EP-4736366-A1 - SYSTEM AND METHOD FOR NETWORK FUNCTION (NF) WHITELISTING IN COMMUNICATION NETWORK
Abstract
The present disclosure provides a system (108) for network function (NF) whitelisting in a communication network (106). The present disclosure supports authentication based on client credentials assertion (CCA). The system includes one or more processors (202) and a memory (204) which stores instructions for supporting authentication based on whitelisting conditions/list with the ability to enable or disable the feature. The present disclosure supports authorization for own services (management and discovery) based on open authorization token. Additionally, the system (108) provides support for counters and logs for authentication and authorization.
Inventors
- Bhatnagar, Aayush
- Shetty, Mukta
- Jha, Alok
- Kumar, Sanjeev
- Jadhav, Sayali
- Narayan, Gaurav
- Khamesra, Apoorva
- Gupta, Aditya
Assignees
- Jio Platforms Limited
Dates
- Publication Date
- 2026-05-06
- Application Date
- 2024-06-06
Claims (20)
- 1. A method for performing authentication of a plurality of network functions (NFs) in a network (106), the method comprising: receiving, by a network repository function (NRF), a message from one of the plurality of NFs; and authenticating, by the NRF, the NF based on a whitelisting authentication, wherein the whitelisting authentication comprises: checking, by the NRF, whether a runtime user configurable flag is enabled; on detecting that the runtime user configurable flag is enabled, performing, by the NRF, authentication of the message by checking whether a match for the message is present in a whitelist and missing from a blacklist; and on detecting that the match for the message is present in the whitelist and missing from the blacklist, authenticating, by the NRF, the NF.
- 2. The method as claimed in claim 1, wherein the message comprises a registration request or an access request.
- 3. The method as claimed in claim 1, further comprising: on detecting that a match for the message is present in the blacklist, rejecting, by the NRF, the authentication of the NF.
- 4. The method as claimed in claim 1, wherein the whitelist and the blacklist comprise a combination of an NF instance identifier (ID) and an NF type or a combination of an internet protocol (IP) subnet and the NF type, wherein the NRF is configured to enable or disable the whitelisting authentication.
- 5. The method as claimed in claim 4, wherein the combination of the NF instance ID and the NF type comprises an NF instance ID range, the NF type and a public land mobile network (PLMN), and wherein the combination of the IP subnet and the NF type comprises an IP range, the NF type and the PLMN.
- 6. The method as claimed in claim 1, wherein the NRF is configured to create counters for authentication and authorization, wherein the NRF is configured to generate a log for failed authentication attempts.
- 7. The method as claimed in claim 1, wherein the NRF is configured to support authorization by providing an open authorization token for NRF services and management and discovery services.
- 8. The method as claimed in claim 1, wherein the NRF is configured to perform one or more authentication techniques, wherein the authentication techniques comprise a hypertext transfer protocol secure (HTTPS), a client credentials assertion (CCA) and the whitelisting authentication, and wherein the authentication is performed in the order of the HTTPS, the CCA and the whitelisting authentication.
- 9. The method as claimed in claim 1, further comprising: authenticating a first message received from a direct peer node and allowing subsequent messages from the direct peer node, wherein the first message is an NF register message.
- 10. A system (108) for performing authentication of a plurality of network functions (NFs) in a network (106), by a network repository function (NRF), wherein the NRF comprises: a receiving unit (220) configured to receive a message from one of the plurality of NFs; and an authentication unit (214) configured to authenticate the NF based on a whitelisting authentication, wherein the whitelisting authentication comprises: a processing unit (208) configured to check whether a runtime user configurable flag is enabled; on detecting that the runtime user configurable flag is enabled, the authentication unit (214) is configured to perform authentication of the message by checking whether a match for the message is present in a whitelist and missing from a blacklist; and on detecting that the match for the message is present in the whitelist and missing from the blacklist, the authentication unit (214) is configured to authenticate the NF.
- 11. The system (108) as claimed in claim 10, wherein on detecting that a match for the message is present in the blacklist, the authentication unit (214) is configured to reject the authentication of the NF.
- 12. The system (108) as claimed in claim 10, wherein the message comprises a registration request or an access request.
- 13. The system (108) as claimed in claim 10, wherein the whitelist and the blacklist comprise a combination of an NF instance identifier (ID) and an NF type and a combination of an internet protocol (IP) subnet and the NF type, wherein the NRF is configured to enable or disable the whitelisting authentication.
- 14. The system (108) as claimed in claim 13, wherein the combination of the NF instance identifier (ID) and the NF type comprises an NF instance ID range, the NF type and a public land mobile network (PLMN), and wherein the combination of the IP subnet and the NF type comprises an IP range, the NF type and the PLMN.
- 15. The system (108) as claimed in claim 10, wherein the NRF is configured to create counters for authentication and authorization, wherein the NRF is configured to generate a log for failed authentication attempts.
- 16. The system (108) as claimed in claim 10, wherein the NRF is configured to support authorization by providing an open authorization token for NRF services and management and discovery services.
- 17. The system (108) as claimed in claim 10, wherein the NRF is configured to perform one or more authentication techniques, wherein the authentication techniques comprise a hypertext transfer protocol secure (HTTPS), a client credentials assertion (CCA) and the whitelisting authentication, and wherein the authentication is performed in the order of the HTTPS, the CCA and the whitelisting authentication.
- 18. The system (108) as claimed in claim 10, wherein the NRF is configured to authenticate a first message received from a direct peer node and not to authenticate subsequent messages from the direct peer node, wherein the first message is an NF register message.
- 19. A user equipment (UE) communicatively coupled with a system (108), the coupling comprising the steps of: receiving, by the system, a connection request; sending an acknowledgment of the connection request to the UE; and transmitting a plurality of signals in response to the connection request to the system (108), wherein the system (108) is configured for performing authentication of a plurality of network functions (NFs) in a network, by a network repository function (NRF), as claimed in claim 10.
- 20. A computer program product comprising a non-transitory computer-readable medium comprising instructions that, when executed by one or more processors, cause the one or more processors to execute a method for performing authentication of a plurality of network functions (NFs) in a network (106), the method comprising: receiving, by a network repository function (NRF), a message from one of the plurality of NFs; and authenticating, by the NRF, the NF based on a whitelisting authentication, wherein the whitelisting authentication comprises: checking, by the NRF, whether a runtime user configurable flag is enabled; on detecting that the runtime user configurable flag is enabled, performing, by the NRF, authentication of the message by checking whether a match for the message is present in a whitelist and missing from a blacklist; and on detecting that the match for the message is present in the whitelist and missing from the blacklist, authenticating, by the NRF, the NF.
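The whitelisting decision that claims 1 to 9 describe, as an added Python example that is not part of the patent or of any NRF product: whitelist and blacklist entries pair an NF instance ID range or an IP subnet with an NF type and PLMN, a blacklist hit rejects, a disabled runtime flag skips the check, failed attempts are counted and logged, and a direct peer whose NF register message passed is not re-checked. Integer NF instance IDs, the message dictionary layout and the sample policy in demo_nrf are assumptions of this example.

```python
import ipaddress
import logging
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("nrf.auth")


@dataclass
class Rule:  # one whitelist or blacklist entry (claims 4 and 5)
    nf_type: str
    plmn: str
    instance_range: Optional[tuple] = None  # (low, high); integer instance IDs are an assumption
    ip_subnet: Optional[str] = None         # CIDR such as "10.0.1.0/24"

    def matches(self, msg: dict) -> bool:
        if msg["nf_type"] != self.nf_type or msg["plmn"] != self.plmn:
            return False
        if self.instance_range is not None:
            return self.instance_range[0] <= msg["nf_instance_id"] <= self.instance_range[1]
        return ipaddress.ip_address(msg["src_ip"]) in ipaddress.ip_network(self.ip_subnet)


@dataclass
class NrfWhitelistAuth:
    whitelist: list
    blacklist: list
    enabled: bool = True  # the runtime user-configurable flag of claim 1
    counters: dict = field(default_factory=lambda: {"auth_ok": 0, "auth_fail": 0})
    trusted_peers: set = field(default_factory=set)  # peers whose NF register message passed (claim 9)

    def authenticate(self, msg: dict) -> bool:
        if not self.enabled:
            return True  # assumption: a disabled flag skips only this step; HTTPS/CCA are out of scope
        if msg["src_ip"] in self.trusted_peers:
            return True  # later messages from an authenticated direct peer are not re-checked
        allowed = any(r.matches(msg) for r in self.whitelist)
        denied = any(r.matches(msg) for r in self.blacklist)  # a blacklist hit rejects (claim 3)
        if allowed and not denied:
            self.counters["auth_ok"] += 1
            if msg["type"] == "NFRegister":
                self.trusted_peers.add(msg["src_ip"])
            return True
        self.counters["auth_fail"] += 1  # failed attempts are counted and logged (claim 6)
        log.warning("whitelist authentication failed for %r", msg)
        return False


def demo_nrf() -> NrfWhitelistAuth:  # constructed sample policy, not taken from the patent
    whitelist = [Rule("SMF", "40410", ip_subnet="10.0.1.0/24"),
                 Rule("AMF", "40410", instance_range=(100, 199))]
    blacklist = [Rule("SMF", "40410", ip_subnet="10.0.1.128/25")]  # upper half of the SMF subnet
    return NrfWhitelistAuth(whitelist, blacklist)
```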
Description
SYSTEM AND METHOD FOR NETWORK FUNCTION (NF) WHITELISTING IN COMMUNICATION NETWORK

RESERVATION OF RIGHTS

[001] A portion of the disclosure of this patent document contains material which is subject to intellectual property rights such as, but not limited to, copyright, design, trademark, integrated circuit (IC) layout design, and/or trade dress protection, belonging to Jio Platforms Limited (JPL) or its affiliates (hereinafter referred to as the owner). The owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights whatsoever. All rights to such intellectual property are fully reserved by the owner.

TECHNICAL FIELD

[002] The present disclosure relates to the field of communication networks, and specifically to a system and a method for Network Function (NF) whitelisting in a communication network.

BACKGROUND

[003] The following description of related art is intended to provide background information pertaining to the field of the disclosure. This section may include certain aspects of the art that may be related to various features of the present disclosure. However, it should be appreciated that this section is to be used only to enhance the understanding of the reader with respect to the present disclosure, and not as an admission of prior art.

[004] Generally, 3rd Generation Partnership Project (3GPP) release 33.501 provides methods for authentication and authorization between a Network Function (NF) and a Network Repository Function (NRF). An existing NRF already provides support for direct-method authentication, which is also used in the indirect approach. In the indirect approach, the NF Service Producer and NF Service Consumer shall use implicit authentication by relying on authentication between the NF Service Consumer and the Service Communication Proxy (SCP), and between the SCP and the NF Service Producer, provided by the transport layer protection solution, NDS/IP, or physical security. These methods either use protection at the transport layer by Transport Layer Security/Hypertext Transfer Protocol Secure (TLS/HTTPS) or rely on physical security. TLS/HTTPS support is provided by the NRF, but not all NFs use the TLS authentication approach. Similarly, although the existing NRF is closely guarded and provides physical security, there might still be attack avenues that an attacker may use.

[005] To close some of those avenues, the standard also provides direction for using the Client Credentials Assertion (CCA), especially during indirect communication with the NRF, which is currently not supported by the NRF. But even if the NRF offers CCA-based authentication in the future, it might happen that not all NFs are ready for CCA. Requiring either CCA or HTTPS may limit those types of NFs. In addition, CCA may not be used with Route Processor (RP) NFs, so further tuning needs to be done at the NRF.

[006] Thus, there is a need to provide a solution which includes HTTPS and CCA as options but also provides other means to whitelist/blacklist the NFs that may communicate with the NRF, overcoming the deficiencies of the prior art.

OBJECTS OF THE PRESENT DISCLOSURE

[007] It is an object of the present disclosure to provide a system for Network Function (NF) whitelisting in a communication network.

[008] It is an object of the present disclosure to support authentication based on Client Credentials Assertion (CCA).

[009] It is an object of the present disclosure to support authentication based on whitelisting conditions/lists, with the ability to enable or disable the feature.

[0010] It is an object of the present disclosure to support authorization for own services (Management and Discovery) based on an Open Authorization (OAuth) token.

[0011] It is an object of the present disclosure to provide support for counters and logs for authentication and authorization.

SUMMARY

[0012] A method for performing authentication of a plurality of network functions (NFs) in a network is described. The method comprises receiving, by a network repository function (NRF), a message from one of the plurality of NFs. The method comprises authenticating, by the NRF, the NF based on a whitelisting authentication. The whitelisting authentication comprises checking, by the NRF, whether a runtime user configurable flag is enabled. On detecting that the runtime user configurable flag is enabled, the NRF performs authentication of the message by checking whether a match for the message is present in a whitelist and missing from a blacklist. On detecting that the match for the message is present in the whitelist and missing from the blacklist, the NRF authenticates the NF.

[0013] In some embodiments, the message comprises a registration request or an access request.

[0014] In some embodiments, the method further comprises, on detecting that a match for the message is present in the blacklist, rejecting, by the NRF, the authentication of the