CN116114002A - Informing the network of the result of authentication and authorization of the terminal device - Google Patents

Info

Publication number
CN116114002A
Authority
CN (China)
Prior art keywords
notification, authorization, authentication, result, network
Legal status
Pending
Application number
CN202080104526.8A
Other languages
Chinese (zh)
Inventors
R·利布哈特
P·莱斯
元盛焕
沈洋
A·杰里肖
Current Assignee
Nokia Shanghai Bell Co Ltd
Nokia Solutions and Networks Oy
Original Assignee
Nokia Shanghai Bell Co Ltd
Nokia Solutions and Networks Oy
Application filed by Nokia Shanghai Bell Co Ltd and Nokia Solutions and Networks Oy
Publication of CN116114002A

Classifications

    • G PHYSICS > G08 SIGNALLING > G08G TRAFFIC CONTROL SYSTEMS > G08G 5/00 Traffic control systems for aircraft, e.g. air-traffic control [ATC] > G08G 5/0004 Transmission of traffic-related information to or from an aircraft > G08G 5/0013 Transmission of traffic-related information to or from an aircraft with a ground station
    • G PHYSICS > G08 SIGNALLING > G08G TRAFFIC CONTROL SYSTEMS > G08G 5/00 Traffic control systems for aircraft, e.g. air-traffic control [ATC] > G08G 5/0017 Arrangements for implementing traffic-related aircraft activities, e.g. arrangements for generating, displaying, acquiring or managing traffic information > G08G 5/0026 Arrangements for implementing traffic-related aircraft activities, e.g. arrangements for generating, displaying, acquiring or managing traffic information, located on the ground
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/60 Context-dependent security > H04W 12/69 Identity-dependent > H04W 12/72 Subscriber identity
    • B PERFORMING OPERATIONS; TRANSPORTING > B64 AIRCRAFT; AVIATION; COSMONAUTICS > B64U UNMANNED AERIAL VEHICLES [UAV]; EQUIPMENT THEREFOR > B64U 2201/00 UAVs characterised by their flight controls
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L 9/00 > H04L 2209/80 Wireless
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

Embodiments of the present disclosure relate to informing a device of the outcome of authentication and authorization of another device. The first device receives a notification from the second device. The notification indicates a result related to authentication and authorization of the second device and the third device. The first device also updates a policy for communication between the third device and the data network or the fourth device based on the result of the authentication and authorization.

Description

Informing the network of the result of authentication and authorization of the terminal device
Technical Field
Embodiments of the present disclosure relate generally to the field of telecommunications, and more particularly, relate to a method, apparatus, device, and computer readable medium for informing a network of the outcome of authentication and authorization of a terminal device.
Background
The third generation partnership project (3GPP) is working on enhancing the control of terminal devices, in particular the control of Unmanned Aerial Vehicles (UAVs). Enhancements may include identification, authentication, authorization, and tracking of the terminal device. Such control should satisfy the following requirements: tracking of terminal devices, e.g., the capability to report to UAV domains; allowing one terminal device to announce itself or send data to other terminal devices in a certain area through a 3GPP network; and allowing authentication and authorization with the aid of Unmanned Air System (UAS) traffic management (UTM) or UAS service providers (USSs) that are part of UTM.
One major problem is the authentication and authorization of terminal devices via the 5G system (5GS). Although it has been proposed that authentication and authorization can be performed via the 5GS user plane or the 5GS control plane, it should also be studied how to inform the network of the result of the authentication and authorization of the terminal device.
Disclosure of Invention
In general, example embodiments of the present disclosure provide a scheme for informing a device of the result of authentication and authorization with respect to another device.
In a first aspect, a first device is provided. The first device includes at least one processor and at least one memory including computer program code; the at least one memory and the computer program code are configured to, with the at least one processor, cause the first device to: receive a notification from a second device, the notification indicating a result of authentication and authorization performed by the second device on a third device; and update a policy for communication between the third device and a data network based on the result of the authentication and authorization.
In a second aspect, a second device is provided. The second device includes at least one processor and at least one memory including computer program code; the at least one memory and the computer program code are configured to, with the at least one processor, cause the second device to: perform authentication and authorization of a third device; and send a notification to a first device, the notification indicating a result of the authentication and authorization.
In a third aspect, a method implemented at a first device is provided. The method comprises the following steps: receiving, at the first device, a notification from the second device, the notification indicating a result of authentication and authorization performed by the second device on the third device; and updating a policy for communication between the third device and the data network based on the result of the authentication and authorization.
In a fourth aspect, a method implemented at a second device is provided. The method comprises the following steps: performing authentication and authorization of the third device at the second device; and sending a notification to the first device, the notification indicating a result of the authentication and authorization.
In a fifth aspect, there is provided an apparatus comprising: means for receiving, at the first device, a notification from the second device, the notification indicating a result of authentication and authorization performed by the second device on the third device; and means for updating a policy for communication between the third device and the data network based on the result of the authentication and authorization.
In a sixth aspect, there is provided an apparatus comprising: means for performing authentication and authorization of the third device at the second device; and means for sending a notification to the first device, the notification indicating the result of the authentication and authorization.
In a seventh aspect, there is provided a computer readable medium comprising a computer program for causing an apparatus to perform at least the method according to the third or fourth aspect.
It should be understood that the summary is not intended to identify key or essential features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
Some example embodiments will now be described with reference to the accompanying drawings, in which:
Fig. 1 illustrates an example communication network in which embodiments of the present disclosure may be implemented;
Fig. 2 shows a signaling diagram illustrating an authentication and authorization procedure of a terminal device according to a conventional scheme;
Fig. 3 shows a signaling diagram illustrating a process for informing a device of the outcome of authentication and authorization with respect to another device, according to some example embodiments of the present disclosure;
Fig. 4 shows a signaling diagram illustrating a process for informing a device of the result of authentication and authorization with respect to another device according to other example embodiments of the present disclosure;
Fig. 5 shows a signaling diagram illustrating a process for informing a device of the result of authentication and authorization with respect to another device according to other example embodiments of the present disclosure;
Fig. 6 shows a flowchart illustrating a method for informing a device of the outcome of authentication and authorization of another device in accordance with some embodiments of the present disclosure;
Fig. 7 illustrates a flowchart of a method for informing a device of the outcome of authentication and authorization of another device in accordance with other embodiments of the present disclosure;
Fig. 8 illustrates a simplified block diagram of an apparatus suitable for implementing some other embodiments of the disclosure; and
Fig. 9 illustrates a block diagram of an example computer-readable medium, according to some example embodiments of the present disclosure.
The same or similar reference numbers will be used throughout the drawings to refer to the same or like elements.
Detailed Description
Principles of the present disclosure will now be described with reference to some example embodiments. It should be understood that these embodiments are described for illustrative purposes only and to assist those skilled in the art in understanding and practicing the present disclosure without implying any limitation on the scope of the present disclosure. The disclosure described herein may be implemented in various ways other than those described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
References in the present disclosure to "one embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Furthermore, when a particular feature, structure, or characteristic is described in connection with an exemplary embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It will be understood that, although the terms "first" and "second," etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another element. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element. As used herein, the term "and/or" includes any and all combinations of one or more of the listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises," "comprising," "includes," "including," "having," and/or "containing," when used herein, specify the presence of stated features, elements, and/or components, but do not preclude the presence or addition of one or more other features, elements, components, and/or groups thereof.
As used in this application, the term "circuit" may refer to one or more or all of the following:
(a) Hardware-only circuit implementations (e.g., implementations in analog and/or digital circuits only)
(b) A combination of hardware circuitry and software, for example (as applicable):
(i) a combination of analog and/or digital hardware circuitry and software/firmware, and
(ii) any portion of a hardware processor (including a digital signal processor) with software, software, and memory that work together to cause a device such as a mobile phone or server to perform various functions; and
(c) Hardware circuitry and/or a processor (e.g., a microprocessor or a portion of a microprocessor) that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
This definition of circuit applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term circuit also covers an implementation of merely a hardware circuit or processor (or multiple processors), or a portion of a hardware circuit or processor, and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device, or a similar integrated circuit in a server, a cellular network device, or another computing or network device.
As used herein, the term "communication network" refers to a network that conforms to any suitable communication standard, such as a fifth generation (5G) system, Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High Speed Packet Access (HSPA), Narrowband Internet of Things (NB-IoT), and so forth. Furthermore, the communication between the terminal device and the network device in the communication network may be performed according to any suitable generation of communication protocol, including, but not limited to, first generation (1G), second generation (2G), 2.5G, 2.75G, third generation (3G), fourth generation (4G), 4.5G, future fifth generation (5G) New Radio (NR) communication protocols, and/or any other protocol currently known or to be developed in the future. Embodiments of the present disclosure may be applied in various communication systems. In view of the rapid development of communications, there will of course be future types of communication technologies and systems with which the present disclosure may be implemented. The scope of the invention should not be taken as limited to only the above-described systems.
As used herein, the term "network device" refers to a node in a communication network via which a terminal device accesses the network and receives services therefrom. Depending on the terminology and technology applied, a network device may refer to a Base Station (BS) or Access Point (AP), e.g., a node B (NodeB or NB), an evolved node B (eNodeB or eNB), an NR next generation node B (gNB), a Remote Radio Unit (RRU), a Radio Head (RH), a Remote Radio Head (RRH), a relay, or a low power node such as a femto base station or pico base station. The RAN split architecture includes a gNB-CU (centralized unit, hosting RRC, SDAP, and PDCP) that controls multiple gNB-DUs (distributed units, hosting RLC, MAC, and PHY). Furthermore, the term "network device" may also refer to network functions such as an Access and Mobility Management Function (AMF), a Session Management Function (SMF), a User Plane Function (UPF), a Unified Data Management (UDM), a Policy Control Function (PCF), a Network Exposure Function (NEF), a Network Slice Selection Function (NSSF), a Network Slice Specific Authentication and Authorization Function (NSSAAF), a Network Repository Function (NRF), an Unstructured Data Storage Function (UDSF), or a Unified Data Repository (UDR).
The term "terminal device" refers to any terminal device capable of wireless communication. By way of example and not limitation, a terminal device may also be referred to as a communication device, User Equipment (UE), Unmanned Aerial Vehicle (UAV), UAV controller (UAVC), Subscriber Station (SS), portable subscriber station, Mobile Station (MS), or Access Terminal (AT). Terminal devices may include, but are not limited to, mobile phones, cellular phones, smart phones, Voice over IP (VoIP) phones, wireless local loop phones, tablet computers, wearable terminal devices, Personal Digital Assistants (PDAs), portable computers, desktop computers, image capture terminal devices such as digital cameras, gaming terminal devices, music storage and playback devices, in-vehicle wireless terminal devices, wireless endpoints, mobile stations, Laptop Embedded Equipment (LEE), Laptop Mounted Equipment (LME), USB dongles, smart devices, Customer Premises Equipment (CPE), Internet of Things (IoT) devices, watches or other wearable devices, Head Mounted Displays (HMDs), vehicles, drones, medical devices and applications (e.g., tele-surgery), industrial devices and applications (e.g., robots and/or other wireless devices operating in an industrial and/or automated processing chain environment), consumer electronic devices, devices operating on a commercial and/or industrial wireless network, etc.
Although the functionality described herein may be performed in fixed and/or wireless network nodes in various example embodiments, in other example embodiments, the functionality may be implemented in a user equipment device, such as a cellular telephone or tablet or laptop or desktop or mobile or fixed device. The user equipment device may for example be suitably equipped with the corresponding capabilities described in connection with the fixed and/or radio network nodes. The user equipment device may be a user equipment and/or a control device, such as a chipset or processor, configured to control the user equipment when installed therein. Examples of such functions include a bootstrapping server function and/or a home subscriber server, which may be implemented in a user equipment device by providing the user equipment device with software configured to cause the user equipment device to execute from the point of view of these functions/nodes.
Fig. 1 illustrates an example communication network 100 in which embodiments of the present disclosure may be implemented. The network 100 comprises a Network Slice Specific Authentication and Authorization Function (NSSAAF) 101, a Network Slice Selection Function (NSSF) 102, an authentication server function (AUSF) 103, a Unified Data Management (UDM) 104, an access and mobility management function (AMF) 105, a Session Management Function (SMF) 106, a Policy Control Function (PCF) 107, an Application Function (AF) 108, a terminal device 109, a Radio Access Network (RAN) 110, a User Plane Function (UPF) 111 and a Data Network (DN) 112.
The UDM 104 (also referred to as UDM device 104) may support the following functions: generation of 3GPP authentication credentials; user identification handling (e.g., storage and management of the SUPI for each subscriber in the 5G system); de-concealment of the privacy-protected subscription identifier (SUCI); access authorization based on subscription data (e.g., roaming restrictions); serving NF registration management for UEs (e.g., storing the serving AMF for a UE, storing the serving SMF for a UE's PDU session); support for service/session continuity (e.g., by keeping the SMF/Data Network Name (DNN) assignment of ongoing sessions); MT-SMS delivery support; lawful interception functionality (especially in the outbound roaming case, where the UDM is the sole point of contact for LI); subscription management; SMS management; 5G LAN group management handling; and support for external parameter provisioning (expected UE behavior parameters or network configuration parameters).
The AMF 105 (also referred to as AMF device 105) may include the following functionality; some or all of the AMF 105 functions may be supported in a single instance of the AMF: termination of the RAN control plane interface (N2); termination of NAS (N1), NAS ciphering and integrity protection; registration management; connection management; reachability management; mobility management; lawful interception (for AMF events and interfaces to the LI system); transport of SM messages between UE and SMF; transparent proxy for routing SM messages; access authentication; access authorization; transport of SMS messages between UE and SMSF; Security Anchor Function (SEAF); location services management for regulatory services; transport of location services messages between UE and LMF and between RAN and LMF; EPS bearer ID allocation for interworking with EPS; UE mobility event notification; support for control plane CIoT 5GS optimization; support for user plane CIoT 5GS optimization; provisioning of external parameters (expected UE behavior parameters or network configuration parameters); and support of network slice specific authentication and authorization.
The SMF 106 (also referred to as SMF device 106) may include the following functions; some or all of the functions of SMF 106 may be supported in a single instance of the SMF: session management, such as session establishment, modification and release, including maintenance of the tunnel between the UPF and the AN node; UE IP address allocation and management (including optional authorization), where the UE IP address may be received from the UPF or from an external data network; DHCPv4 (server and client) and DHCPv6 (server and client) functions; responding to Address Resolution Protocol (ARP) requests and/or IPv6 neighbor solicitation requests based on local cache information for the Ethernet PDU, the SMF responding to the ARP and/or IPv6 neighbor solicitation by providing the MAC address corresponding to the IP address sent in the request; selection and control of UP functions, including controlling the UPF to proxy ARP or IPv6 neighbor discovery, or to forward all ARP/IPv6 neighbor solicitation traffic to the SMF, for Ethernet PDU sessions; configuring traffic steering at the UPF to route traffic to the proper destination; 5G Virtual Network (VN) group management, e.g. maintaining the topology of the involved PDU Session Anchor (PSA) UPFs, establishing and releasing N19 tunnels between the PSA UPFs, and configuring traffic forwarding at the UPF to apply local switching, N6-based forwarding or N19-based forwarding; termination of the interface toward the policy control function; lawful interception (for SM events and the interface to the LI system); charging data collection and support of charging interfaces; control and coordination of charging data collection at the UPF; termination of the SM part of NAS messages; downlink data notification; initiator of AN-specific SM information, sent to the AN via the AMF over N2; determination of the SSC mode of a session; support for control plane CIoT 5GS optimization; support for header compression; acting as an I-SMF in deployments where an I-SMF can be inserted, removed and relocated; provisioning of external parameters (expected UE behavior parameters or network configuration parameters); P-CSCF discovery in support of IMS services; roaming functionality; handling of a locally enforced application QoS SLA (VPLMN); charging data collection and charging interface (VPLMN); lawful interception (in VPLMN, for SM events and the interface to the LI system); support for interaction with an external DN to transport signaling for PDU session authentication/authorization by the external DN; and instructing the UPF and NG-RAN to perform redundant transmission over the N3/N9 interface.
PCF 107 (also referred to as PCF device 107) may include the following functionality: supporting a unified policy framework to govern network behavior; providing policy rules to the control plane functions that enforce them; and accessing subscription information relevant to policy decisions in the Unified Data Repository (UDR).
The AF 108 may support interactions with the 3GPP core network to provide services, such as influencing data routing decisions, policy control functions, or providing third party services to the network.
The UPF 111 (also referred to as UPF device 111) can include the following functionality; some or all of the functionality of the UPF 111 can be supported in a single instance of the UPF: anchor point for intra-/inter-RAT mobility (when applicable); allocating UE IP addresses/prefixes (if supported) in response to an SMF request; external PDU session point of interconnect to the data network; packet routing and forwarding (e.g., support of an uplink classifier to route traffic flows to an instance of a data network, support of branching points to support multi-homed PDU sessions, support of traffic forwarding within a 5G VN group (UPF local switching, via N6, via N19)); packet inspection (e.g., application detection based on service data flow templates and the optional PFDs received from the SMF in addition); user plane part of policy rule enforcement, e.g., gating, redirection, traffic steering; lawful interception (UP collection); traffic usage reporting; QoS handling for the user plane, e.g., UL/DL rate enforcement, reflective QoS marking in DL; uplink traffic verification (SDF to QoS flow mapping); transport-level packet marking in the uplink and downlink; downlink packet buffering and downlink data notification triggering; sending and forwarding of one or more "end markers" to the source NG-RAN node; responding to Address Resolution Protocol (ARP) requests and/or IPv6 neighbor solicitation requests based on local cache information for the Ethernet PDU, the UPF 111 responding to the ARP and/or IPv6 neighbor solicitation by providing the MAC address corresponding to the IP address sent in the request; packet duplication in the downlink direction and elimination in the uplink direction in the GTP-U layer; network-side TSN translator (NW-TT) functionality; high latency communication; and ATSSS steering functionality to steer the traffic of an MA PDU session.
In addition, the UPF 111 may be responsible for forwarding and receiving user data for the terminal device 109. UPF 111 may receive user data from DN 112 and send it to terminal device 109 via RAN 110. UPF 111 may also receive user data from terminal device 109 via RAN 110 and forward it to DN 112. The transmission resources and scheduling functions in the UPF 111 serving the terminal device 109 are managed and controlled by the SMF 106.
It should be understood that the number of network elements and terminal devices in network 100 is for illustration purposes only and does not imply any limitation. Network 100 may include any suitable number of network elements and terminal devices suitable for implementing embodiments of the present disclosure.
Communication in communication network 100 may be implemented in accordance with any suitable communication protocol including, but not limited to, first generation (1G), second generation (2G), third generation (3G), fourth generation (4G), fifth generation (5G), etc. cellular communication protocols, wireless local area network communication protocols such as Institute of Electrical and Electronics Engineers (IEEE) 802.11, etc., and/or any other protocol currently known or developed in the future. Further, the communication may utilize any suitable wireless communication technology including, but not limited to: Code Division Multiple Access (CDMA), Frequency Division Multiple Access (FDMA), Time Division Multiple Access (TDMA), Frequency Division Duplex (FDD), Time Division Duplex (TDD), Multiple Input Multiple Output (MIMO), Orthogonal Frequency Division Multiplexing (OFDM), Discrete Fourier Transform spread OFDM (DFT-s-OFDM), and/or any other technique currently known or developed in the future.
As mentioned above, one major problem is the authentication and authorization of the terminal device via the 5GS. Fig. 2 shows a signaling diagram of a procedure 200 for authentication and authorization of a terminal device 109 according to a conventional scheme. In process 200, authentication and authorization is performed via the 5GS user plane, and terminal device 109 may be a UAV or a UAVC.
The terminal device 109 performs registration with the network (201). Terminal device 109 requests (202) a PDU session establishment, or PCF 107 provides UPF 111 with PCC rules for terminal device 109 via SMF 106.
An application on the terminal device 109 is started (203). The terminal device 109 sends (204-1) an authentication and authorization request to the user-facing UASAF 113. Accordingly, UASAF 113 receives (204-2) the request. The UASAF 113 requests (205) subscription information specific to the terminal device 109 from the UDM 104 and/or PCF/BSF 107.
The UASAF 113 checks whether the terminal device 109 has a valid aerial subscription based on the subscription information received from the UDM 104. If the check is successful, the UASAF 113 determines the UTM/USS 114 serving the terminal device 109 based on the subscription information and triggers (206-1) an authentication and authorization (also referred to as A&A) request to the UTM/USS 114. Accordingly, UTM/USS 114 receives (206-2) the request. The request may contain an indication of the mobile operator used and a 3GPP identity of the terminal device 109. If the check is unsuccessful, a response rejecting the request is sent to the terminal device 109.
UTM/USS 114 checks (207) the request for operation of terminal device 109 received from UASAF 113, using the combined information from the terminal device 109 and from the mobile network operator serving terminal device 109.
If the result of this check (that the terminal device 109 has a valid aerial subscription) is successful, UTM/USS 114 sends (208-1) an accept response to UASAF 113. Accordingly, UASAF 113 receives (208-2) the accept response. The response may include information specific to the application on the terminal device 109. For example, the information may include a token to be included, for authentication purposes, in subsequent interactions at the application level. If the check is unsuccessful, a response rejecting the request is sent to the UASAF.
The UASAF 113 forwards (209-1) the response from the UTM/USS 114 to the terminal device 109 as the response to the authentication and authorization request. Accordingly, the terminal device 109 receives (209-2) the response.
For example, the terminal device 109 triggers the establishment of a secure connection to the UTM/USS 114 using the token received in the response.
The operation of the terminal device 109 may be handled (211) over the secure connection between the terminal device 109 and the UTM/USS 114.
As shown in fig. 2, the terminal device 109 performs normal 5G registration, establishes a PDU connection, and then transmits an authentication and authorization request to the UASAF 113. The request is then forwarded to UTM/USS 114. The 5G core network is not directly involved in the authentication and authorization process. Accordingly, the 5G core network is unaware of the results of authentication and authorization.
However, to support UAS connectivity, identification and tracking, the network (e.g., the AMF or the gNB) should know whether the terminal device 109 is authorized in the target domain. That is, the result of authentication and authorization from the UTM/USS 114 needs to be provided to the 3GPP system that provides the connectivity.
To at least partially address the above and other potential problems, example embodiments of the present disclosure provide a scheme for informing a device (e.g., a network device) of the outcome of authentication and authorization with respect to another device (e.g., a terminal device). In this scheme, a first device receives a notification from a second device. The notification indicates a result of authentication and authorization performed by the second device on the third device. The first device in turn updates a policy for communication between the third device and the data network based on the result. This scheme allows the 5GS to set policies and control the exchange of messages between UAVs (e.g., advertisements sent from UAVs to all other UAVs in the vicinity) or between UAVCs and UAVs via the 5G network.
The principles and implementations of the present disclosure will be described in detail below with reference to fig. 3-5. Fig. 3 shows a signaling diagram illustrating a process 300 for informing a device of the outcome of authentication and authorization with respect to another device, according to some example embodiments of the present disclosure.
The second device 302 performs (310) authentication and authorization on the third device.
After authentication and authorization is completed, the second device 302 sends (320) a notification to the first device 301. Accordingly, the first device 301 receives (330) a notification from the second device 302. The notification indicates the result of the authentication and authorization.
The first device 301 updates (340) the policy for communication between the third device and the DN based on the result.
In some example embodiments, the notification includes an identification of the third device. To receive the results of the authentication and authorization, the first device 301 may send a subscription request for the results to the second device 302. The subscription request includes an identification of the third device.
In some example embodiments, the first device 301 may determine whether the result indicates success of authentication and authorization. If the result indicates the success of authentication and authorization, the first device 301 may obtain a first policy for mobility management of the third device and update the above policy for communication with the first policy. In some example embodiments, the first device 301 may locally install the first policy in order to update the policy for communication described above.
In some example embodiments, the notification further indicates an association between the third device and the fourth device. The third device is controlled by the fourth device or the fourth device is controlled by the third device. In some example embodiments, the third device comprises the terminal device 109 in fig. 1. In some example embodiments, the third device comprises a UAV and the fourth device comprises a UAVC. Alternatively, the third device comprises a UAVC and the fourth device comprises a UAV.
In some example embodiments, if the result indicates a success of the authentication and authorization, the first device 301 establishes a Packet Data Unit (PDU) session for communication between the third device and the fourth device based on the association between the third device and the fourth device.
In some example embodiments, if the result indicates a success of the authentication and authorization, the first device 301 configures the UPF device 111 to route traffic between the second device 302 and the third device based on the association between the third device and the fourth device.
In some example embodiments, if the result indicates a failure of authentication and authorization, the first device 301 terminates the PDU session for communication between the third device and the DN.
In some example embodiments, if the result indicates a failure of authentication and authorization, the first device 301 modifies the policy in the UPF device 111 to enable the third device to communicate with only the second device 302.
In some example embodiments, the first device 301 may receive the notification via a network exposure function (NEF) device, as will be described below with reference to figs. 4 and 5.
In some example embodiments, the first device 301 may receive the notification via a service capability exposure function (SCEF) device or a machine type communication interworking function (MTC-IWF) device.
In some example embodiments, the first device 301 comprises the AMF device 105. Upon receiving the notification, the first device 301 forwards the notification to at least one of the UDM device 104, the SMF device 106, or the PCF device 107, as will be described below with reference to fig. 4.
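The exchange of process 300 (subscription request carrying the third device's identification, A&A at the second device, notification of the result to the first device, and storage of the result in the third device's context), as an added simulation that is not part of the patent text. Message field names such as `identification`, `association` and `additional_data`, the authorization table and the rule that the first device accepts only notifications for devices it subscribed for are assumptions; the page does not fix an encoding for the messages.

```python
"""Added example: a simulation of process 300 (first device <-> second device)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class SubscriptionRequest:
    identification: str  # identification of the third device (e.g. UAS id, GPSI or SUPI)
    subscriber: str      # where the result is to be delivered (assumed field)


@dataclass(frozen=True)
class Notification:
    identification: str
    result: str                          # "success" or "failure"
    association: Optional[str] = None    # identification of the fourth device (UAV <-> UAVC)
    additional_data: dict = field(default_factory=dict)  # e.g. allowed altitude/speed


class SecondDevice:
    """E.g. a UTM/USS: performs A&A (310) and notifies its subscribers (320)."""

    def __init__(self, authorized: dict):
        # Constructed authorization database: third-device id -> associated controller id.
        self._authorized = authorized
        self._subscriptions: dict = {}  # identification -> set of subscriber names

    def subscribe(self, req: SubscriptionRequest) -> None:
        self._subscriptions.setdefault(req.identification, set()).add(req.subscriber)

    def authenticate_and_authorize(self, identification: str) -> list:
        """Returns (subscriber, Notification) pairs to deliver, one per subscriber."""
        ok = identification in self._authorized
        notif = Notification(
            identification=identification,
            result="success" if ok else "failure",
            association=self._authorized.get(identification),
            additional_data={"allowed_altitude_m": 120} if ok else {},
        )
        return [(sub, notif) for sub in self._subscriptions.get(identification, ())]


class FirstDevice:
    """E.g. an AMF: subscribes for the result and stores it in the UE context (330)."""

    def __init__(self, name: str):
        self.name = name
        self._pending: set = set()
        self.context: dict = {}

    def subscription_request(self, identification: str) -> SubscriptionRequest:
        self._pending.add(identification)
        return SubscriptionRequest(identification=identification, subscriber=self.name)

    def receive_notification(self, notif: Notification) -> bool:
        # Only a result that was actually subscribed for may alter a UE context;
        # an unsolicited notification is dropped and reported as not accepted.
        if notif.identification not in self._pending:
            return False
        self.context[notif.identification] = {
            "aa_result": notif.result,
            "association": notif.association,
            **notif.additional_data,
        }
        return True


def run_process_300(third_device: str) -> dict:
    """Runs steps 310-330 for one third device and returns its stored context."""
    utm = SecondDevice(authorized={"uav-1": "uavc-1"})  # constructed data
    amf = FirstDevice("amf-105")
    utm.subscribe(amf.subscription_request(third_device))
    for subscriber, notif in utm.authenticate_and_authorize(third_device):
        if subscriber == amf.name:
            amf.receive_notification(notif)
    return amf.context.get(third_device, {})


if __name__ == "__main__":
    print(run_process_300("uav-1"))
    print(run_process_300("uav-9"))
```

The stored context is what step 340 acts on; the policy update itself is deliberately left to the network function that owns it, since the page describes different actions for the AMF and the SMF.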
Fig. 4 shows a signaling diagram illustrating a process 400 for informing a device of the outcome of authentication and authorization of another device according to other example embodiments of the present disclosure. As shown in fig. 4, process 400 may involve the AMF 105 of fig. 1 implementing the first device 301 of fig. 3, the UTM/USS 114 implementing the second device 302 of fig. 3, and the terminal device 109 of fig. 1 implementing the third device. In addition, process 400 may also involve the UDM 104, SMF 106 and NEF 115 of fig. 1. For discussion purposes, the communication process 400 will be described with reference to fig. 1.
The terminal device 109 sends (401-1) a registration request message to the AMF 105. Accordingly, AMF 105 receives (401-2) the registration request.
In some example embodiments, the registration request may optionally include an indication of the type of terminal device 109. For example, where the terminal device 109 is a UAV, the message may include an indication indicating that the terminal device 109 is a UAV. In the case that the terminal device 109 is a UAVC, the message may include an indication that the terminal device 109 is a UAVC.
In some example embodiments, the indication of the type of the terminal device 109 may be provided by the terminal device 109 using, for example, NAS signaling or stored in the UDM 104.
The AMF 105 obtains (402) subscriber data from the UDM 104, and the AMF 105 performs IMEI checking. In some example embodiments, the subscriber data may include an indication of the type of the terminal device 109. In some example embodiments, the subscriber data may include an identification of the UAS to which the terminal device 109 belongs.
The AMF 105 sends (403-1) a registration accept message to the terminal device 109. The message may optionally include an indication of the type of the terminal device 109. Accordingly, the terminal device 109 receives (403-2) the registration accept message.
The AMF 105 optionally sends (404-1) a subscription request to the UTM/USS 114 and/or UAS/AF (not shown) to be notified of the results of authentication and authorization with respect to the terminal device 109. The AMF 105 may send the subscription request directly to the UTM/USS 114 and/or UAS/AF. Alternatively, AMF 105 may send a subscription request to UTM/USS 114 and/or UAS/AF via NEF 115. Accordingly, UTM/USS 114 receives (404-2) the subscription request.
In some example embodiments, the NEF 115 can support the exposure of capabilities and events. For example, NF capabilities and events may be securely exposed by the NEF 115 to, e.g., third parties, application functions or edge computing. The NEF 115 uses a standardized interface (Nudr) to the Unified Data Repository (UDR) to store and retrieve information as structured data.
The NEF 115 may support secure provisioning of information from external applications to the 3GPP network. For example, the NEF 115 provides a means for application functions to securely provide information to the 3GPP network, such as expected UE behavior, 5G LAN group information and service-specific information. In this case, the NEF 115 may authenticate and authorize the application functions and help to throttle them.
The NEF 115 may support translation of internal/external information. For example, the NEF 115 translates between information exchanged with the AF and information exchanged with internal network functions, e.g., between an AF service identifier and internal 5G core information such as DNN and S-NSSAI. In particular, the NEF 115 handles masking of network and user sensitive information from external AFs according to network policies.
The NEF 115 may receive information from other network functions (based on the exposed capabilities of those network functions). The NEF 115 may store the received information as structured data using a standardized interface to the Unified Data Repository (UDR). The stored information may be accessed and "re-exposed" by the NEF 115 to other network functions and application functions, and used for other purposes such as analytics.
The NEF 115 may also support PFD functions. The PFD function in the NEF 115 may store and retrieve PFDs in the UDR and provides the PFDs to the SMF upon request by the SMF (pull mode) or upon a PFD management request from the NEF (push mode).
The NEF 115 may also support 5G LAN group management functions. The 5G LAN group management function in the NEF may store 5G LAN group information in the UDR via the UDM.
The NEF 115 can also support the exposure of analytics. NWDAF analytics can be securely exposed to external parties by the NEF.
The NEF 115 may also support retrieval of data from external parties by the NWDAF. For analytics generation purposes, the NWDAF may collect data provided by external parties through the NEF 115. The NEF 115 processes and forwards requests and notifications between the NWDAF and the AF.
The NEF 115 may also support non-IP data delivery (NIDD). The NEF 115 provides a means for managing NIDD configuration and delivering MO/MT unstructured data by exposing the NIDD API at the N33/Nnef reference point.
In some example embodiments, the subscription request message may include an identification of the terminal device 109.
In some example embodiments, the identification of the terminal device 109 includes one of: the identification of the UAS to which the terminal device 109 belongs, the generic public subscription identifier (GPSI) of the terminal device 109, or the subscription permanent identifier (SUPI) of the terminal device 109.
The terminal device 109 requests (405) PDU session establishment from the AMF 105, SMF 106 and UPF 111. The PCF 107 provides PCC rules for the terminal device 109 to the UPF 111 via the SMF 106.
An authentication and authorization procedure (406) for the terminal device 109 is carried out between the terminal device 109 and the UAS/AF and/or the UTM/USS 114. Control of access to the UTM/USS 114 may be achieved through the use of special Data Network Names (DNNs) and/or the use of special slices or predefined policies in the UPF 111.
The UAS/AF and/or UTM/USS 114 sends (407-1) a notification to the NEF 115. The network address of the UAS/AF and/or UTM/USS 114 may be stored in the UDM 104 per UE or stored locally in the NEF 115. The network address of the NEF 115 can be preconfigured. Alternatively, the UTM/USS 114 may use other techniques (e.g., DNS resolution) to obtain the network address of the NEF 115. The notification indicates the result of authentication and authorization of the terminal device 109. Accordingly, the NEF 115 receives (407-2) the notification.
In some example embodiments, network addresses of the AMF 105, SMF 106, and PCF 107 may be stored in UDM 104. Thus, the NEF 115 may look up the UDM 104 to obtain the network addresses of the AMF 105, SMF 106 and PCF 107 and forward the notification to one or more of these network functions. In process 400, NEF 115 forwards (408-1) the notification to AMF 105. Accordingly, AMF 105 receives (408-2) the notification.
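The NEF's role at steps 407/408, combined with the translation and masking functions listed above, as an added example that is not part of the patent text. The external notification from the UTM/USS names the UE by its GPSI; the NEF translates that to the internal SUPI, looks up the addresses of the serving AMF/SMF/PCF in a stand-in for the UDM, forwards an internal copy to them, and masks the SUPI when it re-exposes the stored result to an application function. The UDM lookups, the record layout, the AF allow-list and all addresses are constructed assumptions.

```python
"""Added example: NEF translation, forwarding and re-exposure of an A&A result."""
from dataclasses import dataclass
from typing import Optional

# Constructed UDM data: GPSI -> SUPI, and SUPI -> serving network function addresses.
UDM_GPSI_TO_SUPI = {"msisdn-123456": "imsi-001010000000001"}
UDM_SERVING_NFS = {
    "imsi-001010000000001": {
        "amf": "amf-105.core.example",
        "smf": "smf-106.core.example",
        "pcf": "pcf-107.core.example",
    },
}
# Constructed allow-list of AFs the NEF has authenticated and authorized to deliver results.
AUTHORIZED_AFS = {"utm-uss-114"}


@dataclass(frozen=True)
class InternalNotification:
    """Notification as forwarded inside the 5G core (internal identifier only)."""
    supi: str
    result: str
    association: Optional[str]


class NEF:
    def __init__(self) -> None:
        self.stored: dict = {}  # stand-in for UDR storage of received results, keyed by SUPI

    def forward(self, af_id: str, external: dict) -> dict:
        """Translates an AF-facing notification and returns {nf_address: InternalNotification}.

        Returns an empty dict when the AF is not authorized or the GPSI is unknown,
        so nothing reaches the core in either case.
        """
        if af_id not in AUTHORIZED_AFS:
            return {}
        supi = UDM_GPSI_TO_SUPI.get(external.get("gpsi", ""))
        if supi is None:
            return {}
        internal = InternalNotification(
            supi=supi,
            result=external["result"],
            association=external.get("association"),
        )
        self.stored[supi] = internal
        # Process 400 forwards to the AMF, which relays to UDM and SMF; the NEF may
        # equally deliver to each serving NF whose address the UDM returns.
        return {addr: internal for addr in UDM_SERVING_NFS.get(supi, {}).values()}

    def re_expose(self, supi: str) -> Optional[dict]:
        """Re-exposes a stored result to an AF with the internal SUPI masked."""
        internal = self.stored.get(supi)
        if internal is None:
            return None
        gpsi = next(g for g, s in UDM_GPSI_TO_SUPI.items() if s == supi)
        return {"gpsi": gpsi, "result": internal.result}


def demo() -> dict:
    """Runs the authorized and the unauthorized AF case and returns both outcomes."""
    nef = NEF()
    external = {"gpsi": "msisdn-123456", "result": "success", "association": "uavc-1"}
    delivered = nef.forward("utm-uss-114", external)
    rejected = nef.forward("rogue-af", external)
    return {
        "delivered": delivered,
        "rejected": rejected,
        "re_exposed": nef.re_expose("imsi-001010000000001"),
    }


if __name__ == "__main__":
    print(demo())
```

The two early returns are where the NEF's "authenticate, authorize and throttle" role and its identifier translation meet: a notification from an AF that is not on the allow-list, or that names a GPSI the UDM cannot resolve, never produces an internal message.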
The AMF 105 forwards (409-1) the notification to the UDM 104. Accordingly, the UDM 104 receives (409-2) the notification.
AMF 105 forwards (410-1) the notification to SMF 106. Accordingly, SMF 106 receives (410-2) the notification.
In some example embodiments, the notification includes an identification of the terminal device 109.
In some example embodiments, the notification includes additional data related to the terminal device 109. In some example embodiments, the additional data may include at least one of: the allowable flight path associated with the identification of the cell serving the third device, the tracking area associated with the terminal device 109, the allowable flight altitude of the terminal device 109, the allowable flight speed of the terminal device 109, the allowable mobility behavior of the terminal device 109, or the capabilities of the terminal device 109.
In some example embodiments, the notification also indicates an association between the terminal device 109 and a fourth device controlling the terminal device 109. For example, the notification may indicate an association between the UAV 109 and its UAVC.
Upon receiving the notification, the AMF 105, SMF 106, and PCF 107 may store the result locally as part of the context of the terminal device 109. Alternatively, the AMF 105, SMF 106, and PCF 107 may store the result in an Unstructured Data Storage Function (UDSF).
Further, upon receiving the notification, the AMF 105, SMF 106, and PCF 107 may take appropriate action based on the result.
In some example embodiments, the actions may be preconfigured in the network, or the AF or UTM/USS 114 may indicate the actions to be taken to the AMF 105, SMF 106, and PCF 107 via the NEF 115, either as part of the notification or in an additional message.
In some example embodiments, if the result indicates a success of authentication and authorization, the AMF 105 may obtain a first policy for mobility management of the terminal device 109 from the PCF 107. The AMF 105 may update a policy for communication between the terminal device 109 and a fourth device controlling the terminal device 109 with the first policy. In some example embodiments, the AMF 105 (as the first device 301) may locally install the first policy in order to update the policy for the communication described above. This allows the 5GS to set policies and control the exchange of messages between UAVs (e.g., advertisements sent from a UAV to all other UAVs in the vicinity) or between UAVCs and UAVs via the 5G network.
In some example embodiments, the first policy may include a paging policy for the terminal device 109 or a fourth device controlling the terminal device 109. For example, the paging policy may define paging in only certain areas, or stepwise paging.
In some example embodiments, if the result indicates a success of authentication and authorization, the AMF 105 or SMF 106 may determine to establish or modify a PDU session for communication between the terminal device 109 and the UTM/USS 114 based on the association between the terminal device 109 and the fourth device.
In some example embodiments, if the result indicates a failure of authentication and authorization, the AMF 105 or SMF 106 may configure the UPF 111 based on the association to route traffic between the UTM/USS 114 and the terminal device 109. In this way, the routes for command and control communications can be optimized.
In some example embodiments, if the result indicates a failure of authentication and authorization, the AMF 105 may terminate the PDU session for communication between the terminal device 109 and the DN 112.
In some example embodiments, if the result indicates a failure of authentication and authorization, the SMF 106 may modify the policy in the UPF 111 so that the terminal device 109 communicates only with the UTM/USS 114 or another designated server.
In some example embodiments, if the result indicates a failure of authentication and authorization, the SMF 106 may install (411) one or more policies for the terminal device 109 in the UPF 111. For example, the SMF 106 may install the one or more policies with the aid of the PCF 107.
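The actions the AMF and SMF derive from the stored result (steps 408-411), as an added example that is not part of the patent text: on success a mobility-management (paging) policy is installed and the UPF rules permit the command-and-control path to the associated controller as well as normal data network access; on failure the UPF rules confine the UE to the UTM/USS and the PDU session towards the data network is released. The rule format, the policy field names, the `af_indication` override and the addresses are assumptions.

```python
"""Added example: deriving AMF/SMF actions from an A&A result stored in the UE context."""
from dataclasses import dataclass, field
from typing import Optional

UTM_USS_ADDR = "utm-uss-114.example"  # constructed address of the UTM/USS
DN_112 = "dn-112"                      # the data network of fig. 1 (constructed name)


@dataclass
class UeContext:
    """Result stored by the AMF/SMF as part of the UE context after step 408."""
    supi: str
    aa_result: str                      # "success" or "failure"
    association: Optional[str] = None   # identification of the controlling/controlled device
    pdu_sessions: list = field(default_factory=list)  # established PDU sessions, by DN


@dataclass
class Actions:
    mobility_policy: Optional[dict]     # installed by the AMF on success
    upf_rules: list                     # installed by the SMF in the UPF (411); first match wins
    released_sessions: list             # PDU sessions the AMF terminates on failure
    new_sessions: list                  # C2 sessions established/modified on success


def derive_actions(ctx: UeContext, af_indication: Optional[dict] = None) -> Actions:
    """Derives network actions from the A&A result.

    Actions may be preconfigured in the network or indicated by the AF/UTM/USS; here
    the optional ``af_indication`` dict may override the paging mode (assumed field).
    """
    if ctx.aa_result == "success":
        paging = (af_indication or {}).get("paging", "stepwise")
        mobility_policy = {"paging": paging, "paging_areas": ["allowed-tracking-areas"]}
        rules = [{"src": ctx.supi, "dst": UTM_USS_ADDR, "action": "permit"}]
        new_sessions = []
        if ctx.association:
            # Optimised command-and-control route between the UAV and its UAVC.
            rules.append({"src": ctx.supi, "dst": ctx.association, "action": "permit"})
            new_sessions.append(f"c2:{ctx.supi}<->{ctx.association}")
        rules.append({"src": ctx.supi, "dst": "any", "action": "permit"})
        return Actions(mobility_policy, rules, [], new_sessions)

    # Failure: confine the UE to the UTM/USS (or another designated server) and
    # release its PDU session(s) towards the data network.
    rules = [
        {"src": ctx.supi, "dst": UTM_USS_ADDR, "action": "permit"},
        {"src": ctx.supi, "dst": "any", "action": "deny"},
    ]
    return Actions(None, rules, list(ctx.pdu_sessions), [])


def permitted(rules: list, supi: str, dst: str) -> bool:
    """Evaluates the UPF rule list for one packet; the first matching rule decides."""
    for rule in rules:
        if rule["src"] == supi and rule["dst"] in (dst, "any"):
            return rule["action"] == "permit"
    return False


if __name__ == "__main__":
    ok = derive_actions(UeContext("imsi-1", "success", "uavc-1", [DN_112]))
    bad = derive_actions(UeContext("imsi-2", "failure", None, [DN_112]))
    print(ok)
    print(bad, permitted(bad.upf_rules, "imsi-2", DN_112))
```

Keeping the UTM/USS rule ahead of the deny-all rule is what lets a rejected UE still reach the server that can re-run authentication, while every other destination, including the data network whose session is being released, is blocked.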
In some example embodiments, the network address of the AF or UTM/USS 114 may be stored in the UDM 104 per UE or stored locally in the NEF 115. The network address of the NEF 115 may be obtained from the UDM 104 by looking up a Network Repository Function (NRF) or locally configured in the AMF 105, SMF 106 or PCF 107.
It should be appreciated that the communication process 400 is equally applicable to other communication scenarios. For example, the communication process 400 may be equally applicable to an evolved UMTS terrestrial radio access network (E-UTRAN) or an Evolved Packet Core (EPC). Applicability to E-UTRAN or EPC may be achieved by replacing the UDM 104 with a Home Subscriber Server (HSS), the AMF 105 or SMF 106 with a Mobility Management Entity (MME), the NEF 115 with a service capability exposure function (SCEF) and/or an MTC-IWF, the UPF 111 with a packet data network gateway (PGW), and the PCF 107 with a policy control and charging rules function (PCRF).
Fig. 5 shows a signaling diagram illustrating a process 500 for informing a device of the outcome of authentication and authorization of another device according to other example embodiments of the present disclosure. As shown in fig. 5, process 500 may involve the UDM 104 of fig. 1 implementing the first device 301 of fig. 3, the UTM/USS 114 implementing the second device 302 of fig. 3, and the terminal device 109 of fig. 1 implementing the third device. In addition, process 500 may also involve the AMF 105, SMF 106, and NEF 115 of fig. 1. For discussion purposes, the communication process 500 will be described with reference to fig. 1.
In summary, process 500 is similar to process 400. However, process 500 differs from process 400 in that, in process 500, the UTM/USS 114 sends the notification to the UDM 104 via the NEF 115. The UDM 104 forwards the notification to the AMF 105, and the AMF 105 then forwards the notification to the SMF 106. Specifically, the NEF 115 receives (407-2) a notification from the UTM/USS 114. The NEF 115 forwards (503-1) the notification to the UDM 104. Accordingly, the UDM 104 receives (503-2) the notification. The UDM 104 forwards (504-1) the notification to the AMF 105. Accordingly, the AMF 105 receives (504-2) the notification.
Process 500 also differs from process 400 in that, in process 500, the AMF 105 sends (501-1) a subscription request (including the address of the UDM 104) to the UTM/USS 114 and/or UAS/AF on behalf of the UDM 104 in order for the UDM 104 to be informed about the outcome of the authentication and authorization. Accordingly, the UTM/USS 114 receives (501-2) the subscription request. Alternatively, the UDM 104 sends (502-1) the subscription request directly to the UTM/USS 114 and/or UAS/AF. Accordingly, the UTM/USS 114 receives (502-2) the subscription request.
Fig. 6 illustrates a flow chart of a method 600 for informing a device of the outcome of authentication and authorization of another device in accordance with some embodiments of the present disclosure. The method 600 may be implemented at a first device.
At block 610, the first device receives a notification from the second device. The notification indicates a result of authentication and authorization performed by the second device on the third device.
At block 620, the first device updates a policy for communication between the third device and the data network based on the results of the authentication and authorization.
In some example embodiments, the method 600 further includes transmitting a subscription request for the result from the first device to the second device. The subscription request includes an identification of the third device.
In some example embodiments, the identification of the third device includes one of: an identification of an unmanned aerial system to which the third device belongs, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
In some example embodiments, the first device updates the policy for communication described above by: if the result indicates a success of authentication and authorization, a first policy for mobility management of the third device is obtained and the policy for the communication is updated with the first policy.
In some example embodiments, the notification further indicates an association between a third device and a fourth device, the third device being controlled by the fourth device, or the fourth device being controlled by the third device.
In some example embodiments, the method 600 further comprises: if the result indicates success of the authentication and authorization, a first packet data unit session for communication between the third device and the second device and a second packet data unit session for communication between the fourth device and the second device are established based on the association.
In some example embodiments, the method 600 further includes configuring the user plane function device based on the association to route traffic between the second device and the third device.
In some example embodiments, the method 600 further comprises: if the result is determined to indicate a failure of authentication and authorization, terminating the packet data unit session for communication between the third device and the data network.
In some example embodiments, the method 600 further comprises: if it is determined that the result indicates a failure of authentication and authorization, a policy in the user plane function device is modified to enable the third device to communicate only with the second device.
In some example embodiments, the first device receives the notification via one of: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
In some example embodiments, the first device comprises an access and mobility management function device, and the method 600 further comprises forwarding the notification to at least one of: unified data management device, session management function device or policy control function device.
In some example embodiments, the first device comprises a unified data management device, and the method 600 further comprises forwarding the notification to at least one of: access and mobility management function devices, via access and mobility management function devices to session management function devices, or via access and mobility management function devices to policy control function devices.
In some example embodiments, the second device comprises an unmanned aerial system traffic management device and the third device comprises an unmanned aerial vehicle or an unmanned aerial vehicle controller.
In some example embodiments, the notification further comprises at least one of: an allowable flight path associated with an identification of a cell serving the third device, a tracking area associated with the third device, an allowable flight altitude of the third device, an allowable flight speed of the third device, an allowable mobility behavior of the third device, or a capability of the third device.
Fig. 7 illustrates a flow chart of a method 700 for informing a device of the outcome of authentication and authorization of another device in accordance with some embodiments of the present disclosure. The method 700 may be implemented at a second device.
At block 710, the second device performs authentication and authorization for the third device.
At block 720, the second device sends a notification to the first device indicating the result of the authentication and authorization.
In some example embodiments, the method 700 further comprises: a subscription request for a result is received from the first device, the subscription request including an identification of the third device.
In some example embodiments, the identification of the third device includes one of: an identification of an unmanned aerial system to which the third device belongs, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
In some example embodiments, the notification further indicates an association between a third device and a fourth device, the third device being controlled by the fourth device, or the fourth device being controlled by the third device.
In some example embodiments, sending the notification includes sending the notification via one of: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
In some example embodiments, the first device comprises an access and mobility management function device or a unified data management device, the second device comprises an unmanned aerial system traffic management device, and the third device comprises an unmanned aerial vehicle or an unmanned aerial vehicle controller.
In some example embodiments, the notification further comprises at least one of: an allowable flight path associated with an identification of a cell serving the third device, a tracking area associated with the third device, an allowable flight altitude of the third device, an allowable flight speed of the third device, an allowable mobility behavior of the third device, or a capability of the third device.
In some example embodiments, an apparatus (e.g., a first device) capable of performing the method 600 may include means for performing the respective steps of the method 600. The means may be implemented in any suitable form. For example, the means may be implemented in circuitry or in software modules.
In some example embodiments, the apparatus includes: means for receiving, at the first device, a notification from the second device, the notification indicating a result of authentication and authorization performed by the second device for the third device; and means for updating a policy for communication between the third device and the data network based on the result of the authentication and authorization.
In some example embodiments, the apparatus further comprises means for sending a subscription request for the result from the first device to the second device. The subscription request includes an identification of the third device.
In some example embodiments, the identification of the third device includes one of: an identification of an unmanned aerial system to which the third device belongs, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
In some example embodiments, the first device updates the policy for the communication by: if it is determined that the result indicates success of authentication and authorization, a first policy for mobility management of the third device is obtained, and the policy for the communication described above is updated with the first policy.
In some example embodiments, the notification further indicates an association between a third device and a fourth device, the third device being controlled by the fourth device, or the fourth device being controlled by the third device.
In some example embodiments, the apparatus further comprises: means for establishing, if it is determined that the result indicates success of authentication and authorization, a first packet data unit session for communication between the third device and the second device and a second packet data unit session for communication between the fourth device and the second device, based on the association.
In some example embodiments, the apparatus further includes means for configuring the user plane function device to route traffic between the second device and the third device based on the association.
In some example embodiments, the apparatus further comprises: means for terminating the packet data unit session for communication between the third device and the data network if it is determined that the result indicates a failure of authentication and authorization.
In some example embodiments, the apparatus further comprises: means for modifying a policy in the user plane function device to enable the third device to communicate only with the second device if it is determined that the result indicates a failure of authentication and authorization.
In some example embodiments, the means for receiving the notification comprises means for receiving the notification via one of: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
In some example embodiments, the first device comprises an access and mobility management function device, and the apparatus further comprises means for forwarding the notification to at least one of: unified data management device, session management function device or policy control function device.
In some example embodiments, the first device comprises a unified data management device, and the apparatus further comprises means for forwarding the notification to at least one of: access and mobility management function devices, via access and mobility management function devices to session management function devices, or via access and mobility management function devices to policy control function devices.
In some example embodiments, the second device comprises an unmanned aerial system traffic management device and the third device comprises an unmanned aerial vehicle or an unmanned aerial vehicle controller.
In some example embodiments, the notification further comprises at least one of: an allowable flight path associated with an identification of a cell serving the third device, a tracking area associated with the third device, an allowable flight altitude of the third device, an allowable flight speed of the third device, an allowable mobility behavior of the third device, or a capability of the third device.
In some example embodiments, an apparatus (e.g., a second device) capable of performing the method 700 may include means for performing the respective steps of the method 700. The means may be implemented in any suitable form. For example, the means may be implemented in circuitry or in software modules.
In some example embodiments, the apparatus includes: means for performing authentication and authorization of the third device at the second device; and means for sending a notification to the first device, the notification indicating the result of the authentication and authorization.
In some example embodiments, the apparatus further comprises: means for receiving a subscription request for the result from the first device, the subscription request including an identification of the third device.
In some example embodiments, the identification of the third device includes one of: an identification of an unmanned aerial system to which the third device belongs, a generic public subscription identifier of the third device, or a subscription permanent identifier of the third device.
In some example embodiments, the notification further indicates an association between a third device and a fourth device, the third device being controlled by the fourth device, or the fourth device being controlled by the third device.
In some example embodiments, the means for sending the notification comprises means for sending the notification via one of: a network exposure function device, a service capability exposure function device, or a machine type communication interworking function device.
In some example embodiments, the first device comprises an access and mobility management function device or a unified data management device, the second device comprises an unmanned aerial vehicle system traffic management device, and the third device comprises an unmanned aerial vehicle or an unmanned aerial vehicle controller.
In some example embodiments, the notification further comprises at least one of: an allowable flight path associated with an identification of a cell serving the third device, a tracking area associated with the third device, an allowable flight altitude of the third device, an allowable flight speed of the third device, an allowable mobility behavior of the third device, or a capability of the third device.
Fig. 8 is a simplified block diagram of a device 800 suitable for implementing embodiments of the present disclosure. Device 800 may be provided to implement a communication device, such as first device 301, second device 302, AMF 105, UDM 104, SMF 106, or PCF 107. As shown, the device 800 includes one or more processors 810, one or more memories 820 coupled to the processors 810, and one or more communication modules 840 coupled to the processors 810.
The communication module 840 is used for two-way communication. The communication module 840 has at least one antenna to facilitate communication. The communication interface may represent any interface required to communicate with other network elements.
The processor 810 may be of any type suitable for the local technology network and may include one or more of the following, by way of non-limiting example: general purpose computers, special purpose computers, microprocessors, Digital Signal Processors (DSPs), and processors based on a multi-core processor architecture. The device 800 may have multiple processors, such as an application specific integrated circuit chip that is slaved in time to a clock which synchronizes the main processor.
Memory 820 may include one or more non-volatile memories and one or more volatile memories. Examples of non-volatile memory include, but are not limited to, Read-Only Memory (ROM) 824, Electrically Programmable Read-Only Memory (EPROM), flash memory, a hard disk, a Compact Disk (CD), a Digital Video Disk (DVD), and other magnetic and/or optical memory. Examples of volatile memory include, but are not limited to, Random Access Memory (RAM) 822 and other volatile memory that does not persist for the duration of a power outage.
The computer program 830 includes computer-executable instructions that are executed by an associated processor 810. Program 830 may be stored in ROM 824. Processor 810 may perform any suitable actions and processes by loading program 830 into RAM 822.
Embodiments of the present disclosure may be implemented by means of program 830 such that device 800 may perform any of the processes of the present disclosure as discussed with reference to fig. 6-7. Embodiments of the present disclosure may also be implemented in hardware or a combination of software and hardware.
In some embodiments, program 830 may be tangibly embodied in a computer-readable medium, which may be included in device 800 (e.g., in memory 820) or in another storage device accessible by device 800. Device 800 may load program 830 from a computer readable medium into RAM 822 for execution. The computer readable medium may include any type of tangible non-volatile memory, such as ROM, EPROM, flash memory, hard disk, CD, DVD, etc. Fig. 9 shows an example of a computer readable medium 900 in the form of a CD or DVD. The computer readable medium has stored thereon a program 830.
It should be appreciated that future networks may utilize Network Function Virtualization (NFV), which is a network architecture concept that proposes to virtualize network node functions as "building blocks" or entities that may be operatively connected or linked together to provide services. A Virtualized Network Function (VNF) may comprise one or more virtual machines that run computer program code using standard or generic type servers instead of custom hardware. Cloud computing or data storage may also be used. In radio communication, this may mean node operations to be performed at least in part in a central/centralized unit CU (e.g. server, host or node) operatively coupled to the distributed units DU (e.g. radio heads/nodes). Node operations may also be distributed among multiple servers, nodes, or hosts. It should also be appreciated that the allocation of labor between core network operation and base station operation may vary depending on implementation.
In one embodiment, a server may generate a virtual network through which the server communicates with the distributed units. In general, virtual networking may involve the process of combining hardware and software network resources and network functions into a single software-based management entity (virtual network). Such virtual networks may provide a flexible distribution of operations between servers and wireless heads/nodes. In fact, any digital signal processing task may be performed in a CU or DU, and the boundary to transfer responsibility between a CU and a DU may be chosen depending on the implementation.
Accordingly, in one embodiment, a CU-DU architecture is implemented. In this case, the device 800 may be included in a central unit (e.g., control unit, edge cloud server, server) operatively coupled (e.g., via a wireless or wired network) to distributed units (e.g., remote radio heads/nodes). That is, the central unit (e.g., edge cloud server) and the distributed units may be separate devices that communicate with each other via a radio path or via a wired connection. Alternatively, they may be in the same entity that communicates via a wired connection or the like. An edge cloud or edge cloud server may serve multiple distributed units or radio access networks. In one embodiment, at least some of the processes may be performed by a central unit. In another embodiment, the apparatus 800 may alternatively be included in a distributed unit, and at least some of the processes may be performed by the distributed unit.
In one embodiment, the execution of at least some of the functions of device 800 may be shared between two physically separate devices (DU and CU) that form one operational entity. Accordingly, it can be seen that the apparatus describes an operational entity including one or more physically separate devices for performing at least some of the described processes. In one embodiment, such a CU-DU architecture may provide flexible distribution of operations between CUs and DUs. In fact, any digital signal processing task may be performed in a CU or DU, and the boundary to transfer responsibility between a CU and a DU may be chosen depending on the implementation. In one embodiment, the device 800 controls the execution of a process regardless of the location of the device and regardless of where the process/function is performed.
In general, the various embodiments of the disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While aspects of the embodiments of the present disclosure are illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that the blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer-readable storage medium. The computer program product comprises computer executable instructions, such as instructions included in program modules executed in a device on a target real or virtual processor, to perform the method 600 or 700 as described above with reference to fig. 6-7. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The functionality of the program modules may be combined or separated as desired in various embodiments. Machine-executable instructions of program modules may be executed within local or distributed devices. In distributed devices, program modules may be located in both local and remote memory storage media.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine, partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, computer program code or related data may be carried by any suitable carrier to enable an apparatus, device or processor to perform the various processes and operations described above. Examples of carriers include signals, computer readable media, and the like.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a computer-readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Moreover, although operations are described in a particular order, this should not be construed as requiring that these operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these details should not be construed as limitations on the scope of the disclosure, but rather as descriptions of features specific to particular embodiments. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the disclosure has been described in language specific to structural features and/or methodological acts, it is to be understood that the disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (30)

1. A first device, comprising:
At least one processor; and
at least one memory including computer program code;
the at least one memory and the computer program code are configured to, with the at least one processor, cause the first device to:
receiving a notification from a second device, the notification indicating a result of an authentication and authorization performed involving the second device and a third device; and
based on the result of the authentication and authorization, a policy for communication between the third device and a data network or between the third device and a fourth device is updated.
2. The first device of claim 1, wherein the first device is further caused to:
sending a subscription request to the second device for the result of the authentication and authorization of the third device, the subscription request comprising an identification of the third device.
3. The first device of claim 1, wherein the notification further comprises one of:
the identification of the third device,
an identification of the unmanned aerial vehicle system to which the third device belongs,
an identification of a group of unmanned aerial vehicle systems, the third device belonging to one unmanned aerial vehicle system of the group, or
information acquired from the unmanned aerial vehicle system to which the third device belongs.
4. The first device of claim 2 or 3, wherein the identification of the third device comprises one of:
an identification of the unmanned aerial vehicle system to which the third device belongs,
an identification that uniquely identifies the third device within the unmanned aerial vehicle system,
a common public user identification of the third device, or
a user permanent identification of the third device.
5. The first device of claim 1, wherein the first device is caused to update the policy for communication by:
if it is determined that the result indicates success of the authentication and authorization, then:
obtaining a first policy for mobility management of the third device, and
updating the policy for communication with the first policy.
6. The first device of claim 1, wherein the notification further indicates an association between the third device and the fourth device, the third device being controlled by the fourth device or the fourth device being controlled by the third device.
7. The first device of claim 6, wherein the first device is further caused to:
if it is determined that the result indicates success of the authentication and authorization, forward a request to establish, based on the association, a first packet data unit session for communication between the third device and the fourth device and a second packet data unit session for communication between the third device and a data network.
8. The first device of claim 6, wherein the first device is further caused to:
configure a user plane function device to route traffic between the third device and the fourth device based on the association.
9. The first device of claim 1, wherein the first device is further caused to:
if it is determined that the result indicates a failure of the authentication and authorization, terminating a packet data unit session for communication between the third device and the data network.
10. The first device of claim 1, wherein the first device is further caused to:
if it is determined that the result indicates a failure of the authentication and authorization, modify a policy in a user plane function device such that the third device is able to communicate only with the second device.
11. The first device of claim 1, wherein the first device is caused to receive the notification by receiving the notification via one of:
a network exposure function device,
a service capability exposure function device, or
a machine type communication interworking function device.
12. The first device of claim 1, wherein the first device comprises an access and mobility management function device, and the first device is further caused to forward the notification to at least one of:
a unified data management device,
a session management function device, or
a policy control function device.
13. The first device of claim 1, wherein the first device comprises a unified data management device, and the first device is further caused to forward the notification to at least one of:
an access and mobility management function device,
a session management function device,
a session management function device via the access and mobility management function device,
a policy control function device, or
a policy control function device via the access and mobility management function device.
14. The first device of claim 1, wherein the second device comprises an unmanned aerial vehicle system traffic management device and the third device comprises an unmanned aerial vehicle or an unmanned aerial vehicle controller.
15. The first device of claim 1, wherein the notification further comprises at least one of:
an allowable flight path associated with an identification of a cell serving the third device,
a tracking area associated with the third device,
an allowable flight altitude of the third device,
an allowable flight speed of the third device,
an allowable mobility behavior of the third device, or
a capability of the third device.
16. A second device, comprising:
at least one processor; and
at least one memory including computer program code;
the at least one memory and the computer program code are configured to, with the at least one processor, cause the second device to:
perform authentication and authorization of a third device; and
send a notification to a first device, the notification indicating a result of the authentication and authorization.
17. The second device of claim 16, wherein the second device is further caused to:
receive, from the first device, a subscription request for the result, the subscription request including an identification of the third device.
18. The second device of claim 17, wherein the identification of the third device comprises one of:
an identification of the unmanned aerial vehicle system to which the third device belongs,
a common public user identification of the third device, or
a user permanent identification of the third device.
19. The second device of claim 16, wherein the notification further indicates an association between the third device and the fourth device, the third device being controlled by the fourth device or the fourth device being controlled by the third device.
20. The second device of claim 16, wherein the second device is caused to send the notification by sending the notification via one of:
a network exposure function device,
a service capability exposure function device, or
a machine type communication interworking function device.
21. The second device of claim 16, wherein the first device comprises an access and mobility management function device, or a unified data management device, the second device comprises an unmanned aerial vehicle system traffic management device, and the third device comprises an unmanned aerial vehicle or unmanned aerial vehicle controller.
22. The second device of claim 16, wherein the notification further comprises at least one of:
an allowable flight path associated with an identification of a cell serving the third device,
a tracking area associated with the third device,
an allowable flight altitude of the third device,
an allowable flight speed of the third device,
an allowable mobility behavior of the third device, or
a capability of the third device.
23. The second device of claim 16, wherein the second device comprises an unmanned aerial vehicle system traffic management device and the third device comprises an unmanned aerial vehicle or an unmanned aerial vehicle controller.
24. The second device of claim 16, wherein the first device comprises one of:
an access and mobility management function device,
a session management function device,
a policy control function device, or
a unified data management device.
25. A method, comprising:
receiving, at a first device, a notification from a second device, the notification indicating a result of authentication and authorization performed by the second device for a third device; and
updating, based on the result of the authentication and authorization, a policy for communication between the third device and a data network.
26. A method, comprising:
performing authentication and authorization for a third device at a second device; and
sending a notification to a first device, the notification indicating a result of the authentication and authorization.
27. An apparatus, comprising:
means for receiving, at a first device, a notification from a second device, the notification indicating a result of authentication and authorization performed by the second device for a third device; and
means for updating a policy for communication between the third device and a data network based on the result of the authentication and authorization.
28. An apparatus, comprising:
means for performing authentication and authorization for a third device at a second device; and
means for sending a notification to the first device, the notification indicating a result of the authentication and authorization.
29. A non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method of claim 25.
30. A non-transitory computer readable medium comprising a computer program for causing an apparatus to perform at least the method of claim 26.
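The exchange described in the example embodiments above and restated in claims 1 to 30, written out as an added example that is not code from the patent or from the applicant: a traffic-management function (second device) authenticates and authorizes each UAV, a network function that has subscribed with the device's identification (first device) receives the result through an exposure function, and the first device then updates the communication policy: on success it keeps the data-network session, derives the mobility-management policy from the flight allowances carried in the notification, opens the second session toward the associated controller and forwards the notification toward SMF and PCF; on failure it terminates the data-network session and restricts the user-plane routing so the UAV can reach only the traffic-management function. The class names (`Utm`, `Nef`, `Amf`), the message field names, the `"ANY"` routing marker and all device identities are assumptions constructed for this illustration, not identifiers from the patent or from 3GPP.

```python
# Added example (not from the patent or the applicant's code): a minimal model of the
# notification flow in the embodiments and claims above. Class names (Utm, Nef, Amf),
# field names and all sample identities are constructed for this illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Notification:
    """UTM -> network notification: result plus optional association and flight allowances."""
    device_id: str                          # identification of the third device (constructed)
    uas_id: str                             # identification of the UAS the device belongs to
    result: str                             # "SUCCESS" or "FAILURE"
    paired_device_id: Optional[str] = None  # association UAV <-> UAV controller, if any
    allowed_altitude_m: Optional[int] = None
    allowed_speed_mps: Optional[int] = None
    allowed_cells: Tuple[str, ...] = ()     # allowable flight path as serving-cell identities


@dataclass
class Policy:
    """Communication policy the first device keeps per UAV."""
    pdu_session_to_dn: bool = False         # PDU session UAV <-> data network
    pdu_session_to_peer: bool = False       # PDU session UAV <-> paired controller
    upf_allowed_peers: set = field(default_factory=set)  # what the UPF may route to
    mobility: dict = field(default_factory=dict)         # policy for mobility management


class Utm:
    """Second device: authenticates/authorizes UAVs and notifies subscribers of the result."""

    def __init__(self, authorized: Dict[str, dict]):
        self._authorized = authorized       # constructed table: device_id -> {"uas_id", "limits"}
        self._subscribers: Dict[str, Callable[[Notification], None]] = {}

    def subscribe(self, device_id: str, callback: Callable[[Notification], None]) -> None:
        self._subscribers[device_id] = callback

    def authenticate_and_authorize(self, device_id: str, uas_id: str,
                                   paired: Optional[str] = None) -> Notification:
        entry = self._authorized.get(device_id)
        ok = entry is not None and entry["uas_id"] == uas_id
        n = Notification(device_id, uas_id, "SUCCESS" if ok else "FAILURE", paired,
                         **(entry["limits"] if ok else {}))
        if device_id in self._subscribers:
            self._subscribers[device_id](n)
        return n


class Nef:
    """Exposure function: relays notifications from the UTM to the subscribing network function."""

    def __init__(self):
        self.log = []                       # (device_id, result) of every relayed notification

    def subscribe(self, utm: Utm, device_id: str, callback: Callable[[Notification], None]) -> None:
        def relay(n: Notification) -> None:
            self.log.append((n.device_id, n.result))
            callback(n)
        utm.subscribe(device_id, relay)


class Amf:
    """First device: subscribes for the result and updates the policy when it arrives."""

    def __init__(self, utm: Utm, nef: Nef, utm_address: str = "utm.example"):
        self.utm, self.nef, self.utm_address = utm, nef, utm_address
        self.policies: Dict[str, Policy] = {}
        self.forwarded = []                 # (target NF, device_id): stands in for SMF/PCF forwarding

    def register(self, device_id: str) -> None:
        # Registration provisionally allows a data-network session and subscribes for the result.
        self.policies[device_id] = Policy(pdu_session_to_dn=True, upf_allowed_peers={"ANY"})
        self.nef.subscribe(self.utm, device_id, self.on_notification)

    def on_notification(self, n: Notification) -> Policy:
        p = self.policies.setdefault(n.device_id, Policy())
        if n.result == "SUCCESS":
            # Mobility-management policy derived from the allowances in the notification.
            p.mobility = {"altitude_m": n.allowed_altitude_m, "speed_mps": n.allowed_speed_mps,
                          "cells": n.allowed_cells}
            p.pdu_session_to_dn = True
            p.pdu_session_to_peer = n.paired_device_id is not None  # second session per association
            p.upf_allowed_peers = {"ANY"}
            self.forwarded += [("SMF", n.device_id), ("PCF", n.device_id)]
        else:
            # Failure: tear down the data-network session; the UPF may route only to the UTM.
            p.pdu_session_to_dn = False
            p.pdu_session_to_peer = False
            p.upf_allowed_peers = {self.utm_address}
            self.forwarded.append(("SMF", n.device_id))
        return p


def run_demo() -> Amf:
    """Two constructed UAVs: uav-1 is authorized by the UTM, uav-9 is unknown to it."""
    utm = Utm({"uav-1": {"uas_id": "uas-A", "limits": {"allowed_altitude_m": 120,
                                                        "allowed_speed_mps": 20,
                                                        "allowed_cells": ("cell-17", "cell-18")}}})
    amf = Amf(utm, Nef())
    for dev in ("uav-1", "uav-9"):
        amf.register(dev)
    utm.authenticate_and_authorize("uav-1", "uas-A", paired="uavc-1")
    utm.authenticate_and_authorize("uav-9", "uas-A")
    return amf


if __name__ == "__main__":
    for dev, pol in run_demo().policies.items():
        print(dev, pol)
```

The point to take from the model is the ordering the claims rely on: the first device subscribes before the result exists, provisionally grants a data-network session at registration, and only the signed-off result from the traffic-management function decides whether that session survives or collapses to a UTM-only path. Whatever transport carries the notification in a real deployment, the first device should treat it as authoritative only if it arrives over the subscribed exposure path for the same device identification it subscribed with.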
CN202080104526.8A 2020-07-30 2020-07-30 Informing the network of the result of authentication and authorization of the terminal device Pending CN116114002A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/105937 WO2022021239A1 (en) 2020-07-30 2020-07-30 Notify network about result of authentication and authorization of terminal device

Publications (1)

Publication Number Publication Date
CN116114002A true CN116114002A (en) 2023-05-12

Also Published As

Publication number Publication date
WO2022021239A1 (en) 2022-02-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination