25.
30. A non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method of claim 26.
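The subscription, notification and policy-update steps claimed above (claims 1, 2, 5, 7 to 10, 16 and 17), which the apparatus embodiments earlier in the description restate, as an added Python simulation that is not part of the patent or of any 3GPP implementation. The UTM (second device) is modelled as a constructed registry of authorized identities, since the credential exchange itself is outside this page; the AMF (first device) keeps a small per-UE context standing in for PDU sessions and UPF rules; the notification is delivered as a direct callback rather than through an NEF or SCEF; and all identifiers such as `gpsi-uav-1`, `uas-A` and the policy field names are constructed for the example.

```python
"""Added illustration of the A&A result notification between a UTM (second
device) and an AMF (first device) about a UAV (third device).  Not code from
the patent or from 3GPP; identities, field names and the in-memory UPF rule
table are constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Notification:
    """A&A result for one third device, as sent by the UTM (claims 16, 19, 22)."""
    gpsi: str                                  # identity used in the subscription
    success: bool
    uas_id: Optional[str] = None
    controller_gpsi: Optional[str] = None      # fourth device, if associated
    allowed_altitude_m: Optional[int] = None   # constructed flight constraints
    allowed_speed_mps: Optional[int] = None
    allowed_cells: tuple = ()


@dataclass
class UEContext:
    """Per-UE state the AMF side of this simulation updates on a result."""
    gpsi: str
    pdu_sessions: Dict[str, str] = field(default_factory=dict)   # name -> state
    mobility_policy: Dict[str, object] = field(default_factory=dict)
    upf_allowed_peers: Optional[Set[str]] = None                 # None = unrestricted


class UTMDevice:
    """Second device: performs A&A and notifies the subscribed first device."""

    def __init__(self, authorized: Dict[str, dict]):
        self._authorized = authorized          # constructed registry: gpsi -> grant
        self._subscribers: Dict[str, Callable[[Notification], None]] = {}

    def subscribe(self, gpsi: str, callback: Callable[[Notification], None]) -> None:
        """Claim 17: subscription keyed by the third device's identity."""
        self._subscribers[gpsi] = callback

    def authenticate_and_authorize(self, gpsi: str) -> Notification:
        grant = self._authorized.get(gpsi)
        if grant is None:
            note = Notification(gpsi=gpsi, success=False)
        else:
            note = Notification(gpsi=gpsi, success=True, **grant)
        callback = self._subscribers.get(gpsi)
        if callback is not None:               # no subscriber, no notification
            callback(note)
        return note


class AMFDevice:
    """First device: receives the notification and updates policies (claim 1)."""

    def __init__(self, utm: UTMDevice, utm_peer: str = "utm"):
        self._utm = utm
        self._utm_peer = utm_peer
        self.contexts: Dict[str, UEContext] = {}
        self.log: List[str] = []

    def register_ue(self, gpsi: str) -> UEContext:
        ctx = UEContext(gpsi=gpsi, pdu_sessions={"dn": "active"})
        self.contexts[gpsi] = ctx
        self._utm.subscribe(gpsi, self.on_notification)          # claim 2
        return ctx

    def on_notification(self, note: Notification) -> None:
        ctx = self.contexts.get(note.gpsi)
        if ctx is None:
            # A result for a UE this AMF never subscribed for is not acted on.
            self.log.append(f"drop: unknown {note.gpsi}")
            return
        if note.success:
            self._apply_success(ctx, note)
        else:
            self._apply_failure(ctx)

    def _apply_success(self, ctx: UEContext, note: Notification) -> None:
        # Claim 5: derive the mobility-management policy from the notification.
        ctx.mobility_policy = {"altitude_m": note.allowed_altitude_m,
                               "speed_mps": note.allowed_speed_mps,
                               "cells": set(note.allowed_cells)}
        ctx.upf_allowed_peers = None
        if note.controller_gpsi:
            ctx.pdu_sessions["c2"] = "active"  # claims 7-8: UAV <-> controller
        self.log.append(f"ok: {ctx.gpsi}")

    def _apply_failure(self, ctx: UEContext) -> None:
        ctx.pdu_sessions["dn"] = "terminated"      # claim 9
        ctx.upf_allowed_peers = {self._utm_peer}   # claim 10: UTM-only
        ctx.mobility_policy = {}
        self.log.append(f"fail: {ctx.gpsi}")


def run_demo() -> AMFDevice:
    """Constructed scenario: one authorized UAV, one unknown UAV."""
    utm = UTMDevice({"gpsi-uav-1": {"uas_id": "uas-A", "controller_gpsi": "gpsi-ctrl-1",
                                    "allowed_altitude_m": 120, "allowed_speed_mps": 20,
                                    "allowed_cells": ("cell-17", "cell-18")}})
    amf = AMFDevice(utm)
    amf.register_ue("gpsi-uav-1")
    amf.register_ue("gpsi-uav-2")                     # not in the UTM registry
    utm.authenticate_and_authorize("gpsi-uav-1")
    utm.authenticate_and_authorize("gpsi-uav-2")
    utm.authenticate_and_authorize("gpsi-uav-9")      # nobody subscribed: no notification
    return amf
```

After `run_demo()` the authorized UAV keeps its data-network session, gains a C2 session with its controller and carries a mobility policy taken from the notification, while the unknown UAV has its data-network session terminated and its UPF peer set reduced to the UTM alone; a notification naming an identity the AMF never subscribed for is logged and dropped rather than acted on, which is the check a first device should apply before it changes policy on the strength of an inbound result.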
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202080104526.8A CN116114002B (en) | 2020-07-30 | 2020-07-30 | Method, device, apparatus and storage medium for notifying authentication and authorization results |
| PCT/CN2020/105937 WO2022021239A1 (en) | 2020-07-30 | 2020-07-30 | Notify network about result of authentication and authorization of terminal device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2020/105937 WO2022021239A1 (en) | 2020-07-30 | 2020-07-30 | Notify network about result of authentication and authorization of terminal device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2022021239A1 true WO2022021239A1 (en) | 2022-02-03 |
Family
ID=80037422
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2020/105937 Ceased WO2022021239A1 (en) | 2020-07-30 | 2020-07-30 | Notify network about result of authentication and authorization of terminal device |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN116114002B (en) |
| WO (1) | WO2022021239A1 (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2018178752A1 (en) * | 2017-03-31 | 2018-10-04 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods and systems for using network location services in a unmanned aircraft systems traffic management framework |
| CN111433828A (en) * | 2017-10-16 | 2020-07-17 | 交互数字专利控股公司 | Protocol design for Unmanned Aerial System (UAS) service management (UTM) |
Family Cites Families (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100428677C (en) * | 2006-01-21 | 2008-10-22 | 华为技术有限公司 | A method and system for subscribing to presentation information |
| JP6535382B2 (en) * | 2015-03-31 | 2019-06-26 | SZ DJI Technology Co., Ltd | Method and system for determining the position of an unmanned aerial vehicle |
| PL3443451T3 (en) * | 2016-04-14 | 2024-03-04 | Rhombus Systems Group, Inc. | System for verification of integrity of unmanned aerial vehicles |
| US10338609B2 (en) * | 2017-03-31 | 2019-07-02 | T-Mobile Usa, Inc. | Authorizing drone access to fulfillment centers |
| CN110278085A (en) * | 2018-03-15 | 2019-09-24 | 宗鹏 | UAV remote authorization and remote control channel encryption technology |
| WO2019183858A1 (en) * | 2018-03-28 | 2019-10-03 | 华为技术有限公司 | Unmanned aerial vehicle identification method and device |
| CN110838245A (en) * | 2018-08-16 | 2020-02-25 | 华为技术有限公司 | A mobile network-based drone monitoring method and device |
| WO2020091281A1 (en) * | 2018-11-02 | 2020-05-07 | 엘지전자 주식회사 | Method and apparatus for performing proxy authentication for access permission by terminal in wireless communication system |
| CN111432457A (en) * | 2019-01-09 | 2020-07-17 | 华为技术有限公司 | Communication method and communication device |
| CN111436050B (en) * | 2019-01-11 | 2022-04-05 | 华为技术有限公司 | Wireless network communication method, network equipment and terminal |
| CN109756261B (en) * | 2019-02-03 | 2022-03-11 | 飞牛智能科技(南京)有限公司 | Unmanned aerial vehicle identity label alarming and informing method based on mobile operator network |
2020
- 2020-07-30 CN CN202080104526.8A patent/CN116114002B/en active Active
- 2020-07-30 WO PCT/CN2020/105937 patent/WO2022021239A1/en not_active Ceased
Non-Patent Citations (2)
| Title |
|---|
| INTERDIGITAL: "Solution for UAV Authentication and Authorization by USS/UTM using key bootstrapping based on 3GPP credentials", 3GPP DRAFT; S2-2004166, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. e-meeting; 20200601 - 20200612, 22 May 2020 (2020-05-22), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051890171 * |
| INTERDIGITAL: "Solution for UAV Authentication and Authorization by UTM using UTM authorization token", 3GPP DRAFT; S2-2004167, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, vol. SA WG2, no. e-meeting; 20200601 - 20200612, 22 May 2020 (2020-05-22), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France , XP051890172 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116114002B (en) | 2025-02-11 |
| CN116114002A (en) | 2023-05-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20240205781A1 (en) | | User equipment trajectory-assisted handover |
| KR102664128B1 (en) | | Enhanced NEF features, MEC and 5G integration |
| ES2925551T3 (en) | | Apparatus, method and computer program for the control of the user plane function by means of a set of controllers |
| US11363447B2 (en) | | Method and device for managing and allocating binding service in a wireless network |
| WO2022027042A1 (en) | | Small data exchange handling by a user equipment in inactive state |
| EP3817453A1 (en) | | Communication method and apparatus |
| JP7662133B2 (en) | | Sixth Generation (6G) System Architecture and Functions |
| CN115997375A (en) | | Providing access to localized services (PALS) in fifth generation (5G) systems |
| JP2024528779A (en) | | Multi-cell communication with multiple PDSCH/PUSCH scheduling via a single DCI |
| WO2023016395A1 (en) | | Method and communication apparatus for secure communication |
| WO2023018778A1 (en) | | Radio access network computing service support with distributed units |
| US11071051B1 (en) | | Systems and methods for SCEF-assisted MEC traffic breakout |
| WO2022251115A1 (en) | | Physical downlink control channel (pdcch) monitoring for cross-carrier scheduling |
| EP4221445A1 (en) | | Access traffic steering, switching, and splitting with branching point or uplink classifier on the path |
| EP4221315A1 (en) | | Multiple user plane function supporting access traffic steering, switching, and splitting for multi-access packet data unit session |
| US20240147438A1 (en) | | Time domain resource allocation for data transmissions |
| JP2024539804A (en) | | Techniques for enhanced phase tracking reference signal operation |
| WO2023212872A1 (en) | | External ip interface management in 5gs ip router node |
| US20240236183A1 (en) | | Remote direct memory access (rdma) support in cellular networks |
| WO2022021239A1 (en) | | Notify network about result of authentication and authorization of terminal device |
| CN118525541A (en) | | Security architecture between User Equipment (UE) and sixth generation (6G) networks based on 6G Mutual Transport Layer Security (MTLS) |
| CN115250465A (en) | | Apparatus for use in a core network |
| US20250175424A1 (en) | | Ip routing and forwarding operation and management of ip router node |
| US20240340772A1 (en) | | Steering of roaming enhancement during registration reject |
| WO2025030516A1 (en) | | User equipment virtual network group management |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20947737; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 20947737; Country of ref document: EP; Kind code of ref document: A1 |
| | WWG | Wipo information: grant in national office | Ref document number: 202080104526.8; Country of ref document: CN |