WO2024098177A1 - Authentication procedure for network slice - Google Patents

Info

Publication number
WO2024098177A1
Authority
WO
WIPO (PCT)
Prior art keywords
network slice
identity
authentication
message
revoke
Prior art date
Legal status
Ceased
Application number
PCT/CN2022/130237
Other languages
French (fr)
Inventor
Jing PING
Ranganathan MAVUREDDI DHANASEKARAN
Current Assignee
Nokia Shanghai Bell Co Ltd
Nokia Solutions and Networks Oy
Nokia Technologies Oy
Original Assignee
Nokia Shanghai Bell Co Ltd
Nokia Solutions and Networks Oy
Nokia Technologies Oy
Priority date
Filing date
Publication date
Application filed by Nokia Shanghai Bell Co Ltd, Nokia Solutions and Networks Oy, Nokia Technologies Oy
Priority to CN202280101674.3A (published as CN120188446A)
Priority to PCT/CN2022/130237 (published as WO2024098177A1)
Publication of WO2024098177A1
Current legal status: Ceased

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity › H04W 12/06 Authentication
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity › H04W 12/60 Context-dependent security › H04W 12/69 Identity-dependent › H04W 12/71 Hardware identity
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04W WIRELESS COMMUNICATION NETWORKS › H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity › H04W 12/60 Context-dependent security › H04W 12/69 Identity-dependent › H04W 12/72 Subscriber identity

Definitions

  • Various example embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to methods, devices, apparatuses and computer readable storage media for an authentication procedure for a network slice.
  • Network slicing is a type of virtual networking architecture in the same family as software-defined networking (SDN) and network functions virtualization (NFV).
  • SDN and NFV are two closely related network virtualization technologies that are moving modern networks toward software-based automation.
  • a first apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the first apparatus at least to perform: receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a second apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the second apparatus at least to perform: transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a third apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the third apparatus at least to perform: receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and wherein the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a method comprises: receiving, at a first apparatus and from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a method comprises: transmitting, at a second apparatus and to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a method comprises: receiving, at a third apparatus and from a first apparatus, a message that comprises a validity timer associated with a network slice, and wherein the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a first apparatus comprises: means for receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and means for transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a second apparatus comprises: means for transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a third apparatus comprises: means for receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and wherein the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the first aspect.
  • a computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the second aspect.
  • FIG. 1 illustrates an example communication environment in which example embodiments of the present disclosure can be implemented
  • FIG. 2 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
  • FIG. 3 illustrates a signaling chart for communication according to some example embodiments of the present disclosure
  • FIG. 4 illustrates a signaling chart for communication according to an example embodiment of the present disclosure
  • FIG. 5 illustrates a signaling chart for communication according to another example embodiment of the present disclosure
  • FIG. 6 illustrates a flowchart of a method implemented at a first apparatus according to some example embodiments of the present disclosure
  • FIG. 7 illustrates a flowchart of a method implemented at a second apparatus according to some example embodiments of the present disclosure
  • FIG. 8 illustrates a flowchart of a method implemented at a third apparatus according to some example embodiments of the present disclosure
  • FIG. 9 illustrates a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure.
  • FIG. 10 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
  • references in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to affect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • although the terms “first,” “second” and the like may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments.
  • the term “and/or” includes any and all combinations of one or more of the listed terms.
  • performing a step “in response to A” does not indicate that the step is performed immediately after “A” occurs and one or more intervening steps may be included.
  • circuitry may refer to one or more or all of the following:
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
  • the term “communication network” refers to a network following any suitable communication standards, such as New Radio (NR), Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High-Speed Packet Access (HSPA), Narrow Band Internet of Things (NB-IoT) and so on.
  • NR New Radio
  • LTE Long Term Evolution
  • LTE-A LTE-Advanced
  • WCDMA Wideband Code Division Multiple Access
  • HSPA High-Speed Packet Access
  • NB-IoT Narrow Band Internet of Things
  • the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G), the second generation (2G), 2.5G, 2.75G, the third generation (3G), the fourth generation (4G), 4.5G, the fifth generation (5G) communication protocols, and/or any other protocols either currently known or to be developed in the future.
  • Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned systems.
  • the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom.
  • the network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), an NR NB (also referred to as a gNB), a Remote Radio Unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, an Integrated Access and Backhaul (IAB) node, a low power node such as a femto, a pico, a non-terrestrial network (NTN) or non-ground network device such as a satellite network device, a low earth orbit (LEO) satellite and a geosynchronous earth orbit (GEO) satellite, an aircraft network device, and so forth, depending on the applied terminology and technology.
  • radio access network (RAN) split architecture comprises a Centralized Unit (CU) and a Distributed Unit (DU) at an IAB donor node.
  • An IAB node comprises a Mobile Terminal (IAB-MT) part that behaves like a UE toward the parent node, and a DU part of an IAB node behaves like a base station toward the next-hop IAB node.
  • IAB-MT Mobile Terminal
  • terminal device refers to any end device that may be capable of wireless communication.
  • a terminal device may also be referred to as a communication device, user equipment (UE), a Subscriber Station (SS), a Portable Subscriber Station, a Mobile Station (MS), or an Access Terminal (AT).
  • UE user equipment
  • SS Subscriber Station
  • MS Mobile Station
  • AT Access Terminal
  • the terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial and/
  • the terminal device may also correspond to a Mobile Termination (MT) part of an IAB node (e.g., a relay node).
  • MT Mobile Termination
  • IAB node e.g., a relay node
  • the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
  • network slice may refer to network resources that can provide or support services.
  • a network slice may be an isolated end-to-end network tailored to satisfy varied requirements asked for by a particular application.
  • the network slice may be equipment-vendor agnostic and can span across a radio network from vendor one, to the core from vendor two and so on.
  • the term “extensible authentication” used herein may refer to extensibility for authentication methods for commonly used protected network access technologies.
  • EAP Extensible Authentication Protocol
  • a temporary network slice does not only mean that the network slice is decommissioned and created as per the timing information, but also that the network slice is not meant to be available for use by the UE.
  • resource may refer to any resource for performing a communication, for example, a communication between a terminal device and a network device, such as a resource in time domain, a resource in frequency domain, a resource in space domain, a resource in code domain, or any other resource enabling a communication, and the like.
  • a resource in both frequency domain and time domain will be used as an example of a transmission resource for describing some example embodiments of the present disclosure. It is noted that example embodiments of the present disclosure are equally applicable to other resources in other domains.
  • Network Slices are deployed for services over an Area of Service which may match the conventional tracking areas (TAs) or for which the Area of Service can be different.
  • TAs tracking areas
  • network slice availability, i.e., where the network slices are defined to be supported
  • the UE and network configuration can be impacted when network slices are deployed and decommissioned over a certain time interval (e.g., the Configured Network Slice Specific Assistance Information (NSSAI) can change when a network slice is no longer available or becomes available; this can affect the Allowed NSSAI, and other parameters may need to change, etc.).
  • NSSAI Configured Network Slice Specific Assistance Information
  • Timing Information can be used to track the start time, end time, and periodicity of the availability of the network slice, including any related temporary TA. It is proposed to specify that the UE can be updated with timing information about the configured/allowed slices and this same timing information can also be provided from the RAN to the AMF when the serving PLMN RAN is configured with the timing information.
  • the timing information can be associated to TAs, S-NSSAIs for temporary slices that also require deployment/support of temporary TAs. If the termination of a network slice is Home Public Land Mobile Network (HPLMN) initiated, then this information is passed to UE and Radio Access Network (RAN) UE context in addition to Access and Mobility Function (AMF) and Session Management Function (SMF) .
  • HPLMN Home Public Land Mobile Network
  • AMF Access and Mobility Function
  • SMF Session Management Function
  • the most constraining timing determines a slice availability.
  • S-NSSAI single-NSSAI
  • Temporary slices are expected to be made known to UE during configuration or other network slicing procedures impacting Configured NSSAI or Allowed NSSAI.
  • the UE and network remove the S-NSSAI locally from the allowed NSSAI if the S-NSSAI is present in the allowed NSSAI.
  • NSSAA Network Slice Specific Authentication and Authorization
  • AAA-S Authentication, Authorization, and Accounting Server
  • the AAA-S and NSSAAF may still keep the authentication status of the S-NSSAI for the UE if they are not aware of the timeout of the temporary slice. Compared to normal slices, the number of temporary slices could be high.
  • AAA-S memory/database
  • NSSAAF Network Slice Specific Authentication and Authorization Function
  • the AAA-S server may trigger re-authentication/authorization on the timed-out slice of the UE, which further wastes network and computing resources and may also cause confusion at the AMF. Therefore, the NSSAA procedure for the network slice needs to be enhanced.
  • a validity timer for a network slice is exchanged between network devices.
  • a network device for example, AAA server, AMF, SMF
  • PDU protocol data unit
  • the network devices are allowed to clean up authentication state, thereby avoiding unexpected re-authentication and authorization.
  • FIG. 1 illustrates an example communication environment 100 in which example embodiments of the present disclosure can be implemented.
  • a plurality of devices including a first device 110, a second device 120, and a third device 130 can communicate with each other.
  • the first device 110 may include a device that can implement Network Slice Specific Authentication and Authorization (NSSAA)
  • the second device 120 may include an AMF entity
  • the third device 130 may include a device that can implement an Authentication, Authorization, and Accounting function (such as an AAA server).
  • NSSAA Network Slice Specific Authentication and Authorization
  • AAA Authentication, Authorization, and Accounting function
  • the communication environment 100 may include a fourth device 140 that may be an Authentication, Authorization, and Accounting Proxy (AAA-P) .
  • the communication environment 100 may also include a terminal device 150.
  • the communication environment 100 may include any suitable number of devices configured to implement example embodiments of the present disclosure.
  • Communications in the communication environment 100 may be implemented according to any proper communication protocol(s), comprising, but not limited to, cellular communication protocols of the first generation (1G), the second generation (2G), the third generation (3G), the fourth generation (4G), the fifth generation (5G), the sixth generation (6G), and the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future.
  • the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple-Input Multiple-Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), Discrete Fourier Transform spread OFDM (DFT-s-OFDM) and/or any other technologies currently known or to be developed in the future.
  • CDMA Code Division Multiple Access
  • FDMA Frequency Division Multiple Access
  • TDMA Time Division Multiple Access
  • FDD Frequency Division Duplex
  • TDD Time Division Duplex
  • MIMO Multiple-Input Multiple-Output
  • OFDM Orthogonal Frequency Division Multiplexing
  • DFT-s-OFDM Discrete Fourier Transform spread OFDM
  • FIG. 2 shows a signaling chart 200 for communication according to some example embodiments of the present disclosure.
  • the signaling chart 200 involves a first device 110, a second device 120, and a third device 130.
  • although one first device 110, one second device 120 and one third device 130 are illustrated in FIG. 2, it would be appreciated that there may be a plurality of first devices performing similar operations as described with respect to the first device 110 below, a plurality of second devices performing similar operations as described with respect to the second device 120 below, and a plurality of third devices performing similar operations as described with respect to the third device 130 below.
  • the second device 120 transmits (2010) an authenticate request for a network slice to the first device 110.
  • the authenticate request includes a validity timer of the network slice.
  • a duration of the validity timer may be a couple of days.
  • the duration of the validity timer may be a couple of hours or minutes. It is noted that the duration of the validity timer can be any suitable value.
  • the duration of the validity timer may be same as or similar to a duration of a timer for the network slice configured at the terminal device 150.
  • the authenticate request may include a first identity for the network slice.
  • the second device 120 may obtain the first identity from a terminal device (for example, the terminal device 150) .
  • the first identity may be signaled by the terminal device to the network, in order to assist the network in selecting a particular Network Slice instance.
  • the first identity may be S-NSSAI of the network slice.
  • the S-NSSAI may refer to an identifier for a Network Slice across the 5GC, 5G-RAN and the UE.
  • the S-NSSAI may be associated with a PLMN (e.g., PLMN ID) and have network-specific values or have standard values.
  • a S-NSSAI is used by the UE in access network in the PLMN that the S-NSSAI is associated with.
  • an S-NSSAI may include a Slice/Service type (SST) and a Slice Differentiator (SD). It is noted that the first identity may be any proper type of identity that can uniquely identify the network slice.
  • S-NSSAI may be subjected to NSSAA.
  • the authenticate request may include a second identity for a terminal device that is configured with the network slice for an extensible authentication.
  • the authenticate request may include the second identity of the terminal device 150 for extensible authentication.
  • the second identity may be an EAP ID. It is noted that the second identity may be any proper type of identity that can identify the terminal device for the extensible authentication.
  • the authenticate request may include a third identity associated with the subscription of the terminal device.
  • the third identity may be a Generic Public Subscription Identifier (GPSI) .
  • GPSI Generic Public Subscription Identifier
  • the GPSI may be used as a means of addressing a 3GPP subscription in data networks outside the realms of a 3GPP system.
  • the second device 120 may use any GPSI in the list provided by the UDM for NSSAA procedures.
  • the third identity may be any proper type of identity that can address subscriptions.
  • the first device 110 transmits (2020) a message that includes the validity timer to the third device 130.
  • the message may include the first identity for the network slice.
  • the message may include the second identity for a terminal device that is configured with the network slice for an extensible authentication.
  • the message may include the third identity associated with the subscription of the terminal device.
  • the first device 110 may transmit the message to the third device 130.
  • the first device may transmit the message to the fourth device 140.
  • the fourth device may further forward the message to the third device 130.
  • the third device 130 may store (2030) the validity timer associated with the network slice.
  • the third device 130 may store the validity timer together with the first identity for the network slice and the third identity associated with the subscription of the terminal device, and optionally the second identity for the extensible authentication.
  • the third device 130 may trigger (2040) a revocation of the authentication and authorization.
  • the third device 130 may trigger the revocation of the NSSAA based on the validity timer. For example, if the validity timer expires, the third device 130 may trigger the revocation of the NSSAA. It is noted that the third device 130 may also trigger the revocation of the NSSAA based on other conditions.
  • the third device 130 may transmit (2050) a revoke authentication request for the network slice to the first device 110.
  • the revoke authentication request may include the first identity for the network slice and the third identity associated with the subscription of the terminal device.
  • the revoke authentication request may also include an indication of an expiration of the validity timer.
  • the third device 130 may transmit the revoke authentication request for the network slice to the first device 110.
  • the third device 130 may transmit the revoke authentication request for the network slice to the fourth device 140.
  • the fourth device 140 may then forward the revoke authentication request for the network slice to the first device 110.
  • the first device 110 may clean up (2060) a local status related to the third identity and the first identity.
  • “clean up the local status” may refer to one of: remove the local status, delete the local status, or set the local status to a predefined status. For example, if the revoke authentication request includes the indication of the expiration of the validity timer, the first device 110 may clean up the local status. In this case, the first device may transmit (2070) a revoke authentication response to the third device 130 without further notifying the second device 120, which avoids unexpected re-authentication and authorization. Example embodiments of cleaning up the local status are described with reference to FIG. 5 later.
  • the first device 110 may transmit the revoke authentication response to the third device 130.
  • the first device 110 may transmit the revoke authentication response to the fourth device 140.
  • the fourth device 140 may then forward the revoke authentication response to the third device 130.
  • the first device 110 may transmit (2080) a revocation notification to the second device 120.
  • the revocation notification may include the first identity for the network slice and the third identity associated with subscription of the terminal device.
  • the second device 120 may determine whether the network slice is a temporary network slice. For example, the second device 120 may determine whether the first identity is associated with a temporary network slice. If the network slice is a temporary network slice, the second device 120 may drop (2090) the revocation notification. In other words, instead of transmitting a configuration update to the terminal device, the second device 120 may cause the revocation notification to be dropped, which avoids unexpected re-authentication and authorization. Example embodiments of dropping the revocation notification are described with reference to FIG. 4 later.
  • the second device 120 may transmit a configuration that includes the validity timer associated with the network slice and the first identity for the network slice to the terminal device 150 after an NSSAA of the network slice.
  • an EAP framework may be used for the NSSAA between the terminal device 150 and the third device 130 (i.e., the AAA server).
  • the second device may perform the role of the EAP Authenticator and communicate with the third device 130 via the first device 110 (i.e., the NSSAAF).
  • the first device 110 may undertake any AAA protocol interworking with the third device 130. Multiple EAP methods may be possible for NSSAA. If the third device 130 belongs to a third party, the first device 110 contacts the third device 130 via a fourth device 140 (i.e., the AAA-P). In some example embodiments, the first device 110 and the fourth device 140 may be co-located.
  • FIG. 3 shows a signaling chart 300 for communication according to an example embodiment of the present disclosure.
  • the second device 120 may trigger (301) to perform slice-specific authentication and authorization.
  • the second device 120 may trigger the start of the Network Slice Specific Authentication and Authorization procedure.
  • the second device 120 may determine, based on UE Context in the AMF, that for some or all S-NSSAI (s) subject to Network Slice Specific Authentication and Authorization, the UE has already been authenticated following a Registration procedure on a first access.
  • depending on the Network Slice Specific Authentication and Authorization result (e.g., success/failure), the second device 120 may decide, based on network policies, to skip Network Slice Specific Authentication and Authorization for these S-NSSAIs during the Registration on a second access.
  • the second device 120 may select an Access Type to be used to perform the Network Slice Specific Authentication and Authorization procedure based on network policies.
  • the second device 120 transmits (302) an EAP Identity Request for the S-NSSAI in a NAS MM Transport message including the S-NSSAI. This is the S-NSSAI of the H-PLMN, not the locally mapped S-NSSAI value.
  • the terminal device 150 may transmit (303) the EAP Identity Response for the S-NSSAI alongside the S-NSSAI in a NAS MM Transport message towards the second device 120.
  • the second device 120 may transmit (304) the EAP Identity Response to the first device 110 in a Nnssaaf_NSSAA_Authenticate Request (EAP Identity Response, GPSI, S-NSSAI and optionally validity or termination timer) .
  • if the UE subscription includes multiple GPSIs, the second device 120 may use any GPSI in the list provided by the UDM for NSSAA procedures.
  • the first device 110 may transmit (305) the EAP ID Response message, together with optionally validity or termination timer from the second device 120, to the third device 130.
  • the first device 110 may transmit the message to the third device 130.
  • the first device 110 may be responsible to send the NSSAA requests to the appropriate third device 130 based on local configuration of AAA-S address per S-NSSAI.
  • the first device 110 uses, towards the AAA-P or the AAA-S, an AAA protocol message of the protocol supported by the AAA-S.
  • the fourth device 140 may transmit (306) the EAP Identity message to the third device 130 addressable by the AAA-S address together with S-NSSAI, GPSI and optionally validity or termination timer.
  • the third device 130 may store the GPSI and S-NSSAI to create an association with the EAP Identity in the EAP ID response message, so the third device 130 can later use it to revoke authorization or to trigger reauthentication.
  • the third device 130 may also store the validity or termination timer, together with the GPSI and S-NSSAI.
  • the third device 130 may trigger authentication revocation on the S-NSSAI of the GPSI when the timer expires.
  • the third device 130 may transmit (307) an AAA protocol message to the fourth device 140.
  • the AAA protocol message may include EAP message, GPSI and S-NSSAI.
  • the fourth device 140 may then transmit (308) the AAA protocol message to the first device 110.
  • the first device 110 may transmit (309) Nnssaaf_NSSAA_Authenticate Request that includes EAP message, GPSI and S-NSSAI to the second device 120.
  • the second device 120 may transmit (310) a NAS MM transport that includes EAP message and S-NSSAI to the terminal device 150.
  • the terminal device 150 may transmit (311) the NAS MM transport that includes EAP message and S-NSSAI to the second device 120.
  • the second device 120 may transmit (312) a Nnssaaf_NSSAA_Authenticate Request that includes EAP message, GPSI and S-NSSAI to the first device 110.
  • the first device 110 may transmit (313) AAA protocol message that includes EAP message, AAA-S address, GPSI and S-NSSAI to the fourth device 140.
  • the fourth device 140 may transmit (314) an AAA protocol message that includes EAP message, GPSI and S-NSSAI to the third device 130. It is noted that one or more interactions of the operations 307-314 may occur.
  • the third device 130 may store the S-NSSAI for which the authorization has been granted. The third device 130 may decide to trigger reauthentication and reauthorization based on its local policies. An EAP-Success/Failure message is delivered to the fourth device 140 (or if the fourth device 140 is not present, to the first device 110) with GPSI and S-NSSAI. For example, the third device 130 may transmit (315) an AAA protocol message that includes EAP success/failure, GPSI, S-NSSAI to the fourth device 140.
  • the fourth device 140 may transmit (316) an AAA protocol message that includes EAP success/failure, GPSI, and S-NSSAI to the first device 110.
  • the first device 110 may transmit (317) a Nnssaaf_NSSAA_Authenticate Request that includes EAP success/failure, GPSI, S-NSSAI to the second device 120.
  • the second device 120 may transmit (318) a NAS MM Transport message (including EAP-Success/Failure) to the terminal device 150.
  • the second device 120 may store the EAP result for each S-NSSAI for which the NSSAA procedure in operations 301-317 was executed.
  • the second device 120 may perform (319a) the UE configuration update procedure with the validity timer. For example, in some example embodiments, if one or more conditions are fulfilled, the second device 120 may initiate the UE Configuration Update procedure, for each Access Type. The second device 120 may also add the validity/termination timer of the network slice in the UE configuration update message together with the allowed S-NSSAI.
  • the conditions may comprise: (1) a new Allowed NSSAI (i.e.
  • the second device 120 may initiate the PDU Session Release procedure to release the PDU sessions with the appropriate cause value.
  • the second device 120 may perform (319b) the network-initiated deregistration procedure.
  • the second device 120 may execute the Network-initiated Deregistration procedure and it may include in the explicit De-Registration Request the list of Rejected S-NSSAIs, each of them with the appropriate rejection cause value.
  • the validity/termination timer of the temporary slice can be added in the NSSAA authentication request. If the validity timer exists, the AAA-S stores the timer together with the S-NSSAI per UE. The AMF also adds the validity/termination timer of the temporary slice in the UE configuration update message together with the allowed S-NSSAI.
  • FIG. 4 shows a signaling chart 400 for revocation of the authentication and authorization according to an example embodiment of the present disclosure.
  • the third device 130 may transmit (401) an AAA protocol revoke authorization request to the fourth device 140 if the fourth device 140 is used.
  • the third device 130 may request the revocation of authorization for the Network Slice specified by the S-NSSAI in the AAA protocol Revoke Auth Request message, for the UE identified by the GPSI in this message.
  • the fourth device 140 may transmit (402) the AAA protocol revoke authorization request to the first device 110.
  • the first device 110 may obtain AMF ID from unified data management (UDM) 410 using Nudm_UECM_Get with the GPSI in the received AAA message. If two different AMF addresses are received, the first device 110 may initiate the operation 404 towards both AMFs. For example, the first device 110 may transmit (403a) a Nudm_UECM_Get request that includes GPSI and AMF registration to the UDM 410. The UDM 410 may transmit (403b) a Nudm_UECM_Get response that includes AMF ID to the first device 110.
  • the first device 110 may transmit (403c) an AAA protocol revoke authorization response to the third device 130.
  • the first device 110 may provide an acknowledgement to the AAA protocol Re-Auth Request message. If the second device 120 is not registered in the UDM, the procedure is stopped here.
  • the first device 110 may transmit (404) a Nnssaaf_NSSAA_RevocationNotification that includes GPSI and S-NSSAI to the second device 120, which can notify the second device 120 to revoke the S-NSSAI authorization for the UE.
  • the second device 120 may drop (405) the NSSAA revocation notification from the first device 110, if the S-NSSAI is associated to a temporary slice.
  • FIG. 5 shows a signaling chart 500 for revocation of the network slice according to another example embodiment of the present disclosure.
  • the third device 130 may transmit (501) an AAA protocol revoke authorization request to the fourth device 140 if the fourth device 140 is used.
  • the third device 130 may request the revocation of authorization for the Network Slice specified by the S-NSSAI in the AAA protocol Revoke Auth Request message, for the UE identified by the GPSI in this message.
  • the AAA protocol revoke authorization request may include GPSI, S-NSSAI and the slice time out indication.
  • the fourth device 140 may transmit (502) the AAA protocol revoke authorization request to the first device 110.
  • the first device 110 may clean up (503) a local status related to the GPSI and S-NSSAI.
  • the first device 110 may transmit (504) an AAA protocol revoke authorization response to the third device 130 without further notifying the second device 120.
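The three flows above (FIG. 3 authentication with a validity timer, FIG. 4 policy-driven revocation, FIG. 5 timer-driven revocation) can be modelled as a small state machine. The following Python block is an added example written for this page, not code from the patent or from 3GPP. It assumes a dictionary as a stand-in for the Nudm_UECM_Get lookup, constructed GPSI and S-NSSAI values, integer timer units, and it omits the AAA-P hop; the message names and step numbers in the comments refer to the operations listed above.

```python
"""Toy model of the NSSAA flows of FIG. 3 to FIG. 5 with a validity timer.
Roles: AMF (second device), NSSAAF (first device), AAA-S (third device); the AAA-P hop
is omitted. All identifiers, the UDM stand-in and the timer values are constructed
for this example; this is not the patent's or 3GPP's own implementation."""


class AAAServer:
    """Third device: keeps GPSI/S-NSSAI with the validity timer and revokes on expiry."""
    def __init__(self):
        self.auth = {}  # (gpsi, s_nssai) -> absolute expiry time, or None if no timer given

    def authenticate(self, eap_identity, gpsi, s_nssai, now, validity_timer=None):
        # Steps 306/315: store the association and keep the timer next to it.
        self.auth[(gpsi, s_nssai)] = None if validity_timer is None else now + validity_timer
        return "EAP-Success"

    def tick(self, now):
        """Emit one revoke request (gpsi, s_nssai, slice_timed_out=True) per expired association (FIG. 5)."""
        expired = [k for k, exp in self.auth.items() if exp is not None and now >= exp]
        for k in expired:
            del self.auth[k]
        return [(g, s, True) for g, s in expired]

    def revoke_by_policy(self, gpsi, s_nssai):
        """Local-policy revocation (FIG. 4): no time-out indication is carried."""
        self.auth.pop((gpsi, s_nssai), None)
        return (gpsi, s_nssai, False)


class AMF:
    """Second device: holds UE context and knows which S-NSSAIs are temporary slices."""
    def __init__(self, temporary_slices):
        self.temporary_slices = set(temporary_slices)
        self.allowed = {}            # gpsi -> {s_nssai: validity_timer or None}
        self.ue_config_updates = []  # constructed log of what is sent to the UE
        self.dropped = []

    def on_nssaa_success(self, gpsi, s_nssai, validity_timer):
        # Step 319a: the UE configuration update carries the allowed S-NSSAI and its timer.
        self.allowed.setdefault(gpsi, {})[s_nssai] = validity_timer
        self.ue_config_updates.append((gpsi, s_nssai, validity_timer))

    def on_revocation_notification(self, gpsi, s_nssai):
        # Step 405: a notification for a temporary slice is dropped instead of acted on.
        if s_nssai in self.temporary_slices:
            self.dropped.append((gpsi, s_nssai))
            return "dropped"
        self.allowed.get(gpsi, {}).pop(s_nssai, None)
        self.ue_config_updates.append((gpsi, s_nssai, "rejected"))
        return "revoked"


class NSSAAF:
    """First device: relays NSSAA to the AAA-S and handles revoke authorization requests."""
    def __init__(self, aaa, udm):
        self.aaa, self.udm = aaa, udm  # udm: constructed stand-in for Nudm_UECM_Get (gpsi -> AMF)
        self.local_status = set()      # (gpsi, s_nssai) pairs with a completed NSSAA
        self.notifications_sent = []

    def authenticate(self, amf, eap_identity, gpsi, s_nssai, now, validity_timer=None):
        # Steps 304-318 collapsed: the request, timer included, is forwarded to the AAA-S.
        result = self.aaa.authenticate(eap_identity, gpsi, s_nssai, now, validity_timer)
        if result == "EAP-Success":
            self.local_status.add((gpsi, s_nssai))
            amf.on_nssaa_success(gpsi, s_nssai, validity_timer)
        return result

    def on_revoke_request(self, req):
        gpsi, s_nssai, slice_timed_out = req  # slice_timed_out = expiration indication
        if slice_timed_out:
            # Steps 503/504: clean up local status and answer without notifying the AMF.
            self.local_status.discard((gpsi, s_nssai))
            return "revoke-auth-response"
        amf = self.udm.get(gpsi)  # steps 403/404; the procedure stops if the UE is not registered
        if amf is not None:
            self.notifications_sent.append((gpsi, s_nssai, amf.on_revocation_notification(gpsi, s_nssai)))
        return "revoke-auth-response"


def run_scenario():
    """Timer expiry (FIG. 5) and policy revocation (FIG. 4) of a temporary and a permanent slice."""
    aaa, amf = AAAServer(), AMF(temporary_slices={"S-NSSAI-TEMP"})
    nssaaf = NSSAAF(aaa, udm={"gpsi-A": amf, "gpsi-B": amf, "gpsi-C": amf})
    nssaaf.authenticate(amf, "ue-a@example", "gpsi-A", "S-NSSAI-TEMP", now=0, validity_timer=60)
    nssaaf.authenticate(amf, "ue-b@example", "gpsi-B", "S-NSSAI-PERM", now=0)
    nssaaf.authenticate(amf, "ue-c@example", "gpsi-C", "S-NSSAI-TEMP", now=0, validity_timer=120)
    nssaaf.on_revoke_request(aaa.revoke_by_policy("gpsi-C", "S-NSSAI-TEMP"))  # FIG. 4: dropped
    nssaaf.on_revoke_request(aaa.revoke_by_policy("gpsi-B", "S-NSSAI-PERM"))  # FIG. 4: revoked
    expired = aaa.tick(now=60)                                                # FIG. 5 at t=60
    responses = [nssaaf.on_revoke_request(r) for r in expired]
    return {
        "expired": expired,
        "responses": responses,
        "notifications": nssaaf.notifications_sent,
        "dropped": amf.dropped,
        "local_status": nssaaf.local_status,
        "ue_config_updates": amf.ue_config_updates,
    }
```

The point the model makes visible is the split in handling: a revoke request that carries the expiration indication terminates at the NSSAAF (local status cleaned, response returned, no notification), whereas a policy revocation goes through the UDM lookup to the AMF, which then either drops it (temporary slice) or rejects the S-NSSAI towards the UE (permanent slice).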
  • FIG. 6 shows a flowchart of an example method 600 implemented at a first device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 600 will be described from the perspective of the first device 110 in FIG. 1.
  • the first device 110 receives an authenticate request for a network slice that comprises a validity timer associated with the network slice from the second device 120.
  • the authenticate request may comprise one or more of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the first device 110 transmits a message that comprises the validity timer associated with the network slice to the third device 130.
  • the message may comprise one or more of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the first device 110 may receive from the third device 130 a revoke authentication request for the network slice that comprises an indication of an expiration of the validity timer, the first identity, and the third identity.
  • the first device 110 may clean up a local status related to the third identity and the first identity.
  • the first device 110 may transmit to the third device 130 a revoke authentication response.
  • the first device 110 may receive the revoke authentication request from the third device 130.
  • the first device 110 may receive the revoke authentication request from a fourth device 140 which receives the revoke authentication request from the third device 130.
  • the first device 110 may transmit the revoke authentication response to the third device 130.
  • the first device 110 may transmit the revoke authentication response to the fourth device 140 which then forwards the revoke authentication response to the third device 130.
  • the first device 110 may transmit the message to the third device 130.
  • the first device 110 may transmit the message to the fourth device 140 which then forwards the message to the third device 130.
  • FIG. 7 shows a flowchart of an example method 700 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 700 will be described from the perspective of the second device 120 in FIG. 1.
  • the second device 120 transmits to the first device 110 an authenticate request for a network slice that comprises a validity timer associated with the network slice.
  • the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the second device 120 may transmit, to a terminal device, a configuration that comprises the validity timer associated with the network slice and the first identity for the network slice after a network slice specific authentication and authorization.
  • the second device 120 may receive from the first device 110 a revocation notification that comprises the first identity for the network slice and the third identity associated with subscription of the terminal device.
  • the second device 120 may determine whether the network slice is a temporary network slice.
  • the second device 120 may cause the revocation notification to be dropped based on determining that the network slice is a temporary network slice.
  • FIG. 8 shows a flowchart of an example method 800 implemented at a third device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 800 will be described from the perspective of the third device 130 in FIG. 1.
  • the third device 130 receives, from the first device 110, a message that comprises a validity timer associated with a network slice.
  • the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the third device 130 may store the validity timer associated with the network slice. In some example embodiments, if the validity timer expires, the third device 130 may trigger a revocation of authentication and authorization of the network slice.
  • the third device 130 may transmit to the first device 110, a revoke authentication request for the network slice that comprises the first identity, and the third identity.
  • the third device 130 may receive from the first device 110, a revoke authentication response.
  • the revoke authentication request also comprises an indication of an expiration of the validity timer.
  • the third device 130 may transmit the revoke authentication request to the first device 110.
  • the third device 130 may transmit the revoke authentication request to the fourth device 140 which forwards the revoke authentication request to the first device 110.
  • the third device 130 may receive the revoke authentication response from the first device 110.
  • the third device 130 may receive the revoke authentication response from the fourth device 140 which receives the revoke authentication response from the first device 110.
  • the third device 130 may receive the message from the first device 110.
  • the third device 130 may receive the message from the fourth device 140 which receives the message from the first device 110.
  • a first apparatus capable of performing any of the method 600 may comprise means for performing the respective operations of the method 600.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the first apparatus may be implemented as or included in the first device 110 in FIG. 1.
  • the first apparatus comprises means for receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and means for transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the first apparatus comprises means for receiving, from the third apparatus, a revoke authentication request for the network slice that comprises an indication of an expiration of the validity timer, the first identity, and the third identity; means for cleaning up a local status related to the third identity and the first identity; and means for transmitting, to the third apparatus, a revoke authentication response.
  • the means for receiving the revoke authentication request comprises means for receiving the revoke authentication request from the third apparatus; or means for receiving the revoke authentication request from a fourth apparatus which receives the revoke authentication request from the third apparatus.
  • the means for transmitting the revoke authentication response to the third apparatus comprises: means for transmitting the revoke authentication response to the third apparatus; or means for transmitting the revoke authentication response to a fourth apparatus which then forwards the revoke authentication response to the third apparatus.
  • the means for transmitting the message to the third apparatus comprises one of: means for transmitting the message to the third apparatus; or means for transmitting the message to a fourth apparatus which then forwards the message to the third apparatus.
  • the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented.
  • the second apparatus comprises a core network device
  • the third apparatus comprises an Authentication, Authorization, and Accounting Server.
  • the first apparatus further comprises means for performing other operations in some example embodiments of the method 600 or the first device 110.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the first apparatus.
  • a second apparatus capable of performing any of the method 700 may comprise means for performing the respective operations of the method 700.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the second apparatus may be implemented as or included in the second device 120 in FIG. 1.
  • the second apparatus comprises means for transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the second apparatus comprises means for transmitting, to a terminal device, a configuration that comprises the validity timer associated with the network slice and the first identity for the network slice after a network slice specific authentication and authorization.
  • the second apparatus comprises means for receiving, from the first apparatus, a revocation notification that comprises the first identity for the network slice and the third identity associated with subscription of the terminal device; means for determining whether the network slice is a temporary network slice; and means for based on determining that the network slice is a temporary network slice, causing the revocation notification to be dropped.
  • the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented.
  • the second apparatus comprises a core network device.
  • the second apparatus further comprises means for performing other operations in some example embodiments of the method 700 or the second device 120.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the second apparatus.
  • a third apparatus capable of performing any of the method 800 may comprise means for performing the respective operations of the method 800.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the third apparatus may be implemented as or included in the third device 130 in FIG. 1.
  • the third apparatus comprises means for receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
  • the third apparatus comprises means for storing the validity timer associated with the network slice; and in accordance with a determination that the validity timer expires, triggering a revocation of authentication and authorization of the network slice.
  • the third apparatus comprises means for transmitting, to the first apparatus, a revoke authentication request for the network slice that comprises the first identity, and the third identity; and receiving, from the first apparatus, a revoke authentication response.
  • the revoke authentication request also comprises an indication of an expiration of the validity timer.
  • the means for transmitting the revoke authentication request comprises: means for transmitting the revoke authentication request to the first apparatus; or means for transmitting the revoke authentication request to a fourth apparatus which forwards the revoke authentication request to the first apparatus.
  • the means for receiving the revoke authentication response from the first apparatus comprises: means for receiving the revoke authentication response from the first apparatus; or means for receiving the revoke authentication response from a fourth apparatus which receives the revoke authentication response from the first apparatus.
  • the means for receiving the message from the first apparatus comprises one of: means for receiving the message from the first apparatus; or means for receiving the message from a fourth apparatus which receives the message from the first apparatus.
  • the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented.
  • the third apparatus comprises an Authentication, Authorization, and Accounting Server.
  • the third apparatus further comprises means for performing other operations in some example embodiments of the method 800 or the third device 130.
  • the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the performance of the third apparatus.
  • FIG. 9 is a simplified block diagram of a device 900 that is suitable for implementing example embodiments of the present disclosure.
  • the device 900 may be provided to implement a communication device, for example, the first device 110 or the second device 120 as shown in FIG. 1.
  • the device 900 includes one or more processors 910, one or more memories 920 coupled to the processor 910, and one or more communication modules 940 coupled to the processor 910.
  • the communication module 940 is for bidirectional communications.
  • the communication module 940 has one or more communication interfaces to facilitate communication with one or more other modules or devices.
  • the communication interfaces may represent any interface that is necessary for communication with other network elements.
  • the communication module 940 may include at least one antenna.
  • the processor 910 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
  • the device 900 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
  • the memory 920 may include one or more non-volatile memories and one or more volatile memories.
  • the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 924, an electrically programmable read only memory (EPROM) , a flash memory, a hard disk, a compact disc (CD) , a digital video disk (DVD) , an optical disk, a laser disk, and other magnetic storage and/or optical storage.
  • the volatile memories include, but are not limited to, a random access memory (RAM) 922.
  • a computer program 930 includes computer executable instructions that are executed by the associated processor 910.
  • the instructions of the program 930 may include instructions for performing operations/acts of some example embodiments of the present disclosure.
  • the program 930 may be stored in the memory, e.g., the ROM 924.
  • the processor 910 may perform any suitable actions and processing by loading the program 930 into the RAM 922.
  • the example embodiments of the present disclosure may be implemented by means of the program 930 so that the device 900 may perform any process of the disclosure as discussed with reference to FIG. 2 to FIG. 8.
  • the example embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
  • the program 930 may be tangibly contained in a computer readable medium which may be included in the device 900 (such as in the memory 920) or other storage devices that are accessible by the device 900.
  • the device 900 may load the program 930 from the computer readable medium to the RAM 922 for execution.
  • the computer readable medium may include any types of non-transitory storage medium, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like.
  • the term “non-transitory,” as used herein, is a limitation of the medium itself (i.e., tangible, not a signal) as opposed to a limitation on data storage persistency (e.g., RAM vs. ROM).
  • FIG. 10 shows an example of the computer readable medium 1000 which may be in form of CD, DVD or other optical storage disk.
  • the computer readable medium 1000 has the program 930 stored thereon.
  • various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
  • Some example embodiments of the present disclosure also provide at least one computer program product tangibly stored on a computer readable medium, such as a non-transitory computer readable medium.
  • the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target physical or virtual processor, to carry out any of the methods as described above.
  • program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
  • the functionality of the program modules may be combined or split between program modules as desired in various embodiments.
  • Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
  • Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages.
  • the program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
  • the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
  • the computer program code or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above.
  • Examples of the carrier include a signal, computer readable medium, and the like.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Example embodiments of the present disclosure relate to an authentication procedure for a network slice. According to some example embodiments of the present disclosure, a validity timer for a network device is exchanged between network devices. In this case, a network device (for example, an AAA server) knows the timeout of the network slice based on the validity timer. In this way, it can support graceful termination of a network slice and avoid an abrupt protocol data unit (PDU) Session release. Moreover, the network devices are allowed to clean up authentication state, thereby avoiding unexpected re-authentication and authorization.

Description

AUTHENTICATION PROCEDURE FOR NETWORK SLICE
FIELD
Various example embodiments of the present disclosure generally relate to the field of telecommunication and in particular, to methods, devices, apparatuses and computer readable storage medium for authentication procedure for network slice.
BACKGROUND
In the telecommunication industry, technologies have been proposed to improve performance of telecommunication systems. For example, network slicing has been proposed. Network slicing is a type of virtual networking architecture in the same family as software-defined networking (SDN) and network functions virtualization (NFV) . SDN and NFV are two closely related network virtualization technologies that are moving modern networks toward software-based automation.
SUMMARY
In a first aspect of the present disclosure, there is provided a first apparatus. The first apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the first apparatus at least to perform: receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In a second aspect of the present disclosure, there is provided a second apparatus. The second apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the second apparatus at least to perform: transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity  for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In a third aspect of the present disclosure, there is provided a third apparatus. The third apparatus comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the third apparatus at least to perform: receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and wherein the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In a fourth aspect of the present disclosure, there is provided a method. The method comprises: receiving, at a first apparatus and from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In a fifth aspect of the present disclosure, there is provided a method. The method comprises: transmitting, at a second apparatus and to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In a sixth aspect of the present disclosure, there is provided a method. The method comprises: receiving, at a third apparatus and from a first apparatus, a message that comprises a validity timer associated with a network slice, and wherein the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In a seventh aspect of the present disclosure, there is provided a first apparatus.  The first apparatus comprises: means for receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and means for transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In an eighth aspect of the present disclosure, there is provided a second apparatus. The second apparatus comprises: means for transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In a ninth aspect of the present disclosure, there is provided a third apparatus. The third apparatus comprises: means for receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and wherein the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In a tenth aspect of the present disclosure, there is provided a computer readable medium. The computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the first aspect.
In an eleventh aspect of the present disclosure, there is provided a computer readable medium. The computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the second aspect.
In a twelfth aspect of the present disclosure, there is provided a computer readable medium. The computer readable medium comprises instructions stored thereon for causing an apparatus to perform at least the method according to the third aspect.
It is to be understood that the Summary section is not intended to identify key or essential features of embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will  become easily comprehensible through the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
Some example embodiments will now be described with reference to the accompanying drawings, where:
FIG. 1 illustrates an example communication environment in which example embodiments of the present disclosure can be implemented;
FIG. 2 illustrates a signaling chart for communication according to some example embodiments of the present disclosure;
FIG. 3 illustrates a signaling chart for communication according to some example embodiments of the present disclosure;
FIG. 4 illustrates a signaling chart for communication according to an example embodiment of the present disclosure;
FIG. 5 illustrates a signaling chart for communication according to another example embodiment of the present disclosure;
FIG. 6 illustrates a flowchart of a method implemented at a first apparatus according to some example embodiments of the present disclosure;
FIG. 7 illustrates a flowchart of a method implemented at a second apparatus according to some example embodiments of the present disclosure;
FIG. 8 illustrates a flowchart of a method implemented at a third apparatus according to some example embodiments of the present disclosure;
FIG. 9 illustrates a simplified block diagram of a device that is suitable for implementing example embodiments of the present disclosure; and
FIG. 10 illustrates a block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
Throughout the drawings, the same or similar reference numerals represent the same or similar element.
DETAILED DESCRIPTION
Principles of the present disclosure will now be described with reference to some example embodiments. It is to be understood that these embodiments are described only for the purpose of illustration and to help those skilled in the art understand and implement the present disclosure, without suggesting any limitation as to the scope of the disclosure. Embodiments described herein can be implemented in various manners other than the ones described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skills in the art to which this disclosure belongs.
References in the present disclosure to “one embodiment, ” “an embodiment, ” “an example embodiment, ” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It shall be understood that although the terms “first, ” “second” and the like may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
As used herein, unless stated explicitly, performing a step “in response to A” does not indicate that the step is performed immediately after “A” occurs and one or more intervening steps may be included.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a” , “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” , “comprising” , “has” , “having” , “includes” and/or “including” , when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or  combinations thereof.
As used in this application, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable) :
(i) a combination of analog and/or digital hardware circuit (s) with software/firmware and
(ii) any portions of hardware processor (s) with software (including digital signal processor (s) ) , software, and memory (ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions, and
(c) hardware circuit (s) and/or processor (s) , such as a microprocessor (s) or a portion of a microprocessor (s) , that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
As used herein, the term “communication network” refers to a network following any suitable communication standards, such as New Radio (NR) , Long Term Evolution (LTE) , LTE-Advanced (LTE-A) , Wideband Code Division Multiple Access (WCDMA) , High-Speed Packet Access (HSPA) , Narrow Band Internet of Things (NB-IoT) and so on. Furthermore, the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the first generation (1G) , the second generation (2G) , 2.5G, 2.75G, the third generation (3G) , the fourth generation (4G) , 4.5G, the fifth generation (5G) communication protocols, and/or any other protocols either currently known or to be  developed in the future. Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
As used herein, the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom. The network device may refer to a base station (BS) or an access point (AP) , for example, a node B (NodeB or NB) , an evolved NodeB (eNodeB or eNB) , an NR NB (also referred to as a gNB) , a Remote Radio Unit (RRU) , a radio header (RH) , a remote radio head (RRH) , a relay, an Integrated Access and Backhaul (IAB) node, a low power node such as a femto, a pico, a non-terrestrial network (NTN) or non-ground network device such as a satellite network device, a low earth orbit (LEO) satellite and a geosynchronous earth orbit (GEO) satellite, an aircraft network device, and so forth, depending on the applied terminology and technology. In some example embodiments, radio access network (RAN) split architecture comprises a Centralized Unit (CU) and a Distributed Unit (DU) at an IAB donor node. An IAB node comprises a Mobile Terminal (IAB-MT) part that behaves like a UE toward the parent node, and a DU part of an IAB node behaves like a base station toward the next-hop IAB node.
The term “terminal device” refers to any end device that may be capable of wireless communication. By way of example rather than limitation, a terminal device may also be referred to as a communication device, user equipment (UE) , a Subscriber Station (SS) , a Portable Subscriber Station, a Mobile Station (MS) , or an Access Terminal (AT) . The terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA) , portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE) , laptop-mounted equipment (LME) , USB dongles, smart devices, wireless customer-premises equipment (CPE) , an Internet of Things (IoT) device, a watch or other wearable, a head-mounted display (HMD) , a vehicle, a drone, a medical device and applications (e.g., remote surgery) , an industrial device and applications (e.g., a robot and/or other wireless devices operating in industrial and/or automated processing chain contexts) , a consumer electronics device, a device operating on commercial and/or industrial wireless networks, and the like. The terminal device may also correspond to a Mobile Termination (MT) part of an IAB node (e.g., a relay node) . In the following description, the terms “terminal device” , “communication device” , “terminal” , “user equipment” and “UE” may be used interchangeably.
As used herein, the term “network slice” may refer to network resources that can provide or support services. A network slice may be an isolated end-to-end network tailored to satisfy the varied requirements of a particular application. The network slice may be equipment-vendor agnostic and can span across a radio network from vendor one, to the core from vendor two and so on. The term “extensible authentication” used herein may refer to extensibility of authentication methods for commonly used protected network access technologies. The term “Extensible Authentication Protocol (EAP) ” refers to an architectural framework that provides extensibility for authentication methods for commonly used protected network access technologies. The term “temporary network slice” does not only mean that the network slices are decommissioned and created according to the timing information, but also that, outside that timing, the network slices are not meant to be available for use by the UE.
As used herein, the term “resource, ” “transmission resource, ” “resource block, ” “physical resource block” (PRB) , “uplink resource, ” or “downlink resource” may refer to any resource for performing a communication, for example, a communication between a terminal device and a network device, such as a resource in time domain, a resource in frequency domain, a resource in space domain, a resource in code domain, or any other resource enabling a communication, and the like. In the following, unless explicitly stated, a resource in both frequency domain and time domain will be used as an example of a transmission resource for describing some example embodiments of the present disclosure. It is noted that example embodiments of the present disclosure are equally applicable to other resources in other domains.
As mentioned above, network slicing has been proposed. Network Slices are deployed for services over an Area of Service which may match the conventional tracking areas (TAs) or for which the Area of Service can be different. Currently, the network slice availability (i.e. where the network slices are defined to be supported) is designed to match deployed TA boundaries. In addition, the UEs and network configuration can be impacted when network slices are deployed and decommissioned over a certain time interval (e.g. the Configured Network Slice Selection Assistance Information (NSSAI) can change when a network slice is no longer available or becomes available, this can affect the Allowed NSSAI and other parameters may need to change, etc. ) .
Timing Information can be used to track the start time, end time, and periodicity of the availability of the network slice, including any related temporary TA. It is proposed to specify that the UE can be updated with timing information about the configured/allowed slices and this same timing information can also be provided from the RAN to the AMF when the serving PLMN RAN is configured with the timing information. The timing information can be associated to TAs, S-NSSAIs for temporary slices that also require deployment/support of temporary TAs. If the termination of a network slice is Home Public Land Mobile Network (HPLMN) initiated, then this information is passed to the UE and Radio Access Network (RAN) UE context in addition to the Access and Mobility Management Function (AMF) and Session Management Function (SMF) . If both Visited Public Land Mobile Network (VPLMN) and HPLMN timing information applies, the most constraining timing determines the slice availability. When the timer associated with a Single NSSAI (S-NSSAI) expires, the UE and the network remove the S-NSSAI locally from the Allowed NSSAI if the S-NSSAI is present in the Allowed NSSAI.
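The two timing rules just stated (the most constraining of VPLMN and HPLMN timing wins, and an S-NSSAI is removed locally from the Allowed NSSAI when its timer expires) are small enough to show in code. The following is an added example, not code from the patent or from 3GPP; the Window type, the plain-seconds clock and the string form of S-NSSAIs are assumptions made for illustration.

```python
"""Added example (not from the patent): combine VPLMN and HPLMN timing
information for a temporary S-NSSAI into the most constraining availability
window, and purge expired S-NSSAIs from the Allowed NSSAI."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Window:
    """Assumed representation of timing information: one availability
    interval in seconds since an arbitrary epoch (periodicity omitted)."""
    start: float
    end: float  # expiry of the timer associated with the S-NSSAI


def most_constraining(vplmn: Optional[Window],
                      hplmn: Optional[Window]) -> Optional[Window]:
    """If both PLMNs supply timing, the later start and the earlier end apply.
    If only one supplies timing, it is used as-is; None means no timing."""
    if vplmn is None:
        return hplmn
    if hplmn is None:
        return vplmn
    return Window(max(vplmn.start, hplmn.start), min(vplmn.end, hplmn.end))


def is_empty(window: Window) -> bool:
    """Disjoint VPLMN/HPLMN windows yield an interval that is never usable."""
    return window.start >= window.end


def expired(window: Optional[Window], now: float) -> bool:
    """A slice without timing never expires; an empty window counts as expired."""
    if window is None:
        return False
    return is_empty(window) or now >= window.end


def purge_expired(allowed_nssai: List[str], windows: Dict[str, Window],
                  now: float) -> List[str]:
    """Local removal done by UE and network: drop every S-NSSAI in the Allowed
    NSSAI whose effective timer has expired, keep the rest in order."""
    return [s for s in allowed_nssai if not expired(windows.get(s), now)]


if __name__ == "__main__":
    eff = most_constraining(Window(0, 7200), Window(600, 3600))
    print(eff, purge_expired(["01-A1B2C3", "02-000001"], {"01-A1B2C3": eff}, 3601))
```

The `is_empty` check matters in practice: if the VPLMN and HPLMN windows do not overlap, the most constraining combination is an interval that never opens, and treating it as "expired" rather than "available" is the safe default.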
Temporary slices are expected to be made known to the UE during configuration or other network slicing procedures impacting the Configured NSSAI or Allowed NSSAI. When the timer associated with an S-NSSAI expires, the UE and the network remove the S-NSSAI locally from the Allowed NSSAI if the S-NSSAI is present in the Allowed NSSAI. However, if an S-NSSAI is subjected to Network Slice Specific Authentication and Authorization (NSSAA) , the Authentication, Authorization, and Accounting Server (AAA-S) and the Network Slice Specific Authentication and Authorization Function (NSSAAF) may still keep the authentication status of the S-NSSAI for the UE if they are not aware of the timeout of the temporary slice. Compared to normal slices, the number of temporary slices could be high. If the data and state of those slices are not cleaned up in time, the memory/database (DB) of the AAA-S and NSSAAF may be unnecessarily occupied with "ownerless garbage" . The AAA-S may also trigger re-authentication/authorization for the timed-out slice of the UE, which further wastes network and computing resources and may cause confusion at the AMF. Therefore, the NSSAA procedure for the network slice needs to be enhanced.
According to some example embodiments of the present disclosure, there is provided a solution for authentication procedure for network slice. According to some example embodiments of the present disclosure, a validity timer for a network slice is  exchanged between network devices. In this case, a network device (for example, AAA server, AMF, SMF) knows the timeout of the network slice based on the validity timer. In this way, the network slice can be terminated gracefully and abrupt protocol data unit (PDU) Session release can be avoided. Moreover, the network devices are allowed to clean up authentication state, thereby avoiding unexpected re-authentication and authorization.
FIG. 1 illustrates an example communication environment 100 in which example embodiments of the present disclosure can be implemented. In the communication environment 100, a plurality of devices, including a first device 110, a second device 120, and a third device 130 can communicate with each other.
In the example of FIG. 1, the first device 110 may include a device that can implement Network Slice Specific Authentication and Authorization (NSSAA) , the second device 120 may include an AMF entity, and the third device 130 may include a device that can implement Authentication, Authorization, and Accounting function (such as, AAA server) .
In some example embodiments, the communication environment 100 may include a fourth device 140 that may be an Authentication, Authorization, and Accounting Proxy (AAA-P) . In some other example embodiments, the communication environment 100 may also include a terminal device 150.
It is to be understood that the number of devices and their connections shown in FIG. 1 are only for the purpose of illustration without suggesting any limitation. The communication environment 100 may include any suitable number of devices configured to implementing example embodiments of the present disclosure.
Communications in the communication environment 100 may be implemented according to any proper communication protocol (s) , comprising, but not limited to, cellular communication protocols of the first generation (1G) , the second generation (2G) , the third generation (3G) , the fourth generation (4G) , the fifth generation (5G) , the sixth generation (6G) , and the like, wireless local network communication protocols such as Institute for Electrical and Electronics Engineers (IEEE) 802.11 and the like, and/or any other protocols currently known or to be developed in the future. Moreover, the communication may utilize any proper wireless communication technology, comprising but not limited to: Code Division Multiple Access (CDMA) , Frequency Division Multiple Access (FDMA) , Time Division Multiple Access (TDMA) , Frequency Division Duplex (FDD) , Time Division Duplex (TDD) ,  Multiple-Input Multiple-Output (MIMO) , Orthogonal Frequency Division Multiple (OFDM) , Discrete Fourier Transform spread OFDM (DFT-s-OFDM) and/or any other technologies currently known or to be developed in the future.
Example embodiments of the present disclosure will be described in detail below with reference to the accompanying drawings.
Reference is now made to FIG. 2, which shows a signaling chart 200 for communication according to some example embodiments of the present disclosure. As shown in FIG. 2, the signaling chart 200 involves a first device 110, a second device 120, and a third device 130. For the purpose of discussion, reference is made to FIG. 1 to describe the signaling chart 200. Although one first device 110, one second device 120 and one third device 130 are illustrated in FIG. 2, it would be appreciated that there may be a plurality of first devices performing similar operations as described with respect to the first device 110 below, a plurality of second devices performing similar operations as described with respect to the second device 120 below and a plurality of third devices performing similar operations as described with respect to the third device 130 below.
The second device 120 transmits (2010) an authenticate request for a network slice to the first device 110. The authenticate request includes a validity timer of the network slice. In some example embodiments, the duration of the validity timer may be a couple of days. Alternatively, the duration of the validity timer may be a couple of hours or minutes. It is noted that the duration of the validity timer can be any suitable value. In some example embodiments, the duration of the validity timer may be the same as or similar to the duration of the timer for the network slice configured at the terminal device 150.
The authenticate request may include a first identity for the network slice. In some example embodiments, the second device 120 may obtain the first identity from a terminal device (for example, the terminal device 150) . For example, the first identity may be signaled by the terminal device to the network, in order to assist the network in selecting a particular Network Slice instance. For example, the first identity may be the S-NSSAI of the network slice. The S-NSSAI may refer to an identifier for a Network Slice across the 5GC, 5G-RAN and the UE. The S-NSSAI may be associated with a PLMN (e.g., PLMN ID) and have network-specific values or standard values. An S-NSSAI is used by the UE in the access network of the PLMN that the S-NSSAI is associated with. An S-NSSAI may include a Slice/Service type (SST) and a Slice Differentiator (SD) . It is noted that the first identity may be any proper type of identity that can uniquely identify the network slice. An S-NSSAI may be subjected to NSSAA.
Alternatively, or in addition, the authenticate request may include a second identity for a terminal device that is configured with the network slice for an extensible authentication. For example, if the terminal device 150 is configured with the network slice, the authenticate request may include the second identity of the terminal device 150 for extensible authentication. In some example embodiments, the second identity may be an EAP ID. It is noted that the second identity may be any proper type of identity that can identify the terminal device for the extensible authentication.
Additionally, the authenticate request may include a third identity associated with the subscription of the terminal device. For example, the third identity may be a Generic Public Subscription Identifier (GPSI) . The GPSI may be used as a means of addressing a 3GPP subscription in data networks outside the realms of a 3GPP system. In some example embodiments, if the UE subscription includes multiple GPSIs, the second device 120 may use any GPSI in the list provided by the UDM for NSSAA procedures. It is noted that the third identity may be any proper type of identity that can address subscriptions.
The first device 110 transmits (2020) a message that includes the validity timer to the third device 130. The message may include the first identity for the network slice. Alternatively, or in addition, the message may include the second identity for a terminal device that is configured with the network slice for an extensible authentication. Additionally, the message may include the third identity associated with the subscription of the terminal device.
In some example embodiments, the first device 110 may transmit the message to the third device 130. Alternatively, the first device may transmit the message to the fourth device 140. In this case, the fourth device may further forward the message to the third device 130.
The third device 130 may store (2030) the validity timer associated with the network slice. For example, the third device 130 may store the validity timer together with the first identity for the network slice and the third identity associated with the subscription of the terminal device, and optionally the second identity for the extensible authentication.
The third device 130 may trigger (2040) a revocation of the authentication and authorization. In some example embodiments, if the third device 130 stores the validity timer, the third device 130 may trigger the revocation of the NSSAA based on the validity timer. For example, if the validity timer expires, the third device 130 may trigger the revocation of the NSSAA. It is noted that the third device 130 may also trigger the revocation of the NSSAA based on other conditions.
The third device 130 may transmit (2050) a revoke authentication request for the network slice to the first device 110. The revoke authentication request may include the first identity for the network slice and the third identity associated with the subscription of the terminal device. In some example embodiments, the revoke authentication request may also include an indication of an expiration of the validity timer.
In some example embodiments, the third device 130 may transmit the revoke authentication request for the network slice to the first device 110. Alternatively, the third device 130 may transmit the revoke authentication request for the network slice to the fourth device 140. In this case, the fourth device 140 may then forward the revoke authentication request for the network slice to the first device 110.
In some example embodiments, the first device 110 may clean up (2060) a local status related to the third identity and the first identity. “Cleaning up the local status” may refer to one of: removing the local status, deleting the local status, or setting the local status to a predefined status. For example, if the revoke authentication request includes the indication of the expiration of the validity timer, the first device 110 may clean up the local status. In this case, the first device 110 may transmit (2070) a revoke authentication response to the third device 130 without further notifying the second device 120. This avoids unexpected re-authentication and authorization. Example embodiments of cleaning up the local status are described with reference to FIG. 5 later.
In some example embodiments, the first device 110 may transmit the revoke authentication response to the third device 130. Alternatively, the first device 110 may transmit the revoke authentication response to the fourth device 140. In this case, the fourth device 140 may then forward the revoke authentication response to the third device 130.
Alternatively, the first device 110 may transmit (2080) a revocation notification to the second device 120. For example, in some example embodiments, if the revoke authentication request does not include the indication of the expiration of the validity timer, the first device 110 may transmit the revocation notification to the second device 120. The revocation notification may include the first identity for the network slice and the third identity associated with the subscription of the terminal device.
The second device 120 may determine whether the network slice is a temporary network slice. For example, the second device 120 may determine whether the first identity is associated with a temporary network slice. If the network slice is a temporary network slice, the second device 120 may drop (2090) the revocation notification. In other words, instead of transmitting a configuration update to the terminal device, the second device 120 may cause the revocation notification to be dropped, which avoids an unexpected re-authentication and re-authorization. Example embodiments of dropping the revocation notification are described with reference to FIG. 4 later.
In some example embodiments, the second device 120 may transmit a configuration that includes the validity timer associated with the network slice and the first identity for the network slice to the terminal device 150 after a NSSAA of the network slice.
Some example embodiments are described in detail with reference to FIG. 3 to FIG. 5 below. By way of example, as shown in FIG. 3 to FIG. 5, an EAP framework is used for the NSSAA between the terminal device 150 and the third device 130 (i.e., the AAA server) . The second device 120 performs the role of the EAP Authenticator and communicates with the third device 130 via the first device 110 (i.e., the NSSAAF) . The first device 110 may undertake any AAA protocol interworking with the third device 130. Multiple EAP methods are possible for NSSAA. If the third device 130 belongs to a third party, the first device 110 contacts the third device 130 via a fourth device 140 (i.e., the AAA-P) . In some example embodiments, the first device 110 and the fourth device 140 may be co-located.
FIG. 3 shows a signaling chart 300 for communication according to an example embodiment of the present disclosure.
The second device 120 may trigger (301) slice-specific authentication and authorization. For S-NSSAIs that require Network Slice-Specific Authentication and Authorization, based on a change of subscription information, or when triggered by the AAA-S, the second device 120 may trigger the start of the Network Slice Specific Authentication and Authorization procedure.
If Network Slice Specific Authentication and Authorization is triggered as a result of a Registration procedure, the second device 120 may determine, based on the UE Context in the AMF, that for some or all S-NSSAI (s) subject to Network Slice Specific Authentication and Authorization, the UE has already been authenticated following a Registration procedure on a first access. Depending on the Network Slice Specific Authentication and Authorization result (e.g. success/failure) from the previous Registration, the second device 120 may decide, based on Network policies, to skip Network Slice Specific Authentication and Authorization for these S-NSSAIs during the Registration on a second access.
If the Network Slice Specific Authentication and Authorization procedure corresponds to a re-authentication and re-authorization procedure triggered as a result of AAA Server-triggered UE re-authentication and re-authorization for one or more S-NSSAIs, or triggered by the AMF based on operator policy or a subscription change and if S-NSSAIs that are requiring Network Slice-Specific Authentication and Authorization are included in the Allowed NSSAI for each Access Type, the second device 120 may select an Access Type to be used to perform the Network Slice Specific Authentication and Authorization procedure based on network policies.
The second device 120 transmits (302) an EAP Identity Request for the S-NSSAI in a NAS MM Transport message including the S-NSSAI. This is the S-NSSAI of the H-PLMN, not the locally mapped S-NSSAI value.
The terminal device 150 may transmit (303) the EAP Identity Response for the S-NSSAI alongside the S-NSSAI in a NAS MM Transport message towards the second device 120.
The second device 120 may transmit (304) the EAP Identity Response to the first device 110 in a Nnssaaf_NSSAA_Authenticate Request (EAP Identity Response, GPSI, S-NSSAI and optionally validity or termination timer) . In some example embodiments, if the UE subscription includes multiple GPSIs, the second device 120 may use any GPSI in the list provided by the UDM for NSSAA procedures.
In some example embodiments, if the fourth device 140 is present (e.g. because the third device 130 belongs to a third party and the operator deploys a proxy towards third parties) , the first device 110 may transmit (305) the EAP ID Response message, together with the optional validity or termination timer from the second device 120, to the fourth device 140. Alternatively, if the fourth device 140 is not present, the first device 110 may transmit the message directly to the third device 130. The first device 110 is responsible for sending the NSSAA requests to the appropriate third device 130 based on local configuration of the AAA-S address per S-NSSAI. Towards the AAA-P or the AAA-S, the first device 110 uses an AAA protocol message of the same protocol supported by the AAA-S.
The fourth device 140 may transmit (306) the EAP Identity message to the third device 130 addressable by the AAA-S address together with the S-NSSAI, GPSI and optionally the validity or termination timer. The third device 130 may store the GPSI and S-NSSAI to create an association with the EAP Identity in the EAP ID response message, so the third device 130 can later use it to revoke authorization or to trigger reauthentication. The third device 130 may also store the validity or termination timer, together with the GPSI and S-NSSAI. The third device 130 may trigger authentication revocation on the S-NSSAI of the GPSI when the timer expires.
EAP messages are exchanged with the terminal device 150. The third device 130 may transmit (307) an AAA protocol message to the fourth device 140. The AAA protocol message may include the EAP message, GPSI and S-NSSAI. The fourth device 140 may then transmit (308) the AAA protocol message to the first device 110. The first device 110 may transmit (309) a Nnssaaf_NSSAA_Authenticate Request that includes the EAP message, GPSI and S-NSSAI to the second device 120. The second device 120 may transmit (310) a NAS MM Transport that includes the EAP message and S-NSSAI to the terminal device 150. The terminal device 150 may transmit (311) a NAS MM Transport that includes the EAP message and S-NSSAI to the second device 120. The second device 120 may transmit (312) a Nnssaaf_NSSAA_Authenticate Request that includes the EAP message, GPSI and S-NSSAI to the first device 110. The first device 110 may transmit (313) an AAA protocol message that includes the EAP message, AAA-S address, GPSI and S-NSSAI to the fourth device 140. The fourth device 140 may transmit (314) an AAA protocol message that includes the EAP message, GPSI and S-NSSAI to the third device 130. It is noted that the operations 307-314 may be repeated one or more times, depending on the EAP method.
The third device 130 may store the S-NSSAI for which the authorization has been granted. The third device 130 may decide to trigger reauthentication and reauthorization based on its local policies. An EAP-Success/Failure message is delivered to the fourth device 140 (or if the fourth device 140 is not present, to the first device 110) with GPSI and S-NSSAI. For example, the third device 130 may transmit (315) an AAA protocol message that includes EAP success/failure, GPSI, S-NSSAI to the fourth device 140.
If the fourth device 140 is used, the fourth device 140 may transmit (316) an AAA protocol message that includes the EAP success/failure, GPSI, and S-NSSAI to the first device 110. The first device 110 may transmit (317) a Nnssaaf_NSSAA_Authenticate Request that includes the EAP success/failure, GPSI and S-NSSAI to the second device 120.
The second device 120 may transmit (318) a NAS MM Transport message (including EAP-Success/Failure) to the terminal device 150. The second device 120 may store the EAP result for each S-NSSAI for which the NSSAA procedure in operations 301-317 was executed.
The second device 120 may perform (319a) the UE configuration update procedure with the validity timer. For example, in some example embodiments, if one or more conditions are fulfilled, the second device 120 may initiate the UE Configuration Update procedure for each Access Type. The second device 120 may also add the validity/termination timer of the network slice to the UE configuration update message together with the allowed S-NSSAI. The conditions may comprise: (1) a new Allowed NSSAI needs to be delivered to the UE (i.e. including any new S-NSSAIs in a Requested NSSAI for which the NSSAA procedure succeeded and/or excluding any S-NSSAI (s) in the existing Allowed NSSAI for the UE for which the procedure has failed, or including default S-NSSAI (s) if all S-NSSAIs in a Requested NSSAI or in the existing Allowed NSSAI are subject to NSSAA and, due to failure of the NSSAA procedures, they cannot be in the Allowed NSSAI) ; (2) new Rejected S-NSSAIs need to be delivered to the UE (i.e. including any S-NSSAI (s) in the existing Allowed NSSAI for the UE for which the procedure has failed) ; (3) any new requested S-NSSAI (s) for which the NSSAA procedure failed need to be delivered to the UE; or (4) AMF re-allocation is required. In some example embodiments, if the Network Slice-Specific Re-Authentication and Re-Authorization fails and there are PDU session (s) established that are associated with the S-NSSAI for which the NSSAA procedure failed, the second device 120 may initiate the PDU Session Release procedure to release those PDU sessions with the appropriate cause value.
The second device 120 may perform (319b) the network-initiated deregistration procedure. In some example embodiments, if the Network Slice-Specific Authentication and Authorization fails for all S-NSSAIs (if any) in the existing Allowed NSSAI for the UE and (if any) for all S-NSSAIs in the Requested NSSAI, and no default S-NSSAI could be added to the Allowed NSSAI, the second device 120 may execute the Network-initiated Deregistration procedure and may include in the explicit De-Registration Request the list of Rejected S-NSSAIs, each of them with the appropriate rejection cause value.
According to the embodiments described with reference to FIG. 3 to FIG. 5, in the NSSAA procedure the validity/termination timer of the temporary slice can be added to the NSSAA authentication request. If the validity timer exists, the AAA-S stores the timer together with the S-NSSAI per UE. The AMF also adds the validity/termination timer of the temporary slice to the UE configuration update message together with the allowed S-NSSAI.
FIG. 4 shows a signaling chart 400 for revocation of the authentication and authorization according to an example embodiment of the present disclosure.
The third device 130 may transmit (401) an AAA protocol revoke authorization request to the fourth device 140 if the fourth device 140 is used. The third device 130 may request the revocation of authorization for the Network Slice specified by the S-NSSAI in the AAA protocol Revoke Auth Request message, for the UE identified by the GPSI in this message. The fourth device 140 may transmit (402) the AAA protocol revoke authorization request to the first device 110.
The first device 110 may obtain AMF ID from unified data management (UDM) 410 using Nudm_UECM_Get with the GPSI in the received AAA message. If two different AMF addresses are received, the first device 110 may initiate the operation 404 towards both AMFs. For example, the first device 110 may transmit (403a) a Nudm_UECM_Get request that includes GPSI and AMF registration to the UDM 410. The UDM 410 may transmit (403b) a Nudm_UECM_Get response that includes AMF ID to the first device 110.
The first device 110 may transmit (403c) an AAA protocol revoke authorization response to the third device 130. For example, the first device 110 may provide an acknowledgement to the AAA protocol Revoke Auth Request message. If the UDM returns no AMF registration for the UE, the procedure stops here.
If the UDM returns an AMF registration for the UE, the first device 110 may transmit (404) a Nnssaaf_NSSAA_RevocationNotification that includes the GPSI and S-NSSAI to the second device 120, which notifies the second device 120 to revoke the S-NSSAI authorization for the UE.
Instead of sending a configuration update to the UE, the second device 120 may drop (405) the NSSAA revocation notification from the first device 110 if the S-NSSAI is associated with a temporary slice.
FIG. 5 shows a signaling chart 500 for revocation of the network slice according to another example embodiment of the present disclosure.
The third device 130 may transmit (501) an AAA protocol revoke authorization request to the fourth device 140 if the fourth device 140 is used. The third device 130 may request the revocation of authorization for the Network Slice specified by the S-NSSAI in the AAA protocol Revoke Auth Request message, for the UE identified by the GPSI in this message. The AAA protocol revoke authorization request may include the GPSI, S-NSSAI and the slice timeout indication. The fourth device 140 may transmit (502) the AAA protocol revoke authorization request to the first device 110.
After receiving the revoke authorization request with slice timeout indication, the first device 110 may clean up (503) a local status related to the GPSI and S-NSSAI. The first device 110 may transmit (504) an AAA protocol revoke authorization response to the third device 130 without further notifying the second device 120.
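The two revocation paths above (FIG. 4, where the NSSAAF notifies the AMF and the AMF drops the notification for a temporary slice, and FIG. 5, where a revoke request carrying the slice timeout indication is cleaned up locally without notifying the AMF), together with the timer propagation of FIG. 3, can be exercised in the following Python model. This is an added example, not code from the patent or from Nokia. The class, field and identity names, the integer clock, the in-memory set standing in for the Nudm_UECM_Get lookup, and the defensive check that a timeout indication is only honoured for a slice the NSSAAF actually forwarded a timer for are all assumptions; the AAA-P hop and the EAP method exchange are omitted.

```python
"""Added model (not the patent's own code) of the validity-timer NSSAA flow.
Names and fields are assumptions; the AAA-P hop and EAP method are omitted."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (GPSI, S-NSSAI)


@dataclass(frozen=True)
class RevokeAuthRequest:           # AAA-S -> NSSAAF (via AAA-P when deployed)
    gpsi: str
    s_nssai: str
    slice_timeout: bool = False    # indication that the validity timer expired


@dataclass(frozen=True)
class RevocationNotification:      # Nnssaaf_NSSAA_RevocationNotification, NSSAAF -> AMF
    gpsi: str
    s_nssai: str


class AAAServer:
    """Third device 130: keeps (EAP identity, expiry) per GPSI and S-NSSAI."""

    def __init__(self) -> None:
        self.assoc: Dict[Key, Tuple[str, Optional[int]]] = {}

    def on_eap_identity(self, gpsi: str, s_nssai: str, eap_id: str,
                        timer: Optional[int], now: int) -> None:
        self.assoc[(gpsi, s_nssai)] = (eap_id, None if timer is None else now + timer)

    def tick(self, now: int) -> List[RevokeAuthRequest]:
        """Step 2040: an expired timer yields a revoke carrying the timeout indication."""
        out = []
        for (gpsi, s_nssai), (_, expiry) in list(self.assoc.items()):
            if expiry is not None and now >= expiry:
                del self.assoc[(gpsi, s_nssai)]
                out.append(RevokeAuthRequest(gpsi, s_nssai, slice_timeout=True))
        return out

    def revoke_by_policy(self, gpsi: str, s_nssai: str) -> RevokeAuthRequest:
        """Ordinary AAA-S initiated revocation, no timeout indication."""
        self.assoc.pop((gpsi, s_nssai), None)
        return RevokeAuthRequest(gpsi, s_nssai)


class AMF:
    """Second device 120: owns the Allowed NSSAI and knows which slices are temporary."""

    def __init__(self, temporary_slices: Set[str]) -> None:
        self.temporary = set(temporary_slices)
        self.allowed: Dict[str, Dict[str, Optional[int]]] = {}  # GPSI -> {S-NSSAI: timer}
        self.ue_config_updates: List[dict] = []                 # UCU messages toward the UE

    def on_nssaa_success(self, gpsi: str, s_nssai: str, timer: Optional[int]) -> dict:
        """Step 319a: the UCU carries the allowed S-NSSAI together with its validity timer."""
        self.allowed.setdefault(gpsi, {})[s_nssai] = timer
        ucu = {"gpsi": gpsi, "allowed_nssai": dict(self.allowed[gpsi])}
        self.ue_config_updates.append(ucu)
        return ucu

    def on_revocation_notification(self, n: RevocationNotification) -> str:
        if n.s_nssai in self.temporary:
            return "dropped"        # step 405: the UE already holds the timer, no UCU
        self.allowed.get(n.gpsi, {}).pop(n.s_nssai, None)
        self.ue_config_updates.append(
            {"gpsi": n.gpsi, "allowed_nssai": dict(self.allowed.get(n.gpsi, {}))})
        return "ucu"


class NSSAAF:
    """First device 110: AAA interworking plus per-UE slice status."""

    def __init__(self, amf: AMF, aaa: AAAServer, udm_registered: Set[str]) -> None:
        self.amf, self.aaa = amf, aaa
        self.udm_registered = udm_registered        # stands in for Nudm_UECM_Get
        self.status: Dict[Key, Optional[int]] = {}  # local status: timer forwarded, if any
        self.notifications: List[RevocationNotification] = []

    def authenticate(self, gpsi: str, s_nssai: str, eap_id: str,
                     timer: Optional[int], now: int) -> dict:
        self.aaa.on_eap_identity(gpsi, s_nssai, eap_id, timer, now)  # steps 304-306
        self.status[(gpsi, s_nssai)] = timer
        return self.amf.on_nssaa_success(gpsi, s_nssai, timer)

    def on_revoke(self, req: RevokeAuthRequest) -> Tuple[str, bool]:
        """Returns (path taken, acknowledged); the AAA-S is always acknowledged (403c/504)."""
        had_timer = self.status.pop((req.gpsi, req.s_nssai), None) is not None
        # FIG. 5: timeout indication -> clean up and answer without notifying the AMF.
        # Assumed defensive check: honour it only for a slice we forwarded a timer for.
        if req.slice_timeout and had_timer:
            return "cleaned_up_silently", True
        # FIG. 4: acknowledge, then notify the serving AMF if the UE is registered.
        if req.gpsi not in self.udm_registered:
            return "ue_not_registered", True
        n = RevocationNotification(req.gpsi, req.s_nssai)
        self.notifications.append(n)
        return "amf_" + self.amf.on_revocation_notification(n), True


def run_scenario() -> dict:
    """Constructed sample run: one temporary slice with a timer, one permanent slice."""
    gpsi = "msisdn-447700900123"                           # constructed GPSI
    aaa, amf = AAAServer(), AMF(temporary_slices={"01-ABCD01"})
    nssaaf = NSSAAF(amf, aaa, udm_registered={gpsi})
    nssaaf.authenticate(gpsi, "01-ABCD01", "ue1@slice.example", timer=3600, now=0)
    nssaaf.authenticate(gpsi, "01-ABCD02", "ue1@slice.example", timer=None, now=0)
    timeout_paths = [nssaaf.on_revoke(r)[0] for r in aaa.tick(now=3600)]
    policy_path = nssaaf.on_revoke(aaa.revoke_by_policy(gpsi, "01-ABCD02"))[0]
    return {"timeout_paths": timeout_paths, "policy_path": policy_path,
            "notifications": len(nssaaf.notifications),
            "allowed": sorted(amf.allowed[gpsi]), "ucu_count": len(amf.ue_config_updates)}
```

In the sample run the timer-driven revocation of the temporary slice never reaches the AMF, so the AMF's Allowed NSSAI still lists that slice afterwards; that is the intended behaviour, because the UE received the same timer in the UE Configuration Update and expires the slice on its own. The policy-driven revocation of the permanent slice takes the FIG. 4 path and produces a further UCU that removes the S-NSSAI. Operationally this means the timer value handed to the AAA-S and the one handed to the UE must be the same, and a slice that is not flagged as temporary at the AMF is never silently dropped.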
FIG. 6 shows a flowchart of an example method 600 implemented at a first device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 600 will be described from the perspective of the first device 110 in FIG. 1.
At block 610, the first device 110 receives an authenticate request for a network slice that comprises a validity timer associated with the network slice from the second device 120. The authenticate request may comprise one or more of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
At block 620, the first device 110 transmits a message that comprises the validity timer associated with the network slice to the third device 130. The message may comprise one or more of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In some example embodiments, the first device 110 may receive from the third device 130 a revoke authentication request for the network slice that comprises an indication of an expiration of the validity timer, the first identity, and the third identity. The first device 110 may clean up a local status related to the third identity and the first identity. The first device 110 may transmit to the third device 130 a revoke authentication response.
In some example embodiments, the first device 110 may receive the revoke authentication request directly from the third device 130. Alternatively, the first device 110 may receive the revoke authentication request from a fourth device 140 which receives the revoke authentication request from the third device 130.
In some example embodiments, the first device 110 may transmit the revoke authentication response to the third device 130. Alternatively, the first device 110 may transmit the revoke authentication response to the fourth device 140 which then forwards the revoke authentication response to the third device 130.
In some example embodiments, the first device 110 may transmit the message directly to the third device 130. Alternatively, the first device 110 may transmit the message to the fourth device 140 which then forwards the message to the third device 130.
FIG. 7 shows a flowchart of an example method 700 implemented at a second device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 700 will be described from the perspective of the second device 120 in FIG. 1.
At block 710, the second device 120 transmits to the first device 110 an authenticate request for a network slice that comprises a validity timer associated with the network slice. The authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In some example embodiments, the second device 120 may transmit, to a terminal device, a configuration that comprises the validity timer associated with the network slice and the first identity for the network slice after a network slice specific authentication and authorization.
In some example embodiments, at block 720, the second device 120 may receive from the first device 110 a revocation notification that comprises the first identity for the network slice and the third identity associated with subscription of the terminal device. The second device 120 may determine whether the network slice is a temporary network slice. At block 730, the second device 120 may cause the revocation notification to be dropped based on determining that the network slice is a temporary network slice.
FIG. 8 shows a flowchart of an example method 800 implemented at a third device in accordance with some example embodiments of the present disclosure. For the purpose of discussion, the method 800 will be described from the perspective of the third device 130 in FIG. 1.
At block 810, the third device 130 receives from the first device 110 a message that comprises a validity timer associated with a network slice. The message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In some example embodiments, at block 820, the third device 130 may store the validity timer associated with the network slice. In some example embodiments, if the validity timer expires, the third device 130 may trigger a revocation of authentication and authorization of the network slice.
In some example embodiments, the third device 130 may transmit to the first device 110, a revoke authentication request for the network slice that comprises the first identity, and the third identity. The third device 130 may receive from the first device 110, a revoke authentication response. In some example embodiments, the revoke authentication request also comprises an indication of an expiration of the validity timer.
In some example embodiments, the third device 130 may transmit the revoke authentication request directly to the first device 110. Alternatively, the third device 130 may transmit the revoke authentication request to the fourth device 140, which forwards the revoke authentication request to the first device 110.
In some example embodiments, the third device 130 may receive the revoke authentication response from the first device 110. Alternatively, the third device 130 may receive the revoke authentication response from the fourth device 140 which receives the revoke authentication response from the first device 110.
In some example embodiments, the third device 130 may receive the message from the first device 110. Alternatively, the third device 130 may receive the message from the fourth device 140 which receives the message from the first device 110.
In some example embodiments, a first apparatus capable of performing any of the method 600 (for example, the first device 110 in FIG. 1) may comprise means for performing the respective operations of the method 600. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The first apparatus may be implemented as or included in the first device 110 in FIG. 1.
In some example embodiments, the first apparatus comprises means for receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and means for transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and wherein the authenticate request and the message also comprise at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In some example embodiments, the first apparatus comprises means for receiving, from the third apparatus, a revoke authentication request for the network slice that comprises an indication of an expiration of the validity timer, the first identity, and the third identity; means for cleaning up a local status related to the third identity and the first identity; and means for transmitting, to the third apparatus, a revoke authentication response.
In some example embodiments, the means for receiving the revoke authentication request comprises means for receiving the revoke authentication request from the third apparatus; or means for receiving the revoke authentication request from a fourth apparatus which receives the revoke authentication request from the third apparatus.
In some example embodiments, the means for transmitting the revoke authentication response to the third apparatus comprises: means for transmitting the revoke authentication response to the third apparatus; or means for transmitting the revoke authentication response to a fourth apparatus which then forwards the revoke authentication response to the third apparatus.
In some example embodiments, the means for transmitting the message to the third apparatus comprises one of: means for transmitting the message to the third apparatus; or means for transmitting the message to a fourth apparatus which then forwards the message to the third apparatus.
In some example embodiments, the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented, the second apparatus comprises a core network device, and the third apparatus comprises an Authentication, Authorization, and Accounting Server.
In some example embodiments, the first apparatus further comprises means for performing other operations in some example embodiments of the method 600 or the first device 110. In some example embodiments, the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the first apparatus to perform the respective operations.
In some example embodiments, a second apparatus capable of performing any of the method 700 (for example, the second device 120 in FIG. 1) may comprise means for performing the respective operations of the method 700. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The second apparatus may be implemented as or included in the second device 120 in FIG. 1.
In some example embodiments, the second apparatus comprises means for transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In some example embodiments, the second apparatus comprises means for transmitting, to a terminal device, a configuration that comprises the validity timer associated with the network slice and the first identity for the network slice after a network slice specific authentication and authorization.
In some example embodiments, the second apparatus comprises means for receiving, from the first apparatus, a revocation notification that comprises the first identity for the network slice and the third identity associated with subscription of the terminal device; means for determining whether the network slice is a temporary network slice; and means for based on determining that the network slice is a temporary network slice, causing the revocation notification to be dropped.
In some example embodiments, the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented, and the second apparatus comprises a core network device.
In some example embodiments, the second apparatus further comprises means for performing other operations in some example embodiments of the method 700 or the second device 120. In some example embodiments, the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the second apparatus to perform the respective operations.
In some example embodiments, a third apparatus capable of performing any of the method 800 (for example, the third device 130 in FIG. 1) may comprise means for performing the respective operations of the method 800. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module. The third apparatus may be implemented as or included in the third device 130 in FIG. 1.
In some example embodiments, the third apparatus comprises means for receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and the message also comprises at least one of: a first identity for the network slice, a second identity for a terminal device that is configured with the network slice for an extensible authentication, or a third identity associated with subscription of the terminal device.
In some example embodiments, the third apparatus comprises means for storing the validity timer associated with the network slice; and in accordance with a determination that the validity timer expires, triggering a revocation of authentication and authorization of the network slice.
In some example embodiments, the third apparatus comprises means for transmitting, to the first apparatus, a revoke authentication request for the network slice that comprises the first identity, and the third identity; and receiving, from the first apparatus, a revoke authentication response.
In some example embodiments, the revoke authentication request also comprises an indication of an expiration of the validity timer.
In some example embodiments, the means for transmitting the revoke authentication request comprises: means for transmitting the revoke authentication request to the first apparatus; or means for transmitting the revoke authentication request to a fourth apparatus which forwards the revoke authentication request to the first apparatus.
In some example embodiments, the means for receiving the revoke authentication response from the first apparatus comprises: means for receiving the revoke authentication response from the first apparatus; or means for receiving the revoke authentication response from a fourth apparatus which receives the revoke authentication response from the first apparatus.
In some example embodiments, the means for receiving the message from the first apparatus comprises one of: means for receiving the message from the first apparatus; or means for receiving the message from a fourth apparatus which receives the message from the first apparatus.
In some example embodiments, the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented, and the third apparatus comprises an Authentication, Authorization, and Accounting Server.
In some example embodiments, the third apparatus further comprises means for performing other operations in some example embodiments of the method 800 or the third device 130. In some example embodiments, the means comprises at least one processor; and at least one memory storing instructions that, when executed by the at least one processor, cause the third apparatus to perform the respective operations.
FIG. 9 is a simplified block diagram of a device 900 that is suitable for implementing example embodiments of the present disclosure. The device 900 may be provided to implement a communication device, for example, the first device 110 or the second device 120 as shown in FIG. 1. As shown, the device 900 includes one or more processors 910, one or more memories 920 coupled to the processor 910, and one or more communication modules 940 coupled to the processor 910.
The communication module 940 is for bidirectional communications. The communication module 940 has one or more communication interfaces to facilitate communication with one or more other modules or devices. The communication interfaces may represent any interface that is necessary for communication with other network elements. In some example embodiments, the communication module 940 may include at least one antenna.
The processor 910 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 900 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
The memory 920 may include one or more non-volatile memories and one or more volatile memories. Examples of the non-volatile memories include, but are not limited to, a Read Only Memory (ROM) 924, an electrically programmable read only memory (EPROM) , a flash memory, a hard disk, a compact disc (CD) , a digital video disk (DVD) , an optical disk, a laser disk, and other magnetic storage and/or optical storage. Examples of the volatile memories include, but are not limited to, a random access memory (RAM) 922 and other volatile memories that do not retain their contents while power is removed.
A computer program 930 includes computer executable instructions that are executed by the associated processor 910. The instructions of the program 930 may include instructions for performing operations/acts of some example embodiments of the present disclosure. The program 930 may be stored in the memory, e.g., the ROM 924. The processor 910 may perform any suitable actions and processing by loading the program 930 into the RAM 922.
The example embodiments of the present disclosure may be implemented by means of the program 930 so that the device 900 may perform any process of the disclosure as discussed with reference to FIG. 2 to FIG. 8. The example embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
In some example embodiments, the program 930 may be tangibly contained in a computer readable medium which may be included in the device 900 (such as in the memory 920) or other storage devices that are accessible by the device 900. The device 900 may load the program 930 from the computer readable medium to the RAM 922 for execution. In some example embodiments, the computer readable medium may include any types of non-transitory storage medium, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like. The term “non-transitory,” as used herein, is a limitation of the medium itself (i.e., tangible, not a signal) as opposed to a limitation on data storage persistency (e.g., RAM vs. ROM).
FIG. 10 shows an example of the computer readable medium 1000 which may be in form of CD, DVD or other optical storage disk. The computer readable medium 1000 has the program 930 stored thereon.
Generally, various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
Some example embodiments of the present disclosure also provide at least one computer program product tangibly stored on a computer readable medium, such as a non-transitory computer readable medium. The computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target physical or virtual processor, to carry out any of the methods as described above. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various embodiments. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. The program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowcharts and/or block diagrams to be implemented. The program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of the present disclosure, the computer program code or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above. Examples of the carrier include a signal, computer readable medium, and the like.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular embodiments. Unless explicitly stated, certain features that are described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, unless explicitly stated, various features that are described in the context of a single embodiment may also be implemented in a plurality of embodiments separately or in any suitable sub-combination.
Although the present disclosure has been described in languages specific to structural features and/or methodological acts, it is to be understood that the present disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (36)

  1. A first apparatus comprising:
    at least one processor; and
    at least one memory storing instructions that, when executed by the at least one processor, cause the first apparatus at least to perform:
    receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and
    transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and
    wherein the authenticate request and the message further comprise at least one of:
    a first identity for the network slice,
    a second identity for a terminal device that is configured with the network slice for an extensible authentication, or
    a third identity associated with subscription of the terminal device.
  2. The first apparatus of claim 1, wherein the first apparatus is caused to perform:
    receiving, from the third apparatus, a revoke authentication request for the network slice that comprises an indication of an expiration of the validity timer, the first identity, and the third identity;
    cleaning up a local status related to the third identity and the first identity; and
    transmitting, to the third apparatus, a revoke authentication response.
  3. The first apparatus of claim 2, wherein receiving the revoke authentication request comprises:
    receiving the revoke authentication request from the third apparatus; or
    receiving the revoke authentication request from a fourth apparatus which receives the revoke authentication request from the third apparatus, and
    wherein transmitting the revoke authentication response to the third apparatus comprises:
    transmitting the revoke authentication response to the third apparatus; or
    transmitting the revoke authentication response to a fourth apparatus which then forwards the revoke authentication response to the third apparatus.
  4. The first apparatus of any of claims 1-3, wherein transmitting the message to the third apparatus comprises one of:
    transmitting the message to the third apparatus; or
    transmitting the message to a fourth apparatus which then forwards the message to the third apparatus.
  5. The first apparatus of any of claims 1-4, wherein the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented, the second apparatus comprises a core network device, and the third apparatus comprises an Authentication, Authorization, and Accounting Server.
  6. A second apparatus comprising:
    at least one processor; and
    at least one memory storing instructions that, when executed by the at least one processor, cause the second apparatus at least to perform:
    transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and wherein the authenticate request also comprises at least one of:
    a first identity for the network slice,
    a second identity for a terminal device that is configured with the network slice for an extensible authentication, or
    a third identity associated with subscription of the terminal device.
  7. The second apparatus of claim 6, wherein the second apparatus is further caused to perform:
    transmitting, to a terminal device, a configuration that comprises the validity timer associated with the network slice and the first identity for the network slice after a network slice specific authentication and authorization.
  8. The second apparatus of claim 6 or 7, wherein the second apparatus is also caused to perform:
    receiving, from the first apparatus, a revocation notification that comprises the first identity for the network slice and the third identity associated with subscription of the terminal device;
    determining whether the network slice is a temporary network slice; and
    based on determining that the network slice is a temporary network slice, causing the revocation notification to be dropped.
  9. The second apparatus of any of claims 6-8, wherein the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented, the second apparatus comprises a core network device.
  10. A third apparatus comprising:
    at least one processor; and
    at least one memory storing instructions that, when executed by the at least one processor, cause the third apparatus at least to perform:
    receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and
    wherein the message also comprises at least one of:
    a first identity for the network slice,
    a second identity for a terminal device that is configured with the network slice for an extensible authentication, or
    a third identity associated with subscription of the terminal device.
  11. The third apparatus of claim 10, wherein the third apparatus is caused to perform:
    storing the validity timer associated with the network slice; and
    if the validity timer expires, triggering a revocation of authentication and authorization of the network slice.
  12. The third apparatus of claim 10 or 11, wherein the third apparatus is caused to perform:
    transmitting, to the first apparatus, a revoke authentication request for the network slice that comprises the first identity, and the third identity; and
    receiving, from the first apparatus, a revoke authentication response.
  13. The third apparatus of claim 12, wherein the revoke authentication request also comprises an indication of an expiration of the validity timer.
  14. The third apparatus of claim 12, wherein transmitting the revoke authentication request comprises:
    transmitting the revoke authentication request to the first apparatus; or
    transmitting the revoke authentication request to a fourth apparatus which forwards the revoke authentication request to the third apparatus, and
    wherein receiving the revoke authentication response from the first apparatus comprises:
    receiving the revoke authentication response from the first apparatus; or
    receiving the revoke authentication response from a fourth apparatus which receives the revoke authentication response from the first apparatus.
  15. The third apparatus of any of claims 10-14, wherein receiving the message from the first apparatus comprises one of:
    receiving the message from the first apparatus; or
    receiving the message from a fourth apparatus which receives the message from the first apparatus.
  16. The third apparatus of any of claims 10-15, wherein the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented, and the third apparatus comprises an Authentication, Authorization, and Accounting Server.
  17. A method, comprising:
    receiving, at a first apparatus from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and
    transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and
    wherein the authenticate request and the message also comprise at least one of:
    a first identity for the network slice,
    a second identity for a terminal device that is configured with the network slice for an extensible authentication, or
    a third identity associated with subscription of the terminal device.
  18. The method of claim 17, further comprising:
    receiving, from the third apparatus, a revoke authentication request for the network slice that comprises an indication of an expiration of the validity timer, the first identity, and the third identity;
    cleaning up a local status related to the third identity and the first identity; and
    transmitting, to the third apparatus, a revoke authentication response.
  19. The method of claim 18, wherein receiving the revoke authentication request comprises:
    receiving the revoke authentication request from the third apparatus; or
    receiving the revoke authentication request from a fourth apparatus which receives the revoke authentication request from the third apparatus, and
    wherein transmitting the revoke authentication response to the third apparatus comprises:
    transmitting the revoke authentication response to the third apparatus; or
    transmitting the revoke authentication response to a fourth apparatus which then forwards the revoke authentication response to the third apparatus.
  20. The method of any of claims 17-19, wherein transmitting the message to the third apparatus comprises one of:
    transmitting the message to the third apparatus; or
    transmitting the message to a fourth apparatus which then forwards the message to the third apparatus.
  21. The method of any of claims 17-20, wherein the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented, the second apparatus comprises a core network device, and the third apparatus comprises an Authentication, Authorization, and Accounting Server.
  22. A method, comprising:
    transmitting, at a second apparatus and to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and
    wherein the authenticate request also comprises at least one of:
    a first identity for the network slice,
    a second identity for a terminal device that is configured with the network slice for an extensible authentication, or
    a third identity associated with subscription of the terminal device.
  23. The method of claim 22, further comprising:
    transmitting, to a terminal device, a configuration that comprises the validity timer associated with the network slice and the first identity for the network slice after a network slice specific authentication and authorization.
  24. The method of claim 22 or 23, further comprising:
    receiving, from the first apparatus, a revocation notification that comprises the first identity for the network slice and the third identity associated with subscription of the terminal device;
    determining whether the network slice is a temporary network slice; and
    based on determining that the network slice is a temporary network slice, causing the revocation notification to be dropped.
  25. The method of any of claims 22-24, wherein the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented, the second apparatus comprises a core network device.
  26. A method, comprising:
    receiving, at a third apparatus and from a first apparatus, a message that comprises a validity timer associated with a network slice, and
    wherein the message also comprises at least one of:
    a first identity for the network slice,
    a second identity for a terminal device that is configured with the network slice for an extensible authentication, or
    a third identity associated with subscription of the terminal device.
  27. The method of claim 26, further comprising:
    storing the validity timer associated with the network slice; and
    if the validity timer expires, triggering a revocation of authentication and authorization of the network slice.
  28. The method of claim 26 or 27, further comprising:
    transmitting, to the first apparatus, a revoke authentication request for the network slice that comprises the first identity, and the third identity; and
    receiving, from the first apparatus, a revoke authentication response.
  29. The method of claim 28, wherein the revoke authentication request also comprises an indication of an expiration of the validity timer.
  30. The method of claim 28, wherein transmitting the revoke authentication request comprises:
    transmitting the revoke authentication request to the first apparatus; or
    transmitting the revoke authentication request to a fourth apparatus which forwards the revoke authentication request to the third apparatus, and
    wherein receiving the revoke authentication response from the first apparatus comprises:
    receiving the revoke authentication response from the first apparatus; or
    receiving the revoke authentication response from a fourth apparatus which receives the revoke authentication response from the first apparatus.
  31. The method of any of claims 26-30, wherein receiving the message from the first apparatus comprises one of:
    receiving the message from the first apparatus; or
    receiving the message from a fourth apparatus which receives the message from the first apparatus.
  32. The method of any of claims 26-21, wherein the first apparatus comprises an apparatus on which a Network Slice Specific Authentication and Authorization Function is implemented, and the third apparatus comprises an Authentication, Authorization, and Accounting Server.
  33. A first apparatus comprising:
    means for receiving, from a second apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice; and
    means for transmitting, to a third apparatus, a message that comprises the validity timer associated with the network slice, and
    wherein the authenticate request and the message also comprise at least one of:
    a first identity for the network slice,
    a second identity for a terminal device that is configured with the network slice for an extensible authentication, or
    a third identity associated with subscription of the terminal device.
  34. A second apparatus comprising:
    means for transmitting, to a first apparatus, an authenticate request for a network slice that comprises a validity timer associated with the network slice, and
    wherein the authenticate request also comprises at least one of:
    a first identity for the network slice,
    a second identity for a terminal device that is configured with the network slice for an extensible authentication, or
    a third identity associated with subscription of the terminal device.
  35. A third apparatus comprising:
    means for receiving, from a first apparatus, a message that comprises a validity timer associated with a network slice, and
    wherein the message also comprises at least one of:
    a first identity for the network slice,
    a second identity for a terminal device that is configured with the network slice for an extensible authentication, or
    a third identity associated with subscription of the terminal device.
  36. A computer readable medium comprising instructions stored thereon for causing an apparatus at least to perform any of claims 17-21 or any of claims 22-25 or any of claims 26-32.
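The timer-driven flow of claims 1 to 32 as an added simulation; this is not code from the patent or from any 3GPP implementation. It assumes the core network device (second apparatus) is the AMF, the first apparatus the NSSAAF and the third the AAA server, maps the three identities onto an S-NSSAI, an EAP identity and a GPSI, and uses constructed identity values and a timer counted in seconds.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthRequest:
    """Authenticate request (claims 1, 6): validity timer plus the identities."""
    snssai: str          # first identity: the network slice
    eap_id: str          # second identity: terminal device, for EAP
    gpsi: str            # third identity: subscription of the terminal device
    validity_timer: int  # seconds the authorization stays valid (constructed unit)

class AMF:
    """Second apparatus (core network device); AMF is an assumed mapping."""
    def __init__(self, temporary_slices):
        self.temporary_slices = set(temporary_slices)
        self.ue_config = {}      # gpsi -> {snssai: timer} configured on the UE
        self.notifications = []  # revocation notifications acted upon

    def run_nssaa(self, nssaaf, gpsi, eap_id, snssai, timer, now):
        nssaaf.on_auth_request(AuthRequest(snssai, eap_id, gpsi, timer), now)
        # Claim 7: after NSSAA the UE is configured with the timer and slice id.
        self.ue_config.setdefault(gpsi, {})[snssai] = timer

    def on_revocation_notification(self, snssai, gpsi):
        if snssai in self.temporary_slices:
            return "dropped"  # claim 8: temporary slice, notification dropped
        self.ue_config.get(gpsi, {}).pop(snssai, None)
        self.notifications.append((gpsi, snssai))
        return "handled"

class NSSAAF:
    """First apparatus: relays the timer, cleans local status on revocation."""
    def __init__(self, amf):
        self.amf = amf
        self.aaa = None
        self.local_status = {}  # (gpsi, snssai) -> eap identity

    def on_auth_request(self, req, now):
        self.local_status[(req.gpsi, req.snssai)] = req.eap_id
        self.aaa.on_message(req, now)  # the message carrying the validity timer

    def on_revoke(self, snssai, gpsi, timer_expired):
        # Revoke authentication request (claims 2, 12, 13) carries the first and
        # third identity plus the expiry indication; clean up, notify, respond.
        self.local_status.pop((gpsi, snssai), None)
        self.amf.on_revocation_notification(snssai, gpsi)
        return "revoke-response"

class AAAServer:
    """Third apparatus: stores the timer and revokes when it expires."""
    def __init__(self, nssaaf):
        self.nssaaf = nssaaf
        self.records = {}  # (gpsi, snssai) -> absolute expiry time

    def on_message(self, req, now):
        self.records[(req.gpsi, req.snssai)] = now + req.validity_timer

    def tick(self, now):
        """Claim 11: trigger revocation for every expired validity timer."""
        revoked = []
        for (gpsi, snssai), expiry in list(self.records.items()):
            if now >= expiry:
                self.nssaaf.on_revoke(snssai, gpsi, timer_expired=True)
                del self.records[(gpsi, snssai)]
                revoked.append((gpsi, snssai))
        return revoked

def run_scenario():
    """Constructed scenario: one UE authorized on a regular and a temporary slice."""
    amf = AMF(temporary_slices={"01-TEMP"})
    nssaaf = NSSAAF(amf)
    aaa = AAAServer(nssaaf)
    nssaaf.aaa = aaa
    amf.run_nssaa(nssaaf, "gpsi-ue1", "ue1@realm", "01-ABC", timer=30, now=0)
    amf.run_nssaa(nssaaf, "gpsi-ue1", "ue1@realm", "01-TEMP", timer=10, now=0)
    return {
        "t5": aaa.tick(5),    # nothing expired yet
        "t10": aaa.tick(10),  # temporary slice expires; AMF drops the notice
        "t30": aaa.tick(30),  # regular slice expires; AMF acts on the notice
        "amf_notifications": amf.notifications,
        "ue_config": amf.ue_config,
        "nssaaf_status": nssaaf.local_status,
        "aaa_records": aaa.records,
    }
```

After the run both the NSSAAF status and the AAA server records are empty, while the AMF has acted only on the notification for the regular slice.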
PCT/CN2022/130237 2022-11-07 2022-11-07 Authentication procedure for network slice Ceased WO2024098177A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202280101674.3A CN120188446A (en) 2022-11-07 2022-11-07 Certification process for network slicing
PCT/CN2022/130237 WO2024098177A1 (en) 2022-11-07 2022-11-07 Authentication procedure for network slice

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/130237 WO2024098177A1 (en) 2022-11-07 2022-11-07 Authentication procedure for network slice

Publications (1)

Publication Number Publication Date
WO2024098177A1 true WO2024098177A1 (en) 2024-05-16

Family

ID=91031658

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/130237 Ceased WO2024098177A1 (en) 2022-11-07 2022-11-07 Authentication procedure for network slice

Country Status (2)

Country Link
CN (1) CN120188446A (en)
WO (1) WO2024098177A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111654862A (en) * 2019-03-04 2020-09-11 华为技术有限公司 Method and device for registering terminal equipment
US20220110050A1 (en) * 2019-02-08 2022-04-07 Nokia Technologies Oy Apparatus, method and computer program
US20220312307A1 (en) * 2020-05-22 2022-09-29 Apple Inc. Network slice specific authentication and authorization (nssaa) 5g new radio (nr) procedures


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
APPLE: "AMF to trigger Configuration Update Command Procedure indicating pending NSSAI", 3GPP DRAFT; C1-205030, vol. CT WG1, 13 August 2020 (2020-08-13), pages 1 - 16, XP051919529 *

Also Published As

Publication number Publication date
CN120188446A (en) 2025-06-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application; Ref document number: 22964656; Country of ref document: EP; Kind code of ref document: A1
WWE Wipo information: entry into national phase; Ref document number: 202280101674.3; Country of ref document: CN
WWE Wipo information: entry into national phase; Ref document number: 202547053410; Country of ref document: IN
NENP Non-entry into the national phase; Ref country code: DE
WWP Wipo information: published in national office; Ref document number: 202547053410; Country of ref document: IN
WWP Wipo information: published in national office; Ref document number: 202280101674.3; Country of ref document: CN
122 Ep: pct application non-entry in european phase; Ref document number: 22964656; Country of ref document: EP; Kind code of ref document: A1