
EP-4736367-A1 - SYSTEM AND METHOD FOR ADVERTISING SUPPLICANTS IN A NETWORK


Abstract

Provided are system, method, and device for enabling network entities to view authenticated supplicants in a network. According to embodiments, the system may include: a memory storage storing computer-executable instructions; and at least one processor communicatively coupled to the memory storage, wherein the at least one processor may be configured to execute the instructions to: create a first authentication list for a first network entity; receive a second authentication list from a second network entity; and create a trust list for the first network entity based on the first authentication list and the second authentication list, wherein the trust list for the first network entity specifies a trust level between the first network entity and one or more network entities in the first and second authentication lists.

Inventors

  • CHINTAN SHAH, Paromita
  • BYKAMPADI, Nagendra Shridhar
  • ADHARAPURAPU, Krishna Pramod

Assignees

  • Rakuten Symphony, Inc.

Dates

Publication Date
2026-05-06
Application Date
2023-06-27

Claims (20)

  1. A system comprising: at least one memory storage storing computer-executable instructions; and at least one processor communicatively coupled to the at least one memory storage, wherein the at least one processor is configured to execute the instructions to: create a first authentication list for a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; receive a second authentication list from a second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, and wherein the first network entity and the second network entity are authenticated with each other; and create a trust list for the first network entity based on the first authentication list and the second authentication list, wherein the trust list for the first network entity specifies a trust level between the first network entity and one or more network entities in the first and second authentication lists.
  2. The system according to claim 1, wherein: the trust level comprises one of direct trust and indirect trust; and the trust level is between one or more ports of the first network entity and one or more ports of the one or more network entities in the first and second authentication lists that has a role of a supplicant.
  3. The system according to claim 2, wherein the trust list for the first network entity comprises one or more MAC address of the one or more ports of the first network entity and one or more MAC address of the one or more ports of the one or more network entities in the first and second authentication lists that has the role of the supplicant.
  4. The system according to claim 1, wherein the at least one processor is configured to execute the instructions to create the trust list for the first network entity based on the first authentication list and the second authentication list by: creating the trust list based on the first authentication list, such that the trust list specifies a trust level between the first network entity and the one or more network entities in the first authentication list; in response to receiving the second authentication list, updating the first authentication list to include the second authentication list; and updating the trust list based on the updated first authentication list, such that the trust list further specifies a trust level between the first network entity and the one or more network entities in the second authentication list.
  5. The system according to claim 4, wherein the at least one processor is further configured to execute the instructions to transmit the updated first authentication list to the one or more network entities that are authenticated with the first network entity.
  6. The system according to claim 1, wherein: the second authentication list further specifies one or more network entities that are authenticated with a third network entity; and the third network entity is authenticated with the second network entity.
  7. The system according to claim 1, wherein: the first authentication list specifies one or more first MAC address of one or more ports of the first network entity, one or more third MAC address of one or more ports of one or more network entities authenticated with the one or more first MAC address, and a role of the one or more ports of the first network entity; the second authentication list specifies one or more second MAC address of one or more ports of the second network entity, one or more fourth MAC address of one or more ports of one or more network entities authenticated with the one or more second MAC address, and a role of the one or more ports of the second network entity; and the role comprises one of an authenticator and a supplicant.
  8. The system according to claim 1, wherein an authentication between the first network entity, the second network entity, and the one or more network entities is based on port-based network access control IEEE 802.1X.
  9. The system according to claim 1, wherein the first network entity, the second network entity, and the one or more network entities comprise at least one of O-CU, O-DU, O-RU, and Transport Network elements.
  10. A system comprising: at least one memory storage storing computer-executable instructions; and at least one processor communicatively coupled to the at least one memory storage, wherein the at least one processor is configured to execute the instructions to: receive a first authentication list from a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; receive a second authentication list from the second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, and wherein the first network entity and the second network entity are authenticated with each other; and create a trust list for the first network entity based on the first authentication list and the second authentication list, wherein the trust list for the first network entity specifies a trust level between the first network entity and one or more network entities in the first and second authentication lists.
  11. A method comprising: creating a first authentication list for a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; receiving a second authentication list from a second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, and wherein the first network entity and the second network entity are authenticated with each other; and creating a trust list for the first network entity based on the first authentication list and the second authentication list, wherein the trust list for the first network entity specifies a trust level between the first network entity and one or more network entities in the first and second authentication lists.
  12. The method according to claim 11, wherein: the trust level comprises one of direct trust and indirect trust; and the trust level is between one or more ports of the first network entity and one or more ports of the one or more network entities in the first and second authentication lists that has a role of a supplicant.
  13. The method according to claim 12, wherein the trust list for the first network entity comprises one or more MAC address of the one or more ports of the first network entity and one or more MAC address of the one or more ports of the one or more network entities in the first and second authentication lists that has the role of the supplicant.
  14. The method according to claim 11, wherein the creating the trust list for the first network entity based on the first authentication list and the second authentication list comprises: creating the trust list based on the first authentication list, such that the trust list specifies a trust level between the first network entity and the one or more network entities in the first authentication list; in response to receiving the second authentication list, updating the first authentication list to include the second authentication list; and updating the trust list based on the updated first authentication list, such that the trust list further specifies a trust level between the first network entity and the one or more network entities in the second authentication list.
  15. The method according to claim 14, further comprising transmitting the updated first authentication list to the one or more network entities that are authenticated with the first network entity.
  16. The method according to claim 11, wherein: the second authentication list further specifies one or more network entities that are authenticated with a third network entity; and the third network entity is authenticated with the second network entity.
  17. The method according to claim 11, wherein: the first authentication list specifies one or more first MAC address of one or more ports of the first network entity, one or more third MAC address of one or more ports of one or more network entities authenticated with the one or more first MAC address, and a role of the one or more ports of the first network entity; the second authentication list specifies one or more second MAC address of one or more ports of the second network entity, one or more fourth MAC address of one or more ports of one or more network entities authenticated with the one or more second MAC address, and a role of the one or more ports of the second network entity; and the role comprises one of an authenticator and a supplicant.
  18. The method according to claim 11, wherein an authentication between the first network entity, the second network entity, and the one or more network entities is based on port-based network access control IEEE 802.1X.
  19. The method according to claim 11, wherein the first network entity, the second network entity, and the one or more network entities comprise at least one of O-CU, O-DU, O-RU, and Transport Network elements.
  20. A method comprising: receiving a first authentication list from a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; receiving a second authentication list from the second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, and wherein the first network entity and the second network entity are authenticated with each other; and creating a trust list for the first network entity based on the first authentication list and the second authentication list, wherein the trust list for the first network entity specifies a trust level between the first network entity and one or more network entities in the first and second authentication lists.
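As an added illustration of claims 1 to 7 (example code written for this page, not code from the patent or its assignee), the Python model below lets an entity record its own 802.1X authentications as an authentication list, accept a peer's advertised list only when that peer is one it has itself authenticated with, merge the two lists, and rebuild a trust list that marks each supplicant port as direct or indirect trust. The entity names, port MAC labels and topology are constructed.

```python
from collections import namedtuple

AUTHENTICATOR, SUPPLICANT = "authenticator", "supplicant"
DIRECT, INDIRECT = "direct", "indirect"
# Claim 7 row: two port MACs that completed 802.1X with each other, plus each port's role.
AuthEntry = namedtuple("AuthEntry", "mac_a role_a mac_b role_b")

class NetworkEntity:
    """Hypothetical O-RAN element (O-DU, O-RU, transport switch) that keeps its own
    authentication list and the trust list derived from it (claims 1-5)."""
    def __init__(self, own_macs):
        self.own_macs = frozenset(own_macs)
        self.auth_list = set()
        self.trust_list = {}  # supplicant port MAC -> DIRECT / INDIRECT
    def _direct_peers(self):
        """Peer port MACs that completed 802.1X against one of our own ports."""
        return {m for e in self.auth_list if {e.mac_a, e.mac_b} & self.own_macs
                for m in (e.mac_a, e.mac_b) if m not in self.own_macs}
    def authenticate(self, local_mac, local_role, peer_mac, peer_role):
        """Record a successful 802.1X exchange on one of our own ports (first list)."""
        self.auth_list.add(AuthEntry(local_mac, local_role, peer_mac, peer_role))
        self._rebuild_trust_list()
    def receive_auth_list(self, sender_mac, entries):
        """Claim 4: merge a second list, accepted only from a directly authenticated peer."""
        if sender_mac not in self._direct_peers():
            return False  # a sender that never completed 802.1X with us cannot inject trust
        self.auth_list |= set(entries)
        self._rebuild_trust_list()
        return True
    def _rebuild_trust_list(self):
        """Claim 2: direct trust if an entry touches our own port, else indirect; supplicants only."""
        self.trust_list = {}
        for e in self.auth_list:
            level = DIRECT if {e.mac_a, e.mac_b} & self.own_macs else INDIRECT
            for mac, role in ((e.mac_a, e.role_a), (e.mac_b, e.role_b)):
                if role == SUPPLICANT and mac not in self.own_macs and self.trust_list.get(mac) != DIRECT:
                    self.trust_list[mac] = level  # direct is never downgraded to indirect

def build_example():
    """Constructed topology: O-DU 'du' authenticates O-RU 'ru1' and transport switch
    'sw'; 'sw' authenticates O-RU 'ru2' and advertises its list to 'du' (claim 5)."""
    du, sw = NetworkEntity(["du-p1", "du-p2"]), NetworkEntity(["sw-p1", "sw-p2"])
    du.authenticate("du-p1", AUTHENTICATOR, "ru1", SUPPLICANT)
    du.authenticate("du-p2", AUTHENTICATOR, "sw-p1", SUPPLICANT)
    sw.authenticate("sw-p1", SUPPLICANT, "du-p2", AUTHENTICATOR)
    sw.authenticate("sw-p2", AUTHENTICATOR, "ru2", SUPPLICANT)
    accepted = du.receive_auth_list("sw-p1", sw.auth_list)
    rogue = {AuthEntry("xx-p9", AUTHENTICATOR, "ru3", SUPPLICANT)}  # never authenticated
    injected = du.receive_auth_list("xx-p9", rogue)
    return du, accepted, injected
```

After the switch's list is merged, `du` trusts `ru1` and `sw-p1` directly and `ru2` only indirectly, while the list from the never-authenticated sender is rejected and `ru3` never enters the trust list.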

Description

SYSTEM AND METHOD FOR ADVERTISING SUPPLICANTS IN A NETWORK

TECHNICAL FIELD

[0001] Systems, methods, and computer programs consistent with example embodiments of the present disclosure relate to a telecommunication network, and more specifically to enabling network entities to view authenticated supplicants in a telecommunication network.

BACKGROUND

[0002] A radio access network (RAN) is an important component in a telecommunications system, as it connects end-user devices (or user equipment) to other parts of the network. The RAN includes a combination of various network elements (NEs) that connect end-users to a core network. Traditionally, the hardware and/or software of a particular RAN is vendor specific.

[0003] Open RAN (O-RAN) technology has emerged to enable multiple vendors to provide hardware and/or software to a telecommunications system. Since different vendors are involved, the types of hardware and/or software provided may also differ. That is, different types of NEs may be provided by different vendors, and depending on the specific service, an NE could be virtualized in software form (e.g., virtual machine (VM)-based, cloud native functions, etc.) or could be in physical hardware form (e.g., non-VM based).

[0004] In an open fronthaul network of a telecommunications system employing the O-RAN architecture, network entities may employ port-based network access control (IEEE 802.1X) in order to regulate access to the network and to guard against transmission and reception by unidentified or unauthorized parties, with the consequent network disruption, theft of service, or data loss. Network entities may refer to entities such as RAN elements (e.g., O-RAN Centralized Unit (O-CU), O-RAN Distributed Unit (O-DU), O-RAN Radio Unit (O-RU), etc.) and Transport Network elements, and may have the role of either an authenticator or a supplicant. Under IEEE 802.1X, data traffic is allowed to pass between network entities only if those network entities are authenticated with each other.

[0005] In the related art, information regarding authenticated network entities (e.g., which network entities are authenticated and trustworthy) is kept locally within the network entities involved in that authentication, and is not shared with network entities that are not involved in it. Further, in the related art, network entities may be assumed to be trustworthy simply because they are connected to an authenticated network entity.

[0006] Accordingly, the related-art approach to authenticating network entities may have at least the following shortcomings. Because the information regarding authenticated network entities is kept locally, and because network entities may be assumed trustworthy merely by being connected to an authenticated network entity, this process runs counter to the Zero Trust Model of the O-RAN architecture, and there is no mechanism for a single network entity in the open fronthaul network to obtain a comprehensive view of all the authenticated network entities within the network.

SUMMARY

[0007] Example embodiments of the present disclosure enable network entities to view authenticated supplicants in the network. As such, example embodiments of the present disclosure enable the development of a data store of information on authenticated supplicants for the network elements, thus building a comprehensive view of all the authenticated supplicants and defining an explicit level of trust.

[0008] According to embodiments, a system is provided. The system may include: a memory storage storing computer-executable instructions; and at least one processor communicatively coupled to the memory storage, wherein the at least one processor may be configured to execute the instructions to: create a first authentication list for a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; receive a second authentication list from a second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, and wherein the first network entity and the second network entity are authenticated with each other; and create a trust list for the first network entity based on the first authentication list and the second authentication list, wherein the trust list for the first network entity specifies a trust level between the first network entity and one or more network entities in the first and second authentication lists.

[0009] According to embodiments, a system is provided. The system may include: a memory storage storing computer-executable instructions; and at least one processor communicatively coupled to the memory storage, wherein the at least one processor may be configured to execute the instructions to: receive a first authentication list from a first network entity, wher