Trusted signaling in 3GPP interfaces in a network function virtualization wireless communication system

US 9,769,854 B1
Filed: 01/10/2017
Issued: 09/19/2017
Est. Priority Date: 02/07/2013
Status: Active Grant

First Claim

Patent Images

1. A method of wireless communication enabled by hardware assisted security, comprising:

receiving a trusted communication request from an enhanced node B (eNB) by an interface application, where the interface application is part of a virtualized network function provided by a virtual server executing in a virtual computing environment;

determining by a security monitor module of the virtualized network function that the trusted communication request has been received, where the security monitor module executes in a trusted security zone of compute resources provided by the virtual computing environment and wherein the trusted security zone provides hardware assisted security;

allocating a trustlet by the security monitor module to handle the trusted communication request of the eNB, where the trustlet executes in the trusted security zone, is associated with the interface application, and is part of the virtualized network function;

establishing trusted signaling by the trustlet with two or more serving gateway, mobility management entity (MME), home subscriber server (HSS), policy and charging rules function (PCRF) server virtualized network functions provided by virtual servers executing in the virtual computing environment; and

sending a trust token by the trustlet to the eNB, whereby a trusted communication link from the eNB is established via a virtualized network function path through the virtual computing environment.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing a trusted communication link in a wireless network. A mobility management entity (MME) interface of a MME virtualized network function (VNF) receives a trusted communication request. A MME interface trustlet is allocated to execute in a trusted security zone of compute resources provided by a virtual computing environment in which the MME VNF executes. The MME interface trustlet establishes trusted signaling with two or more different VNFs provided by virtual servers executing in the virtual computing environment. The MME interface trustlet sends a trust token to the eNB to establish the trusted communication link from the eNB via a virtualized network function path through the virtual computing environment.

683 Citations

20 Claims

1. A method of wireless communication enabled by hardware assisted security, comprising:
- receiving a trusted communication request from an enhanced node B (eNB) by an interface application, where the interface application is part of a virtualized network function provided by a virtual server executing in a virtual computing environment;
  
  determining by a security monitor module of the virtualized network function that the trusted communication request has been received, where the security monitor module executes in a trusted security zone of compute resources provided by the virtual computing environment and wherein the trusted security zone provides hardware assisted security;
  
  allocating a trustlet by the security monitor module to handle the trusted communication request of the eNB, where the trustlet executes in the trusted security zone, is associated with the interface application, and is part of the virtualized network function;
  
  establishing trusted signaling by the trustlet with two or more serving gateway, mobility management entity (MME), home subscriber server (HSS), policy and charging rules function (PCRF) server virtualized network functions provided by virtual servers executing in the virtual computing environment; and
  
  sending a trust token by the trustlet to the eNB, whereby a trusted communication link from the eNB is established via a virtualized network function path through the virtual computing environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the virtual server that provides the virtualized network function is configured to map execution of the security monitor module and execution of trustlets allocated by the security monitor module to the trusted security zone of the compute resources provided by the virtual computing environment in which the virtual server executes.
  - 3. The method of claim 2, wherein the virtual server that provides the virtualized network function is configured to map execution of the interface application to a rich execution zone of the compute resources provided by the virtual computing environment in which the virtual server executes.
  - 4. The method of claim 2, wherein the security monitor module determines that the trusted communication request has been received by polling the interface application at a periodic rate.
  - 5. The method of claim 4, wherein the security monitor module maintains a registry of trustlets, wherein each registry entry associates one of the trustlets to a trust token associated with the one of the trustlets, and wherein the security monitor module allocates the one of the trustlets based on a trust token embedded in a received trust request.
  - 6. The method of claim 1, wherein a serving gateway virtualized network function comprises at least two common functions selected from a policy function, a mobility function, a bearer function, a context function, and a data function.
  - 7. The method of claim 6, wherein each MME virtualized network function, HSS virtualized network function, and PCRF server virtualized network function comprises common functions selected from the policy function, the mobility function, the bearer function, the context function, and the data function.

8. A method of wireless communication enabled by hardware assisted security, comprising:
- receiving a trusted communication request from an enhanced node B (eNB) by an interface application, where the interface application is part of a virtualized network function provided by a virtual server executing in a virtual computing environment;
  
  allocating a trustlet to the eNB that requested the trusted communication, where the trustlet executes in a trusted security zone of compute resources provided by the virtual computing environment, is associated with the interface application, and is part of the virtualized network function;
  
  establishing trusted signaling by the trustlet with two or more serving gateway, mobility management entity (MME), home subscriber server (HSS), policy and charging rules function (PCRF) server virtualized network functions provided by virtual servers executing in the virtual computing environment; and
  
  sending a trust token by the trustlet to the eNB, whereby a trusted communication link from the eNB is established via a virtualized network function path through the virtual computing environment.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the virtual computing environment is a cloud computing environment.
  - 10. The method of claim 8, wherein the eNB is a wireless communication transceiver that established wireless communication links with user equipments (UEs) according to at least one of a long term evolution (LTE), a code division multiple access (CDMA), a global system for mobile communication (GSM), and a worldwide interoperability for microwave access (WiMAX) wireless communication protocol.
  - 11. The method of claim 8, wherein the virtualized network functions are provided by common functions comprising a policy function, a mobility function, a bearer function, a context function, an authentication function, an attach function, and a data function.
  - 12. The method of claim 11, wherein the policy function and the data function are executed in a trusted security zone of compute resources provided by the virtual computing environment.
  - 13. The method of claim 11, wherein a MME virtualized network function is provided by the attach function, the authentication function, the mobility function, the bearer function, and the context function and a serving gateway virtualized network function is provided by the policy function, the mobility function, the bearer function, the context function, and the data function.

14. A method of wireless communication enabled by hardware assisted security, comprising:
- receiving a trusted communication request from an enhanced node B (eNB) by an interface application, where the interface application is part of a virtualized network function provided by a virtual server executing in a virtual computing environment;
  
  determining by a security monitor module of the virtualized network function that the trusted communication request has been received, where the security monitor module executes in a trusted security zone of compute resources provided by the virtual computing environment and wherein the trusted security zone provides hardware assisted security;
  
  allocating a trustlet by the security monitor module to handle the trusted communication request of the eNB, where the trustlet executes in the trusted security zone, is associated with the interface application, and is part of the virtualized network function;
  
  establishing trusted signaling by the trustlet with two or more serving gateway, mobility management entity (MME), home subscriber server (HSS), policy and charging rules function (PCRF) server virtualized network functions provided by virtual servers executing in the virtual computing environment;
  
  sending a trust token by the trustlet to the eNB, whereby a trusted communication link from the eNB is established via a virtualized network function path through the virtual computing environment; and
  
  terminating, by the security monitor module, the trustlet and causing, by the security monitor module, permissive environment processing to resume in response to the trustlet indicating that trusted communication via the trusted communication link is completed.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, wherein the virtualized network functions are provided, at least in part, by common functions comprising a policy function, a mobility function, a bearer function, a context function, an authentication function, an attach function, and a data function.
  - 16. The method claim 15, wherein each common function is executed in one or more virtual servers and where different common functions do not execute on the same virtual server.
  - 17. The method of claim 16, wherein the policy function and the data function are executed in one or more trusted security zones of compute resources provided by the virtual computing environment.
  - 18. The method of claim 17, wherein the virtual servers in which the policy function and the data function execute are instantiated from server images that incorporate trusted security zone operating system support.
  - 19. The method of claim 18, wherein the security monitor module is part of the trusted security zone operating system support incorporated in the server images from which the virtual servers that the policy function and data function execute in are instantiated, and wherein the security monitor module instantiates trustlets of the policy function and of the data function on their respective virtual servers.
  - 20. The method of claim 19, wherein the trustlet of the policy function performs trusted instructions associated with the policy function on the virtual server executing the policy function and the trustlet of the data function performs trusted instructions associated with the data function on the virtual server executing the data function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Paczkowski, Lyle W., Ray, Amar N., Sisul, James P.
Primary Examiner(s)
Qureshi, Afsar M

Application Number

US15/403,166
Time in Patent Office

252 Days
Field of Search

370328, 370329, 370331, 455411
US Class Current
CPC Class Codes

H04L 63/0861   using biometrical features,...

H04L 63/126   the source of the received ...

H04L 63/20   for managing network securi...

H04W 12/08   Access security

H04W 12/10   Integrity

H04W 76/10   Connection setup

H04W 76/12   Setup of transport tunnels

H04W 88/16   Gateway arrangements

Trusted signaling in 3GPP interfaces in a network function virtualization wireless communication system

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

683 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted signaling in 3GPP interfaces in a network function virtualization wireless communication system

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

683 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links