BACKGROUND

[0001] The present invention relates a method for an improved operation of a telecommunications network with a broadband access network, the telecommunications network being operated as a multi-operator sliced network, and especially comprising a central office point of delivery and/or a provider infrastructure control center for the service activation and/or operation of a network termination node,

wherein a plurality of communication service providers being enabled to use the infrastructure of the telecommunications network for providing communication services to a plurality of users being connected to the telecommunications network using a network termination node.

[0002] Furthermore, the present invention relates to a telecommunications network for an improved operation, the telecommunications network having a broadband access network, the telecommunications network being operated as a multi-operator sliced network, and especially comprising a central office point of delivery and/or a provider infrastructure control center for the service activation and/or operation of a network termination node,

wherein a plurality of communication service providers being enabled to use the infrastructure of the telecommunications network for providing communication services to a plurality of users being connected to the telecommunications network using a network termination node.

[0003] Additionally, the present invention relates to a system for an improved operation of a telecommunications network with a broadband access network, the telecommunications network being operated as a multi-operator sliced network, and especially comprising a central office point of delivery and/or a provider infrastructure control center for the service activation and/or operation of a network termination node, wherein a plurality of communication service providers being enabled to use the infrastructure of the telecommunications network for providing communication services to a plurality of users being connected to the telecommunications network using a network termination node, the system comprising the telecommunications network and a specific provider of the communication service providers.

[0004] Furthermore, the present invention relates to a provider infrastructure control center of an inventive telecommunications network or of an inventive system and/or to the use of a provider infrastructure control center in an inventive telecommunications network or in an inventive system or in a method according to the present invention.

[0005] Furthermore, the present invention relates to a program comprising a computer readable program code, and a computer-readable medium.

[0006] The exchange of packetized information in broadband communication systems or telecommunications networks, both in fixed-line as in wireless communication systems (or fixed-line communication networks and mobile communication networks) has already grown dramatically and probably will also grow in the future due to the rapid spread of different data services in such communication networks.

[0007] The present invention generally relates to the area of aggregation networks linking remote or central access nodes to a backbone network or core network of the telecommunications network, e.g. broadband access network platforms such as 5G or CORD (Central Office Re-architected as a Data Center).

[0008] Typically in such architectures, multiple network termination ports are aggregated by an access node (e.g. a DSLAM device (Digital Subscriber Line Access Multiplexer) or an OLT (Optical Line Terminal) device) and interconnected to a subscriber termination device via a layer-2 infrastructure such as a datacenter fabric.

[0009] In today’s broadband networks, an optical network terminal device (or network termination node) needs to be authenticated by an optical line terminal (or line

termination node). This typically requires knowledge on device-specific information (basic credentials, usually a serial number) before the optical network terminal device (network termination node) gets connected. In conventionally known networks, the network operator typically owns and provides the optical network terminal device (or network termination nodes) and thus knows the built-in credentials (such as identity information or hardware identity information or serial numbers, etc.) which are typically configured by network operator technicians at time of setup.

[0010] On the one hand, the (regulatory) requirement of free choice of the used PON (passive optical network) or optical network terminals or home gateway devices by the customer needs to be satisfied. Additionally, possibility to enable the sharing of infrastructure among multiple operators is a further requirement.

SUMMARY [0011] An object of the present invention is to provide a technically simple, effective and cost effective solution for an improved operation of a telecommunications network with a broadband access network, the telecommunications network being operated as a multi-operator sliced network, and especially comprising a central office point of delivery and/or a provider infrastructure control center for the service activation and/or operation of a network termination node, wherein a plurality of communication service providers being enabled to use the infrastructure of the telecommunications network for providing communication services to a plurality of users being connected to the

telecommunications network using a network termination node, wherein the central office point of delivery and/or the broadband access network comprises a plurality of line termination nodes, wherein a specific line termination node of the plurality of line termination nodes is connectable to at least one specific network termination node of a plurality of network termination nodes, wherein an authentication of the specific network termination node is performed, after connecting the specific network termination node to the specific line termination node, by means of a provider federation operation, relating the specific network termination node to a specific provider of the plurality of

communication service providers. A further object of the present invention is to provide a corresponding telecommunications network, a corresponding system, a corresponding provider infrastructure control center, and a corresponding network of a service provider.

[0012] The object of the present invention is achieved by a method for an improved operation of a telecommunications network with a broadband access network, the telecommunications network being operated as a multi-operator sliced network, and especially comprising a central office point of delivery and/or a provider infrastructure control center for the service activation and/or operation of a network termination node, wherein a plurality of communication service providers being enabled to use the infrastructure of the telecommunications network for providing communication services to a plurality of users being connected to the telecommunications network using a network termination node,

wherein the central office point of delivery and/or the broadband access network comprises a plurality of line termination nodes, wherein a specific line termination node of the plurality of line termination nodes is connectable to at least one specific network termination node of a plurality of network termination nodes,

wherein an authentication of the specific network termination node is performed, after connecting the specific network termination node to the specific line termination node, by means of a provider federation operation, relating the specific network termination node to a specific provider of the communication service providers,

wherein the method for improved operation of the telecommunications network and/or service activation and/or operation of the specific network termination node comprises the following steps:

-- in a first step, the specific network termination node is connected to the specific line termination node and activated, wherein a walled garden access is provided, to the specific network termination node, to access the provider infrastructure control center of the telecommunications network,

-- in a second step, subsequent to the first step, the walled garden access is used, by the specific network termination node or by a client device connected to the specific network termination node, to access a provider-specific server environment of the specific provider,

-- in a third step, subsequent to the second step, the specific network termination node is authenticated and federated with the specific provider. [0013] It is thereby advantageously possible according to the present invention to provide a solution to multi-operator infrastructure sharing, i.e. the infrastructure is shared among multiple operators, wherein a shared server architecture plays an important role to federate service endpoints shared among multiple service providers in a commonly used access network, especially a passive optical network (PON)-based access network. According to the present invention, it is advantageously possible that - in contrast to RADIUS based wholesale - a provider-neutral overlay approach can be realized in order to decouple the infrastructure provider from the service provider.

[0014] In today’s PON-based broadband networks, an optical network terminal (ONT ), or network termination node, needs to be authenticated by an optical line terminal (OLT), or line termination node. This typically requires hardware information before the optical network terminal (or network termination node) gets connected to the

telecommunications network. Conventionally, the operator typically owns the network termination node and provides the credentials which are configured by operators technician at time of set up. However, due to regulatory requirements (free choice of network termination nodes (such PON ONTs and/or homegateways), the operator needs to authenticate the unkown network termination node (especially an optical network terminal).

[0015] The present invention describes a method of detection untrusted/unknown ONT devices in order to provide connectivity to a service edge and validating customer connectivity by setting up a centralized server architecture serving wholesale and multi operator environment. This kind of authentication logic supports the principles disclosed in European Patent application 17 175 601.8 and can be regarded as the procedure executed before the registration-ID driven process according to European Patent application 17 175 601.8 can be executed. According to the present invention, a control logic serving multiple provider in a centralized server architecture is used.

[0016] It is possible according to the present invention to detect untrusted optical network terminal devices (or network termination nodes) in order to provide connectivity to a service edge in view to validate customer connectivity. Especially, it is

advantageously possible according to the present invention, to detect unknown optical network terminal devices (or network termination nodes), to correlate the built-in but unknown identity information or hardware ID (especially a serial number or the like or another hardware identity information) with a path setup towards a specific service provider connected to the telecommunications network.

[0017] In conventionally known telecommunications networks - especially switching networks that are typically so-called SDN-based (software defined network-based) networks or switching networks (that typically provide the backbone of access PODs (central office points of delivery) -, an SDN (software defined network) controller takes care of the connectivity between different nodes of the central office point of delivery, such as, e.g., leaf and spine switches (or nodes). In conventionally known

telecommunications networks, this configuration is typically done by source and destination identifiers (IDs or identity information) which provide (or realize) a mutual assignment between a specific optical network terminal device (or specific network termination node), on the one hand, and a service edge node, on the other hand. From a free choice of the used passive optical network (PON) components or optical network terminals results that the identities (or identity information) of optical network terminal devices (or network termination nodes) are unknown to the network operator and/or to the infrastructure provider.

[0018] According to the present invention, a solution is provided for a new multi operator POD Control and Provider Federation VPN network, a new server farm providing all necessary location look up functions in order to enable flexible PON endpoint provider federation. In SDN-based networks, an SDN controller takes care of provisioning and managing connectivity between the different network nodes, especially leaf and spine switches (especially using source and destination identities or identifiers). In a PON-based access network (with unknown ONT IDs) however, this model cannot be applied straightforwardly as required information for privisioning the path is not available: Either the relation between the ONT identity, on the one hand, to layer 2 circuit identity (or identifier) - which is also known as Line ID -, on the other hand, is missing, or (otherwise) the session correlation in the service edge to the optical network terminal (network termination node) identifier (or identity) cannot be performed. Another problem is the fixed assignment of physical L2 hand off ports towards wholesale partners: This forces an operator to provide a single unchangeable hand off port at service edge (BNG).

[0019] Especially, it is advantageously possible according to the present invention to avoid these drawbacks and to provide a flexible fabric setup (within the central office point of delivery) between optical line terminal devices (or line termination nodes) on the one hand, and layer-2 service edge nodes (SE3) on the other hand, is provided.

[0020] Hence, according to the present invention, it is advantageously possible that an improved operation of a telecommunications network is possible, the

telecommunications network being operated as a multi-operator sliced network, and especially comprising a central office point of delivery and/or a provider infrastructure control center for the service activation and/or operation of a network termination node. A plurality of communication service providers are enabled to use the infrastructure of the telecommunications network for providing communication services to a plurality of users (using network termination nodes). The specific network termination node is

authenticated, after connecting the specific network termination node to the specific line termination node, by means of a provider federation operation, relating the specific network termination node to a specific provider of the communication service providers.

[0021] The method comprises the steps of:

in a first step: the specific network termination node is connected to the specific line termination node and activated, wherein a walled garden access is provided, to the specific network termination node, to access the provider infrastructure control center of the telecommunications network,

in a second step, subsequent to the first step: the walled garden access is used, by the specific network termination node or by a client device connected to the specific network termination node, to access a provider-specific server environment of the specific provider,

in a third step, subsequent to the second step: the specific network termination node is authenticated and federated with the specific provider.

[0022] The telecommunications network according to the present invention might be a fixed-line telecommunications network or a mobile communication network but preferably is a telecommunications network having both aspects (or parts) of a fixed-line telecommunications network (or being a fixed-line telecommunications network in such parts) and aspects (or parts) of a mobile communication network (or being a mobile communication network in such parts); such networks are also known under the term fixed-mobile-convergence networks (FMC networks).

[0023] Furthermore, it is advantageously possible and preferred according to the present invention that during the first step, an identity information of the specific network termination node is transmitted to the specific line termination node, the identity information of the specific network termination node especially being a hardware identity information of the specific network termination node, especially a serial number of the specific network termination node.

[0024] By means of the identity information of the specific network termination node being a hardware identity information of the specific network termination node, especially a serial number of the specific network termination node, it is advantageously possible to easily identify the specific network termination node and/or distinguish different network termination nodes. According to a furthermore preferred embodiment, the identity information of the specific network termination node is a hardware identity information of the specific network termination node such that the identity information is unique, especially universally unique. [0025] Furthermore, and according to an alternative embodiment of the present invention, it is preferred that the provider infrastructure control center comprises a reverse federation proxy entity, the reverse federation proxy entity providing access - using the walled garden access of the specific network termination node or of a client device connected to the specific network termination node - to the provider-specific server environment of the specific provider.

[0026] Thereby, it is advantageously possible to provide for efficient realization of the present invention, such that a connection request is able to be routed to the network of the service provider (e.g. a landing page). [0027] According to a further preferred embodiment of the present invention, in order for the specific provider being able to provide a communication service to the specific network termination node or to the client device connected to the specific network termination node, a specific internet protocol address information is to be associated with the identity information of the specific network termination node, wherein the reverse federation proxy entity transmits the specific internet protocol address information to the specific provider.

[0028] Thereby, it is advantageously possible to easily and effectively realize the inventive method of an improved operation of a telecommunications network with a broadband access network, and especially the telecommunications network being operated as a multi-operator sliced network.

[0029] According to a further embodiment of the present invention, in order to federate the specific provider with the communication service access provided by the specific network termination node, the specific internet protocol address information is transmitted to the specific line termination node or to the central office point of delivery the specific line termination node is part of or connected to.

[0030] By means of transmitting the specific internet protocol address information to the specific line termination node or to the central office point of delivery the specific line termination node is part of or connected to, it is advantageously possible to easily and effectively realize the inventive method of an improved operation of a telecommunications network.

[0031] According to still a further embodiment of the present invention, - during the second step and while the specific network termination node or the client device connected to the specific network termination node uses the walled garden access to access a provider-specific server environment of the specific provider - customer data and/or or a location identification information is provided by the specific network termination node or the client device connected to the specific network termination node.

[0032] By means of the specific network termination node or the client device connected to the specific network termination node providing customer data and/or or a location identification information, it is advantageously possible to realize the inventive method efficiently.

[0033] According to a further embodiment of the present invention, the provider infrastructure control center comprises a domain name server entity, the domain name server entity referring to the reverse federation proxy entity regarding known hostnames, especially hostnames of provider networks.

[0034] Thereby, it is advantageously possible to easily and effectively implement the inventive method. [0035] According to still a further embodiment of the present invention, the telecommunications network comprises a repository node, the respository node comprising or being able to access relevant pieces of information, especially the corresponding pieces of identity information, regarding all network termination nodes of the plurality of network termination nodes within the broadband access network or within the central office point of delivery.

[0036] Thereby, it is advantageously possible to provide for an identification of such optical network terminal devices or network termination nodes that are not under control of the network operator - hence that are in the first place unknown to the network operator. [0037] Furthermore, the present invention relates to a telecommunications network for an improved operation, the telecommunications network having a broadband access network, the telecommunications network being operated as a multi-operator sliced network, and especially comprising a central office point of delivery and/or a provider infrastructure control center for the service activation and/or operation of a network termination node,

wherein a plurality of communication service providers being enabled to use the infrastructure of the telecommunications network for providing communication services to a plurality of users being connected to the telecommunications network using a network termination node,

wherein the central office point of delivery and/or the broadband access network comprises a plurality of line termination nodes, wherein a specific line termination node of the plurality of line termination nodes is connectable to at least one specific network termination node of a plurality of network termination nodes,

wherein an authentication of the specific network termination node is performed, after connecting the specific network termination node to the specific line termination node, by means of a provider federation operation, relating the specific network termination node to a specific provider of the communication service providers,

wherein the telecommunications network is configured such that:

-- the specific network termination node is connected to the specific line termination node and activated, wherein a walled garden access is provided, to the specific network termination node, to access the provider infrastructure control center of the

telecommunications network,

-- the walled garden access is used, by the specific network termination node or by a client device connected to the specific network termination node, to access a provider- specific server environment of the specific provider,

-- the specific network termination node is authenticated and federated with the specific provider.

[0038] Furthermore, the present invention relates to a system for an improved operation of a telecommunications network with a broadband access network, the telecommunications network being operated as a multi-operator sliced network, and especially comprising a central office point of delivery and/or a provider infrastructure control center for the service activation and/or operation of a network termination node, wherein a plurality of communication service providers being enabled to use the infrastructure of the telecommunications network for providing communication services to a plurality of users being connected to the telecommunications network using a network termination node, the system comprising the telecommunications network and a specific provider of the communication service providers

wherein the central office point of delivery and/or the broadband access network comprises a plurality of line termination nodes, wherein a specific line termination node of the plurality of line termination nodes is connectable to at least one specific network termination node of a plurality of network termination nodes,

wherein an authentication of the specific network termination node is performed, after connecting the specific network termination node to the specific line termination node, by means of a provider federation operation, relating the specific network termination node to the specific provider,

wherein the method for improved operation of the telecommunications network and/or service activation and/or operation of the specific network termination node comprises the following steps:

-- in a first step, the specific network termination node is connected to the specific line termination node and activated, wherein a walled garden access is provided, to the specific network termination node, to access the provider infrastructure control center of the telecommunications network,

-- in a second step, subsequent to the first step, the walled garden access is used, by the specific network termination node or by a client device connected to the specific network termination node, to access a provider-specific server environment of the specific provider,

-- in a third step, subsequent to the second step, the specific network termination node is authenticated and federated with the specific provider.

[0039] Additionally, the present invention relates to a provider infrastructure control center of an inventive telecommunications network or of an inventive system and/or use of a provider infrastructure control center in an inventive telecommunications network or in an inventive system or in a method according to the present invention.

[0040] Still additionally, the present invention relates to a network of a service provider to be connected to an inventive telecommunications network as a specific service provider or network of a service provider as a specific service provider of an inventive system and/or use of a service provider as a specific service provider in an inventive telecommunications network or in an inventive system or in a method according to the present invention.

[0041] Still additionally, the present invention relates to a program comprising a computer readable program code which, when executed on a computer and/or on a central office point of delivery and/or on a provider infrastructure control center, or in part on a central office point of delivery and/or in part on a provider infrastructure control center, causes the computer and/or the central office point of delivery and/or the provider infrastructure control center to perform a method according to the present invention. [0042] Furthermore, the present invention relates to a computer-readable medium comprising instructions which when executed on a computer and/or on a central office point of delivery and/or on a provider infrastructure control center, or in part on a central office point of delivery and/or in part on a provider infrastructure control center, causes the computer and/or the central office point of delivery and/or the provider infrastructure control center to perform a method according to the present invention.

[0043] These and other characteristics, features and advantages of the present invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, which illustrate, by way of example, the principles of the invention. The description is given for the sake of example only, without limiting the scope of the invention. The reference figures quoted below refer to the attached drawings. BRIEF DESCRIPTION OF THE DRAWINGS

[0044] Figure 1 schematically illustrates a telecommunications network according to the present invention, having a broadband access network with a central office point of delivery.

[0045] Figure 2 schematically illustrates a part of a broadband access network of an inventive telecommunications network with a central office point of delivery and a plurality of service edge nodes as well as a provider federation control network.

[0046] Figure 3 schematically illustrates the provider federation control network in more detail, the provider federation control network exemplarily comprising the networks for three different providers.

[0047] Figure 4 schematically illustrates another illustration of the multi provider federation network.

[0048] Figure 5 schematically illustrates details regarding the provider federation control network.

[0049] Figure 6 schematically illustrates details regarding the reverse federation proxy entity.

[0050] Figure 7 schematically illustrates a flow diagram relating to the inventive provider federation process.

DETAILED DESCRIPTION

[0051] The present invention will be described with respect to particular

embodiments and with reference to certain drawings but the invention is not limited thereto but only by the claims. The drawings described are only schematic and are non- limiting. In the drawings, the size of some of the elements may be exaggerated and not drawn on scale for illustrative purposes.

[0052] Where an indefinite or definite article is used when referring to a singular noun, e.g.“a”,“an”,“the”, this includes a plural of that noun unless something else is specifically stated. [0053] Furthermore, the terms first, second, third and the like in the description and in the claims are used for distinguishing between similar elements and not necessarily for describing a sequential or chronological order. It is to be understood that the terms so used are interchangeable under appropriate circumstances and that the embodiments of the invention described herein are capable of operation in other sequences than described or illustrated herein.

[0054] In Figure 1 , a telecommunications network 100 according to the present invention is schematically shown, having - preferably - at least a fixed line part. A mobile (or cellular) part might be present as well, as part of the telecommunications network 100, but is not specifically illustrated in Figure 1. User equipments or client devices 51 , 52 are connected to the telecommunications network 100 by means of a (broadband) access network 120. The telecommunications network 100 comprises, especially as part of the broadband access network 120, at least one logical or physical central office point of delivery 110 that is preferably realized within a data center and that is especially handling different access requirements, especially different access possibilities, of the client devices 51 , 52 to network functionalities provided by the telecommunications network 100 or via the telecommunications network 100. The client devices 51 , 52 are typically connected to the logical or physical central office point of delivery 110 by means of a customer premises equipment device 50, 50’ or by means of a customer premises equipment functionality that might be built in the client devices 51 , 52. Preferably but not necessarily, the central office point of delivery 1 10 comprises a switching fabric 115 comprising a plurality of spine network nodes and typically also a plurality of leaf network nodes which are not explicitly represented in Figure 1.

[0055] Figure 2 schematically illustrates a central office point of delivery 1 10 as part of a broadband access network 120 of a telecommunications network 100, wherein the represented part of the telecommunications network 100 comprises - besides a controller node 180 and at least one repository node 182 - a plurality of line termination nodes 151 , 152, 153. Typically, each of the line termination nodes 151 , 152, 153 has one or a plurality of access node ports (not specifically illustrated in Figure 2). In the example represented in Figure 2, the broadband access network 120 comprises three line termination nodes, a first line termination node 151 , a second line termination node 152, and a third line termination node 153. The line termination nodes 151 , 152, 153 might be provided to support different access technologies to a home gateway or customer premises equipment 50. In the exemplary embodiment shown in Figure 2, the first line termination node 151 is taken as a line termination node supporting to be connected to an optical network, especially a passive optical network (PON), typically a so-called optical line terminal (OLT) or optical line terminal device. In such a situation, a client device 51 is connected to the telecommunications network 100 (i.e. to the first (or also called specific) line termination node 151 ) via the customer premises equipment 50 (or home gateway device 50) and a network termination node 75. The functionality of the customer premises equipment 50 (or home gateway device 50) and the functionality of the network termination node 75 might also be integrated in one device or“box”. Even the functionality of the client device 51 , the functionality of the customer premises equipment 50 (or home gateway device 50) and the functionality of the network termination node 75 might be integrated in one device or“box”. Nevertheless, these functionalities are represented in Figure 2 as separated functionalities. In Figure 2, only one home gateway device 50 (or customer premises equipment 50) (i.e. a specific customer premises equipment), and only one client device 51 , and only one network termination node 75 (i.e. a specific network termination node) are shown. However, also the second and/or third line termination nodes 152, 153 might be connected to corresponding network

termination nodes and customer premises equipments (not represented in Figure 2).

[0056] In the context of the present invention, in order to separate the“specific” or considered entities from the other entities of the same kind within the broadband access network 120, the first line termination node 151 is also called the specific line termination node 151 , the network termination node 75 connected to the first line termination node 151 is also called the specific network termination node 75, and the customer premises equipment 50 connected to the specific network termination node 75 is also called the specific customer premises equipment.

[0057] In case of the line termination nodes 151 , 152, 153 having a plurality of access node ports, also a plurality of network termination nodes are able to be connected to one line termination node 151 , 152, 153 and/or (in case that a network termination node has a plurality of ports also a plurality of customer premises equipments are able to be connected to one network termination node.

[0058] The central office point of delivery 110 and/or the broadband access network 120 comprises a controller node 180, at least one repository node 182, a plurality of line termination nodes 151 , 152, 153, and a plurality of service edge nodes 171 , 172, 173,

174, wherein a specific line termination node 151 of the plurality of line termination nodes is connectable - using an access node port of the specific line termination node 151- to typically only one specific network termination node 75 (of a plurality of network termination nodes that are, however, not shown in Figure 2). [0059] Hence, Figure 2 schematically shows a typical setup of a central office point of delivery 110. The specific customer premises equipment 50 (or specific home gateway 50) is connected via the specific optical network terminal (or the specific network termination node 75) and the specific optical line terminal (OLT MAC) (or the specific line termination node 151 ) to a leaf switch 161 (of a plurality of leaf switches 161 , 162, 163) which is dual-homed at a plurality of spine switches 171 , 172, 173. In the exemplary embodiment shown in Figure 2, it is assumed that the plurality of spine switches 171 ,

172, 173 also have a functionality of a service edge or a service edge user plane function or functionality (SE_U), especially for plain internet access built-in. However, the spine switch functionality might also be separated from the service edge functionality and vice versa, i.e. the service edge function or functionality may as well reside inside a different node in the central office point of delivery (than the spine switch functionality). However, reference signs 171 , 172, 173, 174 refer to the service edge functionality, and in case that the service edge functionality is separated from the spine switch functionality (or corresponding nodes are separated), an additional layer of network nodes are present between the leaf switches 161 , 162, 163, and the service edge nodes 171 , 172, 173, 174. A fourth service edge node 174, used for a bit stream access (BSA-SE-U) is assumed to be the layer-2 handoff for Layer-2 bitstream access which does not require IP routing capabilities. The controller or controller node 180 for the access domain - which controls the central office point of delivery 1 10 - has an access domain repository or repository node 182 (so-called A4 repository) which holds all devices within the passive optical network, including the connected optical network terminal devices (network termination nodes) and/or home gateways 50.

[0060] A service edge control plane 188 (or service edge control plane node 188) is shown as residing in the controller node 180, however, according to the present invention, it is also possible that the service edge control plane 188 (or service edge control plane node 188) is located separately from the controller node 180.

[0061] Besides the repository node 182, a database for alarms and anomalies is shown. This holds the history even in case of that the A4 repository (or repository node 182) already lost the session context (of a connection session) due to session

termination.

[0062] At the controller node 180, typically applications or functionalities like an ONT authentication application or functionality 184, and/or a vOLTHA functionality 185 and/or a fabric agent (FN-C) functionality 185 are located that control the configuration and management of related devices. [0063] For communication towards a policy server RP (Radius Proxy), a PFS client or PFS client functionality 189 takes care. A PFS functionality or PFS node 183 corresponds to a platform control which is or corresponds to an AAA (authentication, authorization, and accounting) and Policy Control Server. This platform device receives session initiation requests usually by BNGs which is part of the communication of the central office point of delivery 1 10. Furthermore, the PFS node 183 is the policy controller providing access profile settings based on policies rules and decisions. This information is sent to central office point of delivery 110 in order to configure at the service edge nodes 171 , 172, 173, 174 (SE-U) service related parameters. [0064] As already mentioned, in the typical central office point of delivery setup shown in Figure 2, a homegateway (HGW) or customer premises equipment 50 is connected via ONT (or network termination node 75) and OLT MAC (or line termination node 151 ) to a leaf switch 161 which is dual edged at spine 1 (reference sign 171 ) and spine 2 (reference sign 172). It is assumed that the spine nodes 171 , 172 have the SE (service edge) capability for plain internet access. Node 173 (SE 3) is assumed to be the L2 handoff for L2 bitstream access which does not require IP routing capabilities. The controller 180 for the access domain which controls the POD has an access domain repository (A4 repository) 182 which holds all devices within a PON including connected ONTs/HGW. According to the present invention, the description is mainly based on the usage of PPP-based dial in, but the principle is applicable to any kind of dial in (e.g. DHCPv4/v6, SLAAC etc.). Besides the local repository, a database for alarms and anomalies 181 is shown; this holds the history even in case that A4 repository (reference sign 181 ) already lost session context due to session termination.

[0065] According to the present invention, a federation with different service providers is possible, using the POD Control and Provider Federation network or a provider federation control network 200, which solves the problem of global ONT localization and provider federation. By means of this architecture, it is possible to solve network wide endpoint authentication in conjunction with multiservice and multi operator functionality. This mechanism is the basic function of an multi operator sliced network on infrastructure level. Today 5G technology considers slicing on application level only. According to the present invention, multi provider federation is possible by means of the control logic serving multiple provider in a centralized server architecture.

[0066] Hence, according to the present invention, a method to realize a federation between a specific network termination node 75, on the one hand, and a specific service provider or service provider network, on the other hand, is provided. In order for the central office point of delivery 1 10 to be able to realize such a federation, the central office point of delivery 1 10 is connected to the provider federation control network 200.

[0067] In Figure 3, the provider federation control network 200 is shown in more detail. The provider federation control network 200 exemplarily comprises the networks of three different service providers 310, 320, 330, namely a first service provider 310, a second service provider 320, and a third service provider 330. The provider federation control network 200 is represented by a dashed line and reference sign 200. The first service provider 310 comprises a first MPLS (multi protocol label switch) VPN (virtual private network) cloud or network 31 1 , and a first registration web server 312. Likewise, the second service provider 320 comprises a second MPLS VPN cloud or network 321 , and a second registration web server 322. Likewise, the third service provider 330 comprises a third MPLS VPN cloud or network 331 , and a third registration web server 332. The provider federation control network 200 furthermore comprises a reverse federation proxy entity 220, a domain name server entity 230, a data store entity 240, a DHCP (dynamic host configuration protocol) entity 241 (or DHCP server entity 241 ), and a radius entity 242 (or radius server entity 242), as well as - besides an MPLS backbone 201 - a first MPLS VPN 202 of the multi provider federation network, a second MPLS VPN 203 of the multi provider federation network, a third MPLS VPN 204 of the multi provider federation network, a fourth MPLS VPN 205 of the multi provider federation network, and an MPLS VPN 206 of or to the first service provider 310 or the network of the first service provider 310 and an MPLS VPN 207 of or to the third service provider 330 or the network of the third service provider 330. On the left hand side of Figure 3, the central office point of delivery 1 10 is schematically shown together with other kinds of access possibilities, such as BNG (broadband network gateway) access 11 1 , and BRAS (broadband remote access server) access 112.

[0068] The architecture for Multi Provider Federation consists of service edges (e.g. POD, BNG, BRAS) 110, 11 1 , 112 connected via a Multi Provider Federation VPN to centralized data center which hosts the reverse proxy 220. This reverse proxy 220 is switching requests based on DNS look ups towards service provider dedicated VPNs 311 , 321 , 331 , 206, 207. So each service provider 310, 320, 330 can host its own customers without getting in contact with a landing page provided by the provider who owns the access infrastructure. In wholesale scenarios, subscribers using access lines connected to a POD 110 of operator A will be served by BNGs residing in other operators’ networks. To allow for this, there needs to be a network interconnection to those carriers which is - in the exemplary embodiment shown in Figure 3 - usually provided by an IP/MPLS network. The provider federation control network 200 comprises a provider infrastructure control center (PICC) 210 (likewise represented by means of a dashed line and reference sign 210) that enables the selection of the data path to the right wholesale operator (service provider 310, 320, 330) based on credentials the user has been given by this operator. The provider federation control network 200, and especially the provider infrastructure control center 210, provide the possibility to enable wholesale for broadband access customers connected to the POD 110.

[0069] In Figure 4, another illustration of the multi provider federation network 200 is schematically shown, comprising different VPN networks 202, 203, 205, and server farms 21 1 , 212. [0070] Especially, a global MPLS VPN (Hub & Spoke) for virtual routing and forwarding (VRF) POD Multi Provider Federation is provided for all clients, i.e. customers, that are unknown. All central office points of delivery and broadband network gateways are part of the VPN as SPOKE member. In two datacenter clusters, the server farms are realized; these are part of the VPN but as hub members. All server farms publish the same networks (e.g., 10.255.255.0, 16,32/28) with different metrics. All server farms are similary if not identically realized; if one fails, the other is able to take the failed one by means of a metric. Advantageously, the server farms are completely stateless and do not have any information or status information of from a client. The clients, central office points of delivery 1 10 and broadband network gateways 1 11 are able to access the server farm and vice versa; however, clients (or customers), central office points of delivery or broadband network gateways are not able to reach each other. A server farm does no routing and no switching.

[0071] Figure 5 schematically illustrates details regarding the provider federation control network:

The server farm comprises the domain name server entity 230, an auxiliary or redundant domain name server entity 230’, the data store entity 240, the reverse federation proxy entity 220, and an auxiliary or redundant reverse federation proxy entity 220’. These configurations are static configurations. The domain name server entity 230 returns (as a consequence or requests regarding known hostnames) basically always the address of the reverse federation proxy entity 220. Unknown hostnames are answered by means of „NXDOMAIN“ or are routed to a catch-all Webserver. The default gateway is always 10.255.255.1 and is assigned by the PPA RA. The internet protocol addresses of the domain name server entity 230 are statically defined (or assigned) by the VRF system (virtual routing and forwarding): 10.255.255.17 (for the domain name server entity 230) and 10.255.255.18 (for the auxiliary or redundant domain name server entity 230’) and are provided to the client (or to the specific network termination node 75) by the PPA RA. Additionally, the internet protocol addresses of the reverse federation proxy entity 220/220’ are also statically defined by the VRF: 10.255.255.33 (for the reverse federation proxy entity 220) and 10.255.255.34 (for the auxiliary or redundant reverse federation proxy entity 220’). The reverse federation proxy entity 220 is a member of the plurality of provider VPN networks 206 (for the first (or specific) service provider 310), 207 (for the second service provider 320), and 208 (for the third service provider 330) as a HUB device. A customer location ID server (CLIS) resolves the access transaction ID (ATI) received from the client (or from the specific network termination node 75 or from a connected device 50, 51 such as a customer premises equipment device or a client device connected thereto) and returns the name of the specific (or used) central office point of delivery 1 10 by means of which the correct (specific) central office point of delivery 110 is contacted based on the serial number registration ID to be provided. The customer location ID server (CLIS) might be provided (or constructed or defined) in a hierarchical manner, and comprises all customer location ID information (i.e. the information content of all the customer location IDs) available within the

telecommunications network 100.

[0072] Figure 6 schematically illustrates details regarding the reverse proxy server 220. The domain name server entity 230 always returns the internet protocol address of the reverse federation proxy entity 220. The reverse proxy enitty 220 does only react to hostnames as part of the uniform resource location information. Especially, the reverse federation proxy entity 220 needs to have server name indication (SNI) capability

(HTTPS). The reverse federation proxy entity 220 comprises or acts according to a list (or database) that defines which hostname is routed to which internet protocol address. The reverse federation proxy entity 220 is connected to all service provider VPN networks (represented by reference signs 206, 207, 208 in both figures 5 and 6) as a HUB device. Eache service provider 310, 320, 330 needs to implement its own server (or network) infrastructure. By means of the MPLS VPN, any service provider is allowed (or is enabled) to redundantly operate a plurality of server infrastructures, especially according to a BGP metric principle. Any service provider is independent from the infrastructure provider’s network, and is free to follow own implementation guidelines, provided, however, that the service provider’s network is able to be reached by the reverse federation proxy entity 220 (or is capable to cooperate with the reverse federation proxy entity 220). Especially, the service provider 310, 320, 330 is able/allowed to request and obtain data from the data store entity 240 (using the internet protocol address of the reverse federation proxy entity 220) from its own VPN network. In the example shown in Figure 6, the configuration of the reverse federation proxy entity 220 and of the domain name server entity 230 is provided as follows:

[0073] Configuration of the reverse federation proxy entity 220:

Proxy Config

registrierung.telekom.de PROXY TO 172.16.1.33

registrierung.1 und1.de PROXY TO 172.16.2.33

registrierung.telefonica.de PROXY TO 172.16.3.33

^* PROXY TO CATCH ALL WEBSERVER Configuration of the domain name server entity 230:

Zonenfile

registrierung.telekom.de IN A 10.255.255.33

IN A 10.255.255.34

registrierung.l undl .de IN A 10.255.255.33

IN A 10.255.255.34

registrierung.telefonica.de IN A 10.255.255.33

IN A 10.255.255.34

IN A 10.255.255.33

[0074] Figure 7 schematically illustrates a flow diagram relating to the inventive provider federation process:

ONT Power Up - Control steps inside the POD

A. the ONT is turned on, and the control system (PPA) receives a port-up message and realizes that it does not know the serial number or registration ID of the device

C. The control system (PPA) creates a local database entry for this device and set the „walled garden flag"

D. The control system (PPA) assigns the tunnel that creates for the ONT an outer-VLAN tag from a pre defined range (e.g. 3900-4080)

E. The control system (PPA) configures a L2 tunnel to the service egde (SE) inside the POD that is handling such customers

F. The customer’s home gateway connects to the SE using PPPoE. The credentials are irrelevant

G. During the RADIUS authentication from the SE via the control system (PPA). The control system (PPA) detects that this customer had been flagged in the database as

„walled garden customer" H. The control system (PPA) selects a free IP address (e.g. lO.x.x.x) from the walled garden VPN (e.g. VRF WALLEDGARDEN) as well as DNS server (e.g.

10.255.255.17 and .18) and Default Gateway (e.g., 10.255.255.1 )

I. The control system (PPA) writes all this information including the ONT serial number into a separate database (WG Data Store)

J. control system (PPA) replies to the SE with access-accept and a vendor-specific walled garden flag

K. SE connects the customer’s L2 tunnel into the walled garden VRF and replies with IP addresses selected [0075] Customer Power Up

A1. The customer sets up a session via (e.g. PPP, DHCPv4/6, SLAAC...)

B1. The customer has received a URL to type into a device connected to the home gateway example : http://registation.telekom.de. The customer enters this URL into the browser

C1. The customer’s end device will resolve the DNS name using the assigned servers (here 10.255.255.17 or .18)

D1. The DNS server replies with the IP address oft he Proxy Server (PS) (here

10.255.255.33 or .34)

E1. The browser on the device sets up a TCP connection to one of these servers F1. The browser issues an HTTP Request :„GET Ar\n Host: registration.telekom.de"

G1. Proxy detetcs by Hostname ..registration. telekom.de" to pass the request towards IP destination 172.16.1.33

H1. Proxy set up through provider VPN (which is unknown for him) a connection towards server with IP 172.16.1.33

11. Proxy forwards customer IP (given in H to associate registration data later). This can be done e.g. by special Header information.

J1. Server 172.16.1.33 (as example), retrieve customer IP out of 11.

K1. Server 172.16.1.33 gets data out of Central Data Store (e.g. via REST API) and by customer IP also serial number of ONT.

L1. Frontend provides customer ability to insert customer data and location ID

(provided by operator and assigned for PON endpoint at time of installation of passive infrastructure.

M1. Server 172.16.1.33 communicates location-ID, Serial number an customer IP to central Data Store

N1. Central Data Store checks data and responds in case of correctness with registration ID und Line-ID und all relvant customer data 01. Central Data Store inserts Registration ID und Serial number and alle data in POD Data Base and set the flag that autoprovisoning active.

P1. Central Data Store acknowledges and triggers POD controller to release connectivity to VPN

Q1. POD Controller triggers fabric in order to redirect customer to regular

SE(independent if Retail or Wholesale); The ONT does not need to be rebooted (big benefit of that invention, that customer is not requested to terminate the PON).

[0076] Customer Power Up - after the registration procedure:

I. the optical network terminal (network termination node 75) powers up;

II. the central office point of delivery controller 180 does not have a registration ID but a serial number;

III. the central office point of delivery controller 180 requests and gets a serial number information (in the database of the controller (CDB)) being associated with the information“Autoprovisioning”;

IV. the central office point of delivery controller 180 now has a registration ID in the database that the customer should have provided using the optical network terminal (or network termination node) device;

V. the central office point of delivery controller 180 knows the Line ID - based on the knowledge of the registration ID;

VI. the central office point of delivery controller 180 is therefore able to apply the normal process as if the customer had input the registration ID; optionally it is also possible to store this registration ID in the device.

[0077] The present invention especially comprises four major points:

-- The Port Up Event of a unknown ONT triggers a request toward POD Control and Provider Federation VPN;

-- POD Control and Service Provider Federation VPN Reverse (federation) Proxy entity triggers customer request in order resolving provider related server environment -- Registration server provides the ability to trigger federation to provider and service -- POD initiates reroute towards regular service edge in order to provide instantiated service

[0078] According to the present invention, especially a system and a procedure is provided to automatically provision Layer-2 tunnels for subscribers connected to a broadband access infrastructure of an operaor A (service provider 310, 320, 330) to a broadband access server of operator B (specific service provider 310) by routing a first request via an intelligent proxy to the respective operator portal server, being enabled to correlate a subscriber-specific information - especially the subscribers IP address - to the serial number of the customer device (i.e. the specific network termination node 75, or the customer premises equipment device 50 or client device 51 ) by querying the operator A infrastructure server’s database allowing to persistently correlate the customer information to create a persistant mapping to the target operator B (i.e. the specific service provider 310). Possible methods or protocols include: the use of a PIC, the use of PPP or of IpoE, the use of IPv4 and IPv6, or the use of any kind of VPN. It is also conceivable to enable a plurality of such methods or protocols: In this case, the controller assigns them according a distribution rule which is either load dependent or operator pre- configured.