
EP-4736384-A1 - SYSTEM AND METHOD FOR ESTABLISHING A TOPOLOGY FOR ADVERTISING SUPPLICANTS IN A NETWORK


Abstract

Provided are a system, a method, and a device for advertising authenticated network entities in a network. According to embodiments, the system may include: a memory storage storing computer-executable instructions; and at least one processor communicatively coupled to the memory storage, wherein the at least one processor may be configured to execute the instructions to: create a first authentication list for a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; and advertise the first authentication list to a second agent deployed in a second network entity, wherein the second network entity is authenticated with the first network entity.

Inventors

  • CHINTAN SHAH, Paromita
  • BYKAMPADI, Nagendra Shridhar
  • ADHARAPURAPU, Krishna Pramod

Assignees

  • Rakuten Symphony, Inc.

Dates

Publication Date
20260506
Application Date
20230627

Claims (20)

  1. A system comprising: at least one memory storage storing computer-executable instructions; and at least one processor communicatively coupled to the at least one memory storage, wherein the at least one processor is configured to execute the instructions to: create a first authentication list for a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; and advertise the first authentication list to a second agent deployed in a second network entity, wherein the second network entity is authenticated with the first network entity.
  2. The system according to claim 1, wherein the at least one processor is configured to execute the instructions to advertise the first authentication list by transmitting the first authentication list to the second agent.
  3. The system according to claim 2, wherein the at least one processor is configured to execute the instructions to: update the first authentication list to include one or more authentication lists received from one or more agents deployed in one or more network entities that are authenticated with the first network entity; update the first authentication list to further specify one or more network entities that are newly authenticated with the first network entity; and transmit the updated first authentication list to the one or more agents deployed in the one or more network entities that are authenticated with the first network entity.
  4. The system according to claim 3, wherein: the system comprises the first network entity, which comprises a first agent; and the first agent is configured to create the first authentication list, transmit the first authentication list, update the first authentication list, and transmit the updated first authentication list.
  5. The system according to claim 4, wherein the first agent and the second agent are mutually authenticated with each other via at least one of a digital certificate and an application programming interface (API) key.
  6. A system comprising: at least one memory storage storing computer-executable instructions; and at least one processor communicatively coupled to the at least one memory storage, wherein the at least one processor is configured to execute the instructions to: receive a first authentication list from a first agent deployed in a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; and advertise the first authentication list to a second agent deployed in a second network entity, wherein the second network entity is authenticated with the first network entity.
  7. The system according to claim 6, wherein: the at least one processor is configured to execute the instructions to receive a second authentication list from the second agent; and the at least one processor is configured to execute the instructions to advertise the first authentication list by: updating the second authentication list to include the first authentication list; and transmitting the updated second authentication list to the second agent.
  8. The system according to claim 7, wherein the at least one processor is configured to execute the instructions to: transmit a notification regarding the updated second authentication list to the second agent; receive a request to transmit the updated second authentication list from the second agent; and transmit the updated second authentication list in response to receiving the request.
  9. The system according to claim 7, wherein: the first agent is configured to transmit the first authentication list periodically; and the at least one processor is configured to execute the instructions to transmit the updated second authentication list to the second agent periodically.
  10. The system according to claim 6, wherein: the system comprises a hub communicatively coupled to the first agent and the second agent; and the first agent and the second agent are mutually authenticated with the hub via mutual TLS (mTLS).
  11. A method comprising: creating a first authentication list for a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; and advertising the first authentication list to a second agent deployed in a second network entity, wherein the second network entity is authenticated with the first network entity.
  12. The method according to claim 11, wherein the advertising of the first authentication list comprises transmitting the first authentication list to the second agent.
  13. The method according to claim 12, further comprising: updating the first authentication list to include one or more authentication lists received from one or more agents deployed in one or more network entities that are authenticated with the first network entity; updating the first authentication list to further specify one or more network entities that are newly authenticated with the first network entity; and transmitting the updated first authentication list to the one or more agents deployed in the one or more network entities that are authenticated with the first network entity.
  14. The method according to claim 13, wherein: the first network entity comprises a first agent; and the first agent is configured to create the first authentication list, transmit the first authentication list, update the first authentication list, and transmit the updated first authentication list.
  15. The method according to claim 14, wherein the first agent and the second agent are mutually authenticated with each other via at least one of a digital certificate and an application programming interface (API) key.
  16. A method comprising: receiving a first authentication list from a first agent deployed in a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; and advertising the first authentication list to a second agent deployed in a second network entity, wherein the second network entity is authenticated with the first network entity.
  17. The method according to claim 16, further comprising: receiving a second authentication list from the second agent; wherein the advertising of the first authentication list comprises: updating the second authentication list to include the first authentication list; and transmitting the updated second authentication list to the second agent.
  18. The method according to claim 17, further comprising: transmitting a notification regarding the updated second authentication list to the second agent; receiving a request to transmit the updated second authentication list from the second agent; and transmitting the updated second authentication list in response to receiving the request.
  19. The method according to claim 17, wherein: the first agent is configured to transmit the first authentication list periodically; and the updated second authentication list is transmitted to the second agent periodically.
  20. The method according to claim 16, wherein: the receiving of the first authentication list and the advertising of the first authentication list are performed by a hub communicatively coupled to the first agent and the second agent; and the first agent and the second agent are mutually authenticated with the hub via mutual TLS (mTLS).
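The two configurations the claims describe (peer-to-peer advertisement and merging in claims 1-5 and 11-15; the hub repository with notify/request/transmit in claims 6-10 and 16-20, and the hub's topology map mentioned in the Summary) can be exercised end to end in a small simulation. The following is an added example written for this page; it is not code from the patent or from Rakuten Symphony. The class names, the (claimant, peer) edge representation, the version-number replay check, the `rogue` spoke and the ru1/du1/cu1 sample chain are all assumptions. It adds two checks a practitioner would want that the claims do not spell out: an agent only accepts a list from a sender that holds an authenticated session and that owns the list it sends, and the hub's map only contains edges both endpoints attest, so a single spoke cannot claim authentication with an entity that never authenticated it.

```python
"""Authentication-list advertisement as described in the claims. Added example,
not the patent's or Rakuten Symphony's code; names, message shape and sample
topology are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Edge = Tuple[str, str]  # (entity attesting the edge, entity it has authenticated)


@dataclass
class AuthList:  # claim 1: the owning entity plus the edges it advertises
    owner: str
    version: int = 0
    edges: Set[Edge] = field(default_factory=set)


def accept(sessions: Set[str], seen: Dict[str, AuthList], sender: str, lst: AuthList) -> bool:
    """Admission check shared by agents and hub: authenticated sender, own list only, no replays."""
    if sender not in sessions or lst.owner != sender:
        return False
    prev = seen.get(sender)
    if prev is not None and lst.version <= prev.version:
        return False
    seen[sender] = AuthList(lst.owner, lst.version, set(lst.edges))
    return True


class Agent:  # agent deployed in a network entity; peer-to-peer mode of claims 1-5
    def __init__(self, name: str) -> None:
        self.name, self.auth_list, self.seen = name, AuthList(owner=name), {}
        self.sessions: Set[str] = set()        # peers with completed mutual auth

    def authenticate(self, peer: "Agent") -> None:
        # Models a completed mutual authentication (802.1X, mTLS or API key).
        for me, other in ((self, peer), (peer, self)):
            me.sessions.add(other.name)
            me.auth_list.edges.add((me.name, other.name))
            me.auth_list.version += 1

    def receive(self, sender: str, lst: AuthList) -> bool:
        """Claim 3 merge; relayed edges keep their original claimant (no laundering)."""
        if not accept(self.sessions, self.seen, sender, lst):
            return False
        new = lst.edges - self.auth_list.edges
        if not new:
            return False
        self.auth_list.edges |= new
        self.auth_list.version += 1            # something learned: re-advertise
        return True

    def advertise(self, peers: Dict[str, "Agent"]) -> int:
        """Claim 2: transmit the current list to every authenticated peer."""
        return sum(peers[p].receive(self.name, self.auth_list) for p in self.sessions if p in peers)


def gossip_until_stable(agents: Dict[str, Agent]) -> None:
    """Claim 9's periodic advertisement, run until nobody learns anything new (finite)."""
    while sum(a.advertise(agents) for a in agents.values()):
        pass


class Hub:  # hub of claims 6-10; spokes are mTLS-authenticated to it (enrolled)
    def __init__(self, spokes: Set[str]) -> None:
        self.enrolled, self.seen, self.version = set(spokes), {}, 0
        self.notified: Set[str] = set()        # spokes told that an update is waiting

    def receive(self, sender: str, lst: AuthList) -> bool:
        if not accept(self.enrolled, self.seen, sender, lst):
            return False
        self.version += 1
        self.notified |= self.enrolled - {sender}  # claim 8: notify; the spoke pulls
        return True

    def topology(self) -> Dict[str, Set[str]]:
        """Trusted map: only edges the list owner itself attests count, and an edge
        appears only when both ends attest it (no trust by mere adjacency)."""
        own = {e for lst in self.seen.values() for e in lst.edges if e[0] == lst.owner}
        adj: Dict[str, Set[str]] = {}
        for a, b in own:
            if (b, a) in own:
                adj.setdefault(a, set()).add(b)
        return adj

    def serve(self, requester: str) -> Optional[AuthList]:
        """Claim 8: a notified spoke requests the update and receives the trusted map."""
        if requester not in self.notified:
            return None
        self.notified.discard(requester)
        return AuthList("hub", self.version, {(a, b) for a, bs in self.topology().items() for b in bs})


def demo() -> dict:
    # Constructed sample: O-RU ru1 -- O-DU du1 -- O-CU cu1 chain, plus a rogue
    # spoke asserting an edge that cu1 never confirms.
    agents = {n: Agent(n) for n in ("ru1", "du1", "cu1")}
    agents["ru1"].authenticate(agents["du1"])
    agents["du1"].authenticate(agents["cu1"])
    gossip_until_stable(agents)                # ru1 learns of cu1 through du1
    hub = Hub({"ru1", "du1", "cu1", "rogue"})
    for a in agents.values():
        hub.receive(a.name, a.auth_list)
    hub.receive("rogue", AuthList("rogue", 1, {("rogue", "cu1")}))
    return {"agents": agents, "hub": hub}
```

After `demo()` every agent in the chain holds all four attested edges, the hub's map contains the chain but not the rogue's unconfirmed edge, and a notified spoke can pull the update once with `hub.serve(name)` (a second call returns `None`, as claim 8's request/response implies). The design point is that an advertised entry is a claim by its owner, not a fact: the receiver records who said it, and the hub promotes an edge to "trusted" only when both endpoints have said it.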

Description

SYSTEM AND METHOD FOR ESTABLISHING A TOPOLOGY FOR ADVERTISING SUPPLICANTS IN A NETWORK

TECHNICAL FIELD

[0001] Systems, methods, and computer programs consistent with example embodiments of the present disclosure relate to a telecommunication network, and more specifically to advertising authenticated network entities so that network entities can view authenticated supplicants in a telecommunication network.

BACKGROUND

[0002] A radio access network (RAN) is an important component in a telecommunications system, as it connects end-user devices (or user equipment) to other parts of the network. The RAN includes a combination of various network elements (NEs) that connect end-users to a core network. Traditionally, the hardware and/or software of a particular RAN is vendor specific.

[0003] Open RAN (O-RAN) technology has emerged to enable multiple vendors to provide hardware and/or software to a telecommunications system. Since different vendors are involved, the types of hardware and/or software provided may also differ. That is, different types of NEs may be provided by different vendors, and depending on the specific service, an NE could be virtualized in software form (e.g., virtual machine (VM)-based) or could be in physical hardware form (e.g., non-VM based).

[0004] In an open front haul network of a telecommunications system employing the O-RAN architecture, network entities may employ port-based network access control (IEEE 802.1X) in order to regulate access to the network and to guard against transmission and reception by unidentified or unauthorized parties, with the consequent network disruption, theft of service, or data loss. Network entities may refer to entities such as RAN elements (e.g., O-RAN Centralized Unit (O-CU), O-RAN Distributed Unit (O-DU), O-RAN Radio Unit (O-RU), etc.) and transport network elements, and may have the role of either an authenticator or a supplicant. Under IEEE 802.1X, data traffic is allowed to pass between network entities only if those network entities are authenticated with each other.

[0005] In the related art, information regarding authenticated network entities (e.g., which network entities are authenticated and trustworthy) is kept locally within the network entities involved in that authentication and is not shared with network entities that are not involved in it. Further, in the related art, a network entity may be assumed to be trustworthy merely because it is connected to an authenticated network entity.

[0006] Accordingly, the related-art approach to authentication of network entities may have at least the following shortcomings. Since information regarding authenticated network entities is kept locally, and network entities may simply be assumed trustworthy by virtue of being connected to an authenticated network entity, the process is contrary to the Zero Trust model of the O-RAN architecture, and there is no mechanism for a single network entity in the open front haul network to obtain a comprehensive view of all the authenticated network entities within the network.

[0007] Further, there is no clearly defined technique for advertising information regarding authenticated network entities in either a peer-to-peer or a hub-and-spoke configuration so as to enable network entities to view authenticated supplicants in a telecommunication network. There is also no clearly defined implementation of a centralized service in the hub-and-spoke configuration, nor a technique for regularly updating network elements to adapt to changes in the network.

SUMMARY

[0008] Example embodiments of the present disclosure advertise authenticated network entities so that network entities can view authenticated supplicants in a telecommunication network. As such, example embodiments enable the development of a data store of information on authenticated supplicants for the network elements, thus building a comprehensive view of all the authenticated supplicants and defining an explicit level of trust. Further, in a hub-and-spoke configuration, the hub stores a repository of information on all the authenticated supplicants in the open front haul network, and a network mapping application may be developed on the hub to build a comprehensive topological overview of all the trusted, authenticated supplicant nodes based on the data sent by each agent.

[0009] According to embodiments, a system is provided. The system may include: a memory storage storing computer-executable instructions; and at least one processor communicatively coupled to the memory storage, wherein the at least one processor may be configured to execute the instructions to: create a first authentication list for a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; and advertise the first authentication l