Technical Field

[0001] The present disclosure relates to Network Function (NF) services provided by a

telecommunications Core Network (CN), and particularly to NF service registration, discovery, and access.

Background

[0002] The Core Network (CN) defined by the Third Generation Partnership Project (3GPP) is the part of the mobile broadband network that connects the Next Generation (NG) Radio Access Network (RAN) and User Equipment (UE) to other external Data Networks (DN), e.g., the Internet. The CN is, among others, responsible for forwarding packets between the UEs and the destination DNs, applying several tasks such as charging and policy control, Quality of Service (QoS) management, etc. The 3GPP

Technical Specification (TS) 23.501 , Version 15.4.0 defines some components and interfaces of a Fifth Generation (5G) CN (5GC), some of which are illustrated in Figure 1.

5GC Architecture

[0003] Figure 1 illustrates a wireless communication system represented as a 5GC architecture, composed of core Network Functions (NFs), where interaction between any two NFs is represented by a point-to-point reference point/interface.

[0004] Seen from the access side, the 5G network architecture shown in Figure 1 comprises a plurality of UEs connected to either a RAN or an Access Network (AN), referred to herein as a“(R)AN,” as well as an Access and Mobility Management Function (AMF). Typically, the (R)AN comprises base stations, e.g., such as enhanced or evolved Node Bs (eNBs) or 5G base stations (gNBs) or similar. Seen from the core network side, the 5G core NFs shown in Figure 1 include a Network Slice Selection Function (NSSF), an Authentication Server Function (AUSF), a Unified Data Management (UDM), a Policy Control Function (PCF), an Application Function (AF), an AMF, a Session Management Function (SMF), and a User Plane Function (UPF).

[0005] Reference point representations of the 5G network architecture are used to develop detailed call flows in the normative standardization. The N1 reference point is defined to carry signaling between the UE and AMF. The reference points for connecting between the (R)AN and AMF and between the (R)AN and UPF are defined as N2 and N3, respectively. N4 is used by the SMF and UPF so that the UPF can be set using the control signal generated by the SMF, and the UPF can report its state to the SMF. N5 is the reference point by which the PCF applies policy to the AF. N7 is the reference point between the SMF and the PCF and by which the PCF applies policy to the SMF. N8 is the reference point by which the AMF gets subscription data for the UE from the UDM. N9 is the reference point for the connection between different UPFs. N10 is the reference point by which the SMF gets subscription data for the UE from the UDM. There is a reference point, N1 1 , between the AMF and SMF, which implies that the SMF is at least partly controlled by the AMF. N12 is required for the AMF to perform authentication of the UE via the AUSF. N3 is the reference point by which the AUSF communicates with the UDM. N14 is the reference point connecting between different AMFs, respectively. N15 is the reference point through which the PCF applies policy to the AMF. N22 is the reference point by which the AMF communicates with the NSSF.

[0006] The 5G core network aims at separating user plane and control plane. The user plane carries user traffic while the control plane carries signaling in the network. In Figure 1 , the UPF is in the user plane and all other NFs, i.e., the AMF, SMF, PCF, AF, AUSF, and UDM, are in the control plane. At least one UPF is traversed by the packets between the (R)AN - in this example, an NG-RAN - and a destination DN. N6 is the reference point for the connection between the UPF and the DN. Separating the user and control planes guarantees each plane resource to be scaled independently. It also allows UPFs to be deployed separately from control plane functions in a distributed fashion. In this architecture, UPFs may be deployed very close to UEs to shorten the Round Trip Time (RTT) between UEs and data network for some applications requiring low latency.

[0007] The core 5G network architecture is composed of modularized functions. For example, the AMF and SMF are independent functions in the control plane. Separated AMF and SMF allow independent evolution and scaling. Other control plane functions like the PCF and AUSF can be separated as shown in Figure 1. Modularized function design enables the 5G core network to support various services flexibly.

[0008] Each NF interacts with another NF directly. It is possible to use intermediate functions to route messages from one NF to another NF. In the control plane, a set of interactions between two NFs is defined as service so that its reuse is possible. This service enables support for modularity. The user plane supports interactions such as forwarding operations between different UPFs. For both the user plane and the control plane, the view of the core network as comprising a set of NFs that provide services to each other is referred to as a Service Based Architecture (SBA), and each service is requested and provided via a Service Based Interface (SBI).

[0009] Figure 2 illustrates a 5G network architecture using service-based interfaces between the NFs in the control plane, instead of the point-to-point reference points/interfaces used in the 5G network architecture of Figure 1. Flowever, the NFs described above with reference to Figure 1 correspond to the NFs shown in Figure 2. Figure 2 also includes a User Data Repository (UDR). The service(s) etc. that an NF provides to other authorized NFs can be exposed to the authorized NFs through the service-based interface. In Figure 2 the service based interfaces are indicated by the letter“N” followed by the name of the NF, e.g., Namf for the service based interface of the AMF and Nsmf for the service based interface of the SMF etc. The Network Exposure Function (NEF) and the Network Repository Function (NRF) in Figure 2 are not shown in Figure 1 discussed above. Flowever, it should be clarified that all NFs depicted in Figure 1 can interact with the NEF and the NRF of Figure 2 as necessary, though not explicitly indicated in Figure 1. [0010] Some properties of the NFs shown in Figures 1 and 2 may be described in the following manner. The AMF provides UE-based authentication, authorization, mobility management, etc. A UE even using multiple access technologies is basically connected to a single AMF because the AMF is independent of the access technologies. The SMF is responsible for session management and allocates Internet Protocol (IP) addresses to UEs. It also selects and controls the UPF for data transfer. If a UE has multiple sessions, different SMFs may be allocated to each session to manage them individually and possibly provide different functionalities per session. The AF provides information on the packet flow to the PCF responsible for policy control in order to support QoS. Based on the information, the PCF determines policies about mobility and session management to make the AMF and SMF operate properly. The AUSF supports authentication function for UEs or similar and thus stores data for authentication of UEs or similar while the UDM stores subscription data of the UE. The DN, not part of the 5G core network, provides Internet access or operator services and similar.

Conventional NF Service Registration, Discovery, and Access

[001 1] Figure 3 illustrates an overview of the conventional process for NF service registration, discovery, authorization, and access. According to 3GPP TS 33.501 , Version 15.3.1 , the NF and NRF service access authorization and authentication are mandatory and based on the OAuth 2.0 framework (Internet Engineering Task Force (IETF) Request for Comments (RFC) 6749 and RFC 8252) and Transport Layer Security (TLS) (RFC 8446), respectively. An NF may be an NF service producer { i.e., may offer a service), an NF service consumer [ i.e., may use a service), or both. As used herein, the terms“NF service producer,”“NF producer,” and“service producer” are synonymous. As used herein, the terms“NF service consumer,”“NF consumer,” and“service consumer” are synonymous.

[0012] In the conventional process, the NF consumer contacts with the NRF first to find NF producers. If the NRF authorizes the access to a certain NF producer, e.g., the NF producer may be deployed in a different slice or have some access restriction policy in place, some information such as IP or Uniform Resource Locator (URL) address is sent back in the response message. Subsequently, the NF consumer must request an access token for the discovered NF producer from the NRF. Note that, in an OAuth 2.0 framework, the entity that owns the resource (i.e., the functions registry) is not the same as the entity that grants access (i.e., the authorization server). Thus, the steps of the conventional process are as follows:

[0013] Service Registration. An NF that is a service producer must register itself (step 300) with the NRF. This registration process can include authorization and/or authentication (e.g., the NRF can decide whether or not the NF is authorized to provide the advertised service and the NRF can determine whether or not the purported NF provider is authentic). As used herein, the terms“NF service registration request,” “NF registration request,”“service registration request,” and“registration request” are synonymous except where explicitly indicated otherwise. [0014] Service Discovery. Once the NF service producer is registered with the NRF, that service producer can be discovered by an NF service consumer, by issuing an NF Service Discovery request (step 302) to the NRF. The NRF may check to see whether the NF service consumer is authorized to make such a discovery request, and if so, the NRF will provide the NF service consumer with the identity of an appropriate NF service producer. As used herein, the terms“NF service discovery request,”“NF discovery request,”“service discovery request,” and“discovery request” are synonymous except where explicitly indicated otherwise.

[0015] Service Authorization. An NF service consumer may be authorized to discover available services and yet not be authorized to access some of those available services. Thus, the NF service consumer issues an NF service authorization request (step 304) to the NRF. The NRF may grant or deny authorization. The authorization may be granted in the form of an authorization token provided to the NF service consumer by the NRF. As used herein, the terms“NF service authorization request,”“NF authorization request,”“service authorization request,” and“authorization request” are synonymous except where explicitly indicated otherwise.

[0016] Service Request. If the NF service consumer is authorized to access the NF service, the NF service consumer may then make a service request (step 306) to the NF service producer. Where an authorization token was provided to the NF service consumer by the NRF, the NF service consumer must provide that authorization token to the NF service producer, either a part of the service request (step 306) or in a separate communication (step 308). As used herein, the terms“NF service access request,”“NF access request,”“service access request,”“service request,” and“access request” are synonymous except where explicitly indicated otherwise.

[0017] While authorization granted by the NRF in the form of access tokens follows the OAuth 2.0 framework, authentication relies on TLS.

[0018] Figure 4 illustrates in more detail the conventional NF service registration, whereby NF service producers contact the NRF to register their services that should be made available to other NFs. An NF service producer sends an NF service registration request to an NRF or other authorization server (step 400). The NRF registers the NF service producer and stores the NF service producer profile (step 402), and sends an NF service registration response to the NF service producer (step 404). Analogously, NF service consumers contact the NRF to find out about NF producers. This process is shown in Figure 5.

[0019] Figure 5 illustrates in more detail the conventional NF service discovery and authorization processes. For NFs to directly reach each other, e.g., through an NF service request, an access token must be issued by the NRF to the NF consumer. To do this, an NF service consumer sends an NF service discovery request to an NRF or other authorization server (step 500). The NRF determines whether or not the NF service consumer is authorized to make the NF service discovery request (step 502), and issues an NF service discovery response to the NF service consumer (step 504). For example, if the NF service consumer is authorized to make the NF service discovery request, then the NF service discovery response may include the identity of an appropriate NF service producer. On the other hand, if the NF service consumer is not authorized to make the NF service discovery request, the NF service discovery response may indicate that the NF service discovery request is denied.

[0020] In the example illustrated in Figure 5, the NF service consumer is authorized to make the service discovery request, so the NF service consumer must then issue an NF service authorization request to the NRF (step 506). If the NF service consumer is authorized to access the identified NF service, the NRF authorizes access to the NF service by the NF service consumer (step 508). In this example, the NRF indicates authorization by generating an access token, which it sends back to the NF service consumer as part of the NF service authorization response (step 510). In this example, the NF service authorization response also includes an expiration date of the token. This access token will be used by the NF service consumer when it attempts to access the NF service provided by the NF service producer.

[0021] In Figures 4 and 5, the NRF and NFs authenticate each other during the registration and discovery steps, since these steps demand confidentiality, integrity, and protection from replay attacks (i.e., when a malicious entity detects a legitimate access sequence, which it duplicates to obtain unauthorized access). Specifically, in Figure 5, the NRF determines whether the NF service consumer can discover a service based on the NF service consumer and NF service producer profiles and policies, e.g., the NF service producer could follow some access policy. Flence, the NRF allows the service discovery request based on an existing service discovery configuration policy.

[0022] It should be noted that just because an NF service consumer may be authorized to perform an NF service discovery, that does not necessarily mean that the NF service consumer will be granted access to a discovered NF service. For example, an NF service consumer may be able to determine a list of available NF services in the area, including those services that the NF service consumer is not authorized to access.

[0023] Once the access token is issued by the NRF, the NF service consumer requests the service from the NF service producer directly using the token. The same token must be verified in a separate step by the NF service producer and/or against the NRF, as shown in Figure 6.

[0024] Figure 6 illustrates in more detail the conventional NF service request with an access token. In Figure 6, the NF service consumer issues an NF service access request to the NF service producer (step 600). In this example, the NF service access request includes the access token that the NF service consumer previously received from the NRF, such as in step 510 of Figure 5. The NF service producer validates the token (step 602), which may or may not be done with assistance from the NRF (optional step 604). The NF service consumer then sends an NF service access response to the NF service consumer (step 606) indicating that the service access request was granted or denied. Conventional NF Service Processes Roaming

[0025] Figure 7 illustrates the conventional NF service discovery process in a roaming scenario. As shown in Figure 7, a roaming NF service consumer issues an NF service discovery request (step 700) towards the home authorization server, which in this example is the Flome NRF (HNRF). The NF service discovery request is routed to the HNRF via a Visited NRF (VNRF), which receives the NF service discovery request and determines whether the NF service consumer is authorized for NF service discovery (step 702). In the example illustrated in Figure 7, the roaming NF service consumer is authorized to make such a request, and so the NF service discovery request is forwarded from the VNRF to the HNRF (step 704). The HNRF responds by sending an NF service discovery response (step 706) to the VNRF, which forwards the response to the roaming NF service consumer (step 708).

[0026] Figure 8 illustrates the conventional NF authorization process in a roaming scenario. As shown in Figure 8, a roaming NF service consumer must first register within the visited network (step 800), which involves a mutual authentication (step 802) between the VNRF and the HNRF. The roaming NF service consumer then issues an access token request (step 804) towards the HNRF, which is received by the VNRF. In the example illustrated in Figure 8, the access token request includes parameters such as the NF instance ID, the NF consumer type, the target NF type, the FIPLMN ID, and the VPLMN ID. The VNRF authenticates the client (step 806). In the example illustrated in Figure 8, the authentication was successful, and so the VNRF forwards the access token request to the target HNRF (step 808). The HNRF authorizes the client (step 810), and if successful, generates an access token. In the example illustrated in Figure 8, the client is successfully authorized, so the HNRF issues an access token response (step 812) to the VNRF, which forwards the access token response to the roaming NF service consumer (step 814).

Problems with conventional solutions

[0027] The conventional method of NF service discovery and access suffers a number of inefficiencies, perhaps in part due to the fact that the discovery and access steps are managed by different working groups (SA2 and SA3, respectively) within 3GPP. As a result, an NF service consumer must perform an NF service discovery according to the procedures defined in 3GPP TS 23.501 , Version 15.4.0 and 3GPP TS 23.502, Version 15.4.0 (using Hypertext T ransfer Protocol (HTTP) GET), and then perform an authorization according to procedures defined in 3GPP TS 33.501 , Version 15.3.1 (using HTTP POST), which currently use OAuth 2.0 Services, originally designed for single sign-on for the web. From the OAuth 2.0 framework, the base for the service authorization framework in 5GC, the roles can be mapped to the following in 5GC:

• The NRF shall have both the authorization server and the resource owner roles, which grants access to a protected resource, e.g., a service from a certain NF producer.

• The NF consumer shall be the OAuth 2.0 client, which is an application that requests access to a certain service, e.g., from an NF producer. • The NF producer shall be the OAuth 2.0 server, which is an application offering a service.

[0028] As a result, every time an NF service consumer performs a service discovery, there are at least two transactions - a discovery request, then an access request - which can result in substantial signaling traffic in cells that are supporting a large number of wireless devices or other NF service consumers. The NRF can become a bottleneck as it will have to handle many message exchanges, including registrations, discoveries, token requests, and token verifications.

[0029] In addition, because the discovery request and access request occur at different times, the NRF needs to maintain state information from the time that it receives a discovery request to at least the time that it receives a corresponding access request - presuming that the NRF does later receive the corresponding access request. The state information maintained for a particular discovery request is herein referred to as a“state instance.” Since the NRF may not receive the later access request, the NRF must maintain a timeout timer for each state instance. Each state instance and timer consumes some amount of processing resources within the NRF.

[0030] In roaming scenarios, the NF service consumers and/or consumers may cross the Public Land Mobile Network (PLMN) or other network operator’s borders, e.g., between a Flome PLMN (FIPLMN) and a Visiting PLMN (VPLMN). A roaming NF service consumer has to reach their home network operator to request access at the NRF, where NF service producers must be registered. Thus, the high signaling overhead associated with conventional methods of NF discovery and access extends across networks in a roaming scenario, thus increasing network traffic between operator networks.

Summary

[0031] Methods and systems for optimizing Network Function (NF) service discovery are herein provided. As disclosed herein, the service discovery and service authorization steps are combined, which reduces the number of messages exchanged and thus reduces latency, as well as reducing the processing burden on the Network Repository Function (NRF).

[0032] According to one aspect of the present disclosure, a method, implemented in an NF consumer, for optimizing NF service discovery comprises: sending, to an authorization server, a combined service discovery and authorization request for an NF service; and receiving, from the authorization server, a service discovery response and an authorization response for the NF service.

[0033] In some embodiments, sending the service discovery and authorization request to an authorization server comprises sending the service discovery and authorization request to a NRF.

[0034] In some embodiments, receiving the service discovery response and the authorization response comprises receiving a combined service discovery and authorization response.

[0035] In some embodiments, receiving the service discovery response and the authorization response comprises receiving the service discovery response separate from the authorization response. [0036] In some embodiments, the authorization response comprises an access token for accessing the NF service.

[0037] In some embodiments, sending the combined service discovery and authorization request comprises sending a combined service discovery and authorization request for a plurality of NF services.

[0038] In some embodiments, receiving the service discovery response and an authorization response comprises receiving a service discovery response for the plurality of NF services.

[0039] In some embodiments, the service discovery response further comprises an authorization response for the plurality of NF services.

[0040] In some embodiments, receiving the service discovery response and an authorization response comprises receiving at least one authorization response separate from the service discovery response.

[0041] In some embodiments, the authorization response for the plurality of NF services comprises at least one access token.

[0042] In some embodiments, the authorization response for the plurality of NF services comprises one access token to be used for accessing the plurality of NF services.

[0043] In some embodiments, the authorization response for the plurality of NF services comprises a plurality of tokens to be used for accessing the plurality of NF services.

[0044] In some embodiments, the NF consumer comprises an Access and Mobility Management Function (AMF).

[0045] In some embodiments, sending the combined service discovery and authorization request comprises sending a service discovery request that comprises an access token request message having access token request message parameters.

[0046] In some embodiments, sending the combined service discovery and authorization request comprises sending a service discovery request that comprises at least one access token request message parameter.

[0047] In some embodiments, sending the combined service discovery and authorization request comprises sending an access token request message parameter that is not known until after service discovery, the access token request message parameter being set to a placeholder value within the combined service discovery and authorization request and replaced with an actual value after service discovery.

[0048] In some embodiments, the combined service discovery and authorization request specifies an access type, all possible access types, or all allowed access types for access to the NF service.

[0049] According to one aspect of the present disclosure, a method, implemented in an authorization server, for optimizing NF service discovery comprises: receiving, from a requesting entity, a service discovery request; determining that the received request is a combined service discovery and authorization request, and, upon determination that the received request is a combined service discovery and authorization request: authorizing the service discovery, and, upon determination that the service discovery is authorized, prepare a service discovery response; authorizing the client, and, upon determination that the client is authorized to access the service, prepare an authorization response; and sending, to the requesting entity, the service discovery response and the authorization response.

[0050] In some embodiments, the authorization server comprises an NRF.

[0051] In some embodiments, determining that the received service discovery request is a combined service discovery and authorization request for an NF service comprises determining that the received combined service discovery and authorization request comprises an access token request message having access token request message parameters.

[0052] In some embodiments, determining that the received service discovery request is a combined service discovery and authorization request for an NF service comprises determining that the received combined service discovery and authorization request comprises at least one access token request message parameter.

[0053] In some embodiments, determining that the received service discovery request is a combined service discovery and authorization request for an NF service comprises determining that the received combined service discovery and authorization request comprises an access token request message parameter that is not known until after service discovery.

[0054] In some embodiments, the combined service discovery and authorization request specifies an access type, all possible access types, or all allowed access types for access to the NF service.

[0055] In some embodiments, sending the service discovery response and the authorization response comprises sending a combined service discovery and authorization response.

[0056] In some embodiments, sending the service discovery response and the authorization response comprises sending the service discovery response separate from the authorization response.

[0057] In some embodiments, the authorization response comprises an access token for accessing the NF service.

[0058] In some embodiments, sending the combined service discovery and authorization request comprises sending a combined service discovery and authorization request for a plurality of NF services.

[0059] In some embodiments, receiving the service discovery response and an authorization response comprises receiving a service discovery response for the plurality of NF services.

[0060] In some embodiments, the service discovery response further comprises an authorization response for the plurality of NF services.

[0061] In some embodiments, receiving the service discovery response and an authorization response comprises receiving at least one authorization response separate from the service discovery response. [0062] In some embodiments, the authorization response for the plurality of NF services comprises at least one access token.

[0063] In some embodiments, the authorization response for the plurality of NF services comprises one access token to be used for accessing the plurality of NF services.

[0064] In some embodiments, the authorization response for the plurality of NF services comprises a plurality of tokens to be used for accessing the plurality of NF services.

[0065] In some embodiments, the requesting entity comprises an NF service consumer.

[0066] In some embodiments, the NF service consumer comprises an AMF.

[0067] According to one aspect of the present disclosure, a method, implemented in an authorization server, for optimizing NF service discovery comprises: receiving, from a requesting entity, a service discovery request; determining that the received request is a combined service discovery and authorization request, and, upon determination that the received request is a combined service discovery and authorization request: determining that the requesting entity is a roaming entity, and, upon determination that the requesting entity is a roaming entity, authorizing the service discovery, and, upon determination that the service discovery is authorized: forwarding the received service discovery and authorization request to an authorization server in the home network of the requesting entity; receiving from the authorization server in the home network of the requesting entity, a service discovery and authorization response; and sending, to the requesting entity, the service discovery and authorization response.

[0068] In some embodiments, at least one of the authorization server and the authorization server in the home network of the requesting entity comprises an NRF.

[0069] In some embodiments, the requesting entity comprises an NF service consumer.

[0070] In some embodiments, determining that the received service discovery request is a combined service discovery and authorization request for an NF service comprises determining that the received combined service discovery and authorization request comprises an access token request message having access token request message parameters.

[0071] In some embodiments, determining that the received service discovery request is a combined service discovery and authorization request for an NF service comprises determining that the received combined service discovery and authorization request comprises at least one access token request message parameter.

[0072] In some embodiments, determining that the received service discovery request is a combined service discovery and authorization request for an NF service comprises determining that the received combined service discovery and authorization request comprises an access token request message parameter that is not known until after service discovery.

[0073] In some embodiments, the combined service discovery and authorization request specifies an access type, all possible access types, or all allowed access types for access to the NF service. [0074] In some embodiments, sending the service discovery response and the authorization response comprises sending a combined service discovery and authorization response.

[0075] In some embodiments, sending the service discovery response and the authorization response comprises sending the service discovery response separate from the authorization response.

[0076] In some embodiments, authorizing the service discovery further comprises performing the service discovery and preparing the service discovery response.

[0077] In some embodiments, forwarding the received service discovery and authorization request to the authorization server in the home network further comprises forwarding the prepared service discovery response to the authorization server in the home network.

[0078] According to one aspect of the present disclosure, a method, implemented in an authorization server, for optimizing NF service discovery comprises: receiving, from a requesting entity, a service discovery request; determining that the received request is a combined service discovery and authorization request, and, upon determination that the received request is a combined service discovery and authorization request: determining that the requesting entity is an authorization server in a visited network, and, upon determination that the requesting entity is an authorization server in a visited network:

authorizing the client, and, upon determination that the client is authorized to access the service, prepare an authorization response; and sending, to the requesting entity, the authorization response.

[0079] In some embodiments, at least one of the authorization server and the authorization server in the visited network comprises an NRF.

[0080] In some embodiments, determining that the received service discovery request is a combined service discovery and authorization request for an NF service comprises determining that the received combined service discovery and authorization request comprises an access token request message having access token request message parameters.

[0081] In some embodiments, determining that the received service discovery request is a combined service discovery and authorization request for an NF service comprises determining that the received combined service discovery and authorization request comprises at least one access token request message parameter.

[0082] In some embodiments, determining that the received service discovery request is a combined service discovery and authorization request for an NF service comprises determining that the received combined service discovery and authorization request comprises an access token request message parameter that is not known until after service discovery.

[0083] In some embodiments, the combined service discovery and authorization request specifies an access type, all possible access types, or all allowed access types for access to the NF service. [0084] In some embodiments, receiving the combined service discovery and authorization request comprises receiving a service discovery response prepared by the authorization server in the visited network.

[0085] In some embodiments, sending the authorization response further comprises sending the received service discovery response.

[0086] In some embodiments, the method further comprises preparing a service discovery response, and sending the authorization response further comprises sending the service discovery response.

[0087] In some embodiments, sending the service discovery response and the authorization response comprises sending a combined service discovery and authorization response.

[0088] In some embodiments, sending the service discovery response and the authorization response comprises sending the service discovery response separate from the authorization response.

[0089] According to one aspect of the present disclosure, a network node for performing optimized NF service discovery comprises: a network interface; one or more processors; and memory storing instructions executable by the one or more processors, whereby the network node is operable to perform any of the methods disclosed herein.

[0090] According to one aspect of the present disclosure, a network node for performing optimized NF service discovery is provided, the network node being adapted to perform any of the methods disclosed herein.

[0091] According to one aspect of the present disclosure, a network node for performing optimized NF service discovery comprises means for performing any of the methods disclosed herein.

[0092] According to one aspect of the present disclosure, a network node for performing optimized NF service discovery comprises one or more modules operable to perform any of the methods disclosed herein.

[0093] According to one aspect of the present disclosure, a non-transitory computer readable medium stores software instructions that when executed by one or more processors of a network node for performing optimized NF service discovery, cause network node to perform any of the methods disclosed herein.

[0094] According to one aspect of the present disclosure, a computer program comprises instructions which, when executed by at least one processor, cause the at least one processor to perform any of the methods disclosed herein.

[0095] According to one aspect of the present disclosure, a carrier comprises the computer program above, wherein the carrier is one of an electronic signal, an optical signal, a radio signal, or a computer readable storage medium. [0096] The accompanying drawing figures incorporated in and forming a part of this specification illustrate several aspects of the disclosure, and together with the description serve to explain the principles of the disclosure.

[0097] Figure 1 illustrates a conventional wireless communication system represented as a Fifth Generation Core Network (5GC) architecture composed of core Network Functions (NFs), where interaction between any two NFs is represented by a point-to-point reference point/interface;

[0098] Figure 2 illustrates a 5G network architecture using service-based interfaces between the NFs in the control plane instead of the point-to-point reference points/interfaces used in the 5G network architecture of Figure 1 ;

[0099] Figure 3 illustrates an overview of the conventional process for NF service registration, discovery, and access;

[0100] Figure 4 illustrates in more detail the conventional NF service registration process;

[0101] Figure 5 illustrates in more detail the conventional NF service discovery and authorization processes;

[0102] Figure 6 illustrates in more detail the conventional NF service access process;

[0103] Figure 7 illustrates the conventional NF service discovery process in a roaming scenario;

[0104] Figure 8 illustrates the conventional NF authorization process in a roaming scenario;

[0105] Figure 9 illustrates one example of a cellular communications network according to some embodiments of the present disclosure;

[0106] Figure 10 illustrates an exemplary method for NF service discovery according to some embodiments of the present disclosure;

[0107] Figure 11 illustrates an exemplary method for NF service discovery in a roaming scenario according to some embodiments of the present disclosure;

[0108] Figure 12 illustrates a simplified example of a conventional User Equipment (UE) registration procedure, in which separate service discovery requests and authorization requests are made for each NF needed;

[0109] Figure 13 illustrates an optimized UE registration process according to some embodiments of the present disclosure, which uses a combined service discovery and authorization request for each NF needed;

[0110] Figure 14 illustrates a UE registration process even further optimized according to some embodiments of the present disclosure, which uses a single combined service discovery and authorization request for multiple NFs;

[0111] Figure 15 illustrates an optimized NF service discovery according to some embodiments of the present disclosure, which uses a single service discovery request for multiple NFs; [0112] Figure 16 is a schematic block diagram of a network node according to some embodiments of the present disclosure;

[0113] Figure 17 is a schematic block diagram that illustrates a virtualized embodiment of the network node of Figure 16 according to some embodiments of the present disclosure;

[0114] Figure 18 is a schematic block diagram of the network node of Figure 15 according to some other embodiments of the present disclosure;

[0115] Figure 19 is a schematic block diagram of a UE according to some embodiments of the present disclosure;

[0116] Figure 20 is a schematic block diagram of the UE of Figure 18 according to some other embodiments of the present disclosure;

[0117] Figure 21 illustrates a telecommunication network connected via an intermediate network to a host computer in accordance with some embodiments of the present disclosure;

[0118] Figure 22 is a generalized block diagram of a host computer communicating via a base station with a UE over a partially wireless connection in accordance with some embodiments of the present disclosure;

[0119] Figure 23 is a flowchart illustrating a method implemented in a communication system in accordance with one embodiment of the present disclosure;

[0120] Figure 24 is a flowchart illustrating a method implemented in a communication system in accordance with one embodiment of the present disclosure;

[0121] Figure 25 is a flowchart illustrating a method implemented in a communication system in accordance with one embodiment on the present disclosure; and

[0122] Figure 26 is a flowchart illustrating a method implemented in a communication system in accordance with one embodiment of the present disclosure. Detailed Description

[0123] Methods and systems for optimizing Network Function (NF) service discovery are herein provided. As disclosed herein, the service discovery and service authorization steps are combined, which reduces the number of messages exchanged and thus reduces latency, as well as reducing the processing burden on the Network Repository Function (NRF).

[0124] Combining the service discovery and authorization steps provides several benefits, including: lower latency, which is particularly relevant in roaming when NFs and the NRF may be in different locations, e.g., NF via a Flome NRF (HNRF) and Visiting NRF (VNRF); optimized signaling in the Fifth Generation Core Network (5GC) by reducing the number of messages exchanged between NFs and the NRF; and lower resource usage at the NRF, which may be a bottlenecked resource. Using the methods and systems of the present disclosure, the NRF can proactively provision an access token to the NF during the discovery process.

[0125] The embodiments set forth below represent information to enable those skilled in the art to practice the embodiments and illustrate the best mode of practicing the embodiments. Upon reading the following description in light of the accompanying drawing figures, those skilled in the art will understand the concepts of the disclosure and will recognize applications of these concepts not particularly addressed herein. It should be understood that these concepts and applications fall within the scope of the disclosure.

[0126] Radio Node: As used herein, a“radio node” is either a radio access node or a wireless device.

[0127] Radio Access Node: As used herein, a“radio access node” or“radio network node” is any node in a radio access network of a cellular communications network that operates to wirelessly transmit and/or receive signals. Some examples of a radio access node include, but are not limited to, a base station (e.g., a New Radio (NR) base station (gNB) in a Third Generation Partnership Project (3GPP) Fifth Generation (5G) NR network or an enhanced or evolved Node B (eNB) in a 3GPP Long Term Evolution (LTE) network), a high-power or macro base station, a low-power base station (e.g., a micro base station, a pico base station, a home eNB, or the like), and a relay node.

[0128] Core Network Node: As used herein, a“core network node” is any type of node in a core network. Some examples of a core network node include, e.g., a Mobility Management Entity (MME), a Packet Data Network Gateway (P-GW), a Service Capability Exposure Function (SCEF), or the like.

[0129] Wireless Device: As used herein, a“wireless device” is any type of device that has access to (i.e., is served by) a cellular communications network by wirelessly transmitting and/or receiving signals to a radio access node(s). Some examples of a wireless device include, but are not limited to, a User Equipment device (UE) in a 3GPP network and a Machine Type Communication (MTC) device.

[0130] Network Node: As used herein, a“network node” is any node that is either part of the radio access network or the core network of a cellular communications network/system.

[0131] Note that the description given herein focuses on a 3GPP cellular communications system and, as such, 3GPP terminology or terminology similar to 3GPP terminology is oftentimes used. However, the concepts disclosed herein are not limited to a 3GPP system.

[0132] Note that, in the description herein, reference may be made to the term“cell”; however, particularly with respect to 5G NR concepts, beams may be used instead of cells and, as such, it is important to note that the concepts described herein are equally applicable to both cells and beams.

[0133] Figure 9 illustrates one example of a cellular communications network 900 according to some embodiments of the present disclosure. In the embodiments described herein, the cellular communications network 900 is a 5G NR network. In this example, the cellular communications network 900 includes base stations 902-1 and 902-2, which in LTE are referred to as eNBs and in 5G NR are referred to as gNBs, controlling corresponding macro cells 904-1 and 904-2. The base stations 902-1 and 902-2 are generally referred to herein collectively as base stations 902 and individually as base station 902. Likewise, the macro cells 904-1 and 904-2 are generally referred to herein collectively as macro cells 904 and individually as macro cell 904. The cellular communications network 900 may also include a number of low power nodes 906-1 through 906-4 controlling corresponding small cells 908-1 through 908-4. The low power nodes 906-1 through 906-4 can be small base stations (such as pico or femto base stations) or Remote Radio Heads (RRHs), or the like. Notably, while not illustrated, one or more of the small cells 908-1 through 908-4 may alternatively be provided by the base stations 902. The low power nodes 906-1 through 906-4 are generally referred to herein collectively as low power nodes 906 and individually as low power node 906. Likewise, the small cells 908-1 through 908-4 are generally referred to herein collectively as small cells 908 and individually as small cell 908. The base stations 902 (and optionally the low power nodes 906) are connected to a core network 910, such as the core network illustrated in Figure 1 or 2.

[0134] The base stations 902 and the low power nodes 906 provide service to wireless devices 912-1 through 912-5 in the corresponding cells 904 and 908. The wireless devices 912-1 through 912-5 are generally referred to herein collectively as wireless devices 912 and individually as wireless device 912.

The wireless devices 912 are also sometimes referred to herein as UEs.

[0135] An NF may be implemented either as a network element on a dedicated hardware, as a software instance running on a dedicated hardware, or as a virtualized function instantiated on an appropriate platform, e.g., a cloud infrastructure. An NF may be an NF producer, an NF consumer, or both an NF producer and an NF consumer. An NF consumer may also be an entity that is not also an NF, such as a wireless device or UE.

Optimized NF Discovery

[0136] In the present disclosure, the NF service discovery and NF service authorization steps are combined so that an NF consumer does not need to explicitly request an access token in a separate step after discovering an NF service.

[0137] Figure 10 illustrates an exemplary method for NF service discovery according to some embodiments of the present disclosure. In the embodiment illustrated in Figure 10, the service discovery request and the authorization request are combined into a single NF service discovery and authorization request (step 1000). In some embodiments, the service discovery message also includes the necessary parameters to indicate that a token is also requested as well as data which are needed by the NRF to generate the token. Because an authorization request may also be referred to as an“access token request,” the combined message may also be referred to herein as an“NF service discovery and access token request” or as an“NF service discovery and access request.” In the embodiment illustrated in Figure 10, for example, the NF service discovery and authorization request includes the NF service name, the NF type, and Client ID, but other parameters, or other combinations of parameters, are also considered to be within the scope the present disclosure.

[0138] The NF service discovery and authorization request is sent to an authorization server. In the embodiment illustrated in Figure 10, the authorization server is an NRF. In response to receiving the NF service discovery and authorization request, the NRF authorizes the NF service discovery (step 1002), then authorizes the client (step 1004). If the client is authorized, the NRF will generate an access token.

[0139] For the NRF to recognize that the message sent in step 1000 is both a service discovery request and an authorization request, in some embodiments that message will include the necessary access token request parameters inside the service discovery request in step 1000. This could be implemented in a number of ways. For example:

[0140] In one embodiment, the service discovery message also contains the access token request message, i.e., a full token request message or all the parameters sent with a regular access token request, except that the parameters of a conventional access token request message that normally identifies the target NF, for instance - information that, in the conventional process, is provided by a prior discovery request -- could either be set to NULL or set to the values that are normally part of the conventional discovery message. That is, where the conventional access token request message would contain the Internet Protocol (IP) address of the discovered NF producer, the new message might use the name of the desired NF (e.g., Authentication Server Function (AUSF)).

[0141] In another embodiment, only parameters that the NRF cannot deduce from a regular discovery message are included. This approach would make message size smaller, but would require additional logic in the NRF. For example, the NRF will know the identity, etc., of the consumer through the consumer having authenticated to the NRF as part of service discovery, and will know the details of the producer instance through the service discovery and the response generated for the consumer. However, the NRF might or might not know the resource provided by the producer that the consumer wants to access, so the consumer might have to explicitly indicate this in the message unless the service discovery itself is directly targeting a resource. In some cases, the NRF will not know what type of access (e.g.,

read/write/execute/other) the consumer would like to have to the resource, in which case the message would need to include this information. For some resources, there might only be one possible access type possible, either due to type of resource, general producer policy, or consumer specific producer policy (i.e., what the consumer can do with the specific resource according to access policies of the producer).

Alternatively, the NRF could generate a token that authorizes all of the access types that the requester is allowed to perform. In this approach, the consumer does not need to indicate the access type desired.

[0142] In some embodiments, the message might contain an indication that the message is a combined resource discovery and authorization request message or the fact that the selected additional access request related parameters are included implicitly communicates this. [0143] In some embodiments, the consumer does not indicate that it wants to do a combined service discovery and access token request, e.g., not with a flag, nor by having any additional parameters included in the service discovery message. In these embodiments, the NRF could have some pre-configured policies such that when an NF of a certain type does service discovery for another specific type of NF, it most probably means it will want a token for a specific resource of the identified NF. Based on this, the NRF could opportunistically generate a token and communicate it to the NF performing service discovery.

[0144] Referring again to Figure 10, the NRF then responds to the NF service consumer. In one embodiment, the NRF sends a single message that includes both the service discovery response and the authorization response (step 1006) that includes, but is not limited to, information identifying the NF instance and authorization information. In the embodiment illustrated in Figure 10, the authorization information includes, but is not limited to, an access token and may also include additional information associated with the access token, such as an expiration date. In an alternative embodiment, the NRF may send the service discovery response (step 1008) and the authorization response (step 1010) as separate messages. This alternative may be used to avoid having to define a new response message such as the one in step 1006, or if space is critical, e.g., if the service discovery and authorization response and the access token in one message becomes too big.

[0145] In one embodiment, prior to authorization, during the authentication steps between NF consumer and the NRF for performing the service discovery, the NF consumer must provide enough information, e.g., NF consumer type, NF consumer ID, or target NF producer type, so that the NRF can figure out the correct and corresponding access rights. The NRF can then authorize the discovery, perform the discovery for the consumer, and finally generate a suitable access token for the consumer based on the received parameters and the policies stored in the NRF.

[0146] In one embodiment, in addition to the access token (which is the authorization response) received in step 1006, the service discovery and authorization response may include a list of available instances of the NF producer (i.e., the service discovery response), e.g., instances that the NF consumer can access. If there are multiple NF producer instances in the response, then in one embodiment the access token can be used to access any of these instances, which should be stated in the token claims. Alternatively, the NRF can also append a set of (typically short lived) tokens in the response, each of them usable to access one specific of the NF producer instance provided in the response.

Optimized NF Service Registration

[0147] While the main use case for combining resource discovery and authorization request messages is for NF consumers, the solution could optionally also work for NF registration at the NRF.

Some NFs might follow a specific access pattern in the network. For example, some NF needs to contact other NFs in its initialization phase. In these cases, in one embodiment the NRF could be pre-configured with some policies indicating that when a certain NF type performs a service registration, it is very likely that the same NF will conduct service discovery and request an access token to certain NF producer(s). Thus, in some embodiments, the registration could for specific NF types be seen as also containing an implicit service discovery and authorization request. In this case the registration response could also include an opportunistic service discovery response for identified services as well as associated access token(s).

Optimized NF Discovery Roaming

[0148] In a roaming scenario, an NF service consumer, such as a UE that belongs to a subscriber to a home PLMN (HPLMN), is operating within a visited PLMN (VPLMN) and therefore referred to herein as a roaming NF service consumer. An NRF within the VPLMN is herein referred to as a VNRF, and an NRF within the FIPLMN is herein referred to as an HNRF. When a roaming NF service consumer requests access to an NF service, such requests are received by the VNRF and forwarded to the HNRF. Likewise, the response from the HNRF is sent to the VNRF, which forwards the response to the roaming NF service consumer. Generally speaking, the VNRF is responsible for generating access tokens for granting access to an NF within the VPLMN, and the HNRF is responsible for generating access tokens for granting access to an NF within the HPLMN. However, it is the HNRF that controls what NF services any of its subscribers - roaming or not - may access. Thus, NF service discovery in a roaming scenario generally involves interactions between the VNRF and the HNRF. These interactions may be optimized according to the present disclosure, as will now be described.

[0149] Figure 10 illustrates a scenario in which the NF producer is in the same PLMN as the NRF, in which case the NRF performs both service discovery and service authorization step. This process may apply when the NF service consumer, the authorization server, and the NF service provider are all in the NF service consumer’s home network (HPLMN) or when the NF service consumer, the authorization server, and the NF service provider are all in a visited network (VPLMN). Thus, the process illustrated in Figure 10 may represent a non-roaming scenario, but it also may represent a roaming scenario in which it is not necessary to access an NF service provider in the HPLMN, i.e., the desired NF service exists within the VPLMN (and, optionally, where the authorization server within the VPLMN possesses sufficient information to authorize access and thus does not need to interact with the authorization server within the HPLMN.

[0150] If the desired NF service producer is not within the VPLMN but is within the HPLMN, then the roles of the NRF in the VPLMN (VNRF) and the NRF in the HPLMN (HNRF) may be different. This scenario will now be described.

[0151] Figure 11 illustrates an exemplary method for NF service discovery in a roaming scenario according to some embodiments of the present disclosure. In the embodiment illustrated in Figure 1 1 , an NF service consumer is registered with a VNRF (step 1 100) which has mutually authenticated with an HNRF (step 1 102). The NF service consumer issues an NF service discovery and authorization request (step 1104) towards the HNRF via the VNRF. The VNRF receives the NF service discovery and authorization request and, in response, authenticates the client and authorizes the NF service discovery (step 1106). In the embodiment illustrated in Figure 1 1 , the client is successfully authenticated and authorized for service discovery, so the VNRF forwards the NF service discovery and authorization request to the HNRF (step 1 108). The HNRF performs discovery, authorizes the client, and generates the authorization response, e.g., the HNRF generates an access token (step 11 10), then issues an NF service discovery and authorization response (step 1 112) to the VNRF, which forwards the NF service discovery and authorization response to the NF service consumer (step 1 1 14).

[0152] In some embodiments, the NF service discovery and authorization response sent by the HNRF to the VNRF does not include the discovery response, e.g., such as when the authorization response contains sufficient information such that the discovery response is redundant or unnecessary. In other embodiments, the HNRF sends both a discovery response and an authorization response. In these embodiments, the discovery response may be sent together with the authorization response, or the discovery response may be sent separately from the authorization response.

[0153] In some embodiments, the desired NF service exists within the VPLMN, in which case the VNRF may generate the discovery response, forward the original NF service discovery and authorization response (with or without the discovery response) to the HNRF, which authorizes the request and (if authorized), sends an authorization response to the VNRF. The VNRF sends both a discovery response and an authorization response to the NF service consumer. In these embodiments, the discovery response may be sent together with the authorization response, or the discovery response may be sent separately from the authorization response.

Combining Multiple Service Discoveries and Authorization Requests

[0154] In 5G system procedures, it is quite common that the same NF consumer has to call different NF providers in order to finish the system procedure. For example, in the UE registration procedure, which is defined in 3GPP Technical Specification (TS) 23.502, Version 15.4.0, the Access and Mobility

Management Function (AMF) has to call an AUSF for UE authentication, and then it has to call a Unified Data Management (UDM) for registering the association between the AMF and UE. In some cases, the AMF also has to call a Session Management Function (SMF) for some Protocol Data Unit (PDU) session updates.

[0155] Figure 12 illustrates a simplified example of this conventional procedure, in which the service discovery and the authorization token request are separated. In the conventional example shown in Figure 12, the procedure includes the following steps. A UE issues a UE registration request to its current Radio Access Network (RAN) (step 1200), which forwards the request to the serving AMF (step 1202). The AMF then communicates with the NRF several times: first, to discover an AUSF service (steps 1204 and 1206); then, to request access to the discovered AUSF (steps 1208 and 1210). The AMF then authenticates the UE with the AUSF (step 1212). The AMF again communicates with the NRF several times: to discover a UDM service (steps 1214 and 1216) and request access to the discovered UDM service (steps 1218 and 1220) in order to register the UE context information with the UDM (step 1222); to discover an SMF service (steps 1224 and 1226) and request access to the discovered SMF service (steps 1228 and 1230) in order to perform PDU session updates with the SMF (step 1232). The AMF then responds to the UE registration request by sending a UE registration response to the UE (step 1234). As can be seen in this more detailed example, registration of just one UE requires multiple signaling messages to and from the NRF.

[0156] Figure 13 illustrates an optimized UE registration process according to some embodiments of the present disclosure. In the embodiment illustrated in Figure 13, a UE issues a UE registration request to its current RAN (step 1300), which forwards the request to the serving AMF (step 1302). The AMF then communicates with the NRF several times: first, it sends a combined service discovery and authorization request to the NRF for an AUSF service (step 1304), and receives a response from the NRF that identifies an AUSF instance and provides an access token for accessing the identified AUSF (step 1306). The AMF then authenticates the UE with the AUSF (step 1308). The AMF then sends a combined service discovery and authorization request to the NRF for a UDM service (step 1310), and receives a response from the NRF that identifies a UDM instance and provides an access token for accessing the identified UDM (step 1312). The AMF registers the UE context association with the UDM (step 1314). The AMF then sends a combined service discovery and authorization request to the NRF for an SMF service (step 1316), and receives a response from the NRF that identifies an SMF instance and provides an access token for accessing the identified SMF (step 1318). The AMF then performs PDU session updates with the SMF (step 1320), and responds to the UE registration request by sending a UE registration response to the UE (step 1322). As can be seen in this more detailed example, registration of one UE according to the optimized procedure illustrated in Figure 13 requires six fewer signaling messages to and from the NRF compared with the conventional process.

[0157] Figure 14 illustrates a UE registration process even further optimized according to some embodiments of the present disclosure, by combining multiple service discovery and token requests together. When an AMF receives a UE registration request, the AMF knows that it will need to contact an AUSF, a UDM, and an SMF. Therefore, the AMF can send the corresponding service discoveries all together as well as the token requests. This is shown in Figure 14. In the embodiment illustrated in Figure 14, a UE issues a UE registration request to its current RAN (step 1400), which forwards the request to the serving AMF (step 1402). The AMF then communicates with the NRF just once: it sends a combined service discovery and authorization request to the NRF (step 1404) for all of the services that will be needed by the UE registration procedure - in this example, an AUSF service, a UDM service, and an SMF service. The AMF receives a response from the NRF (step 1406) that identifies an AUSF instance, a UDM instance, and an SMF instance, and provides one or more access token(s) for accessing the identified AUSF, UDM, and SMF. In one embodiment, the NRF may send a single token that is used to access multiple NFs. In another embodiment, the NRF may send multiple tokens, each for a different NF. Where the NRF sends multiple tokens, the NRF may send all of the tokens together in one discovery and authorization response message (e.g., step 1406), or it may send the tokens in separate discovery and authorization response messages. The AMF then authenticates the UE with the AUSF (step 1408), registers the UE context association with the UDM (step 1410), performs PDU session updates with the SMF (step 1412), and responds to the UE registration request by sending a UE registration response to the UE (step 1414). As can be seen in this more detailed example, registration of one UE according to the optimized procedure illustrated in Figure 14 requires eleven fewer signaling messages to and from the NRF compared with the conventional process.

[0158] In some embodiments, the OAuth 2.0 framework, Representational State Transfer (REST)-ful Application Program Interface (APIs) are used. In these embodiments, all communication is via Hypertext Transfer Protocol (HTTP), which is the application layer protocol that carries messages between NFs and the NRF. The HTTP-based communication is moving towards HTTP/2, the de facto application layer protocol improvement over HTTP/1.1 and HTTP/1.0, and described in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 7540. Thus, in alternative embodiments, all communication is via HTTP/2. A HTTP/2-based framework supports better connection management compared to its predecessor HTTP/1.1 and HTTP/1.0. For example, The SERVER PUSH option in HTTP/2 allows the server to preemptively send responses to the client in association with a previous request. In some embodiments, this feature from HTTP/2 may be employed where NFs service discovery and service requests are separate requests. Alternatively, this can also be realized by the PUSH_PROMISE frame option, which is semantically equivalent to SERVER PUSH, i.e., it needs a previously existing request from the same client. More concretely, SERVER PUSH is meant for web servers preemptively sending content towards a client, which the server knows that the client will need based on a previous request from the same client, e.g., some style files that format all pages from a website that client is interested to download. This could be utilized by some embodiments of the present disclosure, e.g., by having the NRF respond to the service discovery with a regular service discovery response message, and right after that send, using SERVER PUSH, the associated token, which the NF might have requested explicitly (flag indicating combined discovery and token request), implicitly (by including token request related parameters in the service discovery), or opportunistically (based on local policy in the NRF).

[0159] Although Figures 13 and 14 illustrate an optimized UE registration, the subject matter of the present disclosure is not limited to UE registration. The optimizations described herein are applicable to other procedures that involve multiple NF services.

Optimized NF Discovery - Multiple NFs

[0160] Figure 13 illustrates an optimization in which, for each NF, the service discovery request and authorization request are combined into one request (e.g., combined requests 1304, 1310, and 1316). Figure 14 illustrates an optimization in which all of the separate combined service discovery and authorization requests for each NF are combined into one combined service discovery and authorization request for multiple NF services (e.g., combined request for multiple NFs 1404).

[0161] Figure 15 illustrates an optimized NF service discovery according to some embodiments of the present disclosure, which uses a single service discovery request (with no authorization request) for multiple NFs. In the embodiment illustrated in Figure 15, an NF consumer issues an NF service discovery request (step 1500) to an authorization server, the service discovery request identifying a plurality of NF services (e.g., NF service 1 , NF service 2, ...). The authorization server authorizes the NF service discoveries (step 1502) and generates the NF service discovery responses (step 1504). The authorization server then sends the service discovery responses to the NF service consumer, which may be in various forms, such as, for example, a combined multi-NF response (step 1506), or as separate, single-NF responses (steps 1508 and 1510). In the scenario illustrated in Figure 14, for example, the AMF would issue a service discovery request for an AUSF service, a UDM service, and an SMF service, and the NRF would issue a service discovery response that identifies an AUSF instance, a UDM instance, and an SMF instance. The authorization requests would be handled using a mechanism separate from the multiple-NF discovery request.

[0162] Regarding implementation, in 3GPP TS 29.510, Version 15.1.0, the service discovery is performed via a HTTP GET message whereas a token request (service authorization), is performed via a HTTP POST message which is aligned with OAuth 2.0 framework. In some embodiments of the present disclosure, this difference may be used to an advantage when combining both discovery and authorization together: a conventional service discovery could be sent via HTTP GET as usual while a combined service discovery and authorization could be sent via HTTP POST. In this manner, the NRF receiving the request can distinguish a conventional request from a combined request based simply on whether the request was sent via HTTP GET or HTTP POST. In such embodiments, if the NRF receives a service discovery request using HTTP GET, it means that the discovery should be performed according to how it is currently defined in 3GPP, as shown in Figure 5. Flowever, if the NF consumer uses HTTP POST, it means that it is sending a combined service discovery and authorization with the access token request, as shown in Figure 10.

Example Implementations

[0163] Figure 16 is a schematic block diagram of a network node 1600 according to some embodiments of the present disclosure. The network node 1600 may be, for example, a radio network node or a core network node. As illustrated, the network node 1600 includes a control system 1602 that includes one or more processors 1604 (e.g., Central Processing Units (CPUs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), and/or the like), memory 1606, and a network interface 1608. The one or more processors 1604 are also referred to herein as processing circuitry. In addition, the network node 1600 may include one or more radio units 1610 that each includes one or more transmitters 1612 and one or more receivers 1614 coupled to one or more antennas 1616.

The radio units 1610 may be referred to or be part of radio interface circuitry. In some embodiments, the radio unit(s) 1610 is external to the control system 1602 and connected to the control system 1602 via, e.g., a wired connection (e.g., an optical cable). However, in some other embodiments, the radio unit(s) 1610 and potentially the antenna(s) 1616 are integrated together with the control system 1602. The one or more processors 1604 operate to provide one or more functions of a network node 1600 as described herein. In some embodiments, the function(s) are implemented in software that is stored, e.g., in the memory 1606 and executed by the one or more processors 1604.

[0164] Figure 17 is a schematic block diagram that illustrates a virtualized embodiment of the network node 1600 according to some embodiments of the present disclosure. This discussion is equally applicable to radio network nodes, core network nodes, or other types of network nodes. Further, other types of network nodes may have similar virtualized architectures.

[0165] As used herein, a“virtualized” network node is an implementation of the network node 1600 in which at least a portion of the functionality of the network node 1600 is implemented as a virtual component(s) (e.g., via a virtual machine(s) executing on a physical processing node(s) in a network(s)).

As illustrated, in this example, the network node 1600 includes the control system 1602 that includes the one or more processors 1604 (e.g., CPUs, ASICs, FPGAs, and/or the like), the memory 1606, and the network interface 1608 and the one or more radio units 1610 that each includes the one or more transmitters 1612 and the one or more receivers 1614 coupled to the one or more antennas 1616, as described above. The control system 1602 is connected to the radio unit(s) 1610 via, for example, an optical cable or the like. The control system 1602 is connected to one or more processing nodes 1700 coupled to or included as part of a network(s) 1702 via the network interface 1608. Each processing node 1700 includes one or more processors 1704 (e.g., CPUs, ASICs, FPGAs, and/or the like), memory 1706, and a network interface 1708.

[0166] In this example, functions 1710 of the network node 1600 described herein are implemented at the one or more processing nodes 1700 or distributed across the control system 1602 and the one or more processing nodes 1700 in any desired manner. In some particular embodiments, some or all of the functions 1710 of the network node 1600 described herein are implemented as virtual components executed by one or more virtual machines implemented in a virtual environment(s) hosted by the processing node(s) 1700. As will be appreciated by one of ordinary skill in the art, additional signaling or communication between the processing node(s) 1700 and the control system 1602 is used in order to carry out at least some of the desired functions 1710. Notably, in some embodiments, the control system 1602 may not be included, in which case each of the radio unit(s) 1610 communicates directly with the processing node(s) 1700 via an appropriate network interface(s). [0167] In some embodiments, a computer program including instructions which, when executed by at least one processor, causes the at least one processor to carry out the functionality of network node 1600 or a node (e.g., a processing node 1700) implementing one or more of the functions 1710 of the network node 1600 in a virtual environment according to any of the embodiments described herein is provided. In some embodiments, a carrier comprising the aforementioned computer program product is provided. The carrier is one of an electronic signal, an optical signal, a radio signal, or a computer readable storage medium (e.g., a non-transitory computer readable medium such as memory).

[0168] Figure 18 is a schematic block diagram of the network node 1600 according to some other embodiments of the present disclosure. The network node 1600 includes one or more modules 1800, each of which is implemented in software. The module(s) 1800 provide the functionality of the network node 1600 described herein. This discussion is equally applicable to the processing node 1700 of Figure 17 where the modules 1800 may be implemented at one of the processing nodes 1700 or distributed across multiple processing nodes 1700 and/or distributed across the processing node(s) 1700 and the control system 1602.

[0169] Figure 19 is a schematic block diagram of a UE 1900 according to some embodiments of the present disclosure. As illustrated, the UE 1900 includes one or more processors 1902 (e.g., CPUs, ASICs, FPGAs, and/or the like), memory 1904, and one or more transceivers 1906 each including one or more transmitters 1908 and one or more receivers 1910 coupled to one or more antennas 1912. The transceiver(s) 1906 includes radio-front end circuitry connected to the antenna(s) 1912 that is configured to condition signals communicated between the antenna(s) 1912 and the processor(s) 1902, as will be appreciated by on of ordinary skill in the art. The processors 1902 are also referred to herein as processing circuitry. The transceivers 1906 are also referred to herein as radio circuitry. In some embodiments, the functionality of the UE 1900 described above may be fully or partially implemented in software that is, e.g., stored in the memory 1904 and executed by the processor(s) 1902. Note that the UE 1900 may include additional components not illustrated in Figure 19 such as, e.g., one or more user interface components (e.g., an input/output interface including a display, buttons, a touch screen, a microphone, a speaker(s), and/or the like and/or any other components for allowing input of information into the UE 1900 and/or allowing output of information from the UE 1900), a power supply (e.g., a battery and associated power circuitry), etc.

[0170] In some embodiments, a computer program including instructions which, when executed by at least one processor, causes the at least one processor to carry out the functionality of the UE 1900 according to any of the embodiments described herein is provided. In some embodiments, a carrier comprising the aforementioned computer program product is provided. The carrier is one of an electronic signal, an optical signal, a radio signal, or a computer readable storage medium (e.g., a non-transitory computer readable medium such as memory). [0171] Figure 20 is a schematic block diagram of the UE 1900 according to some other embodiments of the present disclosure. The UE 1900 includes one or more modules 2000, each of which is implemented in software. The module(s) 2000 provide the functionality of the UE 1900 described herein.

[0172] Figure 21 illustrates an exemplary telecommunication network connected via an intermediate network to a host computer according to some embodiments of the present disclosure. With reference to Figure 21 , in accordance with an embodiment, a communication system includes a telecommunication network 2100, such as a 3GPP-type cellular network, which comprises an access network 2102, such as a RAN, and a core network 2104. The access network 2102 comprises a plurality of base stations 2106A, 2106B, 2106C, such as NBs, eNBs, gNBs, or other types of wireless Access Points (APs), each defining a corresponding coverage area 2108A, 2108B, 2108C. Each base station 2106A, 2106B, 2106C is connectable to the core network 2104 over a wired or wireless connection 21 10. A first UE 21 12 located in coverage area 2108C is configured to wirelessly connect to, or be paged by, the corresponding base station 2106C. A second UE 21 14 in coverage area 2108A is wirelessly connectable to the corresponding base station 2106A. While a plurality of UEs 21 12, 21 14 are illustrated in this example, the disclosed embodiments are equally applicable to a situation where a sole UE is in the coverage area or where a sole UE is connecting to the corresponding base station 2106.

[0173] The telecommunication network 2100 is itself connected to a host computer 2116, which may be embodied in the hardware and/or software of a standalone server, a cloud-implemented server, a distributed server, or as processing resources in a server farm. The host computer 21 16 may be under the ownership or control of a service provider, or may be operated by the service provider or on behalf of the service provider. Connections 2118 and 2120 between the telecommunication network 2100 and the host computer 21 16 may extend directly from the core network 2104 to the host computer 21 16 or may go via an optional intermediate network 2122. The intermediate network 2122 may be one of, or a combination of more than one of, a public, private, or hosted network; the intermediate network 2122, if any, may be a backbone network or the Internet; in particular, the intermediate network 2122 may comprise two or more sub-networks (not shown).

[0174] The communication system of Figure 21 as a whole enables connectivity between the connected UEs 21 12, 21 14 and the host computer 21 16. The connectivity may be described as an Over- the-Top (OTT) connection 2124. The host computer 21 16 and the connected UEs 21 12, 21 14 are configured to communicate data and/or signaling via the OTT connection 2124, using the access network 2102, the core network 2104, any intermediate network 2122, and possible further infrastructure (not shown) as intermediaries. The OTT connection 2124 may be transparent in the sense that the participating communication devices through which the OTT connection 2124 passes are unaware of routing of uplink and downlink communications. For example, the base station 2106 may not or need not be informed about the past routing of an incoming downlink communication with data originating from the host computer 21 16 to be forwarded (e.g., handed over) to a connected UE 21 12. Similarly, the base station 2106 need not be aware of the future routing of an outgoing uplink communication originating from the UE 21 12 towards the host computer 21 16.

[0175] Figure 22 illustrates an exemplary generalized block diagram of a host computer

communicating via a base station with a UE over a partially wireless connection in accordance with some embodiments of the present disclosure. Example implementations, in accordance with an embodiment, of the UE, base station, and host computer discussed in the preceding paragraphs will now be described with reference to Figure 22. In a communication system 2200, a host computer 2202 comprises hardware 2204 including a communication interface 2206 configured to set up and maintain a wired or wireless connection with an interface of a different communication device of the communication system 2200. The host computer 2202 further comprises processing circuitry 2208, which may have storage and/or processing capabilities. In particular, the processing circuitry 2208 may comprise one or more programmable processors, ASICs, FPGAs, or combinations of these (not shown) adapted to execute instructions. The host computer 2202 further comprises software 2210, which is stored in or accessible by the host computer 2202 and executable by the processing circuitry 2208. The software 2210 includes a host application 2212. The host application 2212 may be operable to provide a service to a remote user, such as a UE 2214 connecting via an OTT connection 2216 terminating at the UE 2214 and the host computer 2202. In providing the service to the remote user, the host application 2212 may provide user data which is transmitted using the OTT connection 2216.

[0176] The communication system 2200 further includes a base station 2218 provided in a telecommunication system and comprising hardware 2220 enabling it to communicate with the host computer 2202 and with the UE 2214. The hardware 2220 may include a communication interface 2222 for setting up and maintaining a wired or wireless connection with an interface of a different communication device of the communication system 2200, as well as a radio interface 2224 for setting up and maintaining at least a wireless connection 2226 with the UE 2214 located in a coverage area (not shown in Figure 22) served by the base station 2218. The communication interface 2222 may be configured to facilitate a connection 2228 to the host computer 2202. The connection 2228 may be direct or it may pass through a core network (not shown in Figure 22) of the telecommunication system and/or through one or more intermediate networks outside the telecommunication system. In the embodiment shown, the hardware 22120 of the base station 2218 further includes processing circuitry 2230, which may comprise one or more programmable processors, ASICs, FPGAs, or combinations of these (not shown) adapted to execute instructions. The base station 2218 further has software 2232 stored internally or accessible via an external connection.

[0177] The communication system 2200 further includes the UE 2214 already referred to. The UE’s 2214 hardware 2234 may include a radio interface 2236 configured to set up and maintain a wireless connection 2226 with a base station serving a coverage area in which the UE 2214 is currently located.

The hardware 2234 of the UE 2214 further includes processing circuitry 2238, which may comprise one or more programmable processors, ASICs, FPGAs, or combinations of these (not shown) adapted to execute instructions. The UE 2214 further comprises software 2240, which is stored in or accessible by the UE 2214 and executable by the processing circuitry 2238. The software 2240 includes a client application 2242. The client application 2242 may be operable to provide a service to a human or non-human user via the UE 2214, with the support of the host computer 2202. In the host computer 2202, the executing host application 2212 may communicate with the executing client application 2242 via the OTT connection 2216 terminating at the UE 2214 and the host computer 2202. In providing the service to the user, the client application 2242 may receive request data from the host application 2212 and provide user data in response to the request data. The OTT connection 2216 may transfer both the request data and the user data. The client application 2242 may interact with the user to generate the user data that it provides.

[0178] It is noted that the host computer 2202, the base station 2218, and the UE 2214 illustrated in Figure 22 may be similar or identical to the host computer 21 16, one of the base stations 2106A, 2106B,

2106C, and one of the UEs 21 12, 21 14 of Figure 21 , respectively. This is to say, the inner workings of these entities may be as shown in Figure 22 and independently, the surrounding network topology may be that of Figure 21.

[0179] In Figure 22, the OTT connection 2216 has been drawn abstractly to illustrate the

communication between the host computer 2202 and the UE 2214 via the base station 2218 without explicit reference to any intermediary devices and the precise routing of messages via these devices. The network infrastructure may determine the routing, which may be configured to hide from the UE 2214 or from the service provider operating the host computer 2202, or both. While the OTT connection 2216 is active, the network infrastructure may further take decisions by which it dynamically changes the routing (e.g., on the basis of load balancing consideration or reconfiguration of the network).

[0180] The wireless connection 226 between the UE 2214 and the base station 2218 is in accordance with the teachings of the embodiments described throughout this disclosure. One or more of the various embodiments improve the performance of OTT services provided to the UE 2214 using the OTT connection 2216, in which the wireless connection 2226 forms the last segment. More precisely, the teachings of these embodiments may reduce the signaling and processing overhead of NF service discovery and access authentication and thereby provide benefits such as reduced signaling and processing latency for the NRF as well as for NF consumers and NF producers, as well as reduced processing overhead for the NRF.

[0181] A measurement procedure may be provided for the purpose of monitoring data rate, latency, and other factors on which the one or more embodiments improve. There may further be an optional network functionality for reconfiguring the OTT connection 2216 between the host computer 2202 and the UE 2214, in response to variations in the measurement results. The measurement procedure and/or the network functionality for reconfiguring the OTT connection 2216 may be implemented in the software 2210 and the hardware 2204 of the host computer 2202 or in the software 2240 and the hardware 2234 of the UE 2214, or both. In some embodiments, sensors (not shown) may be deployed in or in association with communication devices through which the OTT connection 2216 passes; the sensors may participate in the measurement procedure by supplying values of the monitored quantities exemplified above, or supplying values of other physical quantities from which the software 2210, 2240 may compute or estimate the monitored quantities. The reconfiguring of the OTT connection 2216 may include message format, retransmission settings, preferred routing, etc.; the reconfiguring need not affect the base station 2218, and it may be unknown or imperceptible to the base station 2218. Such procedures and functionalities may be known and practiced in the art. In certain embodiments, measurements may involve proprietary UE signaling facilitating the host computer’s 2202 measurements of throughput, propagation times, latency, and the like. The measurements may be implemented in that the software 2210 and 2240 causes messages to be transmitted, in particular empty or‘dummy’ messages, using the OTT connection 2216 while it monitors propagation times, errors, etc.

[0182] Figure 23 is a flowchart illustrating a method implemented in a communication system, in accordance with one embodiment. The communication system includes a host computer, a base station, and a UE which may be those described with reference to Figures 21 and 22. For simplicity of the present disclosure, only drawing references to Figure 23 will be included in this section. In step 2300, the host computer provides user data. In sub-step 2302 (which may be optional) of step 2300, the host computer provides the user data by executing a host application. In step 2304, the host computer initiates a transmission carrying the user data to the UE. In step 2306 (which may be optional), the base station transmits to the UE the user data which was carried in the transmission that the host computer initiated, in accordance with the teachings of the embodiments described throughout this disclosure. In step 2308 (which may also be optional), the UE executes a client application associated with the host application executed by the host computer.

[0183] Figure 24 is a flowchart illustrating a method implemented in a communication system, in accordance with one embodiment. The communication system includes a host computer, a base station, and a UE which may be those described with reference to Figures 21 and 22. For simplicity of the present disclosure, only drawing references to Figure 24 will be included in this section. In step 2400 of the method, the host computer provides user data. In an optional sub-step (not shown) the host computer provides the user data by executing a host application. In step 2402, the host computer initiates a transmission carrying the user data to the UE. The transmission may pass via the base station, in accordance with the teachings of the embodiments described throughout this disclosure. In step 2404 (which may be optional), the UE receives the user data carried in the transmission. [0184] Figure 25 is a flowchart illustrating a method implemented in a communication system, in accordance with one embodiment. The communication system includes a host computer, a base station, and a UE which may be those described with reference to Figures 21 and 22. For simplicity of the present disclosure, only drawing references to Figure 25 will be included in this section. In step 2500 (which may be optional), the UE receives input data provided by the host computer. Additionally or alternatively, in step 2502, the UE provides user data. In sub-step 2504 (which may be optional) of step 2500, the UE provides the user data by executing a client application. In sub-step 2506 (which may be optional) of step 2502, the UE executes a client application which provides the user data in reaction to the received input data provided by the host computer. In providing the user data, the executed client application may further consider user input received from the user. Regardless of the specific manner in which the user data was provided, the UE initiates, in sub-step 2508 (which may be optional), transmission of the user data to the host computer. In step 2510 of the method, the host computer receives the user data transmitted from the UE, in accordance with the teachings of the embodiments described throughout this disclosure.

[0185] Figure 26 is a flowchart illustrating a method implemented in a communication system, in accordance with one embodiment. The communication system includes a host computer, a base station, and a UE which may be those described with reference to Figures 21 and 22. For simplicity of the present disclosure, only drawing references to Figure 26 will be included in this section. In step 2600 (which may be optional), in accordance with the teachings of the embodiments described throughout this disclosure, the base station receives user data from the UE. In step 2602 (which may be optional), the base station initiates transmission of the received user data to the host computer. In step 2604 (which may be optional), the host computer receives the user data carried in the transmission initiated by the base station.

[0186] Any appropriate steps, methods, features, functions, or benefits disclosed herein may be performed through one or more functional units or modules of one or more virtual apparatuses. Each virtual apparatus may comprise a number of these functional units. These functional units may be implemented via processing circuitry, which may include one or more microprocessor or microcontrollers, as well as other digital hardware, which may include Digital Signal Processors (DSPs), special-purpose digital logic, and the like. The processing circuitry may be configured to execute program code stored in memory, which may include one or several types of memory such as Read Only Memory (ROM), Random Access Memory (RAM), cache memory, flash memory devices, optical storage devices, etc. Program code stored in memory includes program instructions for executing one or more telecommunications and/or data communications protocols as well as instructions for carrying out one or more of the techniques described herein. In some implementations, the processing circuitry may be used to cause the respective functional unit to perform corresponding functions according one or more embodiments of the present disclosure.

[0187] While processes in the figures may show a particular order of operations performed by certain embodiments of the present disclosure, it should be understood that such order is exemplary (e.g., alternative embodiments may perform the operations in a different order, combine certain operations, overlap certain operations, etc.).

[0188] At least some of the following abbreviations may be used in this disclosure. If there is an inconsistency between abbreviations, preference should be given to how it is used above. If listed multiple times below, the first listing should be preferred over any subsequent listing(s).

3GPP Third Generation Partnership Project

5G Fifth Generation

5GC Fifth Generation Core Network

AF Application Function

AMF Access and Mobility Management Function

AN Access Network

AP Access Point

API Application Programming Interface

ASIC Application Specific Integrated Circuit

AUSF Authentication Server Function

CN Core Network

CPU Central Processing Unit

DN Data Network

DSP Digital Signal Processor

eNB Enhanced or Evolved Node B

FPGA Field Programmable Gate Array

gNB New Radio Base Station

HNRF Flome Network Repository Function

FIPLMN Flome Public Land Mobile Network

FHTTP FHypertext T ransfer Protocol

ID Identifier, Identity

IETF Internet Engineering Task Force

IP Internet Protocol

LTE Long Term Evolution

MME Mobility Management Entity

MTC Machine Type Communication

NB Node B

NEF Network Exposure Function

NF Network Function • NG Next Generation

• NR New Radio

• NRF Network Repository Function

• NSSF Network Slice Selection Function

• OTT Over-the-Top

• PCF Policy Control Function

• PDU Protocol Data Unit

• P-GW Packet Data Network Gateway

• PLMN Public Land Mobile Network

• QoS Quality Of Service

• RAM Random Access Memory

• RAN Radio Access Network

• REST Representational State Transfer

• RFC Request For Comments

• ROM Read Only Memory

• RRH Remote Radio Head

• RTT Round Trip Time

• SBA Service Based Architecture

• SBI Service Based Interface

• SCEF Service Capability Exposure Function

• SMF Session Management Function

• TLS Transport Layer Security

• TS Technical Specification

• UDM Unified Data Management

• UDR User Data Repository

• UE User Equipment

• UPF User Plane Function

• URL Uniform Resource Locator

• VNRF Visited Network Repository Function

• VPLMN Visited Public Land Mobile Network

[0189] Those skilled in the art will recognize improvements and modifications to the embodiments of the present disclosure. All such improvements and modifications are considered within the scope of the concepts disclosed herein.