WO2023240524A1 - Devices, methods, apparatuses, and computer readable media for network slice with high security - Google Patents


Publication number
WO2023240524A1
WO2023240524A1 PCT/CN2022/099112 CN2022099112W WO2023240524A1 WO 2023240524 A1 WO2023240524 A1 WO 2023240524A1 CN 2022099112 W CN2022099112 W CN 2022099112W WO 2023240524 A1 WO2023240524 A1 WO 2023240524A1
Authority
WO
WIPO (PCT)
Prior art keywords
network slice
management
security management
security
slice
Prior art date
Application number
PCT/CN2022/099112
Other languages
French (fr)
Inventor
Rakshesh PRAVINCHANDRA BHATT
Jing PING
Santhosh S B
Ranganathan MAVUREDDI DHANASEKARAN
Original Assignee
Nokia Shanghai Bell Co., Ltd.
Nokia Solutions And Networks Oy
Nokia Technologies Oy
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nokia Shanghai Bell Co., Ltd., Nokia Solutions And Networks Oy, Nokia Technologies Oy
Priority to PCT/CN2022/099112
Publication of WO2023240524A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security

Definitions

  • Various embodiments relate to devices, methods, apparatuses, and computer readable media for network slice with high security.
  • a network slice which may also be briefly referred to as a slice, can be understood as a logical network on top of a shared infrastructure.
  • An end-to-end (E2E) logical network for security management may be deployed and configured in order to provide Security-as-a-service (SECaaS).
  • This can allow communication of security management and operations related aspects between the centralized cloud, edge cloud, and radio access network (RAN) network entities (NEs) including user equipments (UEs) and internet of things (IoT) devices.
  • the network slice management producer may include at least one processor and at least one memory.
  • the at least one memory may include computer program code, and the at least one memory and the computer program code may be configured to, with the at least one processor, cause the network slice management producer to perform: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
  • the evaluated resources may comprise at least one of transport resources and radio access network resources.
  • the at least one memory and the computer program code may be further configured to, with the at least one processor, cause the network slice management producer to further perform: transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
  • the at least one memory and the computer program code may be further configured to, with the at least one processor, cause the network slice management producer to further perform: transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
  • the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
  • the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  • the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
  • the network slice management consumer may include at least one processor and at least one memory.
  • the at least one memory may include computer program code, and the at least one memory and the computer program code may be configured to, with the at least one processor, cause the network slice management consumer to perform: transmitting, to a network slice management producer, a request for security management requirements in a network slice; and receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
  • the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
  • the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  • the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
  • a method performed by a network slice management producer may comprise: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
  • the evaluated resources may comprise at least one of transport resources and radio access network resources.
  • the method may further comprise: transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
  • the method may further comprise: transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
  • the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
  • the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  • the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
  • a method performed by a network slice management consumer may comprise: transmitting, to a network slice management producer, a request for security management requirements in a network slice; and receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
  • the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
  • the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  • the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
  • the apparatus as a network slice management producer may comprise: means for receiving, from a network slice management consumer, a request for security management requirements in a network slice; means for evaluating resources for the security management requirements; and means for transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
  • the evaluated resources may comprise at least one of transport resources and radio access network resources.
  • the apparatus may further comprise: means for transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and means for receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
  • the apparatus may further comprise: means for transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and means for receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
  • the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
  • the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  • the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
  • the apparatus as a network slice management consumer may comprise: means for transmitting, to a network slice management producer, a request for security management requirements in a network slice; and means for receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
  • the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
  • the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  • the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
  • a computer readable medium may include instructions stored thereon for causing a network slice management producer to perform: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
  • the evaluated resources may comprise at least one of transport resources and radio access network resources.
  • the computer readable medium may further include instructions stored thereon for causing the network slice management producer to further perform: transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
  • the computer readable medium may further include instructions stored thereon for causing the network slice management producer to further perform: transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
  • the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
  • the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  • the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
  • a computer readable medium may include instructions stored thereon for causing a network slice management consumer to perform: transmitting, to a network slice management producer, a request for security management requirements in a network slice; and receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
  • the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
  • the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  • the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
  • FIG. 1 shows an exemplary scenario the example embodiments of the present disclosure may achieve.
  • FIG. 2 shows an exemplary sequence diagram for creating a network slice with high security according to the example embodiments of the present disclosure.
  • FIG. 3 shows an exemplary scenario some example embodiments of the present disclosure may achieve.
  • FIG. 4 shows an exemplary scenario some example embodiments of the present disclosure may achieve.
  • FIG. 5 shows an exemplary sequence diagram for secure PDU session establishment for a slice with high security according to the example embodiments of the present disclosure.
  • FIG. 6 shows an exemplary sequence diagram for an example use-case scenario of secured key provisioning according to the example embodiments of the present disclosure.
  • FIG. 7 shows a flow chart illustrating an example method 700 for network slice with high security according to the example embodiments of the present disclosure.
  • FIG. 8 shows a flow chart illustrating an example method 800 for network slice with high security according to the example embodiments of the present disclosure.
  • FIG. 9 shows a block diagram illustrating an example device 900 for network slice with high security according to the example embodiments of the present disclosure.
  • FIG. 10 shows a block diagram illustrating an example device 1000 for network slice with high security according to the example embodiments of the present disclosure.
  • FIG. 11 shows a block diagram illustrating an example apparatus 1100 for network slice with high security according to the example embodiments of the present disclosure.
  • FIG. 12 shows a block diagram illustrating an example apparatus 1200 for network slice with high security according to the example embodiments of the present disclosure.
  • Example embodiments of the present disclosure provide a solution of network slice with high security.
  • the network slice with high security may be created as a network slice dedicated for security management or a network slice with a feature dedicated for security management.
  • FIG. 1 shows an exemplary scenario the example embodiments of the present disclosure may achieve.
  • an E2E network slice with high security of the example embodiments of the present disclosure can provide required resources for reliable and secure security services and operational workflows for various end users such as the end user 1, end user 2, ..., end user n as well as various terminal devices such as the terminal device 1, terminal device 2, ..., terminal device n in various use-cases and/or applications such as certificate management, key distribution, key renewal, security software upgrade, vulnerable patch management, security event log collection, security event analytics.
  • FIG. 2 shows an exemplary sequence diagram for creating the network slice with high security according to the example embodiments of the present disclosure.
  • a RAN slice orchestrator 210, a transport slice orchestrator 220, a central slice orchestrator 230, and an operator 240 are shown as example entities for creating the network slice with high security.
  • the operator 240 which may be a network slice management consumer, may transmit, to the central slice orchestrator 230, which may be a network slice management producer, a request 242 for security management requirements in a network slice.
  • the request 242 may trigger configuring the network slice with high security satisfying the security management requirements.
  • the operator 240 may request to create a network slice with high security for key management.
  • the operator 240 may request to create another network slice with high security for certificate management and patch management.
  • the central slice orchestrator 230 may evaluate resources for the security management requirements.
  • the central slice orchestrator 230 may evaluate at least transport resources and RAN resources required for the security management requirements.
  • the evaluated resources may comprise at least one of the transport resources and RAN resources.
  • the central slice orchestrator 230 may transmit, to the transport slice orchestrator 220, a request 234 for the transport resources for the security management requirements.
  • the transport resources may be the transport resources required for the security management requirements evaluated in the operation 232.
  • the transport slice orchestrator 220 may allocate the required transport resources and then transmit to the central slice orchestrator 230 a response 224 with the transport resources allocated for the security management requirements.
  • the central slice orchestrator 230 may receive, from the transport slice orchestrator 220, the response 224 with the transport resources allocated for the security management requirements.
  • the central slice orchestrator 230 may transmit, to the RAN slice orchestrator 210, a request 236 for the RAN resources for the security management requirements.
  • the RAN resources may be the RAN resources required for the security management requirements evaluated in the operation 232.
  • the RAN slice orchestrator 210 may allocate the required RAN resources and then transmit to the central slice orchestrator 230 a response 216 with the RAN resources allocated for the security management requirements.
  • the central slice orchestrator 230 may receive, from the RAN slice orchestrator 210, the response 216 with the RAN resources allocated for the security management requirements.
  • the central slice orchestrator 230 may transmit, to the operator 240, a report 238 for the resources allocated for the security management requirements.
  • the operator 240 may make use of the network slice with high security for various use-cases as required.
  • the network slice with high security may have configuration for use-cases regarding security management for industrial IoT, home safety, public safety, etc.
  • KAF key for application function
  • AKMA key management for applications
  • key management including short/long-term key distributions for IoT devices and/or UEs, certificate management on IoT devices and/or UEs, security patch management on IoT devices and/or UEs, security software management on IoT devices and/or UEs, Security logs collection from IoT devices and/or UEs, etc.
  • the security management requirements may be associated with quality of service (QoS) and/or service level agreements (SLA) of the network slice.
  • the security management requirements may be associated with different levels of QoS.
  • the QoS of the network slice may be, e.g., ensuring high throughput for use-cases such as security log collection, patch download, secure software download and integrity protection, etc.
  • the security management requirements may be associated with different SLA requirements for E2E security management and/or operation for the network slice.
  • the SLA requirements may be, for example, at least one of the following: enhanced slice isolation requirement, support network authorization by UE, authenticity of application function (AF), E2E replay protection requirement, E2E confidentiality protection requirement, E2E integrity protection requirement, security policy on N6, which may be an interface between a user plane function (UPF) of a core network (CN) and data network (DN), etc.
  • the request 242 for the security management requirements may comprise at least one of the following: a dedicated slice service type (SST) value for the network slice, at least one service differentiator (SD) specific to the network slice, and at least one network slice type (NEST) attribute specific to the network slice.
  • the network slice with high security may be created as a network slice dedicated for security management.
  • an SST value “6” may be introduced for a slice/service type of security, with the characteristic of a slice suitable for the handling of security services.
  • the network slice dedicated for security management may be created for security service(s).
  • At least one SD specific to the network slice may be included in the request 234.
  • the network slice dedicated for security management may share the SST value with other slice/service type.
  • the SST value may have at least one proprietary SD defined for at least one security service.
  • the network slice dedicated for security management may be created for the corresponding security service(s).
  • At least one NEST attribute specific to the network slice may be included in the request 234.
  • different values of NEST attributes may be predefined and configured on the network slices with high security sharing the same security SST but having different SDs.
  • the at least one NEST attribute may correspond to at least one service of security management and/or operation, respectively.
  • the NEST attributes corresponding to the services of security management and/or operation may be, for example, use-case specific attributes, e.g. key management related attributes, certificate management related attributes, and/or security log management related attributes.
  • the certificate management related attributes may be, for example, a least acceptable certificate expiry time, which would mean that all certificate renewals must happen before this time.
  • the security log management related attributes may be, for example, periodicity of security event log transfers from UEs/IoT devices to the network, security monitoring and log analysis function configurations at the network, etc.
  • the NEST attributes may also be attributes such as, for example, the SLA defined in service profiles, an isolation level (which could be physical isolation), an availability that should be ensured to 99.9999%, session and service continuity support, etc.
  • the network slice dedicated for security management or the network slice with a feature dedicated for security management may be created for the corresponding service(s) of security management and/or operation. In a case where the network slice with high security is used for E2E security management, E2E encryption may be required.
  • FIG. 3 shows an exemplary scenario some example embodiments of the present disclosure may achieve.
  • an E2E network slicing comprises a UE slice, a RAN slice, a transport slice, and a CN slice.
  • a slice 1 dedicated for enhanced mobile broadband (eMBB), a slice 2 dedicated for ultra-reliable low latency communications (URLLC), and a slice 3 dedicated for security management are used by a UE 1, and a slice 3 dedicated for security management and a slice 4 dedicated for mobile internet of things (MIoT) are used by a UE 2.
  • the RAN slice provides RAN eMBB for slice 1, RAN URLLC for slice 2, RAN security for slice 3, and RAN MIoT for slice 4.
  • the CN slice provides CN eMBB for slice 1, CN URLLC for slice 2, CN security for slice 3, and CN MIoT for slice 4.
  • the transport slice provides N2 and/or N3 interface between the RAN slice and the corresponding CN slice.
  • the slice 3 dedicated for security management used by the UE 1 and the UE 2 is highly secure, and mobile network operator (MNO) may make use of the slice 3 for security operations.
  • FIG. 4 shows an exemplary scenario some example embodiments of the present disclosure may achieve.
  • no network slice dedicated for security management is created, but a network slice with a feature dedicated for security management is created.
  • a slice 1, a slice 2, and a slice 3 are used by a UE.
  • the slice 3 is created for a slice tenant, and two packet data unit (PDU) sessions are established in the slice 3.
  • the PDU session 1 is for MIoT, and the PDU session 2 is dedicated for security management and is highly secure.
  • the tenant of the slice 3 may make use of the PDU session 2 in the slice 3 for security operations.
  • FIG. 5 shows an exemplary sequence diagram for secure PDU session establishment for a slice with high security according to the example embodiments of the present disclosure.
  • a UE 510, a RAN 520, a session management function (SMF) 530, a UPF 540, AF 550, an access and mobility management function (AMF) 560, and a unified data management (UDM) 570 are shown as entities for establishing a secure PDU session for the slice with high security.
  • the slice with high security may be for example the network slice dedicated for security management e.g., the slice 3 shown in the FIG. 3 or the network slice with a feature dedicated for security management e.g. the slice 3 shown in the FIG. 4.
  • the AF 550 may be controlled by an operator.
  • the UE 510 may register in a slice with high security through a UE registration process. Then, the UE 510 may transmit a PDU session establishment request 514 to the SMF 530 via the AMF 560. Receiving the request 514, the SMF 530 may get, from the UDM 570, security policy satisfying security management requirements in the slice with high security.
  • the UDM 570 is shown as an example of a policy device, and it may be appreciated that a network slice selection function (NSSF) and/or a policy control function (PCF) may also be used as a policy device for storing and providing the security policy.
  • the SMF 530 may configure a routing in the UPF 540 according to the security policy, and in an operation 522, the SMF 530 may create a PDU session via the AMF 560 with the RAN 520 according to the security policy such that the created PDU session may satisfy the security management requirements in the slice.
  • the SMF 530 may transmit a PDU session establishment response 536 with the security policy via the AMF 560 to the UE 510.
  • the created PDU session in the slice may provide highly secure E2E protection with enhanced security in e.g., encryption and/or integrity.
  • the algorithm used for integrity and ciphering in the created PDU session may have a higher E2E security level.
  • FIG. 6 shows an exemplary sequence diagram for an example use-case scenario of secured key provisioning according to the example embodiments of the present disclosure.
  • a PDU session is established in a slice with high security.
  • the PDU session may be created according to the exemplary sequence shown in e.g., the FIG. 5 to provide highly secure E2E protection with enhanced security in e.g., encryption and/or integrity compared with other slices or other PDU sessions.
  • the AF 550 may, for example, update home network public keys. Then, the AF 550 may transmit the updated set of home network public keys and identifiers in a downlink (DL) packet 654 to the UE 510 via the UPF 540 and the RAN 520. In an operation 614, the UE 510 may store the updated set of home network public keys and identifiers in e.g., a universal subscriber identity module (USIM).
  • the AF 550 may perform other security updates in the USIM with protection scheme identifiers list. After the successful security updates, in an operation 616, the PDU session may be released.
  • FIG. 7 shows a flow chart illustrating an example method 700 for network slice with high security according to the example embodiments of the present disclosure.
  • the example method 700 may be performed for example at a network slice management producer such as the central slice orchestrator 230.
  • the example method 700 may include an operation 710 of receiving, from a network slice management consumer, a request for security management requirements in a network slice; an operation 720 of evaluating resources for the security management requirements; and an operation 730 of transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
  • the evaluated resources may comprise at least one of transport resources and RAN resources.
  • the example method 700 may further include an operation of transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and an operation of receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
  • the example method 700 may further include an operation of transmitting, to a RAN slice orchestrator, a request for the RAN resources for the security management requirements; and an operation of receiving, from the RAN slice orchestrator, a response with the RAN resources allocated for the security management requirements.
  • the security management requirements may be associated with QoS and/or SLA of the network slice.
  • the request for the security management requirements may comprise at least one of the following: a dedicated SST value for the network slice, at least one SD specific to the network slice, and at least one NEST attribute specific to the network slice.
  • the at least one NEST attribute may correspond to at least one service of security management and/or operation, respectively.
  • FIG. 8 shows a flow chart illustrating an example method 800 for network slice with high security according to the example embodiments of the present disclosure.
  • the example method 800 may be performed for example at a network slice management consumer such as the operator 240.
  • the example method 800 may include an operation 810 of transmitting, to a network slice management producer, a request for security management requirements in a network slice; and an operation 820 of receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
  • the security management requirements may be associated with QoS and/or SLA of the network slice.
  • the request for the security management requirements may comprise at least one of the following: a dedicated SST value for the network slice, at least one SD specific to the network slice, and at least one NEST attribute specific to the network slice.
  • the at least one NEST attribute may correspond to at least one service of security management and/or operation, respectively.
  • FIG. 9 shows a block diagram illustrating an example device 900 for network slice with high security according to the example embodiments of the present disclosure.
  • the device, for example, may be at least part of a network slice management producer such as the central slice orchestrator 230 in the above examples.
  • the example device 900 may include at least one processor 910 and at least one memory 920 that may include computer program code 930.
  • the at least one memory 920 and the computer program code 930 may be configured to, with the at least one processor 910, cause the device 900 at least to perform the example method 700 described above.
  • the at least one processor 910 in the example device 900 may include, but is not limited to, at least one hardware processor, including at least one microprocessor such as a central processing unit (CPU), a portion of at least one hardware processor, and any other suitable dedicated processor such as those developed based on, for example, Field Programmable Gate Array (FPGA) and Application Specific Integrated Circuit (ASIC). Further, the at least one processor 910 may also include at least one other circuitry or element not shown in FIG. 9.
  • the at least one memory 920 in the example device 900 may include at least one storage medium in various forms, such as a volatile memory and/or a non-volatile memory.
  • the volatile memory may include, but is not limited to, for example, a random-access memory (RAM), a cache, and so on.
  • the non-volatile memory may include, but is not limited to, for example, a read only memory (ROM), a hard disk, a flash memory, and so on.
  • the at least one memory 920 may include, but is not limited to, an electric, a magnetic, an optical, an electromagnetic, an infrared, or a semiconductor system, apparatus, or device or any combination of the above.
  • the example device 900 may also include at least one other circuitry, element, and interface, for example at least one I/O interface, at least one antenna element, and the like.
  • the circuitries, parts, elements, and interfaces in the example device 900 may be coupled together via any suitable connections including, but not limited to, buses, crossbars, wiring and/or wireless lines, in any suitable ways, for example electrically, magnetically, optically, electromagnetically, and the like.
  • the structure of the device on the side of the network slice management producer is not limited to the above example device 900.
  • FIG. 10 shows a block diagram illustrating an example device 1000 for network slice with high security according to the example embodiments of the present disclosure.
  • the device, for example, may be at least part of a network slice management consumer such as the operator 240 in the above examples.
  • the example device 1000 may include at least one processor 1010 and at least one memory 1020 that may include computer program code 1030.
  • the at least one memory 1020 and the computer program code 1030 may be configured to, with the at least one processor 1010, cause the device 1000 at least to perform the example method 800 described above.
  • the at least one processor 1010 in the example device 1000 may include, but is not limited to, at least one hardware processor, including at least one microprocessor such as a central processing unit (CPU), a portion of at least one hardware processor, and any other suitable dedicated processor such as those developed based on, for example, Field Programmable Gate Array (FPGA) and Application Specific Integrated Circuit (ASIC). Further, the at least one processor 1010 may also include at least one other circuitry or element not shown in FIG. 10.
  • the at least one memory 1020 in the example device 1000 may include at least one storage medium in various forms, such as a volatile memory and/or a non-volatile memory.
  • the volatile memory may include, but is not limited to, for example, a random-access memory (RAM), a cache, and so on.
  • the non-volatile memory may include, but is not limited to, for example, a read only memory (ROM), a hard disk, a flash memory, and so on.
  • the at least one memory 1020 may include, but is not limited to, an electric, a magnetic, an optical, an electromagnetic, an infrared, or a semiconductor system, apparatus, or device or any combination of the above.
  • the example device 1000 may also include at least one other circuitry, element, and interface, for example at least one I/O interface, at least one antenna element, and the like.
  • the circuitries, parts, elements, and interfaces in the example device 1000 may be coupled together via any suitable connections including, but not limited to, buses, crossbars, wiring and/or wireless lines, in any suitable ways, for example electrically, magnetically, optically, electromagnetically, and the like.
  • the structure of the device on the side of the network slice management consumer is not limited to the above example device 1000.
  • FIG. 11 shows a block diagram illustrating an example apparatus 1100 for network slice with high security according to the example embodiments of the present disclosure.
  • the apparatus may be at least part of a network slice management producer such as the central slice orchestrator 230 in the above examples.
  • the example apparatus 1100 may include means 1110 for performing the operation 710 of the example method 700, means 1120 for performing the operation 720 of the example method 700, and means 1130 for performing the operation 730 of the example method 700.
  • at least one I/O interface, at least one antenna element, and the like may also be included in the example apparatus 1100.
  • examples of means in the example apparatus 1100 may include circuitries.
  • an example of means 1110 may include a circuitry configured to perform the operation 710 of the example method 700.
  • an example of means 1120 may include a circuitry configured to perform the operation 720 of the example method 700.
  • an example of means 1130 may include a circuitry configured to perform the operation 730 of the example method 700.
  • examples of means may also include software modules and any other suitable function entities.
  • FIG. 12 shows a block diagram illustrating an example apparatus 1200 for network slice with high security according to the example embodiments of the present disclosure.
  • the apparatus, for example, may be at least part of a network slice management consumer such as the operator 240 in the above examples.
  • the example apparatus 1200 may include means 1210 for performing the operation 810 of the example method 800, and means 1220 for performing the operation 820 of the example method 800.
  • at least one I/O interface, at least one antenna element, and the like may also be included in the example apparatus 1200.
  • examples of means in the example apparatus 1200 may include circuitries.
  • an example of means 1210 may include a circuitry configured to perform the operation 810 of the example method 800.
  • an example of means 1220 may include a circuitry configured to perform the operation 820 of the example method 800.
  • examples of means may also include software modules and any other suitable function entities.
  • circuitry throughout this disclosure may refer to one or more or all of the following: (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry); (b) combinations of hardware circuits and software, such as (as applicable) (i) a combination of analog and/or digital hardware circuit(s) with software/firmware and (ii) any portions of hardware processor(s) with software (including digital signal processor(s)), software, and memory(ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions; and (c) hardware circuit(s) and/or processor(s), such as a microprocessor(s) or a portion of a microprocessor(s), that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
  • circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware.
  • circuitry also covers, for example and if applicable to the claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
  • Another example embodiment may relate to computer program codes or instructions which may cause an apparatus to perform at least respective methods described above.
  • Another example embodiment may be related to a computer readable medium having such computer program codes or instructions stored thereon.
  • a computer readable medium may include at least one storage medium in various forms such as a volatile memory and/or a non-volatile memory.
  • the volatile memory may include, but is not limited to, for example, a RAM, a cache, and so on.
  • the non-volatile memory may include, but is not limited to, a ROM, a hard disk, a flash memory, and so on.
  • the non-volatile memory may also include, but is not limited to, an electric, a magnetic, an optical, an electromagnetic, an infrared, or a semiconductor system, apparatus, or device or any combination of the above.
  • the words “comprise,” “comprising,” and the like are to be construed in an inclusive sense, as opposed to an exclusive or exhaustive sense; that is to say, in the sense of “including, but not limited to.”
  • the word “coupled” refers to two or more elements that may be either directly connected, or connected by way of one or more intermediate elements.
  • the word “connected” refers to two or more elements that may be either directly connected, or connected by way of one or more intermediate elements.
  • conditional language used herein such as, among others, “can,” “could,” “might,” “may,” “e.g.,” “for example,” “such as” and the like, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or states.
  • conditional language is not generally intended to imply that features, elements and/or states are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without author input or prompting, whether these features, elements and/or states are included or are to be performed in any particular embodiment.
  • the term “determine/determining” can include, not least: calculating, computing, processing, deriving, measuring, investigating, looking up (for example, looking up in a table, a database or another data structure), ascertaining and the like. Also, “determining” can include receiving (for example, receiving information), accessing (for example, accessing data in a memory), obtaining and the like. Also, “determine/determining” can include resolving, selecting, choosing, establishing, and the like.

Abstract

Disclosed are devices, methods, apparatuses, and computer readable media for network slice with high security. An example network slice management producer may include at least one processor and at least one memory. The at least one memory may include computer program code, and the at least one memory and the computer program code may be configured to, with the at least one processor, cause the network slice management producer to perform: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.

Description

DEVICES, METHODS, APPARATUSES, AND COMPUTER READABLE MEDIA FOR NETWORK SLICE WITH HIGH SECURITY
TECHNICAL FIELD
Various embodiments relate to devices, methods, apparatuses, and computer readable media for network slice with high security.
BACKGROUND
A network slice, which may also be briefly referred to as a slice, can be understood as a logical network on top of a shared infrastructure. An end-to-end (E2E) logical network for security management may be deployed and configured in order to provide Security-as-a-service (SECaaS). This can allow communication of security management and operations related aspects between the centralized cloud, edge cloud, and radio access network (RAN) network entities (NEs) including user equipments (UEs) and internet of things (IoT) devices. With millions of NEs in the fifth generation (5G) wireless telecommunications systems, ensuring the security of each of the devices would be a huge challenge. Existing wireless networks have various limitations with respect to E2E automation of security operations and services. For example, no dedicated resource allocation mechanism exists to ensure reliable execution of various security services. Existing systems do not have dedicated and secure resources to ensure E2E fail-proof executions of operations. Due to lack of dedicated resources for security services, the E2E automation of security event log collection, security log analysis and risk mitigation steps cannot be reliably executed for a complex and massive system, e.g. the 5G wireless networks. Moreover, sharing or exchanging any security sensitive material like keys over the air may be vulnerable to Man-in-the-Middle (MITM) attacks, etc.
SUMMARY
A brief summary of exemplary embodiments is provided below to provide basic understanding of some aspects of various embodiments. It should be noted that this summary is not intended to identify key features or essential elements or define scopes of the embodiments, and its sole purpose is to introduce some concepts in a simplified form as a preamble for a more detailed description provided below.
In a first aspect, disclosed is a network slice management producer. The network slice management producer may include at least one processor and at least one memory. The at least one memory may include computer program code, and the at least one memory and the computer program code may be configured to, with the at least one processor, cause the network slice management producer to perform: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
In some example embodiments, the evaluated resources may comprise at least one of transport resources and radio access network resources.
In some example embodiments, the at least one memory and the computer program code may be further configured to, with the at least one processor, cause the network slice management producer to further perform: transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
In some example embodiments, the at least one memory and the computer program code may be further configured to, with the at least one processor, cause the network slice management producer to further perform: transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
In some example embodiments, the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
In some example embodiments, the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
In some example embodiments, the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
In a second aspect, disclosed is a network slice management consumer. The network slice management consumer may include at least one processor and at least one memory. The at least one memory may include computer program code, and the at least one memory and the computer program code may be configured to, with the at least one processor, cause the network slice management consumer to perform: transmitting, to a network slice management producer, a request for security management requirements in a network slice; and receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
In some example embodiments, the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
In some example embodiments, the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
In some example embodiments, the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
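The exchange between the consumer and the producer in the first and second aspects can be sketched as follows. This is an added example, not code from the patent: the message fields, service keys, units, capacities, the SST value 200, the SD string and the rule that a failed domain rolls back earlier grants are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Service keys follow use-cases the page lists; treating each as one NEST
# attribute, and every unit and number below, is an assumption of this example.
KNOWN_SERVICES = {"certificate_management", "key_distribution", "key_renewal",
                  "security_software_upgrade", "security_event_log_collection"}


@dataclass
class SecurityRequest:
    """Consumer -> producer: request for security management requirements."""
    slice_id: str
    sst: Optional[int] = None                      # dedicated SST value
    sds: List[str] = field(default_factory=list)   # slice-specific SDs
    # NEST attribute (one per security service) -> demand per resource domain
    nest_attributes: Dict[str, Dict[str, int]] = field(default_factory=dict)


@dataclass
class Report:
    """Producer -> consumer: report for the resources allocated."""
    slice_id: str
    accepted: bool
    allocated: Dict[str, int] = field(default_factory=dict)
    reason: str = ""


class DomainOrchestrator:
    """Stand-in for the transport or RAN slice orchestrator."""

    def __init__(self, domain: str, capacity: int):
        self.domain = domain
        self.free = capacity
        self.reservations: Dict[str, int] = {}

    def allocate(self, slice_id: str, amount: int) -> bool:
        # Refuse duplicates so a replayed request cannot double-book capacity.
        if slice_id in self.reservations or amount > self.free:
            return False
        self.free -= amount
        self.reservations[slice_id] = amount
        return True

    def release(self, slice_id: str) -> None:
        self.free += self.reservations.pop(slice_id, 0)


class SliceManagementProducer:
    def __init__(self, transport: DomainOrchestrator, ran: DomainOrchestrator):
        self.domains = {"transport": transport, "ran": ran}

    def handle(self, req: SecurityRequest) -> Report:
        # Receive: the request must carry at least one of SST, SD, NEST attribute.
        if req.sst is None and not req.sds and not req.nest_attributes:
            return Report(req.slice_id, False, reason="no SST, SD or NEST attribute")
        unknown = sorted(set(req.nest_attributes) - KNOWN_SERVICES)
        if unknown:
            return Report(req.slice_id, False, reason=f"unknown service {unknown}")

        # Evaluate: total the demand of every requested service per domain.
        demand = {name: 0 for name in self.domains}
        for needs in req.nest_attributes.values():
            for domain, amount in needs.items():
                if domain not in demand or amount < 0:
                    return Report(req.slice_id, False, reason=f"bad demand for {domain}")
                demand[domain] += amount

        # Ask each domain orchestrator; undo earlier grants if a later one fails,
        # so a rejected slice never holds a partial reservation.
        granted = []
        for name, orchestrator in self.domains.items():
            if orchestrator.allocate(req.slice_id, demand[name]):
                granted.append(orchestrator)
                continue
            for earlier in granted:
                earlier.release(req.slice_id)
            return Report(req.slice_id, False, reason=f"{name} resources unavailable")

        # Transmit: report what was allocated end to end.
        return Report(req.slice_id, True, allocated=demand)


def run_constructed_exchange():
    """Three constructed consumer requests against constructed capacities."""
    transport = DomainOrchestrator("transport", capacity=100)  # e.g. Mbit/s
    ran = DomainOrchestrator("ran", capacity=20)               # e.g. PRBs
    producer = SliceManagementProducer(transport, ran)
    requests = [
        SecurityRequest("sec-1", sst=200, sds=["0x0000A1"], nest_attributes={
            "key_distribution": {"transport": 10, "ran": 5},
            "security_event_log_collection": {"transport": 40, "ran": 5}}),
        SecurityRequest("sec-2", sst=200, nest_attributes={
            "security_software_upgrade": {"transport": 30, "ran": 15}}),
        SecurityRequest("sec-3"),
    ]
    return [producer.handle(r) for r in requests], transport, ran


if __name__ == "__main__":
    for report in run_constructed_exchange()[0]:
        print(report)
```

The second request is the case to watch: the transport domain grants it, the RAN domain cannot, and the producer releases the transport grant before reporting the rejection.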
In a third aspect, disclosed is a method performed by a network slice management producer. The method may comprise: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
In some example embodiments, the evaluated resources may comprise at least one of transport resources and radio access network resources.
In some example embodiments, the method may further comprise: transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
In some example embodiments, the method may further comprise: transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
In some example embodiments, the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
In some example embodiments, the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
In some example embodiments, the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
In a fourth aspect, disclosed is a method performed by a network slice management consumer. The method may comprise: transmitting, to a network slice management producer, a request for security management requirements in a network slice; and receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
In some example embodiments, the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
In some example embodiments, the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
In some example embodiments, the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
In a fifth aspect, disclosed is an apparatus. The apparatus as a network slice management producer may comprise: means for receiving, from a network slice management consumer, a request for security management requirements in a network slice; means for evaluating resources for the security management requirements; and means for transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
In some example embodiments, the evaluated resources may comprise at least one of transport resources and radio access network resources.
In some example embodiments, the apparatus may further comprise: means for transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and means for receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
In some example embodiments, the apparatus may further comprise: means for transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and means for receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
In some example embodiments, the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
In some example embodiments, the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
In some example embodiments, the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
In a sixth aspect, disclosed is an apparatus. The apparatus as a network slice management consumer may comprise: means for transmitting, to a network slice management producer, a request for security management requirements in a network slice; and means for receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
In some example embodiments, the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
In some example embodiments, the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
In some example embodiments, the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
In a seventh aspect, a computer readable medium is disclosed. The computer readable medium may include instructions stored thereon for causing a network slice management producer to perform: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
In some example embodiments, the evaluated resources may comprise at least one of transport resources and radio access network resources.
In some example embodiments, the computer readable medium may further include instructions stored thereon for causing the network slice management producer to further perform: transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
In some example embodiments, the computer readable medium may further include instructions stored thereon for causing the network slice management producer to further perform: transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
In some example embodiments, the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
In some example embodiments, the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
In some example embodiments, the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
In an eighth aspect, a computer readable medium is disclosed. The computer readable medium may include instructions stored thereon for causing a network slice management consumer to perform: transmitting, to a network slice management producer, a request for security management requirements in a network slice; and receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
In some example embodiments, the security management requirements may be associated with quality of service and/or service level agreements of the network slice.
In some example embodiments, the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
In some example embodiments, the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.
Other features and advantages of the example embodiments of the present disclosure will also be apparent from the following description of specific embodiments when read in conjunction with the accompanying drawings, which illustrate, by way of example, the principles of example embodiments of the present disclosure.
BRIEF DESCRIPTION OF THE DRAWINGS
Some example embodiments will now be described, by way of non-limiting examples, with reference to the accompanying drawings.
FIG. 1 shows an exemplary scenario the example embodiments of the present disclosure may achieve.
FIG. 2 shows an exemplary sequence diagram for creating a network slice with high security according to the example embodiments of the present disclosure.
FIG. 3 shows an exemplary scenario some example embodiments of the present disclosure may achieve.
FIG. 4 shows an exemplary scenario some example embodiments of the present disclosure may achieve.
FIG. 5 shows an exemplary sequence diagram for secure PDU session establishment for a slice with high security according to the example embodiments of the present disclosure.
FIG. 6 shows an exemplary sequence diagram for an example use-case scenario of secured key provisioning according to the example embodiments of the present disclosure.
FIG. 7 shows a flow chart illustrating an example method 700 for network slice with high security according to the example embodiments of the present disclosure.
FIG. 8 shows a flow chart illustrating an example method 800 for network slice with high security according to the example embodiments of the present disclosure.
FIG. 9 shows a block diagram illustrating an example device 900 for network slice with high security according to the example embodiments of the present disclosure.
FIG. 10 shows a block diagram illustrating an example device 1000 for network slice with high security according to the example embodiments of the present disclosure.
FIG. 11 shows a block diagram illustrating an example apparatus 1100 for network slice with high security according to the example embodiments of the present disclosure.
FIG. 12 shows a block diagram illustrating an example apparatus 1200 for network slice with high security according to the example embodiments of the present disclosure.
Throughout the drawings, same or similar reference numbers indicate same or similar elements. A repetitive description on the same elements would be omitted.
DETAILED DESCRIPTION
Herein below, some example embodiments are described in detail with reference to the accompanying drawings. The following description includes specific details for the purpose of providing a thorough understanding of various concepts. However, it will be apparent to those skilled in the art that these concepts may be practiced without these specific details. In some instances, well known circuits, techniques and components are shown in block diagram form to avoid obscuring the described concepts and features.
Example embodiments of the present disclosure provide a solution of network slice with high security. According to the example embodiments of the present disclosure, the network slice with high security may be created as a network slice dedicated for security management or a network slice with a feature dedicated for security management.
FIG. 1 shows an exemplary scenario the example embodiments of the present disclosure may achieve. Referring to the FIG. 1, an E2E network slice with high security of the example embodiments of the present disclosure can provide required resources for reliable and secure security services and operational workflows for various end users such as the end user 1, end user 2, ..., end user n as well as various terminal devices such as the terminal device 1, terminal device 2, ..., terminal device n in various use-cases and/or applications such as certificate management, key distribution, key renewal, security software upgrade, vulnerable patch management, security event log collection, security event analytics.
FIG. 2 shows an exemplary sequence diagram for creating the network slice with high security according to the example embodiments of the present disclosure. In the FIG. 2, a RAN slice orchestrator 210, a transport slice orchestrator 220, a central slice orchestrator 230, and an operator 240 are shown as example entities for creating the network slice with high security.
Referring to the FIG. 2, the operator 240, which may be a network slice management consumer, may transmit, to the central slice orchestrator 230, which may be a network slice management producer, a request 242 for security management requirements in a network slice. The request 242 may trigger configuring the network slice with high security satisfying the security management requirements. In some embodiments, the operator 240 may request to create a network slice with high security for key management. Alternatively or additionally, in some embodiments, the operator 240 may request to create another network slice with high security for certificate management and patch management.
Receiving, from the operator 240, the request 242 for security management requirements in the network slice, in an operation 232, the central slice orchestrator 230 may evaluate resources for the security management requirements. In an embodiment, the central slice orchestrator 230 may evaluate at least transport resources and RAN resources required for the security management requirements. In this embodiment, the evaluated resources may comprise at least one of the transport resources and RAN resources.
The central slice orchestrator 230 may transmit, to the transport slice orchestrator 220, a request 234 for the transport resources for the security management requirements. For example, the transport resources may be the transport resources required for the security management requirements evaluated in the operation 232. Receiving the request 234, the transport slice orchestrator 220 may allocate the required transport resources and then transmit to the central slice orchestrator 230 a response 224 with the transport resources allocated for the security management requirements. And the central slice orchestrator 230 may receive, from the transport slice orchestrator 220, the response 224 with the transport resources allocated for the security management requirements.
Before, in parallel with, or after the transmission of the request 234 and the reception of the response 224, the central slice orchestrator 230 may transmit, to the RAN slice orchestrator 210, a request 236 for the RAN resources for the security management requirements. For example, the RAN resources may be the RAN resources required for the security management requirements evaluated in the operation 232. Receiving the request 236, the RAN slice orchestrator 210 may allocate the required RAN resources and then transmit to the central slice orchestrator 230 a response 216 with the RAN resources allocated for the security management requirements. And the central slice orchestrator 230 may receive, from the RAN slice orchestrator 210, the response 216 with the RAN resources allocated for the security management requirements.
Then, the central slice orchestrator 230 may transmit, to the operator 240, a report 238 for the resources allocated for the security management requirements. Receiving, from the central slice orchestrator 230, the report 238 for the resources allocated for the security management requirements, the operator 240 may make use of the network slice with high security for various use-cases as required. The network slice with high security may have a configuration for security management use-cases of security services for industrial IoT, home safety, public safety, etc., for example, refreshing the key for application function (KAF) for authentication and key management for applications (AKMA), key management including short/long-term key distributions for IoT devices and/or UEs, certificate management on IoT devices and/or UEs, security patch management on IoT devices and/or UEs, security software management on IoT devices and/or UEs, security log collection from IoT devices and/or UEs, etc.
In an embodiment, the security management requirements may be associated with quality of service (QoS) and/or service level agreements (SLA) of the network slice. For example, the security management requirements may be associated with different levels of QoS. The QoS of the network slice may, for example, ensure high throughput for use-cases such as security log collection, patch download, secure software download and integrity protection, etc.
Alternatively or additionally, the security management requirements may be associated with different SLA requirements for E2E security management and/or operation for the network slice. The SLA requirements may be for example at least one of the following: enhanced slice isolation requirement, support network authorization by UE, authenticity of application function (AF), E2E replay protection requirement, E2E confidentiality protection requirement, E2E integrity protection requirement, security policy on N6, which may be an interface between a user plane function (UPF) of a core network (CN) and data network (DN), etc.
In an embodiment, the request 242 for the security management requirements may comprise at least one of the following: a dedicated slice service type (SST) value for the network slice, at least one service differentiator (SD) specific to the network slice, and at least one network slice type (NEST) attribute specific to the network slice.
For example, in a case where a dedicated SST value is introduced for a network slice dedicated for security management, if the dedicated SST value is included in the request 234, the network slice with high security may be created as a network slice dedicated for security management. For example, an SST value “6” may be introduced for a slice/service type of security with the characteristic of a slice suitable for the handling of security services. With the dedicated SST value in the request 234, the network slice dedicated for security management may be created for security service(s).
Alternatively or additionally, in an embodiment, at least one SD specific to the network slice may be included in the request 234. For example, for the same SST value, there may be different SDs corresponding to different security services such as security patch updates, software download and integrity protection, security log transfers, security analytics services, key distributions, etc. In this embodiment, as an option, the network slice dedicated for security management may share the SST value with other slice/service types. In a case where the SST value is not dedicated for the security service type, the SST value may have at least one proprietary SD defined for at least one security service. With the at least one SD specific to the network slice in the request 234, the network slice dedicated for security management may be created for the corresponding security service(s).
Alternatively or additionally, in an embodiment, at least one NEST attribute specific to the network slice may be included in the request 234. For example, different values of NEST attributes may be predefined and configured on the network slices with high security sharing the same security SST but having different SDs. In an embodiment, the at least one NEST attribute may correspond to at least one service of security management and/or operation, respectively. The NEST attributes corresponding to the services of security management and/or operation may be, for example, use-case specific attributes, e.g. key management related attributes, certificate management related attributes, and/or security log management related attributes. The certificate management related attributes may include, for example, a least acceptable certificate expiry time, which means that all certificate renewals must happen before this time. For example, if the least acceptable certificate expiry time is set to 7 days, the certificate management must ensure that all certificates expiring within 7 days are renewed immediately. The security log management related attributes may be, for example, periodicity of security event log transfers from UEs/IoT devices to the network, security monitoring and log analysis function configurations at the network, etc. The NEST attributes may also be, for example, attributes for the SLA defined in service profiles: the isolation level could be physical isolation, availability should be ensured to 99.9999%, session and service continuity support, etc. With the at least one NEST attribute specific to the network slice included in the request 234, the network slice dedicated for security management or the network slice with a feature dedicated for security management may be created for the corresponding service(s) of security management and/or operation. In a case where the network slice with high security is used for E2E security management, E2E encryption may be required.
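The three request variants described above (dedicated SST, service-specific SD, NEST attribute) and the 7-day certificate expiry rule, as an added example that is not code from the application. SST 6 is the value the text gives; the SD numbers, NEST attribute names, device names and dates are constructed for illustration, and the hex S-NSSAI form (one SST octet, optional three SD octets) is assumed as the input format.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

SECURITY_SST = 6  # SST value the text uses as its example for a security slice/service type

# Constructed SD values (hypothetical): the text lists the services but assigns no SD numbers.
SECURITY_SDS: Dict[int, str] = {
    0x5EC001: "security patch updates",
    0x5EC002: "security log transfers",
    0x5EC003: "key distributions",
}

# Hypothetical NEST attribute names for the use-case specific attributes in the text.
CERT_EXPIRY_ATTR = "leastAcceptableCertExpiryDays"
LOG_PERIOD_ATTR = "securityLogTransferPeriodSeconds"
SECURITY_NEST_ATTRS = {CERT_EXPIRY_ATTR, LOG_PERIOD_ATTR}

_S_NSSAI_RE = re.compile(r"([0-9a-fA-F]{2})([0-9a-fA-F]{6})?")


@dataclass(frozen=True)
class SNssai:
    sst: int                  # 8-bit slice/service type
    sd: Optional[int] = None  # optional 24-bit differentiator


@dataclass
class SliceRequest:
    s_nssai: SNssai
    nest: Dict[str, int] = field(default_factory=dict)


def parse_s_nssai(text: str) -> SNssai:
    """Parse 'SS' or 'SSDDDDDD' hex: one SST octet, optionally three SD octets."""
    m = _S_NSSAI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"malformed S-NSSAI: {text!r}")
    sd = int(m.group(2), 16) if m.group(2) else None
    return SNssai(int(m.group(1), 16), sd)


def classify(req: SliceRequest) -> str:
    """Decide which of the three request variants in the text applies."""
    if req.s_nssai.sst == SECURITY_SST:
        return "dedicated security slice (SST)"
    if req.s_nssai.sd in SECURITY_SDS:
        return f"security slice on shared SST (SD: {SECURITY_SDS[req.s_nssai.sd]})"
    if any(name in SECURITY_NEST_ATTRS for name in req.nest):
        return "slice with security management feature (NEST attribute)"
    return "no security management requested"


def certs_to_renew(inventory: Dict[str, datetime], req: SliceRequest,
                   now: datetime) -> List[str]:
    """Certificates expiring within the NEST threshold (or already expired), soonest first."""
    days = req.nest.get(CERT_EXPIRY_ATTR)
    if days is None:
        return []  # the slice carries no certificate management attribute
    deadline = now + timedelta(days=days)
    due = [(not_after, name) for name, not_after in inventory.items()
           if not_after <= deadline]
    return [name for _, name in sorted(due)]


# Constructed sample data: a fixed clock and a small certificate inventory.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
INVENTORY = {
    "iot-gw-01": NOW + timedelta(days=3),
    "ue-cam-17": NOW + timedelta(days=7),    # exactly on the threshold
    "ue-meter-4": NOW + timedelta(days=30),
    "iot-plc-09": NOW - timedelta(days=1),   # already expired
}

if __name__ == "__main__":
    for raw in ("06", "015EC003", "03"):
        print(raw, "->", classify(SliceRequest(parse_s_nssai(raw))))
    req = SliceRequest(parse_s_nssai("03"), {CERT_EXPIRY_ATTR: 7})
    print(classify(req), "| renew now:", certs_to_renew(INVENTORY, req, NOW))
```

A certificate that expires exactly at the threshold is treated as due, so the renewal set errs on the side of renewing early.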
FIG. 3 shows an exemplary scenario some example embodiments of the present disclosure may achieve. In the scenario of the FIG. 3, an E2E network slicing comprises a UE slice, a RAN slice, a transport slice, and a CN slice. A slice 1 dedicated for enhanced mobile broadband (eMBB), a slice 2 dedicated for ultra-reliable low latency communications (URLLC) and a slice 3 dedicated for security management are used by a UE 1, and a slice 3 dedicated for security management and a slice 4 dedicated for mobile internet of things (MIoT) are used by a UE 2. The RAN slice provides RAN eMBB for slice 1, RAN URLLC for slice 2, RAN security for slice 3, and RAN MIoT for slice 4. The CN slice provides CN eMBB for slice 1, CN URLLC for slice 2, CN security for slice 3, and CN MIoT for slice 4. The transport slice provides N2 and/or N3 interface between the RAN slice and the corresponding CN slice. The slice 3 dedicated for security management used by the UE 1 and the UE 2 is highly secure, and a mobile network operator (MNO) may make use of the slice 3 for security operations.
FIG. 4 shows an exemplary scenario some example embodiments of the present disclosure may achieve. Compared with the FIG. 3, in the scenario of the FIG. 4, no network slice dedicated for security management is created, but a network slice with a feature dedicated for security management is created. In the FIG. 4, a slice 1, a slice 2, and a slice 3 are used by a UE. The slice 3 is created for a slice tenant, and two packet data unit (PDU) sessions are established in the slice 3. The PDU session 1 is for MIoT, and the PDU session 2 is dedicated for security management and is highly secure. The tenant of the slice 3 may make use of the PDU session 2 in the slice 3 for security operations.
FIG. 5 shows an exemplary sequence diagram for secure PDU session establishment for a slice with high security according to the example embodiments of the present disclosure. Referring to the FIG. 5, a UE 510, a RAN 520, a session management function (SMF) 530, a UPF 540, AF 550, an access and mobility management function (AMF) 560, and a unified data management (UDM) 570 are shown as entities for establishing a secure PDU session for the slice with high security. The slice with high security may be for example the network slice dedicated for security management e.g., the slice 3 shown in the FIG. 3 or the network slice with a feature dedicated for security management e.g. the slice 3 shown in the FIG. 4. The AF 550 may be controlled by an operator.
In an operation 512, the UE 510 may register in a slice with high security through a UE registration process. Then, the UE 510 may transmit a PDU session establishment request 514 to the SMF 530 via the AMF 560. Receiving the request 514, the SMF 530 may get, from the UDM 570, security policy satisfying security management requirements in the slice with high security. Here, the UDM 570 is shown as an example of a policy device, and it may be appreciated that a network slice selection function (NSSF) and/or a policy control function (PCF) may also be used as a policy device for storing and providing the security policy.
Getting the security policy, in an operation 534, the SMF 530 may configure a routing in the UPF 540 according to the security policy, and in an operation 522, the SMF 530 may create a PDU session via the AMF 560 with the RAN 520 according to the security policy such that the created PDU session may satisfy the security management requirements in the slice.
Then, the SMF 530 may transmit a PDU session establishment response 536 with the security policy via the AMF 560 to the UE 510. Compared with other slices or other PDU sessions, the created PDU session in the slice may provide highly secure E2E protection with enhanced security in e.g., encryption and/or integrity. For example, compared to other slices or other PDU sessions, the algorithm used for integrity and ciphering in the created PDU session may have a higher E2E security level.
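The policy-driven step of FIG. 5, as an added example that is not code from the application: a hypothetical SMF-side check that fetches the slice's security policy from a policy store and refuses the session when a required protection cannot be activated, rather than silently downgrading. The Required / Preferred / Not Needed levels follow the 3GPP user-plane security policy values; the policy table, the RAN capability flags and all function names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Protection(Enum):
    REQUIRED = "Required"
    PREFERRED = "Preferred"
    NOT_NEEDED = "Not Needed"


@dataclass(frozen=True)
class SecurityPolicy:
    integrity: Protection
    confidentiality: Protection


@dataclass(frozen=True)
class RanCapability:
    can_integrity: bool   # RAN can activate integrity protection for this session
    can_ciphering: bool   # RAN can activate ciphering for this session


# Constructed policy table standing in for the policy device (the UDM in FIG. 5),
# keyed by (SST, SD). SST 6 is the text's example value for a security slice.
POLICY_STORE: Dict[Tuple[int, Optional[int]], SecurityPolicy] = {
    (6, None): SecurityPolicy(Protection.REQUIRED, Protection.REQUIRED),
    (1, None): SecurityPolicy(Protection.PREFERRED, Protection.PREFERRED),
}
DEFAULT_POLICY = SecurityPolicy(Protection.NOT_NEEDED, Protection.PREFERRED)


def get_policy(sst: int, sd: Optional[int] = None) -> SecurityPolicy:
    """Look up the security policy for a slice, falling back to a default."""
    return POLICY_STORE.get((sst, sd), DEFAULT_POLICY)


def _decide(level: Protection, available: bool) -> Optional[bool]:
    """True/False: activate or not. None: the policy cannot be satisfied."""
    if level is Protection.REQUIRED:
        return True if available else None
    if level is Protection.PREFERRED:
        return available
    return False  # NOT_NEEDED: do not activate


def establish_pdu_session(sst: int, sd: Optional[int], ran: RanCapability) -> dict:
    """Apply the slice's policy; the response always carries the policy back to the UE."""
    policy = get_policy(sst, sd)
    integrity = _decide(policy.integrity, ran.can_integrity)
    ciphering = _decide(policy.confidentiality, ran.can_ciphering)
    if integrity is None or ciphering is None:
        missing = [name for name, value in
                   (("integrity", integrity), ("confidentiality", ciphering))
                   if value is None]
        return {"result": "rejected", "policy": policy,
                "cause": "required protection unavailable: " + ", ".join(missing)}
    return {"result": "accepted", "policy": policy,
            "integrity": integrity, "ciphering": ciphering}


if __name__ == "__main__":
    print(establish_pdu_session(6, None, RanCapability(True, True)))
    print(establish_pdu_session(6, None, RanCapability(False, True)))
    print(establish_pdu_session(1, None, RanCapability(False, True)))
```

The same RAN limitation that is tolerated on the Preferred slice causes a rejection on the security slice, which is the behaviour that keeps the high-security session from being established with weaker protection than its policy states.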
FIG. 6 shows an exemplary sequence diagram for an example use-case scenario of secured key provisioning according to the example embodiments of the present disclosure.
In an operation 612, a PDU session is established in a slice with high security. For example, the PDU session may be created according to the exemplary sequence shown in e.g., the FIG. 5 to provide highly secure E2E protection with enhanced security in e.g., encryption and/or integrity compared with other slices or other PDU sessions.
In an operation 652, the AF 550 may, for example, update home network public keys. Then, the AF 550 may transmit the updated set of home network public keys and identifiers in a downlink (DL) packet 654 to the UE 510 via the UPF 540 and the RAN 520. In an operation 614, the UE 510 may store the updated set of home network public keys and identifiers in e.g., a universal subscriber identity module (USIM).
In an operation 656, the AF 550 may perform other security updates in the USIM with protection scheme identifiers list. After the successful security updates, in an operation 616, the PDU session may be released.
FIG. 7 shows a flow chart illustrating an example method 700 for network slice with high security according to the example embodiments of the present disclosure. The example method 700 may be performed for example at a network slice management producer such as the central slice orchestrator 230.
Referring to the FIG. 7, the example method 700 may include an operation 710 of receiving, from a network slice management consumer, a request for security management requirements in a network slice; an operation 720 of evaluating resources for the security management requirements; and an operation 730 of transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
Details of the operation 710 have been described in the above descriptions with respect to at least the request 242, and repetitive descriptions thereof are omitted here.
Details of the operation 720 have been described in the above descriptions with respect to at least the operation 232, and repetitive descriptions thereof are omitted here.
Details of the operation 730 have been described in the above descriptions with respect to at least the report 238, and repetitive descriptions thereof are omitted here.
In an embodiment, the evaluated resources may comprise at least one of transport resources and RAN resources. More details have been described in the above descriptions with respect to at least the operation 232, the request 234, and the request 236, and repetitive descriptions thereof are omitted here.
In an embodiment, the example method 700 may further include an operation of transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and an operation of receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements. More details have been described in the above descriptions with respect to at least the request 234 and the response 224, and repetitive descriptions thereof are omitted here.
In an embodiment, the example method 700 may further include an operation of transmitting, to a RAN slice orchestrator, a request for the RAN resources for the security management requirements; and an operation of receiving, from the RAN slice orchestrator, a response with the RAN resources allocated for the security management requirements. More details have been described in the above descriptions with respect to at least the request 236 and the response 216, and repetitive descriptions thereof are omitted here.
In an embodiment, the security management requirements may be associated with QoS and/or SLA of the network slice.
In an embodiment, the request for the security management requirements may comprise at least one of the following: a dedicated SST value for the network slice, at least one SD specific to the network slice, and at least one NEST attribute specific to the network slice. More details have been described in the above descriptions with respect to at least the request 242, and repetitive descriptions thereof are omitted here.
In an embodiment, the at least one NEST attribute may correspond to at least one service of security management and/or operation, respectively.
FIG. 8 shows a flow chart illustrating an example method 800 for network slice with high security according to the example embodiments of the present disclosure. The example method 800 may be performed for example at a network slice management consumer such as the operator 240.
Referring to the FIG. 8, the example method 800 may include an operation 810 of transmitting, to a network slice management producer, a request for security management requirements in a network slice; and an operation 820 of receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
Details of the operation 810 have been described in the above descriptions with respect to at least the request 242, and repetitive descriptions thereof are omitted here.
Details of the operation 820 have been described in the above descriptions with respect to at least the report 238, and repetitive descriptions thereof are omitted here.
In an embodiment, the security management requirements may be associated with QoS and/or SLA of the network slice.
In an embodiment, the request for the security management requirements may comprise at least one of the following: a dedicated SST value for the network slice, at least one SD specific to the network slice, and at least one NEST attribute specific to the network slice. More details have been described in the above descriptions with respect to at least the request 242, and repetitive descriptions thereof are omitted here.
In an embodiment, the at least one NEST attribute may correspond to at least one service of security management and/or operation, respectively.
FIG. 9 shows a block diagram illustrating an example device 900 for network slice with high security according to the example embodiments of the present disclosure. The device, for example, may be at least part of a network slice management producer such as the central slice orchestrator 230 in the above examples.
As shown in the FIG. 9, the example device 900 may include at least one processor 910 and at least one memory 920 that may include computer program code 930. The at least one memory 920 and the computer program code 930 may be configured to, with the at least one processor 910, cause the device 900 at least to perform the example method 700 described above.
In various example embodiments, the at least one processor 910 in the example device 900 may include, but is not limited to, at least one hardware processor, including at least one microprocessor such as a central processing unit (CPU), a portion of at least one hardware processor, and any other suitable dedicated processor such as those developed based on for example Field Programmable Gate Array (FPGA) and Application Specific Integrated Circuit (ASIC). Further, the at least one processor 910 may also include at least one other circuitry or element not shown in the FIG. 9.
In various example embodiments, the at least one memory 920 in the example device 900 may include at least one storage medium in various forms, such as a volatile memory and/or a non-volatile memory. The volatile memory may include, but is not limited to, for example, a random-access memory (RAM), a cache, and so on. The non-volatile memory may include, but is not limited to, for example, a read only memory (ROM), a hard disk, a flash memory, and so on. Further, the at least one memory 920 may include, but is not limited to, an electric, a magnetic, an optical, an electromagnetic, an infrared, or a semiconductor system, apparatus, or device or any combination of the above.
Further, in various example embodiments, the example device 900 may also include at least one other circuitry, element, and interface, for example at least one I/O interface, at least one antenna element, and the like.
In various example embodiments, the circuitries, parts, elements, and interfaces in the example device 900, including the at least one processor 910 and the at least one memory 920, may be coupled together via any suitable connections including, but not limited to, buses, crossbars, wiring and/or wireless lines, in any suitable ways, for example electrically, magnetically, optically, electromagnetically, and the like.
It is appreciated that the structure of the device on the side of the network slice management producer is not limited to the above example device 900.
FIG. 10 shows a block diagram illustrating an example device 1000 for network slice with high security according to the example embodiments of the present disclosure. The device, for example, may be at least part of a network slice management consumer such as the operator 240 in the above examples.
As shown in the FIG. 10, the example device 1000 may include at least one processor 1010 and at least one memory 1020 that may include computer program code 1030. The at least one memory 1020 and the computer program code 1030 may be configured to, with the at least one processor 1010, cause the device 1000 at least to perform the example method 800 described above.
In various example embodiments, the at least one processor 1010 in the example device 1000 may include, but is not limited to, at least one hardware processor, including at least one microprocessor such as a central processing unit (CPU), a portion of at least one hardware processor, and any other suitable dedicated processor such as those developed based on for example Field Programmable Gate Array (FPGA) and Application Specific Integrated Circuit (ASIC). Further, the at least one processor 1010 may also include at least one other circuitry or element not shown in the FIG. 10.
In various example embodiments, the at least one memory 1020 in the example device 1000 may include at least one storage medium in various forms, such as a volatile memory and/or a non-volatile memory. The volatile memory may include, but is not limited to, for example, a random-access memory (RAM), a cache, and so on. The non-volatile memory may include, but is not limited to, for example, a read only memory (ROM), a hard disk, a flash memory, and so on. Further, the at least one memory 1020 may include, but is not limited to, an electric, a magnetic, an optical, an electromagnetic, an infrared, or a semiconductor system, apparatus, or device or any combination of the above.
Further, in various example embodiments, the example device 1000 may also include at least one other circuitry, element, and interface, for example at least one I/O interface, at least one antenna element, and the like.
In various example embodiments, the circuitries, parts, elements, and interfaces in the example device 1000, including the at least one processor 1010 and the at least one memory 1020, may be coupled together via any suitable connections including, but not limited to, buses, crossbars, wiring and/or wireless lines, in any suitable ways, for example electrically, magnetically, optically, electromagnetically, and the like.
It is appreciated that the structure of the device on the side of the network slice management consumer is not limited to the above example device 1000.
FIG. 11 shows a block diagram illustrating an example apparatus 1100 for network slice with high security according to the example embodiments of the present disclosure. The apparatus, for example, may be at least part of a network slice management producer such as the central slice orchestrator 230 in the above examples.
As shown in FIG. 11, the example apparatus 1100 may include means 1110 for performing the operation 710 of the example method 700, means 1120 for performing the operation 720 of the example method 700, and means 1130 for performing the operation 730 of the example method 700. In one or more other example embodiments, at least one I/O interface, at least one antenna element, and the like may also be included in the example apparatus 1100.
In some example embodiments, examples of means in the example apparatus 1100 may include circuitries. For example, an example of means 1110 may include a circuitry configured to perform the operation 710 of the example method 700, an example of means 1120 may include a circuitry configured to perform the operation 720 of the example method 700, and an example of means 1130 may include a circuitry configured to perform the operation 730 of the example method 700. In some example embodiments, examples of means may also include software modules and any other suitable function entities.
FIG. 12 shows a block diagram illustrating an example apparatus 1200 for network slice with high security according to the example embodiments of the present disclosure. The apparatus, for example, may be at least part of a network slice management consumer such as the operator 240 in the above examples.
As shown in FIG. 12, the example apparatus 1200 may include means 1210 for performing the operation 810 of the example method 800, and means 1220 for performing the operation 820 of the example method 800. In one or more other example embodiments, at least one I/O interface, at least one antenna element, and the like may also be included in the example apparatus 1200.
In some example embodiments, examples of means in the example apparatus 1200 may include circuitries. For example, an example of means 1210 may include a circuitry configured to perform the operation 810 of the example method 800, and an example of means 1220 may include a circuitry configured to perform the operation 820 of the example method 800. In some example embodiments, examples of means may also include software modules and any other suitable function entities.
The term “circuitry” throughout this disclosure may refer to one or more or all of the following: (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) ; (b) combinations of hardware circuits and software, such as (as applicable) (i) a combination of analog and/or digital hardware circuit (s) with software/firmware and (ii) any portions of hardware processor (s) with software (including digital signal processor (s) ) , software, and memory (ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions) ; and (c) hardware circuit (s) and or processor (s) , such as a microprocessor (s) or a portion of a microprocessor (s) , that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation. This definition of circuitry applies to one or all uses of this term in this disclosure, including in any claims. As a further example, as used in this disclosure, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.
Another example embodiment may relate to computer program codes or instructions which may cause an apparatus to perform at least respective methods described above. Another example embodiment may be related to a computer readable medium having such computer program codes or instructions stored thereon. In some embodiments, such a computer readable medium may include at least one storage medium in various forms such as a volatile memory and/or a non-volatile memory. The volatile memory may include, but not limited to, for  example, a RAM, a cache, and so on. The non-volatile memory may include, but not limited to, a ROM, a hard disk, a flash memory, and so on. The non-volatile memory may also include, but are not limited to, an electric, a magnetic, an optical, an electromagnetic, an infrared, or a semiconductor system, apparatus, or device or any combination of the above.
Unless the context clearly requires otherwise, throughout the description and the claims, the words “comprise, ” “comprising, ” and the like are to be construed in an inclusive sense, as opposed to an exclusive or exhaustive sense; that is to say, in the sense of “including, but not limited to. ” The word “coupled” , as generally used herein, refers to two or more elements that may be either directly connected, or connected by way of one or more intermediate elements. Likewise, the word “connected” , as generally used herein, refers to two or more elements that may be either directly connected, or connected by way of one or more intermediate elements. Additionally, the words “herein, ” “above, ” “below, ” and words of similar import, when used in this application, shall refer to this application as a whole and not to any particular portions of this application. Where the context permits, words in the description using the singular or plural number may also include the plural or singular number respectively. The word “or” in reference to a list of two or more items, that word covers all of the following interpretations of the word: any of the items in the list, all of the items in the list, and any combination of the items in the list.
Moreover, conditional language used herein, such as, among others, “can,” “could,” “might,” “may,” “e.g.,” “for example,” “such as” and the like, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or states. Thus, such conditional language is not generally intended to imply that features, elements and/or states are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without author input or prompting, whether these features, elements and/or states are included or are to be performed in any particular embodiment.
As used herein, the term "determine/determining" (and grammatical variants thereof) can include, not least: calculating, computing, processing, deriving, measuring, investigating, looking up (for example, looking up in a table, a database or another data structure), ascertaining and the like. Also, "determining" can include receiving (for example, receiving information), accessing (for example, accessing data in a memory), obtaining and the like. Also, "determine/determining" can include resolving, selecting, choosing, establishing, and the like.
While some embodiments have been described, these embodiments have been presented by way of example, and are not intended to limit the scope of the disclosure. Indeed, the apparatus, methods, and systems described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions, and changes in the form of the methods and systems described herein may be made without departing from the spirit of the disclosure. For example, while blocks are presented in a given arrangement, alternative embodiments may perform similar functionalities with different components and/or circuit topologies, and some blocks may be deleted, moved, added, subdivided, combined, and/or modified. At least one of these blocks may be implemented in a variety of different ways. The order of these blocks may also be changed. Any suitable combination of the elements and actions of some embodiments described above can be combined to provide further embodiments. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of the disclosure.
Abbreviations used in the description and/or in the figures are defined as follows:
AF          application function
AKMA        authentication and key management for applications
AMF         access and mobility management function
CN          core network
DL          downlink
DN          data network
eMBB        enhanced mobile broadband
E2E         end-to-end
IoT         internet of things
KAF         key for application function
MIoT        mobile internet of things
MITM        Man-in-the-Middle
MNO         mobile network operator
NE          network entity
NEST        network slice type
NSSF        network slice selection function
PCF         policy control function
PDU         packet data unit
QoS         quality of service
RAN         radio access network
SD          service differentiator
SECaaS      Security-as-a-service
SLA         service level agreements
SMF         session management function
SST         slice service type
UDM         unified data management
UE          user equipment
UPF         user plane function
URLLC       ultra-reliable low latency communications
USIM        universal subscriber identity module
5G          the fifth generation

Claims (26)

  1. A network slice management producer, comprising:
    at least one processor; and
    at least one memory comprising computer program code, the at least one memory and the computer program code being configured to, with the at least one processor, cause the network slice management producer to perform:
    receiving, from a network slice management consumer, a request for security management requirements in a network slice;
    evaluating resources for the security management requirements; and
    transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
  2. The network slice management producer of claim 1, wherein the evaluated resources comprises at least one of transport resources and radio access network resources.
  3. The network slice management producer of claim 2, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the network slice management producer to further perform:
    transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and
    receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
  4. The network slice management producer of claim 2 or 3, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the network slice management producer to further perform:
    transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and
    receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
  5. The network slice management producer of any of claims 1 to 4, wherein the security management requirements are associated with quality of service and/or service level agreements of the network slice.
  6. The network slice management producer of any of claims 1 to 5, wherein the request for security management requirements comprises at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  7. The network slice management producer of claim 6, wherein the at least one network slice type attribute corresponds to at least one service of security management and/or operation, respectively.
  8. A network slice management consumer, comprising:
    at least one processor; and
    at least one memory comprising computer program code, the at least one memory and the computer program code being configured to, with the at least one processor, cause the network slice management consumer to perform:
    transmitting, to a network slice management producer, a request for security management requirements in a network slice; and
    receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
  9. The network slice management consumer of claim 8, wherein the security management requirements are associated with quality of service and/or service level agreements of the network slice.
  10. The network slice management consumer of claim 8 or 9, wherein the request for security management requirements comprises at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  11. The network slice management consumer of claim 10, wherein the at least one network slice type attribute corresponds to at least one service of security management and/or operation, respectively.
  12. A method performed by a network slice management producer, comprising:
    receiving, from a network slice management consumer, a request for security management requirements in a network slice;
    evaluating resources for the security management requirements; and
    transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
  13. The method of claim 12, wherein the evaluated resources comprises at least one of transport resources and radio access network resources.
  14. The method of claim 13, further comprising:
    transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and
    receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
  15. The method of claim 13 or 14, further comprising:
    transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and
    receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
  16. The method of any of claims 12 to 15, wherein the security management requirements are associated with quality of service and/or service level agreements of the network slice.
  17. The method of any of claims 12 to 16, wherein the request for security management requirements comprises at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  18. The method of claim 17, wherein the at least one network slice type attribute corresponds to at least one service of security management and/or operation, respectively.
  19. A method performed by a network slice management consumer, comprising:
    transmitting, to a network slice management producer, a request for security management requirements in a network slice; and
    receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
  20. The method of claim 19, wherein the security management requirements are associated with quality of service and/or service level agreements of the network slice.
  21. The method of claim 19 or 20, wherein the request for security management requirements comprises at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
  22. The method of claim 21, wherein the at least one network slice type attribute corresponds to at least one service of security management and/or operation, respectively.
  23. An apparatus as a network slice management producer, comprising:
    means for receiving, from a network slice management consumer, a request for security management requirements in a network slice;
    means for evaluating resources for the security management requirements; and
    means for transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
  24. An apparatus as a network slice management consumer, comprising:
    means for transmitting, to a network slice management producer, a request for security management requirements in a network slice; and
    means for receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
  25. A computer readable medium comprising program instructions for causing a network slice management producer to perform:
    receiving, from a network slice management consumer, a request for security management requirements in a network slice;
    evaluating resources for the security management requirements; and
    transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
  26. A computer readable medium comprising program instructions for causing a network slice management consumer to perform:
    transmitting, to a network slice management producer, a request for security management requirements in a network slice; and
    receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
PCT/CN2022/099112 2022-06-16 2022-06-16 Devices, methods, apparatuses, and computer readable media for network slice with high security WO2023240524A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/099112 WO2023240524A1 (en) 2022-06-16 2022-06-16 Devices, methods, apparatuses, and computer readable media for network slice with high security

Publications (1)

Publication Number Publication Date
WO2023240524A1 true WO2023240524A1 (en) 2023-12-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22946218

Country of ref document: EP

Kind code of ref document: A1