WO2023240524A1

WO2023240524A1 - Devices, methods, apparatuses, and computer readable media for network slice with high security

Info

Publication number: WO2023240524A1
Application number: PCT/CN2022/099112
Authority: WO
Inventors: Rakshesh PRAVINCHANDRA BHATT; Jing PING; Santhosh S B; Ranganathan MAVUREDDI DHANASEKARAN
Original assignee: Nokia Shanghai Bell Co Ltd; Nokia Solutions and Networks Oy; Nokia Technologies Oy
Current assignee: Nokia Shanghai Bell Co Ltd; Nokia Solutions and Networks Oy; Nokia Technologies Oy
Priority date: 2022-06-16
Filing date: 2022-06-16
Publication date: 2023-12-21
Anticipated expiration: 2024-12-16
Also published as: CN119452683A

Abstract

Disclosed are devices, methods, apparatuses, and computer readable media for network slice with high security. An example network slice management producer may include at least one processor and at least one memory. The at least one memory may include computer program code, and the at least one memory and the computer program code may be configured to,with the at least one processor, cause the network slice management producer to perform: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.

Description

DEVICES, METHODS, APPARATUSES, AND COMPUTER READABLE MEDIA FOR NETWORK SLICE WITH HIGH SECURITY

TECHNICAL FIELD

Various embodiments relate to devices, methods, apparatuses, and computer readable media for network slice with high security.

BACKGROUND

A network slice, which may also be briefly referred to as a slice, can be understood as a logical network on top of a shared infrastructure. An end-to-end (E2E) logical network for security management may be deployed and configured in order to provide Security-as-a-service (SECaaS) . This can allow communication of security management and operations related aspects between the centralized cloud, edge cloud, and radio access network (RAN) network entities (NEs) including user equipments (UEs) and internet of things (IoT) devices. With millions of NEs in the fifth generation (5G) wireless telecommunications systems, ensuring the security of each of the devices would be a huge challenge. Existing wireless networks have various limitations with respect to E2E automation of security operations and services. For example, no dedicated resource allocation mechanism exists to ensure reliable execution of various security services. Existing systems do not have dedicated and secure resources to ensure E2E fail-proof executions of operations. Due to lack of dedicated resources for security services, the E2E automation of security event log collection, security log analysis and risk mitigation steps cannot be reliably executed for a complex and massive system, e.g. the 5G wireless networks. Moreover, sharing or exchanging any security sensitive material like keys over the air may be vulnerable to Man-in-the-Middle (MITM) attacks, etc.

SUMMARY

A brief summary of exemplary embodiments is provided below to provide basic understanding of some aspects of various embodiments. It should be noted that this summary is not intended to identify key features of essential elements or define scopes of the embodiments, and its sole purpose is to introduce some concepts in a simplified form as a preamble for a more detailed description provided below.

In a first aspect, disclosed is a network slice management producer. The network slice management producer may include at least one processor and at least one memory. The at least one memory may include computer program code, and the at least one memory and the computer program code may be configured to, with the at least one processor, cause the network slice management producer to perform: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.

In some example embodiments, the evaluated resources may comprise at least one of transport resources and radio access network resources.

In some example embodiments, the at least one memory and the computer program code may be further configured to, with the at least one processor, cause the network slice management producer to further perform: transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.

In some example embodiments, the at least one memory and the computer program code may be further configured to, with the at least one processor, cause the network slice management producer to further perform: transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.

In some example embodiments, the security management requirements may be associated with quality of service and/or service level agreements of the network slice.

In some example embodiments, the request for the security management requirements may comprise at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.

In some example embodiments, the at least one network slice type attribute may correspond to at least one service of security management and/or operation, respectively.

In a second aspect, disclosed is a network slice management consumer. The network slice management consumer may include at least one processor and at least one memory. The at least one memory may include computer program code, and the at least one memory and the computer program code may be configured to, with the at least one processor, cause the network slice management consumer to perform: transmitting, to a network slice management producer, a request for security management requirements in a network slice; and receiving, from the network slice management producer, a report for resources allocated for the security management requirements.

In a third aspect, disclosed is a method performed by a network slice management producer. The method may comprise: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.

In some example embodiments, the method may further comprise: transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.

In some example embodiments, the method may further comprise: transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.

In a fourth aspect, disclosed is a method performed by a network slice management consumer. The method may comprise: transmitting, to a network slice management producer, a request for security management requirements in a network slice; and receiving, from the network slice management producer, a report for resources allocated for the security management requirements.

In a fifth aspect, disclosed is an apparatus. The apparatus as a network slice management producer may comprise: means for receiving, from a network slice management consumer, a request for security management requirements in a network slice; means for evaluating resources for the security management requirements; and means for transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements..

In some example embodiments, the apparatus may further comprise: means for transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and means for receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.

In some example embodiments, the apparatus may further comprise: means for transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and means for receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.

In a sixth aspect, disclosed is an apparatus. The apparatus as a network slice management consumer may comprise: means for transmitting, to a network slice management producer, a request for security management requirements in a network slice; and means for receiving, from the network slice management producer, a report for resources allocated for the security management requirements.

In a seventh aspect, a computer readable medium is disclosed. The computer readable medium may include instructions stored thereon for causing a network slice management producer to perform: receiving, from a network slice management consumer, a request for security management requirements in a network slice; evaluating resources for the security management requirements; and transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.

In some example embodiments, the computer readable medium may further include instructions stored thereon for causing the network slice management producer to further perform: transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.

In some example embodiments, the computer readable medium may further include instructions stored thereon for causing the network slice management producer to further perform: transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.

In an eighth aspect, a computer readable medium is disclosed. The computer readable medium may include instructions stored thereon for causing a network slice management consumer to perform: transmitting, to a network slice management producer, a request for security management requirements in a network slice; and receiving, from the network slice management producer, a report for resources allocated for the security management requirements.

Other features and advantages of the example embodiments of the present disclosure will also be apparent from the following description of specific embodiments when read in conjunction with the accompanying drawings, which illustrate, by way of example, the principles of example embodiments of the present disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

Some example embodiments will now be described, by way of non-limiting examples, with reference to the accompanying drawings.

FIG. 1 shows an exemplary scenario the example embodiments of the present disclosure may achieve.

FIG. 2 shows an exemplary sequence diagram for creating a network slice with high security according to the example embodiments of the present disclosure.

FIG. 3 shows an exemplary scenario some example embodiments of the present disclosure may achieve.

FIG. 4 shows an exemplary scenario some example embodiments of the present disclosure may achieve.

FIG. 5 shows an exemplary sequence diagram for secure PDU session establishment for a slice with high security according to the example embodiments of the present disclosure.

FIG. 6 shows an exemplary sequence diagram for an example use-case scenario of secured key provisioning according to the example embodiments of the present disclosure.

FIG. 7 shows a flow chart illustrating an example method 700 for network slice with high security according to the example embodiments of the present disclosure.

FIG. 8 shows a flow chart illustrating an example method 800 for network slice with high security according to the example embodiments of the present disclosure.

FIG. 9 shows a block diagram illustrating an example device 900 for network slice with high security according to the example embodiments of the present disclosure.

FIG. 10 shows a block diagram illustrating an example device 1000 for network slice with high security according to the example embodiments of the present disclosure.

FIG. 11 shows a block diagram illustrating an example apparatus 1100 for network slice with high security according to the example embodiments of the present disclosure.

FIG. 12 shows a block diagram illustrating an example apparatus 1200 for network slice with high security according to the example embodiments of the present disclosure.

Throughout the drawings, same or similar reference numbers indicate same or similar elements. A repetitive description on the same elements would be omitted.

DETAILED DESCRIPTION

Herein below, some example embodiments are described in detail with reference to the accompanying drawings. The following description includes specific details for the purpose of providing a thorough understanding of various concepts. However, it will be apparent to those skilled in the art that these concepts may be practiced without these specific details. In some instances, well known circuits, techniques and components are shown in block diagram form to avoid obscuring the described concepts and features.

Example embodiments of the present disclosure provide a solution of network slice with high security. According to the example embodiments of the present disclosure, the network slice with high security may be created as a network slice dedicated for security management or a network slice with a feature dedicated for security management.

FIG. 1 shows an exemplary scenario the example embodiments of the present disclosure may achieve. Referring to the FIG. 1, an E2E network slice with high security of the example embodiments of the present disclosure can provide required resources for reliable and secure security services and operational workflows for various end users such as the end user 1, end user 2, ..., end user n as well as various terminal devices such as the terminal device 1, terminal device 2, ..., terminal device n in various use-cases and/or applications such as certificate management, key distribution, key renewal, security software upgrade, vulnerable patch management, security event log collection, security event analytics.

FIG. 2 shows an exemplary sequence diagram for creating the network slice with high security according to the example embodiments of the present disclosure. In the FIG. 2, a RAN slice orchestrator 210, a transport slice orchestrator 220, a central slice orchestrator 230, and an operator 240 are shown as example entities for creating the network slice with high security.

Referring to the FIG. 2, the operator 240, which may be a network slice management consumer, may transmit, to the central slice orchestrator 230, which may be a network slice management producer, a request 242 for security management requirements in a network slice. The request 242 may trigger configuring the network slice with high security satisfying the security management requirements. In some embodiments, the operator 240 may request to create a network slice with high security for key management. Alternatively or additionally, in some embodiments, the operator 240 may request to create another network slice with high security for certificate management and patch management.

Receiving, from the operator 240, the request 242 for security management requirements in the network slice, in an operation 232, the central slice orchestrator 230 may evaluate resources for the security management requirements. In an embodiment, the central slice orchestrator 230 may evaluate at least transport resources and RAN resources required for the security management requirements. In this embodiment, the evaluated resources may comprise at least one of the transport resources and RAN resources.

The central slice orchestrator 230 may transmit, to the transport slice orchestrator 220, a request 234 for the transport resources for the security management requirements. For example, the transport resources may be the transport resources required for the security management requirements evaluated in the operation 232. Receiving the request 234, the transport slice orchestrator 220 may allocate the required transport resources and then transmit to the central slice orchestrator 230 a response 224 with the transport resources allocated for the security management requirements. And the central slice orchestrator 230 may receive, from the transport slice orchestrator 220, the response 224 with the transport resources allocated for the security management requirements.

Before, in parallel with, or after the transmission of the request 234 and the reception of the response 224, the central slice orchestrator 230 may transmit, to the RAN slice orchestrator 210, a request 236 for the RAN resources for the security management requirements. For example, the RAN resources may be the RAN resources required for the security management requirements evaluated in the operation 232. Receiving the request 236, the RAN slice orchestrator 210 may allocate the required RAN resources and then transmit to the central slice orchestrator 230 a response 216 with the RAN resources allocated for the security management requirements. And the central slice orchestrator 230 may receive, from the RAN slice orchestrator 210, the response 216 with the RAN resources allocated for the security management requirements.

Then, the central slice orchestrator 230 may transmit, to the operator 240, a report 238 for the resources allocated for the security management requirements. Receiving, from the central slice orchestrator 230, the report 238 for the resources allocated for the security management requirements, the operator 240 may make use of the network slice with high security for various use-cases as required. The network slice with high security may have configuration for use-cases regarding security management for industrial IoT, home safety, public safety, etc. of security services, for example, refreshing key for application function (KAF) for authentication and key management for applications (AKMA) , key management including short/long-term key distributions for IoT devices and/or UEs, certificate management on IoT devices and/or UEs, security patch management on IoT devices and/or UEs, security software management on IoT devices and/or UEs, Security logs collection from IoT devices and/or UEs, etc.

In an embodiment, the security management requirements may be associated with quality of service (QoS) and/or service level agreements (SLA) of the network slice. For example, the security management requirements may associated with different levels of QoSs. The QoS of the network slice may be e.g. ensuring high throughput for security log collection, patch download, secure software download and integrity protection, etc. kind of use-cases.

Alternatively or additionally, the security management requirements may be associated with different SLA requirements for E2E security management and/or operation for the network slice. The SLA requirements may be for example at least one of the following: enhanced slice isolation requirement, support network authorization by UE, authenticity of application function (AF) , E2E replay protection requirement, E2E confidentiality protection requirement, E2E integrity protection requirement, security policy on N6, which may be an interface between a user plane function (UPF) of a core network (CN) and data network (DN) , etc.

In an embodiment, the request 242 for the security management requirements may comprise at least one of the following: a dedicated slice service type (SST) value for the network slice, at least one service differentiator (SD) specific to the network slice, and at least one network slice type (NEST) attribute specific to the network slice.

For example, in a case where a dedicated SST value is introduced for a network slice dedicated for security management, if the dedicated SST value is included in the request 234, the network slice with high security may be created as a network slice dedicated for security management. For example, a SST value “6” may be introduced for a slice/service type of security with the characteristic of slice suitable for the handling of security services. With the dedicated SST value in the request 234, the network slice dedicated for security management may be created for security service (s) .

Alternatively or additionally, in an embodiment, at least one SD specific to the network slice may be included in the request 234. For example, for the same SST value, there may be different SDs corresponding to different security services such as security patch updates, software download and integrity protection, security log transfers, security analytics services, key distributions, etc. In this embodiment, as an option, the network slice dedicated for security management may share the SST value with other slice/service type. In a case where the SST value is not dedicated for security service type, the SST value may have at least one proprietary SD defined for at least one security service. With the at least one SD specific to the network slice in the request 234, the network slice dedicated for security management may be created for the corresponding security service (s) .

Alternatively or additionally, in an embodiment, at least one NEST attribute specific to the network slice may be included in the request 234. For example, different values of NEST attributes may be predefined and configured on the network slices with high security sharing the same security SST but having different SDs. In an embodiment, the at least one NEST attribute may correspond to at least one service of security management and/or operation, respectively. The NEST attributes corresponding to the services of security management and/or operation may be, for example, use-case specific attributes, e.g. key management related attributes, certificate management related attributes, and/or security log management related attributes. The certificate management related attributes may be, for example, least acceptable certificate expiry time would mean that all certificate renewals must happen before this time. For example, if the least acceptable certificate expiry time is set to 7 days, the certificate management must ensure that all certificates expiring within 7 days are renewed immediately. The security log management related attributes may be, for example, periodicity of security event log transfers from UEs/IoT devices to the network, security monitoring and log analysis function configurations at the network, etc. The NEST attributes may also be the attributes, for example, SLA defined in service profiles, isolation level could be physical isolation, availability should be ensured to 99.9999%, session and service continuity support, etc. With the at least one NEST attribute specific to the network slice included in the request 234, the network slice dedicated for security management or the network slice with a feature dedicated for security management may be created for the corresponding service (s) of security management and/or operation. In a case where the network slice with high security is used for E2E security management, E2E encryption may be required.

FIG. 3 shows an exemplary scenario some example embodiments of the present disclosure may achieve. In the scenario of the FIG. 3, a E2E network slicing comprises a UE slice, a RAN slice, a transport slice, and a CN slice. A slice 1 dedicated for enhanced mobile broadband (eMBB) , a slice 2 dedicated for ultra-reliable low latency communications (URLLC) and a slice 3 dedicated for security management are used by a UE 1, and a slice 3 dedicated for security management and a slice 4 dedicated for mobile internet of things (MIoT) are used by a UE 2. The RAN slice provides RAN eMBB for slice 1, RAN URLLC for slice 2, RAN security for slice 3, and RAN MIoT for slice 4. The CN slice provides CN eMBB for slice 1, CN URLLC for slice 2, CN security for slice 3, and CN MIoT for slice 4. The transport slice provides N2 and/or N3 interface between the RAN slice and the corresponding CN slice. The slice 3 dedicated for security management used by the UE 1 and the UE 2 is highly secure, and mobile network operator (MNO) may make use of the slice 3 for security operations.

FIG. 4 shows an exemplary scenario some example embodiments of the present disclosure may achieve. Compared with the FIG. 3, in the scenario of the FIG. 4, no network slice dedicated for security management is created, but a network slice with a feature dedicated for security management is created. In the FIG. 4, a slice 1, a slice 2, and a slice 3 are used by a UE. The slice 3 is created for a slice tenant, and two packet data unit (PDU) sessions are established in the slice 3. The PDU session 1 is for MIoT, and the PDU session 2 is dedicated for security management and is highly secure. The tenant of the slice 3 may make use of the PDU session 2 in the slice 3 for security operations.

FIG. 5 shows an exemplary sequence diagram for secure PDU session establishment for a slice with high security according to the example embodiments of the present disclosure. Referring to the FIG. 5, a UE 510, a RAN 520, a session management function (SMF) 530, a UPF 540, AF 550, an access and mobility management function (AMF) 560, and a unified data management (UDM) 570 are shown as entities for establishing a secure PDU session for the slice with high security. The slice with high security may be for example the network slice dedicated for security management e.g., the slice 3 shown in the FIG. 3 or the network slice with a feature dedicated for security management e.g. the slice 3 shown in the FIG. 4. The AF 550 may be controlled by an operator.

In an operation 512, the UE 510 may register in a slice with high security through a UE registration process. Then, the UE 510 may transmit a PDU session establishment request 514 to the SMF 530 via the AMF 560. Receiving the request 514, the SMF 530 may get, from the UDM 570, security policy satisfying security management requirements in the slice with high security. Here, the UDM 570 is shown as an example of a policy device, and it may be appreciated that a network slice selection function (NSSF) and/or a policy control function (PCF) may also be used as a policy device for storing and providing the security policy.

Getting the security policy, in an operation 534, the SMF 530 may configure a routing in the UPF 540 according to the security policy, and in an operation 522, the SMF 530 may create a PUD session via the AMF 560 with the RAN 520 according to the security policy such that the created PUD session may satisfy the security management requirements in the slice.

Then, the SMF 530 may transmit a PDU session establishment response 536 with the security policy via the AMF 560 to the UE 510. Compared with other slices or other PDU sessions, the created PUD session in the slice may provide highly secure E2E protection with enhanced security in e.g., encryption and/or integrity. For example, compared to other slices or other PUD sessions, the algorithm used for integrity and ciphering in the created PUD session may be with higher E2E security level.

In an operation 612, a PDU session is established in a slice with high security. For example, the PUD session may be created according to the exemplary sequence shown in e.g., the FIG. 5 to provide highly secure E2E protection with enhanced security in e.g., encryption and/or integrity compared with other slices or other PDU sessions.

In an operation 652, the AF 550 may, for example, update home network public keys. Then, the AF 550 may transmit the updated set of home network public keys and identifiers in a downlink (DL) packet 654 to the UE 510 via the UPF 540 and the RAN 520. In an operation 614, the UE 510 may store the updated set of home network public keys and identifiers in e.g., a universal subscriber identity module (USIM) .

In an operation 656, the AF 550 may perform other security updates in the USIM with protection scheme identifiers list. After the successful security updates, in an operation 616, the PDU session may be released.

FIG. 7 shows a flow chart illustrating an example method 700 for network slice with high security according to the example embodiments of the present disclosure. The example method 700 may be performed for example at a network slice management producer such as the central slice orchestrator 230.

Referring to the FIG. 7, the example method 700 may include an operation 710 of receiving, from a network slice management consumer, a request for security management requirements in a network slice; an operation 720 of evaluating resources for the security management requirements; and an operation 730 of transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.

Details of the operation 710 have been described in the above descriptions with respect to at least the request 242, and repetitive descriptions thereof are omitted here.

Details of the operation 720 have been described in the above descriptions with respect to at least the operation 232, and repetitive descriptions thereof are omitted here.

Details of the operation 730 have been described in the above descriptions with respect to at least the report 238, and repetitive descriptions thereof are omitted here.

In an embodiment, the evaluated resources may comprise at least one of transport resources and RAN resources. The more details have been described in the above descriptions with respect to at least the operation 232, the request 234, and the request 236, and repetitive descriptions thereof are omitted here.

In an embodiment, the example method 700 may further include an operation of transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and an operation of receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements. The more details have been described in the above descriptions with respect to at least the request 234 and the response 224, and repetitive descriptions thereof are omitted here.

In an embodiment, the example method 700 may further include an operation of transmitting, to a RAN slice orchestrator, a request for the RAN resources for the security management requirements; and an operation of receiving, from the RAN slice orchestrator, a response with the RAN resources allocated for the security management requirements. The more details have been described in the above descriptions with respect to at least the request 236 and the response 216, and repetitive descriptions thereof are omitted here.

In an embodiment, the security management requirements may be associated with QoS and/or SLA of the network slice.

In an embodiment, the request for the security management requirements may comprise at least one of the following: a dedicated SST value for the network slice, at least one SD specific to the network slice, and at least one NEST attribute specific to the network slice. The more details have been described in the above descriptions with respect to at least the request 242, and repetitive descriptions thereof are omitted here.

In an embodiment, the at least one NEST attribute may correspond to at least one service of security management and/or operation, respectively.

FIG. 8 shows a flow chart illustrating an example method 800 for network slice with high security according to the example embodiments of the present disclosure. The example method 800 may be performed for example at a network slice management consumer such as the operator 240.

Referring to the FIG. 8, the example method 800 may include an operation 810 of transmitting, to a network slice management producer, a request for security management requirements in a network slice; and an operation 820 of receiving, from the network slice management producer, a report for resources allocated for the security management requirements.

Details of the operation 810 have been described in the above descriptions with respect to at least the request 242, and repetitive descriptions thereof are omitted here.

Details of the operation 820 have been described in the above descriptions with respect to at least the report 238, and repetitive descriptions thereof are omitted here.

FIG. 9 shows a block diagram illustrating an example device 900 for network slice with high security according to the example embodiments of the present disclosure. The device, for example, may be at least part of a network slice management producer such as the central slice orchestrator 230 in the above examples.

As shown in the FIG. 9, the example device 900 may include at least one processor 910 and at least one memory 920 that may include computer program code 930. The at least one memory 920 and the computer program code 930 may be configured to, with the at least one processor 910, cause the device 900 at least to perform the example method 700 described above.

In various example embodiments, the at least one processor 910 in the example device 900 may include, but not limited to, at least one hardware processor, including at least one microprocessor such as a central processing unit (CPU) , a portion of at least one hardware processor, and any other suitable dedicated processor such as those developed based on for example Field Programmable Gate Array (FPGA) and Application Specific Integrated Circuit (ASIC) . Further, the at least one processor 910 may also include at least one other circuitry or element not shown in the FIG. 9.

In various example embodiments, the at least one memory 920 in the example device 900 may include at least one storage medium in various forms, such as a volatile memory and/or a non-volatile memory. The volatile memory may include, but not limited to, for example, a random-access memory (RAM) , a cache, and so on. The non-volatile memory may include, but not limited to, for example, a read only memory (ROM) , a hard disk, a flash memory, and so on. Further, the at least memory 920 may include, but are not limited to, an electric, a magnetic, an optical, an electromagnetic, an infrared, or a semiconductor system, apparatus, or device or any combination of the above.

Further, in various example embodiments, the example device 900 may also include at least one other circuitry, element, and interface, for example at least one I/O interface, at least one antenna element, and the like.

In various example embodiments, the circuitries, parts, elements, and interfaces in the example device 900, including the at least one processor 910 and the at least one memory 920, may be coupled together via any suitable connections including, but not limited to, buses, crossbars, wiring and/or wireless lines, in any suitable ways, for example electrically, magnetically, optically, electromagnetically, and the like.

It is appreciated that the structure of the device on the side of the network slice management producer is not limited to the above example device 900.

FIG. 10 shows a block diagram illustrating an example device 1000 for network slice with high security according to the example embodiments of the present disclosure. The device, for example, may be at least part of a network slice management consumer such as the operator 240 in the above examples.

As shown in the FIG. 10, the example device 1000 may include at least one processor 1010 and at least one memory 1020 that may include computer program code 1030. The at least one memory 1020 and the computer program code 1030 may be configured to, with the at least one processor 1010, cause the device 1000 at least to perform the example method 800 described above.

In various example embodiments, the at least one processor 1010 in the example device 1000 may include, but not limited to, at least one hardware processor, including at least one microprocessor such as a central processing unit (CPU) , a portion of at least one hardware processor, and any other suitable dedicated processor such as those developed based on for example Field Programmable Gate Array (FPGA) and Application Specific Integrated Circuit (ASIC) . Further, the at least one processor 1010 may also include at least one other circuitry or element not shown in the FIG. 10.

In various example embodiments, the at least one memory 1020 in the example device 1000 may include at least one storage medium in various forms, such as a volatile memory and/or a non-volatile memory. The volatile memory may include, but not limited to, for example, a random-access memory (RAM) , a cache, and so on. The non-volatile memory may include, but not limited to, for example, a read only memory (ROM) , a hard disk, a flash memory, and so on. Further, the at least memory 1020 may include, but are not limited to, an electric, a magnetic, an optical, an electromagnetic, an infrared, or a semiconductor system, apparatus, or device or any combination of the above.

Further, in various example embodiments, the example device 1000 may also include at least one other circuitry, element, and interface, for example at least one I/O interface, at least one antenna element, and the like.

In various example embodiments, the circuitries, parts, elements, and interfaces in the example device 1000, including the at least one processor 1010 and the at least one memory 1020, may be coupled together via any suitable connections including, but not limited to, buses, crossbars, wiring and/or wireless lines, in any suitable ways, for example electrically, magnetically, optically, electromagnetically, and the like.

It is appreciated that the structure of the device on the side of the network slice management consumer is not limited to the above example device 1000.

FIG. 11 shows a block diagram illustrating an example apparatus 1100 for network slice with high security according to the example embodiments of the present disclosure. The apparatus, for example, may be at least part of a network slice management producer such as the central slice orchestrator 230 in the above examples.

As shown in FIG. 11, the example apparatus 1100 may include means 1110 for performing the operation 710 of the example method 700, means 1120 for performing the operation 720 of the example method 700, and means 1130 for performing the operation 730 of the example method 700. In one or more another example embodiments, at least one I/O interface, at least one antenna element, and the like may also be included in the example apparatus 1100.

In some example embodiments, examples of means in the example apparatus 1100 may include circuitries. For example, an example of means 1110 may include a circuitry configured to perform the operation 710 of the example method 700, an example of means 1120 may include a circuitry configured to perform the operation 720 of the example method 700, and an example of means 1130 may include a circuitry configured to perform the operation 730 of the example method 700. In some example embodiments, examples of means may also include software modules and any other suitable function entities.

FIG. 12 shows a block diagram illustrating an example apparatus 1200 for network slice with high security according to the example embodiments of the present disclosure. The apparatus, for example, may be at least part of a network slice management consumer such as the operator 240 in the above examples.

As shown in FIG. 12, the example apparatus 1200 may include means 1210 for performing the operation 810 of the example method 800, and means 1220 for performing the operation 820 of the example method 800. In one or more another example embodiments, at least one I/O interface, at least one antenna element, and the like may also be included in the example apparatus 1200.

In some example embodiments, examples of means in the example apparatus 1200 may include circuitries. For example, an example of means 1210 may include a circuitry configured to perform the operation 810 of the example method 800, and an example of means 1220 may include a circuitry configured to perform the operation 820 of the example method 800. In some example embodiments, examples of means may also include software modules and any other suitable function entities.

The term “circuitry” throughout this disclosure may refer to one or more or all of the following: (a) hardware-only circuit implementations (such as implementations in only analog and/or digital circuitry) ; (b) combinations of hardware circuits and software, such as (as applicable) (i) a combination of analog and/or digital hardware circuit (s) with software/firmware and (ii) any portions of hardware processor (s) with software (including digital signal processor (s) ) , software, and memory (ies) that work together to cause an apparatus, such as a mobile phone or server, to perform various functions) ; and (c) hardware circuit (s) and or processor (s) , such as a microprocessor (s) or a portion of a microprocessor (s) , that requires software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation. This definition of circuitry applies to one or all uses of this term in this disclosure, including in any claims. As a further example, as used in this disclosure, the term circuitry also covers an implementation of merely a hardware circuit or processor (or multiple processors) or portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term circuitry also covers, for example and if applicable to the claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in server, a cellular network device, or other computing or network device.

Another example embodiment may relate to computer program codes or instructions which may cause an apparatus to perform at least respective methods described above. Another example embodiment may be related to a computer readable medium having such computer program codes or instructions stored thereon. In some embodiments, such a computer readable medium may include at least one storage medium in various forms such as a volatile memory and/or a non-volatile memory. The volatile memory may include, but not limited to, for example, a RAM, a cache, and so on. The non-volatile memory may include, but not limited to, a ROM, a hard disk, a flash memory, and so on. The non-volatile memory may also include, but are not limited to, an electric, a magnetic, an optical, an electromagnetic, an infrared, or a semiconductor system, apparatus, or device or any combination of the above.

Unless the context clearly requires otherwise, throughout the description and the claims, the words “comprise, ” “comprising, ” and the like are to be construed in an inclusive sense, as opposed to an exclusive or exhaustive sense; that is to say, in the sense of “including, but not limited to. ” The word “coupled” , as generally used herein, refers to two or more elements that may be either directly connected, or connected by way of one or more intermediate elements. Likewise, the word “connected” , as generally used herein, refers to two or more elements that may be either directly connected, or connected by way of one or more intermediate elements. Additionally, the words “herein, ” “above, ” “below, ” and words of similar import, when used in this application, shall refer to this application as a whole and not to any particular portions of this application. Where the context permits, words in the description using the singular or plural number may also include the plural or singular number respectively. The word “or” in reference to a list of two or more items, that word covers all of the following interpretations of the word: any of the items in the list, all of the items in the list, and any combination of the items in the list.

Moreover, conditional language used herein, such as, among others, “can, ” “could, ” “might, ” “may, ” “e.g., ” “for example, ” “such as” and the like, unless specifically stated otherwise, or otherwise understood within the context as used, is generally intended to convey that certain embodiments include, while other embodiments do not include, certain features, elements and/or states. Thus, such conditional language is not generally intended to imply that features, elements and/or states are in any way required for one or more embodiments or that one or more embodiments necessarily include logic for deciding, with or without author input or prompting, whether these features, elements and/or states are included or are to be performed in any particular embodiment.

As used herein, the term "determine/determining" (and grammatical variants thereof) can include, not least: calculating, computing, processing, deriving, measuring, investigating, looking up (for example, looking up in a table, a database or another data structure) , ascertaining and the like. Also, "determining" can include receiving (for example, receiving information) , accessing (for example, accessing data in a memory) , obtaining and the like. Also, "determine/determining" can include resolving, selecting, choosing, establishing, and the like.

While some embodiments have been described, these embodiments have been presented by way of example, and are not intended to limit the scope of the disclosure. Indeed, the apparatus, methods, and systems described herein may be embodied in a variety of other forms; furthermore, various omissions, substitutions, and changes in the form of the methods and systems described herein may be made without departing from the spirit of the disclosure. For example, while blocks are presented in a given arrangement, alternative embodiments may perform similar functionalities with different components and/or circuit topologies, and some blocks may be deleted, moved, added, subdivided, combined, and/or modified. At least one of these blocks may be implemented in a variety of different ways. The order of these blocks may also be changed. Any suitable combination of the elements and actions of some embodiments described above can be combined to provide further embodiments. The accompanying claims and their equivalents are intended to cover such forms or modifications as would fall within the scope and spirit of the disclosure.

Abbreviations used in the description and/or in the figures are defined as follows:

AF application function

AKMA authentication and key management for applications

AMF access and mobility management function

CN core network

DL downlink

DN data network

eMBB enhanced mobile broadband

E2E end-to-end

IoT internet of things

KAF key for application function

MIoT mobile internet of things

MITM Man-in-the-Middle

MNO mobile network operator

NE network entity

NEST network slice type

NSSF network slice selection function

PCF policy control function

PDU packet data unit

QoS quality of service

RAN radio access network

SD service differentiator

SECaaS Security-as-a-service

SLA service level agreements

SMF session management function

SST slice service type

UDM unified data management

UE user equipment

UPF user plane function

URLLC ultra-reliable low latency communications

USIM universal subscriber identity module

5G the fifth generation

Claims

A network slice management producer, comprising:

at least one processor; and

at least one memory comprising computer program code, the at least one memory and the computer program code being configured to, with the at least one processor, cause the network slice management producer to perform:

receiving, from a network slice management consumer, a request for security management requirements in a network slice;

evaluating resources for the security management requirements; and

transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
The network slice management producer of claim 1, wherein the evaluated resources comprises at least one of transport resources and radio access network resources.
The network slice management producer of claim 2, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the network slice management producer to further perform:

transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and

receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
The network slice management producer of claim 2 or 3, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the network slice management producer to further perform:

transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and

receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
The network slice management producer of any of claims 1 to 4, wherein the security management requirements are associated with quality of service and/or service level agreements of the network slice.
The network slice management producer of any of claims 1 to 5, wherein the request for security management requirements comprises at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
The network slice management producer of claim 6, wherein the at least one network slice type attribute corresponds to at least one service of security management and/or operation, respectively.
A network slice management consumer, comprising:

at least one processor; and

at least one memory comprising computer program code, the at least one memory and the computer program code being configured to, with the at least one processor, cause the network slice management consumer to perform:

transmitting, to a network slice management producer, a request for security management requirements in a network slice; and

receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
The network slice management consumer of claim 8, wherein the security management requirements are associated with quality of service and/or service level agreements of the network slice.
The network slice management consumer of claim 8 or 9, wherein the request for security management requirements comprises at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
The network slice management consumer of claim 10, wherein the at least one network slice type attribute corresponds to at least one service of security management and/or operation, respectively.
A method performed by a network slice management producer, comprising:

receiving, from a network slice management consumer, a request for security management requirements in a network slice;

evaluating resources for the security management requirements; and

transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
The method of claim 12, wherein the evaluated resources comprises at least one of transport resources and radio access network resources.
The method of claim 13, further comprising:

transmitting, to a transport slice orchestrator, a request for the transport resources for the security management requirements; and

receiving, from the transport slice orchestrator, a response with the transport resources allocated for the security management requirements.
The method of claim 13 or 14, further comprising:

transmitting, to a radio access network slice orchestrator, a request for the radio access network resources for the security management requirements; and

receiving, from the radio access network slice orchestrator, a response with the radio access network resources allocated for the security management requirements.
The method of any of claims 12 to 15, wherein the security management requirements are associated with quality of service and/or service level agreements of the network slice.
The method of any of claims 12 to 16, wherein the request for security management requirements comprises at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
The method of claim 17, wherein the at least one network slice type attribute corresponds to at least one service of security management and/or operation, respectively.
A method performed by a network slice management consumer, comprising:

transmitting, to a network slice management producer, a request for security management requirements in a network slice; and

receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
The method of claim 19, wherein the security management requirements are associated with quality of service and/or service level agreements of the network slice.
The method of claim 19 or 20, wherein the request for security management requirements comprises at least one of the following: a dedicated slice service type value for the network slice, at least one service differentiator specific to the network slice, and at least one network slice type attribute specific to the network slice.
The method of claim 21, wherein the at least one network slice type attribute corresponds to at least one service of security management and/or operation, respectively.
An apparatus as a network slice management producer, comprising:

means for receiving, from a network slice management consumer, a request for security management requirements in a network slice;

means for evaluating resources for the security management requirements; and

means for transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
An apparatus as a network slice management consumer, comprising:

means for transmitting, to a network slice management producer, a request for security management requirements in a network slice; and

means for receiving, from the network slice management producer, a report for resources allocated for the security management requirements.
A computer readable medium comprising program instructions for causing a network slice management producer to perform:

receiving, from a network slice management consumer, a request for security management requirements in a network slice;

evaluating resources for the security management requirements; and

transmitting, to the network slice management consumer, a report for the resources allocated for the security management requirements.
A computer readable medium comprising program instructions for causing a network slice management consumer to perform:

transmitting, to a network slice management producer, a request for security management requirements in a network slice; and

receiving, from the network slice management producer, a report for resources allocated for the security management requirements.