FOR SEPARATED CONTROL PLANES AND USER PLANES

TECHNICAL FIELD

Embodiments presented herein relate to methods, a control plane function entity, a user plane function entity, computer programs, and a computer program product for deep packet inspection of user data packets.

BACKGROUND

In communications networks, there may be a challenge to obtain good performance and capacity for a given communications protocol, its

parameters and the physical environment in which the communications network is deployed.

For example, one parameter in providing good performance and capacity for a given communications protocol in a communications network is latency. In this respect the 3rd Generation Partnership Project (3GPP) has specified that the control plane and the user plane of the serving gateway (SGW), the packet data network gateway (PGW) and the traffic detection function (TDF) in the evolved packet core (EPC) network could be separated. Such a separation could enable a flexible placement of the thus separated control plane and user plane functions for supporting diverse deployment scenarios (e.g. central or distributed user plane function) without affecting the overall functionality provided by these EPC entities. For example, such a separation could enable the user plane functions to be located operatively closer to the end-user than if the user plane functions are not separated from user plane functions, thus enabling latency to be reduced. When the control plane and the user plane of the PGW are separated from each other into a control plane function (CPF) and a user plane function (UPF) the UPF in some aspects is responsible for forwarding user data (i.e., packets), performing bearer binding at receiving user data from upstream, performing accounting of the packets and applying Quality of Service (QoS) enforcement per service data flow (SDF), per bearer (such as for an aggregation of all SDFs associated with a bearer) and/or per session (such as for an aggregation of all SDFs associated with the packet data network connection), under the control of the CPF. In such a network architecture, if the UPF does not have a deep packet inspection (DPI) functionality, the UPF cannot properly identify the service flow, which is needed in order for the UPF to perform other actions, e.g. bearer binding, accounting and enforce QoS.

On the other hand, since DPI is needed to identify the SDF to which the packets belong, it is not possible for the CPF to provide any so-called IP 5- tuple rule (where IP is short for Internet Protocol) to the UPF over the so- called Sx interface to identify such a service data flow.

Hence, there is still a need for improved mechanisms for DPI of user data packets.

SUMMARY

An object of embodiments herein is to provide efficient DPI for user data packets.

According to a first aspect there is presented a method for deep packet inspection of user data packets. The method is performed by a control plane function entity. The method comprises providing instructions to a user plane function entity to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity. The method comprises providing instructions to the user plane function entity to set up a data traffic end point in the user plane function entity for at least one service data flow. The method comprises providing instructions to the user plane function entity how to route the received user data packets when the received user data packets are received at the data traffic end point. The method comprises providing instructions to the deep packet inspection entity to direct the received user data packets for the at least one service data flow to the data traffic end point. According to a second aspect there is presented a control plane function entity for deep packet inspection of user data packets. The control plane function entity comprises processing circuitry. The processing circuitry is configured to cause the control plane function entity to provide instructions to a user plane function entity to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity. The processing circuitry is configured to cause the control plane function entity to provide instructions to the user plane function entity to set up a data traffic end point in the user plane function entity for at least one service data flow. The processing circuitry is configured to cause the control plane function entity to provide instructions to the user plane function entity how to route the received user data packets when the received user data packets are received at the data traffic end point. The processing circuitry is configured to cause the control plane function entity to provide instructions to the deep packet inspection entity to direct the received user data packets for the at least one service data flow to the data traffic end point.

According to a third aspect there is presented a control plane function entity for deep packet inspection of user data packets. The control plane function entity comprises processing circuitry and a computer program product. The computer program product stores instructions that, when executed by the processing circuitry, causes the control plane function entity to perform operations, or steps. The operations, or steps, cause the control plane function entity to provide instructions to a user plane function entity to redirect received user data packets requiring deep packet inspection to a deep packet inspection entity. The operations, or steps, cause the control plane function entity to provide instructions to the user plane function entity to set up a data traffic end point in the user plane function entity for at least one service data flow. The operations, or steps, cause the control plane function entity to provide instructions to the user plane function entity how to route the received user data packets when the received user data packets are received at the data traffic end point. The operations, or steps, cause the control plane function entity to provide instructions to the deep packet inspection entity to direct the received user data packets for the at least one service data flow to the data traffic end point.

According to a fourth aspect there is presented a control plane function entity for deep packet inspection of user data packets. The control plane function entity comprises a provide module configured to provide instructions to a user plane function entity to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity. The control plane function entity comprises a provide module configured to provide

instructions to the user plane function entity to set up a data traffic end point in the user plane function entity for at least one service data flow. The control plane function entity comprises a provide module configured to provide instructions to the user plane function entity how to route the received user data packets when the received user data packets are received at the data traffic end point. The control plane function entity comprises a provide instructions to the deep packet inspection entity to direct the received user data packets for the at least one service data flow to the data traffic end point.

According to a fifth aspect there is presented a computer program for deep packet inspection of user data packets, the computer program comprising computer program code which, when run on processing circuitry of a control plane function entity, causes the control plane function entity to perform a method according to the first aspect.

According to a sixth aspect there is presented a method for deep packet inspection of user data packets. The method is performed by a user plane function entity. The method comprises re-directing received user data packets requiring deep packet inspection to a deep packet inspection entity. The method comprises setting up a data traffic end point in the user plane function entity for at least one service data flow. The method comprises routing the received user data packets when the received user data packets are received at the data traffic end point. According to a seventh aspect there is presented a user plane function entity for deep packet inspection of user data packets. The user plane function entity comprises processing circuitry. The processing circuitry is configured to cause the user plane function entity to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity. The processing circuitry is configured to cause the user plane function entity to set up a data traffic end point in the user plane function entity for at least one service data flow. The processing circuitry is configured to cause the user plane function entity to route the received user data packets when the received user data packets are received at the data traffic end point.

According to an eighth aspect there is presented a user plane function entity for deep packet inspection of user data packets. The user plane function entity comprises processing circuitry and a computer program product. The computer program product stores instructions that, when executed by the processing circuitry, causes the user plane function entity to perform operations, or steps. The operations, or steps, cause the user plane function entity to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity. The operations, or steps, cause the user plane function entity to set up a data traffic end point in the user plane function entity for at least one service data flow. The operations, or steps, cause the user plane function entity to route the received user data packets when the received user data packets are received at the data traffic end point.

According to a ninth aspect there is presented a user plane function entity for deep packet inspection of user data packets. The user plane function entity comprises a re-direct module configured to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity. The user plane function entity comprises a set up module configured to set up a data traffic end point in the user plane function entity for at least one service data flow. The user plane function entity comprises a route module configured to route the received user data packets when the received user data packets are received at the data traffic end point. According to a tenth aspect there is presented a computer program for deep packet inspection of user data packets, the computer program comprising computer program code which, when run on processing circuitry of a user plane function entity, causes the user plane function entity to perform a method according to the sixth aspect.

According to an eleventh aspect there is presented a computer program product comprising a computer program according to at least one of the fifth aspect and the tenth aspect and a computer readable storage medium on which the computer program is stored. The computer readable storage medium could be a non-transitory computer readable storage medium.

Advantageously these methods, these control plane function entities, these user plane function entities, and these computer programs provide efficient DPI of the user data packets

Advantageously these methods, these control plane function entities, these user plane function entities, and these computer programs, by allocating a data traffic end point per SDF (possibly where several service data flows share the same data traffic end point), provide an efficient mechanism that for those packets requiring a deep packet inspection (where the packets cannot be identified IP 5-tuple rule) allows the user plane function entity (which does not comprise any DPI function) to perform bearer mapping, QoS enforcement, and accounting per SDF.

It is to be noted that any feature of the first, second, third, fourth, fifth, sixth seventh, eight, ninth, tenth and eleventh aspects may be applied to any other aspect, wherever appropriate. Likewise, any advantage of the first aspect may equally apply to the second, third, fourth, fifth, sixth, seventh, eight, ninth, tenth, and/or eleventh aspect, respectively, and vice versa. Other objectives, features and advantages of the enclosed embodiments will be apparent from the following detailed disclosure, from the attached dependent claims as well as from the drawings. Generally, all terms used in the enumerated embodiments are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise herein. All references to "a/an/the element, apparatus, component, means, step, etc." are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.

BRIEF DESCRIPTION OF THE DRAWINGS

The inventive concept is now described, by way of example, with reference to the accompanying drawings, in which:

Figs, l and 2 are schematic diagrams illustrating parts of a communication network according to embodiments;

Figs. 3, 4, 5, and 6 are flowcharts of methods according to embodiments; Fig. 7 is a schematic diagram showing functional units of a control plane function entity according to an embodiment;

Fig. 8 is a schematic diagram showing functional modules of a control plane function entity according to an embodiment;

Fig. 9 is a schematic diagram showing functional units of a user plane function entity according to an embodiment;

Fig. 10 is a schematic diagram showing functional modules of a user plane function entity according to an embodiment; and

Fig. 11 shows one example of a computer program product comprising computer readable means according to an embodiment. DETAILED DESCRIPTION

The inventive concept will now be described more fully hereinafter with reference to the accompanying drawings, in which certain embodiments of the inventive concept are shown. This inventive concept may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided by way of example so that this disclosure will be thorough and complete, and will fully convey the scope of the inventive concept to those skilled in the art. Like numbers refer to like elements throughout the description. Any step or feature illustrated by dashed lines should be regarded as optional.

Fig. l is a schematic diagram illustrating parts of a communications network loo where embodiments presented herein can be applied. The

communications network 100 comprises an SGW no, a PGW 120, a TDF 130, and an IP network 140. In the SGW 110, the PGW 120, and the TDF 130 the respective control planes are separated from the respective user planes. Thus, in turn, the SGW 110 comprises a control plane serving gateway SGW-C 110a and a user plane serving gateway SGW-U nob, the PGW 120 comprises a control plane packet data network gateway PGW-C 120a and a user plane packet data network gateway PGW-U 120b, and the TDF 140 comprises a control plane traffic detection function TDF-C 140a and a user plane traffic detection function TDF-U 140b. The SGW 110, SGW-C 110a, SGW-U 110b, PGW 120, PGW-C 120a, PGW-U 120b, TDF 140, TDF-C 140a, TDF-U 140b, and IP network 140 are interconnected via interfaces denoted S11, S4-C,

S5/8-C, Gn/Gp-C, S2a-C, S2b-C, Gx, Gy, Gz, S6b, Sd, Gyn, Gzn, SGi, Gn/Gp- U, S2a-U, S2b-U, S12, S4-U, Si-U, Sxa, Sxb, and Sxc.

Further, the communications network 100 comprises a control plane function (CPF) entity 200 a user plane function (UPF) entity 300. The control plane function entity 200 could be implemented in the PGW-C 120a (as in Fig. 1), in the TDF-C 140a, or even in the SGW-C 110a. The user plane function entity 300 could be implemented in the PGW-U 120b (as in Fig. 1), in the TDF-U 140b, or even in the SGW-U nob. Functionality of the control plane function entity 200 and the user plane function entity 300 will be described below. Fig. 2 is a schematic diagram illustrating the PGW-C 120a and the PGW-U 120b in more detail. In the illustrative example of Fig. 2, the PGW-C 120a and/or the CPF entity 200 comprises, is co-located with, or is operatively connected to, a deep packet inspection entity 400. In general terms, deep packet inspection (DPI, also called complete packet inspection and information extraction or IX) is a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, and/or defined criteria to decide whether the packet may pass or if it needs to be routed to a different destination, and/or, for the purpose of collecting statistical information that functions at the Application layer of the OSI (Open Systems Interconnection model). Examples of how to perform DPI are as such known in the art and further description thereof is therefore omitted.

As will be disclosed in more detail below, in order for DPI to be performed on user data packets received by the PGW-U 120b and/or the UPF entity 300, the user data packets need to be re-directed to the PGW-C 120a and/or the CPF entity 200. As will also be disclosed in more detail below, in order for such a re-direction to be performed, end points need to be set up.

At least one Sx UP End Point at CP (where UP is short for user plane and CP is short for control plane) is therefore provided by the CPF entity 200 to the UPF entity 300 at Sx session establishment so that packets e.g. IPv6 router solicitation / router advertisement (RS/RA), In band Radius/DHCP (where DHCP is short for Dynamic Host Configuration Protocol) messages (e.g. for scenarios 2, 3 and 4 in document 3GPP TS 23.214 Vo.1.0) can be routed to the PGW-C 120a, as well as for those IP packets which requires DPI for both uplink (UL) and downlink (DL) to identify which SDF it belongs to. In general terms, the CPF entity 200 could allocate any number of data traffic end points to receive different traffic, e.g. one for receiving RS/RA, one for DHCP, another for user data packets from a first web server, another one for user data packets from a second web server, etc. Further, in general terms, any such data end point may be allocated within the CPF entity 200, but could alternatively be located in another standalone entity, e.g. in another user plane entity. For each Sx UP End Point at CP the CPF entity 200 could provide a filtering rule (IP 5-tuple rule) that identifies the data traffic that requires to be redirected to the Sx UP End Point at CP, e.g. for further processing using DPI.

There could be multiple Sx UP End Point at CP provided by the CPF entity 200 to the UPF entity 300, each identified by a filtering rule.

The Sx UP End Point at CP could alternatively be provided during a Release Access Bearer Procedure when the SGW-U 110b does not perform buffering of downlink data.

For each SDF, or group of SDFs, that could only be identified by DPI, the CPF entity 200 requests the UPF entity 300 to allocate an Sx DL User Data End Point at UP and an Sx UL User Data End Point at UP at the UPF entity 300, and to assign a corresponding packet forwarding rule to route the packets received at this end point to either a remote DL user data end point (towards a next GTP-U hop, e.g. SGW) or toward Packet Data Network over the SGi in uplink direction, or towards some other destinations, e.g. towards a server for further processing of the user data packets, respectively. Additionally the CPF entity 200 could inform the UPF entity 300 about the corresponding parameters (bearer mapping, accounting, enforcement, etc.).

The request from the CPF entity 200 to the UPF entity 300 to allocate the Sx DL User Data End Point at UP and the Sx UL User Data End Point at UP can e.g. occur at the time a pre-defined rule, such as a pre-defined policy and charging control (PCC) rule is activated, which implies that a certain service is enabled/activated, or at the time the first user plane packet subject to DPI processing arrives at the Sx UP End Point at CP entity. For each bearer context at the interface S5/S8, the CPF entity 200 could be required to inform the UPF entity 300 of the remote DL user data End Point (i.e. SGW S5/S8-U), and allocate an UL user data End Point (i.e. PGW S5/S8- U which will be sent to the SGW-C 110a). The embodiments disclosed herein particularly relate to mechanisms for deep packet inspection of user data packets and deep packet inspection. In order to obtain such mechanisms there is provided a control plane function entity 200, a method performed by the control plane function entity 200, a computer program product comprising code, for example in the form of a computer program, that when run on processing circuitry of the control plane function entity 200, causes the control plane function entity 200 to perform the method. In order to obtain such mechanisms there is further provided a user plane function entity 300, a method performed by the user plane function entity 300, and a computer program product comprising code, for example in the form of a computer program, that when run on processing circuitry of the user plane function entity 300, causes the user plane function entity 300 to perform the method.

Figs. 3 and 4 are flow charts illustrating embodiments of methods for deep packet inspection of user data packets as performed by the control plane function entity 200. Figs. 5 and 6 are flow charts illustrating embodiments of methods for deep packet inspection of user data packets as performed by the user plane function entity 300. The methods are advantageously provided as computer programs 1120a, 1120b. The methods are advantageously implemented in the network architecture of Figs. 1 and 2.

Reference is now made to Fig. 3 illustrating a method for deep packet inspection of user data packets as performed by the control plane function entity 200 according to an embodiment.

The user plane function entity 300 is assumed not capable of performing deep packet inspection. The control plane function entity 200 is therefore configured to perform step S102:

S102: The control plane function entity 200 provides instructions to the user plane function entity 300 to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity 400. Further, in order for the user plane function entity 300 to receive user data packets on which deep packet inspection has been performed the user plane function entity 300 needs to set up a data traffic end point. Otherwise, it may even potentially be so that the user plane function entity 300 would once again re-direct the received user data packets requiring deep packet inspection deep packet inspection entity 400, despite that the user data packets already have been subjected to deep packet inspection. The control plane function entity 200 is therefore configured to perform step S104:

S104: The control plane function entity 200 provides instructions to the user plane function entity 300 to set up a data traffic end point in the user plane function entity 300 for at least one service data flow. In Fig. 2 two such data traffic end points are denoted Sx DL user data end point at UP per SDF and Sx DL user data end point at UP per SDF, respectively.

In this respect the user plane function entity 300 may not be enabled to identify the service data flow as such and is therefore instructed to set up the data traffic end point such that it can receive the user data packets after deep packet inspection has been performed.

The user data packets on which deep packet inspection has been performed are provided to the user plane function entity 300 from the deep packet inspection entity 400 and are then to be delivered towards their destination by the user plane function entity 300. The control plane function entity 200 therefore instructs the user plane function entity 300 how to route the received user data packets after deep packet inspection. The control plane function entity 200 is therefore configured to perform step S106: S106: The control plane function entity 200 provides instructions to the user plane function entity 300 how to route the received user data packets when the received user data packets are received at the data traffic end point.

Deep packet inspection is performed by the deep packet inspection entity 400 and in order for the deep packet inspection entity 400 to provide the user data packets on which deep packet inspection has been performed back to the user plane function entity 300 the control plane function entity 200 instructs the deep packet inspection entity 400 how to direct the user data packets. The control plane function entity 200 is therefore configured to perform step S110. S110: The control plane function entity provides instructions to the deep packet inspection entity 400 to direct the received user data packets for the at least one service data flow to the data traffic end point.

The user plane function entity 300 is thereby enabled to route the user data packets according to the instructions provided by the control plane function entity in step S106.

In this respect it is noted that the received user data packets are instructed to be re-directed in step S102 whilst the received user data packets are instructed to be directed in step S110. This distinction is made since the received user data packets otherwise in step S102 by default would not be directed to the deep packet inspection entity 400 whereas step S110 does not involve any re-direction of the received user data packets.

Further in this respect, in the illustrative example of Fig. 2 the user data packets are in the PGW-U 120b, by default, routed by a routing engine. The CPF entity 200 thus needs to instruct the UPF entity 300 such that user data packets requiring DPI are (at least temporarily) re-directed from the PGW-U 120b to the PGW-C 120a such that DPI can be performed. Hence in this example the routing engine needs to be configured to perform such redirection of the user data packets.

Embodiments relating to further details of deep packet inspection as performed by the control plane function entity 200 will now be disclosed.

Reference is now made to Fig. 4 illustrating methods for deep packet inspection of user data packets as performed by the control plane function entity 200 according to further embodiments. It is assumed that steps S102, S104, S106, S110 are performed as described above with reference to Fig. 3 and a thus repeated description thereof is therefore omitted.

In addition to provide instructions to the user plane function entity 300 how to route the received user data packets the control plane function entity 200 in some aspects instructions to the user plane function entity 300 to count the received user data packets. Hence according to an embodiment the control plane function entity 200 is configured to perform step S108:

S108: The control plane function entity 200 provides instructions to the user plane function entity 300 to count the received user data packets at the data traffic end point.

There could be different types of instructions regarding routing of the received user data packets. According to an embodiment the control plane function entity 200 provides instructions to the user plane function entity to route the received user data packets at the data traffic end point to either a remote data traffic end point (e.g., in the SGW 110) in downlink direction, or to an upstream node in the Packet Data Network (e.g., over interface SGi) in uplink direction, or to another server where the user data packets may be processed further. According to an embodiment the control plane function entity 200 provides instructions to the user plane function entity to route the received user data packets as part of a packet forwarding rule during a session management procedure, such as during a Sx session management procedure.

There could be different types of instructions regarding setting up the data traffic end point. For example, the control plane function entity 200 could instruct the user plane function entity 300 to either set up a data traffic end point, e.g. a GTP-U end point if GTP-U is used, for each of service data flow or for an aggregate of service data flow, in the PGW-U 120b. Hence according to an embodiment the instructions specifies to set up a separate data traffic end point for each of the at least one service data flows whilst according to another embodiment the instructions specifies to set up a common data traffic end point for an aggregate of the at least one service data flows.

According to some embodiments the instructions specifies the data traffic end point to be set up in the user plane function entity 300. Possible locations of the traffic end points (when provided as Sx UP end Point at CP) have been disclosed above.

Further, according to an embodiment the deep packet inspection entity 400 is instructed by the control plane function entity 200 to direct the received user data packets after performing deep packet inspection of the received user data packets. Reference is now made to Fig. 5 illustrating a method for deep packet inspection of user data packets as performed by the user plane function entity 300 according to an embodiment. The methods are advantageously implemented in the network architecture of Figs. 1 and 2.

As disclosed above, the control plane function entity 200 in step S102 provides instructions to the user plane function entity 300 to re-direct received user data packets for deep packet inspection. Hence the user plane function entity 300 is configured to perform step S202:

S202: The user plane function entity 300 re-directs received user data packets requiring deep packet inspection to the deep packet inspection entity 400.

As disclosed above, the control plane function entity 200 in step S104 provides instructions to the user plane function entity 300 to set up a data traffic end point. Hence the user plane function entity 300 is configured to perform step S204: S204: The user plane function entity 300 sets up a data traffic end point in the user plane function entity 300 for at least one service data flow.

As disclosed above, the control plane function entity 200 in step S106 provides instructions to the user plane function entity 300 how to route the received user data packets. Hence the user plane function entity 300 is configured to perform step S206:

S206: The user plane function entity 300 routes the received user data packets when the received user data packets are received at the data traffic end point.

According to some embodiments, to re-direct in step S202, to set up in step S204, and how to route in step S206 are defined by instructions received from the control plane function entity 200.

Embodiments relating to further details of deep packet inspection as performed by the user plane function entity 300 will now be disclosed.

Reference is now made to Fig. 6 illustrating methods for deep packet inspection of user data packets as performed by the user plane function entity 300 according to further embodiments. It is assumed that steps S202-S206 are performed as described above with reference to Fig. 5 and a thus repeated description thereof is therefore omitted.

As disclosed above, according to an embodiment the control plane function entity 200 provides instructions to the user plane function entity 300 to count the received user data packets at the data traffic end point. Hence according to an embodiment the user plane function entity 300 is configured to perform step S208:

S208: The user plane function entity 300 counts the received user data packets at the data traffic end point.

According to some embodiments, to count in step S208 is defined by instructions received from the control plane function entity 200. In accordance with the above disclosed embodiments, according to some embodiments the user plane function entity 300 routes the received user data packets at the data traffic end point to either a remote data traffic end point in downlink direction, or to an upstream node in uplink direction. In further accordance with the above disclosed embodiments, according to some embodiments the user plane function entity routes the received user data packets as part of a packet forwarding rule during a session management procedure. There could be different ways for the user plane function entity 300 to receive the user data packets. For example, the user data packets could be received either from downlink or uplink. Hence, according to an embodiment wherein the received user data packets are by the user plane function entity received from an upstream node in downlink direction whilst according to another embodiment the received user data packets are by the user plane function entity received from a user plane entity in uplink direction.

There could be different types of data traffic end points. According to an embodiment the data traffic end point is a user plane General Packet Radio Service Tunneling Protocol (GTP-U) type end point. In accordance with the above disclosed embodiments, according to an embodiment a separate data traffic end point is set up for each of the at least one service data flows whilst according to another embodiment a common data traffic end point is set up for an aggregate of the at least one service data flows. In accordance with the above disclosed embodiments, according to an embodiments the data traffic end point is set up in the user plane function entity 300.

Fig. 7 schematically illustrates, in terms of a number of functional units, the components of a control plane function entity 200 according to an

embodiment. Processing circuitry 210 is provided using any combination of one or more of a suitable central processing unit (CPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions stored in a computer program product 1110a (as in Fig. 11), e.g. in the form of a storage medium 230. The processing circuitry 210 l8 may further be provided as at least one application specific integrated circuit (ASIC), or field programmable gate array (FPGA).

Particularly, the processing circuitry 210 is configured to cause the control plane function entity 200 to perform a set of operations, or steps, S102-S110, as disclosed above. For example, the storage medium 230 may store the set of operations, and the processing circuitry 210 may be configured to retrieve the set of operations from the storage medium 230 to cause the control plane function entity 200 to perform the set of operations. The set of operations may be provided as a set of executable instructions. Thus the processing circuitry 210 is thereby arranged to execute methods as herein disclosed.

The storage medium 230 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.

The control plane function entity 200 may further comprise a

communications interface 220 for communications at least with the user plane function entity 300. As such the communications interface 220 may comprise one or more transmitters and receivers, comprising analogue and digital components.

The processing circuitry 210 controls the general operation of the control plane function entity 200 e.g. by sending data and control signals to the communications interface 220 and the storage medium 230, by receiving data and reports from the communications interface 220, and by retrieving data and instructions from the storage medium 230. Other components, as well as the related functionality, of the control plane function entity 200 are omitted in order not to obscure the concepts presented herein.

Fig. 8 schematically illustrates, in terms of a number of functional modules, the components of a control plane function entity 200 according to an embodiment. The control plane function entity 200 of Fig. 8 comprises a number of functional modules; a provide module 210a configured to perform step S102, a provide module 210b configured to perform step S104, a provide module 210c configured to perform step S106, and a provide module 2ioe configured to perform step S110. The control plane function entity 200 of Fig. 8 may further comprise a number of optional functional modules, such as a provide module 2iod configured to perform step S108. In general terms, each functional module 2ioa-2ioe may be implemented in hardware or in software. Preferably, one or more or all functional modules 2ioa-2ioe may be implemented by the processing circuitry 210, possibly in cooperation with functional units 220 and/or 230. The processing circuitry 210 may thus be arranged to from the storage medium 230 fetch instructions as provided by a functional module 2ioa-2ioe and to execute these instructions, thereby performing any steps of the control plane function entity 200 as disclosed herein.

Fig. 9 schematically illustrates, in terms of a number of functional units, the components of a user plane function entity 300 according to an embodiment. Processing circuitry 310 is provided using any combination of one or more of a suitable central processing unit (CPU), multiprocessor, microcontroller, digital signal processor (DSP), etc., capable of executing software instructions stored in a computer program product mob (as in Fig. 11), e.g. in the form of a storage medium 330. The processing circuitry 310 may further be provided as at least one application specific integrated circuit (ASIC), or field

programmable gate array (FPGA).

Particularly, the processing circuitry 310 is configured to cause the user plane function entity 300 to perform a set of operations, or steps, S202-S2o6a, as disclosed above. For example, the storage medium 330 may store the set of operations, and the processing circuitry 310 may be configured to retrieve the set of operations from the storage medium 330 to cause the user plane function entity 300 to perform the set of operations. The set of operations may be provided as a set of executable instructions. Thus the processing circuitry 310 is thereby arranged to execute methods as herein disclosed. The storage medium 330 may also comprise persistent storage, which, for example, can be any single one or combination of magnetic memory, optical memory, solid state memory or even remotely mounted memory.

The user plane function entity 300 may further comprise a communications interface 320 for communications at least with the control plane function entity 200. As such the communications interface 320 may comprise one or more transmitters and receivers, comprising analogue and digital

components.

The processing circuitry 310 controls the general operation of the user plane function entity 300 e.g. by sending data and control signals to the

communications interface 320 and the storage medium 330, by receiving data and reports from the communications interface 320, and by retrieving data and instructions from the storage medium 330. Other components, as well as the related functionality, of the user plane function entity 300 are omitted in order not to obscure the concepts presented herein.

Fig. 10 schematically illustrates, in terms of a number of functional modules, the components of a user plane function entity 300 according to an embodiment. The user plane function entity 300 of Fig. 10 comprises a number of functional modules; a re-direct module 310a configured to perform step S202, a set up module 310b configured to perform step S204, and a route module configured to perform step S206. The user plane function entity 300 of Fig. 10 may further comprises a number of optional functional modules, such as a count module 3iod configured to perform step S208. In general terms, each functional module 3ioa-3iod may be implemented in hardware or in software. Preferably, one or more or all functional modules 3ioa-3iod may be implemented by the processing circuitry 310, possibly in cooperation with functional units 320 and/or 330. The processing circuitry 310 may thus be arranged to from the storage medium 330 fetch instructions as provided by a functional module 3ioa-3iod and to execute these instructions, thereby performing any steps of the user plane function entity 300 as disclosed herein. The control plane function entity 200 and/or user plane function entity 300 may be provided as standalone devices or as a part of at least one further device. For example, according to an embodiment the control plane function entity 200 is provided in the control plane packet data network gateway PGW-C 120a, and according to an embodiment the user plane function entity 300 is provided in the user plane packet data network gateway PGW-U 120b. Additionally or alternatively the control plane function entity 200 could be provided in the control plane traffic detection function TDF-C 140a and the user plane function entity 300 could be provided in the user plane traffic detection function TDF-C 140b. Further, functionality of the control plane function entity 200 and/or user plane function entity 300 may be distributed between at least two devices, or nodes. These at least two nodes, or devices, may either be part of the same network part or may be spread between at least two such network parts. In general terms, instructions that are required to be performed in real time may be performed in a device, or node, operatively closer to the end-user of the user data packets than instructions that are not required to be performed in real time. In this respect, the user plane function entity 300 may be provided operatively closer to the end-user than the control plane function entity 200. The control plane function entity 200 and the user plane function entity 300 could be physically separated (and thus be implemented in physically separated devices). Thus, a first portion of the instructions performed by the control plane function entity 200 / user plane function entity 300 may be executed in a first device, and a second portion of the of the instructions performed by the control plane function entity 200 / user plane function entity 300 may be executed in a second device; the herein disclosed embodiments are not limited to any particular number of devices on which the instructions performed by the control plane function entity 200 / user plane function entity 300 may be executed. Hence, the methods according to the herein disclosed embodiments are suitable to be performed by a control plane function entity 200 / user plane function entity 300 residing in a cloud computational environment. Therefore, although a single processing circuitry 210, 310 is illustrated in Figs. 7 and 9 the processing circuitry 210, 310 may be distributed among a plurality of devices, or nodes. The same applies to the functional modules 2ioa-2ioe, 3ioa-3iod of Figs. 8 and 10 and the computer programs 1120a, 1120b of Fig. 11 (see below). Fig. 11 shows one example of a computer program product 1110a, mob comprising computer readable means 1130. On this computer readable means 1130, a computer program 1120a can be stored, which computer program 1120a can cause the processing circuitry 210 and thereto operatively coupled entities and devices, such as the communications interface 220 and the storage medium 230, to execute methods according to embodiments described herein. The computer program 1120a and/or computer program product 1110a may thus provide means for performing any steps of the control plane function entity 200 as herein disclosed. On this computer readable means 1130, a computer program 1120b can be stored, which computer program 1120b can cause the processing circuitry 310 and thereto operatively coupled entities and devices, such as the communications interface 320 and the storage medium 330, to execute methods according to embodiments described herein. The computer program 1120b and/or computer program product mob may thus provide means for performing any steps of the user plane function entity 300 as herein disclosed.

In the example of Fig. 11, the computer program product 1110a, mob is illustrated as an optical disc, such as a CD (compact disc) or a DVD (digital versatile disc) or a Blu-Ray disc. The computer program product 1110a, mob could also be embodied as a memory, such as a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), or an electrically erasable programmable read-only memory (EEPROM) and more particularly as a non-volatile storage medium of a device in an external memory such as a USB (Universal Serial Bus) memory or a Flash memory, such as a compact Flash memory. Thus, while the computer program 1120a, 1120b is here schematically shown as a track on the depicted optical disk, the computer program 1120a, 1120b can be stored in any way which is suitable for the computer program product 1110a, mob. Some embodiments described above have been summarised below in a list of enumerated embodiments:

1. A method for deep packet inspection of user data packets, the method being performed by a user plane function entity (300), the method

comprising:

re-directing (S202) received user data packets requiring deep packet inspection to a deep packet inspection entity (400);

setting up (S204) a data traffic end point in the user plane function entity (300) for at least one service data flow; and

routing (S206) the received user data packets when the received user data packets are received at the data traffic end point.

2. The method according to item 1, further comprising:

counting (S208) the received user data packets at the data traffic end point. 3. The method according to item 1, wherein the user plane function entity (300) routes the received user data packets at the data traffic end point to either a remote data traffic end point in downlink direction, or to an upstream node in uplink direction.

4. The method according to item 1, wherein the user plane function entity (300) routes the received user data packets as part of a packet forwarding rule during a session management procedure.

5. The method according to item 1, wherein to re-direct, to set up, and how to route are defined by instructions received from a control plane function entity (200). 6. The method according to item 1, wherein the received user data packets are by the user plane function entity (300) received from an upstream node in downlink direction. 7. The method according to item 1, wherein the received user data packets are by the user plane function entity (300) received from a user plane entity in uplink direction.

8. The method according to item 1, wherein the data traffic end point is a user plane General Packet Radio Service Tunneling Protocol, GTP-U, type end point.

9. The method according to item 1, wherein a separate data traffic end point is set up for each of the at least one service data flows.

10. The method according to item 1, wherein a common data traffic end point is set up for an aggregate of the at least one service data flows.

11. The method according to item 1, wherein the data traffic end point is set up in the user plane function entity (300).

12. A method for deep packet inspection of user data packets, the method being performed by a control plane function entity (200), the method comprising:

providing (S102) instructions to a user plane function entity (300) to redirect received user data packets requiring deep packet inspection to a deep packet inspection entity (400);

providing (S104) instructions to the user plane function entity (300) to set up a data traffic end point in the user plane function entity (300) for at least one service data flow;

providing (S106) instructions to the user plane function entity (300) how to route the received user data packets when the received user data packets are received at the data traffic end point; and

providing (S110) instructions to the deep packet inspection entity (400) to direct the received user data packets for the at least one service data flow to the data traffic end point. 13. The method according to item 12, further comprising:

providing (S108) instructions to the user plane function entity (300) to count the received user data packets at the data traffic end point.

14. The method according to item 12, wherein the user plane function entity (300) is instructed by the control plane function entity (200) to route the received user data packets at the data traffic end point to either a remote data traffic end point in downlink direction, or to an upstream node in uplink direction.

15. The method according to item 12, wherein the user plane function entity (300) is instructed by the control plane function entity (200) to route the received user data packets as part of a packet forwarding rule during a session management procedure.

16. The method according to item 12, wherein the deep packet inspection entity (400) is instructed by the control plane function entity (200) to direct the received user data packets after performing deep packet inspection of the received user data packets.

17. The method according to item 7 or 12, wherein the control plane function entity (200) is provided in a control plane packet data network gateway, PGW-C (120a). 18. The method according to item 1 or 6, wherein the user plane function entity (300) is provided in a user plane packet data network gateway, PGW-U (120b).

18. The method according to item 1 or 12, wherein the control plane function entity (200) and the user plane function entity (300) are physically separated.

19. A user plane function entity (300) for deep packet inspection of user data packets, the user plane function entity (300) comprising processing circuitry (310), the processing circuitry being configured to cause the user plane function entity (300) to: re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity (400);

set up a data traffic end point in the user plane function entity (300) for at least one service data flow; and

route the received user data packets when the received user data packets are received at the data traffic end point.

20. A user plane function entity (300) for deep packet inspection of user data packets, the user plane function entity (300) comprising:

processing circuitry (310); and

a computer program product (mob) storing instructions that, when executed by the processing circuitry, causes the user plane function entity (300) to:

re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity (400);

set up a data traffic end point in the user plane function entity

(300) for at least one service data flow; and

route the received user data packets when the received user data packets are received at the data traffic end point.

21. A user plane function entity (300) for deep packet inspection of user data packets, the user plane function entity (300) comprising:

a re-direct module (310a) configured to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity (400);

a set up module (310b) configured to set up a data traffic end point in the user plane function entity (300) for at least one service data flow; and a route module (310c) configured to route the received user data packets when the received user data packets are received at the data traffic end point.

22. A control plane function entity (200) for deep packet inspection of user data packets, the control plane function entity (200) comprising processing circuitry (210), the processing circuitry being configured to cause the control plane function entity (200) to: provide instructions to a user plane function entity (300) to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity (400);

provide instructions to the user plane function entity (300) to set up a data traffic end point in the user plane function entity (300) for at least one service data flow;

provide instructions to the user plane function entity (300) how to route the received user data packets when the received user data packets are received at the data traffic end point; and

provide instructions to the deep packet inspection entity (400) to direct the received user data packets for the at least one service data flow to the data traffic end point.

23. A control plane function entity (200) for deep packet inspection of user data packets, the control plane function entity (200) comprising:

processing circuitry (210); and

a computer program product (1110a) storing instructions that, when executed by the processing circuitry, causes the control plane function entity (200) to:

provide instructions to a user plane function entity (300) to re- direct received user data packets requiring deep packet inspection to a deep packet inspection entity (400);

provide instructions to the user plane function entity (300) to set up a data traffic end point in the user plane function entity (300) for at least one service data flow;

provide instructions to the user plane function entity (300) how to route the received user data packets when the received user data packets are received at the data traffic end point; and

provide instructions to the deep packet inspection entity (400) to direct the received user data packets for the at least one service data flow to the data traffic end point.

24. A control plane function entity (200) for deep packet inspection of user data packets, the control plane function entity (200) comprising: a provide module (210a) configured to provide instructions to a user plane function entity (300) to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity (400);

a provide module (210b) configured to provide instructions to the user plane function entity (300) to set up a data traffic end point in the user plane function entity (300) for at least one service data flow;

a provide module (210c) configured to provide instructions to the user plane function entity (300) how to route the received user data packets when the received user data packets are received at the data traffic end point; and a provide module (2ioe) configured to provide instructions to the deep packet inspection entity (400) to direct the received user data packets for the at least one service data flow to the data traffic end point.

25. A computer program (1120b) for deep packet inspection of user data packets, the computer program comprising computer code which, when run on processing circuitry (310) of a user plane function entity (300), causes the user plane function entity (300) to:

re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity (400);

set up a data traffic end point in the user plane function entity (300) for at least one service data flow; and

route the received user data packets when the received user data packets are received at the data traffic end point.

26. A computer program (1120a) for deep packet inspection of user data packets, the computer program comprising computer code which, when run on processing circuitry (210) of a control plane function entity (200), causes the control plane function entity (200) to:

provide instructions to a user plane function entity (300) to re-direct received user data packets requiring deep packet inspection to a deep packet inspection entity (400);

provide instructions to the user plane function entity (300) to set up a data traffic end point in the user plane function entity (300) for at least one service data flow; provide instructions to the user plane function entity (300) how to route the received user data packets when the received user data packets are received at the data traffic end point; and

provide instructions to the deep packet inspection entity (400) to direct the received user data packets for the at least one service data flow to the data traffic end point.

27. A computer program product (1110a, mob) comprising a computer program (1120a, 1120b) according to at least one of items 25 and 26, and a computer readable storage medium (1130) on which the computer program is stored.

The inventive concept has mainly been described above with reference to a few embodiments. However, as is readily appreciated by a person skilled in the art, other embodiments than the ones disclosed above are equally possible within the scope of the inventive concept.