
WO2025159662A1 - Network, ue and method for ue for joining a cluster in a communication network


Info

Publication number: WO2025159662A1
Authority: WO, WIPO (PCT)
Prior art keywords: cluster, joining, server, network, mno
Legal status: Pending
Application number: PCT/SE2024/050049
Other languages: French (fr)
Inventor: Yu Liu, Aitor Hernandez HERRANZ
Current Assignee: Telefonaktiebolaget LM Ericsson AB
Original Assignee: Telefonaktiebolaget LM Ericsson AB
Application filed by Telefonaktiebolaget LM Ericsson AB
Priority to PCT/SE2024/050049
Publication of WO2025159662A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/009 Security arrangements; Authentication; Protecting privacy or anonymity specially adapted for networks, e.g. wireless sensor networks, ad-hoc networks, RFID networks or cloud networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor

Definitions

  • the present disclosure relates generally to the field of cloud network platforms. More particularly, it relates to a method, computing device and computer program products for enabling a networked mobile device or user equipment, UE, to join a cluster.
  • Network platforms are used for coordinating networked mobile devices or user terminals/user equipment, UEs, such as a mobile robot fleet by a cluster near the network edge.
  • the network platforms are also expected to provide services beyond connectivity such as computation offloading and workload orchestration, which enables the networked mobile devices or UEs to work collaboratively with each other and distribute workloads across computing (device-edge-cloud) continuum.
  • a need for a standardized cloud network platform for overseeing distributed computing across networked devices and the network edge has been of significant importance.
  • many open source systems, for example Kubernetes, have been recognized as a default orchestration platform for cloud-native clusters to deploy and administer applications.
  • such orchestration platforms have been the default choice to manage distributed computation in networked mobile devices or UEs as it offers scalable and flexible orchestration in network edge environments.
  • the current process for enabling a networked mobile UE to join a cluster involves utilizing the standard Kubernetes joining process, which supports various authentication methods such as client certificates, bearer tokens, service account tokens, Webhook token authentication, bootstrap tokens, authentication proxy, node authorizer and the like.
  • bootstrap or discovery tokens are used for authentication of network terminals such as UEs and server APIs.
  • the bootstrap or discovery token, known by the cluster administrator, is shared with a UE to facilitate the UE to join a cluster.
  • Transport Layer Security (TLS) bootstrapping occurs to establish secure communication between the UE and the cluster.
  • the bootstrap or discovery tokens are distributed during the cluster bootstrap process by a cluster administrator to the UE to join a cluster.
  • an additional interface needs to be defined to provision the bootstrap or discovery tokens to the UE.
  • the complexity of requiring an additional interface becomes a hurdle in large-scale deployments of mobile UEs, such as mobile robot fleets, as each user device or equipment needs to be configured with joining credentials during manufacturing or afterwards by asset owners. This additional step may introduce inefficiencies and potential security risks, especially in scenarios where UEs are in motion, frequently joining and switching clusters, as seen in vehicles or drones.
  • a network for initiating communication between a first User Equipment, UE, and a first cluster from a plurality of clusters comprises one or more servers arranged for communication with one or more UEs.
  • the first cluster comprises a cluster API server arranged to authenticate the UE to join the at least one UE in the first cluster.
  • a first server of the one or more servers comprises a joining server arranged to receive a session establishment request to join the first cluster from said first UE to provide an access to one or more resources of the first cluster to the first UE.
  • the joining server is further arranged to request an authentication key from a Mobile Network Operator, MNO, serving the first UE.
  • the joining server is further arranged to create a joining token in the cluster API server by using the authentication key from the MNO, wherein the joining token is of use to allow the first UE to join the first cluster.
  • the joining server is further arranged to send a response to the first UE for the session establishment request to notify the first UE regarding the creation of the joining token, wherein the response comprises information about at least one unique identifier for the cluster API server.
  • a first UE from the one or more UEs comprises a controlling circuitry configured to create the joining token by using the authentication key, after a response is received from the joining server, wherein the authentication key is received from the MNO.
  • the controlling circuitry of the first UE is further configured to mutually authenticate the first UE and the cluster API server by using the joining token.
  • the controlling circuitry of the first UE is further configured to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
  • the first UE is admitted to the network after the authentication, wherein the connection of the first UE is secured within the network through one or more session keys provided to the first UE by at least one network function, NF, hosted as one of an internal network function or an external network function, and wherein the authentication for the first UE is derived through the one or more session keys.
  • the session establishment request for joining the first cluster is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server.
  • the joining server is arranged to create the joining token through the authentication key along with one or more identifiers of the first UE, and share the joining token along with the one or more identifiers with the cluster API server, wherein the joining token along with the one or more identifiers are authenticated by the cluster API server.
  • the joining token is created in the cluster API server and is associated with an expiration time, wherein the request for joining the first cluster is rejected by the cluster API server after an expiry of the expiration time.
  • the joining server is arranged for obtaining the authentication key from a mobile network operator, MNO, serving the first UE when the joining server is managed by the MNO, wherein the authentication key is derived from an AKMA key.
  • the joining server is arranged to request for authentication from a key anchor function through a Network Exposure Function when the joining server is not managed by the MNO.
  • a first User Equipment for joining a first cluster from a plurality of clusters deployed in a network comprising a plurality of servers each in communication with the first UE and with at least one of the plurality of clusters.
  • the first UE comprises a controlling circuitry configured to authenticate with the MNO.
  • the controlling circuitry is further configured to receive an authentication key to join the first cluster from the MNO, wherein the joining the first cluster provides an access to one or more resources of the first cluster to the first UE.
  • the controlling circuitry is further configured to transmit, to a joining server of a first server among the plurality of servers, a session establishment request for joining the first cluster.
  • the controlling circuitry is further configured to receive, from the joining server, a response for the session establishment request notifying a creation of the joining token through the joining server in the cluster API server, wherein the joining token is created by using the authentication key received by the joining server from the MNO, wherein the response comprises information about at least one unique identifier for a cluster API server implemented in the first cluster.
  • the controlling circuitry is further configured to mutually authenticate the first UE and the cluster API server by using the joining token.
  • the controlling circuitry is further configured to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
  • a third aspect of the disclosure: a method implemented in a first User Equipment, UE, for joining a first cluster from a plurality of clusters deployed in a network.
  • the network comprises a plurality of servers each in communication with one or more UE and with at least one of the plurality of clusters.
  • the method comprising to authenticate with the MNO.
  • the method further comprising to receive an authentication key to join the first cluster from the MNO, wherein the joining the first cluster provides an access to one or more resources of the first cluster to the first UE.
  • the method further comprising to transmit, to a joining server of a first server among the plurality of servers, a session establishment request for joining the first cluster.
  • the method further comprising to receive, from the joining server, a response for the session establishment request notifying a creation of the joining token through the joining server in the cluster API server, wherein the joining token is created by using the authentication key received by the joining server from the MNO, wherein the response comprises information about at least one unique identifier for a cluster API server implemented in the first cluster.
  • the method further comprising to mutually authenticate the first UE and the cluster API server by using the joining token.
  • the method further comprising to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
  • a network for initiating communication between a first User Equipment, UE, and a first cluster from a plurality of clusters comprises one or more servers arranged for communication with the first UE of one or more UEs.
  • the first cluster comprises a cluster API server arranged to authenticate the UE to join the at least one UE in the first cluster.
  • the first cluster further comprises a joining server arranged to receive a session establishment request from the first UE.
  • the joining server is further arranged to obtain an authentication key from the MNO in response to the session establishment request, wherein the authentication key is of use for mutual authentication of the first UE and the cluster API server.
  • the joining server is further arranged to send a response to the first UE for the session establishment request, wherein the response comprises information about at least one unique identifier for the cluster API server.
  • the first UE from the one or more UEs comprises a controlling circuitry configured to mutually authenticate the first UE along with the cluster API server by using the authentication key obtained from the MNO.
  • the controlling circuitry is further configured to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
  • a first User Equipment for joining a first cluster from a plurality of clusters deployed in a network wherein the network comprises a plurality of servers each in communication with the first UE and with at least one of the plurality of clusters.
  • the UE comprises a controlling circuitry configured to authenticate with the MNO.
  • the controlling circuitry is further configured to receive an authentication key to join the first cluster from the MNO, wherein the joining the first cluster provides an access to one or more resources of the first cluster to the first UE.
  • the controlling circuitry is further configured to transmit, to a joining server in the first cluster, a session establishment request for joining the first cluster.
  • the controlling circuitry is further configured to receive, from the joining server, a response for the session establishment request comprising information about at least one unique identifier for a cluster API server implemented in the first cluster.
  • the controlling circuitry is further configured to mutually authenticate the first UE along with the cluster API server by using the authentication key.
  • the controlling circuitry is further configured to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
  • a method implemented in a first User Equipment, UE, for joining a first cluster from a plurality of clusters deployed in a communication network architecture comprising a plurality of servers each in communication with one or more UEs and with at least one of the plurality of clusters.
  • the method comprising to authenticate with the MNO.
  • the method further comprising to receive an authentication key to join the first cluster from the MNO, wherein the joining the first cluster provides an access to one or more resources of the first cluster to the first UE.
  • the method further comprising to transmit, to a joining server in the first cluster, a session establishment request for joining the first cluster.
  • the method further comprising to receive, from the joining server, a response for the session establishment request comprising information about at least one unique identifier for a cluster API server implemented in the first cluster.
  • the method further comprising to mutually authenticate the first UE along with the cluster API server by using the authentication key.
  • the method further comprising to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
  • Fig. 1 discloses a wireless communication network architecture for providing a User Equipment, UE, to join a cluster according to some examples
  • Fig. 2 discloses an example network for initiating communication between a first User Equipment, UE, and a first cluster from a plurality of clusters according to some embodiments of the present disclosure
  • Fig. 3 discloses a block diagram illustrating examples of communication network architecture for providing a first UE to join a cluster when joining server is outside cluster API server according to some embodiments of the present disclosure
  • Fig. 4 is a schematic block diagram illustrating an example first UE according to some embodiments of the present disclosure
  • Fig. 5 is a flowchart illustrating example method steps of first UE joining a cluster when joining server is outside cluster API server according to some embodiments of the present disclosure
  • Fig. 6 discloses a block diagram illustrating examples of communication network architecture for providing a first UE to join a cluster when joining server is a part of cluster API server according to some embodiments of the present disclosure
  • Fig. 7 is a flowchart illustrating example method steps of a first UE joining a cluster when joining server is a part of cluster API server according to some embodiments of the present disclosure
  • Figs. 8A-8B is a sequence diagram illustrating a first UE joining procedure according to some examples
  • Fig. 9 is a sequence diagram illustrating a first UE re-joining a cluster according to some examples.
  • Fig. 10 discloses an example computing environment according to some examples.
  • Fig. 1 discloses an example wireless communication system 100. Although the subject matter described herein may be implemented in any appropriate type of system using any suitable components, the embodiments disclosed herein are described in relation to a wireless communication system/wireless network, such as the example wireless communication system 100 described in Fig. 1.
  • the wireless communication system 100 may comprise and/or interface with any type of communication, telecommunication, data, cellular, and/or radio network or other similar type of system.
  • the wireless communication system 100 may be configured to operate according to specific standards or other types of predefined rules of procedures.
  • wireless communication system 100 may implement communication standards, such as, but are not limited to, global system for mobile communications, GSM, universal mobile telecommunications system, UMTS, long term evolution, LTE, and/or other suitable 2G, 3G, 4G, or 5G standards, wireless local area network, WLAN, standards such as, IEEE 802.11 standards, and/or any other appropriate wireless communication standards, such as, worldwide interoperability for microwave access, WiMax, Bluetooth, Z-Wave and/or ZigBee standards.
  • the wireless communication system 100 comprises a first User Equipment, UE, 102, a network node 204, and a network 200.
  • the first UE 102 and the network node 204 operate together in order to provide wireless connections in the wireless communication system 100.
  • the network 200 may comprise one or more backhaul networks, core networks, IP networks, public switched telephone networks, PSTNs, packet data networks, optical networks, wide-area networks, WANs, local area networks, LANs, wireless local area networks, WLANs, wired networks, wireless networks, metropolitan area networks, and other networks to enable communication between devices (for example, wireless devices and network node).
  • the network node 204 may refer to equipment capable, configured, arranged, and/or operable to communicate directly or indirectly with the UE 102 and/or with other network nodes or equipment in the wireless communication system 100 to enable and/or provide wireless access to the first UE 102 and/or to perform other functions (for example, administration) in the wireless communication system 100.
  • Examples of the network node 204 may include, but are not limited to, access points, APs (for example, radio access points), base stations, BSs (for example, radio base stations, nodeBs, evolved NodeBs, eNBs, new radio, NR, nodes (gNBs), or the like).
  • the BSs may be categorized based on an amount of coverage the BSs provide (or, stated differently, their transmit power level) and may then also be referred to as femto BSs, pico BSs, micro BSs, macro BSs.
  • the BS may be a relay node or a relay donor node controlling a relay.
  • the first UE 102 may refer to a device capable, configured, arranged and/or operable to communicate wirelessly with the network node 204 and/or other wireless devices.
  • the first UE 102 may include one or more of: computing devices, wireless devices that operate based on energy harvesting (hereinafter referred to as Zero-Energy, ZE, wireless devices), ultra-low power wireless devices, Internet of Things, IoT, devices, and so on.
  • Examples of the computing devices may include, but are not limited to, a smart phone, a mobile phone, a cell phone, a voice over Internet Protocol, IP, VoIP, phone, a wireless local loop phone, a desktop computer, a personal digital assistant, PDA, a wireless camera, a gaming console or device, a wearable terminal device, a wireless endpoint, a mobile station, a tablet, a laptop, a laptop-embedded equipment, LEE, a laptop-mounted equipment, LME, a smart device, a wireless customer-premise equipment, CPE, a vehicle-mounted wireless terminal device, and so on.
  • the ZE wireless devices may harvest energy to operate based on ambient sources such as vibrations, solar power, Radio Frequency, RF, or the like. Alternatively, the ZE wireless devices may harvest energy to operate based on back-scattering communication.
  • the first UE 102 need not be limited to the above-described wireless devices and may be extended to other wireless devices of different classes or categories providing different services while supporting, for example, Enhanced Mobile Broadband, eMBB, massive Machine-Type Communication, MTC, Ultra-Reliable Low Latency Communication, URLLC, Time Sensitive Networking, TSN, or the like.
  • Fig. 2 discloses a block diagram illustrating examples of a communication network architecture 200, or simply referred to as network 200, for establishing communication between a first mobile networked user equipment, UE, 102 with a first cluster 104 among a plurality of clusters 104.
  • the network 200 further comprises a plurality of servers 106 arranged for communication with the plurality of UEs 102.
  • the network 200 may be an informational technology network, an operational technology network, a cloud infrastructure, a software as a service, SaaS, infrastructure or any combination thereof, connected to each of the computing devices.
  • the application function, AF, 101 may include, but is not limited to, any application related function deployed outside the MNO 112, and which may be implemented using containers, wherein the AF 101 provides functionality to an end user or a cluster management server such as Kubernetes.
  • the information (also referred to as data, data packets, or the like) that the containers produce may include, but is not limited to, metadata, general logging, sensitive/valuable information, and so on.
  • the containers may include different functions that are provisioned on a set of computing resources.
  • the computing resources may include physical computing resources, or virtual computing resources such as virtualized in a data center or multiple data centers or container clustering platforms.
  • the network exposure function, NEF, 103 is a node that provides additional network related functionality to components such as external applications outside network premises based on established policies.
  • the NEF 103 provides standardized Application Programming Interfaces, APIs, that external applications can use to interact with the network 108, wherein the APIs allow the external applications to request specific services, information, or capabilities from the network 200.
  • the first server 106 may be an exposure server 106, which is a component that provides access to the network nodes for interacting with each other.
  • the exposure server 106 also provides an interface with the AF 101, such as the cluster API server 108 outside the network 200.
  • the exposure server 106 has capabilities of higher abstraction of a network platform (NP) which is an integration of a cloud communications platform with 5G radio services.
  • authentication server function, AUSF, 106a and AKMA anchor function, AAnF, 106b are network functions that provide support for the Authentication and Key Management of Applications, AKMA, wherein they are deployed as either a standalone function or collocated with NEF 103.
  • AUSF 106a and AAnF 106b interact with other network functions to provide authentication procedures. Further, the AUSF 106a may be used for managing subscription information related to the computing devices.
  • the cluster API server 108 may be responsible for managing and coordinating operations related to clusters in the network 200.
  • the joining server 110 may be a supporting function for exposing functionality to the AF 101 and UE 102 to provide cluster ownership information for managing cluster joining.
  • the edge discovery server 114 may be responsible for selecting an edge cluster that may provide additional resources such as physical or virtual computing resources to the UE 102.
  • the edge discovery server 114 serves as an aggregator, allowing UEs to join and be a part of edge clusters from various service providers. Further, the edge discovery server 114 provides UE centric discovery based on UE capabilities, requirements, location, subscription, or network topology, to ensure that the UE is connected to a cluster that best meets the UE's specific needs and conditions.
  • the edge discovery server 114 not only provides the endpoint of the selected edge cluster to the UE 102, but also provides the UE's integration as a member of the cluster, which is achieved by the UE 102 exposing its capabilities to other UEs of the clusters to collaborate and share resources among connected nodes.
  • the network 200 is configured for initiating communication between a first UE 102 and a first cluster 104 from a plurality of clusters 104, wherein the network 200 comprises one or more UEs 102 arranged to be served by at least one MNO 112.
  • the proposed network 200 provides the joining server 110 for authenticating the UE 102 to join the first cluster 104.
  • the joining server 110 may be positioned inside the first cluster 104.
  • the joining server 110 may be positioned inside the first server 106.
  • Fig. 3 is an example schematic diagram showing the network 200.
  • the network 200 is configured for initiating communication between a first UE 102 and a first cluster 104 from a plurality of clusters 104, wherein the network 200 comprises one or more servers (106) arranged for communication with one or more UEs 102.
  • the first cluster 104 comprises a cluster API server 108 arranged to authenticate the first UE 102 to provide access to one or more resources in the first cluster 104.
  • the network 200 further comprises one or more servers 106 from a plurality of servers 106 arranged for communication with one or more UEs 102.
  • a first server 106 of the one or more servers 106 comprises a joining server 110 arranged to receive a session establishment request from the first UE 102 to join the first cluster 104 to provide an access to the one or more resources of the first cluster (104) to the first UE (102).
  • the first UE 102 is admitted to the network after the authentication and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys.
  • the session establishment request for joining the first cluster 104 is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server 114.
  • the joining server 110 is further arranged to request an authentication key from a Mobile Network Operator, MNO 112, serving the first UE 102.
  • the joining server 110 is further arranged to create a joining token in the cluster API server 108 by using the authentication key from the MNO 112, wherein the joining token is of use to allow the first UE 102 to join the first cluster 104.
  • the joining server 110 is arranged to create the joining token through the authentication key along with one or more identifiers of the first UE 102, and share the joining token along with the one or more identifiers with the cluster API server 108, wherein the joining token along with the one or more identifiers are authenticated by the cluster API server 108.
  • the joining token is created in the cluster API server 108 and is associated with an expiration time, wherein the request for joining the first cluster 104 is rejected by the cluster API server 108 after an expiry of the expiration time.
  • the joining server 110 is arranged to obtain the authentication key from the MNO 112, serving the first UE 102 when the joining server 110 is managed by the MNO 112, wherein the authentication key is derived from an AKMA key.
  • the joining server 110 is arranged to request for authentication from a key anchor function through a Network Exposure Function when the joining server 110 is not managed by the MNO 112.
  • the joining server 110 is further arranged to send a response to the first UE 102 for the session establishment request to notify the first UE 102 regarding the creation of the joining token, wherein the response comprises information about at least one unique identifier for the cluster API server 108.
  • the UE 102 may ask the joining server 110 to create another valid joining token using the authentication procedure through the joining server 110 as discussed above. Additionally, in case of expiration of the AKMA Application Key (KAF), the UE 102 and the Joining server 110 may re-negotiate a KAF, according to the AKMA specification, which is standardized by 3GPP.
  • Fig. 4 is an example block diagram of the first UE 102.
  • the first UE 102 from the one or more UEs 102 comprises a memory 402, a processor 404, a controlling circuitry 406 and a driver 408.
  • the controlling circuitry 406 of the UE 102 is configured to create the joining token by using the authentication key, after a response is received from the joining server 110.
  • the authentication key is received from the MNO 112.
  • the controlling circuitry 406 of the UE 102 is further configured to mutually authenticate the first UE 102 and the cluster API server 108 by using the joining token.
  • the controlling circuitry 406 of the UE 102 is further configured to initiate the communication session with the cluster API server 108, wherein the initiation of the communication session provides an access to one or more resources of the first cluster 104. Remaining details of the first UE 102 are described in later part of the description.
  • a first UE 102 joining the first cluster 104 when the joining server 110 is located within the first server 106 i.e., the exposure server or NP.
  • the joining server 110 is a part of the NP, it remains a trusted component and is provided to fetch the AKMA key from the MNO 112 without any interface functions.
  • the joining service of the joining server 110 may be launched after the exposure server 106 receives the UE's 102 request to join the cluster 104, and the joining service may be shut down after the joining procedure is completed. This joining service guarantees enforcement of proper access control.
  • step 1 the UE 102 finishes primary authentication with the network 200. Subsequently, in step 2, the UE 102 acquires the AKMA key. Thereafter, in step 3, the UE 102 requests to join a cluster using the edge discovery service of the edge discovery server 114. Further, in step 4, the UE 102 acquires the joining server's 110 unique identifier such as URL from the edge discovery service. Thereafter, in step 5, the UE 102 initiates an authentication request to the joining server, preparing to mutually authenticate itself with the cluster API server 108, and establish a secure communication session. Now, in step 6, the joining server 110 requests to fetch the AKMA AF key (KAF) from the MNO 112.
  • the MNO 112 sends the AKMA AF key (KAF) to the joining server 110 located within the edge discovery server 114.
  • the joining server 110 sends the AKMA AF key (KAF) to the cluster API server 108, and creates a joining token using the application AKMA AF key (KAF) in cluster API server 108.
  • the cluster API server 108 sends a response or acknowledgement to the joining server 110 about the successful creation of the joining token.
  • a bootstrap or joining token is generated by using the AKMA key as a seed or key material, wherein cryptographic operations such as, but not limited to, hash based message authentication code (HMAC) are used for maintaining the bootstrap token's uniqueness and security.
  • the joining server 110 may acquire the UE's 102 unique identifier and use the identifier together with the AKMA key as a seed to generate the bootstrap or joining token. This prevents malicious attackers who acquire the AKMA key from joining the cluster API server 108.
  • the joining server 110 may derive the bootstrap or joining token from the AKMA key, but sends the bootstrap or joining token along with UE's unique identifier to the cluster API server, wherein the cluster API server 108 has to authenticate both the bootstrap or joining token and UE's unique identifier.
  • the joining server 110 may create the bootstrap or joining token in the cluster
  • the joining server 110 sends a response or acknowledgement to the UE 102 with necessary information such as the unique identifier of the cluster API server 108 such as the URL of the cluster API server 108.
  • the UE 102 uses the AKMA AF key (KAF) to derive the joining token or bootstrap token, and then authenticates itself with the cluster API server 108.
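The token derivation and check described above, as an added example that is not code from the patent: the joining server and the UE each derive the same token from KAF and the UE identifier, and a stand-in for the cluster API server 108 rejects a wrong or expired token. HMAC-SHA256, the label, the identifier strings, the sample key, the class and function names and the URL are all assumptions made for illustration.

```python
"""Joining-token sketch: KAF plus UE identifier -> HMAC token, checked with an expiry."""
import hashlib
import hmac

LABEL = b"cluster-join-token-v1"  # hypothetical domain-separation label


def derive_joining_token(k_af: bytes, ue_id: str) -> str:
    """HMAC-SHA256 keyed with KAF over the label and the length-prefixed UE identifier."""
    uid = ue_id.encode("utf-8")
    # The length prefix keeps two different (label, identifier) pairs from
    # ever producing the same message bytes.
    msg = LABEL + b"\x00" + len(uid).to_bytes(2, "big") + uid
    return hmac.new(k_af, msg, hashlib.sha256).hexdigest()


class ClusterApiServer:
    """Stand-in for the cluster API server 108 (hypothetical, not a real API)."""

    def __init__(self):
        self._tokens = {}  # ue_id -> (sha256(token), expires_at)

    def create_token(self, ue_id: str, token: str, ttl_s: int, now: int) -> None:
        # Only a digest of the token is kept, together with its expiration time.
        digest = hashlib.sha256(token.encode()).digest()
        self._tokens[ue_id] = (digest, now + ttl_s)

    def authenticate(self, ue_id: str, token: str, now: int) -> bool:
        entry = self._tokens.get(ue_id)
        if entry is None:
            return False  # no token was created for this identifier
        digest, expires_at = entry
        if now >= expires_at:
            del self._tokens[ue_id]  # join requests are rejected after expiry
            return False
        presented = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(presented, digest)  # constant-time compare


def joining_server_handle_request(api, k_af: bytes, ue_id: str, ttl_s: int, now: int) -> dict:
    """Joining server 110 side: derive the token, create it in the API server,
    and answer the UE without sending the token (the UE derives it from KAF)."""
    api.create_token(ue_id, derive_joining_token(k_af, ue_id), ttl_s, now)
    return {"status": "token-created", "api_server": "https://api.cluster.example"}


def demo() -> dict:
    k_af = bytes(range(32))          # constructed sample key, not a real KAF
    ue, other = "ue-0001.constructed", "ue-0002.constructed"
    api = ClusterApiServer()
    response = joining_server_handle_request(api, k_af, ue, ttl_s=600, now=1000)
    ue_token = derive_joining_token(k_af, ue)        # UE side, same inputs
    other_token = derive_joining_token(k_af, other)  # same key, other identifier
    return {
        "response_has_token": "token" in response,
        "ue_accepted": api.authenticate(ue, ue_token, now=1100),
        "other_token_rejected": not api.authenticate(ue, other_token, now=1100),
        "unregistered_id_rejected": not api.authenticate(other, other_token, now=1100),
        "expired_rejected": not api.authenticate(ue, ue_token, now=1600),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The identifier is not a secret, so the binding only adds protection when the API server checks the presented identifier against one it has established by other means.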
  • an example UE 102 is illustrated comprising one or more modules. These modules may e.g. comprise a memory 402, a processor 404, a controlling circuitry 406, and a driver 408.
  • the controlling circuitry 406, may be adapted to control the other modules.
  • the memory 402, the processor 404 and the driver 408 as well as the controlling circuitry 406, may be operatively connected to each other.
  • the memory 402 is adapted to store preconfigured address for the one or more servers 106 at the UE 102.
  • the processor 404 is adapted to identify the availability of the radio resources, and the one or more servers 106 for transmission of the plurality of data packets.
  • the controlling circuitry 406 may be adapted to control the steps as executed by the UE 102.
  • the controlling circuitry 406 may be adapted to transmit and receive data to/from cluster API server 108 and edge discovery server 114.
  • the driver 408 may be adapted to process plurality of data packets received and transmitted by the UE 102, and the timing information related to the plurality of radio resources from network nodes of the network 200.
  • the UE 102 of FIG. 4 is for example the first UE 102 or referred as UE 102 that is provided for joining the first cluster 104 from the plurality of clusters 104 deployed in the communication network architecture 200, or the network 200 wherein the communication network architecture 200 comprises the plurality of servers 106 each in communication with the UE 102 and with at least one of the plurality of clusters 104.
  • the control circuitry 406 is configured to authenticate with the MNO 112.
  • the first UE 102 is admitted to the network 200 after the authentication, and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys.
  • the control circuitry 406 of the UE 102 is further configured to receive an authentication key to join the first cluster 104 from the MNO 112, wherein the joining the first cluster provides an access to one or more resources of the first cluster 104 to the first UE 102.
  • the authentication key is of use for creating a joining token to be shared with the cluster API server 108 in the first cluster 104 for authenticating the first UE 102 for joining the first cluster 104.
  • the authentication key is used along with one or more identifiers of the first UE 102 for creating the joining token, wherein the joining token is authenticated along with the one or more identifiers through the cluster API server 108.
  • the authentication key is derived from an AKMA key and is obtained by the joining server 110 from a mobile network operator, MNO 112, serving the first UE 102 when the joining server 110 is managed by the MNO 112.
  • the control circuitry 406 of the UE 102 is further configured to transmit, to a joining server 110 of a first server 106 among the plurality of servers 106, a session establishment request for joining the first cluster 104.
  • the request for joining the first cluster 104 is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server 114.
  • the joining server 110 may be a supporting function that utilizes robust security mechanisms established by the 5G network's primary authentication process and reuses authentication mechanisms embedded within the subscriber identity module (SIM) or embedded Universal Integrated Circuit Card (e(UICC)) card of the UE 102.
  • the joining server 110 may interact with the UE 102 by using the AKMA authentication procedure.
  • the AKMA may be based on usage of credentials in (e)UICC.
  • the joining server 110 may provide bootstrapping authentication and cluster joining procedure by delegating communication responsibilities of the UE 102 to the cluster API server 108, to achieve seamless inclusion of the UE 102 into the cluster environment using the existing authentication procedures.
  • the bootstrapping may be provided using other authentication mechanisms using credentials of (e)UICC.
  • the control circuitry 406 of the UE 102 is further configured to receive, from the joining server 106, a response for the session establishment request notifying a creation of the joining token through the joining server 110 in the cluster API server 108, wherein the joining token is created by using the authentication key received by the joining server 110 from the MNO 112, wherein the response comprises information about at least one unique identifier for a cluster API server 108 implemented in the first cluster 104.
  • the control circuitry 406 of the UE 102 is further configured to mutually authenticate the first UE 102 and the cluster API server 108 by using the joining token.
  • the control circuitry 406 of the UE 102 is further configured to initiate the communication session with the cluster API server 108, wherein the initiation of the communication session provides an access to one or more resources of the first cluster 104.
  • the UE 102 may e.g. be mobile UEs that move across the plurality of clusters 104, which are groups of edge computing resources or network nodes.
  • the plurality of clusters 104 could be geographically distributed or serve specific purposes.
  • the network 200 dynamically allocates resources to ensure optimal performance and low latency for the UE's 102 applications and services.
  • the UE 102 is capable of joining at least one cluster from the plurality of clusters 104 deployed in the communication network architecture 200.
  • Fig. 5 is a flowchart illustrating example method steps of a method 500 implemented in the first UE 102 or also referred as the UE 102 for joining the first cluster 104 from the plurality of clusters 104 deployed in the network 200, wherein the network 200 comprises a plurality of servers 106 each in communication with one or more UE 102 and with at least one of the plurality of clusters 104.
  • the method 500 is performed by the UE 102 for joining the first cluster 104 from the plurality of clusters 104 in the network 200 when the joining server 110 is outside the cluster API server 108 according to some examples.
  • the method 500 comprises authenticating with the MNO 112.
  • the first UE 102 is admitted to the network 200 after the authentication, and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys.
  • the method 500 comprises receiving an authentication key to join the first cluster 104 from the MNO 112, wherein joining the first cluster provides access to one or more resources of the first cluster 104 to the first UE 102.
  • the authentication key is of use for creating a joining token to be shared with the cluster API server 108 in the first cluster 104 for authenticating the first UE 102 for joining the first cluster 104.
  • the authentication key is used along with one or more identifiers of the first UE 102 for creating the joining token, wherein the joining token is authenticated along with the one or more identifiers through the cluster API server 108.
  • the authentication key is derived from an AKMA key and is obtained by the joining server 110 from a mobile network operator, MNO 112, serving the first UE 102 when the joining server 110 is managed by the MNO 112.
  • the method 500 comprises transmitting, to a joining server 110 of a first server 106 among the plurality of servers 106, a session establishment request for joining the first cluster 104.
  • the request for joining the first cluster 104 is sent through the edge discovery service, wherein the edge discovery service identifies the edge discovery server 114.
  • the joining server 110 may interact with the UE 102 using the AKMA authentication procedure.
  • the method 500 comprises receiving, from the joining server 106, a response for the session establishment request notifying a creation of the joining token through the joining server 110 in the cluster API server 108, wherein the joining token is created by using the authentication key received by the joining server 110 from the MNO 112, wherein the response comprises information about at least one unique identifier for a cluster API server 108 implemented in the first cluster 104.
  • the method 500 comprises mutually authenticating the first UE 102 and the cluster API server 108 by using the joining token.
  • the method 500 comprises initiating the communication session of the first UE 102 with the cluster API server 108, wherein the initiation of the communication session provides access to one or more resources of the first cluster 104.
  • Additional details of the method 500 are similar to details of the network 200 and the UE 102 as discussed above and hence are not repeated for the sake of brevity.
  • Fig. 6 is an example schematic diagram showing the network 200.
  • the network 200 is configured for initiating communication between the first UE 102 and the first cluster 104 from the plurality of clusters 104.
  • the network 200 comprises one or more UEs 102 arranged to be served by at least one MNO 112.
  • the network 200 further comprises one or more servers 106 from a plurality of servers 106 arranged for communication with one or more UEs 102.
  • the first cluster 104 comprises the cluster API server 108 arranged to authenticate the UE 102 to join the at least one UE 102 in the first cluster 104.
  • the first cluster 104 comprises a joining server 110 arranged to receive a session establishment request from the first UE 102 to provide an access to one or more resources of the first cluster 104 to the first UE 102.
  • the first UE 102 is admitted to the network after the authentication and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys.
  • the session establishment request for joining the first cluster 104 is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server 114.
  • the joining server 110 is further arranged to obtain the authentication key to authenticate both the UE 102 and the cluster API server 104.
  • the joining server 110 is further arranged to obtain an authentication key from the MNO 112 in response to the session establishment request, wherein the authentication key is of use for mutual authentication of the first UE 102 and the cluster API server 108.
  • the joining server 110 is arranged to create the joining token through the authentication key along with one or more identifiers of the first UE 102, and share the joining token along with the one or more identifiers with the cluster API server 108, wherein the joining token along with the one or more identifiers are authenticated by the cluster API server 108.
  • the joining token is created in the cluster API server 108 and is associated with an expiration time, wherein the request for joining the first cluster 104 is rejected by the cluster API server 108 after an expiry of the expiration time.
  • the joining server 110 is arranged to obtain the authentication key from the MNO 112, serving the first UE 102 when the joining server 110 is managed by the MNO 112, wherein the authentication key is derived from an AKMA key.
  • the joining server 110 is arranged to request for authentication from a key anchor function through a Network Exposure Function when the joining server 110 is not managed by the MNO 112.
  • the joining server 110 is further arranged to send a response to the first UE 102 for the session establishment request, wherein the response comprises information about at least one unique identifier for the cluster API server 108.
  • the UE 102 may ask the joining server 110 to create another valid joining token using the authentication procedure through the joining server 110 as discussed above. Additionally, in case of expiration of the AKMA Application Key (KAF), the UE 102 and the Joining server 110 may re-negotiate a KAF, according to the AKMA specification, which is standardized by 3GPP.
  • the first UE 102 from the one or more UEs 102 comprises a controlling circuitry 406.
  • the controlling circuitry 406 of the UE 102 is configured to mutually authenticate the first UE 102 along with the cluster API server (108) by using the authentication key obtained from the MNO 112.
  • the controlling circuitry 406 of the UE 102 is further configured to initiate the communication session with the cluster API server 108, wherein the initiation of the communication session provides an access to one or more resources of the first cluster 104.
  • authentication key is derived from an AKMA key.
  • Fig. 6 disclosed is an example implementation of the UE 102 joining the cluster 104 when joining server 110 is a part of cluster API server.
  • the joining server 110 belongs to the same cluster 104 that the UE 102 intends to join, wherein the joining server 110 is provided as an extension to the cluster API server 110.
  • the implementation steps of UE 102 when joining server 110 is provided as an extension to the cluster API server 110 is as given below.
  • step 1 the UE 102 finishes 5G primary authentication with the network 200. Subsequently, in step 2, the UE 102 acquires the AKMA key. Thereafter, in step 3, the UE 102 requests to join the cluster 104 using the edge discovery service provided by the edge discovery server 114. Further, in step 4, the UE 102 acquires the unique identifier of the cluster API server 108 from the edge discovery service, and the unique identifier comprises a uniform resource locator (URL) of the cluster API server 108. Thereafter, in step 5, the UE 102 initiates the authentication request to mutually authenticate itself with the cluster API server 108 and establish the secure communication session with the cluster API server 108.
  • step 6 the joining server 110 of the cluster API server 108 requests to fetch the AKMA AF key from the MNO 112. Subsequently, in step 7, the request for acquiring the AKMA AF key is sent to the MNO 112 through the first server 106. Thereafter, in step 8, the AKMA AF key is provided by the MNO 112 to the first server 106. Further, in step 9, the AKMA AF key provided by the MNO 112 is sent to the joining server 110 of the cluster API server 108. Finally, in step 10, the cluster API server 108 and the UE 102 finish mutual authentication using the AKMA AF key, and establish a secure communication session, which enables the UE 102 to join the cluster 104.
  • the first UE 102 is provided for joining the first cluster 104 from the plurality of clusters 104 deployed in the communication network architecture 200, wherein the communication network architecture 200 comprises a plurality of servers 106 each in communication with the UE 102 and with at least one of the plurality of clusters 104. Further, the UE 102 comprises a controlling circuitry 406.
  • the control circuitry 406 of the first UE 102 is configured to authenticate with the MNO 112.
  • the first UE 102 is admitted to the network 200 after the authentication, and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys.
  • the control circuitry 406 of the first UE 102 is configured to receive an authentication key to join the first cluster 104 from the MNO 112, wherein the joining the first cluster provides an access to one or more resources of the first cluster 104 to the first UE 102.
  • the authentication key is derived from an AKMA key, wherein the authentication key is received from the MNO 112, serving the first UE 102.
  • the control circuitry 406 of the first UE 102 is further configured to transmit, to a joining server 110 in the first cluster 104, a session establishment request for joining the first cluster 104.
  • the request for joining the first cluster 104 is sent through an edge discovery service.
  • the control circuitry 406 of the first UE 102 is further configured to receive, from the joining server 110, a response for the session establishment request comprising information about at least one unique identifier for a cluster API server 108 implemented in the first cluster 104.
  • the at least one unique identifier is a URL or an IP address of the cluster API server 108.
  • the control circuitry 406 of the first UE 102 is further configured to mutually authenticate the first UE (102) along with the cluster API server 108 by using the authentication key.
  • the control circuitry 406 of the first UE 102 is further configured to initiate the communication session with the cluster API server 108, wherein the initiation of the communication session provides an access to one or more resources of the first cluster 104.
  • Additional details of the first UE 102 are similar to details of the UE 102 as discussed above and hence are not repeated for the sake of brevity.
  • Fig. 7 is a flowchart illustrating example method steps of a method 700 implemented in the UE 102 for joining the first cluster 104 from a plurality of clusters 104 deployed in the communication network architecture 200, wherein the communication network architecture 200 comprises a plurality of servers 106 each in communication with the one or more UE 102 and with at least one of the plurality of clusters 104.
  • the method 700 is performed by the UE 102 for joining the first cluster 104 from a plurality of clusters in a network 200 when the joining server 110 is a part of the cluster API server 108 according to some examples.
  • the method 700 comprises authenticating with the MNO 112.
  • the first UE 102 is admitted to the network 200 after the authentication, and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys.
  • the method 700 comprises receiving an authentication key to join the first cluster 104 from the MNO 112, wherein joining the first cluster provides access to one or more resources of the first cluster 104 to the first UE 102.
  • the method 700 comprises transmitting, to a joining server 110 in the first cluster 104, a session establishment request for joining the first cluster 104.
  • the method 700 comprises receiving, from the joining server 110, a response for the session establishment request comprising information about at least one unique identifier for a cluster API server 108 implemented in the first cluster 104.
  • the at least one unique identifier is a URL or an IP address of the cluster API server 108.
  • the joining server 110 may be a supporting function that utilizes robust security mechanisms established by the 5G network's primary authentication process and reuses authentication mechanisms embedded within the subscriber identity module (SIM) or embedded Universal Integrated Circuit Card (e(UICC)) card of the UE 102.
  • the joining server 110 may interact with the UE 102 using the AKMA authentication procedure.
  • the joining server 110 may provide bootstrapping authentication and cluster joining procedure by delegating communication responsibilities of the UE 102 to the cluster API server 108, to achieve seamless inclusion of the UE 102 into the cluster environment using the existing authentication procedures.
  • the method 700 comprises mutually authenticating the first UE 102 along with the cluster API server 108 by using the authentication key.
  • the authentication key is derived from an AKMA key, wherein the authentication key is received from the MNO 112, serving the first UE 102.
  • the method 700 comprises initiating the communication session with the cluster API server 108, wherein the initiation of the communication session provides access to one or more resources of the first cluster 104.
  • Additional details of the method 700 comprise one or more of the details of the network 200 as discussed in Fig. 6 and the UE 102 as discussed in Fig. 2 and hence are not repeated for the sake of brevity.
  • Fig. 8A-8B discloses a sequence diagram illustrating additional details of the method 500 for joining the first cluster 104 by the first UE 102 according to some examples. As illustrated in Fig. 8A-8B, the steps of first UE 102 for joining the first cluster when the joining server 110 is provided as part of the exposure server 106 are given below.
  • step 1 5G primary authentication is performed between the first UE 102 and the AUSF 106a. Subsequently, after successful primary authentication, the first UE 102 is accepted by network and a connection is established using derived session keys, wherein a root session key KAUSF is managed by AUSF 106a to provide the first UE 102 and the network 200 to derive further keys from the KAUSF. Step 1 may be performed as defined in TS 33.501.
  • the root session key KAUSF is used to generate the authentication key KAKMA at both the first UE 102 and the AUSF 106a.
  • the AUSF 106a distributes the generated KAKMA to AKMA anchor function (AAnF) 106b.
  • Step 2 may be performed as defined in TS 33.535.
  • the first UE 102 sends a request to the first server 106 which is the exposure server or NP through the edge discovery service of the edge discovery server 114 requesting to join the first cluster 104.
  • the first UE 102 may have a preconfigured address for the first server 106 stored in the authentication mechanisms embedded within the first UE 102 such as the e(UICC).
  • the first server 106 is either shared by multiple MNOs 112 or specified for each MNO 112.
  • the authentication information required for the bootstrap authentication process for the first UE 102 may be made available by other device management systems.
  • the first UE 102 receives a response regarding a cluster joining server 110 such as the unique identifier i.e., URL or IP address from the first server 106 i.e., the exposure server 106.
  • step 5 the first UE 102 sends an application session establishment request to the joining server 110.
  • step 6 and 7 if the joining server 110 is being managed by the MNO 112 itself, then the joining server 110 may be trusted by the network 200. Also, the joining server 110 may directly request the AKMA application key KAF from the AAnF 106b. Thereafter, the AAnF 106b generates a KAF using the KAKMA and then sends the response to the joining server 110.
  • steps 8 to 12 if the joining server 110 is being managed by an external entity such as the owner of the first UE 102, then the joining server 110 is not trusted by the network 200. Also, the joining server 110 may request the AKMA application key KAF from the AAnF 106b through network exposure function (NEF) 103. Thereafter, the AAnF 106b generates a KAF using the KAKMA and sends a response to the joining server 110 through NEF 103. Steps 6 to 12 may be performed as defined in section 6.2 and 6.3 of TS 33.535.
  • the joining server 110 requests to create a bootstrap or joining token and saves it as a secret object through the cluster API server 108.
  • the joining server 110 sends an application session establishment response to the first UE 102 after getting a KAF and creating a token secret using the KAF or an error in case of any failure.
  • the joining server 110 may also include necessary information such as cluster certificate authority (CA) hash, cluster API server URL, etc.
  • both the first UE 102 and joining server 110 may have a shared key KAF or a key derived from KAF.
  • step 16 the first UE 102 uses the AKMA application key KAF to derive a bootstrap token or joining token and uses the bootstrap token or joining token to authenticate itself with the cluster API server 108.
  • the first UE 102 may establish a secure TLS session with the cluster API server 108 using any shared key-based mutual authentication.
  • Steps 17 and 18 may be performed as defined in Annex B 1.2 and B 1.3 of TS 33.535.
  • step 19 post bootstrapping authentication to the cluster API server 108, the first UE 102 may have limited credentials to create and retrieve a certificate signing request (CSR).
  • step 20 the cluster API server 108 signs and issues the certificate to the first UE 102.
  • the first UE 102 may start normal operation in the cluster 104 using the issued certificate. Further, when the first UE 102 may want to switch to another cluster in cases such as when the first UE 102 device owner changes subscription of the edge or cloud platform and creates a new cluster, then it may be required that the first UE 102 needs to be migrated to the new cluster.
  • Fig. 9 discloses a sequence diagram illustrating the first UE 102 re-joining a cluster according to some examples.
  • the first UE 102 may be triggered to switch a cluster either by the first UE 102 itself, or device management system of the first UE 102, or the edge discovery service of the edge discovery server 114.
  • the steps for the first UE 102 to perform the switching or re-joining of the cluster is as given below.
  • the UE 102 may be triggered on-site, such as by pressing reset on the first UE 102. Then, the UE may send the request to the edge discovery server 114 to join a cluster 104.
  • the first UE 102 may be triggered by a remote management procedure, such as when the first UE 102 changes ownership or is forced to switch to another cluster by the owner or administrator of the first UE 102.
  • the first UE 102 may be triggered by any device management framework such as Lightweight Machine-to-Machine (LwM2M) protocol for device management and communication.
  • the first UE 102 may be triggered by interface 3rd generation partnership project (3GPP) security assurance level (SEAL) group management.
  • the edge discovery server 114 may obtain metrics such as signal strength from the first server 106 i.e., exposure server or the NP.
  • the edge discovery server 114 decides if a cluster switch may be triggered based on the requirements and current metrics or key performance indicators (KPIs).
  • the first UE 102 may be triggered to switch to a new pre-identified cluster by the edge discovery service of the edge discovery server 114.
  • the first UE 102 may be triggered to switch cluster by configured policies such as gaining better signal coverage (e.g., mobility management node (MME) in 4G, or access and mobility management function (AMF) in 5G for cell handover), or fulfilment or service level objectives to get computation offloading or resource sharing, or privacy or compliance or regulatory reasons.
  • the configured policies may be of edge discovery server 114, or the first UE 102, or the cluster 104, or the device management system of the first UE 102.
  • the switch may be provided by installing new UICC or downloading the new MNO's profile into the eUICC of the first UE 102.
  • the first server 106 i.e, the exposure server may aggregate different cloud service providers (CSPs) and MNOs, to provide the first server 106 to reach the right MNO and its NEF when a new request to join a new cluster is received.
  • Fig. 10 illustrates an example computing environment 1000 implementing the UE 102, as described in Fig. 4, and method as described in Figs. 5 and 7.
  • the computing environment 1000 comprises at least one data processing module 1006 that is equipped with a control module 1002 and an Arithmetic Logic Unit (ALU) 1004, a plurality of networking devices 1008 and a plurality of input/output, I/O, devices 1010, a memory 1012, and a storage 1014.
  • the data processing module 1006 may be responsible for implementing the method described in Figs. 5 and 7.
  • the data processing module 1006 may in some embodiments be equivalent to the CPU/processor of the computing device described above in conjunction with the Fig. 4.
  • the data processing module 1006 is capable of executing software instructions stored in memory 1012.
  • the data processing module 1006 receives commands from the control module 1002 in order to perform its processing. Further, any logical and arithmetic operations involved in the execution of the instructions are computed with the help of the ALU 1004.
  • the computer program is loadable into the data processing module 1006, which may, for example, be comprised in an electronic apparatus (such as a user equipment).
  • the computer program may be stored in the memory 1012 associated with or comprised in the data processing module 1006.
  • the computer program may, when loaded into and run by the data processing module 1006, cause execution of method steps according to, for example, any of the method illustrated in Figs. 5 and 7 or otherwise described herein.
  • the overall computing environment 1000 may be composed of multiple homogeneous and/or heterogeneous cores, multiple CPUs of different kinds, special media and other accelerators. Further, the plurality of data processing modules 1006 may be located on a single chip or over multiple chips.
  • the algorithm comprising of instructions and codes required for the implementation are stored in either the memory 1012 or the storage 1014 or both. At the time of execution, the instructions may be fetched from the corresponding memory 1012 and/or storage 1014, and executed by the data processing module 1006.
  • networking devices 1008 or external I/O devices 1010 may be connected to the computing environment to support the implementation through the networking devices 1008 and the I/O devices 1010.
  • the embodiments disclosed herein can be implemented through at least one software program running on at least one hardware device and performing network management functions to control the elements.
  • the elements shown in Fig. 10 include blocks which can be at least one of a hardware device, or a combination of hardware device and software module.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the present disclosure provide a network (200) for initiating communication between a first UE (102) and a first cluster (104). The network (200) comprises one or more servers (106) arranged for communication with one or more UEs (102). The first cluster (104) comprises a cluster API server (108) arranged to authenticate the first UE (102) to provide access to the first cluster (104). A first server (106) comprises a joining server (110) arranged to request an authentication key and create a joining token in the cluster API server (108) using the authentication key. The first UE (102) comprises a controlling circuitry configured to cause the UE (102) to join a first cluster (104) from a plurality of clusters (104). Corresponding UE (102) and a method for UE (102) to join a cluster are also disclosed.

Description

NETWORK, UE AND METHOD FOR UE FOR JOINING A CLUSTER IN A COMMUNICATION NETWORK
TECHNICAL FIELD
The present disclosure relates generally to a field of cloud network platforms. More particularly, it relates to method, computing device and computer program products for enabling a networked mobile device or user equipment, UE, to join a cluster.
BACKGROUND
Currently, the integration of communication services, Application Programming Interfaces (APIs), and network capabilities for the development of advanced solutions that leverage the strengths of both the 5G network and cloud services such as edge computing, network slicing, low latency applications and Internet of Things (IoT) services, which are to be deployed across telecommunications infrastructure and cloud platforms, is envisioned through network platforms. Network platforms are used for coordinating networked mobile devices or user terminals/user equipment, UEs, such as a mobile robot fleet by a cluster near the network edge. The network platforms are also expected to provide services beyond connectivity such as computation offloading and workload orchestration, which enables the networked mobile devices or UEs to work collaboratively with each other and distribute workloads across computing (device-edge-cloud) continuum.
A need for a standardized cloud network platform for overseeing distributed computing across networked devices and the network edge has been of significant importance. Typically, many open source systems, for example, Kubernetes, have been recognized as a default orchestration platform for cloud-native clusters to deploy and administer applications. In addition, such orchestration platforms have been the default choice to manage distributed computation in networked mobile devices or UEs as it offers scalable and flexible orchestration in network edge environments.
The current process for enabling a networked mobile UE to join a cluster involves utilizing standard Kubernetes joining process, which supports various authentication methods such as client certificates, bearer tokens, service account tokens, Webhook token authentication, bootstrap tokens, authentication proxy, node authorizer and the like. For example, during a cluster bootstrap process, bootstrap or discovery tokens are used for authentication of network terminals such as UEs and server APIs. The bootstrap or discovery token, known by the cluster administrator, is shared with an UE to facilitate the UE to join a cluster. Subsequently, Transport Layer Security (TLS) bootstrapping occurs to establish secure communication between the UE and the cluster.
SUMMARY
In distributed computing, the bootstrap or discovery tokens are distributed during the cluster bootstrap process by a cluster administrator to the UE to join a cluster. However, an additional interface needs to be defined to provision the bootstrap or discovery tokens to the UE. Also, the complexity of requiring an additional interface becomes a hurdle in large-scale deployments of mobile UEs, such as mobile robot fleets, as each user device or equipment needs to be configured with joining credentials during manufacturing or afterwards by asset owners. This additional step may introduce inefficiencies and potential security risks, especially in scenarios where UEs are in motion, frequently joining and switching clusters, as seen in vehicles or drones.
Consequently, there is a need for an improved network, UE and method to provide cluster joining procedure for networked mobile UEs in distributed computing that alleviates at least some of the above cited problems.
It is therefore an object of the present disclosure to provide a network, UE, and a method implemented in a UE for cluster joining procedure, to mitigate, alleviate, or eliminate all or at least some of the above-discussed drawbacks of presently known solutions.
This and other objects are achieved by means of a UE, a network, and a method implemented in the UE as defined in the appended claims. The term exemplary is in the present context to be understood as serving as an instance, example or illustration.
According to a first aspect of the disclosure, a network for initiating communication between a first User Equipment, UE, and a first cluster from a plurality of clusters is provided. The network comprises one or more servers arranged for communication with one or more UEs. The first cluster comprises a cluster API server arranged to authenticate the UE to join the at least one UE in the first cluster. A first server of the one or more servers comprises a joining server arranged to receive a session establishment request to join the first cluster from said first UE to provide an access to one or more resources of the first cluster to the first UE. The joining server is further arranged to request an authentication key from a Mobile Network Operator, MNO, serving the first UE. The joining server is further arranged to create a joining token in the cluster API server by using the authentication key from the MNO, wherein the joining token is of use to allow the first UE to join the first cluster. The joining server is further arranged to send a response to the first UE for the session establishment request to notify the first UE regarding the creation of the joining token, wherein the response comprises information about at least one unique identifier for the cluster API server. A first UE from the one or more UEs comprises a controlling circuitry configured to create the joining token by using the authentication key, after a response is received from the joining server, wherein the authentication key is received from the MNO. The controlling circuitry of the first UE is further configured to mutually authenticate the first UE and the cluster API server by using the joining token. The controlling circuitry of the first UE is further configured to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
Optionally, the first UE is admitted to the network after the authentication, and wherein the connection of the first UE is secured within the network through one or more session keys provided to the first UE by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE is derived through the one or more session keys.
Optionally, the session establishment request for joining the first cluster is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server.
Optionally, the joining server is arranged to create the joining token through the authentication key along with one or more identifiers of the first UE, and share the joining token along with the one or more identifiers with the cluster API server, wherein the joining token along with the one or more identifiers are authenticated by the cluster API server.
Optionally, the joining token is created in the cluster API server and is associated with an expiration time, wherein the request for joining the first cluster is rejected by the cluster API server after an expiry of the expiration time.
Optionally, the joining server is arranged for obtaining the authentication key from a mobile network operator, MNO, serving the first UE when the joining server is managed by the MNO, wherein the authentication key is derived from an AKMA key.
Optionally, the joining server is arranged to request for authentication from a key anchor function through a Network Exposure Function when the joining server is not managed by the MNO.
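The joining-token handling in the optional features above (a token created from the authentication key together with UE identifiers, stored through the cluster API server with an expiration time, and derived independently by the UE) is illustrated below. This is an added example, not code from the disclosure: the HKDF-SHA256 derivation, the labels, and the `ue_id` and `cluster_id` inputs are assumptions, since the text does not fix a derivation function, and the Secret layout follows the Kubernetes bootstrap-token format.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")  # Kubernetes bootstrap-token format
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_joining_token(k_af: bytes, ue_id: str, cluster_id: str) -> str:
    """Derive '<6 chars>.<16 chars>' from K_AF; run identically by UE and joining server.

    Assumption: the derivation and its labels are illustrative, not from the disclosure.
    """
    if len(k_af) < 32:
        raise ValueError("K_AF must be at least 256 bits")
    # Length-prefix each field so ('ab', 'c') and ('a', 'bc') cannot collide.
    parts = (b"joining-token", ue_id.encode(), cluster_id.encode())
    info = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    stream = hkdf_sha256(k_af, b"cluster-join-v1", info, 96)
    # Rejection sampling: bytes >= 252 would bias the mapping onto 36 symbols.
    chars = [ALPHABET[b % 36] for b in stream if b < 252][:22]
    if len(chars) < 22:
        raise RuntimeError("not enough unbiased bytes in the derived stream")
    return "".join(chars[:6]) + "." + "".join(chars[6:])


def build_bootstrap_secret(token: str, now: datetime, ttl: timedelta) -> dict:
    """Secret object the joining server would create through the cluster API server."""
    if not TOKEN_RE.match(token):
        raise ValueError("token does not match the bootstrap-token format")
    token_id, token_secret = token.split(".")
    expires = (now + ttl).astimezone(timezone.utc).strftime(TIME_FMT)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": f"bootstrap-token-{token_id}", "namespace": "kube-system"},
        "type": "bootstrap.kubernetes.io/token",
        "stringData": {
            "token-id": token_id,
            "token-secret": token_secret,
            "expiration": expires,
            "usage-bootstrap-authentication": "true",
        },
    }


def token_accepted(secret: dict, presented: str, now: datetime) -> bool:
    """Model of the cluster-side check: format, expiry, constant-time comparison."""
    if not TOKEN_RE.match(presented):
        return False
    token_id, token_secret = presented.split(".")
    data = secret["stringData"]
    expires = datetime.strptime(data["expiration"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expires:
        return False  # joining request is rejected after the expiration time
    id_ok = hmac.compare_digest(data["token-id"], token_id)
    secret_ok = hmac.compare_digest(data["token-secret"], token_secret)
    return id_ok and secret_ok


if __name__ == "__main__":
    # Constructed sample values; a real K_AF comes from the AKMA procedure.
    k_af = hashlib.sha256(b"constructed K_AF for the example").digest()
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    server_side = derive_joining_token(k_af, "ue-0001", "cluster-a")
    secret = build_bootstrap_secret(server_side, now, timedelta(minutes=10))
    ue_side = derive_joining_token(k_af, "ue-0001", "cluster-a")
    print(secret["metadata"]["name"], secret["stringData"]["expiration"])
    print("accepted in time:", token_accepted(secret, ue_side, now + timedelta(minutes=5)))
    print("accepted late:", token_accepted(secret, ue_side, now + timedelta(minutes=11)))
```

Because the token is never sent to the UE, a short expiration on the Secret limits how long a leaked K_AF-derived value remains usable for joining.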
According to a second aspect of the disclosure, a first User Equipment for joining a first cluster from a plurality of clusters deployed in a network is provided, wherein the network comprises a plurality of servers each in communication with the first UE and with at least one of the plurality of clusters. The first UE comprises a controlling circuitry configured to authenticate with the MNO. The controlling circuitry is further configured to receive an authentication key to join the first cluster from the MNO, wherein the joining the first cluster provides an access to one or more resources of the first cluster to the first UE. The controlling circuitry is further configured to transmit, to a joining server of a first server among the plurality of servers, a session establishment request for joining the first cluster. The controlling circuitry is further configured to receive, from the joining server, a response for the session establishment request notifying a creation of the joining token through the joining server in the cluster API server, wherein the joining token is created by using the authentication key received by the joining server from the MNO, wherein the response comprises information about at least one unique identifier for a cluster API server implemented in the first cluster. The controlling circuitry is further configured to mutually authenticate the first UE and the cluster API server by using the joining token. The controlling circuitry is further configured to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
According to a third aspect of the disclosure, a method implemented in a first User Equipment, UE, for joining a first cluster from a plurality of clusters deployed in a network is provided, wherein the network comprises a plurality of servers each in communication with one or more UE and with at least one of the plurality of clusters. The method comprising to authenticate with the MNO. The method further comprising to receive an authentication key to join the first cluster from the MNO, wherein the joining the first cluster provides an access to one or more resources of the first cluster to the first UE. The method further comprising to transmit, to a joining server of a first server among the plurality of servers, a session establishment request for joining the first cluster. The method further comprising to receive, from the joining server, a response for the session establishment request notifying a creation of the joining token through the joining server in the cluster API server, wherein the joining token is created by using the authentication key received by the joining server from the MNO, wherein the response comprises information about at least one unique identifier for a cluster API server implemented in the first cluster. The method further comprising to mutually authenticate the first UE and the cluster API server by using the joining token. The method further comprising to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
According to a fourth aspect of the disclosure, a network for initiating communication between a first User Equipment, UE, and a first cluster from a plurality of clusters is provided. The network comprises one or more servers arranged for communication with the first UE of one or more UEs. The first cluster comprises a cluster API server arranged to authenticate the UE to join the at least one UE in the first cluster. The first cluster further comprises a joining server arranged to receive a session establishment request from the first UE. The joining server is further arranged to obtain an authentication key from the MNO in response to the session establishment request, wherein the authentication key is of use for mutual authentication of the first UE and the cluster API server. The joining server is further arranged to send a response to the first UE for the session establishment request, wherein the response comprises information about at least one unique identifier for the cluster API server. The first UE from the one or more UEs comprises a controlling circuitry configured to mutually authenticate the first UE along with the cluster API server by using the authentication key obtained from the MNO. The controlling circuitry is further configured to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
According to a fifth aspect of the disclosure, a first User Equipment for joining a first cluster from a plurality of clusters deployed in a network is provided, wherein the network comprises a plurality of servers each in communication with the first UE and with at least one of the plurality of clusters. The UE comprises a controlling circuitry configured to authenticate with the MNO. The controlling circuitry is further configured to receive an authentication key to join the first cluster from the MNO, wherein the joining the first cluster provides an access to one or more resources of the first cluster to the first UE. The controlling circuitry is further configured to transmit, to a joining server in the first cluster, a session establishment request for joining the first cluster. The controlling circuitry is further configured to receive, from the joining server, a response for the session establishment request comprising information about at least one unique identifier for a cluster API server implemented in the first cluster. The controlling circuitry is further configured to mutually authenticate the first UE along with the cluster API server by using the authentication key. The controlling circuitry is further configured to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
According to a sixth aspect of the present disclosure, a method implemented in a first User Equipment, UE, for joining a first cluster from a plurality of clusters deployed in a communication network architecture is provided, wherein the communication network architecture comprises a plurality of servers each in communication with one or more UEs and with at least one of the plurality of clusters. The method comprising to authenticate with the MNO. The method further comprising to receive an authentication key to join the first cluster from the MNO, wherein the joining the first cluster provides an access to one or more resources of the first cluster to the first UE. The method further comprising to transmit, to a joining server in the first cluster, a session establishment request for joining the first cluster. The method further comprising to receive, from the joining server, a response for the session establishment request comprising information about at least one unique identifier for a cluster API server implemented in the first cluster. The method further comprising to mutually authenticate the first UE along with the cluster API server by using the authentication key. The method further comprising to initiate the communication session with the cluster API server, wherein the initiation of the communication session provides an access to one or more resources of the first cluster.
Some embodiments disclosed herein have one or more of the following advantages:
- Improving cluster joining procedure for UE by offloading the bootstrap authentication procedure to the mobile network operator.
- Improving cluster joining procedure for UE by removing the need for storing and using bootstrap tokens at the UE.
- Improving cluster switching process for the UE due to a simple single step interaction with the joining server for authentication.
- Improving mobile network operator switching process for the UE due to a simple single step interaction with the joining server.
Other advantages may be readily apparent to one having skill in the art. Certain embodiments may have none, some, or all of the recited advantages.
BRIEF DESCRIPTION OF THE DRAWINGS
The foregoing will be apparent from the following more particular description of the example embodiments, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating the example embodiments.
Fig. 1 discloses a wireless communication network architecture for providing a User Equipment, UE, to join a cluster according to some examples;
Fig. 2 discloses an example network for initiating communication between a first User Equipment, UE, and a first cluster from a plurality of clusters according to some embodiments of the present disclosure;
Fig. 3 discloses a block diagram illustrating examples of communication network architecture for providing a first UE to join a cluster when joining server is outside cluster API server according to some embodiments of the present disclosure;
Fig. 4 is a schematic block diagram illustrating an example first UE according to some embodiments of the present disclosure;
Fig. 5 is a flowchart illustrating example method steps of first UE joining a cluster when joining server is outside cluster API server according to some embodiments of the present disclosure;
Fig. 6 discloses a block diagram illustrating examples of communication network architecture for providing a first UE to join a cluster when joining server is a part of cluster API server according to some embodiments of the present disclosure;
Fig. 7 is a flowchart illustrating example method steps of a first UE joining a cluster when joining server is a part of cluster API server according to some embodiments of the present disclosure;
Figs. 8A-8B is a sequence diagram illustrating a first UE joining procedure according to some examples;
Fig. 9 is a sequence diagram illustrating a first UE re-joining a cluster according to some examples; and
Fig. 10 discloses an example computing environment according to some examples.
DETAILED DESCRIPTION
Aspects of the present disclosure will be described more fully hereinafter with reference to the accompanying drawings. The apparatus and method disclosed herein can, however, be realized in many different forms and should not be construed as being limited to the aspects set forth herein. Like numbers in the drawings refer to like elements throughout.
The terminology used herein is for the purpose of describing particular aspects of the disclosure only, and is not intended to limit the invention. It should be emphasized that the term "comprises/comprising" when used in this specification is taken to specify the presence of stated features, integers, steps, or components, but does not preclude the presence or addition of one or more other features, integers, steps, components, or groups thereof. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
Embodiments of the present disclosure will be described and exemplified more fully hereinafter with reference to the accompanying drawings. The solutions disclosed herein can, however, be realized in many different forms and should not be construed as being limited to the examples set forth herein.
It will be appreciated that when the present disclosure is described in terms of a method, it may also be embodied in one or more processors and one or more memories coupled to the one or more processors, wherein the one or more memories store one or more programs that perform the steps, services and functions disclosed herein when executed by the one or more processors.
In the following description of exemplary embodiments, the same reference numerals denote the same or similar components.
Fig. 1 discloses an example wireless communication system 100. Although the subject matter described herein may be implemented in any appropriate type of system using any suitable components, the embodiments disclosed herein are described in relation to a wireless communication system/wireless network, such as the example wireless communication system 100 described in Fig. 1.
The wireless communication system 100 may comprise and/or interface with any type of communication, telecommunication, data, cellular, and/or radio network or other similar type of system. In some embodiments, the wireless communication system 100 may be configured to operate according to specific standards or other types of predefined rules of procedures. Thus, particular embodiments of the wireless communication system 100 may implement communication standards, such as, but are not limited to, global system for mobile communications, GSM, universal mobile telecommunications system, UMTS, long term evolution, LTE, and/or other suitable 2G, 3G, 4G, or 5G standards, wireless local area network, WLAN, standards such as, IEEE 802.11 standards, and/or any other appropriate wireless communication standards, such as, worldwide interoperability for microwave access, WiMax, Bluetooth, Z-Wave and/or ZigBee standards.
For simplicity, as depicted in Fig. 1, the wireless communication system 100 comprises a first User Equipment, UE, 102, a network node 204, and a network 200. The first UE 102 and the network node 204 operate together in order to provide wireless connections in the wireless communication system 100. The network 200 may comprise one or more backhaul networks, core networks, IP networks, public switched telephone networks, PSTNs, packet data networks, optical networks, wide-area networks, WANs, local area networks, LANs, wireless local area networks, WLANs, wired networks, wireless networks, metropolitan area networks, and other networks to enable communication between devices (for example, wireless devices and network node). The network node 204 may refer to equipment capable, configured, arranged, and/or operable to communicate directly or indirectly with the UE 102 and/or with other network nodes or equipment in the wireless communication system 100 to enable and/or provide wireless access to the first UE 102 and/or to perform other functions (for example, administration) in the wireless communication system 100. Examples of the network node 204 may include, but are not limited to, access points, APs (for example, radio access points), base stations, BSs (for example, radio base stations, nodeBs, evolved NodeBs, eNBs, new radio, NR, nodes (gNBs), or the like). The BSs may be categorized based on an amount of coverage the BSs provide (or, stated differently, their transmit power level) and may then also be referred to as femto BSs, pico BSs, micro BSs, macro BSs. The BS may be a relay node or a relay donor node controlling a relay.
The first UE 102 (also referred to as a wireless device) may refer to a device capable, configured, arranged and/or operable to communicate wirelessly with the network node 204 and/or other wireless devices.
In some examples, the first UE 102 may include one or more of: computing devices, wireless devices that operate based on energy harvesting (hereinafter referred to as Zero-Energy, ZE, wireless devices), ultra-low power wireless devices, Internet of Things, IoT, devices, and so on.
Examples of the computing devices may include, but are not limited to, a smart phone, a mobile phone, a cell phone, a voice over Internet Protocol, IP, VoIP, phone, a wireless local loop phone, a desktop computer, a personal digital assistant, PDA, a wireless camera, a gaming console or device, a wearable terminal device, a wireless endpoint, a mobile station, a tablet, a laptop, a laptop-embedded equipment, LEE, a laptop-mounted equipment, LME, a smart device, a wireless customer-premise equipment, CPE, a vehicle-mounted wireless terminal device, and so on.
The ZE wireless devices may harvest energy to operate based on ambient sources such as vibrations, solar power, Radio Frequency, RF, or the like. Alternatively, the ZE wireless devices may harvest energy to operate based on back-scattering communication.
It should be understood that the first UE 102 need not be limited to the above-described wireless devices and may be extended to other wireless devices of different classes or categories providing different services while supporting, for example, Enhanced Mobile Broadband, eMBB, massive Machine-Type Communication, MTC, Ultra-Reliable Low Latency Communication, URLLC, Time Sensitive Networking, TSN, or the like.
Fig. 2 discloses a block diagram illustrating examples of a communication network architecture 200, or simply referred to as network 200, for establishing communication between a first mobile networked user equipment, UE, 102 with a first cluster 104 among a plurality of clusters 104. As disclosed in Fig. 2, there may be a plurality of UEs 102 in a communication network architecture 200 arranged to be served by at least one mobile network operator, MNO, 112. The network 200 further comprises a plurality of servers 106 arranged for communication with the plurality of UEs 102. Further, there exist entities such as application function, AF, 101, network exposure function, NEF, 103, a first server 106, authentication server function, AUSF, 106a, authentication and key management for applications, AKMA, anchor function, AAnF, 106b, cluster API server 108, joining server 110, and edge discovery server 114.
In some examples, the network 200, for example, may be an informational technology network, an operational technology network, a cloud infrastructure, a software as a service, SaaS, infrastructure or any combination thereof, connected to each of the computing devices.
In some examples, the application function, AF, 101 may include, but is not limited to, any application related function deployed outside the MNO 112, and which may be implemented using containers, wherein the AF 101 provides functionality to an end user or a cluster management server such as Kubernetes. In some examples, information (also referred to as data, data packets, or the like) the container produces may include, but are not limited to, metadata, general logging, sensitive/valuable information, and so on. Further, the containers may include different functions that are provisioned on a set of computing resources. In some examples, the computing resources may include physical computing resources, or virtual computing resources such as virtualized in a data center or multiple data centers or container clustering platforms.
In some examples, the network exposure function, NEF, 103 is a node that provides additional network related functionality to components such as external applications outside network premises based on established policies. The NEF 103 provides standardized Application Programming Interfaces, APIs, that external applications can use to interact with the network 108, wherein the APIs allow the external applications to request specific services, information, or capabilities from the network 200.
In some examples, the first server 106 may be an exposure server 106, which is a component that provides access to the network nodes for interacting with each other. The exposure server 106 also provides an interface with the AF 101, such as the cluster API server 108 outside the network 200. The exposure server 106 has capabilities of higher abstraction of a network platform (NP) which is an integration of a cloud communications platform with 5G radio services. Thus, the exposure server 106 is referred to interchangeably as NP in the document.
In some examples, authentication server function, AUSF, 106a and AKMA anchor function AAnF, 106b are network functions that provide support for the Authentication and Key Management of Applications, AKMA, wherein they are deployed as either a standalone function or collocated with NEF 103. AUSF 106a and AAnF 106b interact with other network functions to provide authentication procedures. Further, the AUSF 106a may be used for managing subscription information related to the computing devices.
In some examples, the cluster API server 108 may be responsible for managing and coordinating operations related to clusters in the network 200.
In some examples, the joining server 110 may be a supporting function for exposing functionality to the AF 101 and UE 102 to provide cluster ownership information for managing cluster joining.
In some examples, the edge discovery server 114 may be responsible for selecting an edge cluster that may provide additional resources such as physical or virtual computing resources to the UE 102. The edge discovery server 114 serves as an aggregator, allowing UEs to join and be a part of edge clusters from various service providers. Further, the edge discovery server 114 provides UE centric discovery based on UE capabilities, requirements, location, subscription, or network topology, to ensure that the UE is connected to a cluster that best meets the UE's specific needs and conditions. Furthermore, the edge discovery server 114 not only provides the endpoint of the selected edge cluster to the UE 102, but also provides the UE's integration as a member of the cluster, which is achieved by the UE 102 exposing its capabilities to other UEs of the clusters to collaborate and share resources among connected nodes.
Referring to the example(s) illustrated in Fig. 2, the network 200 is configured for initiating communication between a first UE 102 and a first cluster 104 from a plurality of clusters 104, wherein the network 200 comprises one or more UEs 102 arranged to be served by at least one MNO 112.
The proposed network 200 provides the joining server 110 for authenticating the UE 102 to join the first cluster 104.
The joining server 110 may be positioned inside the first cluster 104. The joining server 110 may be positioned inside the first server 106. Each scenario is discussed in detail in subsequent sections of the description.
Fig. 3 is an example schematic diagram showing the network 200. The network 200 is configured for initiating communication between a first UE 102 and a first cluster 104 from a plurality of clusters 104, wherein the network 200 comprises one or more servers (106) arranged for communication with one or more UEs 102.
The first cluster 104 comprises a cluster API server 108 arranged to authenticate the first UE 102 to provide access to one or more resources in the first cluster 104.
The network 200 further comprises one or more servers 106 from a plurality of servers 106 arranged for communication with one or more UEs 102.
A first server 106 of the one or more servers 106 comprises a joining server 110 arranged to receive a session establishment request from the first UE 102 to join the first cluster 104 to provide an access to the one or more resources of the first cluster (104) to the first UE (102).
Optionally, the first UE 102 is admitted to the network after the authentication and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys. Optionally, the session establishment request for joining the first cluster 104 is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server 114.
The joining server 110 is further arranged to request an authentication key from a Mobile Network Operator, MNO 112, serving the first UE 102.
The joining server 110 is further arranged to create a joining token in the cluster API server 108 by using the authentication key from the MNO 112, wherein the joining token is of use to allow the first UE 102 to join the first cluster 104.
Optionally, the joining server 110 is arranged to create the joining token through the authentication key along with one or more identifiers of the first UE 102, and share the joining token along with the one or more identifiers with the cluster API server 108, wherein the joining token along with the one or more identifiers are authenticated by the cluster API server 108.
Optionally, the joining token is created in the cluster API server 108 and is associated with an expiration time, wherein the request for joining the first cluster 104 is rejected by the cluster API server 108 after an expiry of the expiration time.
Optionally, the joining server 110 is arranged to obtain the authentication key from the MNO 112, serving the first UE 102 when the joining server 110 is managed by the MNO 112, wherein the authentication key is derived from an AKMA key.
Optionally, the joining server 110 is arranged to request for authentication from a key anchor function through a Network Exposure Function when the joining server 110 is not managed by the MNO 112.
The joining server 110 is further arranged to send a response to the first UE 102 for the session establishment request to notify the first UE 102 regarding the creation of the joining token, wherein the response comprises information about at least one unique identifier for the cluster API server 108.
In an example, if the joining token expires and the UE 102 gets rejected by the Cluster API server 108, the UE 102 may ask the joining server 110 to create another valid joining token using the authentication procedure through the joining server 110 as discussed above. Additionally, in case of expiration of the AKMA Application Key (KAF), the UE 102 and the Joining server 110 may re-negotiate a KAF, according to the AKMA specification, which is standardized by 3GPP.
Fig. 4 is an example block diagram of the first UE 102. As shown in Fig. 4, the first UE 102 from the one or more UEs 102 comprises a memory 402, a processor 404, a controlling circuitry 406 and a driver 408.
The controlling circuitry 406 of the UE 102 is configured to create the joining token by using the authentication key, after a response is received from the joining server 110. The authentication key is received from the MNO 112.
The controlling circuitry 406 of the UE 102 is further configured to mutually authenticate the first UE 102 and the cluster API server 108 by using the joining token.
The controlling circuitry 406 of the UE 102 is further configured to initiate the communication session with the cluster API server 108, wherein the initiation of the communication session provides an access to one or more resources of the first cluster 104. Remaining details of the first UE 102 are described in later part of the description.
Again referring to Fig. 3, disclosed is an example implementation of a first UE 102 joining the first cluster 104 when the joining server 110 is located within the first server 106 i.e., the exposure server or NP. As the joining server 110 is a part of the NP, it remains a trusted component and is provided to fetch the AKMA key from the MNO 112 without any interface functions. Also, the joining service of the joining server 110 may be launched after the exposure server 106 receives the UE's 102 request to join the cluster 104, and the joining service may be shut down after the joining procedure is completed. This joining service guarantees enforcement of proper access control.
As illustrated in Fig. 3, the example implementation steps of the UE 102 when the joining server 110 is provided as part of the exposure server 106 are as given below.
In step 1, the UE 102 finishes primary authentication with the network 200. Subsequently, in step 2, the UE 102 acquires the AKMA key. Thereafter, in step 3, the UE 102 requests to join a cluster using the edge discovery service of the edge discovery server 114. Further, in step 4, the UE 102 acquires the joining server's 110 unique identifier such as URL from the edge discovery service. Thereafter, in step 5, the UE 102 initiates an authentication request to the joining server, preparing to mutually authenticate itself with the cluster API server 108, and establish a secure communication session. Now, in step 6, the joining server 110 requests to fetch the AKMA AF key (KAF) from the MNO 112. Subsequently, in step 7, the MNO 112 sends the AKMA AF key (KAF) to the joining server 110 located within the edge discovery server 114. Further, in step 8, the joining server 110 sends the AKMA AF key (KAF) to the cluster API server 108, and creates a joining token using the application AKMA AF key (KAF) in cluster API server 108. Further, in step 9, the cluster API server 108 sends a response or acknowledgement to the joining server 110 about the successful creation of the joining token.
In an example, a bootstrap or joining token is generated by using the AKMA key as a seed or key material, wherein cryptographic operations such as, but not limited to, hash based message authentication code (HMAC) are used for maintaining the bootstrap token's uniqueness and security. This makes the bootstrap or joining token compatible with the Kubelet transport layer security (TLS) bootstrapping procedure, thereby enabling the UE 102 to use a TLS certificate for secure communication with the cluster API server 108.
In an example, generic bootstrapping architecture (GBA) disclosed in TS.33.220, or GSMA's entitlement service procedure disclosed in GSMA TS.43, or application login using IP multimedia subsystem (IMS), which is still under discussion in 3GPP (discussion paper and study item proposal S3-234579, S3-234578) may be used as alternative bootstrapping techniques other than AKMA.
In an example, the joining server 110 may acquire the UE's 102 unique identifier and use the identifier together with the AKMA key as a seed to generate the bootstrap or joining token. This prevents malicious attackers who acquire the AKMA key from joining the cluster API server 108.
In an example, the joining server 110 may derive the bootstrap or joining token from the AKMA key, but sends the bootstrap or joining token along with UE's unique identifier to the cluster API server, wherein the cluster API server 108 has to authenticate both the bootstrap or joining token and UE's unique identifier.
In an example, the joining server 110 may create the bootstrap or joining token in the cluster API server 108 such as by executing the "kubeadm token create [token]" command. Further, in step 10, after creating the joining token at the cluster API server 108, the joining server 110 sends a response or acknowledgement to the UE 102 with necessary information such as the unique identifier of the cluster API server 108, for example the URL of the cluster API server 108. Furthermore, in step 11, the UE 102 uses the AKMA AF key (KAF) to derive the joining token or bootstrap token, and then authenticates itself with the cluster API server 108. Finally, in step 12, the UE 102 and the cluster API server 108 establish a secure communication session which enables the UE 102 to join the cluster 104.
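The token derivation in steps 8 to 12 can be sketched as follows; this is an added example, not code from the application. It assumes HMAC-SHA256 over the AKMA AF key (KAF) and the UE identifier, rendered in the `<6 characters>.<16 characters>` format that kubeadm accepts for bootstrap tokens. The label strings, function names, the `ClusterTokenStore` stand-in for the cluster API server 108, and the sample key and identifiers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"
# Format kubeadm accepts for a bootstrap token: <6-char id>.<16-char secret>
TOKEN_RE = re.compile(r"^([a-z0-9]{6})\.([a-z0-9]{16})$")


def base36_prf(key: bytes, label: bytes, context: bytes, length: int) -> str:
    """HMAC-SHA256(key, label || 0x00 || context) rendered as `length` base36 chars."""
    digest = hmac.new(key, label + b"\x00" + context, hashlib.sha256).digest()
    # The 256-bit output is reduced modulo 36**length; the modulo bias is negligible.
    n = int.from_bytes(digest, "big") % (36 ** length)
    out = []
    for _ in range(length):
        n, r = divmod(n, 36)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def derive_joining_token(k_af: bytes, ue_id: str) -> str:
    """Run identically by the joining server (step 8) and by the UE (step 11)."""
    if len(k_af) < 32:  # assumption: K_AF is a 256-bit key
        raise ValueError("K_AF shorter than 256 bits")
    context = ue_id.encode("utf-8")
    token_id = base36_prf(k_af, b"join-token-id", context, 6)     # public lookup part
    secret = base36_prf(k_af, b"join-token-secret", context, 16)  # secret part
    return f"{token_id}.{secret}"


class ClusterTokenStore:
    """Hypothetical stand-in for the token records held by the cluster API server."""

    def __init__(self):
        self.records = {}  # token_id -> (secret, bound UE identifier, expiry time)

    def create(self, token: str, ue_id: str, ttl_s: int, now: float) -> None:
        m = TOKEN_RE.match(token)
        if not m:
            raise ValueError("not a valid bootstrap token")
        self.records[m.group(1)] = (m.group(2), ue_id, now + ttl_s)

    def authenticate(self, token: str, ue_id: str, now: float) -> bool:
        m = TOKEN_RE.match(token)
        rec = self.records.get(m.group(1)) if m else None
        if rec is None:
            return False
        secret, bound_ue, expires_at = rec
        if now >= expires_at:
            del self.records[m.group(1)]  # expired tokens are rejected and dropped
            return False
        # Constant-time comparison of both the secret and the bound identifier
        ok_secret = hmac.compare_digest(secret.encode(), m.group(2).encode())
        ok_ue = hmac.compare_digest(bound_ue.encode(), ue_id.encode())
        return ok_secret and ok_ue


# Constructed sample values, not taken from the page.
K_AF = hashlib.sha256(b"constructed K_AF for illustration only").digest()
UE_ID = "constructed-ue-id-0001"


def run_join(now: float = 1000.0) -> dict:
    store = ClusterTokenStore()
    server_token = derive_joining_token(K_AF, UE_ID)   # joining server side
    store.create(server_token, UE_ID, ttl_s=600, now=now)
    ue_token = derive_joining_token(K_AF, UE_ID)       # UE side; token never sent to the UE
    return {
        "same_token": hmac.compare_digest(server_token, ue_token),
        "fresh": store.authenticate(ue_token, UE_ID, now + 30),
        "other_ue": store.authenticate(ue_token, "constructed-ue-id-0002", now + 30),
        "expired": store.authenticate(ue_token, UE_ID, now + 601),
    }


if __name__ == "__main__":
    print(run_join())
```

Binding the identifier into the derivation only raises the bar if the cluster API server checks that identifier against something a holder of KAF alone cannot supply.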
In FIG. 4, an example UE 102 is illustrated comprising one or more modules. These modules may e.g. comprise a memory 402, a processor 404, a controlling circuitry 406, and a driver 408. The controlling circuitry 406, may be adapted to control the other modules.
The memory 402, the processor 404 and the driver 408 as well as the controlling circuitry 406, may be operatively connected to each other.
The memory 402 is adapted to store a preconfigured address for the one or more servers 106 at the UE 102.
The processor 404 is adapted to identify the availability of the radio resources, and the one or more servers 106 for transmission of the plurality of data packets.
The controlling circuitry 406 may be adapted to control the steps as executed by the UE 102. For example, the controlling circuitry 406 may be adapted to transmit and receive data to/from cluster API server 108 and edge discovery server 114.
The driver 408 may be adapted to process a plurality of data packets received and transmitted by the UE 102, and the timing information related to the plurality of radio resources from network nodes of the network 200.
The UE 102 of FIG. 4 is, for example, the first UE 102, also referred to as UE 102, that is provided for joining the first cluster 104 from the plurality of clusters 104 deployed in the communication network architecture 200, or the network 200, wherein the communication network architecture 200 comprises the plurality of servers 106 each in communication with the UE 102 and with at least one of the plurality of clusters 104. The control circuitry 406 is configured to authenticate with the MNO 112. Optionally, the first UE 102 is admitted to the network 200 after the authentication, and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys.
The control circuitry 406 of the UE 102 is further configured to receive an authentication key to join the first cluster 104 from the MNO 112, wherein the joining the first cluster provides an access to one or more resources of the first cluster 104 to the first UE 102.
Optionally, the authentication key is of use for creating a joining token to be shared with the cluster API server 108 in the first cluster 104 for authenticating the first UE 102 for joining the first cluster 104.
Optionally, the authentication key is used along with one or more identifiers of the first UE 102 for creating the joining token, wherein the joining token is authenticated along with the one or more identifiers through the cluster API server 108.
Optionally, the authentication key is derived from an AKMA key and is obtained by the joining server 110 from a mobile network operator, MNO 112, serving the first UE 102 when the joining server 110 is managed by the MNO 112.
The control circuitry 406 of the UE 102 is further configured to transmit, to a joining server 110 of a first server 106 among the plurality of servers 106, a session establishment request for joining the first cluster 104.
Optionally, the request for joining the first cluster 104 is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server 114.
In an example, the joining server 110 may be a supporting function that utilizes robust security mechanisms established by the 5G network's primary authentication process and reuses authentication mechanisms embedded within the subscriber identity module (SIM) or embedded Universal Integrated Circuit Card ((e)UICC) of the UE 102. In an example, the joining server 110 may interact with the UE 102 by using the AKMA authentication procedure.
In an example, the AKMA may be based on usage of credentials in (e)UICC.
In an example, the joining server 110 may provide bootstrapping authentication and cluster joining procedure by delegating communication responsibilities of the UE 102 to the cluster API server 108, to achieve seamless inclusion of the UE 102 into the cluster environment using the existing authentication procedures.
In an example, the bootstrapping may be provided using other authentication mechanisms using credentials of (e)UICC.
The control circuitry 406 of the UE 102 is further configured to receive, from the joining server 106, a response for the session establishment request notifying a creation of the joining token through the joining server 110 in the cluster API server 108, wherein the joining token is created by using the authentication key received by the joining server 110 from the MNO 112, wherein the response comprises information about at least one unique identifier for a cluster API server 108 implemented in the first cluster 104.
The control circuitry 406 of the UE 102 is further configured to mutually authenticate the first UE 102 and the cluster API server 108 by using the joining token.
The control circuitry 406 of the UE 102 is further configured to initiate the communication session with the cluster API server 108, wherein the initiation of the communication session provides an access to one or more resources of the first cluster 104.
In an example, the UE 102 may, for example, be a mobile UE that moves across the plurality of clusters 104, which are groups of edge computing resources or network nodes. The plurality of clusters 104 could be geographically distributed or serve specific purposes. As the one or more UEs 102 move, the network 200 dynamically allocates resources to ensure optimal performance and low latency for the UE's 102 applications and services. The UE 102 is capable of joining at least one cluster from the plurality of clusters 104 deployed in the communication network architecture 200.
Fig. 5 is a flowchart illustrating example method steps of a method 500 implemented in the first UE 102, also referred to as the UE 102, for joining the first cluster 104 from the plurality of clusters 104 deployed in the network 200, wherein the network 200 comprises a plurality of servers 106 each in communication with one or more UE 102 and with at least one of the plurality of clusters 104.
The method 500 is performed by the UE 102 for joining the first cluster 104 from the plurality of clusters 104 in the network 200 when the joining server 110 is outside the cluster API server 108 according to some examples.
At step 502, the method 500 comprises authenticating with the MNO 112.
Optionally, the first UE 102 is admitted to the network 200 after the authentication, and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys.
At step 504, the method 500 comprises receiving an authentication key to join the first cluster 104 from the MNO 112, wherein the joining the first cluster provides an access to one or more resources of the first cluster 104 to the first UE 102.
Optionally, the authentication key is of use for creating a joining token to be shared with the cluster API server 108 in the first cluster 104 for authenticating the first UE 102 for joining the first cluster 104.
Optionally, the authentication key is used along with one or more identifiers of the first UE 102 for creating the joining token, wherein the joining token is authenticated along with the one or more identifiers through the cluster API server 108.
Optionally, the authentication key is derived from an AKMA key and is obtained by the joining server 110 from a mobile network operator, MNO 112, serving the first UE 102 when the joining server 110 is managed by the MNO 112.
At step 506, the method 500 comprises transmitting, to a joining server 110 of a first server 106 among the plurality of servers 106, a session establishment request for joining the first cluster 104.
Optionally, the request for joining the first cluster 104 is sent through the edge discovery service, wherein the edge discovery service identifies the edge discovery server 114.
In an example, the joining server 110 may interact with the UE 102 using the AKMA authentication procedure.
At step 508, the method 500 comprises receiving, from the joining server 106, a response for the session establishment request notifying a creation of the joining token through the joining server 110 in the cluster API server 108, wherein the joining token is created by using the authentication key received by the joining server 110 from the MNO 112, wherein the response comprises information about at least one unique identifier for a cluster API server 108 implemented in the first cluster 104.
At step 510, the method 500 comprises mutually authenticating the first UE 102 and the cluster API server 108 by using the joining token.
At step 512, the method 500 comprises initiating the communication session of the first UE 102 with the cluster API server 108, wherein the initiation of the communication session provides an access to one or more resources of the first cluster 104.
Additional details of the method 500 are similar to details of the network 200 and the UE 102 as discussed above and hence are not repeated for the sake of brevity.
Fig. 6 is an example schematic diagram showing the network 200. The network 200 is configured for initiating communication between the first UE 102 and the first cluster 104 from the plurality of clusters 104. The network 200 comprises one or more UEs 102 arranged to be served by at least one MNO 112. The network 200 further comprises one or more servers 106 from a plurality of servers 106 arranged for communication with one or more UEs 102.
The first cluster 104 comprises the cluster API server 108 arranged to authenticate the UE 102 to join the at least one UE 102 in the first cluster 104. The first cluster 104 comprises a joining server 110 arranged to receive a session establishment request from the first UE 102 to provide an access to one or more resources of the first cluster 104 to the first UE 102.
Optionally, the first UE 102 is admitted to the network after the authentication and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys.
Optionally, the session establishment request for joining the first cluster 104 is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server 114.
The joining server 110 is further arranged to obtain the authentication key to authenticate both the UE 102 and the cluster API server 104.
The joining server 110 is further arranged to obtain an authentication key from the MNO 112 in response to the session establishment request, wherein the authentication key is of use for mutual authentication of the first UE 102 and the cluster API server 108.
Optionally, the joining server 110 is arranged to create the joining token through the authentication key along with one or more identifiers of the first UE 102, and share the joining token along with the one or more identifiers with the cluster API server 108, wherein the joining token along with the one or more identifiers are authenticated by the cluster API server 108.
Optionally, the joining token is created in the cluster API server 108 and is associated with an expiration time, wherein the request for joining the first cluster 104 is rejected by the cluster API server 108 after an expiry of the expiration time.
Optionally, the joining server 110 is arranged to obtain the authentication key from the MNO 112, serving the first UE 102 when the joining server 110 is managed by the MNO 112, wherein the authentication key is derived from an AKMA key. Optionally, the joining server 110 is arranged to request for authentication from a key anchor function through a Network Exposure Function when the joining server 110 is not managed by the MNO 112.
The joining server 110 is further arranged to send a response to the first UE 102 for the session establishment request, wherein the response comprises information about at least one unique identifier for the cluster API server 108.
In an example, if the joining token expires and the UE 102 gets rejected by the Cluster API server 108, the UE 102 may ask the joining server 110 to create another valid joining token using the authentication procedure through the joining server 110 as discussed above. Additionally, in case of expiration of the AKMA Application Key (KAF), the UE 102 and the Joining server 110 may re-negotiate a KAF, according to the AKMA specification, which is standardized by 3GPP.
The first UE 102 from the one or more UEs 102 comprises a controlling circuitry 406.
The controlling circuitry 406 of the UE 102 is configured to mutually authenticate the first UE 102 along with the cluster API server (108) by using the authentication key obtained from the MNO 112.
The controlling circuitry 406 of the UE 102 is further configured to initiate the communication session with the cluster API server 108, wherein the initiation of the communication session provides an access to one or more resources of the first cluster 104. The authentication key is derived from an AKMA key.
Again referring to Fig. 6, disclosed is an example implementation of the UE 102 joining the cluster 104 when the joining server 110 is a part of the cluster API server. The joining server 110 belongs to the same cluster 104 that the UE 102 intends to join, wherein the joining server 110 is provided as an extension to the cluster API server 110. As illustrated in Fig. 4, the implementation steps of the UE 102 when the joining server 110 is provided as an extension to the cluster API server 110 are as given below.
In step 1, the UE 102 finishes 5G primary authentication with the network 200. Subsequently, in step 2, the UE 102 acquires the AKMA key. Thereafter, in step 3, the UE 102 requests to join the cluster 104 using the edge discovery service provided by the edge discovery server 114. Further, in step 4, the UE 102 acquires the unique identifier of the cluster API server 108 from the edge discovery service, and the unique identifier comprises a uniform resource locator (URL) of the cluster API server 108. Thereafter, in step 5, the UE 102 initiates the authentication request to mutually authenticate itself with the cluster API server 108 and establish the secure communication session with the cluster API server 108. Now, in step 6, the joining server 110 of the cluster API server 108 requests to fetch the AKMA AF key from the MNO 112. Subsequently, in step 7, the request for acquiring the AKMA AF key is sent to the MNO 112 through the first server 106. Thereafter, in step 8, the AKMA AF key is provided by the MNO 112 to the first server 106. Further, in step 9, the AKMA AF key provided by the MNO 112 is sent to the joining server 110 of the cluster API server 108. Finally, in step 10, the cluster API server 108 and the UE 102 finish mutual authentication using the AKMA AF key, and establish a secure communication session, which enables the UE 102 to join the cluster 104.
According to another example, again referring to Fig. 4, the first UE 102 is provided for joining the first cluster 104 from the plurality of clusters 104 deployed in the communication network architecture 200, wherein the communication network architecture 200 comprises a plurality of servers 106 each in communication with the UE 102 and with at least one of the plurality of clusters 104. Further, the UE 102 comprises a controlling circuitry 406.
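Step 10 of this flow uses the AKMA AF key directly, without a joining token. The following added example, which is not code from the application, shows one possible key-confirmation exchange: both sides prove possession of the key over fresh nonces, the UE identifier and the cluster API server URL obtained in step 4, with distinct role labels so that one side's proof cannot be replayed as the other's. The message layout, class and function names, and sample values are assumptions; a deployment would normally use an established pre-shared-key handshake rather than this sketch.

```python
import hashlib
import hmac
import os


def tag(k_af: bytes, role: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over a role label and the transcript, each length-prefixed."""
    mac = hmac.new(k_af, b"", hashlib.sha256)
    for f in (role, *fields):
        mac.update(len(f).to_bytes(2, "big") + f)
    return mac.digest()


class ApiServer:
    """Cluster API server side, holding the key fetched in steps 6 to 9."""

    def __init__(self, k_af: bytes, url: bytes):
        self.k_af, self.url, self.transcript = k_af, url, None

    def respond(self, ue_id: bytes, nonce_ue: bytes):
        nonce_srv = os.urandom(16)
        self.transcript = (ue_id, self.url, nonce_ue, nonce_srv)
        return nonce_srv, tag(self.k_af, b"server", *self.transcript)

    def finish(self, ue_tag: bytes):
        expected = tag(self.k_af, b"ue", *self.transcript)
        if not hmac.compare_digest(expected, ue_tag):
            return None  # UE did not prove possession of the key
        return tag(self.k_af, b"session", *self.transcript)


class Ue:
    """UE side, holding the key derived after primary authentication."""

    def __init__(self, k_af: bytes, ue_id: bytes, api_url: bytes):
        self.k_af, self.ue_id, self.api_url = k_af, ue_id, api_url
        self.nonce_ue, self.session_key = None, None

    def hello(self):
        self.nonce_ue = os.urandom(16)
        return self.ue_id, self.nonce_ue

    def verify_server(self, nonce_srv: bytes, srv_tag: bytes):
        transcript = (self.ue_id, self.api_url, self.nonce_ue, nonce_srv)
        expected = tag(self.k_af, b"server", *transcript)
        if not hmac.compare_digest(expected, srv_tag):
            return None  # server did not prove possession of the key
        self.session_key = tag(self.k_af, b"session", *transcript)
        return tag(self.k_af, b"ue", *transcript)


# Constructed sample values, not taken from the page.
K_AF = hashlib.sha256(b"constructed K_AF for illustration only").digest()
OTHER_KEY = hashlib.sha256(b"constructed unrelated key").digest()
UE_ID = b"constructed-ue-id-0001"
API_URL = b"https://cluster-api.example.invalid:6443"


def run_exchange(k_ue: bytes, k_srv: bytes, echo_server_tag: bool = False):
    """Returns the agreed session key, or None if either side rejects."""
    ue, srv = Ue(k_ue, UE_ID, API_URL), ApiServer(k_srv, API_URL)
    ue_id, nonce_ue = ue.hello()
    nonce_srv, srv_tag = srv.respond(ue_id, nonce_ue)
    if echo_server_tag:
        # Negative check: the server's own proof must not be accepted as the UE's.
        return srv.finish(srv_tag)
    ue_tag = ue.verify_server(nonce_srv, srv_tag)
    if ue_tag is None:
        return None
    srv_key = srv.finish(ue_tag)
    if srv_key is None or not hmac.compare_digest(srv_key, ue.session_key):
        return None
    return srv_key


if __name__ == "__main__":
    print(run_exchange(K_AF, K_AF) is not None)
```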
The control circuitry 406 of the first UE 102 is configured to authenticate with the MNO 112.
Optionally, the first UE 102 is admitted to the network 200 after the authentication, and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE 102 is derived through the one or more session keys.
The control circuitry 406 of the first UE 102 is configured to receive an authentication key to join the first cluster 104 from the MNO 112, wherein the joining the first cluster provides an access to one or more resources of the first cluster 104 to the first UE 102.
Optionally, the authentication key is derived from an AKMA key, wherein the authentication key is received from the MNO 112, serving the first UE 102. The control circuitry 406 of the first UE 102 is further configured to transmit, to a joining server 110 in the first cluster 104, a session establishment request for joining the first cluster 104.
Optionally, the request for joining the first cluster 104 is sent through an edge discovery service.
The control circuitry 406 of the first UE 102 is further configured to receive, from the joining server 110, a response for the session establishment request comprising information about at least one unique identifier for a cluster API server 108 implemented in the first cluster 104.
Optionally, the at least one unique identifier is a URL or an IP address of the cluster API server 108.
The control circuitry 406 of the first UE 102 is further configured to mutually authenticate the first UE (102) along with the cluster API server 108 by using the authentication key.
The control circuitry 406 of the first UE 102 is further configured to initiate the communication session with the cluster API server 108, wherein the initiation of the communication session provides an access to one or more resources of the first cluster 104.
Additional details of the first UE 102 are similar to details of the UE 102 as discussed above and hence are not repeated for the sake of brevity.
Fig. 7 is a flowchart illustrating example method steps of a method 700 implemented in the UE 102 for joining the first cluster 104 from a plurality of clusters 104 deployed in the communication network architecture 200, wherein the communication network architecture 200 comprises a plurality of servers 106 each in communication with the one or more UE 102 and with at least one of the plurality of clusters 104. The method 700 is performed by the UE 102 for joining the first cluster 104 from a plurality of clusters in a network 200 when the joining server 110 is a part of the cluster API server 108 according to some examples.
At step 702, the method 700 comprises authenticating with the MNO 112.
Optionally, the first UE 102 is admitted to the network 200 after the authentication, and wherein the connection of the first UE 102 is secured within the network 200 through one or more session keys provided to the first UE 102 by at least one network function, NF, hosted as one of an internal network function or an external network function, wherein the authentication for the first UE 102 is derived through the one or more session keys.
At step 704, the method 700 comprises receiving an authentication key to join the first cluster 104 from the MNO 112, wherein the joining the first cluster provides an access to one or more resources of the first cluster 104 to the first UE 102.
At step 706, the method 700 comprises transmitting, to a joining server 110 in the first cluster 104, a session establishment request for joining the first cluster 104.
At step 708, the method 700 comprises receiving, from the joining server 110, a response for the session establishment request comprising information about at least one unique identifier for a cluster API server 108 implemented in the first cluster 104.
Optionally, the at least one unique identifier is a URL or an IP address of the cluster API server 108.
In an example, the joining server 110 may be a supporting function that utilizes robust security mechanisms established by the 5G network's primary authentication process and reuses authentication mechanisms embedded within the subscriber identity module (SIM) or embedded Universal Integrated Circuit Card (e(UICC)) card of the UE 102.
In an example, the joining server 110 may interact with the UE 102 using the AKMA authentication procedure. The joining server 110 may provide bootstrapping authentication and cluster joining procedure by delegating communication responsibilities of the UE 102 to the cluster API server 108, to achieve seamless inclusion of the UE 102 into the cluster environment using the existing authentication procedures.
At step 710, the method 700 comprises mutually authenticating the first UE 102 along with the cluster API server 108 by using the authentication key.
Optionally, the authentication key is derived from an AKMA key, wherein the authentication key is received from the MNO 112, serving the first UE 102.
At step 712, the method 700 comprises initiating the communication session with the cluster API server 108, wherein the initiation of the communication session provides an access to one or more resources of the first cluster 104. Additional details of the method 700 comprise one or more of the details of the network 200 as discussed in Fig. 6 and the UE 102 as discussed in Fig. 2 and hence are not repeated for the sake of brevity.
Fig. 8A-8B discloses a sequence diagram illustrating additional details of the method 500 for joining the first cluster 104 by the first UE 102 according to some examples. As illustrated in Fig. 8A-8B, the steps for the first UE 102 to join the first cluster 104 when the joining server 110 is provided as part of the exposure server 106 are given below.
In step 1, 5G primary authentication is performed between the first UE 102 and the AUSF 106a. Subsequently, after successful primary authentication, the first UE 102 is accepted by the network and a connection is established using derived session keys, wherein a root session key KAUSF is managed by the AUSF 106a so that the first UE 102 and the network 200 can derive further keys from the KAUSF. Step 1 may be performed as defined in TS 33.501.
In step 2, the root session key KAUSF is used to generate the authentication key KAKMA at both the first UE 102 and the AUSF 106a. The AUSF 106a distributes the generated KAKMA to AKMA anchor function (AAnF) 106b. Step 2 may be performed as defined in TS 33.535.
In step 3, the first UE 102 sends a request to the first server 106 which is the exposure server or NP through the edge discovery service of the edge discovery server 114 requesting to join the first cluster 104. The first UE 102 may have a preconfigured address for the first server 106 stored in the authentication mechanisms embedded within the first UE 102 such as the e(UICC).
In an example, the first server 106 is either shared by multiple MNOs 112 or specified for each MNO 112.
In some examples, the authentication information required for the bootstrap authentication process for the first UE 102 may be made available by other device management systems.
In step 4, the first UE 102 receives a response regarding a cluster joining server 110 such as the unique identifier i.e., URL or IP address from the first server 106 i.e., the exposure server 106.
In step 5, the first UE 102 sends an application session establishment request to the joining server 110. In steps 6 and 7, if the joining server 110 is being managed by the MNO 112 itself, then the joining server 110 may be trusted by the network 200. Also, the joining server 110 may directly request the AKMA application key KAF from the AAnF 106b. Thereafter, the AAnF 106b generates a KAF using the KAKMA and then sends the response to the joining server 110.
In steps 8 to 12, if the joining server 110 is being managed by an external entity such as the owner of the first UE 102, then the joining server 110 is not trusted by the network 200. Also, the joining server 110 may request the AKMA application key KAF from the AAnF 106b through network exposure function (NEF) 103. Thereafter, the AAnF 106b generates a KAF using the KAKMA and sends a response to the joining server 110 through NEF 103. Steps 6 to 12 may be performed as defined in section 6.2 and 6.3 of TS 33.535.
In steps 13 and 14, the joining server 110 requests to create a bootstrap or joining token and saves it as a secret object through the cluster API server 108.
In step 15, the joining server 110 sends an application session establishment response to the first UE 102 after getting a KAF and creating a token secret using the KAF or an error in case of any failure. In the same message, the joining server 110 may also include necessary information such as cluster certificate authority (CA) hash, cluster API server URL, etc. At this stage, both the first UE 102 and joining server 110 may have a shared key KAF or a key derived from KAF.
In step 16, the first UE 102 uses the AKMA application key KAF to derive a bootstrap token or joining token and uses the bootstrap token or joining token to authenticate itself with the cluster API server 108.
In steps 17 and 18, the first UE 102 may establish a secure TLS session with the cluster API server 108 using any shared key-based mutual authentication. Steps 17 and 18 may be performed as defined in Annex B 1.2 and B 1.3 of TS 33.535.
In step 19, post bootstrapping authentication to the cluster API server 108, the first UE 102 may have limited credentials to create and retrieve a certificate signing request (CSR).
In step 20, the cluster API server 108 signs and issues the certificate to the first UE 102.
In step 21, the first UE 102 may start normal operation in the cluster 104 using the issued certificate. Further, the first UE 102 may want to switch to another cluster, for example when the device owner of the first UE 102 changes subscription of the edge or cloud platform and creates a new cluster; in such cases the first UE 102 may need to be migrated to the new cluster.
Fig. 9 discloses a sequence diagram illustrating the first UE 102 re-joining a cluster according to some examples. As disclosed in Fig. 9, the first UE 102 may be triggered to switch a cluster either by the first UE 102 itself, or device management system of the first UE 102, or the edge discovery service of the edge discovery server 114. The steps for the first UE 102 to perform the switching or re-joining of the cluster are as given below.
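The key chain of steps 1 to 16 (KAUSF to KAKMA to KAF to joining token), together with the token expiry of claim 5 and the identifier binding of claim 4, as an added example that is not code from the application. The FC values 0x80 and 0x82 and the "AKMA" label are assumed from the KDF inputs in TS 33.535 Annex A; the token derivation, the `id.secret` token format, the `ClusterApiServer` class and all sample values (key, SUPI, AF identifier, URL, timestamps) are hypothetical and constructed for illustration.

```python
import hashlib
import hmac


def kdf_3gpp(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each Li is a 2-byte big-endian length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kakma(kausf: bytes, supi: str) -> bytes:
    # Step 2: computed independently by the UE and by the AUSF.
    # FC 0x80 and the "AKMA" label are assumed from TS 33.535 Annex A.
    return kdf_3gpp(kausf, 0x80, b"AKMA", supi.encode())


def derive_kaf(kakma: bytes, af_id: str) -> bytes:
    # Steps 6-12: computed by the AAnF for the joining server, and by the UE.
    # FC 0x82 is assumed from TS 33.535 Annex A.
    return kdf_3gpp(kakma, 0x82, af_id.encode())


def derive_join_token(kaf: bytes, ue_id: str, api_url: str) -> str:
    # Steps 13-16. Hypothetical derivation: the application only says the token
    # is derived from KAF. Binding the UE identifier and the API server URL
    # makes a token useless for another device or another cluster.
    msg = b"cluster-join-token\x00" + ue_id.encode() + b"\x00" + api_url.encode()
    mac = hmac.new(kaf, msg, hashlib.sha256).hexdigest()
    return f"{mac[:6]}.{mac[6:38]}"  # public token id . 128-bit secret


class ClusterApiServer:
    """Hypothetical stand-in for the secret store of the cluster API server 108."""

    def __init__(self) -> None:
        self._secrets = {}  # token id -> (sha256(secret), bound UE id, expiry)

    def create_token_secret(self, token: str, ue_id: str, expires_at: int) -> None:
        token_id, _, secret = token.partition(".")
        digest = hashlib.sha256(secret.encode()).digest()
        self._secrets[token_id] = (digest, ue_id, expires_at)

    def check_join_token(self, token: str, ue_id: str, now: int) -> str:
        token_id, _, secret = token.partition(".")
        entry = self._secrets.get(token_id)
        if entry is None:
            return "unknown-token"
        digest, bound_ue, expires_at = entry
        if now >= expires_at:  # claim 5: reject after the expiration time
            return "expired"
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(digest, presented):  # constant-time compare
            return "bad-secret"
        if not hmac.compare_digest(bound_ue.encode(), ue_id.encode()):
            return "identifier-mismatch"  # claim 4: token is tied to the UE identifier
        return "ok"


def run_join_flow() -> dict:
    # Constructed sample values, not taken from the application.
    kausf = bytes(range(32))
    supi = "imsi-001010000000001"
    af_id = "join.cluster.example"
    api_url = "https://api.cluster.example:6443"
    issued_at, lifetime = 1000, 600

    # Network side: AUSF/AAnF derive KAF, the joining server stores the token.
    kaf_net = derive_kaf(derive_kakma(kausf, supi), af_id)
    net_token = derive_join_token(kaf_net, supi, api_url)
    api = ClusterApiServer()
    api.create_token_secret(net_token, supi, issued_at + lifetime)

    # UE side: the same chain, computed locally; no key or token crosses the air.
    kaf_ue = derive_kaf(derive_kakma(kausf, supi), af_id)
    ue_token = derive_join_token(kaf_ue, supi, api_url)

    # A device holding a different root key derives a different token.
    other_kaf = derive_kaf(derive_kakma(bytes(32), supi), af_id)
    other_token = derive_join_token(other_kaf, supi, api_url)

    return {
        "tokens_match": ue_token == net_token,
        "in_time": api.check_join_token(ue_token, supi, issued_at + 30),
        "after_expiry": api.check_join_token(ue_token, supi, issued_at + lifetime),
        "other_identifier": api.check_join_token(
            ue_token, "imsi-001010000000002", issued_at + 30),
        "wrong_root_key": api.check_join_token(other_token, supi, issued_at + 30),
    }


if __name__ == "__main__":
    for name, outcome in run_join_flow().items():
        print(f"{name}: {outcome}")
```

Storing only a hash of the token secret means a read of the secret object does not by itself yield a usable token.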
In steps 1 and 2, the UE 102 may be triggered on-site, such as by pressing reset on the first UE 102. Then, the UE may send the request to the edge discovery server 114 to join a cluster 104.
In steps 4 to 5, the first UE 102 may be triggered by a remote management procedure, such as when the first UE 102 changes ownership or is forced to switch to another cluster by the owner or administrator of the first UE 102.
In some examples, the first UE 102 may be triggered by any device management framework such as Lightweight Machine-to-Machine (LwM2M) protocol for device management and communication.
In some examples, the first UE 102 may be triggered by interface 3rd generation partnership project (3GPP) security assurance level (SEAL) group management.
In step 9, the edge discovery server 114 may obtain metrics such as signal strength from the first server 106 i.e., exposure server or the NP.
In step 10, the edge discovery server 114 decides if a cluster switch may be triggered based on the requirements and current metrics or key performance indicators (KPIs).
In steps 11 to 13, the first UE 102 may be triggered to switch to a new pre-identified cluster by the edge discovery service of the edge discovery server 114.
In some examples, the first UE 102 may be triggered to switch cluster by configured policies such as gaining better signal coverage (e.g., mobility management node (MME) in 4G, or access and mobility management function (AMF) in 5G for cell handover), or fulfilment or service level objectives to get computation offloading or resource sharing, or privacy or compliance or regulatory reasons.
In some examples, the configured policies may be of edge discovery server 114, or the first UE 102, or the cluster 104, or the device management system of the first UE 102.
In some examples, when the owner of the first UE 102 needs to switch to another MNO, the switch may be provided by installing a new UICC or downloading the new MNO's profile into the eUICC of the first UE 102.
In some examples, the first server 106 i.e., the exposure server may aggregate different cloud service providers (CSPs) and MNOs, so that the first server 106 can reach the right MNO and its NEF when a new request to join a new cluster is received.
Fig. 10 illustrates an example computing environment 1000 implementing the UE 102, as described in Fig. 4, and method as described in Figs. 5 and 7. As depicted in Fig. 10, the computing environment 1000 comprises at least one data processing module 1006 that is equipped with a control module 1002 and an Arithmetic Logic Unit (ALU) 1004, a plurality of networking devices 1008 and a plurality of input/output (I/O) devices 1010, a memory 1012, and a storage 1014. The data processing module 1006 may be responsible for implementing the method described in Figs. 5 and 7. For example, the data processing module 1006 may in some embodiments be equivalent to the CPU/processor of the computing device described above in conjunction with the Fig. 4. The data processing module 1006 is capable of executing software instructions stored in memory 1012. The data processing module 1006 receives commands from the control module 1002 in order to perform its processing. Further, any logical and arithmetic operations involved in the execution of the instructions are computed with the help of the ALU 1004.
The computer program is loadable into the data processing module 1006, which may, for example, be comprised in an electronic apparatus (such as a user equipment). When loaded into the data processing module 1006, the computer program may be stored in the memory 1012 associated with or comprised in the data processing module 1006. According to some embodiments, the computer program may, when loaded into and run by the data processing module 1006, cause execution of method steps according to, for example, any of the method illustrated in Figs. 5 and 7 or otherwise described herein.
The overall computing environment 1000 may be composed of multiple homogeneous and/or heterogeneous cores, multiple CPUs of different kinds, special media and other accelerators. Further, the plurality of data processing modules 1006 may be located on a single chip or over multiple chips.
The algorithm, comprising the instructions and code required for the implementation, is stored in either the memory 1012 or the storage 1014 or both. At the time of execution, the instructions may be fetched from the corresponding memory 1012 and/or storage 1014, and executed by the data processing module 1006.
In case of any hardware implementations, various networking devices 1008 or external I/O devices 1010 may be connected to the computing environment to support the implementation through the networking devices 1008 and the I/O devices 1010.
The embodiments disclosed herein can be implemented through at least one software program running on at least one hardware device and performing network management functions to control the elements. The elements shown in Fig. 10 include blocks which can be at least one of a hardware device, or a combination of hardware device and software module.

Claims

We claim:
1. A network (200) for initiating communication between a first User Equipment, UE, (102) and a first cluster (104) from a plurality of clusters (104), the network (200) comprising: one or more servers (106) arranged for communication with one or more UEs (102); wherein the first cluster (104) comprises a cluster API server (108) arranged to authenticate the first UE (102) to provide access to the first cluster (104), wherein a first server (106) of the one or more servers (106) comprises a joining server (110) arranged to: receive a session establishment request to join the first cluster (104) from said first UE (102) to provide an access to one or more resources of the first cluster (104) to the first UE (102); request an authentication key from a Mobile Network Operator, MNO (112), serving the first UE (102); create a joining token in the cluster API server (108) by using the authentication key from the MNO (112), wherein the joining token is of use to allow the first UE (102) to join the first cluster (104); send a response to the first UE (102) for the session establishment request to notify the first UE (102) regarding the creation of the joining token, wherein the response comprises information about at least one unique identifier for the cluster API server (108); wherein the first UE (102) comprises: a controlling circuitry configured to: create the joining token by using the authentication key, after a response is received from the joining server (110), wherein the authentication key is received from the MNO (112); mutually authenticate the first UE (102) and the cluster API server (108) by using the joining token; and initiate the communication session with the cluster API server (108), wherein the initiation of the communication session provides an access to one or more resources of the first cluster (104).
2. The network (200) according to claim 1, wherein the first UE (102) is admitted to the network (200) after the authentication, and wherein the connection of the first UE (102) is secured within the network (200) through one or more session keys provided to the first UE (102) by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE (102) is derived through the one or more session keys.
3. The network (200) according to any of the claims 1-2, wherein the session establishment request for joining the first cluster (104) is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server (114).
4. The network (200) according to any of the preceding claims, wherein the joining server (110) is arranged to: create the joining token through the authentication key along with one or more identifiers of the first UE (102); and share the joining token along with the one or more identifiers with the cluster API server (108), wherein the joining token along with the one or more identifiers are authenticated by the cluster API server (108).
5. The network (200) according to any of the preceding claims, wherein the joining token is created in the cluster API server (108) and is associated with an expiration time, wherein the request for joining the first cluster (104) is rejected by the cluster API server (108) after an expiry of the expiration time.
6. The network (200) according to any of the preceding claims, wherein the joining server (110) is arranged to: obtain the authentication key from the MNO (112), serving the first UE (102) when the joining server (110) is managed by the MNO (112), wherein the authentication key is derived from an AKMA key.
7. The network (200) according to any of the preceding claims, wherein the joining server (110) is arranged to: request for authentication from a key anchor function through a Network Exposure Function when the joining server (110) is not managed by the MNO (112).
8. A first User Equipment (102) for joining a first cluster (104) from a plurality of clusters (104) deployed in a network (200), wherein the communication network architecture (200) comprises a plurality of servers (106) each in communication with the first UE (102) and with at least one of the plurality of clusters (104), the first UE (102) comprises a controlling circuitry (406) configured to: authenticate with the MNO (112); receive an authentication key to join the first cluster (104) from the MNO (112), wherein the joining the first cluster provides an access to one or more resources of the first cluster (104) to the first UE (102); transmit, to a joining server (110) of a first server (106) among the plurality of servers (106), a session establishment request for joining the first cluster (104); receive, from the joining server (106), a response for the session establishment request notifying a creation of the joining token through the joining server (110) in the cluster API server (108), wherein the joining token is created by using the authentication key received by the joining server (110) from the MNO (112), wherein the response comprises information about at least one unique identifier for a cluster API server (108) implemented in the first cluster (104); mutually authenticate the first UE (102) and the cluster API server (108) by using the joining token; and initiate the communication session with the cluster API server (108), wherein the initiation of the communication session provides an access to one or more resources of the first cluster (104).
9. The first UE (102) according to claim 8, wherein the first UE (102) is admitted to the network (200) after the authentication, and wherein the connection of the first UE (102) is secured within the network (200) through one or more session keys provided to the first UE (102) by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE (102) is derived through the one or more session keys.
10. The first UE (102) according to any of the claims 8-9, wherein the session establishment request for joining the first cluster (104) is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server (114).
11. The first UE (102) according to claim 8, wherein the authentication key is of use for creating a joining token to be shared with the cluster API server (108) in the first cluster (104) for authenticating the first UE (102) for joining the first cluster (104).
12. The first UE (102) according to any of the claims 8 or 11, wherein the authentication key is used along with one or more identifiers of the first UE (102) for creating the joining token, wherein the joining token is authenticated along with the one or more identifiers through the cluster API server (108).
13. The first UE (102) according to any of the claims 8 or 11-12, wherein the authentication key is derived from an AKMA key and is obtained by the joining server (110) from a mobile network operator, MNO (112), serving the first UE (102) when the joining server (110) is managed by the MNO (112).
14. A method (500) implemented in a first User Equipment, UE, (102) for joining a first cluster (104) from a plurality of clusters (104) deployed in a network (200), wherein the network (200) comprises a plurality of servers (106) each in communication with one or more UE (102) and with at least one of the plurality of clusters (104), the method (500) comprising: authenticate with the MNO (112); receive an authentication key to join the first cluster (104) from the MNO (112), wherein the joining the first cluster provides an access to one or more resources of the first cluster (104) to the first UE (102); transmit, to a joining server (110) of a first server (106) among the plurality of servers (106), a session establishment request for joining the first cluster (104); receive, from the joining server (106), a response for the session establishment request notifying a creation of the joining token through the joining server (110) in the cluster API server (108), wherein the joining token is created by using the authentication key received by the joining server (110) from the MNO (112), wherein the response comprises information about at least one unique identifier for a cluster API server (108) implemented in the first cluster (104); mutually authenticate the first UE (102) and the cluster API server (108) by using the joining token; and initiate the communication session with the cluster API server (108), wherein the initiation of the communication session provides an access to one or more resources of the first cluster (104).
15. The method (500) according to claim 14, wherein the first UE (102) is admitted to the network (200) after the authentication, and wherein the connection of the first UE (102) is secured within the network (200) through one or more session keys provided to the first UE (102) by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE (102) is derived through the one or more session keys.
16. The method (500) according to any of the claims 14-15, wherein the request for joining the first cluster (104) is sent through an edge discovery service, wherein the edge discovery service identifies the edge discovery server (114).
17. The method (500) according to any of the claims 14-16, wherein the authentication key is of use for creating a joining token to be shared with the cluster API server (108) in the first cluster (104) for authenticating the first UE (102) for joining the first cluster (104).
18. The method (500) according to any of the claims 14 or 15, wherein the authentication key is used along with one or more identifiers of the first UE (102) for creating the joining token, wherein the joining token is authenticated along with the one or more identifiers through the cluster API server (108).
19. The method (500) according to any of the claims 14 or 17-18, wherein the authentication key is derived from an AKMA key and is obtained by the joining server (110) from a mobile network operator, MNO (112), serving the first UE (102) when the joining server (110) is managed by the MNO (112).
20. A network (200) for initiating communication between a first User Equipment, UE, (102) and a first cluster (104) from a plurality of clusters (104), the network (200) comprising: one or more servers (106) arranged for communication with the first UE (102) of one or more UEs (102); wherein the first cluster (104) comprises a cluster API server (108) arranged to authenticate the first UE (102) to provide access to the first cluster (104), wherein the first cluster (104) comprises a joining server (110) arranged to: receive a session establishment request from the first UE (102); obtain an authentication key from the MNO (112) in response to the session establishment request, wherein the authentication key is of use for mutual authentication of the first UE (102) and the cluster API server (108); send a response to the first UE (102) for the session establishment request, wherein the response comprises information about at least one unique identifier for the cluster API server (108); wherein the first UE (102) from the one or more UEs (102) comprises: a controlling circuitry (406) configured to: mutually authenticate the first UE (102) along with the cluster API server (108) by using the authentication key obtained from the MNO (112); and initiate the communication session with the cluster API server (108), wherein the initiation of the communication session provides an access to one or more resources of the first cluster (104).
21. The network (200) according to claim 20, wherein the first UE (102) is admitted to the network (200) after the authentication, and wherein the connection of the first UE (102) is secured within the network (200) through one or more session keys provided to the first UE (102) by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE (102) is derived through the one or more session key.
22. The network (200) according to claims 20-21, wherein the plurality of servers (106) comprising: an authentication server function (106a) arranged for: receiving the authentication key from the MNO (112); and transmitting the authentication key to the joining server (110).
23. The network (200) according to any of the claims 20-22, wherein the first UE (102) is arranged to send the session establishment request for joining the first cluster (104) through an edge discovery service.
24. The network (200) according to any of the claims 20-23, wherein the authentication key is derived from an AKMA key.
25. A first User Equipment (102) for joining a first cluster (104) from a plurality of clusters (104) deployed in a network (200), wherein the network (200) comprises a plurality of servers (106) each in communication with the first UE (102) and with at least one of the plurality of clusters (104), the first UE (102) comprises a controlling circuitry (406) configured to cause: authenticate with the MNO (112); receive an authentication key to join the first cluster (104) from the MNO (112), wherein the joining the first cluster (104) provides an access to one or more resources of the first cluster (104) to the first UE (102); transmit, to a joining server (110) in the first cluster (104), a session establishment request for joining the first cluster (104); receive, from the joining server (110), a response for the session establishment request comprising information about at least one unique identifier for a cluster API server (108) implemented in the first cluster (104); mutually authenticate the first UE (102) along with the cluster API server (108) by using the authentication key; and initiate the communication session with the cluster API server (108), wherein the initiation of the communication session provides an access to one or more resources of the first cluster (104).
26. The first UE according to claim 25, wherein the first UE (102) is admitted to the network (200) after the authentication, and wherein the connection of the first UE (102) is secured within the network (200) through one or more session keys provided to the first UE (102) by at least one network function, NF hosted as one of an internal network function or an external network function wherein the authentication for the first UE (102) is derived through the one or more session key.
27. The first UE according to any of the claims 25-26, wherein the at least one unique identifier is a URL or an IP address of the cluster API server (108).
28. The first UE according to any of the claims 25-27, wherein the session establishment request for joining the first cluster (104) is sent through an edge discovery service.
29. The first UE according to any of the claims 25-29, wherein the authentication key is derived from an AKMA key.
30. A method (700) implemented in a first User Equipment, UE, (102) for joining a first cluster (104) from a plurality of clusters (104) deployed in a network (200), wherein the network (200) comprises a plurality of servers (106) each in communication with one or more UE (102) and with at least one of the plurality of clusters (104), the method (700) comprising: authenticate with the MNO (112); receive an authentication key to join the first cluster (104) from the MNO (112), wherein the joining the first cluster (104) provides an access to one or more resources of the first cluster (104) to the first UE (102); transmit, to a joining server (110) in the first cluster (104), a session establishment request for joining the first cluster (104); receive, from the joining server (110), a response for the session establishment request comprising information about at least one unique identifier for a cluster API server (108) implemented in the first cluster (104); mutually authenticate the first UE (102) along with the cluster API server (108) by using the authentication key; and initiation of the communication session with the cluster API server (108), wherein the initiation of the communication session provides an access to one or more resources of the first cluster (104).
31. The method (700) according to claim 30, wherein the first UE (102) is network authenticated having a first authentication key obtained from the network (200), wherein the first authentication key enables the first UE (102) to send the session establishment request for joining the first cluster (104).
32. The method (700) according to claims 30-31, wherein the at least one unique identifier is a URL or an IP address of the cluster API server (108).
33. The method (700) according to claims 30-32, wherein the authentication key is derived from an AKMA key.
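The mutual authentication step of claim 30, sketched as an added illustration that is not part of the patent text: both sides prove possession of the authentication key with an HMAC challenge-response bound to the cluster API server identifier returned by the joining server. The key derivation label, the message layout, the names `derive_cluster_key`, `proof`, `ClusterApiServer` and `join_cluster`, and the premise that the cluster API server already holds the same key are assumptions.

```python
import hashlib
import hmac
import secrets

def derive_cluster_key(akma_key: bytes, cluster_id: str) -> bytes:
    # Assumed derivation: the claims only say the key is "derived from an AKMA key".
    return hmac.new(akma_key, b"cluster-join:" + cluster_id.encode(), hashlib.sha256).digest()

def proof(key: bytes, role: bytes, ue_nonce: bytes, srv_nonce: bytes, endpoint: str) -> bytes:
    # Length-prefix every field so the MAC input is unambiguous. Binding the role
    # stops reflection; binding the endpoint ties the proof to one API server.
    parts = [role, ue_nonce, srv_nonce, endpoint.encode()]
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class ClusterApiServer:
    def __init__(self, key: bytes, endpoint: str):
        self.key, self.endpoint = key, endpoint
        self.pending = None  # (ue_nonce, srv_nonce) of the handshake in progress

    def challenge(self, ue_nonce: bytes):
        srv_nonce = secrets.token_bytes(16)
        self.pending = (ue_nonce, srv_nonce)
        return srv_nonce, proof(self.key, b"API", ue_nonce, srv_nonce, self.endpoint)

    def verify_ue(self, ue_proof: bytes) -> bool:
        if self.pending is None:
            return False
        ue_nonce, srv_nonce = self.pending
        self.pending = None  # single use: a captured proof cannot be replayed
        expected = proof(self.key, b"UE", ue_nonce, srv_nonce, self.endpoint)
        return hmac.compare_digest(expected, ue_proof)

def join_cluster(ue_key: bytes, join_response: dict, api_server: ClusterApiServer) -> bool:
    endpoint = join_response["api_server"]  # identifier returned by the joining server
    ue_nonce = secrets.token_bytes(16)
    srv_nonce, srv_proof = api_server.challenge(ue_nonce)
    expected = proof(ue_key, b"API", ue_nonce, srv_nonce, endpoint)
    if not hmac.compare_digest(expected, srv_proof):
        return False  # server lacks the key, or the identifier was altered in transit
    return api_server.verify_ue(proof(ue_key, b"UE", ue_nonce, srv_nonce, endpoint))
```

Because the identifier is inside the MAC input, a UE that was handed a different URL or IP address than the one the server is configured with fails the handshake instead of silently authenticating to the wrong endpoint.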
PCT/SE2024/050049 2024-01-22 2024-01-22 Network, ue and method for ue for joining a cluster in a communication network Pending WO2025159662A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/SE2024/050049 WO2025159662A1 (en) 2024-01-22 2024-01-22 Network, ue and method for ue for joining a cluster in a communication network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/SE2024/050049 WO2025159662A1 (en) 2024-01-22 2024-01-22 Network, ue and method for ue for joining a cluster in a communication network

Publications (1)

Publication Number Publication Date
WO2025159662A1 true WO2025159662A1 (en) 2025-07-31

Family

ID=96545400

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SE2024/050049 Pending WO2025159662A1 (en) 2024-01-22 2024-01-22 Network, ue and method for ue for joining a cluster in a communication network

Country Status (1)

Country Link
WO (1) WO2025159662A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2021167417A1 (en) * 2020-02-20 2021-08-26 Samsung Electronics Co., Ltd. Methods and systems for authenticating devices using 3gpp network access credentials for providing mec services
US20220116774A1 (en) * 2020-10-08 2022-04-14 Samsung Electronics Co., Ltd. Methods and systems for authentication and establishment of secure connection for edge computing services
US20220150696A1 (en) * 2020-10-12 2022-05-12 Samsung Electronics Co., Ltd. Method and apparatus for establishing secure connections for edge computing services
WO2022175329A1 (en) * 2021-02-22 2022-08-25 Telefonaktiebolaget Lm Ericsson (Publ) Authentication and authorization of servers and clients in edge computing
US20230156004A1 (en) * 2021-11-15 2023-05-18 Red Hat, Inc. Scalable and secure edge cluster registration

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24920549

Country of ref document: EP

Kind code of ref document: A1