
WO2024234176A1 - Enhancement of network management services - Google Patents


Info

Publication number
WO2024234176A1
Authority
WO
WIPO (PCT)
Prior art keywords
network device
nfc
nfp
information
network
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/CN2023/094037
Other languages
French (fr)
Inventor
Jing PING
Anja Jerichow
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nokia Shanghai Bell Co Ltd
Nokia Solutions and Networks Oy
Nokia Technologies Oy
Original Assignee
Nokia Shanghai Bell Co Ltd
Nokia Solutions and Networks Oy
Nokia Technologies Oy
Application filed by Nokia Shanghai Bell Co Ltd, Nokia Solutions and Networks Oy and Nokia Technologies Oy
Priority to PCT/CN2023/094037
Publication of WO2024234176A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/1066 Session management
    • H04L 65/1073 Registration or de-registration
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/30 Profiles
    • H04L 67/303 Terminal profiles
    • H04L 67/50 Network services
    • H04L 67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/24 Negotiation of communication capabilities

Definitions

  • Various example embodiments generally relate to the field of communication, and in particular, to network devices, methods, apparatuses and a computer readable storage medium for enhancement of network management services.
  • NF network function
  • NFc network function service consumer
  • PCF policy control function
  • example embodiments of the present disclosure provide network devices, methods, apparatuses and a computer readable storage medium for enhancing network management services.
  • the solution provided by the example embodiments of the present disclosure configures a network repository function (NRF) and other fifth generation (5G) core network (5GC) NFs so that an NFc can be dynamically authorized to access 5G NF services.
  • 5G fifth generation
  • 5GC fifth generation core network
  • the first network device may comprise at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the first network device at least to: determine, for an NF service consumer (NFc), NFc information of the NFc to be registered in a second network device; and transmit the NFc information to the second network device or to the NFc.
  • a second network device may comprise at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the second network device at least to: receive, from a first network device or from an NF service producer (NFp), either configuration information for provisioning at least one authorization policy on the second network device, or NF information comprising at least one authorization policy on the NFp, to enable access control on at least one service of the second network device or of the NFp; receive, from the first network device or from an NFc, NFc information of the NFc to be registered in the second network device; and authorize a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
  • NFp NF service producer
  • the method may comprise: determining, at a first network device, for an NFc, NFc information of the NFc to be registered in a second network device; and transmitting, at the first network device, the NFc information to the second network device or the NFc.
  • a method may comprise: receiving, at a second network device and from a first network device or an NFp, either configuration information for provisioning at least one authorization policy on the second network device, or NF information comprising at least one authorization policy on the NFp, to enable access control on at least one service of the second network device or of the NFp; receiving, at the second network device and from the first network device or an NFc, NFc information of the NFc to be registered in the second network device; and authorizing, at the second network device, a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
  • an apparatus may comprise: means for determining, for an NFc, NFc information of the NFc to be registered in a second network device; and means for transmitting the NFc information to the second network device or the NFc.
  • an apparatus may comprise: means for receiving, from a first network device or from an NFp, either configuration information for provisioning at least one authorization policy on the second network device, or NF information comprising at least one authorization policy on the NFp, to enable access control on at least one service of the second network device or of the NFp; means for receiving, from the first network device or from an NFc, NFc information of the NFc to be registered in the second network device; and means for authorizing a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
  • a non-transitory computer readable medium comprising program instructions for causing an apparatus to perform at least the method according to the third or fourth aspect.
  • a computer program comprising instructions, which, when executed by an apparatus, cause the apparatus at least to: determine, for an NF service consumer (NFc), NFc information of the NFc to be registered in a second network device; and transmit the NFc information to the second network device or to the NFc.
  • a computer program comprising instructions, which, when executed by an apparatus, cause the apparatus at least to: receive, from a first network device or from an NFp, either configuration information for provisioning at least one authorization policy on the second network device, or NF information comprising at least one authorization policy on the NFp, to enable access control on at least one service of the second network device or of the NFp; receive, from the first network device or from an NFc, NFc information of the NFc to be registered in the second network device; and authorize a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
  • the first network device may comprise a determining circuitry configured to determine, for an NF service consumer (NFc), NFc information of the NFc to be registered in a second network device; and a transmitting circuitry configured to transmit the NFc information to the second network device or to the NFc.
  • the second network device may comprise a first receiving circuitry configured to receive, from a first network device or from an NFp, either configuration information for provisioning at least one authorization policy on the second network device, or NF information comprising at least one authorization policy on the NFp, to enable access control on at least one service of the second network device or of the NFp; a second receiving circuitry configured to receive, from the first network device or from an NFc, NFc information of the NFc to be registered in the second network device; and an authorizing circuitry configured to authorize a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
  • FIG. 1A illustrates an example communication network environment in which example embodiments of the present disclosure may be implemented
  • FIG. 1B illustrates another example communication network environment in which example embodiments of the present disclosure may be implemented
  • FIG. 1C illustrates an example registration procedure of an NFc to an NRF related to some example embodiments of the present disclosure
  • FIG. 1D illustrates an example operation and maintenance (O&M) registering an NFc to an NRF related to some example embodiments of the present disclosure
  • FIG. 1E illustrates an example lifecycle of a network slice management related to some example embodiments of the present disclosure
  • FIG. 2 illustrates an example signaling process for an enhancement of network management services in accordance with some example embodiments of the present disclosure
  • FIGS. 3A and 3B illustrate example signaling processes for provisioning untrusted NFc information to an NRF by an operations, administration and management (OAM) system in accordance with some example embodiments of the present disclosure
  • FIGS. 4A and 4B illustrate example signaling processes for provisioning trusted NFc information to an NRF by an OAM in accordance with some example embodiments of the present disclosure
  • FIG. 5 illustrates an example flowchart of an enhancement of network management services in accordance with some example embodiments of the present disclosure
  • FIG. 6 illustrates another example flowchart of an enhancement of network management services in accordance with some example embodiments of the present disclosure
  • FIG. 7 illustrates an example simplified block diagram of a device that is suitable for implementing embodiments of the present disclosure.
  • FIG. 8 illustrates an example block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
  • references in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
  • first and second etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments.
  • the term “and/or” includes any and all combinations of one or more of the listed terms.
  • circuitry may refer to one or more or all of the following:
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
  • the term “communication network” refers to a network following any suitable communication standards, such as long term evolution (LTE) , LTE-advanced (LTE-A) , wideband code division multiple access (WCDMA) , high-speed packet access (HSPA) , narrow band Internet of things (NB-IoT) and so on.
  • LTE long term evolution
  • LTE-A LTE-advanced
  • WCDMA wideband code division multiple access
  • HSPA high-speed packet access
  • NB-IoT narrow band Internet of things
  • the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the third generation (3G) , the fourth generation (4G) , 4.5G, the fifth generation (5G) communication protocols, and/or beyond.
  • Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be
  • the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom or refers to a node in network management system.
  • the network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), a New Radio (NR) NB (also referred to as a gNB), a remote radio unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, a low power node such as a femto, a pico, a management function (MnF) and so forth, depending on the applied terminology and technology.
  • BS base station
  • AP access point
  • NB node B
  • eNodeB or eNB evolved NodeB
  • NR New Radio
  • RRU remote radio unit
  • the term “terminal device” refers to any end device that may be capable of wireless communication.
  • a terminal device may also be referred to as a communication device, user equipment (UE) , a subscriber station (SS) , a portable subscriber station, a mobile station (MS) , or an access terminal (AT) .
  • UE user equipment
  • SS subscriber station
  • MS mobile station
  • AT access terminal
  • the terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in industrial and/or automated processing chain contexts), a consumer electronics device, a device operating on commercial,
  • the term “resource” , “transmission resource” , “resource block” , “physical resource block” (PRB) , “uplink (UL) resource” or “downlink (DL) resource” may refer to any resource for performing a communication, for example, a communication between a terminal device and a network device, such as a resource in time domain, a resource in frequency domain, a resource in space domain, a resource in code domain, a resource in a combination of more than one domain or any other resource enabling a communication, and the like.
  • a resource in time domain (such as, a subframe) will be used as an example of a transmission resource for describing some example embodiments of the present disclosure. It is noted that example embodiments of the present disclosure are equally applicable to other resources in other domains.
  • an NRF may be used as an authorization server.
  • 3GPP TR 33.875 discusses NRF validation of an NFc.
  • table 1 summarizes problems (such as Key issue #11) which have been discussed in TR 33.875.
  • a series of management and orchestration related technical specifications on O&M (TSs 28.xxx) were defined in 3GPP SA5 to enable automation of 5G network and network slice deployment and operation. For example, these are summarized in table 4.
  • the NFc needs to be known to the NRF as an open authorization (OAuth) 2.0 client in order to request an authorization token for using services of other NFs.
  • OAuth open authorization
  • example embodiments of the present disclosure provide a solution for the enhancement of network management services. This solution extends the 5G network management services and procedures so that an NFc's access control related information can be managed automatically and dynamically during network deployment and at runtime.
  • the solution provided by the present disclosure allows an access request to any 5GC NF, including an NRF, to be properly authorized at a fine-grained level.
  • FIG. 1A illustrates an example communication network environment 100A in which example embodiments of the present disclosure may be implemented.
  • the communication network environment 100A, which may be a part of a communication network, includes a first network device 102 and a second network device 104.
  • the first network device 102 may also be referred to as an OAM 102 or an MnF 102.
  • the second network device 104 may also be referred to as an NRF 104 (such as an OAuth 2.0 authorization server).
  • the first network device 102 and the second network device 104 can communicate with each other.
  • the first network device 102 may call a third party entity (such as a cloud manager) to instantiate the second network device 104.
  • the first network device 102 may configure the second network device 104.
  • the first network device 102 may transmit configuration information to the second network device 104.
  • the configuration information enables access control on the NRF services (such as registration, deregistration, update, discovery, and getting an access token).
  • the first network device 102 may activate the second network device 104.
  • FIG. 1B illustrates another example communication network environment 100B in which example embodiments of the present disclosure may be implemented.
  • the communication network environment 100B may comprise an NRF 112 (which may correspond to the second network device 104 as shown in FIG. 1A).
  • the NRF 112 may support the corresponding functionalities, such as receiving an NF discovery request from an NF instance, providing information about the discovered NF instances to the requesting NF instance, and maintaining the NF profiles of the available NF instances and their supported services.
  • the communication network environment 100B may comprise multiple NFs having capabilities for providing one or more specific services.
  • the communication network environment 100B may comprise an NFp 114 and an NFc 110.
  • the NFc 110 may request a specific service provided from the NFp 114.
  • the NFp 114 can be registered to the NRF 112.
  • the communication network environment 100B may also comprise an OAM 106 (which may correspond to the first network device 102 as shown in FIG. 1A).
  • the OAM 106 may be considered as a network management node.
  • the OAM 106 may manage multiple NFs, such as the NFp 114 and the NFc 110.
  • the OAM 106 may also manage the NRF 112.
  • the OAM 106 may further communicate with a cloud manager 108.
  • the cloud manager 108 may be used to instantiate an NF or an NRF.
  • the NRF 112 may store NF profiles or NF service profiles.
  • the NRF 112 may store parameters, authorization policies and any attributes or information related to an NF or NF service received from the OAM 106, the NFc 110 or the NFp 114.
  • FIG. 1C illustrates an example registration procedure 100C of an NFc to an NRF related to some example embodiments of the present disclosure.
  • an OAuth 2.0 client 116 may transmit (120) a request 124 to an authorization server 118.
  • the request 124 may be an Nnrf_AccessToken_ClientRegister request.
  • the authorization server 118 may receive the request 124.
  • the authorization server 118 may store (126) information about the OAuth 2.0 client 116.
  • the authorization server 118 may transmit (130) a response 132 to the OAuth 2.0 client 116.
  • the response 132 may be an Nnrf_AccessToken_ClientRegister response.
  • FIG. 1C describes a secure way of registering an OAuth 2.0 client profile to the NRF that protects against an NFc impersonating another NFc.
  • FIG. 1C requires modification in conventional implementations of NF consumers, NRF, and O&M.
  • FIG. 1D illustrates an example 100D of an O&M registering an NFc to an NRF related to some example embodiments of the present disclosure.
  • FIG. 1D depicts a high-level O&M-based mechanism for an O&M registering the NF consumer to the NRF.
  • an O&M may be configured with the OAuth 2.0 client information of the NFc 142.
  • an O&M and orchestration 136 may provision the NFc 142 with the necessary information.
  • the O&M and orchestration 136 may register the NFc 142 to the NRF 144.
  • FIG. 1D leaves the secure provisioning of the OAuth 2.0 client profile to the security system between the O&M and NRF.
  • FIG. 1D requires modification in conventional implementations of NF consumers, NRF, and O&M.
  • FIG. 1E illustrates an example lifecycle 100E of a network slice management related to some example embodiments of the present disclosure.
  • FIG. 1E depicts example concepts, use cases and requirements, including automatic slice management during its lifecycle 100E.
  • preparation 146 may comprise design 148, on-boarding 150 and network environment preparation 152.
  • the lifecycle of a network slice instance 154 may comprise commissioning 156, operation 162 and decommissioning 172.
  • the commissioning 156 may comprise creation 158.
  • the operation 162 may comprise activation 160, supervision 164, reporting 166, modification 168 and deactivation 170.
  • the decommissioning 172 may comprise termination 174.
  • FIG. 2 illustrates an example signaling process 200 for an enhancement of network management services in accordance with some example embodiments of the present disclosure.
  • FIG. 2 will be described with reference to FIG. 1A.
  • the first network device 102 determines NFc information 204.
  • the first network device 102 may determine (202) an NF which has been instantiated or registered as the NFc, and determine the NFc information 204.
  • the NFc is to be registered in the second network device 104.
  • the first network device 102 transmits (206) the NFc information 204 to the second network device 104 or the NFc.
  • the second network device 104 receives (208) the NFc information 204 from the first network device 102 or the NFc.
  • the first network device 102 may transmit (210) configuration information 212 to the second network device 104.
  • the configuration information 212 provisions at least one authorization policy on the second network device 104 or at least one authorization policy on the NFp.
  • the second network device 104 receives (216) the configuration information 212 from the first network device 102.
  • alternatively, the second network device 104 receives (216) NF information comprising at least one authorization policy on the NFp from the NFp.
  • the at least one authorization policy on the second network device 104 enables access control on at least one service of the second network device 104.
  • the at least one authorization policy on the NFp enables access control on at least one service of the second network device 104 or of the NFp.
  • the second network device 104 authorizes (218) a service request from the NFc based on the registered NFc information 204 and the at least one authorization policy on the second network device 104 or on the NFp.
  • in this way, an NRF and other 5GC NFs can be configured so that an NFc is dynamically authorized to access the 5G NF services.
  • FIG. 3A illustrates an example signaling process 300A at a deployment phase 302 for provisioning untrusted NFc information to an NRF by an OAM in accordance with some example embodiments of the present disclosure.
  • FIG. 3A will be described with reference to FIG. 1B.
  • the signaling process 300A in FIG. 3A describes provisioning an NFc to an NRF with an enhanced network resource model (NRM) of the NRF. The NRM can include authorization policies, which allows the NRF to be provisioned automatically by the management system and to dynamically grant access permissions to an NRF service consumer.
  • the signaling process 300A is proposed for an NFc that is not trusted by the NRF according to the 3GPP management system.
  • an "untrusted" NFc may be a non-3GPP NF, e.g., an application function that plays only the role of NF service consumer.
  • the signaling shows that the OAM 106 may call the cloud manager 108 to instantiate an NRF 112.
  • the OAM 106 may configure (312A) parameters 314 on the NRF 112.
  • the parameters 314 may include configuration information for provisioning authorization policies on the NRF 112 to allow access control on the NRF services (e.g., registration, update, deregistration, discovery, getting an access token, etc. ) .
  • the NRF 112 may receive (312B) the parameters 314 from the OAM 106.
  • the OAM 106 may activate the NRF 112.
  • the authorization policies may be any combination of, e.g., allowed NF types, allowed public land mobile networks (PLMNs), allowed single network slice selection assistance information (S-NSSAIs), allowed domains, allowed operations, allowed times, allowed serving areas, etc., on the NRF service instance.
  • PLMNs public land mobile networks
  • S-NSSAIs single network slice selection assistance information
  • the signaling (316A, 316B and 318) shows that the OAM 106 may call the cloud manager 108 to instantiate an NF as an NFp 114.
  • the OAM 106 may configure (324A) parameters 326 on the NFp 114.
  • the parameters 326 may include an NF profile that contains at least authorization policies to allow access control on the NF services.
  • the OAM 106 may activate the NFp 114.
  • the authorization policies may be any combination of, e.g., allowed NF types, allowed PLMNs, allowed S-NSSAIs, allowed domains, allowed operations (being allowed to be discovered can be one of the operations), allowed times, allowed serving areas, etc., on the NF service instance.
  • the NFp 114 may transmit (328B) a registration 330 with its NF profile to the NRF 112.
  • the NRF 112 may receive (328A) the registration 330 from the NFp 114.
  • the NRF 112 then holds the NF profile of the NFp 114.
  • the OAM 106 may update (332A) configuration 334 of the NRF 112 to add information of the NFc 110 to the NRF 112.
  • the NRF 112 may receive (332B) the updated configuration 334.
  • the OAM 106 may deploy and configure the NFc 110.
  • the NFc 110 may be deployed by a third party. In this case, the NFc 110 may register to the operator's business support system (BSS)/operation support system (OSS) via a portal.
  • BSS business support system
  • OSS operation support system
  • FIG. 3B illustrates an example signaling process 300B at an operation phase 336 showing how the NRF enforces the access control policies on the NFc when the NFc accesses NRF or NFp services, in accordance with some example embodiments of the present disclosure.
  • FIG. 3B will be described with reference to FIG. 1B.
  • the NFc 110 may transmit (338A) an NF service discovery request 340 to the NRF 112.
  • the NRF 112 may receive (338B) the NF service discovery request 340 from the NFc 110.
  • the NRF 112 may authenticate the NFc 110. After the authentication, the NRF 112 may retrieve the locally registered NFc information based on the ID of the NFc 110.
  • the NRF 112 may authorize the request 340 based on the registered NFc information and the locally configured authorization policies (for the NRF (discovery) service and for the NF services to be discovered).
  • the NRF 112 may transmit (344B) a discovery response 346 with the discovered services to the NFc 110.
  • the NFc 110 may receive (344A) the discovery response 346.
  • the NFc 110 may transmit (348A) an access token request 350 for an NF service to the NRF 112.
  • the NRF 112 may authorize (352) the access token request 350 based on the registered NFc information and the locally stored authorization policies (for the NRF (access token) service and for the NF services to be accessed).
  • the NRF 112 may generate an access token if the request is permitted.
  • the NRF 112 may transmit (354B) a response 356 with the access token to the NFc 110.
  • the NFc 110 may receive (354A) the response 356.
  • the NFc 110 may transmit (358A) a request 360 for the targeted NF service, carrying the access token, to the NFp 114.
  • the NFp 114 may receive (358B) the request 360 from the NFc 110.
  • the NFp 114 may validate (362) the access token.
  • the NFp 114 may transmit (364B) a response 366 with the requested NF service to the NFc 110 if the access token is valid.
  • the NFc 110 may receive (364A) the response 366.
  • the signaling processes in loop 368 may be performed iteratively.
  • the OAM 106 may continue to monitor (370A) the status 372 of the NFp 114.
  • the OAM 106 may update the authorization policies if it detects an anomaly in the NFp 114.
  • the OAM 106 may update (374A) the status 376 of the NFc 110 in the NRF 112.
  • the NRF 112 may receive authorization policies from the OAM 106 or from the NFp 114.
  • the authorization policies may be related to services provided by the NRF 112 (such as NF management services, e.g., NFc registration, update, deregistration, etc.) or related to services provided by the NFp 114 (e.g., discovery, getting an access token to access an NF service, etc.).
  • the first kind of policies may be configured by the OAM 106.
  • the second kind of policies may be configured by the OAM 106, or provided by the NFp 114 when the NFp 114 registers to the NRF 112.
  • the NRF 112 may authorize a request from the NFc 110 for an NRF 112 service (e.g., an NF registration request) based on the NRF 112 service related authorization policies and the NFc information.
  • the NRF 112 may authorize a request from the NFc 110 for NF services (e.g., discovery, or an access token request for accessing an NF service) based on the NF service related authorization policies and the NFc information.
  • the information from the OAM 106 may be the configuration information.
  • the information from the NFp 114 may be an NF profile which includes the authorization policies on the NFp 114.
  • FIG. 4A illustrates an example signaling process 400A at a deployment phase 402 for provisioning trusted NFc information to an NRF by an OAM in accordance with some example embodiments of the present disclosure.
  • FIG. 4A will be described with reference to FIG. 1B.
  • the signaling process 400A in FIG. 4A describes the provisioning of an NFc to an NRF, with an enhancement of the NRM of a general network function to include NFc information, so that the NFc can be automatically provisioned by the 3GPP management system, register to the NRF by itself, and enable the NRF to authorize access requests from the NFc.
  • the signaling process 400A is proposed for an NFc that is trusted to an NRF by the 3GPP management system.
  • a "trusted" NFc may be a 3GPP-defined or 3GPP-compliant NF which plays the role of NF service consumer, and it may take the role of NF service producer in parallel.
  • the signaling (404A, 404B and 406) shows the OAM 106 may call the cloud manager 108 to instantiate an NRF 112.
  • the OAM 106 may configure (412A) parameters 414 on the NRF 112.
  • the parameters 414 may include configuration information for provisioning authorization policies on the NRF 112 to allow access control on the NRF services (e.g., registration, update, deregistration, discovery, getting an access token, etc. ) .
  • the NRF 112 may receive (412B) the parameters 414 from the OAM 106.
  • the OAM 106 may activate the NRF 112.
  • the authorization policies may be any combination of, e.g., allowed NF types, allowed PLMNs, allowed S-NSSAIs, allowed domains, allowed operations, allowed times, allowed serving areas, etc., on the NRF services instance.
  • the signaling (416A, 416B and 418) shows the OAM 106 may call the cloud manager 108 to instantiate an NF as an NFp 114.
  • the signaling (420A, 420B and 422) shows the cloud manager 108 may have successfully instantiated the NF as the NFp 114.
  • the OAM 106 may configure (424A) parameters 426 on the NFp 114.
  • the parameters 426 may include NF Profile which contains at least authorization policies to allow access control on the NF services.
  • the OAM 106 may activate the NFp 114.
  • the authorization policies may be any combination of, e.g., allowed NF types, allowed PLMNs, allowed S-NSSAIs, allowed domains, allowed operations (being allowed to be discovered can be one of the operations), allowed times, allowed serving areas, etc., on the NF services instance.
  • the NFp 114 may transmit (428B) a registration 430 to the NRF 112 with NF profile.
  • the NRF 112 may receive (428A) the registration 430 from the NFp 114.
  • the NRF 112 may have the information of NF profile of the NFp 114.
  • the signaling (432A, 432B and 434) shows the OAM 106 may call the cloud manager 108 to instantiate an NF as the NFc 110.
  • the signaling (436A, 436B and 438) shows the cloud manager 108 may have successfully instantiated the NF as the NFc 110.
  • the OAM 106 may configure (440A) parameters 442 on the NFc 110.
  • the parameters 442 may comprise NFc 110 related information.
  • the OAM 106 may activate the NFc 110.
  • the NFc 110 may register to the NRF 112 with the NFc 110 information.
  • FIG. 4B illustrates an example signaling process 400B at an operation phase 448 showing how the NRF enforces the access control policies on the NFc when the NFc accesses NRF or NFp services.
  • FIG. 4B will be described with reference to FIG. 1B.
  • the NFc 110 may transmit (450A) an NF service discovery request 452 to the NRF 112.
  • the NRF 112 may receive (450B) the NF service discovery request 452 from the NFc 110.
  • the NRF 112 may authenticate the NFc 110. After the authentication, the NRF 112 may get the registered NFc information locally based on the ID of the NFc 110.
  • the NRF 112 may authorize the request 452 based on the registered NFc information and authorization policies (for NRF (discovery) services and NF services to be discovered) configured locally.
  • the NRF 112 may transmit (456B) a discovery response 458 to the NFc 110 with the discovered services.
  • the NFc 110 may receive (456A) the discovery response 458.
  • the NFc 110 may transmit (460A) an access token request 462 for an NF service to the NRF 112.
  • the NRF 112 may authorize (464) the access token request 462 based on the registered NFc information and authorization policies (for NRF (access token) services and NF services to be accessed) configured locally.
  • the NRF 112 may generate an access token if the request is permitted.
  • the NRF 112 may transmit (466B) a response 468 to the NFc 110 with the access token.
  • the NFc 110 may receive (466A) the response 468.
  • the NFc 110 may transmit (470A) a request 472 to the targeted NF service with access token to the NFp 114.
  • the NFp 114 may receive (470B) the request 472 from the NFc 110.
  • the NFp 114 may validate (474) the access token.
  • the NFp 114 may transmit (476B) a response 478 to the NFc 110 with required NF services if the access token is valid.
  • the NFc 110 may receive (476A) the response 478.
  • the signaling processes in loop 480 may be performed iteratively.
  • the OAM 106 may continue to monitor (482A) the status 484 of the NFc 110.
  • the OAM 106 may continue to monitor (486A) the status 488 of the NFp 114.
  • the OAM 106 may update the authorization policies if it detects an anomaly of the NFp 114 or the NFc 110.
  • the OAM 106 may update (490A) the status 492 of the NFc 110 in the NRF 112.
  • a new data type in an NRM is proposed to support NFc information.
  • the NFc information may be e.g., an NFc Instance Id, an NFc Type, an NFc group (such as a PLMN ID, Slice, etc. ) , an OAuth or OAuth 2.0 client property (client type, uniform resource identifier (URI) ) , etc.
  • the NFc information may be generalized to an NF information.
  • a concrete NRM definition may be shown in table 6.
  • the elements of the NFc Group may be also separate attributes.
  • the new data type in an NRF to support NFc information may be part of one NF registry entry if the NF is both an NFc and an NFp. Otherwise, an NRF may maintain a separate registry for NFs acting solely as NFc that only need to register their OAuth client properties.
  • this implementation can configure an NRF and other 5GC NFs to dynamically authorize an NFc to access the 5G NF services. It extends the 5G network management services and procedures, which allows an NFc's access control related information to be managed automatically and dynamically during network deployment and runtime. By this implementation, an access request on any 5GC NF, including an NRF, can be properly authorized at a fine-grained level.
  • FIG. 5 illustrates an example flowchart 500 of an enhancement of network management services in accordance with some example embodiments of the present disclosure.
  • FIG. 5 will be described with reference to FIG. 1A.
  • the first network device 102 determines, for an NFc, NFc information of the NFc to be registered in a second network device 104.
  • the first network device 102 transmits the NFc information to the second network device 104 or the NFc.
  • the first network device 102 may transmit configuration information to the second network device 104.
  • the configuration information may be for provisioning at least one authorization policy on the second network device 104.
  • the configuration information may be for provisioning at least one authorization policy on an NFp.
  • the configuration information may be used to enable an access control on at least one service of the second network device 104 or of the NFp.
  • the NFc information may comprise an NFc instance ID associated with the NFc. In some example embodiments, the NFc information may comprise an NFc type associated with the NFc. In some example embodiments, the NFc information may comprise an NFc group associated with the NFc. In some example embodiments, the NFc information may comprise an OAuth or OAuth 2.0 client property associated with the NFc. In some example embodiments, the NFc information may comprise any combination of the above items.
  • the first network device 102 may transmit the NFc information to the second network device 104 by transmitting, to the second network device 104, a configuration of the second network device 104 for adding the NFc information into the second network device 104.
  • the first network device 102 may transmit the NFc information to the NFc by transmitting, to the NFc, at least one configured parameter comprising the NFc information.
  • the first network device 102 may monitor a status of the NFc. If detecting a change in the status of the NFc, the first network device 102 may update the status of the NFc in the second network device 104.
  • the first network device 102 may monitor at least one of a status of the NFc and a status of the NFp. If detecting an anomaly of at least one of the NFc or the NFp, the first network device 102 may update the at least one authorization policy on the second network device 104 or the NFp. The first network device 102 may transmit the updated at least one authorization policy to the second network device 104.
  • the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed NF type. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed PLMN. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed S-NSSAI.
  • the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed domain. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed operation. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed time. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed serving area. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise any combination of the above items.
  • the second network device 104 may provide an NRF, and the NFc information may be included in at least one attribute in an NRM of one of the NRF and the NFc.
  • the at least one authorization policy on the second network device or on the NFp may be included in attributes of the NRM of the NRF.
  • the attribute may be part of an NF registry entry for the NF. In some example embodiments, if the NF is an NFc but not an NFp, the attribute may be a registry for the NF separated from the NF registry entry.
  • FIG. 6 illustrates another example flowchart 600 of an enhancement of network management services in accordance with some example embodiments of the present disclosure.
  • FIG. 6 will be described with reference to FIG. 1A.
  • the second network device 104 receives configuration information for provisioning at least one authorization policy on the second network device 104 or an NF information comprising at least one authorization policy on the NFp.
  • the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp enables an access control on at least one service of the second network device 104 or of the NFp.
  • the second network device 104 receives, from the first network device 102 or an NFc, NFc information of the NFc to be registered in the second network device 104.
  • the second network device 104 authorizes a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device 104 or on the NFp.
  • the authorization policy for the second network device 104 may always be provided by the second network device 104.
  • the authorization policy for an NF service can be provided by both the NFp (when it registers to the second network device 104 with its NF profile) and the first network device 102 (which provisions or configures the corresponding attributes on the second network device 104).
  • the at least one authorization policy on the NFp may be further provided by the first network device 102.
  • the NFc information may comprise an NFc instance ID associated with the NFc. In some example embodiments, the NFc information may comprise an NFc type associated with the NFc. In some example embodiments, the NFc information may comprise an NFc group associated with the NFc. In some example embodiments, the NFc information may comprise an OAuth client property associated with the NFc. In some example embodiments, the NFc information may comprise any combination of the above items.
  • the service request may be for an NF management service provided by the second network device 104.
  • the second network device 104 may authorize the service request from the NFc by: after authenticating the NFc, obtaining the registered NFc information of the NFc; and authorizing the service request based on the registered NFc information and an authorization policy on the second network device 104.
  • the service request may be for an NF service of the NFp.
  • the second network device 104 may authorize the service request from the NFc by authorizing the service request based on the registered NFc information and an authorization policy on the NFp.
  • the second network device 104 may receive the NFc information from the first network device 102 by receiving a configuration of the second network device for adding the NFc information into the second network device 104.
  • the second network device 104 may receive the NFc information from the NFc by receiving at least one configured parameter comprising the NFc information.
  • the second network device 104 may receive, from the first network device 102, at least one updated authorization policy on the second network device 104 or on the NFp when an anomaly of at least one of the NFc or the NFp is detected.
  • the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed NF type. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed PLMN. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed S-NSSAI.
  • the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed domain. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed operation. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed time. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed serving area. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise any combination of the above items.
  • the second network device 104 may provide an NRF, and the NFc information may be included in at least one attribute in an NRM of one of the NRF and the NFc.
  • the at least one authorization policy on the second network device or on the NFp may be included in attributes of the NRM of the NRF.
  • the attribute may be part of an NF registry entry for the NF. In some example embodiments, if the NF is an NFc but not an NFp, the attribute may be a registry for the NF separated from the NF registry entry.
  • the methods 500 and/or 600 can configure an NRF and other 5GC NFs to dynamically authorize an NFc to access the 5G NF services. They extend the 5G network management services and procedures, which allows an NFc's access control related information to be managed automatically and dynamically during network deployment and runtime. By implementing method 500 or 600, an access request on any 5GC NF, including an NRF, can be properly authorized at a fine-grained level.
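The NRF-side authorization described for the FIG. 4B signaling process and restated abstractly as methods 500 and 600, as an added Python example that is not code from the patent or from any 3GPP or Nokia implementation: the OAM provisions the NRF with an NRF-service policy and NFc information, the NFp supplies its own NF-service policy in its NF profile, and the NRF matches the registered NFc information against the allowed NF types, PLMNs, S-NSSAIs and operations before issuing a token; it also shows the OAM pushing a status or policy update after an anomaly. The policy attribute names, NF identifiers, PLMN and S-NSSAI values and the unsigned token stand-in are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NFcInfo:
    """NFc information as proposed for the NRM: instance id, type, group, OAuth client."""
    nfc_instance_id: str
    nfc_type: str
    plmn_id: str           # NFc group element (constructed)
    snssai: str            # NFc group element (constructed)
    oauth_client_uri: str  # OAuth 2.0 client property (constructed)


@dataclass(frozen=True)
class AuthorizationPolicy:
    """Any combination of allowed-* constraints; an empty set means 'unrestricted'."""
    allowed_nf_types: frozenset = frozenset()
    allowed_plmns: frozenset = frozenset()
    allowed_snssais: frozenset = frozenset()
    allowed_operations: frozenset = frozenset()

    def permits(self, nfc: NFcInfo, operation: str) -> bool:
        checks = [(self.allowed_nf_types, nfc.nfc_type), (self.allowed_plmns, nfc.plmn_id),
                  (self.allowed_snssais, nfc.snssai), (self.allowed_operations, operation)]
        # every configured constraint must hold; any mismatch denies
        return all(not allowed or value in allowed for allowed, value in checks)


class NRF:
    """Minimal NRF: NFc registry, OAM-configured NRF policy, per-NFp NF-service policies."""

    def __init__(self, nrf_policy: AuthorizationPolicy):
        self.nrf_policy = nrf_policy            # first kind of policy, configured by OAM
        self.nf_service_policies: dict = {}     # second kind, from NF profile or OAM
        self.nfc_registry: dict = {}
        self.nfc_status: dict = {}

    # deployment phase: provisioning by OAM / registration by NFs
    def register_nfc(self, nfc: NFcInfo) -> None:
        self.nfc_registry[nfc.nfc_instance_id] = nfc
        self.nfc_status[nfc.nfc_instance_id] = "active"

    def register_nfp(self, nfp_id: str, nf_profile_policy: AuthorizationPolicy) -> None:
        self.nf_service_policies[nfp_id] = nf_profile_policy   # carried in the NF profile

    # operation phase: OAM monitoring results pushed to the NRF
    def update_nfc_status(self, nfc_id: str, status: str) -> None:
        self.nfc_status[nfc_id] = status

    def update_nfp_policy(self, nfp_id: str, policy: AuthorizationPolicy) -> None:
        self.nf_service_policies[nfp_id] = policy              # OAM update after an anomaly

    # operation phase: authorization of NFc requests
    def authorize(self, nfc_id: str, operation: str,
                  target_nfp: Optional[str] = None) -> tuple:
        """Check the NRF-service policy and, when a target NFp is named, that NFp's
        NF-service policy against the registered NFc information."""
        nfc = self.nfc_registry.get(nfc_id)   # looked up by NFc id after authentication
        if nfc is None:
            return False, "NFc not registered"
        if self.nfc_status[nfc_id] != "active":
            return False, "NFc status is " + self.nfc_status[nfc_id]
        if not self.nrf_policy.permits(nfc, operation):
            return False, "NRF policy denies " + operation
        if target_nfp is not None:
            policy = self.nf_service_policies.get(target_nfp)
            if policy is None or not policy.permits(nfc, operation):
                return False, "NF service policy of " + target_nfp + " denies " + operation
        return True, "permitted"

    def issue_access_token(self, nfc_id: str, target_nfp: str) -> Optional[dict]:
        """Constructed, unsigned token stand-in; None when the request is not permitted."""
        ok, _ = self.authorize(nfc_id, "access_token", target_nfp)
        return {"sub": nfc_id, "aud": target_nfp} if ok else None


def demo() -> dict:
    """Walk the FIG. 4B flow with constructed NFs and return the decisions."""
    nrf = NRF(AuthorizationPolicy(allowed_nf_types=frozenset({"SMF", "AMF"}),
                                  allowed_plmns=frozenset({"46000"}),
                                  allowed_operations=frozenset({"discovery", "access_token"})))
    nrf.register_nfp("pcf-1", AuthorizationPolicy(      # from the PCF's NF profile
        allowed_nf_types=frozenset({"SMF"}), allowed_snssais=frozenset({"1-000001"}),
        allowed_operations=frozenset({"discovery", "access_token"})))
    nrf.register_nfc(NFcInfo("smf-1", "SMF", "46000", "1-000001", "https://smf-1.example"))
    nrf.register_nfc(NFcInfo("amf-1", "AMF", "46000", "1-000001", "https://amf-1.example"))
    r = {}
    r["smf_discovery"] = nrf.authorize("smf-1", "discovery", "pcf-1")[0]
    r["smf_token"] = nrf.issue_access_token("smf-1", "pcf-1") is not None
    r["amf_token"] = nrf.issue_access_token("amf-1", "pcf-1") is not None  # PCF allows SMF only
    r["unknown_nfc"] = nrf.authorize("udm-9", "discovery")[0]
    nrf.update_nfc_status("smf-1", "suspended")       # OAM detected an anomaly on the SMF
    r["smf_token_suspended"] = nrf.issue_access_token("smf-1", "pcf-1") is not None
    nrf.update_nfc_status("smf-1", "active")
    nrf.update_nfp_policy("pcf-1", AuthorizationPolicy(  # OAM tightened the PCF policy
        allowed_operations=frozenset({"discovery"})))
    r["smf_token_nfp_tightened"] = nrf.issue_access_token("smf-1", "pcf-1") is not None
    return r
```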
  • an apparatus capable of performing the method 500 may comprise means for performing the respective steps of the method 500.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the apparatus may comprise means for determining, for an NFc, NFc information of the NFc to be registered in a second network device; and means for transmitting the NFc information to the second network device or the NFc.
  • the apparatus may comprise means for transmitting, to the second network device, configuration information for provisioning at least one authorization policy on the second network device or on an NFp to enable an access control on at least one service of the second network device or of the NFp.
  • the NFc information may comprise at least one of the following associated with the NFc: an NFc instance ID, an NFc type, an NFc group or an OAuth client property.
  • the means for transmitting the NFc information to the second network device may comprise means for transmitting, to the second network device, a configuration of the second network device for adding the NFc information into the second network device.
  • the means for transmitting the NFc information to the NFc may comprise means for transmitting, to the NFc, at least one configured parameter comprising the NFc information.
  • the apparatus may comprise means for monitoring a status of the NFc; and means for updating the status of the NFc in the second network device based on detecting a change in the status of the NFc.
  • the apparatus may comprise means for monitoring at least one of a status of the NFc and a status of the NFp; means for updating the at least one authorization policy on the second network device or the NFp based on detecting an anomaly of at least one of the NFc or the NFp; and means for transmitting the updated at least one authorization policy to the second network device.
  • the at least one authorization policy on the second network device or the at least one authorization policy on the NFp comprises at least one of the following: at least one allowed NF type, at least one allowed PLMN, at least one allowed S-NSSAI, at least one allowed domain, at least one allowed operation, at least one allowed time; or at least one allowed serving area.
  • the second network device may provide an NRF, and the NFc information may be included in at least one attribute in an NRM of one of the NRF and the NFc.
  • the at least one authorization policy on the second network device or on the NFp may be included in attributes of the NRM of the NRF.
  • in the event that an NF is both an NFc and an NFp, the attribute may be part of an NF registry entry for the NF. In some example embodiments, in the event that the NF is an NFc but not an NFp, the attribute may be a registry for the NF separated from the NF registry entry.
  • the apparatus may further comprise means for performing other steps in some example embodiments of the method 500.
  • the means comprises at least one processor and at least one memory including computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the performance of the apparatus.
  • an apparatus capable of performing the method 600 may comprise means for performing the respective steps of the method 600.
  • the means may be implemented in any suitable form.
  • the means may be implemented in a circuitry or software module.
  • the apparatus may comprise means for receiving, from a first network device or an NFp, configuration information for provisioning at least one authorization policy on the second network device or an NF information comprising at least one authorization policy on the NFp to enable an access control on at least one service of the second network device or of the NFp; means for receiving, from the first network device or an NFc, NFc information of the NFc to be registered in the second network device; and means for authorizing a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
  • the at least one authorization policy on the NFp may be further provided by the first network device.
  • the NFc information may comprise at least one of the following associated with the NFc: an NFc instance ID, an NFc type, an NFc group or an OAuth client property.
  • the service request may be for an NF management service provided by the second network device.
  • the means for authorizing a service request may comprise means for obtaining the registered NFc information of the NFc after authenticating the NFc; and means for authorizing the service request based on the registered NFc information and an authorization policy on the second network device.
  • the service request may be for an NF service of the NFp.
  • the means for authorizing a service request may comprise means for authorizing the service request based on the registered NFc information and an authorization policy on the NFp.
  • the means for receiving the NFc information from the first network device may comprise means for receiving a configuration of the second network device for adding the NFc information into the second network device.
  • the means for receiving the NFc information from the NFc may comprise means for receiving, from the NFc, at least one configured parameter comprising the NFc information.
  • the apparatus may comprise means for receiving, from the first network device, at least one updated authorization policy on the second network device or on the NFp when an anomaly of at least one of the NFc or the NFp is detected.
  • the at least one authorization policy on the second network device or the at least one authorization policy on the NFp comprises at least one of the following: at least one allowed NF type, at least one allowed PLMN, at least one allowed S-NSSAI, at least one allowed domain, at least one allowed operation, at least one allowed time; or at least one allowed serving area.
  • the second network device may provide an NRF, and the NFc information may be included in at least one attribute in an NRM of one of the NRF and the NFc.
  • the at least one authorization policy on the second network device or on the NFp may be included in attributes of the NRM of the NRF.
  • in the event that an NF is both an NFc and an NFp, the attribute may be part of an NF registry entry for the NF. In some example embodiments, in the event that the NF is an NFc but not an NFp, the attribute may be a registry for the NF separated from the NF registry entry.
  • the apparatus may further comprise means for performing other steps in some example embodiments of the method 600.
  • the means comprises at least one processor and at least one memory including computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the performance of the apparatus.
  • FIG. 7 illustrates an example simplified block diagram of a device that is suitable for implementing embodiments of the present disclosure.
  • the device 700 may be provided to implement the communication device, for example the first network device 102 as shown in FIG. 1A.
  • the device 700 includes one or more processors 710, one or more memories 720 coupled to the processor 710, and one or more communication modules 740 coupled to the processor 710.
  • the communication module 740 is for bidirectional communications.
  • the communication module 740 has at least one antenna to facilitate communication.
  • the communication interface may represent any interface that is necessary for communication with other network elements, for example the communication interface may be wireless or wireline to other network elements, or software based interface for communication.
  • the processor 710 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples.
  • the device 700 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
  • the memory 720 may include one or more non-volatile memories and one or more volatile memories.
  • the non-volatile memories include, but are not limited to, a read only memory (ROM) 724, an electrically programmable read only memory (EPROM) , a flash memory, a hard disk, a compact disc (CD) , a digital video disk (DVD) , and other magnetic storage and/or optical storage.
  • the volatile memories include, but are not limited to, a random access memory (RAM) 722 and other volatile memories whose contents do not persist while power is off.
  • a computer program 730 includes computer executable instructions that are executed by the associated processor 710.
  • the program 730 may be stored in the ROM 724.
  • the processor 710 may perform any suitable actions and processing by loading the program 730 into the RAM 722.
  • the embodiments of the present disclosure may be implemented by means of the program so that the device 700 may perform any process of the disclosure as discussed with reference to FIG. 2 to FIG. 6.
  • the embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
  • the program 730 may be tangibly contained in a computer readable medium which may be included in the device 700 (such as in the memory 720) or other storage devices that are accessible by the device 700.
  • the device 700 may load the program 730 from the computer readable medium to the RAM 722 for execution.
  • the computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like.
  • FIG. 10 shows an example of the computer readable medium 800 in form of CD or DVD.
  • the computer readable medium has the program 730 stored thereon.
  • various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
  • the present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium.
  • the computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the methods 500 or 600 as described above with reference to FIG. 5 or FIG. 6.
  • program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types.
  • the functionality of the program modules may be combined or split between program modules as desired in various embodiments.
  • Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
  • Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
  • the program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
  • the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above.
  • Examples of the carrier include a signal, computer readable medium, and the like.
  • the computer readable medium may be a computer readable signal medium or a computer readable storage medium.
  • a computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
  • non-transitory is a limitation of the medium itself (i.e., tangible, not a signal) as opposed to a limitation on data storage persistency (e.g., RAM vs. ROM) .

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Multimedia (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present disclosure relate to an enhancement of network management services. In an aspect, a first network device determines, for a network function (NF) service consumer (NFc), NFc information of the NFc to be registered in a second network device. The first network device further transmits the NFc information to the second network device or the NFc. By implementing the embodiments of the present disclosure, a network repository function (NRF) and other fifth generation (5G) core network (5GC) NFs can be configured to dynamically authorize an NFc to access the 5G NF services.

Description

ENHANCEMENT OF NETWORK MANAGEMENT SERVICES
FIELD
Various example embodiments generally relate to the field of communication, and in particular, to network devices, methods, apparatuses and a computer readable storage medium for enhancement of network management services.
BACKGROUND
When a network function (NF) service consumer (NFc) (e.g., a session management function, SMF) wants to access a service (e.g., a service provided by a policy control function, PCF), it may be required to request an access token to access the service. Requests for access tokens may be received and handled by an authorization server. The authorization server may be implemented by another network function, for instance a network repository function (NRF).
SUMMARY
In general, example embodiments of the present disclosure provide network devices, methods, apparatuses and a computer readable storage medium for enhancing network management services. For example, the solution provided by the example embodiments of the present disclosure can configure an NRF and other fifth generation (5G) core network (5GC) NFs to dynamically authorize an NFc to access the 5G NF services.
In a first aspect, there is provided a first network device. The first network device may comprise at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the first network device at least to: determine, for an NF service consumer (NFc), NFc information of the NFc to be registered in a second network device; and transmit the NFc information to the second network device or the NFc.
In a second aspect, there is provided a second network device. The second network device may comprise at least one processor and at least one memory storing instructions that, when executed by the at least one processor, cause the second network device at least to: receive, from a first network device or an NF service producer (NFp), configuration information for provisioning at least one authorization policy on the second network device or an NF information comprising at least one authorization policy on the NFp to enable an access control on at least one service of the second network device or of the NFp; receive, from the first network device or an NFc, NFc information of the NFc to be registered in the second network device; and authorize a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
In a third aspect, there is provided a method. The method may comprise: determining, at a first network device, for an NFc, NFc information of the NFc to be registered in a second network device; and transmitting, at the first network device, the NFc information to the second network device or the NFc.
In a fourth aspect, there is provided a method. The method may comprise: receiving, at a second network device and from a first network device or an NFp, configuration information for provisioning at least one authorization policy on the second network device or an NF information comprising at least one authorization policy on the NFp to enable an access control on at least one service of the second network device or of the NFp; receiving, at the second network device, from the first network device or an NFc, NFc information of the NFc to be registered in the second network device; and authorizing, at the second network device, a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
In a fifth aspect, there is provided an apparatus. The apparatus may comprise: means for determining, for an NFc, NFc information of the NFc to be registered in a second network device; and means for transmitting the NFc information to the second network device or the NFc.
In a sixth aspect, there is provided an apparatus. The apparatus may comprise: means for receiving, from a first network device or an NFp, configuration information for provisioning at least one authorization policy on the second network device or an NF information comprising at least one authorization policy on the NFp to enable an access control on at least one service of the second network device or of the NFp; means for receiving, from the first network device or an NFc, NFc information of the NFc to be registered in the second network device; and means for authorizing a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
In a seventh aspect, there is provided a non-transitory computer readable medium comprising program instructions for causing an apparatus to perform at least the method according to the third or fourth aspect.
In an eighth aspect, there is provided a computer program comprising instructions, which, when executed by an apparatus, cause the apparatus at least to: determine, for an NFc, NFc information of the NFc to be registered in a second network device; and transmit the NFc information to the second network device or the NFc.
In a ninth aspect, there is provided a computer program comprising instructions, which, when executed by an apparatus, cause the apparatus at least to: receive, from a first network device or an NFp, configuration information for provisioning at least one authorization policy on the second network device or an NF information comprising at least one authorization policy on the NFp to enable an access control on at least one service of the second network device or of the NFp; receive, from the first network device or an NFc, NFc information of the NFc to be registered in the second network device; and authorize a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
In a tenth aspect, there is provided a first network device. The first network device may comprise a determining circuitry configured to determine, for an NFc, NFc information of the NFc to be registered in a second network device; and a transmitting circuitry configured to transmit the NFc information to the second network device or the NFc.
In an eleventh aspect, there is provided a second network device. The second network device may comprise a first receiving circuitry configured to receive, from a first network device or an NFp, configuration information for provisioning at least one authorization policy on the second network device or an NF information comprising at least one authorization policy on the NFp to enable an access control on at least one service of the second network device or of the NFp; a second receiving circuitry configured to receive, from the first network device or an NFc, NFc information of the NFc to be registered in the second network device; and an authorizing circuitry configured to authorize a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
It is to be understood that the summary section is not intended to identify key or essential features of embodiments of the present disclosure, nor is it intended to be used to limit the scope of the present disclosure. Other features of the present disclosure will become easily comprehensible through the following description.
BRIEF DESCRIPTION OF THE DRAWINGS
Some example embodiments will now be described with reference to the accompanying drawings, in which:
FIG. 1A illustrates an example communication network environment in which example embodiments of the present disclosure may be implemented;
FIG. 1B illustrates another example communication network environment in which example embodiments of the present disclosure may be implemented;
FIG. 1C illustrates an example registration procedure of an NFc to an NRF related to some example embodiments of the present disclosure;
FIG. 1D illustrates an example operation and maintenance (O&M) registering an NFc to an NRF related to some example embodiments of the present disclosure;
FIG. 1E illustrates an example lifecycle of a network slice management related to some example embodiments of the present disclosure;
FIG. 2 illustrates an example signaling process for an enhancement of network management services in accordance with some example embodiments of the present disclosure;
FIGS. 3A and 3B illustrate example signaling processes for provisioning untrusted NFc information to an NRF by an operations, administration and management (OAM) in accordance with some example embodiments of the present disclosure;
FIGS. 4A and 4B illustrate example signaling processes for provisioning trusted NFc information to an NRF by an OAM in accordance with some example embodiments of the present disclosure;
FIG. 5 illustrates an example flowchart of an enhancement of network management services in accordance with some example embodiments of the present disclosure;
FIG. 6 illustrates another example flowchart of an enhancement of network management services in accordance with some example embodiments of the present disclosure;
FIG. 7 illustrates an example simplified block diagram of a device that is suitable for implementing embodiments of the present disclosure; and
FIG. 8 illustrates an example block diagram of an example computer readable medium in accordance with some example embodiments of the present disclosure.
Throughout the drawings, the same or similar reference numerals represent the same or similar element.
DETAILED DESCRIPTION
Principles of the present disclosure will now be described with reference to some example embodiments. It is to be understood that these embodiments are described only for the purpose of illustration and help those skilled in the art to understand and implement the present disclosure, without suggesting any limitation as to the scope of the disclosure. The disclosure described herein may be implemented in various manners other than the ones described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skills in the art to which the present disclosure belongs.
References in the present disclosure to “one embodiment,” “an embodiment,” “an example embodiment,” and the like indicate that the embodiment described may include a particular feature, structure, or characteristic, but it is not necessary that every embodiment includes the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It may be understood that although the terms “first” and “second” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element, and similarly, a second element could be termed a first element, without departing from the scope of example embodiments. As used herein, the term “and/or” includes any and all combinations of one or more of the listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises”, “comprising”, “has”, “having”, “includes” and/or “including”, when used herein, specify the presence of stated features, elements, and/or components etc., but do not preclude the presence or addition of one or more other features, elements, components and/or combinations thereof. As used herein, “at least one of the following: <a list of two or more elements>” and “at least one of <a list of two or more elements>” and similar wording, where the list of two or more elements is joined by “and” or “or”, mean at least any one of the elements, or at least any two or more of the elements, or at least all the elements.
As used in this application, the term “circuitry” may refer to one or more or all of the following:
(a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) and
(b) combinations of hardware circuits and software, such as (as applicable):
(i) a combination of analog and/or digital hardware circuit(s) with software/firmware and
(ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions) and
(c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s) that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, a cellular network device, or other computing or network device.
As used herein, the term “communication network” refers to a network following any suitable communication standards, such as long term evolution (LTE), LTE-advanced (LTE-A), wideband code division multiple access (WCDMA), high-speed packet access (HSPA), narrow band Internet of things (NB-IoT) and so on. Furthermore, the communications between a terminal device and a network device in the communication network may be performed according to any suitable generation communication protocols, including, but not limited to, the third generation (3G), the fourth generation (4G), 4.5G, the fifth generation (5G) communication protocols, and/or beyond. Embodiments of the present disclosure may be applied in various communication systems. Given the rapid development in communications, there will of course also be future type communication technologies and systems with which the present disclosure may be embodied. It should not be seen as limiting the scope of the present disclosure to only the aforementioned system.
As used herein, the term “network device” refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom, or refers to a node in a network management system. The network device may refer to a base station (BS) or an access point (AP), for example, a node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), a New Radio (NR) NB (also referred to as a gNB), a remote radio unit (RRU), a radio header (RH), a remote radio head (RRH), a relay, a low power node such as a femto, a pico, a management function (MnF) and so forth, depending on the applied terminology and technology.
The term “terminal device” refers to any end device that may be capable of wireless communication. By way of example rather than limitation, a terminal device may also be referred to as a communication device, user equipment (UE), a subscriber station (SS), a portable subscriber station, a mobile station (MS), or an access terminal (AT). The terminal device may include, but is not limited to, a mobile phone, a cellular phone, a smart phone, voice over IP (VoIP) phones, wireless local loop phones, a tablet, a wearable terminal device, a personal digital assistant (PDA), portable computers, desktop computer, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback appliances, vehicle-mounted wireless terminal devices, wireless endpoints, mobile stations, laptop-embedded equipment (LEE), laptop-mounted equipment (LME), USB dongles, smart devices, wireless customer-premises equipment (CPE), an Internet of things (IoT) device, a watch or other wearable, a head-mounted display (HMD), a vehicle, a drone, a medical device and applications (e.g., remote surgery), an industrial device and applications (e.g., a robot and/or other wireless devices operating in an industrial and/or an automated processing chain contexts), a consumer electronics device, a device operating on commercial, a relay node, an integrated access and backhaul (IAB) node, and/or industrial wireless networks, and the like. In the following description, the terms “terminal device”, “communication device”, “terminal”, “user equipment” and “UE” may be used interchangeably.
As used herein, the terms “resource”, “transmission resource”, “resource block”, “physical resource block” (PRB), “uplink (UL) resource” or “downlink (DL) resource” may refer to any resource for performing a communication, for example, a communication between a terminal device and a network device, such as a resource in time domain, a resource in frequency domain, a resource in space domain, a resource in code domain, a resource in a combination of more than one domain or any other resource enabling a communication, and the like. In the following, a resource in time domain (such as a subframe) will be used as an example of a transmission resource for describing some example embodiments of the present disclosure. It is noted that example embodiments of the present disclosure are equally applicable to other resources in other domains.
As discussed above, an NRF may be used as an authorization server. TR 33.875 discussed NRF validation of NFc. For example, the following table 1 summarizes problems (such as Key issue #11) which have been discussed in TR 33.875.


TABLE 1
There is a solution to Key Issue #11 based on the Nnrf_AccessToken service. This has been discussed in S3-230313 as shown in table 2.

TABLE 2
However, this solution does not yet address the case of using service mesh to register an NF consumer to an NRF, nor address the context of using hierarchical NRFs.
There is a solution to Key Issue #11 as shown in table 1 based on O&M Provisioning NRF with NFc Profile. This has been discussed in S3-230313 as shown in table 3.

TABLE 3
However, this solution does not yet address the case of using service mesh to register an NF consumer to an NRF, nor address the context of using hierarchical NRFs.
Regarding the TSs on O&M in the SA5 specifications (TSs 28.xxx), a series of management and orchestration related TSs (28.xxx) were defined in 3GPP SA5 to enable automation of 5G network and network slice deployment and operation. For example, these are summarized in table 4.
TABLE 4
From TR 33.875, there is a conclusion on KI#11, which is shown in table 5.

TABLE 5
Therefore, as described above and with reference to tables 1-5 (problems pointed out by KI#11), there is an open issue in the R18 service based architecture (SBA) security study regarding how the NRF authorizes access token requests from an NFc, due to the lack of the NFc's information and access control policies in the NRF.
That is because an NF that is not acting as a service producer has no service profile registered in the NRF. Nevertheless, the NFc needs to be known to the NRF as an open authorization (OAuth) 2.0 client in order to request an authorization token for using services of other NFs.
Two solutions were proposed at the SA3#109ah meeting. One solution (2.2) suggested that an NFc registers itself to an NRF. Another solution (2.3) suggested that an OAM registers the NFc to the NRF. However, neither solution can work properly and automatically without enhancement of the management services and procedures.
In addition, there is also a gap in standardization regarding how to granularly authorize access requests for NRF registration and discovery services. Currently, the authorization is only based on the NF type or NF service type of a general NF service producer (NFp), but the NRF services themselves are not covered.
Therefore, example embodiments of the present disclosure provide a solution for enhancement of network management services. This solution extends the 5G network management services and procedures, which allows an NFc's access control related information to be managed automatically and dynamically during network deployment and runtime. The solution provided by the present disclosure allows an access request on any 5GC NF, including an NRF, to be properly authorized at a fine-grained level.
For illustrative purposes, principles and example embodiments of the present disclosure for enhancement of network management services will be described below with reference to FIG. 1A-FIG. 8. However, it is to be noted that these embodiments are given to enable those skilled in the art to understand the inventive concepts of the present disclosure and implement the solution as proposed herein, and are not intended to limit the scope of the present application in any way.
Reference is made to FIG. 1A, which illustrates an example communication network environment 100A in which example embodiments of the present disclosure may be implemented. The communication network environment 100A, which may be a part of a communication network, includes a first network device 102 and a second network device 104.
As illustrated in FIG. 1A, the first network device 102 may also be referred to as an OAM 102 or an MnF 102. The second network device 104 may also be referred to as an NRF 104 (such as an OAuth 2.0 authorization server). The first network device 102 and the second network device 104 can communicate with each other.
The first network device 102 may call a third party entity (such as a cloud manager) to instantiate the second network device 104. The first network device 102 may configure the second network device 104. For example, the first network device 102 may transmit configuration information to the second network device 104. The configuration information can enable an access control on the NRF services (such as registration, deregistration, update, discovery, and getting an access token). Further, the first network device 102 may activate the second network device 104.
Reference is made to FIG. 1B, which illustrates another example communication network environment 100B in which example embodiments of the present disclosure may be implemented. The communication network environment 100B may comprise an NRF 112 (which may correspond to the second network device 104 as shown in FIG. 1A). In the 5GC SBA, to be discovered and consumed by other NFs, each NF instance needs to be registered to the NRF 112. For example, the NRF 112 may support the corresponding functionalities, such as receiving an NF discovery request from an NF instance, providing the information of the discovered NF instances to the requesting NF instance, and maintaining the NF profiles of available NF instances and their supported services.
The communication network environment 100B may comprise multiple NFs having capabilities for providing one or more specific services. For example, the communication network environment 100B may comprise an NFp 114 and an NFc 110. In general, the NFc 110 may request a specific service provided from the NFp 114. In the communication network environment 100B, the NFp 114 can be registered to the NRF 112.
Furthermore, the communication network environment 100B may also comprise an OAM 106 (which may correspond to the first network device 102 as shown in FIG. 1A). The OAM 106 may be considered a network management node. The OAM 106 may manage multiple NFs, such as the NFp 114 and the NFc 110. The OAM 106 may also manage the NRF 112. The OAM 106 may further communicate with a cloud manager 108. The cloud manager 108 may be used to instantiate an NF or an NRF.
The NRF 112 may store NF profile or NF service profile. For example, the NRF 112 may store parameters, authorization policies and any attributes or information related to an NF or NF service received from the OAM 106, the NFc 110 or the NFp 114.
Reference is made to FIG. 1C, which illustrates an example registration procedure 100C of an NFc to an NRF related to some example embodiments of the present disclosure. As shown in FIG. 1C, an OAuth 2.0 client 116 may transmit (120) a request 124 to an authorization server 118. The request 124 may be an NNRF_AccessToken_ClientRegister request. The authorization server 118 may receive the request 124.
The authorization server 118 may store (126) information about the OAuth 2.0 client 116. The authorization server 118 may transmit (130) a response 132 to the OAuth 2.0 client 116. The response 132 may be an NNRF_AccessToken_ClientRegister response.
FIG. 1C describes a secure way of registering an OAuth 2.0 client profile to the NRF that protects against an NFc impersonating another NFc. FIG. 1C requires modification in conventional implementations of NF consumers, NRF, and O&M.
Reference is made to FIG. 1D, which illustrates an example (100D) O&M registering an NFc to an NRF related to some example embodiments of the present disclosure. FIG. 1D depicts a high-level O&M-based mechanism for an O&M registering the NF consumer to the NRF.
At 134, an O&M may be configured with OAuth 2.0 client information of the NFc 142. An O&M and orchestration 136 may provision the NFc 142 with necessary information. The O&M and orchestration 136 may register the NFc 142 to the NRF 144. FIG. 1D leaves the secure provisioning of the OAuth 2.0 client profile to the security system between the O&M and NRF. FIG. 1D requires modification in conventional implementations of NF consumers, NRF, and O&M.
Reference is made to FIG. 1E, which illustrates an example lifecycle 100E of a network slice management related to some example embodiments of the present disclosure. FIG. 1E depicts example concepts, use cases and requirements, including automatic slice management during its lifecycle 100E. As shown in FIG. 1E, preparation 146 may comprise design 148, on-boarding 150 and network environment preparation 152. The lifecycle of a network slice instance 154 may comprise commissioning 156, operation 162 and decommissioning 172.
The commissioning 156 may comprise creation 158. The operation 162 may comprise activation 160, supervision 164, reporting 166, modification 168 and deactivation 170. The decommissioning 172 may comprise termination 174.
Reference is made to FIG. 2, which illustrates an example signaling process 200 for an enhancement of network management services in accordance with some example embodiments of the present disclosure. FIG. 2 will be described with reference to FIG. 1A.
As shown in FIG. 2, the first network device 102 determines NFc information 204. For example, the first network device 102 may determine (202) an NF which has been instantiated or registered as the NFc, and determine the NFc information 204. The NFc is to be registered in the second network device 104. The first network device 102 transmits (206) the NFc information 204 to the second network device 104 or the NFc. The second network device 104 receives (208) the NFc information 204 from the first network device 102 or the NFc.
The first network device 102 may transmit (210) configuration information 212 to the second network device 104. The configuration information 212 provisions at least one authorization policy on the second network device 104 or authorization policy on the NFp. The second network device 104 receives (216) the configuration information 212 from the first network device 102. The second network device 104 receives (216) NF information comprising at least one authorization policy on the NFp from the NFp.
The at least one authorization policy on the second network device 104 enables an access control on at least one service of the second network device 104. The at least one authorization policy on the NFp enables an access control on at least one service of the second network device 104 or of the NFp.
The second network device 104 authorizes (218) a service request from the NFc based on the registered NFc information 204 and the at least one authorization policy on the second network device 104 or on the NFp.
By implementing the example embodiment shown in FIG. 2, an NRF and other 5GC NFs can be configured to dynamically authorize an NFc to access the 5G NF services.
Reference is made to FIG. 3A, which illustrates an example signaling process 300A at a deployment phase 302 for provisioning untrusted NFc information to an NRF by an OAM in accordance with some example embodiments of the present disclosure. FIG. 3A will be described with reference to FIG. 1B.
The signaling process 300A in FIG. 3A describes the provisioning of an NFc to an NRF with an enhancement of the network resource model (NRM) of the NRF. The NRM can include authorization policies to allow the NRF to be automatically provisioned by the management system, and to enable access permissions to be dynamically granted to an NRF service consumer. The signaling process 300A is proposed for an NFc which is untrusted to an NRF by the 3GPP management system. For example, an "untrusted" NFc may be a non-3GPP NF, e.g., an application function which plays only the role of NF service consumer.
As shown in FIG. 3A, the signaling (304A, 304B and 306) shows the OAM 106 may call the cloud manager 108 to instantiate an NRF 112. The signaling (308A, 308B and 310) shows the cloud manager 108 may have successfully instantiated the NRF 112.
The OAM 106 may configure (312A) parameters 314 on the NRF 112. The parameters 314 may include configuration information for provisioning authorization policies on the NRF 112 to allow access control on the NRF services (e.g., registration, update, deregistration, discovery, getting an access token, etc.). The NRF 112 may receive (312B) the parameters 314 from the OAM 106. The OAM 106 may activate the NRF 112. The authorization policies may be any combination of, e.g., allowed NF types, allowed public land mobile networks (PLMNs), allowed single network slice selection assistance information (S-NSSAIs), allowed domains, allowed operations, allowed times, allowed serving areas, etc., on the NRF service instance.
The signaling (316A, 316B and 318) shows the OAM 106 may call the cloud manager 108 to instantiate an NF as an NFp 114. The signaling (320A, 320B and 322) shows the cloud manager 108 may have successfully instantiated the NF as the NFp 114.
The OAM 106 may configure (324A) parameters 326 on the NFp 114. The parameters 326 may include NF Profile which contains at least authorization policies to allow access control on the NF services. The OAM 106 may activate the NFp 114. The authorization policies may be any combination of, e.g. allowed NF types, allowed PLMNs, allowed S-NSSAIs, allowed domains, allowed operations (allowed to be discovered can be one of operations) , allowed times, allowed serving areas, etc., on the NF services instance.
The NFp 114 may transmit (328B) a registration 330 to the NRF 112 with NF profile. The NRF may receive (328A) the registration 330 from the NFp 114. The NRF 112 may have the information of NF profile of the NFp 114. The OAM 106 may update (332A) configuration 334 of the NRF 112 to add information of the NFc 110 to the NRF 112. The NRF 112 may receive (332B) the updated configuration 334. In some example embodiments, the OAM 106 may deploy and configure the NFc 110. In some example embodiments, the NFc 110 may be deployed by a 3rd party. In this case, the NFc 110 may register to business support system (BSS) /operation support system (OSS) of operator via a portal.
Reference is made to FIG. 3B, which illustrates an example signaling process 300B at an operation phase 336 for how the NRF enforces the access control policies on the NFc when the NFc accesses NRF or NFp services in accordance with some example embodiments of the present disclosure. FIG. 3B will be described with reference to FIG. 1B.
As shown in FIG. 3B, the NFc 110 may transmit (338A) an NF service discovery request 340 to the NRF 112. The NRF 112 may receive (338B) the NF service discovery request 340 from the NFc 110. The NRF 112 may authenticate the NFc 110. After the authentication, the NRF 112 may get registered NFc information locally based on the ID of the NFc 110. The NRF 112 may authorize the request 340 based on the registered NFc information and authorization policies (for NRF (discovery) services and NF services to be discovered) configured locally.
If the NFc 110's request 340 is allowed, the NRF 112 may transmit (344B) discovery response 346 to the NFc 110 with discovered services. The NFc 110 may receive (344A) the discovery response 346. The NFc 110 may transmit (348A) access token request 350 for an NF service to the NRF 112. The NRF 112 may authorize (352) the access token request 350 based on the registered NFc information and authorization policies (for NRF (access token) services and NF services to be accessed) stored locally. The NRF 112 may generate access token if the request is permitted.
The NRF 112 may transmit (354B) a response 356 to the NFc 110 with the access token. The NFc 110 may receive (354A) the response 356. The NFc 110 may transmit (358A) a request 360 to the targeted NF service with access token to the NFp 114. The NFp 114 may receive (358B) the request 360 from the NFc 110. The NFp 114 may validate (362)  the access token. The NFp 114 may transmit (364B) a response 366 to the NFc 110 with required NF services if the access token is valid. The NFc 110 may receive (364A) the response 366.
In some example embodiments, the signaling processes in loop 368 may be performed iteratively. The OAM 106 may continue to monitor (370A) the status 372 of the NFp 114. The OAM 106 may update authorization policies if it detects an anomaly of the NFp 114. The OAM 106 may update (374A) the status 376 of the NFc 110 in the NRF 112.
In some example embodiments, the NRF 112 may receive authorization policies from the OAM 106 or the NFp 114. The authorization policies may be related to services provided by the NRF 112 (such as NF management services, e.g., NFc registration, update, deregistration, etc.) or related to services provided by the NFp 114 (e.g., discovery, getting an access token to access an NF service, etc.). Generally, the first kind of policies may be configured by the OAM 106, and the second kind of policies may be configured by the OAM 106, or provided by the NFp 114 when the NFp 114 registers with the NRF 112.
In some example embodiments, the NRF 112 may authorize the NFc 110 request for an NRF 112 service (e.g., an NF registration request) based on the NRF 112 service related authorization policies and the NFc information. The NRF 112 may authorize the NFc 110 request for NF services (e.g., discovery, or a get access token request for accessing an NF service) based on the NF service related authorization policies and the NFc information.
In some example embodiments, the information from the OAM 106 may be the configuration information. In some example embodiments, the information from the NFp 114 may be an NF profile which includes authorization policies on the NFp 114.
Reference is made to FIG. 4A, which illustrates an example signaling process 400A at a deployment phase 402 for provisioning trusted NFc information to an NRF by an OAM in accordance with some example embodiments of the present disclosure. FIG. 4A will be described with reference to FIG. 1B.
The signaling process 400A in FIG. 4A describes provisioning an NFc to an NRF with an enhancement of the NRM of a general network function to include NFc information, so that the NFc can be automatically provisioned by the 3GPP management system, then register with the NRF by itself, and the NRF can authorize the access request from the NFc.
The signaling process 400A is proposed for an NFc that is trusted by an NRF through the 3GPP management system. For example, a "trusted" NFc may be a 3GPP-defined or 3GPP-compliant NF which plays the role of NF service consumer, and it may take the role of NF service producer in parallel.
As shown in FIG. 4A, the signaling (404A, 404B and 406) shows the OAM 106 may call the cloud manager 108 to instantiate an NRF 112. The signaling (408A, 408B and 410) shows the cloud manager 108 may have successfully instantiated the NRF 112.
The OAM 106 may configure (412A) parameters 414 on the NRF 112. The parameters 414 may include configuration information for provisioning authorization policies on the NRF 112 to allow access control on the NRF services (e.g., registration, update, deregistration, discovery, getting an access token, etc.). The NRF 112 may receive (412B) the parameters 414 from the OAM 106. The OAM 106 may activate the NRF 112. The authorization policies may be any combination of, e.g., allowed NF types, allowed PLMNs, allowed S-NSSAIs, allowed domains, allowed operations, allowed times, allowed serving areas, etc., on the NRF services instance.
The signaling (416A, 416B and 418) shows the OAM 106 may call the cloud manager 108 to instantiate an NF as an NFp 114. The signaling (420A, 420B and 422) shows the cloud manager 108 may have successfully instantiated the NF as the NFp 114.
The OAM 106 may configure (424A) parameters 426 on the NFp 114. The parameters 426 may include an NF Profile which contains at least authorization policies to allow access control on the NF services. The OAM 106 may activate the NFp 114. The authorization policies may be any combination of, e.g., allowed NF types, allowed PLMNs, allowed S-NSSAIs, allowed domains, allowed operations (being allowed to be discovered can be one of the operations), allowed times, allowed serving areas, etc., on the NF services instance.
The NFp 114 may transmit (428B) a registration 430 to the NRF 112 with the NF profile. The NRF may receive (428A) the registration 430 from the NFp 114. The NRF 112 then holds the NF profile information of the NFp 114. The signaling (432A, 432B and 434) shows the OAM 106 may call the cloud manager 108 to instantiate an NF as the NFc 110. The signaling (436A, 436B and 438) shows the cloud manager 108 may have successfully instantiated the NF as the NFc 110.
The OAM 106 may configure (440A) parameters 442 on the NFc 110. The parameters 442 may comprise NFc 110 related information. The OAM 106 may activate the NFc 110. The NFc 110 may register to the NRF 112 with the NFc 110 information.
Reference is made to FIG. 4B, which illustrates an example signaling process 400B at an operation phase 448 for how the NRF enforces the access control policies on the NFc when the NFc accesses NRF or NFp services. FIG. 4B will be described with reference to FIG. 1B.
As shown in FIG. 4B, the NFc 110 may transmit (450A) an NF service discovery request 452 to the NRF 112. The NRF 112 may receive (450B) the NF service discovery request 452 from the NFc 110. The NRF 112 may authenticate the NFc 110. After the authentication, the NRF 112 may get registered NFc information locally based on the ID of the NFc 110. The NRF 112 may authorize the request 452 based on the registered NFc information and authorization policies (for NRF (discovery) services and NF services to be discovered) configured locally.
If the NFc 110's request 452 is allowed, the NRF 112 may transmit (456B) discovery response 458 to the NFc 110 with discovered services. The NFc 110 may receive (456A) the discovery response 458. The NFc 110 may transmit (460A) access token request 462 for an NF service to the NRF 112. The NRF 112 may authorize (464) the access token request 462 based on the registered NFc information and authorization policies (for NRF (access token) services and NF services to be accessed) configured locally. The NRF 112 may generate access token if the request is permitted.
The NRF 112 may transmit (466B) a response 468 to the NFc 110 with the access token. The NFc 110 may receive (466A) the response 468. The NFc 110 may transmit (470A) a request 472 to the targeted NF service with the access token to the NFp 114. The NFp 114 may receive (470B) the request 472 from the NFc 110. The NFp 114 may validate (474) the access token. The NFp 114 may transmit (476B) a response 478 to the NFc 110 with the required NF services if the access token is valid. The NFc 110 may receive (476A) the response 478.
In some example embodiments, the signaling processes in loop 480 may be performed iteratively. The OAM 106 may continue to monitor (482A) the status 484 of the NFc 110. The OAM 106 may continue to monitor (486A) the status 488 of the NFp 114. The OAM 106 may update authorization policies if it detects an anomaly of the NFp 114 or the NFc 110. The OAM 106 may update (490A) the status 492 of the NFc 110 in the NRF 112.
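The authorization steps of FIG. 3B and FIG. 4B, together with the two kinds of policies described above (NRF service policies configured by the OAM, and NF service policies carried in the NFp's NF profile), can be modelled in code. The following is an added example written for this page, not code from the patent or from any 3GPP implementation; the NF types, PLMN IDs, S-NSSAIs, client IDs and the timestamp are constructed sample values, and the token is a plain dictionary standing in for an OAuth 2.0 access token.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed timestamp used by the scenario below (inside the 06:00-22:00 window).
SAMPLE_NOW = datetime(2024, 1, 1, 10, 0)


@dataclass
class NfcInfo:
    """NFc information held in the NRF registry (the data type of table 6)."""
    instance_id: str
    nf_type: str
    plmn: str               # NFc group: PLMN ID
    snssai: str             # NFc group: slice
    domain: str
    oauth_client_id: str    # OAuth 2.0 client property
    status: str = "active"  # maintained by the OAM during operation (374A / 490A)


@dataclass
class Policy:
    """Authorization policy; an empty set means no restriction on that item."""
    allowed_nf_types: set = field(default_factory=set)
    allowed_plmns: set = field(default_factory=set)
    allowed_snssais: set = field(default_factory=set)
    allowed_domains: set = field(default_factory=set)
    allowed_operations: set = field(default_factory=set)
    allowed_hours: tuple = ()   # (start_hour, end_hour); empty = any time
    allowed_serving_areas: set = field(default_factory=set)

    def permits(self, nfc, operation, now, serving_area):
        checks = [
            ("nf_type", self.allowed_nf_types, nfc.nf_type),
            ("plmn", self.allowed_plmns, nfc.plmn),
            ("snssai", self.allowed_snssais, nfc.snssai),
            ("domain", self.allowed_domains, nfc.domain),
            ("operation", self.allowed_operations, operation),
            ("serving_area", self.allowed_serving_areas, serving_area),
        ]
        for name, allowed, value in checks:
            if allowed and value not in allowed:
                return False, f"{name} {value!r} not allowed"
        if self.allowed_hours:
            start, end = self.allowed_hours
            if not start <= now.hour < end:
                return False, f"hour {now.hour} outside allowed window"
        return True, "allowed"


class Nrf:
    def __init__(self, nrf_policy):
        self.nrf_policy = nrf_policy  # 312A / 412A: NRF service policy from the OAM
        self.nfc_registry = {}        # 332A: OAM-provisioned, or self-registered NFc
        self.nfp_policies = {}        # 328B / 428B: NF service policy per NF profile

    def provision_nfc(self, info):            # OAM adds NFc information (332A)
        self.nfc_registry[info.instance_id] = info

    def register_nfp(self, nf_type, policy):  # NFp registers with its NF profile
        self.nfp_policies[nf_type] = policy

    def update_nfc_status(self, instance_id, status):  # OAM status update (374A / 490A)
        self.nfc_registry[instance_id].status = status

    def authorize(self, nfc_id, operation, target_nf_type=None, now=None, serving_area="area-1"):
        """Authorize an already authenticated NFc's request; returns (allowed, reason)."""
        now = now or datetime.now()
        nfc = self.nfc_registry.get(nfc_id)   # registered NFc information, looked up by ID
        if nfc is None:
            return False, "NFc not registered"
        if nfc.status != "active":
            return False, f"NFc status is {nfc.status}"
        # Layer 1: policy for the NRF service itself (registration, discovery, token, ...)
        ok, why = self.nrf_policy.permits(nfc, operation, now, serving_area)
        if not ok:
            return False, "NRF policy: " + why
        # Layer 2: for discovery / access token, also the NF service policy of the target NFp
        if operation in ("discovery", "access_token"):
            nfp_policy = self.nfp_policies.get(target_nf_type)
            if nfp_policy is None:
                return False, f"no NF profile for {target_nf_type}"
            ok, why = nfp_policy.permits(nfc, operation, now, serving_area)
            if not ok:
                return False, "NF service policy: " + why
        return True, "allowed"

    def issue_token(self, nfc_id, target_nf_type, now=None):
        """Access token request (348A / 460A): a token is generated only if permitted (352 / 464)."""
        now = now or datetime.now()
        ok, why = self.authorize(nfc_id, "access_token", target_nf_type, now)
        if not ok:
            return None, why
        return {"sub": nfc_id, "aud": target_nf_type, "exp": now + timedelta(hours=1)}, "issued"


def nfp_validate_token(token, own_nf_type, now=None):
    """Token validation at the NFp (362 / 474): audience and expiry must match."""
    now = now or datetime.now()
    return token is not None and token["aud"] == own_nf_type and token["exp"] > now


def run_scenario():
    """Constructed walk-through of FIG. 3B / 4B; returns the authorization outcomes."""
    nrf = Nrf(Policy(allowed_nf_types={"AMF", "SMF", "AF"}, allowed_plmns={"310-260"},
                     allowed_operations={"register", "update", "discovery", "access_token"}))
    nrf.register_nfp("UDM", Policy(allowed_nf_types={"AMF", "SMF"}, allowed_snssais={"1-000001"},
                                   allowed_operations={"discovery", "access_token"}, allowed_hours=(6, 22)))
    nrf.provision_nfc(NfcInfo("amf-1", "AMF", "310-260", "1-000001", "core.example", "amf-1-cli"))
    nrf.provision_nfc(NfcInfo("af-9", "AF", "310-260", "1-000002", "partner.example", "af-9-cli"))
    results = {"amf_discovery": nrf.authorize("amf-1", "discovery", "UDM", SAMPLE_NOW)[0],
               "af_discovery": nrf.authorize("af-9", "discovery", "UDM", SAMPLE_NOW)[0]}
    token, _ = nrf.issue_token("amf-1", "UDM", SAMPLE_NOW)
    results["amf_token_valid_at_udm"] = nfp_validate_token(token, "UDM", SAMPLE_NOW)
    results["amf_token_valid_at_smf"] = nfp_validate_token(token, "SMF", SAMPLE_NOW)
    nrf.update_nfc_status("amf-1", "suspended")  # OAM reacts to a detected anomaly
    results["amf_discovery_after_suspend"] = nrf.authorize("amf-1", "discovery", "UDM", SAMPLE_NOW)[0]
    return results
```

The scenario shows the two policy layers acting independently: the third-party AF passes the NRF policy but is refused by the UDM's NF service policy, and a status update by the OAM blocks a previously authorized NFc without any policy change.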
In some example embodiments, a new data type in an NRM is proposed to support NFc information. The NFc information may be, e.g., an NFc Instance Id, an NFc Type, an NFc group (such as a PLMN ID, Slice, etc.), an OAuth or OAuth 2.0 client property (client type, uniform resource identifier (URI)), etc. In some example embodiments, the NFc information may be generalized to NF information. In some example embodiments, a concrete NRM definition may be shown in table 6.
TABLE 6
In some example embodiments, instead of the NFc Group, the elements of the NFc Group may also be separate attributes. For example, the new data type in an NRF to support NFc information may be part of one NF registry entry, if the NF is both an NFc and an NFp. Otherwise, an NRF may maintain a separate registry for NFs acting solely as NFc that only need to register their OAuth client properties.
By implementing the example embodiments shown in FIG. 3A to FIG. 4B, an NRF and other 5GC NFs can be configured to dynamically authorize an NFc to access the 5G NF services. This extends the 5G network management services and procedures, allowing an NFc's access control related information to be managed automatically and dynamically during network deployment and runtime. By this implementation, an access request on any 5GC NF, including an NRF, can be properly authorized at a fine-grained level.
Reference is made to FIG. 5, which illustrates an example flowchart 500 of an enhancement of network management services in accordance with some example embodiments of the present disclosure. FIG. 5 will be described with reference to FIG. 1A.
At 502, the first network device 102 determines, for an NFc, NFc information of the NFc to be registered in a second network device 104. At 504, the first network device 102 transmits the NFc information to the second network device 104 or the NFc.
In some example embodiments, the first network device 102 may transmit configuration information to the second network device 104. The configuration information may be for provisioning at least one authorization policy on the second network device 104. In some example embodiments, configuration information may be for provisioning at least one authorization policy on an NFp. The configuration information may be used to enable an access control on at least one service of the second network device 104 or of the NFp.
In some example embodiments, the NFc information may comprise an NFc instance ID associated with the NFc. In some example embodiments, the NFc information may comprise an NFc type associated with the NFc. In some example embodiments, the NFc information may comprise an NFc group associated with the NFc. In some example embodiments, the NFc information may comprise an OAuth or OAuth 2.0 client property associated with the NFc. In some example embodiments, the NFc information may comprise any combination of the above items.
In some example embodiments, if the NFc is not trusted by the second network device 104, the first network device 102 may transmit the NFc information to the second network device 104 by transmitting, to the second network device 104, a configuration of the second network device 104 for adding the NFc information into the second network device 104.
In some example embodiments, if the NFc is trusted by the second network device 104, the first network device 102 may transmit the NFc information to the NFc by transmitting, to the NFc, at least one configured parameter comprising the NFc information.
In some example embodiments, the first network device 102 may monitor a status of the NFc. If detecting a change in the status of the NFc, the first network device 102 may update the status of the NFc in the second network device 104.
In some example embodiments, the first network device 102 may monitor at least one of a status of the NFc and a status of the NFp. If detecting an anomaly of at least one of the NFc or the NFp, the first network device 102 may update the at least one authorization policy on the second network device 104 or the NFp. The first network device 102 may transmit the updated at least one authorization policy to the second network device 104.
In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed NF type. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed PLMN. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed S-NSSAI.
In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed domain. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed operation. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed time. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed serving area. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise any combination of the above items.
In some example embodiments, the second network device 104 may provide an NRF, and the NFc information may be included in at least one attribute in an NRM of one of the NRF and the NFc. In some example embodiments, the at least one authorization policy on the second network device or on the NFp may be included in attributes of the NRM of the NRF.
In some example embodiments, if an NF is both an NFc and an NFp, the attribute may be part of an NF registry entry for the NF. In some example embodiments, if the NF is  an NFc but not an NFp, the attribute may be a registry for the NF separated from the NF registry entry.
Reference is made to FIG. 6, which illustrates another example flowchart 600 of an enhancement of network management services in accordance with some example embodiments of the present disclosure. FIG. 6 will be described with reference to FIG. 1A.
At 602, the second network device 104 receives configuration information for provisioning at least one authorization policy on the second network device 104 or an NF information comprising at least one authorization policy on the NFp. The at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp enables an access control on at least one service of the second network device 104 or of the NFp.
At 604, the second network device 104 receives, from the first network device 102 or an NFc, NFc information of the NFc to be registered in the second network device 104. At 606, the second network device 104 authorizes a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device 104 or on the NFp.
In some example embodiments, the authorization policy for the second network device 104 may be always provided by the second network device 104. In some example embodiments, the authorization policy for NF service can be provided by both the NFp (when it registers to the second network device 104 with NF profile) and the first network device 102 (provision or configure corresponding attributes to the second network device 104) . In some example embodiments, the at least one authorization policy on the NFp may be further provided by the first network device 102.
In some example embodiments, the NFc information may comprise an NFc instance ID associated with the NFc. In some example embodiments, the NFc information may comprise an NFc type associated with the NFc. In some example embodiments, the NFc information may comprise an NFc group associated with the NFc. In some example embodiments, the NFc information may comprise an OAuth client property associated with the NFc. In some example embodiments, the NFc information may comprise any combination of the above items.
In some example embodiments, the service request may be for an NF management service provided by the second network device 104. The second network device 104 may authorize the service request from the NFc by, after authenticating the NFc, obtaining the registered NFc information of the NFc; and authorizing the service request based on the registered NFc information and an authorization policy on the second network device.
In some example embodiments, the service request may be for an NF service of the NFp. The second network device 104 may authorize the service request from the NFc by authorizing the service request based on the registered NFc information and an authorization policy on the NFp.
In some example embodiments, if the NFc is not trusted by the second network device 104, the second network device 104 may receive the NFc information from the first network device 102 by receiving a configuration of the second network device for adding the NFc information into the second network device 104.
In some example embodiments, if the NFc is trusted by the second network device 104, the second network device 104 may receive the NFc information from the NFc by receiving at least one configured parameter comprising the NFc information.
In some example embodiments, the second network device 104 may receive, from the first network device 102, at least one updated authorization policy on the second network device 104 or on the NFp based on an anomaly of at least one of the NFc or the NFp being detected.
In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed NF type. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed PLMN. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed S-NSSAI.
In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed domain. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed operation. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed time. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise at least one allowed serving area. In some example embodiments, the at least one authorization policy on the second network device 104 or the at least one authorization policy on the NFp may comprise any combination of the above items.
In some example embodiments, the second network device 104 may provide an NRF, and the NFc information may be included in at least one attribute in an NRM of one of the NRF and the NFc. In some example embodiments, the at least one authorization policy on the second network device or on the NFp may be included in attributes of the NRM of the NRF.
In some example embodiments, if an NF is both an NFc and an NFp, the attribute may be part of an NF registry entry for the NF. In some example embodiments, if the NF is an NFc but not an NFp, the attribute may be a registry for the NF separated from the NF registry entry.
By implementing the methods 500 and/or 600, an NRF and other 5GC NFs can be configured to dynamically authorize an NFc to access the 5G NF services. This extends the 5G network management services and procedures, allowing an NFc's access control related information to be managed automatically and dynamically during network deployment and runtime. By the implementations of methods 500 or 600, an access request on any 5GC NF, including an NRF, can be properly authorized at a fine-grained level.
In some example embodiments, an apparatus capable of performing the method 500 (for example, the first network device 102) may comprise means for performing the respective steps of the method 500. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module.
In some example embodiments, the apparatus may comprise means for determining, for an NFc, NFc information of the NFc to be registered in a second network device; and means for transmitting the NFc information to the second network device or the NFc.
In some example embodiments, the apparatus may comprise means for transmitting, to the second network device, configuration information for provisioning at least one authorization policy on the second network device or on an NFp to enable an access control on at least one service of the second network device or of the NFp.
In some example embodiments, the NFc information may comprise at least one of the following associated with the NFc: an NFc instance ID, an NFc type, an NFc group or an OAuth client property.
In some example embodiments, the means for transmitting the NFc information to the second network device may comprise means for transmitting, to the second network device, a configuration of the second network device for adding the NFc information into the second network device.
In some example embodiments, the means for transmitting the NFc information to the NFc may comprise means for transmitting, to the NFc, at least one configured parameter comprising the NFc information.
In some example embodiments, the apparatus may comprise means for monitoring a status of the NFc; and means for updating the status of the NFc in the second network device based on detecting a change in the status of the NFc.
In some example embodiments, the apparatus may comprise means for monitoring at least one of a status of the NFc and a status of the NFp; means for updating the at least one authorization policy on the second network device or the NFp based on detecting an anomaly of at least one of the NFc or the NFp; and means for transmitting the updated at least one authorization policy to the second network device.
In some example embodiments, the at least one authorization policy on the second network device or the at least one authorization policy on the NFp comprises at least one of the following: at least one allowed NF type, at least one allowed PLMN, at least one allowed S-NSSAI, at least one allowed domain, at least one allowed operation, at least one allowed time, or at least one allowed serving area.
In some example embodiments, the second network device may provide an NRF, and the NFc information may be included in at least one attribute in an NRM of one of the NRF and the NFc.
In some example embodiments, the at least one authorization policy on the second network device or on the NFp may be included in attributes of the NRM of the NRF. In some example embodiments, in the event that an NF is both an NFc and an NFp, the attribute may be part of an NF registry entry for the NF. In some example embodiments, in the event that the NF is an NFc but not an NFp, the attribute may be a registry for the NF separated from the NF registry entry.
In some example embodiments, the apparatus may further comprise means for performing other steps in some example embodiments of the method 500. In some example embodiments, the means comprises at least one processor and at least one memory including computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the performance of the apparatus.
In some example embodiments, an apparatus capable of performing the method 600 (for example, the second network device 104) may comprise means for performing the respective steps of the method 600. The means may be implemented in any suitable form. For example, the means may be implemented in a circuitry or software module.
In some example embodiments, the apparatus may comprise means for receiving, from a first network device or an NFp, configuration information for provisioning at least one authorization policy on the second network device or an NF information comprising at least one authorization policy on the NFp to enable an access control on at least one service of the second network device or of the NFp; means for receiving, from the first network device or an NFc, NFc information of the NFc to be registered in the second network device; and means for authorizing a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
In some example embodiments, the at least one authorization policy on the NFp may be further provided by the first network device. In some example embodiments, the NFc information may comprise at least one of the following associated with the NFc: an NFc instance ID, an NFc type, an NFc group or an OAuth client property.
In some example embodiments, the service request may be for an NF management service provided by the second network device. The means for authorizing a service request may comprise means for obtaining the registered NFc information of the NFc after authenticating the NFc; and means for authorizing the service request based on the registered NFc information and an authorization policy on the second network device.
In some example embodiments, the service request may be for an NF service of the NFp. The means for authorizing a service request may comprise means for authorizing the service request based on the registered NFc information and an authorization policy on the NFp.
In some example embodiments, the means for receiving the NFc information from the first network device may comprise means for receiving, from the NFc, at least one configured parameter comprising the NFc information.
In some example embodiments, the means for receiving the NFc information from the NFc may comprise means for receiving, from the NFc, at least one configured parameter comprising the NFc information.
In some example embodiments, the apparatus may comprise means for receiving, from the first network device, at least one updated authorization policy on the second network device or on the NFp based on an anomaly of at least one of the NFc or the NFp being detected.
In some example embodiments, the at least one authorization policy on the second network device or the at least one authorization policy on the NFp comprises at least one of the following: at least one allowed NF type, at least one allowed PLMN, at least one allowed S-NSSAI, at least one allowed domain, at least one allowed operation, at least one allowed time, or at least one allowed serving area.
In some example embodiments, the second network device may provide an NRF, and the NFc information may be included in at least one attribute in an NRM of one of the NRF and the NFc.
In some example embodiments, the at least one authorization policy on the second network device or on the NFp may be included in attributes of the NRM of the NRF. In some example embodiments, in the event that an NF is both an NFc and an NFp, the attribute may be part of an NF registry entry for the NF. In some example embodiments, in the event that the NF is an NFc but not an NFp, the attribute may be a registry for the NF separated from the NF registry entry.
In some example embodiments, the apparatus may further comprise means for performing other steps in some example embodiments of the method 600. In some example embodiments, the means comprises at least one processor and at least one memory including computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the performance of the apparatus.
Reference is made to FIG. 7, which illustrates an example simplified block diagram of a device that is suitable for implementing embodiments of the present disclosure. The device 700 may be provided to implement the communication device, for example the first network device 102 as shown in FIG. 1A. As shown, the device 700 includes one or more processors 710, one or more memories 720 coupled to the processor 710, and one or more communication modules 740 coupled to the processor 710.
The communication module 740 is for bidirectional communications. The communication module 740 has at least one antenna to facilitate communication. The communication interface may represent any interface that is necessary for communication with other network elements, for example the communication interface may be wireless or wireline to other network elements, or software based interface for communication.
The processor 710 may be of any type suitable to the local technical network and may include one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs) and processors based on multicore processor architecture, as non-limiting examples. The device 700 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
The memory 720 may include one or more non-volatile memories and one or more volatile memories. Examples of the non-volatile memories include, but are not limited to, a read only memory (ROM) 724, an electrically programmable read only memory (EPROM), a flash memory, a hard disk, a compact disc (CD), a digital video disk (DVD), and other magnetic storage and/or optical storage. Examples of the volatile memories include, but are not limited to, a random access memory (RAM) 722 and other volatile memories that do not retain their contents while power is off.
A computer program 730 includes computer executable instructions that are executed by the associated processor 710. The program 730 may be stored in the ROM 724. The processor 710 may perform any suitable actions and processing by loading the program 730 into the RAM 722.
The embodiments of the present disclosure may be implemented by means of the program so that the device 700 may perform any process of the disclosure as discussed with reference to FIG. 2 to FIG. 6. The embodiments of the present disclosure may also be implemented by hardware or by a combination of software and hardware.
In some example embodiments, the program 730 may be tangibly contained in a computer readable medium which may be included in the device 700 (such as in the memory 720) or other storage devices that are accessible by the device 700. The device 700 may load the program 730 from the computer readable medium to the RAM 722 for execution. The computer readable medium may include any types of tangible non-volatile storage, such as ROM, EPROM, a flash memory, a hard disk, CD, DVD, and the like. FIG. 10 shows an example of the computer readable medium 800 in form of CD or DVD. The computer readable medium has the program 730 stored thereon.
Generally, various embodiments of the present disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of embodiments of the present disclosure are illustrated and described as block diagrams, flowcharts, or using some other pictorial representations, it is to be understood that the block, apparatus, system, technique or method described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer readable storage medium. The computer program product includes computer-executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor, to carry out the methods 500 or 600 as described above with reference to FIG. 5 or FIG. 6. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, or the like that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or split between program modules as desired in various embodiments. Machine-executable instructions for program modules may be executed within a local or distributed device. In a distributed device, program modules may be located in both local and remote storage media.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowcharts and/or block diagrams to be implemented. The program code may execute entirely on a machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present disclosure, the computer program codes or related data may be carried by any suitable carrier to enable the device, apparatus or processor to perform various processes and operations as described above. Examples of the carrier include a signal, computer readable medium, and the like.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of the computer readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. The term “non-transitory,” as used herein, is a limitation of the medium itself (i.e., tangible, not a signal) as opposed to a limitation on data storage persistency (e.g., RAM vs. ROM).
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are contained in the above discussions, these should not be construed as limitations on the scope of the present disclosure, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments may also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment may also be implemented in multiple embodiments separately or in any suitable sub-combination.
Although the present disclosure has been described in languages specific to structural features and/or methodological acts, it is to be understood that the present disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (26)

  1. A first network device comprising:
    at least one processor; and
    at least one memory storing instructions that, when executed by the at least one processor, cause the first network device at least to:
    determine, for a network function (NF) service consumer (NFc), NFc information of the NFc to be registered in a second network device; and
    transmit the NFc information to the second network device or the NFc.
  2. The first network device of claim 1, wherein the first network device is further caused to:
    transmit, to the second network device, configuration information for provisioning at least one authorization policy on the second network device or on a network function service producer (NFp) to enable an access control on at least one service of the second network device or of the NFp.
  3. The first network device of claim 1 or 2, wherein the NFc information comprises at least one of the following associated with the NFc:
    an NFc instance identifier (ID);
    an NFc type;
    an NFc group; or
    an open authorization (OAuth) client property.
  4. The first network device of any of claims 1-3, wherein the first network device is further caused to transmit the NFc information to the second network device by:
    transmitting, to the second network device, a configuration of the second network device for adding the NFc information into the second network device.
  5. The first network device of any of claims 1-3, wherein the first network device is caused to transmit the NFc information to the NFc by:
    transmitting, to the NFc, at least one configured parameter comprising the NFc information.
  6. The first network device of claim 5, wherein the first network device is further caused to:
    monitor a status of the NFc; and
    based on detecting a change in the status of the NFc, update the status of the NFc in the second network device.
  7. The first network device of any of claims 2-5, wherein the first network device is further caused to:
    monitor at least one of a status of the NFc and a status of the NFp;
    based on detecting an anomaly of at least one of the NFc or the NFp, update the at least one authorization policy on the second network device or the NFp; and
    transmit the updated at least one authorization policy to the second network device.
  8. The first network device of any of claims 1-7, wherein the at least one authorization policy on the second network device or the at least one authorization policy on the NFp comprises at least one of the following:
    at least one allowed NF type;
    at least one allowed public land mobile network (PLMN);
    at least one allowed single network slice selection assistance information (S-NSSAI);
    at least one allowed domain;
    at least one allowed operation;
    at least one allowed time; or
    at least one allowed serving area.
  9. The first network device of any of claims 1-8, wherein the second network device provides a network repository function (NRF), and the NFc information is included in at least one attribute in a network resource model (NRM) of one of the NRF and the NFc.
  10. The first network device of claim 9, wherein the at least one authorization policy on the second network device or on the NFp is included in attributes of the NRM of the NRF.
  11. The first network device of claim 9 or 10, wherein:
    in the event that an NF is both an NFc and an NFp, the attribute is part of an NF registry entry for the NF; or
    in the event that the NF is an NFc but not an NFp, the attribute is a registry for the NF separated from the NF registry entry.
  12. A second network device comprising:
    at least one processor; and
    at least one memory storing instructions that, when executed by the at least one processor, cause the second network device at least to:
    receive, from a first network device or a network function (NF) service producer (NFp), configuration information for provisioning at least one authorization policy on the second network device or an NF information comprising at least one authorization policy on the NFp to enable an access control on at least one service of the second network device or of the NFp;
    receive, from the first network device or an NF service consumer (NFc), NFc information of the NFc to be registered in the second network device; and
    authorize a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
  13. The second network device of claim 12, wherein the at least one authorization policy on the NFp is further provided by the first network device.
  14. The second network device of claim 12 or 13, wherein the NFc information comprises at least one of the following associated with the NFc:
    an NFc instance identifier (ID);
    an NFc type;
    an NFc group; or
    an open authorization (OAuth) client property.
  15. The second network device of any of claims 12-14, wherein the service request is for an NF management service provided by the second network device, and the second network device is caused to authorize the service request from the NFc by:
    after authenticating the NFc, obtaining the registered NFc information of the NFc; and
    authorizing the service request based on the registered NFc information and an authorization policy on the second network device.
  16. The second network device of any of claims 12-14, wherein the service request is for an NF service of the NFp, and the second network device is caused to authorize the service request from the NFc by:
    authorizing the service request based on the registered NFc information and an authorization policy on the NFp.
  17. The second network device of any of claims 12-16, wherein the second network device is caused to receive the NFc information from the first network device by:
    receiving, from the first network device, a configuration of the second network device for adding the NFc information into the second network device.
  18. The second network device of any of claims 12-16, wherein the second network device is caused to receive the NFc information from the NFc by:
    receiving, from the NFc, at least one configured parameter comprising the NFc information.
  19. The second network device of claim 17 or 18, wherein the second network device is further caused to:
    receive, from the first network device, at least one updated authorization policy on the second network device or on the NFp based on an anomaly of at least one of the NFc or the NFp being detected.
  20. The second network device of any of claims 12-19, wherein the at least one authorization policy on the second network device or the at least one authorization policy on the NFp comprises at least one of the following:
    at least one allowed NF type;
    at least one allowed public land mobile network (PLMN);
    at least one allowed single network slice selection assistance information (S-NSSAI);
    at least one allowed domain;
    at least one allowed operation;
    at least one allowed time; or
    at least one allowed serving area.
  21. The second network device of any of claims 12-20, wherein the second network device provides a network repository function (NRF), and the NFc information is included in at least one attribute in a network resource model (NRM) of one of the NRF and the NFc.
  22. The second network device of claim 21, wherein the at least one authorization policy on the second network device or on the NFp is included in attributes of the NRM of the NRF.
  23. The second network device of claim 20 or 21, wherein:
    in the event that an NF is both an NFc and an NFp, the attribute is part of an NF registry entry for the NF; or
    in the event that the NF is an NFc but not an NFp, the attribute is a registry for the NF separated from the NF registry entry.
  24. A method comprising:
    determining, at a first network device, for a network function (NF) service consumer (NFc), NFc information of the NFc to be registered in a second network device; and
    transmitting, at the first network device, the NFc information to the second network device or the NFc.
  25. A method comprising:
    receiving, at a second network device and from a first network device or a network function (NF) service producer (NFp), configuration information for provisioning at least one authorization policy on the second network device or an NF information comprising at least one authorization policy on the NFp to enable an access control on at least one service of the second network device or of the NFp;
    receiving, at the second network device, from the first network device or a network function (NF) service consumer (NFc), NFc information of the NFc to be registered in the second network device; and
    authorizing, at the second network device, a service request from the NFc based on the registered NFc information and the at least one authorization policy on the second network device or on the NFp.
  26. A non-transitory computer readable medium comprising program instructions for causing an apparatus to perform at least a method of claim 24 or 25.
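The authorization step of claims 12 to 20, written out as an added Python example that is not part of the patent: an NRF-side store of NFc registrations (claim 14) and allowed-* policies (claim 20), with a deny-by-default check that also covers the authenticate-first rule for the NRF's own management services (claim 15) and a policy update pushed after an anomaly (claim 19). The class names, the "HH:MM" time window and the attribute layout of NfcInfo are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class NfcInfo:                                  # NFc information, claim 14
    instance_id: str
    nf_type: str
    group: str = ""
    oauth_client: dict = field(default_factory=dict)   # OAuth client property
    plmn: str = ""        # constructed: attributes the allowed-* lists match on
    snssai: str = ""
    domain: str = ""
    serving_area: str = ""

@dataclass
class AuthPolicy:                               # allowed-* lists, claim 20
    allowed_nf_types: list = field(default_factory=list)   # empty = unrestricted
    allowed_plmns: list = field(default_factory=list)
    allowed_snssais: list = field(default_factory=list)
    allowed_domains: list = field(default_factory=list)
    allowed_operations: list = field(default_factory=list)
    allowed_time: tuple = ()                    # ("HH:MM", "HH:MM") window, or ()
    allowed_serving_areas: list = field(default_factory=list)

class Nrf:
    """Second network device: stores NFc registrations and policies and
    authorizes service requests against them (claims 12-19)."""
    NRF_SELF = "NRF"     # policy key for the NRF's own management services

    def __init__(self):
        self.nfc_registry = {}   # instance_id -> NfcInfo, from first device or NFc
        self.policies = {}       # "NRF" or NFp instance id -> AuthPolicy

    def register_nfc(self, info):
        self.nfc_registry[info.instance_id] = info

    def provision_policy(self, target, policy):
        # also the path for an updated policy after an anomaly (claim 19)
        self.policies[target] = policy

    def authorize(self, nfc_id, target, operation, now, authenticated=True):
        """Return (allowed, reason). A request for the NRF's own management
        service is evaluated only after the NFc is authenticated (claim 15)."""
        if target == self.NRF_SELF and not authenticated:
            return False, "NFc not authenticated"
        info = self.nfc_registry.get(nfc_id)
        if info is None:
            return False, "NFc not registered"
        pol = self.policies.get(target)
        if pol is None:
            return False, "no policy provisioned for target"   # deny by default
        checks = [
            (pol.allowed_nf_types, info.nf_type, "NF type"),
            (pol.allowed_plmns, info.plmn, "PLMN"),
            (pol.allowed_snssais, info.snssai, "S-NSSAI"),
            (pol.allowed_domains, info.domain, "domain"),
            (pol.allowed_operations, operation, "operation"),
            (pol.allowed_serving_areas, info.serving_area, "serving area"),
        ]
        for allowed, value, name in checks:
            if allowed and value not in allowed:
                return False, f"{name} {value!r} not allowed"
        if pol.allowed_time and not (pol.allowed_time[0] <= now <= pol.allowed_time[1]):
            return False, f"time {now} outside allowed window"
        return True, "authorized"
```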
PCT/CN2023/094037 2023-05-12 2023-05-12 Enhancement of network management services Pending WO2024234176A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2023/094037 WO2024234176A1 (en) 2023-05-12 2023-05-12 Enhancement of network management services
Publications (1)

Publication Number Publication Date
WO2024234176A1 true WO2024234176A1 (en) 2024-11-21
Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109688586A (en) * 2017-10-19 2019-04-26 中兴通讯股份有限公司 A kind of method, apparatus and computer readable storage medium of network function certification
US20190251241A1 (en) * 2018-02-15 2019-08-15 Nokia Technologies Oy Security management for service authorization in communication systems with service-based architecture
CN111435932A (en) * 2019-01-14 2020-07-21 华为技术有限公司 A token processing method and device
WO2022000155A1 (en) * 2020-06-29 2022-01-06 Nokia Shanghai Bell Co., Ltd. Access control of service based management framework
CN114145031A (en) * 2019-07-26 2022-03-04 瑞典爱立信有限公司 Registering and requesting services in a service-based architecture
Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23936869

Country of ref document: EP

Kind code of ref document: A1