5G网络切片白皮书（英文版）

5GService-GuaranteedNetworkSlicing

WhitePaper

Issue V1.0

Date 2017-02-28

ChinaMobileCommunicationsCorporation,HuaweiTechnologiesCo.,Ltd.,DeutscheTelekomAG，Volkswagen

Abstract

Previousgenerationsofmobilenetworksenabledvoice,data,video,andotherlife-changingservices.Incomparison,5Gwillchangeoursocietybyopeningupthetelecomecosystemtoverticalindustries.5Gwillhelpverticalindustriestoachievethe“InternetofEverything”visionofubiquitouslyconnected,highlyreliable,ultra-lowlatencyservicesformassivenumberofdevices.Service-guaranteednetworkslicingintroducedinthiswhitepaperisoneoftheessen-tialfeaturesfor5Gtoachievethisvision.Keyplayersfromoperators,vendors,andverticalindustrieshavecometogethertoestablishacommonunderstandingonservice-guaranteednetworkslicingintermsofthevision,end-toend(E2E)solution,keyenablingtechnologies,andtheimpactsforverticalindustries.Thiswhitepaperdescribesthethinkingonnetworkslicingin5G.

TableofContents

IndustryTrendsandRequirements 02

VisionsofService-GuaranteedNetworkSlicing 04

OverallArchitectureofService-guaranteedNetworkSlicing 06

Concepts 06

ConceptClarifications 06

Architecture 07

KeyTechnologiestoEnableService-GuaranteedNetworkSlicing 09

NetworkManagementSystem 09

NetworkSliceManagement(NSM)Architecture 09

NetworkCapabilityExposureviaBusinessSupportSystem 10

Third-partyApplications 11

Security 11

InfrastructureSecurity 11

NetworkManagementSecurity 11

NSISecurity 12

EnablingTechnologiesforDifferentTechnicalDomains 12

AccessNetwork 12

CoreNetwork 14

TransportNetwork 15

Terminal 17

TechnologyEvolution 17

UseCaseforService-GuaranteedNetworkSlicing 18

SummaryandSuggestions 20

02

03

IndustryTrendsandRequirements

The5Gnetworksarenotonlyenvisionedasasupportfor“InternetofThings”(IoT),butalsoasmeanstogiverisetoanunprecedentedscaleofemergingindustries,instillinganinfinitevitalityinfuturetelecommunications.IoTrequiressupportforadiverserangeofservicetypes,suchaseHealth,InternetofVehicles(IoV),smarthouseholds,industrialcontrol,environmentmonitoring,andsoon.TheseserviceswilldrivetherapidgrowthofIoTandfacilitatehundredsofbillionsofdevicestoconnecttothenetwork,whichalsoconceivesthe“InternetofEverything”visionespeciallyfromverticalindustries.

TherequirementsforIoTservicesarealsovery

Servicediversity

Theservicesforeseeninthe5Gerafallintothreetypicalscenarios:enhancedMobileBroadband(eMBB),Ultra-ReliableandLowLatencyCommu-nications(URLLC),andmassiveMachineTypeCommunications(mMTC).eMBBfocusesonservicescharacterizedbyhighdatarates,suchashighdefinition(HD)videos,virtualreality(VR),augmentedreality(AR),andfixedmobileconver-gence(FMC).URLLCfocusesonlatency-sensitiveservices,suchasself-driving,remotesurgery,ordronecontrol.mMTCfocusesonservicesthathavehighrequirementsforconnectiondensity,suchasthosetypicalforsmartcityandsmartagricultureusecases.Eachscenariorequiresacompletelydifferentnetworkserviceandposesrequirementsthatareradicallydifferent,some-timesevencontradictory.

diverse.Servicessuchassmarthouseholds,smartgrid,smartagriculture,andintelligentmeterreading,willrequiresupportinganextremelylargenumberofconnectionsandfrequentlytransmittedsmalldatapackets.Servicessuchassmartvehiclesandindustrialcontrolwillrequiremillisecond-levellatencyandnearly100%reliability,whileinfotainmentserviceswillrequireextremefix/mobilebroad-bandconnectivity.Theserequirementsindicatethatthe5Gnetworksneedbemoreflexibleandscalabletosupportmassiveconnectionsofdifferentnature.Meanwhile,operatorswillperformagradualshiftawayfrompipeservicestowardscopingwithverticalindustryneeds:

Guaranteedperformance

Severalkeyperformanceindicators(KPIs)mustbesimultaneouslysatisfiedforsomeoftheabove-mentionedservices.Forexample,VRandARhavestrictrequirementsondatarateaswellaslatency.Suchdemandsbecomemorestrin-gentforverticalindustries,wheretheterminalsarenormally"machines"withverylowtoleranceonperformancedegradation.

Fastdeploymentandshorttime-to-market(TTM)

Itisalongprocesstodeployconventionalmobilenetworks.Asimpleserviceupdatemaytakefrom10to18months.SuchlongcyclesareverydifficulttomeettailoredandfastserviceprovisioningandshortTTMdemandsfromverticalindustries.

ResourcemultiplexingandisolationDifferentfromcurrenttelecompractice,verticalindustriesarelikelytogetinvolvedwithspecial-izednetworkfunctions(dedicatedrouting,mobilitysupport,customizedflowhandling,

in-networkprocessing,etc.).Tohandlesuchdiversitywithoutlosingoperationefficiency,operatorsprefertouseresourcemultiplexingapproachwithsecuredisolationprovisioning.

Automation

Flexibilityandscalabilityarethekeyfeaturesofthe5Gnetworks.Suchnetworkscannotdependonmanualmanagement.Fullyautomaticnetworkmanagementtechniques,suchasself-diagnosis,self-healing,automaticconfiguration,self-optimization,andautoinstallation/plug-and-play,arefundamentaltoachieveefficientnetworkoperationsandtoprovidethedynamicservicemix.Withtheprogressoftheautomaticnetworkmanagementtechniques,managementwillbecomemoreagileandmoreadaptive.Newtoolsforsuchmanagementarerequired;inparticular,artificialintelligence(AI)andauto-maticlearningtechniquesshouldbeconsideredforthe5Gnetworks.

NewecosystemandbusinessmodelThe5Gnetworkswillsupportnewrolesandbusinessmodels,whichmayinvolvenetworkinfrastructureproviders,operators(mobilenetworkoperators,mobilevirtualnetworkoperators,etc.),andverticalserviceproviders.Thesenewrolesandbusinessrelationshipshelpthetelecomindustrytobuildanewecosystemtogetherwithverticalindustries.

ConvergenceoffixedandmobileaccessFMCisalsoaveryimportantrequirement,becausecustomersdoexpectthesameuserexperienceregardlessoftheaccesstechnologyused.Whiletodaythearchitectures,serviceconceptsandecosystemsoffixedandmobilenetworksdifferinmanyaspects,itisenvisionedthatwith5Gthesewillconverge.Anarchitecturethatcannativelyhandleallkindsoffixedandmobileaccesstechnologieswillcontributesignificantlytoenablethedesigngoaloftrulyconverged5Gnetworks.

04

05

VisionsofService-GuaranteedNetworkSlicing

Inthe5Gera,verticalindustrieswilltriggerthenetworkstoshiftfromthetraditional

“human-centric”servicesto“machine-centric”services.Thisnotonlyallowsthe

Vision1:Provideguaranteedperformancetomeetthefundamentalservicerequire-mentsofverticalindustries.

Uponthefundamentalconnectivityservice,guaranteedperformance(e.g.,latency,datarate,reliability,connectivity,andpowerconsumption)willenableoperatorstoembraceverticalindus-triesin5Gecosystem.Guaranteedperformanceisnotonlyaboutqualityofservice(QoS),italsoimpliescustomizednetworkfunctionsandresourcestotackledifferenttypesofservices,forinstance,toprovidevehicle-to-everything(V2X)servicewithcustomizedmobilitymanagement.

Vision2:Providecustomizedservicestoenhancethecompetenceofverticalindustries.

Provisioningaguaranteedperformanceisonlythebasicpropositiontocooperatewithverticalindustriesin5G.Thefurtheressentialsteptowardssuccessistobringmoreconcretevaluefortheverticalservices,forinstance,reducingtheirserviceoperationalcostandcapitalcost,shorteningTTM,etc.Helpingverticalindustriestoincreasetheircompetenceisavitalcomponentof

telecommunicationindustrytodevelopanewecosystem,butalsobecomesthenewenginetoboostthesocialeconomywiththefollowingcorevisions:

the5Gecosystem.

Basedonthefundamentalconnectivityservices,operatorsshouldinvokedeeperbusinesspoten-tialsviaprovidingcustomizedservices,forinstance:

Networkservices:Thenetworkcapabilities,e.g.,caching,canbeusedtoenhanceverticalserviceperformance.

Resourceservices:Verticalindustriesareencouragedtodeploytheirservicesintheoperator’sedgedatacenters(DCs)andcoreDCs,becauseoperatorscouldusetheadvantageoftheorchestrationofnetworkandcloudresource,aswellasedgecomputing.

Networkoperationandmaintenance(O&M)services:IndependentO&Maccordingtocustom-izedpoliciesisanappealingfeatureforverticalindustries.

Terminal

CustomizedService

Vertical

third-partyservices

ResourceService

NetworkO&MService

NetworkService

ConnectivityService

EdgeDC

CoreDC

IndustryControlAPPs

V2XAPPs

Smart-meterApps

·Figure1:Service-guaranteednetworkslicingvision

Aspresentedabove,theflexibilityanddiversityexpectationsfromthecorevisionsarerealandtremendous.Thequestionishowtofulfillthese:theflexibilityofservicesontheonehandandthediversityofnecessarynetworktechnologiesontheotherhandposeadauntingrequirementonthenetworkdesign,control,operationsandmanagement.Suchasystembearsahighriskofcrumblingunderitsowncomplexity.Toovercomethesechallengeswhilestillfulfillingtheexpectedfuturedemands,aservice-guaranteednetworkslicingisintroducedinthiswhitepaper,aimingtorealizetheabovecorevisions.Itproposestohave

severallogicalnetworkswithdifferentnetworkservices,provisions,mechanisms,orassurancesonthesameinfrastructure.Verticalindustriesinterestedinthesupportedservicesthereforewouldonlyberequiredtoconcentrateonthemanagementofthenetworkslicingspecificprovisions,tightlycoupledwiththeexpectedservices.Suchconcentrationonthebusinessneedsensuresinterestandcompetenceofverticalindustriesontheonehandand,ontheotherhand,offloadthemfromcomplexconsiderationsofdesigning,deploying,testingandrunningsuchnetworks.

06

07

OverallArchitectureofService-guaranteedNetworkSlicing

Concepts

Since“networkslicing”appearedinthe5Gvocabulary,anumberofconceptshavebeenderivedfromit,i.e.networkslicinginstance,networkslicetype,etc.Thissectionaimstoclarifythedefinitionoftheseconceptsandtheircorrespondingrelationships:

Networkslicing:Networkslicingisthecollec-tionofasetoftechnologiestocreatespecialized,dedicatedlogicalnetworksasaservice(NaaS)insupportofnetworkservicedifferentiationandmeetingthediversifiedrequirementsfromverticalindustries.Throughflexibleandcustom-izeddesignoffunctions,isolationmechanisms,andO&Mtools,networkslicingiscapabletoprovidelogicaldedicatednetworksuponacommoninfrastructure.

Networksliceinstance(NSI):AnNSIistherealizationofnetworkslicingconcept.ItisanE2Elogicalnetwork,whichcomprisesofagroupofnetworkfunctions,resourcesandconnectionrelationships.AnNSItypicallycoversmultipletechnicaldomains,whichincludesterminal,accessnetwork(AN),trans-portnetwork(TN)andcorenetwork(CN),aswellasDCdomainthathoststhird-partyapplicationsfromverticalindustries.DifferentNSIsmayhavedifferentnetworkfunctionsandresources.Theymayalsosharesomeofthenetworkfunctionsandresources.

Networkslicetype:Networkslicetypesarehigh-levelcategoriesforNSIs,whichreflectthedistinctdemandsfornetworksolutions.Three

fundamentalnetworkslicetypeshavebeenidenti-fiedfor5G:eMBB,mMTC,andURLLC.Thesecouldbefurtherextended,e.g.accordingtotheoperator’spoliciesorwiththedevelopmentof5G.

Networkslicetemplate:NetworkslicetemplateistheoutputoftheslicedesignphaseusedtocreateNSIs.

Tenant:Tenantsaretheoperators'customers(forexample,customersfromverticalindustries)ortheoperatorsthemselves.TheyutilizetheNSIstoprovideservicestotheirusers.TenantstypicallywillhaveindependentO&Mrequire-ments,whichareuniquelyapplicabletotheNSIs.

ConceptClarifications

Theaforementionedkeyconceptshavethefollowingrelationships.

NetworkslicetypesandtenantsareimportantreferencesforcreatinganNSI.AnNSIisinstanti-atedfromonenetworkslicetemplatewithaspecificnetworkslicetype.AtenantthatprovidesdifferentservicetypesmayusemultipleNSIswithdifferentnetworkslicetypes.Fortenants,whomayprovideservicesofthesameservicetype,theycanstillusedifferentiatedNSIsviathe

customizationofthenetworkslicetemplatewiththesamenetworkslicetypes.

NetworkslicetemplatedesignisseparatefromtheNSIoperation.Inthedesignphase,thenetworkslicetemplateisgeneratedbasedonthenetworkcapabilityofeachtechnicaldomainandatenant'sparticularrequirements.Intheopera-tionphase,anNSIisinstantiatedbasedonthenetworkslicetemplate,whichincludesthedeploymentandconfigurationofrelatednetworkfunctionsandrelatedresourcesindifferenttechnicaldomains.Thenetworkslicedesignisseparatefromtheoperationtoenabletherepeateduseofanetworkslicetemplate.

NSIsrequiremulti-dimensionalmanagement.AnNSIusuallyincludesmultipletechnicaldomains.AnNSImayalsoincludemultipleadministrativedomainsthatbelongtodifferentoperators.ToguaranteeNSI’sfastdeployment,itisessentialtouseefficientmulti-dimensionalmanagementviacoordinationandcooperationacrosssuchdifferentdomains.

NSIsensureSLAcompliance.Tenantswillsignservice-levelagreement(SLA)withoperators,whichmayincluderequirementagreementsrelatedtosecurity/confidentiality,visibility/manageability,specificservicecharac-teristics(servicetype,airinterfacestandard,andcustomizedfunctions),andcorrespondingperformanceindicators(latency,throughput,packetlossrate,calldroprate,andreliability/availability).

TerminalsmaybeinvolvedintheselectionofNSIs.TerminalscanaccessoneormultipleNSIs.TerminalscouldassistNSIselectionbasedon,forinstance,networkslicetype,whilethenetworkperformsthefinalselectiondecision.Simpleterminals,suchassensors,areusuallyinastaticandone-to-onerelationshipwithNSIs,becausethecostsandpowerconsumptionrequirementslimittheterminalcapability.Therefore,theNSIselectionissolelyperformedbythenetwork.

Architecture

Enablingnetworkslicingin5Grequiresnativesupportfromtheoverallsystemarchitecture.AsshowninFigure2,theoverallarchitectureconsistsofthreefundamentallayers:theinfra-structurelayer,networkslicelayerandnetworkmanagementlayer.Theinfrastructurelayerprovidesthephysicalandvirtualizedresources,forinstance,computingresource,storageresource,andconnectivity.Thenetworkslicelayerrunsabovetheinfrastructurelayerandprovidesnecessarynetworkfunctions,toolsandmechanismstoformend-to-end(E2E)logicalnetworksviaNSIs.ThenetworkmanagementlayercontainsthegenericBSS/OSSandnetworkslicemanagement(NSM)system,whichdesignsandmanagesnetworkslicing.Moreover,italsoassurestheSLArequirements.

Theoverallarchitecturehasthefollowingkeyfeatures:

Commoninfrastructure:Beingdifferentfromthededicatednetworksolutionthatusesphysi-callyisolatedandstaticnetworkstosupporttenants,networkslicingpromotestheuseofacommoninfrastructureamongtenantsfromthesameoperator.IthelpstoachievehigherresourceutilizationefficiencyandreducetheserviceTTM.Moreover,suchdesignisbeneficialforlong-termtechnologyevolutionaswellasforshapingahealthyindustryecosystem.

On-demandcustomization:EachtechnicaldomaininanNSIhasdifferentcustomizationcapabilities,whicharecoordinatedthroughtheNSMsystemduringtheprocessofnetworkslicetemplatedesign,andNSIdeploymentandO&M.Eachtechnicaldomaincanperformanindepen-denttailoring-processintermsofdesignschemestoachieveaneffectivebalancebetweenthesimplicityneededbycommercialpracticeandarchitecturalcomplexity.

Isolation:TheoverallarchitecturesupportstheisolationofNSIs,includingresourceisola-tion,O&Misolation,andsecurityisolation.NSIs

08

09

canbeeitherphysicallyorlogicallyisolatedatdifferentlevels.

Guaranteed-performance:Networkslicingseamlesslyintegratesdifferentdomainstomeetandensureindustry-defined5Gperformancespecificationsandtoaccommodateverticalindustryrequirements.

Scalability:Duetovirtualization,whichisoneofthekeyenablingtechnologiesfornetworkslicing,resourcesoccupiedbyanNSIcandynamicallychange,e.g.,scalingin/out.

O&MCapabilityExposure:Tenantsmayusededicated,sharedorpartiallysharedNSIs.

Furthermore,differenttenantsmayhaveinde-pendentO&Mdemands.TheNSMsystemprovidesaccesstoanumberofO&MfunctionsofNSIsforthetenants,whichforinstanceallowsthemtoconfigureNSIsrelatedparameters,e.g.,policy.

Supportformulti-vendorandmulti-operatorscenarios:Networkslicingallowsasingleopera-tortomanagemultipletechnicaldomains,whichmaybecomposedofnetworkelementssuppliedbydifferentvendors.Inaddition,thearchitecturealsoneedstosupportthescenario,wheretheservicesfromthetenantsmaycoverdifferentadministrativedomainsownedbydifferentoperators.

NSIA

Third-party“BSS”

Third-party“BSS”

BSS

NSIB

AN

OSS

NetworkSliceManagementSystem

AP

EdgeDC

CoreDC

Terminal AccessNetwork TransportNetwork CoreNetwork 3rdpartyAPP

CommonInfrastructure

AN

·Figure2:Overallarchitecturetoenablenetworkslicing

KeyTechnologiestoEnableService-GuaranteedNetworkSlicing

NetworkManagementSystem

NetworkSliceManagement(NSM)Architecture

TheNSMsystemplaysanimportantroleintheentiresystemarchitecture.Itprovidesthefollow-ingservices:

Design:designnetworkslicetemplatesaccordingtothenetworkcapabilitiesandSLArequirements.

Provisioning:comprisesliceinstantiation,configuration,andactivation.

Runtimeassurance:observetherunningstatusofNSIsandensureSLA.

Decommissioning:deleteanNSIwhenitsservicesarenotusedanymore.

TheNSMshallbebasedonthestateoftheartcloudmanagementtechnologieswithenhancedfeaturestosupportnetworkslicing.ItprovidesO&Mcapabilityusingastreamlineofaforemen-tionedservices,whichaddressinadequaciesofthetraditionalnetworkmanagementsystem,e.g.,longTTMorlackofautomaticO&Mmethods.TheNSMsystemcouldfurtherhelpoperatorstoestablishanopenecosystemtoenablenewbusinessopportunities.

Figure3depictstheoverallNSMsystemarchi-tecture,whichuses“Layer-andDomain-basedmanagement”designprinciple.“Layer-based”managementdefinestwolayerswithintheNSM:slicesupportsystem(SSS)anddomainslicesupportsystem(DSS).“Domain-based”manage-mentimpliesthatthebasiccapabilitiesareprovidedbyeachindividualtechnicaldomain.ThecooperationbetweentheDSSandSSSguaran-teestheE2ESLA.

SliceSupportSystem(SSS)

TheSSSmainlycomprisestwofunctionalblocks:theNetworkSliceTemplateDesignerandtheCrossDomainSliceManager.Theformergener-atesthenetworkslicetemplateaccordingtothenetworkcapabilityofeachtechnicaldomainaswellasthefunctionalandperformancerequire-mentsfromthetenants.ThelatterisresponsiblefortheNSIlifecyclemanagement(i.e.provision-ing,runtimeassurance,anddecommissioning).TheSLAisguaranteedthroughmulti-dimensionalcoordinationamongdifferentdomains.Basedonthecapabilityofeachtechnicaldomain,theSSSdecomposesanSLAintermsofsetsofrequire-mentsandmapseachsegmentofSLAtothecorrespondingtechnicaldomain.ToensuretheoverallSLA,theSSSaggregatesthenetworkserviceperformancefromeachindividualtechni-

PAGE

10

PAGE

11

caldomain.Basedonthis,theSSSperformsnecessaryadjustmentsandconfigurationstoensureclosed-loopcontrol.

Tosupportmanagementacrossdifferentadmin-istrativedomainsfordifferentoperators,theinterworkingbetweendifferentSSSsiscompulsory.

DomainsliceSupportSystem(DSS)

TheDSScomprisestheDomainSliceManagers(DSMs)fordifferenttechnicaldomains:accessnetworkDSM(AN-DSM),corenetworkDSM(CN-DSM),andtransportnetworkDSM(TN-DSM).Asalogicalentity,theDSMisresponsibleforthedesign,provisioning,runtimeassurance,anddecommis-sioningofsubnetsinasingletechnicaldomain.The

DSSensuresthereal-timeguaranteefordecom-posedSLAcapabilitiesineachdomain,e.g.viamonitoringandfaultlocalization.EachdomainhasindependentSLA-specificclosed-loopcontroloffunctionsandresourcesforfastserviceschedulingandresourceoptimization.

ThetaskoftheNSMsystemisnotonlyaboutseamlesslymanagingandassuringtheSLA,togetherwithadvancedAIalgorithms,itcouldalsopredictthenetworkstatuschangesinordertoprovidecertainmanagementandcontrolactionsforprecaution.TheNSMsystemcouldbestandalone(anewmanagemententity)ornon-standalone(integratedwithOSS).

BBS

NetworkSliceManagementSystem

SSS

NetworkSlice

T

emplateDesigner

DDS

1:N

1:N

1:N

AP

EdgeDC

Terminal

AN(1…n)

TN(1…n)

CoreDC

CN(1…n) 3ndPartyApp

CN-DSM

TN-DSM

AN-DSM

CrossDomainSliceManager(multi-vendor)

·Figure3:Networkslicemanagement(NSM)architecture

OSS

NetworkCapabilityExposureviaBusinessSupportSystem

TheBusinessSupportSystem(BSS)fromopera-torsisdirectlyfacingthetenants.Therefore,itsusabilityisanessentialfactor.OperatorsusetheBSStoprovidetheirabstractednetworkcapabilitytothetenants.Itmainlysupportsthefollowing

capabilities:design,purchasing,deployment,andmonitoring.

Designincludesthedesignandofferingofcommercialproductsrelatedtonetworkslicing.Basedontheservicetypesandtenants’require-ments,theSLAisformulated.ApurchasableproductmayuseoneormoreNSIstoaccommodate

thetenants’service.SuchproductwithpackagedNSIsisusedasanofferingforthetenants,whichfocusonthecommercialattributesofproducts,suchas,pricingandsalesterritory.

Purchasingisthekeypartfortheuserexperienceofthetenants.Forinstance,itisessentialfortheBSStohaveawell-designedstorepagefordisplay-ingtheproductsandpersonalcenterformonitoringthepurchasingprogressandtriggeringnetworkservicerelatedupgradingprocess.

DeploymentofaproductistriggeredbytheBSSafterasuccessfulcustomerpurchase.

MonitoringreferstotheBSScapabilityofallow-ingtenantstoviewtheoperationalaswellasperformancerelatedinformationfortherunningservices,e.g.,throughputandlatencyofcertainNSIs.

Third-partyApplications

Theflexibilityandcustomizationofnetworkslicingarealsoreflectedintheaccommodationofthird-partyapplications.Inadditiontothevariousnetworkfunctionsprovidedbyoperators,itisalsofeasibletodeploythird-partyapplicationsonNSIstomeetthespecificrequirementsfromthetenants.Such

third-partyapplicationscouldbefromtenantsdirectly,orfromnon-tenantparties(e.g.,tenants’customerorprovider).

Themainreasontosupportthedeploymentofthird-partyapplicationsistoenableserviceswithspecificrequirements,suchas,URLLCservices

requiringultra-lowlatency.Itisbeneficialtoreducethelengthofthetransmissionpathbymovingthenetworkfunctionsandthird-partyapplicationsclosetotheAN,e.g.,leveragingtheadvantageofedgecomputing.

Inaddition,third-partyapplicationscanalsoprovidesubstitutionofnetworkfunctions,suchasuser-customizedauthenticationandmobilitymanage-ment,whicharedesignedespeciallytosupporttheirownservices.Otherthancontrolplanerelatednetworkfunctions,customizeduserplanenetwork

functions,suchasservicegatewayfromtenantscanbealsodeployedwithintheoperatornetworks.Thiswouldenablepreliminaryfiltrationandaggregationofalargeamountofdata(e.g.,fromsensors).TheNSMsystemshouldthussupportthedeploymentofthird-partyapplications.Thedeploymentpositionscanbeeitherspecified,e.g.,inanAN,CN,ordynami-callydeterminedbytheSSSbasedonservicerequirementsandnetworkconditionsduringthenetworkslicedesignphase.

Security

Theoverallarchitecturedefinedintheprevioussectioncontainsthreefundamentallayers:theinfrastructure,networkslice,andnetworkmanage-mentlayer.Eachlayermustconsideritsindividualsecurityrisksandprotectionmechanisms.More-over,itisnecessarytoconsideralldomainstogetherasanorganicwholetoprovideoverallsecurity.Ingeneral,thereexistthefollowingthreeaspectsinaholisticframeworkofnetworkslicesecurity.

InfrastructureSecurity

AsNSIsaresharingthesameinfrastructure,properisolationbetweenNSIsmustbeenforcedtoavoidadversecross-effectsandinformationleakage,especiallywhenNFVisused.Forexample,differentvirtualmachinesorcontainersareusedfordifferentnetworkfunctionsandthevirtuallinksconnectingVNFsdedicatedfordifferentNSIsshouldbelogicallyisolated.

NetworkManagementSecurity

SecurityrisksexistineveryphaseoftheNSIlifecyclemanagementinthenetworkmanagementlayer.

Maliciousattacksmayusemalwaretocompromiseanetworkslicetemplate,threateningallsubse-quentNSIs.Attacksmayalsopassthroughconfigu-rationinterfacesduringtheruntimephaseofanNSI.Confidentialdatacouldbeobtainedduringthedecommissioningphase,iftheNSIishandledimproperly.Therefore,thesecurityconsiderationsshouldcovereachsinglestepofthelifecycleman-agementofNSIs.

Assomenetworkcapabilitiesandinterfacesareexposedtotenants,thecapabilitiesgrantedtoaparticulartenantaredefinedbytheoperator.

Tenantsmustbeauthenticatedandauthorizedbeforebeingallowedtoaccessthesecapabilitiesandinterfaces.

NSISecurity

ToguaranteesecurityforthenetworkservicesprovidedbyanNSI,itrequiresembeddingthesecuritymechanismandsecurityprovisioningentity(e.g.securityanchorsandsecurityfunctions)intothelogicalnetworkarchitectureoftheNSI.

Securityisolation:Withoutsecurityisolation,maliciousattackswithaccesstooneNSImayusethatNSIasalaunchingpadforattackingotherNSIsby,forinst