Secure remote access to a 5G private network through a private network slice

Patent number: US10785652B1
Publication date: 2020-09-22
Applicant: Cisco Technology, Inc. (US CA San Jose)
Inventors: Rammohan Ravindranath; Rajesh Indira Viswambharan; Prashanth Patil
IPC classification: H04L29/06; H04W12/08; H04L12/911; H04W12/06; H04W28/02

Abstract

In one illustrative example, a network node may receive, from a user equipment (UE), a message indicating a token authorization request for access to a custom, enterprise private network slice of a 5G network. The message may include a token provided to the UE by an enterprise server of an enterprise private network of the enterprise. The network node may perform a token validation procedure and, based on a successful token validation, send a message for causing a provisioning of one or more rules in a forwarding entity of the 5G network, for causing enterprise user plane (UP) traffic of the UE to be forwarded to an anchor UPF of the private network slice. The enterprise UP traffic communication may be used for the remote control and/or monitoring of elements in a private 5G network of the enterprise.

Description

TECHNICAL FIELD

The present disclosure relates generally to communications in mobile networks, and more particularly to techniques and mechanisms for providing a secure remote access to a private 5G network of an enterprise through a custom enterprise private network slice of a 5G network, which may be facilitated by a Multi-access Edge Computing (MEC) or other suitable service.

BACKGROUND

An emerging use case for Fifth Generation (5G) networks is “private 5G.” In private 5G, an enterprise private 5G network may be deployed inside the premises of an enterprise. One of the motivations behind private 5G is the support of industrial Internet of Things (IoT), where the enterprise has the ability to operate its own network (e.g. in a factory, processing plant, airport, mining facility, etc.).

Some of these deployments may require human communications as well. For example, an enterprise may wish to replace Terrestrial Trunked Radio (TETRA) radio walkie-talkie units with more sophisticated cellular smartphone devices, or links to Unified Communications as a Service (UCaaS) systems. Further, in-house 5G provisioning may allow an enterprise to provide its own security implementations, in lieu of trusting the security provided by a Mobile Network Operator (MNO). This would allow sensitive, proprietary data to stay local, and therefore, more safe.

In such environments, members of an enterprise may have a need to regularly or continuously monitor aspects and conditions of systems in the enterprise private 5G network. For example, conditions or alarms in a factory or manufacturing plant may need to be monitored remotely.

Claims

What is claimed is:

1. A method comprising:
at one or more network nodes of a mobile network,
receiving, from a user equipment (UE) in the mobile network, a message indicating a token authorization request for access to a private network slice of an enterprise for communications, the message including a token provided to the UE by an enterprise server of an enterprise private network of the enterprise, the token having a claim which is set to a network slice identifier of the private network slice or an indication representing the network slice identifier;
performing a token validation procedure in response to the token authorization request, the token validation procedure being performed based on the token having the claim and stored credentials that are mapped to the network slice identifier that is set or indicated in the claim; and
based on a successful token validation of the token having the claim, sending a message for causing a provisioning of one or more rules in a forwarding entity, for causing user plane (UP) traffic of the UE to be forwarded to an anchor user plane function (UPF) of the private network slice.

2. The method of claim 1, wherein the token is provided to the UE by the enterprise server of the enterprise private network based on validated credentials of the UE, the enterprise server comprising an authentication server.

3. The method of claim 1, wherein the message indicating the token authorization request is forwarded via a multi-access edge computing (MEC) node having a service for accessing use of the private network slice.

4. The method of claim 1, wherein the one or more network nodes serve as a token endpoint in an authorization or delegation protocol, operative in connection with the enterprise server of the enterprise private network which serves as an authorization endpoint in the authorization or delegation protocol, and wherein the stored credentials are for use in the authorization or delegation protocol.

5. The method of claim 1, wherein the forwarding entity comprises one of a router, a gateway, a classifier, a branching point, a Branching Point UPF, or an Uplink (UL) Classifier (UL-CL).

6. The method of claim 4, wherein performing the token validation procedure further comprises:
sending, to the enterprise server of the enterprise private network, a message indicating a request for validating the token; and
receiving, from the enterprise server of the enterprise private network, a message indicating a response for validation of the token.

7. The method of claim 1, wherein the claim which is set to the network slice identifier of the private network slice or the indication representing the network slice identifier further comprises a claim which is set to a network slice instance (NSI) identifier (ID) of the private network slice or an indication representing the NSI ID.

8. The method of claim 1, further comprising:
based on the successful token validation of the token having the claim, sending to the UE a message which includes a session identifier or service path identifier, for inclusion in a header of data packets associated with the UP traffic for causing the UP traffic of the UE to be forwarded to the anchor UPF.

9. The method of claim 1, wherein sending the message for causing the provisioning of one or more rules in the forwarding entity further comprises:
causing the provisioning of the one or more rules in the forwarding entity with one or more values of a 5-tuple for the UP traffic of the UE.

10. The method of claim 1, further comprising:
based on the successful token validation of the token having the claim, providing the UE with access to and use of the private network slice in the mobile network, for a secure remote access to a private 5G network of the enterprise via the anchor UPF of the private network slice.

11. The method of claim 1, wherein:
the message indicating the token authorization request is forwarded via a multi-access edge computing (MEC) node which provides a service for accessing use of the private network slice, the service being locatable through a Service (SRV) record communicated to the UE by the enterprise server.

12. The method of claim 1, further comprising:
after the private network slice is created in the mobile network via a request from the enterprise private network:
receiving, from the enterprise private network, the network slice identifier of the private network slice and the stored credentials which include a client identifier (ID) and a secret; and
mapping the stored credentials and the network slice identifier.

13. A network node for use in a mobile network, the network node comprising:
one or more processors;
one or more network interfaces;
the one or more processors being configured to:
receive, from a user equipment (UE) in the mobile network, a message indicating a token authorization request for access to a private network slice in the mobile network for communications, the message including a token provided to the UE by an enterprise server of an enterprise private network that requested creation of the private network slice of the mobile network, the token having a claim which is set to a network slice identifier of the private network slice or an indication representing the network slice identifier;
perform a token validation procedure in response to the token authorization request, the token validation procedure being performed based on the token having the claim and stored credentials that are mapped to the network slice identifier that is set or indicated in the claim; and
based on a successful token validation of the token having the claim, send a message for causing a provisioning of one or more rules in a forwarding entity, for causing user plane (UP) traffic of the UE to be forwarded to an anchor user plane function (UPF) of the private network slice.

14. The network node of claim 13, wherein the one or more processors are further configured to, based on the successful token validation of the token having the claim, send to the UE a message which includes a session identifier or service path identifier, for inclusion in a header of data packets associated with the UP traffic for causing the UP traffic of the UE to be forwarded to the anchor UPF of the private network slice.

15. The network node of claim 13, wherein the one or more processors are further configured to receive the message indicating the token authorization request that is forwarded via a multi-access edge computing (MEC) node which provides a service for accessing use of the private network slice, the service being locatable through a Service (SRV) record communicated to the UE by the enterprise server.

16. The network node of claim 13, which serves as a token endpoint in an authorization or delegation protocol, and is operative in connection with the enterprise server of the enterprise private network which serves as an authorization endpoint in the authorization or delegation protocol, and wherein the stored credentials are for use in the authorization or delegation protocol.

17. The network node of claim 16, wherein the one or more processors are further configured to:
after the private network slice is created in the mobile network via a request from the enterprise private network:
receive, from the enterprise private network, the network slice identifier of the private network slice and the stored credentials which include a client identifier (ID) and a secret; and
map the stored credentials and the network slice identifier.

18. The network node of claim 13, wherein the one or more processors are further configured to, based on the successful token validation of the token having the claim, provide the UE with access to and use of the private network slice in the mobile network, for a secure remote access to a private 5G network of the enterprise via the anchor UPF of the private network slice.

19. A computer program product, comprising:
a non-transitory computer readable medium;
computer instructions stored in the non-transitory computer readable medium;
the computer instructions being executable by one or more processors of a network node of a mobile network for:
receiving, from a user equipment (UE) in the mobile network, a message indicating a token authorization request for access to a private network slice of an enterprise for communications, the message including a token provided to the UE by an enterprise server of an enterprise private network of the enterprise, the token having a claim which is set to a network slice identifier of the private network slice or an indication representing the network slice identifier;
performing a token validation procedure in response to the token authorization request, the token validation procedure being performed based on the token having the claim and stored credentials that are mapped to the network slice identifier that is set or indicated in the claim; and
based on a successful token validation of the token having the claim, sending a message for causing a provisioning of one or more rules in a forwarding entity, for causing user plane (UP) traffic of the UE to be forwarded to an anchor user plane function (UPF) of the private network slice.

20. The computer program product of claim 19, wherein the computer instructions are further executable by the one or more processors of the network node for, based on the successful token validation of the token having the claim, providing the UE with access to and use of the private network slice in the mobile network, for a secure remote access to a private 5G network of the enterprise via the anchor UPF of the private network slice.
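
As an added illustration (not taken from the patent or from any Cisco implementation), the following Python example walks through the flow of claims 1, 9 and 12: credentials are stored per slice identifier, the token's slice claim selects which credentials validate it, and only a successful validation yields a forwarding rule keyed on the UE's 5-tuple. It assumes a locally verifiable HS256 token signed with the stored secret; the claim name `nsi_id`, the slice ID, the UPF name and all sample values are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data. Slice ID -> credentials the enterprise registered (claim 12).
SLICE_CREDENTIALS = {"nsi-enterprise-01": {"client_id": "ent-client",
                                           "secret": b"constructed-demo-secret"}}
ANCHOR_UPF = {"nsi-enterprise-01": "upf-anchor-ent-01"}  # hypothetical UPF name

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(slice_id, ue_id, secret, ttl=300, now=None):
    """Stand-in for the enterprise server: HS256 token carrying the slice claim."""
    now = int(time.time()) if now is None else now
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": ue_id, "nsi_id": slice_id, "exp": now + ttl}).encode())
    return f"{head}.{body}.{b64e(sign(secret, head + '.' + body))}"

def validate_and_provision(token, five_tuple, now=None):
    """Validate the token; return a forwarding rule or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(b64d(head_b64)), json.loads(b64d(body_b64))
        sig = b64d(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":            # pin the algorithm; do not trust the header
        raise ValueError("unexpected algorithm")
    slice_id = claims.get("nsi_id")
    creds = SLICE_CREDENTIALS.get(slice_id) if isinstance(slice_id, str) else None
    if creds is None:                           # no credentials mapped to the claimed slice
        raise ValueError("unknown slice")
    expected = sign(creds["secret"], head_b64 + "." + body_b64)
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired token")
    # Rule for the forwarding entity (e.g. UL-CL): steer this flow to the slice's anchor UPF.
    return {"match": five_tuple, "action": "forward", "next_hop": ANCHOR_UPF[slice_id]}
```

Because the slice claim is read before the signature is checked, the binding between slice identifier and secret is what prevents a token minted for one slice from being accepted for another.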