See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/329839002

Dynamic Authorization for 5G Systems

Conference Paper · October 2018

DOI: 10.1109/CSCN.2018.8581725

CITATIONS READS
0 399

4 authors, including:

Samir Ferdi Yogendra Shah

InterDigital Institute of Electrical and Electronics Engineers
4 PUBLICATIONS   20 CITATIONS    46 PUBLICATIONS   698 CITATIONS   

SEE PROFILE SEE PROFILE

Alec Brusilovsky
Institute of Telecommunications
12 PUBLICATIONS   46 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Wireless Systems & Security View project

All content following this page was uploaded by Yogendra Shah on 02 January 2019.

The user has requested enhancement of the downloaded file.

 Dynamic Authorization for 5G Systems
Samir Ferdi2, Yogendra Shah1, Vinod Kumar Choyi1, Alec Brusilovsky1
1
InterDigital Communications, Inc., Conshohocken, PA
2
InterDigital Canada Ltee, Montreal, Canada
{samir.ferdi, yogendra.shah, vinod.choyi, alec.brusilovsky}@interdigital.com

Abstract — 5G Networks are being designed to provide a II. BACKGROUND

diverse set of services using Network Slices (NS) that are enabled
by Network Function Virtualization (NFV) and Software A. 4G Systems Service Authorization Model
Defined Network (SDN) technologies. Given the expected Since its inception in 3GPP Release 8, the Evolved Packet
diversity of service offerings and variety of connected devices, System (EPS) has adopted a service authorization model
it’s desirable to have a service authorization architecture that
whereby any subscribed service available on a network is
accommodates delivery of services from a variety of
implicitly authorized for a registered UE. A default (bearer)
infrastructure service providers, while simultaneously
protecting these infrastructure service providers from
service is provided automatically to the UE during a network
unauthorized service consumption. We illustrate an attach procedure upon successful authentication.
authorization framework to enable dynamic, context-based Service authorization in Long Term Evolution (LTE)
authorization for services offered over 5G networks. centers around a static Subscription Profile (SP). Essentially,
the authorization matrix for each UE is stored in the Home
Keywords—5G systems; access tokens; context-sensitive access
Network (HN) and is downloaded to the Serving Network
control; dynamic authorization; NFV, network slice; OAuth;
(SN) following UE authentication [2]. The SN then uses the
SDN, service negotiation; service selection; subscription profile;
virtualized networks.
received authorization matrix to authorize the authenticated
UE for access to services provisioned in its SP.
I. INTRODUCTION Standardization and adoption of this static SP based
authorization model has been successful from an
The goal of 5G systems standardization is to not only interoperability standpoint, when applied to a market with a
meet an increased demand for traffic growth, but to also limited set of services delivered over wireless networks
accommodate a diversity of service level requirements. The controlled by one or two Mobile Network Operator (MNOs).
use cases driving the 5G network architecture vary from an
ongoing need for Enhanced Mobile Broadband (eMBB) Incremental changes to decouple authentication from
connectivity, Massive Internet of Things (MIoT) to Ultra- authorization have been introduced for some new services but
Reliable Low Latency Critical Communications (URLLC) only on a case-by-case basis within the constraints of existing
services [1]. In addition, 5G systems will need to interwork LTE networks. For example, Proximity Services (ProSe) in
with the previous generation Evolved Packet System (EPS). 3GPP Release 12 and Cellular IoT (CIoT) optimizations in
Release 13.
Collectively, the flexibility of delivering services using a
NS architecture aligns well with the desire to offer a rich set A systematic design approach where modular
of application layer services to 5G system subscribers, while authorization functions and procedures may be used across
taking into consideration architectural approaches for the multiple services is a key to future-proofing the emerging 5G
deployment of 5G networks that reduce CAPEX and OPEX system. Such an approach will allow 5G networks to cope
costs. with the expected, much broader diversity of network
services delivered over multi-tenant NSs.
Legacy wireless networks have provided a complete set
of application services within a single network. B. 5G Systems Service Authorization Work
Authentication and implicit authorization provide access to a 1) 5G Standardization for NextGen Mobile Networks
full spectrum of services offered by the network. However, Standardization efforts for 5G systems are currently
with 5G networks and NSs, the services may be provided over ongoing [3][4]. In particular, the concept of an SP will
one or more NSs, which may be operated by multiple continue to play a central role for service access
infrastructure service providers/stakeholders. Furthermore, it authorization. However, a static SP based authorization
is desirable to provide access authentication and subsequent approach may expose the following problems and limitations
authorization to only those services that are aligned with the when applied to a 5G system context:
UE subscription, rather than full access to the multiplicity of
services across multiple NSs. Hence, the motivation to  The approach may not scale to adequately support the
provide a dynamic, context sensitive authorization high diversity of expected 5G services or cater to the
mechanism that provides granular access to services of a 5G desire of MNOs to offer differentiated service
network, as applications are accessed by a UE. offerings. This may lead to a situation where there is
a higher risk of mismatch between services available
This paper is organized as follows. Section II provides a
in an SN and those described in the SP (from the HN).
background to authorization requirements, and prior work
pertaining to 5G systems. Section III provides an overview of  The approach may not be flexible enough to
an authorization framework that evolves from current 4G accommodate deployments based on a NS
systems to accommodate dynamic service negotiation in 5G. architecture, where multiple stakeholders and various
Section IV provides illustrative technical details of the trust models [5][6] may be involved in providing 5G
authorization protocols to realize the described capabilities. network services. The role of multiple stakeholder
Section V provides concluding remarks and suggestions for infrastructure service providers poses a challenge for
further work.
 2

5G systems to align the accounting and billing refer to as Basic Services and as deployed in LTE but also
functions of the various stakeholders’ systems with escalating layers of dynamic service authorization, which we
appropriate authorization functions for the services refer to as Restricted and Negotiated Services.
that are consumed by a user.
Dynamic authorization for services that go beyond a
 Blanket and static pre-authorization of services may Basic Service set is addressed using concepts of Restricted
pose a risk to the network operator and stakeholders. and Negotiated Services. The service delivery mechanisms
A diversity of devices are expected to attach to 5G are captured in an enhanced SP offering an evolutionary path
networks designed for specific vertical use cases. from the familiar LTE authorization approach centered
These devices require a limited set of service around a simple inspection of the SP. The mechanism allows
requirements and it’s desirable to provide access to a subscriber to dynamically access 5G services that are not
only the services required for the specific application initially enabled as part of an SP (e.g., enable some optional
context and prevent access to other services. For services based on user session context, referred here as
example, using a static SP may lead to over Restricted Services) or to align a service request with an SN
provisioning authorization for services, leading to offering/capability (e.g., provision a new service based on SN
potential denial of service attacks and malicious abuse capabilities), which we refer to as Negotiated Services. By
of services. Conversely, under provisioning way of illustration of the authorization concepts we take as an
authorization may lead to loss of revenues for the example a roaming scenario or a multi-tenant scenario where
MNO due to a poor user experience and under- a third-party infrastructure provider is offering services to a
utilization of the network services available. user.
2) Network Slicing: A New Dimension to Authorization 1) Basic Services
In a traditional LTE mobile network owned and operated A UE may request a service from an SN. Upon receipt of
by a single MNO, it was logical to combine the authentication a service request by the SN, the UE’s SP is inspected for the
and authorization functions at the Mobility Management requested service. If the service is enabled and is a part of the
Entity (MME). The use of statically provisioned Basic Services, then the subscriber is automatically granted
authorization data in an SP was considered sufficient in order access to the service. Basic Services are statically provisioned
to achieve secure deployments with simple management and in current 4G systems.
operation, rather than a dynamic or distributed alternative.
Such a static authorization approach prevailed as the 3GPP 2) Restricted Services
architecture evolved to address optimizations related to Restricted Services may be optional services in the UE’s
operational cost and network performance for Radio Access SP that may have some service flows enabled while other
Network (RAN) sharing [7] or Dedicated Core Networks [8]. service flows may be disabled or turned off by default. These
services may be considered as services that have a set of
In contrast to these earlier efforts, the emerging network characteristics (Quality of Service (QoS), security etc.) that
slice paradigm - thanks to the flexibility of NFV [9] and SDN have been agreed upon between a HN and SN but where
[10] building blocks - is anticipated to evolve the mobile explicit supplementary authorization may be required to
network architecture into full support of multi-tenancy. This enable the services for a User. When an authenticated User
latter capability is crucial for future networks to requests access to a Restricted Service, a dynamic
accommodate new use cases catering to new players in authorization is initiated and upon authorization, the
various vertical industries, tighter alignment with business Restricted Service is enabled in the SP. This explicit
application services and Over The Top (OTT) providers’ authorization enables fine-tuning of the SP and flexibility in
specific service requirements. It may also enable more cost enabling services on a per device basis and may be based on
efficient and dynamic service provisioning on behalf of specific contextual information such as type of device,
network slice tenants that lease resources from infrastructure geographic area, subscriber plan information etc. Such a type
providers. As a result, the 5G mobile network may support a of authorization is based on a Pull Model. Once the UE is
more distributed and dynamic authorization functionality to authorized and as long the Restricted Service remains enabled
control access to a diversity of service offerings. in the SP in the SN, any subsequent request to access the
service is granted automatically, similarly to the Basic
C. Related Work Services authorization process (i.e. without any additional
There have been several efforts to develop standards for messaging towards the HN).
dynamic authorization for web services as well as for the IoT
as part of the Internet Engineering Task Force (IETF) [11]. As an example, in the case of IoT systems, some basic
The OAuth framework [12] is one of the more widely connectivity services may be pre-provisioned in a UE as
deployed mechanisms for services offered over the Internet. Basic Services and a wider set of services recorded as
An access token (e.g., JSON access token) is utilized, Restricted Services. An IoT service provider may be able to
whereby, a service owner may provide an entity (subject) dynamically authorize a UE, for a specific IoT application, in
with access to a service (object) based on the claims made the field after the UE is deployed. Such service-specific
within the token. enabling protects the network from misuse of the IoT device
subscription and restricts service usage to the agreed upon
III. DYNAMIC SERVICE AUTHORIZATION ARCHITECTURE AND IoT services and policy settings. In considering the potential
FRAMEWORK excess signalling due to dynamic authorization messages
coming from an SN, an IoT service provider may implement
A. Types of Services a policy to provision Restricted Services that need to be
We propose an authorization solution that evolves the authorized only once, for example, during the very first
current 3GPP SP based authorization mechanism to support connection and for the lifetime of an IoT device.
not only existing implicit service authorization, which we
 3

3) Negotiated Services video from various cameras located around the stadium for a
A Negotiated Service is a service that may not be rich experience of the game. A request to deliver the service
provisioned by the HN Operator in an SP and builds on the to the user is sought by the SN from the HN. Following the
concept of Restricted Services. These services may be offered request and negotiation, upon receipt of the authorization, the
by an SN that caters to a specific set of service characteristics user is seamlessly provisioned with the live video feed of the
deliverable over a NS. When an authenticated UE requests a game. The dynamic request can be as simple as possession of
service, the SP is inspected and if it does not contain the an authorization token. Following activation of the App for
requested service, either as a Basic or Restricted Service, then the live video feed, an authorization from the user may be
a dynamic negotiation may be performed to seek sought by way of a Terms and Conditions dialog box. Upon
authorization for the requested service. For example, the acceptance of the terms, a user consent authorization token is
requested service, as indicated within the UE’s SP for Basic generated by the Sports Stadium. A recorded trace of the
and Restricted Services, may not be aligned with services authorization information enables the Sports Stadium and the
available over a basic NS of an SN. However, the requested HN to settle accounts in a seamless manner, following
services may be available as an optional additional service, consumption of the service by the user.
over a second NS. An alignment of the services and The Sports Stadium may host a RAN sharing
appropriate authorization checks may be performed and
infrastructure service with value-added services offered by
negotiated between the SN and the SP whether it be the HN way of a LBO service. The Sports Stadium has an
or a Data Network (DN) in a Local Break Out (LBO) setting.
arrangement with the SN to host and maintain the
A dynamic service negotiation may be carried out to indicate
infrastructure. The first NS, provisioning such services as
the required service characteristics, such as 5G QoS Class
Internet access, texting and voice calls is classified as Basic
Identifier (QCI), and receive a dynamic authorization.
Services, for which the authorization is provided via the UE’s
In an alternative deployment scenario, service SP. A 4K streaming video service over a second NS is part of
authorization based on a push model may be performed with some Restricted Services recorded in the user’s SP for which
an OTT service provider, DNN or HN to provide pre- access is granted after the SN has sought authorization from
authorization. Such an offering enables service scalability in the HN. Once authorized, the user’s SP is updated with the
terms of seamless inclusion of OTT service providers and authorization information and the services delivered to the
multi-tenant service providers and to provide a broader user. A key feature of Restricted Services is that if the service
geographic reach. In order to enable such an authorization to is logged in the user’s SP as “off” then the HN authorization
an SN who may then perform appropriate authorization is solicited whether in the context of a Home Routed (HR) or
decisions, the policies may be pre-negotiated and a LBO scenario, where data traffic is routed to/from a DN
communicated by way of a Proof-of-Authorization (PoA) through the HN as a home routed service or through the SN
provisioned in the UE. by way of a LBO service. In contrast, Basic Services are
automatically authorized based on a straightforward
B. Use Case Example inspection of the SP provided by the HN during UE
registration.

Figure 1: Example of Service Authorization over Network Slices

In order to illustrate the utility of the proposed

authorization mechanisms for the various services, we
consider the use case of a user going to a Sports Stadium to
watch a game and upon arriving, wishing to access a video Figure 2: Dynamic Authorization for Negotiated Services
service while (s)he is waiting for the game to start. Illustrated
in Figure 1 is an example of the user consuming various types The Augmented/Virtual Reality (AR/VR) live video
of services over NSs provisioned by an SN. The Sports service is offered by the SN using a third dedicated NS, in an
Stadium hosts a 5G network service and offers Basic services LBO configuration. As illustrated in Figure 2, upon request
such as Internet access, texting and voice calls to the user, via for the live video feed, the SN checks the user’s SP and finds
the user’s HN, without seeking authorization. The user no authorization settings for this service. The SN then checks
request for access to the video service triggers a request to the if the user has provided an authorization token and if the user
user’s HN for authorization to provide the video service. is allowed to request negotiated services. The SN then
Once authorized, the services are delivered to the user. After initiates a request by sending an authorization request to the
the game has started, the user wishes to receive real-time live HN. The authorization function in the HN performs checks
 4

on the user’s profile, the authorization token, and the optional service flows on a per UE basis. For example,
requested characteristics of the service to determine if the referring to the example of Figure 1, the “4K Streaming”
requested service can be delivered to the user. There may be service may be authorized at home but require explicit
a dialog between the SN and HN authorization functions to dynamic authorization when roaming. In determining an
make adjustments to the duration of the offering and other authorization decision, the AF in the HN may also take into
information to arrive at a mutual agreement. Following a consideration contextual information (e.g. UE type, location,
successful negotiation, the HN sends the authorization to the time of day). This Restricted Services model enables a very
SN. Upon receipt of the authorization, the SN registers the scalable, flexible, and agile architecture to dynamically
authorization information for the user and provisions the user authorize a particular service while a user is roaming or
with the live video feed of the game. After concluding the connected through a particular network in a LBO setting.
service, the SN informs the HN of the service consumption
In the case of Negotiated Services (i.e., a service
information for later billing to the user.
characteristic or feature not specified in the SP), the SN and
C. Service Authorization Architecture HN AFs may enter into a negotiation protocol. For example,
In the general descriptions that follow for an a service alignment may be performed between the services
Authorization Function (AF), a UE wishes to access a service offered in the SN and those recorded in the SP by the HN and
from an SN for which the UE does not have pre-authorization the service request mapped to a service in the SP and
in its SP. The requested service is part of a Restricted Service authorized by the HN. In an example, the service request may
or Negotiated Service that may require dynamic authorization be offered by the SN in a separate NS, managed by a 3rd party
for the specific service(s). infrastructure provider, that requires explicit authorization.
The negotiation between the SN and the 3rd party may result
1) Service Access in the Home Network in an authorization for the SN to provision the requested
In this scenario, a UE attached to its HN requests access services to the UE. This procedure is to be contrasted with the
to use a service provisioned by its HN. The request specifies previous scenario where the HN could unilaterally authorize
a set of network services the UE is seeking from a specific the service request. Additional information from the UE may
slice type (e.g., eMBB, URLLC, MIoT) on behalf of a given be obtained by the HN AF through the SN AF (e.g., user
application. Referring to an illustrative example provided in consent confirmation). Following a successful authorization,
Figure 1 the network services “Internet Access” or access to the service is provided to the UE.
“Messaging” may be delivered through the same eMBB slice
but using service flows with different QoS characteristics IV. DETAILED SOLUTION
(e.g. latency, throughput, delay) which the network is able to Figure 3 depicts a procedure for a Negotiated Service
map to a particular QCI [3]. The HN AF obtains the authorization procedure by an HN (i.e. A Home Public Land
subscription information from a Unified Data Management Mobile Network (HPLMN)) delivered through an SN (i.e.
function (5G equivalent of Home Subscriber Server (HSS)) Visited PLMN (VPLMN)) in a 5G network environment.
and local network authorization policies from a policy control
function (PCF). As part of the authorization logic, the AF The description of the steps is as follows (see Figure 3 for
compares the set of service QCI from the UE request against acronym definitions):
the content of the SP matrix. The services description data 0. A UE has registered with the SN and as a result, the
may be conveyed by the UE by way of a Network Slice SN has obtained the UE SP from the HN and the UE
Selection Assistance Information (NSSAI) identifier or a has obtained information about the NS based services
Service Description Document (SDD) [13]. In the case of being offered by the SN.
Restricted Services, some of these service flow parameters
1. The UE sends a request for an on-demand service
may be present in the SP but turned off by default and turned
provided by an SN but not provisioned by the HN in
on through the authorization process.
the User’s SP. The corresponding single slice
In the case of Negotiated Services, some service flows identifier (i.e. Single NSSAI (S-NSSAI)) may have
may be absent from the SP and may be authorized on demand been communicated by the SN via a prior message
e.g., contingent on a supplementary authorization check, user (e.g. Registration or Configuration). Referring to the
payment confirmation. The AF may perform an SP check, example of Figure 2, the request may be triggered
apply operator policies, evaluate additional UE contextual when the user starts a live AR/VR video app on his
information (such as location or time-of-day), and request device while in the Sports Stadium. In the example,
additional information from the UE (e.g., user consent the given S-NSSAI comprises a standard slice type
confirmation) in the decision-making process to authorize the (eMBB) and a non-standard Slice Differentiator
UE for access to the service. Following a successful (AR/VR). The request is transported though the RAN
authorization, the appropriate network resource allocation to the AMF.
and configurations are performed, and the UE may be granted 2. The AMF checks the User’s SP to verify that the HN
access to the services over one or more NS. has enabled a capability to request Negotiated
Services, since the request refers to a slice identifier
2) Service Access in a Serving Network (S-NSSAI) which is not provisioned by the HN in the
A UE that is authenticated and registered with an SN, may User’s SP.
request a particular service from the SN. The request specifies
the service requirements similarly to the UE request in its HN, 3. The AMF forwards a Policy Check Request message
as described in the previous non-roaming scenario. The SN to the Visited Policy Control Function (V-PCF) in
AF inspects the SP of the UE and forwards the request to the order to determine the right set of policies (e.g. QoS,
HN AF for service authorization since the requested service security policies) to provide the UE access to the
is part of a Restricted Service. Such a request allows the HN requested NS.
AF to administer network policies to authorize access to the
View publication stats

4. The V-PCF determines that the requested NS does compared to existing LTE networks. Negotiated Services go
match the service / slices allowed for by the HN. The even further, introducing a concept of dynamic service
V-PCF sends a service negotiation request to the alignment between networks and opening the door for on-
Home PCF (H-PCF) that includes a description of the demand service enrollment and provisioning on behalf of the
negotiated Service Characteristics (e.g. QoS, Security user. Further work to align the dynamic authorization
policies). A standardized service definition template architecture described here with 3GPP standardization efforts
or fields format (e.g. standard QCI values) may be can benefit the adoption of rich application services in 5G
used for interoperability across various network systems.
domains.
5. Upon receiving the request, the H-PCF obtains the SP
from the UDM
6. The H-PCF uses the HPLMN policy rules, the UE’s
subscription information, the requested service
characteristics (e.g. QoS, security), the capabilities of
the UE, any pre-authorizations, and the roaming
agreements with the SN in order to determine
authorization for access to the service.
7. Upon confirmation of the checks, The H-PCF records
the authorization for the service including any
contextual parameters such as a duration of the
authorization in the UE’s subscription information. In
addition, such data may be recorded in the SN for
faster re-authorization (e.g., for a subsequent request
to use the service from the UE during the allowed
authorization period).
8. The H-PCF sends a Service Negotiation Response
message to the V-PCF that authorizes service delivery
according to the selected service characteristics.
9. The V-PCF sends a positive Policy Check Response
message that contains the authorization information
including the accepted service characteristics to the
AMF. The AMF selects the NS accordingly (e.g. the
AR/VR Slice in Figure 1).
10. The AMF sends a PDU Session Request message to
the appropriate SMF that is associated with the
selected slice instance to perform service setup.
11. The SMF establishes a User Plane connection with the
UPF. Figure 3: Negotiated Service Authorization 5G Mobile Network Call Flow
12. The SMF also completes a User Plane setup in the
RAN (via the AMF) and in the Core network. REFERENCES
13. The SMF replies to the UE via the AMF with a [1] Alliance, N. G. M. N. "5G white paper.": Next Generation Mobile
positive response. Networks, White paper (2015).
[2] 3GPP TS 23.008, Organization of subscriber data
14. The user proceeds to consume the AR/VR service
[3] 3GPP TS 23.501, System Architecture for the 5G System
provided by the SN.
[4] 3GPP TS 33.501, Security architecture and procedures for 5G system
V. CONCLUSION [5] Huawei: 5G Security: Forward Thinking Huawei White Paper:
https://www.huawei.eu/sites/default/files/5G_Security_Whitepaper_e
We have presented a framework for providing dynamic n.pdf, 2015
authorization in 5G networks. The framework enables [6] Ericsson: 5G Security Scenarios and Solutions:
authorization and negotiation of a network service to https://www.ericsson.com/assets/local/publications/white-papers/wp-
requesting UEs/applications in 5G systems that include 5g-security.pdf, June 2017
MNOs and 3rd party service providers. We introduced a [7] 3GPP TS 23.251, Network sharing; Architecture and functional
concept of Restricted and Negotiated Services as an evolution description
of the current Basic Services that are based on the static [8] 3GPP TR 23.707, Architecture Enhancements for Dedicated Core
Subscription Profile and authorization model of 3GPP. Networks
Restricted Services allow for fully standardized service [9] NFVISG ETSI: Network functions virtualization, white paper, 2012.
definitions and persistence of existing pre-provisioning [10] O. N. Foundation: Software-defined networking: The new norm for
networks, tech. rep., Open Network Foundation, 2012.
practices, in a similar fashion to existing Basic Services, but
with the noteworthy advantage of accommodating dynamic [11] IETF: AAA Authorization Framework, RFC 2904, August 2000
service authorization. This capability is enabled due to the [12] IETF: The OAuth 2.0 Authorization Framework, RFC 6749, October
2012
notion of optional service authorizations that may be turned
[13] Vinod Choyi, Ayman Abdel-Hamid, Yogendra Shah, Samir Ferdi,
on or off based on the context of the service request. These Alec Brusilovsky: Network slice selection, assignment and routing
optional service authorizations allow the Home Network to within 5G Networks, IEEE Conference on Standards for
gain more control of the authorization process when Communications and Networking (CSCN), 2016