There are more and more IoT devices or non-3GPP devices, e.g. media server, printer, smart thermostat/sprinkler/blinds, NAS server, smart plug, smart watch, smart pet collar, earbuds, VR goggle headset, smart garage door, etc., that can provide services to users at home or away from home in home settings. These devices are usually behind a wireless gateway. In recent years, security risks have been found in such settings due to port forwarding and insecure connectivity provided by the wireless gateway for in-home devices.
When considering a gateway with 5G capability for accessing 5G services, it is important to support secure connectivity, in terms of user authentication and authorization, so that authorized users from anywhere in the world can access authorized services provided by these IoT devices or non-3GPP devices.
These IoT devices or non-3GPP devices acting as PIN Elements can be a smart plug, smart watch, smart pet collar, earbuds, VR goggle headset, etc., and are usually connected to the UE acting as a PIN Element with Gateway Capability via non-3GPP access, e.g. WLAN, Bluetooth®. When the UE moves, the PIN moves with the UE and its associated PIN Elements. These PIN Elements, authorized to communicate with each other, are regarded as a Personal IoT Network (PIN). Other IoT devices or non-3GPP devices, usually stationary, are connected to the eRG using non-3GPP access (WLAN, wireline), e.g. media server, printer, smart thermostat, smart sprinkler, smart blinds, smart garage, etc. These IoT devices or non-3GPP devices, authorized to communicate with each other directly or via the eRG, are regarded as a Customer Premises Network (CPN).
Figure 5.5.1-1 shows the scenarios of the 5G network enabling connectivity service support for the UE using direct network connection (case a) or direct device connection or PIN direct connection (case b and case c) to access services provided by PIN Element. Each PIN Element may provide one or more services. For example, the PIN Element is a smart watch, earbuds, VR goggles, media server, smart TV, smart video doorbell, etc., which provide one media service. For another example, the PIN Element is a NAS server which can provide multiple services, e.g. media service, web server service, live security cams services, etc.
In Figure 5.5.1-1, a user using an authorized UE, e.g. smartphone or tablet, accesses the service A provided by a PIN Element which is connected to a PIN Element with Gateway Capability via non-3GPP access technologies, e.g. WLAN, Bluetooth®, etc.
Case (a):
the user/UE is out of home and uses authorised service A provided by a PIN Element behind a PIN Element with Gateway Capability which relays traffic to and from the 5G network. The PIN Element with Gateway Capability and the PIN Element connect to each other using direct device connection or PIN direct connection, while the PIN Element with Gateway Capability connects to the 5G network using direct network connection.
Case (b):
the user/UE operating as a PIN Element is at home and uses authorised service A on the other PIN Element via a PIN Element with Gateway Capability which supports relay communication between two PIN Elements. The UE and the PIN Element connect to the PIN Element with Gateway Capability using direct device connection or PIN direct connection. One or more PIN Elements can connect to the PIN Element with Gateway Capability.
Case (c):
the user/UE operating as a PIN Element is at home and uses authorised service A provided directly by the PIN Element using direct device connection or PIN direct connection. If the PIN Element requires connection to the 5G network, the UE can operate as a PIN Element with Gateway Capability to relay traffic to/from the PIN Element.
To avoid potential security/privacy risks to the PIN Elements and their services, it is important that the 5G network can support secure access to the PIN Elements and their services for authenticated and authorized users. According to clause 26a of TS 22.101, a "User" to be identified could be
an individual human user, using a UE with a certain subscription, or
an application running on or connecting via a UE, or
a device ("thing") behind a gateway UE.
In the context of PIN (personal IoT network), a "User" includes a service ("application") running on or connected via a PIN Element behind a PIN Element with Gateway Capability.
The following service aspects for an IoT device or non-3GPP device acting as a PIN Element connected to the 5G network via a PIN Element with Gateway Capability need to be considered:
User Identity and user authentication;
User Identity of PIN Element or application running on PIN Element;
The authentication of User Identity or application running on the PIN Element;
Access to PIN Element or its application running on the PIN Element;
User Profiles and User Identifiers for a PIN Element or the applications provided by a PIN Element;
The Incruedible family adopts civilian identities and lives in the suburbs for a normal life to hide their superhero identities. To ensure secure communication for the Incruedible family when accessing services of PIN Elements from anywhere in the world, Mr. Incruedible sets up many PIN Elements and subscribes to a reliable network operator's services, which can act as User Identity provider and provide secure access to his PIN Elements and the applications running on or connected to the PIN Elements behind the PIN Element with Gateway Capability, for all UEs of his family, including smartphones and tablets.
Mr. Incruedible signs in to his account at the operator's network that provides 5G connectivity services for all UEs of his family. In his account, there are two listed subscriptions with gateway capabilities: one smartphone, i.e. a UE acting as PIN Element with Gateway Capability, and one eRG. In Mr. Incruedible's account, he can create Users with User Identities for family members, PIN Elements, and services provided by PIN Elements.
Further, for each service of the PIN Element behind a PIN Element with Gateway Capability, Mr. Incruedible configures User Profiles, e.g. via scanning the QR code of the PIN Element to get some information and editing details manually. For each service identified by a User Identity, it can have one or more User Profile(s) and each User Profile contains the following information:
User Identifier
Specific service settings and parameters, e.g. active/inactive time, number of accesses, etc.
Authentication/authorization policy and access restriction policy required for the service, which are used to authenticate/authorize a User for accessing the PIN Element or the application running on the PIN Element.
Credential information, e.g. password for the authorized service, security keys for encryption/decryption, hash algorithm for message signing, etc.
For an authorized human user, the User Profile can indicate the authorized service identified by the User Identity and the allowed User Identifiers.
Step2: [Registration of PIN Element and Update of User Profiles for services provided by the PIN Element]
(2a):
When a PIN Element is turned on and the PIN Element with Gateway Capability discovers and connects to it for the first time, the PIN Element with Gateway Capability determines whether the PIN Element is an authorized User identified by a User Identity indicated in its UE configuration.
(2b):
The serving network of the PIN Element with Gateway Capability authenticates the User Identity of the PIN Element based on its credentials, and then updates the User Profiles of the services provided by the PIN Element. In return, the network responds to the PIN Element with Gateway Capability with the authentication result and the updated User Profiles of the registered services.
(2c):
The serving network of the PIN Element with Gateway Capability further provides the updated User Profiles of the services to the 5G subscriber's HPLMN. The HPLMN of the PIN Element with Gateway Capability updates its stored User Profiles of all impacted Users.
(2d):
Based on the serving network's policies, the serving network can update the User Profiles of impacted Users and the UE configuration towards the PIN Element with Gateway Capability.
Step3: [User/UE at home or out of home accessing services provided by PIN devices]
Violeta, Mr. Incruedible's daughter and an authorized user (User) of the service provided by a PIN Element, would like to use the authorized UE to access a registered application-A on a PIN Element behind a PIN Element with Gateway Capability. For example, the PIN Element is a smart garage door and Violeta would like to request the smart home application-A on the PIN Element to open the garage door for the delivery crew to put the package inside the garage. The communication method that connects her UE and the PIN Element differs depending on the location of her UE, as follows:
Case (a): When Violeta (User) using the authorized UE is out of home, the 5G network connects the UE to the PIN Element behind the PIN Element with Gateway Capability.
Case (b): When Violeta (User) using the authorized UE is at home, the PIN Element with Gateway Capability discovers and connects to the UE acting as a PIN Element, using PIN direct connection or direct device connection based on stored UE policies or user preferences.
Case (c): When Violeta (User) using the authorized UE is at home, the UE acting as a gateway UE discovers and connects with the PIN Element directly via non-3GPP access technologies, e.g. Bluetooth, WiFi, or via 3GPP direct communication, instead of via indirect communication over the eRG, based on stored UE policies of the UE or user preferences.
(3b):
Based on the stored User Profiles of the PIN Element with authorised Users, the PIN Element with Gateway Capability can determine whether to accept the access request for the PIN Element from the User/UE.
(3c):
The PIN Element with Gateway Capability can further perform user authentication for application-A based on the security policies and credentials in the stored User Profiles of application-A. If application-A is configured to apply user authentication by the 5G system, the PIN Element with Gateway Capability requests user authentication for application-A from the 5G system.
(3d):
The PIN Element with Gateway Capability forwards the service access request to the PIN Element only if the user authentication is successful. Otherwise, the PIN Element with Gateway Capability rejects the request for service access.
(3e):
The PIN Element with Gateway Capability starts to forward the traffic to/from the PIN Element.
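The gateway-side decision in steps (3b) to (3d) can be modelled as a small policy check over the stored User Profiles described in Step 1 (User Identifier, active time, number of accesses, authentication policy, credential). The following is an added illustrative example, not code from TR 22.859 or any 3GPP implementation; the profile field names, the "local"/"5gs" policy values, the network-authentication callback and all sample identifiers are assumptions of this example.

```python
"""Illustrative model of a PIN Element with Gateway Capability deciding whether to
forward a service access request (steps 3b-3d). Not a 3GPP-defined interface."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, Optional, Tuple
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash of a service password (the 'credential information' field)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class UserProfile:
    """One User Profile of a service, with the fields listed in Step 1 (assumed names)."""
    user_identifier: str        # User Identifier allowed to use the service
    active_from: time           # service setting: start of active window
    active_until: time          # service setting: end of active window
    max_accesses: int           # service setting: number of accesses allowed
    auth_policy: str            # "local": gateway checks credential; "5gs": ask the 5G system
    salt: bytes = b""           # credential for the "local" policy
    password_hash: bytes = b""
    accesses_used: int = 0


@dataclass
class Service:
    """A service identified by a User Identity and hosted on a PIN Element."""
    user_identity: str          # e.g. "application-A"
    pin_element: str            # e.g. "smart-garage-door"
    profiles: Dict[str, UserProfile] = field(default_factory=dict)


class PinGateway:
    """Minimal model of the PIN Element with Gateway Capability."""

    def __init__(self, services: Dict[str, Service],
                 network_auth: Callable[[str, str], bool]) -> None:
        self.services = services
        # Callback standing in for "user authentication by the 5G system" in (3c).
        self.network_auth = network_auth

    def handle_access_request(self, service_identity: str, user_identifier: str,
                              password: Optional[str], now: datetime) -> Tuple[str, str]:
        """Return ("FORWARD", reason) or ("REJECT", reason) for one access request."""
        service = self.services.get(service_identity)
        if service is None:
            return "REJECT", "unknown service"

        # (3b) Accept only Users listed in a stored User Profile of the service,
        # and enforce the service settings carried in that profile.
        profile = service.profiles.get(user_identifier)
        if profile is None:
            return "REJECT", "no User Profile for this User Identifier"
        if not (profile.active_from <= now.time() <= profile.active_until):
            return "REJECT", "outside active time of the service"
        if profile.accesses_used >= profile.max_accesses:
            return "REJECT", "number of accesses exhausted"

        # (3c) Authenticate according to the profile's authentication policy.
        if profile.auth_policy == "5gs":
            authenticated = self.network_auth(user_identifier, service_identity)
        else:
            if password is None:
                return "REJECT", "credential required"
            _, candidate = hash_password(password, profile.salt)
            authenticated = hmac.compare_digest(candidate, profile.password_hash)
        if not authenticated:
            return "REJECT", "user authentication failed"

        # (3d) Forward only after successful authentication, and count the access.
        profile.accesses_used += 1
        return "FORWARD", "forwarded to " + service.pin_element


def at_hour(hour: int) -> datetime:
    """Constructed timestamp helper for the sample runs below."""
    return datetime(2024, 5, 1, hour, 0)


def build_demo_gateway(network_auth: Callable[[str, str], bool] = lambda u, s: False) -> PinGateway:
    """Constructed sample configuration mirroring the garage-door scenario."""
    salt, digest = hash_password("open-sesame")  # constructed sample password
    garage = Service("application-A", "smart-garage-door")
    garage.profiles["violeta@family.example"] = UserProfile(
        "violeta@family.example", time(6, 0), time(22, 0), 2, "local", salt, digest)
    garage.profiles["mr-incruedible@family.example"] = UserProfile(
        "mr-incruedible@family.example", time(0, 0), time(23, 59), 100, "5gs")
    return PinGateway({"application-A": garage}, network_auth)


if __name__ == "__main__":
    gw = build_demo_gateway(lambda u, s: u == "mr-incruedible@family.example")
    print(gw.handle_access_request("application-A", "violeta@family.example", "open-sesame", at_hour(10)))
    print(gw.handle_access_request("application-A", "stranger@example", "open-sesame", at_hour(10)))
```

The wrong-password and out-of-window requests never reach the PIN Element, and the access counter only advances on a forwarded request, so a rejected attempt cannot consume the User's budget.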
Step4: [UE policies in the home settings]
When the authorized User/UE moves from out of home, i.e. case (a), to in home, i.e. case (b) or case (c), the User can manually determine which of case (a)/case (b)/case (c) the UE adopts, or the UE can automatically adapt to case (a)/case (b)/case (c) based on the UE policies, including the following information provisioned by the 5G network:
one or more operation modes (e.g. PIN Element, UE, PIN Element with gateway Capability);
communication methods (e.g. direct network connection, direct device connection, PIN direct connection);
The Incruedible family can safely live with hidden superhero identities by securely accessing applications on the PIN Elements from anywhere in the world without compromising the security of the PIN Elements/services at home.
Referring to clause 26a of TS 22.101, the user to be identified could be an individual human user, using a UE with a certain subscription, or an application running on or connecting via a UE, or a device ("thing") behind a gateway UE. The following service requirements are already supported:
The 3GPP network shall be able to provide a User Identifier for a non-3GPP device that is connected to the network via a UE that acts as a gateway.
The 3GPP network shall support to perform authentication of a User Identity used by devices that are connected via a UE that acts as a gateway.
The User Identifier may be provided by some entity within the operator's network or by a 3rd party.
The 3GPP system shall be able to take User Identity specific service settings and parameters into account when delivering a service.
The 3GPP system shall be able to store and update a User Profile for a user.
The 3GPP System shall support to authenticate a User Identity to a service with a User Identifier.
When a user requests to access a service, the 3GPP System shall support authentication of the User Identity with a User Identifier towards the service if the level of confidence for the correct association of a User Identity with a User Identifier complies to specified policies of the service.
A service shall be able to request the 3GPP network to only authenticate users to the service for which the association of the user with a User Identifier has been established according to specified authentication policies of the service.
Subject to operator policy, the 3GPP system shall be able to update User Profile related to a User Identifier, according to the information shared by a trusted 3rd party.
The User Profile may include one or more pieces of the following information:
additional User Identifiers of the user's User Identities and potentially linked 3GPP subscriptions,
used UEs (identified by their subscription and device identifiers),
capabilities the used UEs support for authentication,
information regarding authentication policies required by different services and slices to authenticate a user for access to these services or slices.
User Identity specific service settings and parameters.
Those shall include network parameters (e.g. QoS parameters), IMS service (e.g. MMTEL supplementary services) and operator deployed service chain settings.
User Identity specific network resources (e.g., network slice).
The following service requirement in clause 26a of TS 22.101 provides the principle for user-centric identifiers and authentication by the 3GPP system:
The 3GPP System shall support operators to act as User Identity provider and to authenticate users for accessing operator and non-operator deployed (i.e. external non-3GPP) services.
This use case and its requirements consider that the application running on the PIN Element is a non-operator deployed (i.e. external non-3GPP) service behind a PIN Element with Gateway Capability in a PIN.
The 5G system shall support secure mechanisms for a PIN Element using direct PIN connection or via PIN Element with Gateway Capability to access and communicate with another PIN Element for a PIN.
[PR-5.5.6-2]:
The 5G system shall be able to support the "User Identity and Authentication" requirements (as defined in TS 22.101 clause 26a) for PIN Elements of a PIN.
PIN elements (e.g. media server, printer, smart thermostat/sprinkler/blinds, smart lighting system, NAS server, etc.) can be located behind a PIN Element with Gateway Capability (e.g., a residential gateway with PIN capability, or a UE with gateway PIN capability). This PIN Element with Gateway Capability can host, or locally be connected to, significant compute and storage resources, which can host an Application Server. An application on an Application Server can be either in the MNO domain (i.e. a trusted application) or external to the MNO domain (i.e. an authorized third-party application).
An AS can be useful to process sensitive data locally. Data generated by some PIN elements can be sensitive, so it is important to limit the scope of its dissemination (e.g. temperature and light readings can be used to tell whether someone is at home). The AS can also be useful to perform latency-sensitive processing. For games and office applications it can be beneficial to render a latency-sensitive application locally. The AS can be accessed by local users located in the PIN network, or by remote users connected through the 5G network.
The AS can be hosted on a locally connected hardware hosting platform (e.g., a game console, an application server), and/or be embedded in a PIN Element with Gateway Capability (e.g., leveraging virtualization technology to host the AS on the PIN element). While an AS can be a standalone service, it can also be an on-site extension of an in-network service hosted on a hosting environment such as an edge computing platform. In this case, the service operator (e.g., a MEC server operator) can influence discovering/authorizing/orchestrating an AS. The AS can be under the control of a 5G network operator, a customer or an authorized third party.
Case (a):
the user/UE1 is at home and uses a client application that connects to an AS deployed at home.
Case (b):
the user/UE2 is out of home and uses a client application that connects to an AS deployed at home (on the PIN Element with Gateway Capability or on other hardware at home). UE2 is connected to the 5G network, e.g., it may be in another PIN.
Service aspects:
Deployment of an AS on a Service Hosting Environment that runs on, or is locally attached to, a PIN Element with Gateway Capability, with the applications hosted by the service provider.
Access to AS hosted in PIN, by UE2 outside of home.
Additional aspects are already covered in clause 5.4 and clause 5.5 of TR 22.858. Therefore no specific new routing support is needed between PIN element/UE1 and AS:
Access to AS in PIN by UE1 or PIN device from inside home.
Access to services offered by PIN elements or UE1 from AS in PIN.
User deploys PIN elements behind a PIN Element with Gateway Capability and subscribes with a service provider for AS. This subscription can be directly with the service provider(s), or through a 5G network operator.
Hosting environment is installed on the PIN Element with Gateway Capability or another PIN element with compute/storage capability (by service provider, 5G network operator or User). User requests some compute/storage resources (in the PIN Element with Gateway Capability or another PIN element with compute/storage capability) to be reserved for usage by the hosting environment.
Service provider can provide and configure an AAA server to control access to AS hosted in PIN.
AS is enabled on hosting environment (by service provider, 5G network operator or User).
Using an AS:
User installs client applications on UE, e.g. a client application that configures temperature at home based on time or day or other triggers.
Service provider provisions corresponding serving AS in hosting environment in PIN.
Client application on UE connects through 5G network to serving AS in PIN, after authorisation from AAA server. User configures application through the client. The serving AS can communicate with PIN element, e.g. to collect and process data locally.
The user can install and use a different UE application supported by the service provider. The service provider deploys the corresponding AS in the PIN. Suitable AS include all kinds of applications acting on privacy-sensitive data and, when the client UE is at home or close to home, latency-sensitive rendering or interactive application components for games or office applications.
The following potential requirements defined in TR 22.858 partly cover the use case functionality:
[PR. 5.4.6-001]
The 5G system shall be able to support efficient routing, without going through the 5GC, for the communication between a UE and a non-3GPP device, via the residential gateway and an indoor small base station connected to that residential gateway.
[PR. 5.5.6-001]
The 5G system shall be able to provide E2E QoS control for the communication path between the UE and a residential gateway via an indoor small base station.
[PR. 5.5.6-002]
The 5G system shall be able to support efficient routing for communication between UEs via a residential gateway without going through the 5GC.
[PR. 5.5.6-003]
The 5G system shall ensure the use of a residential gateway does not compromise the security of any PLMN or broadband access network.
[PR. 5.5.6-004]
The 5G system shall ensure the use of a residential gateway does not compromise the security of the UE.
[PR. 5.5.6-005]
The 5G system shall enable the network operator associated with a residential gateway to control the security policy of the residential gateway.
The following 3GPP solutions are incompatible with this use case as they address different areas of the 3GPP system architecture:
3GPP TS 23.548 [19]:
5G System Enhancements for Edge Computing: Figure 4.3-1 in clause 4 defines the reference architecture and connectivity models for Edge Computing support in the 3GPP system.
3GPP TS 23.558 [20]:
Architecture for enabling Edge Applications (EA). This specification defines the application enablers for Edge Computing.
Subject to the PIN being connected to the 5G network, the 5G system shall be able to provide support for a PIN element to discover and access an application on another PIN element. Discovery mechanisms are needed both inside the PIN and towards UEs connected to the 5G network, e.g., PIN elements in other PINs, subject to the PIN being connected to the 5G network.
[PR 5.6.6-2]
Based on operator policy and subject to the PIN being connected to the 5G network, the 5G network shall be able to support routing of data traffic between a PIN element and an application on another PIN element.
[PR 5.6.6-3]
Subject to the PIN being connected to the 5G network, the 5G system shall be able to support QoS for access by a PIN element to an application on another PIN element.
[PR 5.6.6-4]
Subject to the PIN being connected to the 5G network, the 5G system shall support a secure mechanism for a PIN element to access an application on another PIN element.
There are many attractions around the world that are very popular with tourists. Some of the things to see at an attraction have a lot of history or a lot of information to be conveyed about them, e.g. how they work. To help tourists and provide them with more information, tourists can participate in tours, either audio tours, whereby the tourist is given a digital media player configured for the tourist's language, or a personalised tour where a tour guide provides a description. In the latter case the tour guide probably gives the tour in one language and can also answer questions.
In both the audio tour and the tour guide tour a headset and digital media device are provided to the tourist. The headsets and media devices are usually all the same, meaning that the tourist is unfamiliar with how they operate. In addition, a large number of these need to be maintained by the tour company, including spares in case there are operational problems. Batteries also need to be charged. When a digital media device is provided and additional information for tourists needs to be added or removed, all of the digital media players need to be updated.
This use case looks at how a user with a smartphone and set of wearable devices can participate in a tour without specialised equipment.
Each tourist has a smartphone (UE) (PIN Element) and at least one of smart earbuds and eye glasses (additional PIN Elements). The latter two are collectively known as wearables. The collection of all three is known as a Personal IoT Network. The earbuds and eye glasses communicate wirelessly using PIN direct connections. Tourists use their PINs for listening to music, watching videos and having messenger application video and phone calls. The earbuds play notifications and sound, and the eye glasses display video images and notifications.
A tour guide has a smartphone (UE), smart earbuds and eye glasses. The earbuds and/or eyeglasses may be IoT devices that communicate with the UE within the PIN.
In popular tourist destinations the Quality Tour Guide (QTG) has a Service Level Agreement (SLA) with service provider C to ensure that the tour guide tours are of the best quality. QTG has been authorised by service provider C to be able to add tourists into QTG PIN. Service provider C also ensures that the security of the service provided to QTG is such that those that have not been authorised by QTG to join the group cannot hear or see QTG tour. Cheaper Tour Guide (CTG) has the same equipment but does not have an SLA, they cannot guarantee a high level of security as QTG can to their tour participants.
Terracotta Warriors is a very popular place in China where millions of visitors go each year. Peng (uses service provider A) and Pan (uses service provider B) have decided to visit and are going to take a tour with Quality Tour Guide (QTG) (uses service provider C). They also invite their friend Adrian (uses service provider D from another country, data roaming is turned off) to join. While Adrian is on his way to meet his friends he listens to music on his earbuds from his smartphone.
Meanwhile Pongo and Poppet have also decided to visit but have decided to take a tour with Cheaper Tour Guide (CTG).
When Peng, Pan and Adrian arrive at QTG their earbuds provide a notification sound and the smart glasses provide a visual indication that the QTG service is available. They all acknowledge on their smartphones that they authorise QTG to provide the service. The authorisation information collateral provided by QTG indicates that QTG has no access to personal information from tour participants (e.g. phone number, IMEI, UICC ID etc.); however, QTG's service provider will have access to such information for quality assurance purposes. The collateral also indicates that QTG requires access to microphone, earbuds and display capabilities. Pan further configures the service so that he can get notifications from all his other services, while Peng has chosen not to be disturbed while in the tour. Adrian has no data service and can only participate in the tour offered by QTG, but can still listen to his music. QTG is notified that 3 tourists are ready for a tour and sees a picture of them on their headset.
Pongo and Poppet arrive at CTG where they scan a QR code for the CTG service. CTG receives notification that 2 tourists are ready for a tour.
QTG and CTG take their respective tourists to the first sight of a clay warrior. It is very busy at the exhibit with lots of tourists and other tour guides giving their tours. QTG and CTG give basically the same tour. At this exhibit they provide a verbal description of the clay figure, some pictures of the clay figure being excavated and a small video clip from the farmer who discovered the clay figure. As Peng, Adrian and Pan listen it is just like standing next to the tour guide with no other tourists; the audio quality is superb. As the pictures are displayed on the smart glasses with some audio description, the video then starts to play and can be seen on the smart glasses. Suddenly Pan receives a notification on the glasses and a less pronounced notification tone of a WeChat group message; it is from their manager Fei, who wants to talk to Pan and Peng. Peng does not get the notification as he has opted not to be disturbed. Adrian has no other service apart from the tour. Pan receives a messenger application call from Fei; the audio from the video display is muted and the messenger application call is received from the smartphone UE. Pan walks into a huge metal structure and, while he is on the messenger application call, the call suddenly stops. Pan looks at his phone and notices that there is no cellular service.
While Peng, Adrian and Pan were having their tour, Poppet and Pongo were receiving the same type of tour from CTG. Poppet and Pongo's audio quality was not as good as Peng and Pan's, and when the video stream was playing, at times the sound would be lost or a video frame corrupted. The problems seemed to get worse when there were more people around, especially when it got very crowded.
Later that week QTG receives a bill from service provider C indicating that 3 tourists used the service for time Y and consumed Z bytes of data.
Service provider C is provided with a set of records indicating that QTG used a specific amount of PIN data.
Service provider C is provided with the identities of the UEs that joined QTG PIN.
All the individuals had successful tours.
The 5G system shall support that a PIN Element may be a member of more than one Personal IoT Network.
[PR 5.7.6-2]
The 5G system shall support a PIN Element being added or removed from a PIN by an authorised 3rd party.
[PR 5.7.6-3]
The 5G system shall enable PIN direct communications between PIN Elements in a PIN to use licensed spectrum (under the control of a MNO) or between PIN Elements to use unlicensed spectrum (may be under the control of the MNO, or not).
[PR 5.7.6-4]
The 5G system shall be able to provision PIN Elements that have been authorised to use that PIN with the necessary configuration parameters to use that PIN subject to MNO and local policies.
[PR 5.7.6-5]
The 5G system shall be able to support a PIN Element concurrently using both operator managed and non-operator managed PIN direct connectivity with another PIN Element.
[PR 5.7.6-6]
The 5G system shall be able to support that a PIN Element can support concurrent communications with PIN Elements in more than one PIN.
[PR 5.7.6-7]
The 5G system shall be able to provide secure communications between PIN Elements in a PIN or across different PIN.
In a home network, services are provided for e.g. home automation and wireless hi-fi, which are often based on e.g. UPnP/DLNA, Bonjour and other protocols that can make extensive use of discovery and other broadcast-type messages. The user wants to be able to use the service via both the home network (e.g. Wi-Fi) and the public network.
Several services make extensive use of broadcast messages, e.g. smart home systems. The status or discovery-like messages in e.g. UPnP/DLNA, Bonjour and other protocols are broadcast to all 'participating' IoT devices in the network. This is less of a problem when the service is used in a home network (e.g. via LAN) only. However, when the PIN is used outside the home network via a public network (e.g. the smartphone joins the PIN via the 3GPP network), the phone still receives all broadcast messages. This can cause increased messaging to the UE, while these messages are not always relevant to the user.
The user should have the choice to receive discovery and status messages on demand, or filtered (e.g. only when there is a status change), when using the service via the public network.
Furthermore, the 5G system needs to ensure that the service discovery messages are authentic and sent in sufficiently low numbers so as not to present an obstacle to useful transmissions within the PIN.
Mary has a smart home system in her home, in which wireless hi-fi systems (IoT device) are connected to a media server (IoT device) via a non-3GPP wireless radio technology in an in-home network. The IoT devices use a broadcast-based service discovery to find other IoT devices in the network. If Mary wants to control the IoT devices in this smart home system, she uses her smartphone which is also connected to the same in-home network.
Mary is in her living room and wants to turn on the hi-fi system to listen to music from her media server. Mary can easily do this using her smartphone.
It is a nice day outside and Mary decides to sit in the garden. Mary wants to listen to the music outside but cannot hear the music, so she tries to change the volume of the wireless hi-fi system using her smartphone. However, Mary discovers that she is using the public network instead of the in-home network, and therefore cannot control the smart home system using her smartphone.
Mary is unhappy with the situation and therefore she purchases a solution from her network operator that allows her to control the wireless hi-fi system via the public mobile network using her smartphone.
Now she can control the music from her smartphone, even when she is outside. Fortunately, the operator solution filters the broadcast traffic, so that these broadcast messages are not counted for the amount of data she is sending via the mobile network.
The 5G system shall enable service discovery of PIN Elements (e.g. based on certain device applications) in PIN by UEs in the PIN or via the public network.
[PR 5.8.6-1a]
The 5G system shall enable an authorized PIN user to configure which UEs connected to the public network can perform service discovery of PIN Elements in a PIN. The 5G system shall support configuration per 5GLAN VN, per group of UEs, or per individual UE.
[PR 5.8.6-2]
The PIN Element with gateway capability shall support optimization of service discovery of PIN Elements in a PIN by UEs on the public network, e.g. by reducing the amount and frequency of service discovery messages sent from PIN Elements.
[PR 5.8.6-3]
The 5G system shall support a mechanism(s) to mitigate a malicious flood of service discovery messages.
[PR 5.8.6-4]
The 5G system shall support a mechanism(s) to mitigate spoofing of service discovery messages.
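As an added illustration (not text or code from this TR), the behaviour the requirements above and the broadcast-discovery discussion call for, sketched as a hypothetical gateway-side filter for UPnP/SSDP NOTIFY broadcasts: it relays a message to UEs on the public network only on a status change, rate-limits each source, and drops messages from sources not configured in the PIN or whose USN was first announced from a different source. The sample message, the addresses and the PinDiscoveryFilter class are constructed for this example.

```python
from collections import defaultdict, deque
# Constructed sample SSDP (UPnP) NOTIFY broadcast, as a media server in the home network sends it.
ALIVE = ("NOTIFY * HTTP/1.1\r\nNT: urn:schemas-upnp-org:device:MediaServer:1\r\n"
         "NTS: ssdp:alive\r\nUSN: uuid:media-1::urn:schemas-upnp-org:device:MediaServer:1\r\n"
         "LOCATION: http://192.168.1.20:8200/desc.xml\r\n")
BYEBYE = ALIVE.replace("ssdp:alive", "ssdp:byebye")

def parse_ssdp(raw):
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the NOTIFY request line
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().upper()] = v.strip()
    return headers

class PinDiscoveryFilter:
    # Hypothetical gateway-side filter for discovery broadcasts relayed to UEs on the public network.
    def __init__(self, authorized, max_per_window=5, window=60.0):
        self.authorized = set(authorized)    # source addresses of the PIN Elements configured in the PIN
        self.max_per_window, self.window = max_per_window, window
        self.state = {}                      # USN -> (NTS, LOCATION) last relayed
        self.owner = {}                      # USN -> source address it was first announced from
        self.recent = defaultdict(deque)     # source -> times of messages relayed in the window
        self.dropped = defaultdict(int)      # drop counters by reason, for monitoring

    def handle(self, src, raw, now):
        """Return True if the message from src (seen at time now) should be relayed."""
        h = parse_ssdp(raw)
        usn = h.get("USN")
        if src not in self.authorized or not usn:  # unknown device or malformed message
            self.dropped["unauthorized"] += 1
            return False
        if self.owner.setdefault(usn, src) != src:  # same USN from another source: treat as spoofed
            self.dropped["spoofed"] += 1
            return False
        q = self.recent[src]
        while q and now - q[0] > self.window: q.popleft()   # slide the per-source rate window
        if len(q) >= self.max_per_window:           # flood of discovery messages from one source
            self.dropped["flood"] += 1
            return False
        new_state = (h.get("NTS"), h.get("LOCATION"))
        if self.state.get(usn) == new_state:        # no status change: not relayed, UE can poll
            self.dropped["unchanged"] += 1
            return False
        self.state[usn] = new_state
        q.append(now)
        return True

    def snapshot(self):                             # on-demand view for a UE that asks
        return dict(self.state)
```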
Due to the increasing costs and pressure on the healthcare system, care providers, insurance companies and people themselves are looking at new ways to monitor their health and manage people's health remotely. One way this has been achieved so far is that people buy, for example, a smartwatch or step counter themselves, pair it to their phone, and download an application to their phone to monitor some of their health data. As the requirements on these devices become more demanding, requiring additional physiological data to be monitored with higher accuracy and improved reliability, and moving towards cloud/edge-based analysis of these streams of data, the requirements on the underlying network connections and on the manageability of these devices also become more demanding. It should also be made as easy as possible for the user to connect and manage these networked health devices.
In this use case, Fred has been feeling exhausted in the last weeks and went to his general practitioner for a check-up. The general practitioner performed a thorough exam and told Fred that he is quite worried about his health, given that his blood pressure is way too high, his cholesterol is at alarming levels, and that he has initial signs of diabetes and heart problems. If Fred continues like this, he has a serious chance of heart failure or ending up in the hospital. Next to some medicines, his general practitioner enrols him in a new program offered by his insurance company in cooperation with a health provider to monitor Fred's health. This new program includes a 24/7 wearable monitoring device combined with a cloud service operated by the health provider for early detection and warning of heart arrhythmia, heart failure and hypertension. The device will be sent to Fred's home in a few days.
Fred has a 5G enabled mobile phone UE with a USIM and a valid 5G subscription, which supports the PIN gateway UE function. Fred also has a Wi-Fi Access Point at home that may be integrated in or associated with a residential gateway connected to the 5G network.
The 24/7 wearable monitoring device uses non-3GPP RAT (e.g. Wi-Fi) and may not be equipped with a (e)UICC.
This use case assumes that the health provider has an SLA with Fred's mobile operator and that the insurance company either pays or allows Fred to get reimbursed for any additional data or subscription extensions.
Fred receives a package that includes a 24/7 wearable monitoring device from his insurance company. The package also includes a set of instructions to follow. All he has to do is use the camera on his 5G enabled UE to scan a QR code on the wearable monitoring device (or e.g. touch the device with NFC).
Fred unpacks the 24/7 wearable monitoring device and scans the QR code using his 5G enabled UE, acting as a PIN gateway UE. Upon doing this, a sequence of events is initiated, which includes the provisioning of credentials (and other configuration information) onto the 24/7 wearable monitoring device, enabling it to set up an identifiable connection to an application server through the 5G core network to which the 5G enabled UE is connected.
The connection may be an indirect network connection through the 5G enabled UE, and may be operated by a slice that offers the QoS and reliability guarantees required for this application. In order to facilitate that the 24/7 wearable monitoring device can always connect to the application server, without requiring the 5G enabled UE to be always available or nearby (e.g. wearing the 24/7 wearable monitoring device under the shower, in bed or when the 5G enabled UE is out-of-energy), the 24/7 wearable monitoring device also gets temporary credentials to allow the device to temporarily disconnect from the 5G enabled UE and directly connect to the 5G core network via non-3GPP access to communicate with the application server.
The data from the 24/7 wearable monitoring device is continuously sent to the application server through the 5G network. Fred feels very safe knowing that his health is constantly being monitored.
From TS 22.261 "Service requirements for the 5G system":
The connection between a remote UE and a relay UE shall be able to use 3GPP RAT or non-3GPP RAT and use licensed or unlicensed band.
The 5G system shall support a secure mechanism for a home operator to remotely provision the 3GPP credentials of a uniquely identifiable and verifiably secure IoT device.
Note that the above requirement only partially covers the above-mentioned use case. 3GPP currently relies on the external GSMA remote provisioning framework to perform this function. However, the remote provisioning framework requires an (e)UICC to be supported on the UE, which is not required in this use case. This requirement may need to be further clarified, or additional requirements may need to be added, to cover non-UICC, non-3GPP RAT devices and the involvement of a gateway UE in the provisioning or communication.
From TS 22.101 "Service aspects; Service principles":
The 3GPP network shall be able to provide a User Identifier for a non-3GPP device that is connected to the network via a UE that acts as a gateway.
The 3GPP network shall support to perform authentication of a User Identity used by devices that are connected via a UE that acts as a gateway.
A subscriber shall be able to link and unlink one or more user Identities with his 3GPP subscription.
The User Identifier may be provided by some entity within the operator's network or by a 3rd party.
The 3GPP system shall support to interwork with a 3rd party network entity for authentication of the User Identity.
The 3GPP system shall support to perform authentication of a User Identity regardless of the user's access, the user's UE and its HPLMN as well as the provider of the User Identifier.
The 3GPP system shall support user authentication with User Identifiers from devices that connect via the internet; the 3GPP system shall support secure provisioning of credentials to those devices to enable them to access the network and its services according to the 3GPP subscription that has been linked with the User Identity.
The 5G system shall support an authorized PIN Element to access the 5G network and its services via a PIN Element with Gateway Capability, via non-3GPP access when the PIN Element is associated to a 3GPP subscription and configured with credentials or via direct network connection when the PIN Element is a UE.
[PR 5.9.6-2]
The 3GPP system shall support secure provisioning of credentials to a device whose User Identifier has been linked with the 3GPP subscription of the UE that acts as gateway, via that UE, to enable it to access the network and its services according to the linked subscription when connected via the internet.