A system and method for announcing supplicants on a network.

By sharing and integrating authentication lists between network entities, the system addresses the lack of a comprehensive trust view in open RAN architectures, enhancing network security and integrity through explicit trust level definitions.

JP2026519623APending Publication Date: 2026-06-16RAKUTEN SYMPHONY INC

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
RAKUTEN SYMPHONY INC
Filing Date
2023-06-27
Publication Date
2026-06-16

AI Technical Summary

Technical Problem

Conventional network authentication methods in open RAN architectures lack a comprehensive view of authenticated network entities, leading to potential network disruptions and data security vulnerabilities due to the assumption of trust based on local connections, contradicting the zero-trust model.

Method used

A system and method for creating and sharing authentication lists between network entities to develop a comprehensive view of authenticated supplicants, defining explicit trust levels through the exchange and integration of first and second authentication lists.

Benefits of technology

Enables network entities to maintain a centralized understanding of trust relationships, enhancing network security and integrity by providing a comprehensive view of authenticated entities and their trust levels.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026519623000001_ABST
    Figure 2026519623000001_ABST
Patent Text Reader

Abstract

A system, method, and device are provided for enabling a network entity to view authenticated supplicants within the network. According to an embodiment, the system may include a storage device for storing computer executable instructions and at least one processor communicably connected to the storage device, wherein the at least one processor may be configured to execute instructions to create a first authentication list for a first network entity, receive a second authentication list from a second network entity, create a trust list for the first network entity based on the first and second authentication lists, and the trust list for the first network entity may specify a level of trust between the first network entity and one or more network entities in the first and second authentication lists.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] Systems, methods, and computer programs consistent with exemplary embodiments of the present disclosure relate to telecommunications networks, and more particularly, to enabling network entities to view authenticated subscribers within a telecommunications network.

Background Art

[0002] A radio access network (RAN) is an important component in a telecommunications system as it connects end-user devices (or user equipment) to other parts of the network. A RAN includes a combination of various network elements (NEs) that connect end-users to the core network. Conventionally, the hardware and / or software of a particular RAN are vendor-specific.

[0003] Open RAN (O-RAN) technology has emerged to enable multiple vendors to provide hardware and / or software to a telecommunications system. Due to the involvement of different vendors, the types of hardware and / or software provided may also vary. That is, different types of NEs may be provided by different vendors, and depending on a particular service, the NEs may be virtualized in software form (e.g., virtual machine (VM)-based, cloud-native functions, etc.) or in physical hardware form (e.g., non-VM-based).

[0004] In open fronthaul networks of telecommunications systems employing an O-RAN architecture, network entities may employ port-based network access control (IEEE 802.1x) to regulate access to the network and to prevent transmission and reception by unverified or unauthorized parties, and consequently to network disruption, theft of service, or data loss. Network entities may refer to entities such as RAN elements (e.g., O-RAN Centralized Unit (O-CU), O-RAN Distributed Unit (O-DU), O-RAN Radio Unit (O-RU), etc.) and transport network elements, and may have either the role of an authenticator or a supplicant. Under IEEE 802.1x, data traffic is permitted to pass between network entities only if the network entities have authenticated each other.

[0005] In conventional technologies, information about authenticated network entities (e.g., which network entities are authenticated and trustworthy) is maintained locally within the corresponding network entity involved in such authentication, and such information is not shared with network entities not involved in such authentication. Furthermore, in conventional technologies, a network entity may be assumed to be trustworthy if it is connected to an authenticated network entity.

[0006] Therefore, the above methods for authenticating network entities in conventional technologies may have at least the following drawbacks: Since information about authenticated network entities is kept locally and it can be assumed that network entities are simply trusted by being connected to authenticated network entities, such a process contradicts the zero-trust model of O-RAN architectures, and there is no mechanism for a single network entity in an open fronthaul network to have a comprehensive view of all authenticated network entities in the network. [Overview of the project]

[0007] Exemplary embodiments of this disclosure enable a network entity to browse authenticated supplicants within the network. Accordingly, exemplary embodiments of this disclosure enable the development of a data store of information about authenticated supplicants of a network element, thereby constructing a comprehensive view of all authenticated supplicants and defining explicit trust levels.

[0008] According to the embodiment, a system is provided. The system may include a storage device for storing computer executable instructions, and at least one processor communicably connected to the storage device, wherein the at least one processor can be configured to execute instructions to create a first authentication list for a first network entity, the first authentication list specifying one or more network entities authenticated with the first network entity, receive a second authentication list from a second network entity, the second authentication list specifying one or more network entities authenticated with the second network entity, the first and second network entities authenticate each other, create a trust list for the first network entity based on the first and second authentication lists, and the trust list for the first network entity specifies a trust level between the first network entity and one or more network entities in the first and second authentication lists.

[0009] According to the embodiment, a system is provided. The system may include a storage device for storing computer executable instructions, and at least one processor communicably connected to the storage device, wherein the at least one processor can be configured to execute instructions to receive a first authentication list from a first network entity, the first authentication list specifying one or more network entities to be authenticated with the first network entity, receive a second authentication list from a second network entity, the second authentication list specifying one or more network entities to be authenticated with the second network entity, the first and second network entities authenticate each other, create a trust list for the first network entity based on the first and second authentication lists, and the trust list for the first network entity specifies a trust level between the first network entity and one or more network entities in the first and second authentication lists.

[0010] According to the embodiment, a method is provided. The method may include creating a first authentication list for a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; receiving a second authentication list from a second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, wherein the first network entity and the second network entity are authenticated with each other; and creating a trust list for the first network entity based on the first and second authentication lists, wherein the trust list for the first network entity specifies a trust level between the first network entity and one or more network entities in the first and second authentication lists.

[0011] According to the embodiment, a method is provided. The method may include receiving a first authentication list from a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; receiving a second authentication list from a second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, wherein the first network entity and the second network entity are authenticated with each other; and creating a trust list for the first network entity based on the first and second authentication lists, wherein the trust list for the first network entity specifies a trust level between the first network entity and one or more network entities in the first and second authentication lists.

[0012] Additional embodiments are some of which are described below, some of which are evident from the description, and some may be realized by the practice of the embodiments presented in this disclosure.

[0013] The features, advantages, and importance of exemplary embodiments of this disclosure will be described below with reference to the attached drawings, where similar reference numerals indicate similar elements. [Brief explanation of the drawing]

[0014] [Figure 1] This is a block diagram of an exemplary system configuration for enabling a network entity to view authenticated supplicants in a peer-to-peer configuration, according to one or more embodiments.

[0015] [Figure 2]A block diagram of an exemplary system configuration for enabling a network entity to view authenticated supplicants in a hub-and-spoke configuration, according to one or more embodiments.

[0016] [Figure 3] Illustrates a block diagram of exemplary components in an authentication viewing (AV) system, according to one or more embodiments.

[0017] [Figure 4] A flowchart of an exemplary method for enabling a network entity to view authenticated supplicants in a peer-to-peer configuration, according to one or more embodiments.

[0018] [Figure 5] A diagram showing an exemplary configuration of a network entity in a peer-to-peer configuration, according to one or more embodiments.

[0019] [Figure 6] A diagram showing an example of an authentication list, according to one or more embodiments.

[0020] [Figure 7] A flowchart of an exemplary method for enabling a network entity to view authenticated supplicants in a hub-and-spoke configuration, according to one or more embodiments.

[0021] [Figure 8] A diagram showing an exemplary configuration of a network entity in a hub-and-spoke configuration, according to one or more embodiments.

[0022] [Figure 9] A flowchart of an exemplary method for creating a trust list, according to one or more embodiments.

[0023] [Figure 10A]FIG. showing an example of a trust list for network entity A created based on the authentication list of network entity A according to one or more embodiments.

[0024] [Figure 10B] FIG. showing an example of an updated authentication list for network entity A according to one or more embodiments.

[0025] [Figure 10C] FIG. showing an example of an updated trust list for network entity A according to one or more embodiments.

[0026] [Figure 11] FIG. showing an exemplary environment in which the systems and / or methods described herein may be implemented.

BEST MODE FOR CARRYING OUT THE INVENTION

[0027] The following detailed description of exemplary embodiments refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements.

[0028] The above disclosure provides examples and explanations, but is not intended to be exhaustive or to limit the disclosed embodiments to the exact forms disclosed. Modifications and variations are possible in light of the above disclosure, or may be obtained from the practice of the embodiments. Further, one or more features or components of one embodiment may be incorporated into another embodiment (or one or more features of another embodiment), or may be combined with another embodiment (or one or more features of another embodiment). In addition, it is understood that in the following description of operations, one or more operations may be omitted, one or more operations may be added, one or more operations may be (at least partially) executed simultaneously, and the order of one or more operations may be interchanged.

[0029] It will be apparent that the systems and / or methods described herein may be implemented in different forms of hardware, firmware, or combinations of hardware and software. The actual dedicated control hardware or software code used to implement these systems and / or methods is not limiting to the implementation form. Therefore, the operation and behavior of the systems and / or methods are described herein without reference to specific software code. It should be understood that software and hardware may be designed to implement the systems and / or methods based on the descriptions herein.

[0030] Even if certain combinations of features are disclosed herein, these combinations are not intended to limit the disclosure of possible implementations. In fact, many of these features may be combined in ways not specifically disclosed herein.

[0031] Any element, action, or command used herein should not be construed as important or essential unless expressly stated otherwise. Furthermore, where used herein, the articles “a” and “an” are intended to include one or more items and may be used interchangeably with “one or more.” When only one item is intended, the term “one” or similar language should be used. Also, where used herein, terms such as “has,” “have,” “having,” “include,” and “including” are intended to be non-restrictive. Additionally, the phrase “based on” is intended to mean “at least partially based on” unless otherwise specified. Furthermore, expressions such as “at least one of [A] and [B]” or “at least one of [A] or [B]” should be understood as including only A, only B, or both A and B.

[0032] The systems, methods, devices, etc., provided in exemplary embodiments of this disclosure enable network entities to browse authenticated supplicants within the network.

[0033] According to one embodiment, the system can create or receive a first authentication list for a first network entity specifying one or more network entities to be authenticated with the first network entity, receive a second authentication list from a second network entity specifying one or more network entities to be authenticated with the second network entity, and then create a trust list for the first network entity based on the first and second authentication lists, the trust list for the first network entity specifying the trust level between the first network entity and one or more network entities in the first and second authentication lists.

[0034] Ultimately, exemplary embodiments of this disclosure enable network entities to browse authenticated supplicants within the network, thereby enabling the development of a data store of information about authenticated supplicants of network elements, thus constructing a comprehensive view of all authenticated supplicants and defining explicit levels of trust.

[0035] The features, advantages, and importance of the exemplary embodiments described above are only a part of this disclosure and are not intended to be exhaustive or to limit the scope of this disclosure.

[0036] The following provides a further description of the features, components, configuration, operation, and embodiments of the threshold adjustment system of the present disclosure, according to one or more embodiments.

[0037] Exemplary system architecture Figure 1 shows a block diagram of an exemplary system configuration 100 for enabling network entities to view authenticated supplicants in a peer-to-peer configuration, according to one or more embodiments. As illustrated in Figure 1, the system configuration 100 may include multiple network entities (e.g., network entity A 110, network entity B 120, and network entity C 130) that are connected to each other in a peer-to-peer configuration and capable of communicating with one another.

[0038] Each of the multiple network entities 110, 120, and 130 may include a system, platform, module, etc., which can be configured to perform one or more operations or actions to enable the network entity to see authenticated supplicants within the network. According to the embodiment, the multiple network entities 110, 120, and 130 may include entities such as RAN elements (e.g., O-RAN Centralized Unit (O-CU), O-RAN Distributed Unit (O-DU), O-RAN Radio Unit (O-RU), etc.) and transport network elements.

[0039] Figure 2 shows a block diagram of an exemplary system configuration 200 for enabling network entities to view authenticated supplicants in a hub-and-spoke configuration, according to one or more embodiments. As shown in Figure 2, the system configuration 200 may include a plurality of network entities (e.g., network entity A 210, network entity B 220, and network entity C 230) that are communicated with one another, and a hub 240 that is communicated with each of the plurality of network entities 210, 220, and 230 in a hub-and-spoke configuration.

[0040] Hub 240 may include a system, platform, module, etc., which can be configured to perform one or more actions or behaviors that enable network entities to see authenticated supplicants within the network.

[0041] According to the embodiment, the multiple network entities 210, 220, 230 may include entities such as RAN elements (e.g., O-RAN Centralized Unit (O-CU), O-RAN Distributed Unit (O-DU), O-RAN Radio Unit (O-RU), etc.) and transport network elements.

[0042] According to one embodiment, the hub 240 may include a centralized service that serves as a communication hub for multiple network entities 210, 220, and 230. According to one embodiment, the hub 240 may be hosted on any element in an open fronthaul network that has communication paths to the multiple network entities 210, 220, and 230, such as a service management orchestrator (SMO) or an IEEE 802.1x authentication server.

[0043] The configurations shown in Figures 1 and 2 are simplified for illustrative purposes and should be understood as not limiting the scope of this disclosure. For example, in practice, the number of network entities in the system can be any number.

[0044] Exemplary actions that can be performed by multiple network entities 110, 120, and 130 to enable network entities to view authenticated supplicants are described below with reference to Figure 4, and exemplary actions that can be performed by hub 240 to enable network entities to view authenticated supplicants are described below with reference to Figure 7. Furthermore, several exemplary components that may be included in the multiple network entities 110, 120, and 130 and hub 240 in one or more embodiments are described below with reference to Figure 3.

[0045] Figure 3 illustrates a block diagram of exemplary components in an Authentication Viewing (AV) system 300 according to one or more embodiments. The AV system 300 may correspond to at least one of the multiple network entities 110, 120, 130 in Figure 1, or to the hub 240 in Figure 2. Therefore, the features relating to the multiple network entities 110, 120, 130 and the hub 240 and the AV system 300 may be similarly applicable to each other unless otherwise specified.

[0046] As shown in Figure 3, the AV system 300 may include at least one communication interface 310, at least one processor 320, at least one input / output component 330, and at least one storage device 340, but it will be understood that the AV system 300 may include more or fewer components than those shown in Figure 3, and / or be arranged in a different manner than those shown in Figure 3, without departing from the scope of this disclosure.

[0047] The communication interface 310 may include at least one transceiver-like component (e.g., transceivers, separate receivers and transmitters, buses, etc.) that enables the components of the AV system 300 to communicate with each other via wired connections, wireless connections, or a combination of wired and wireless connections, and / or with one or more components outside the AV system 300.

[0048] For example, the communication interface 310 can connect the processor 320 to the storage device 340, thereby enabling them to communicate and interact with each other when performing one or more operations. In another example, the communication interface 310 can connect the AV system 300 (or one or more components contained therein) to separate network entities, enabling them to communicate with each other and interoperate.

[0049] According to one or more embodiments, the communication interface 310 may include one or more application programming interfaces (APIs) that enable the AV system 300 (or one or more components contained therein) to communicate with one or more software applications.

[0050] The input / output component 330 may include at least one component that enables the AV system 300 to receive information and / or provide output information. In some embodiments, it will be understood that the input / output component 330 may include at least one input component (e.g., a touchscreen display, a button, a switch, a microphone, a sensor, etc.) and at least one output component (e.g., a display, a speaker, one or more light-emitting diodes (LEDs), etc.), each of which may be separated from one another.

[0051] The storage device 340 may include one or more storage media suitable for storing data, information, and / or computer executable instructions. According to embodiments, the storage device 340 may include at least one storage device such as random access memory (RAM), read-only memory (ROM), and / or another type of dynamic or static storage device (e.g., flash memory, magnetic memory, and / or optical memory) for storing information and / or instructions for use by the processor 320. Additionally or alternatively, the storage device 340 may include, together with a corresponding drive, a hard disk (e.g., magnetic disk, optical disk, magneto-optical disk, and / or solid-state disk), a compact disk (CD), a digital multipurpose disk (DVD), a floppy disk, a cartridge, magnetic tape, and / or another type of non-temporary computer-readable media.

[0052] In some embodiments, the storage device 340 may be configured to store information such as raw data and metadata. Additionally or alternatively, the storage device 340 may be configured to store one or more pieces of information relating to one or more operations performed by the processor 320. For example, the storage device 340 may store information defining historical operations performed by the processor 320 in order to enable a network entity to view authenticated supplicants or one or more results of operations performed by the processor 320. Furthermore, the storage device 340 may store data or information necessary to enable a network entity to view authenticated supplicants. For example, the storage device 340 may store authentication lists and / or trust lists (described below with reference to Figures 6 and 10).

[0053] In some implementations, the storage device 340 may include multiple storage media, and the storage device 340 may be configured to store copies or duplicates of at least a portion of the information in the multiple storage media to provide redundancy and back up the information or related data. Furthermore, the storage device 340 may also store computer-readable instructions or computer-executable instructions that, when executed by one or more processors (e.g., processor 320), cause one or more processors to perform one or more actions / operations described herein.

[0054] The processor 320 may include at least one processor that can be programmed or configured to perform the functions or operations described herein. For example, the processor 320 may be configured to execute computer executable instructions stored in at least one storage medium or memory device (e.g., memory device 340) to perform one or more actions or operations described herein.

[0055] According to the embodiment, the processor 320 may be configured to receive one or more signals and / or one or more user inputs that define one or more instructions for performing one or more operations (for example, via the communication interface 310, via the input / output component 330, etc.). Furthermore, the processor 320 may be implemented in hardware, firmware, or a combination of hardware and software. For example, the processor 320 may include at least one of the following: a central processing unit (CPU), a graphics processing unit (GPU), an accelerator processing unit (APU), a microprocessor, a microcontroller, a digital signal processor (DSP), a field-programmable gate array (FPGA), an application-specific integrated circuit (ASIC), and / or another type of processing or computing component.

[0056] According to one embodiment, the processor 320 may be configured to collect, extract, and / or receive one or more pieces of information (in the form of signals or data, for example), process the received pieces of information, and thereby enable a network entity to view an authenticated supplicant.

[0057] A description of some exemplary operations that can be performed by processor 320 is provided below with reference to Figures 4 to 10.

[0058] Exemplary behavior to enable network entities to view authenticated supplicants in a peer-to-peer configuration as described in this disclosure The following describes some exemplary operations that can be performed by the AV system of this disclosure, with reference to Figures 4 to 6.

[0059] Figure 4 shows a flowchart of an exemplary method 400, according to one or more embodiments, for enabling a network entity to view an authenticated supplicant in a peer-to-peer configuration. One or more operations in method 400 may be performed by at least one processor (e.g., processor 320) of the AV system that can correspond to at least one network entity (i.e., a first network entity) among a plurality of network entities in the system.

[0060] As illustrated in Figure 4, in operation S410, at least one processor may be configured to create a first authentication list for the first network entity. According to the embodiment, the first authentication list can specify one or more network entities to be authenticated with the first network entity. In particular, according to the embodiment, the first authentication list can specify one or more MAC addresses of one or more ports of the first network entity (hereinafter referred to herein as "one or more first MAC addresses"), and one or more MAC addresses of one or more ports of one or more network entities authenticated with one or more first MAC addresses. According to the embodiment, the first authentication list may also specify roles of one or more ports of the first network entity, such as an authenticator and a supplicant.

[0061] For example, see Figure 5, which shows an exemplary configuration of network entities in a peer-to-peer configuration according to one or more embodiments. As shown in Figure 5, the system may include seven network entities: network entity Y, network entity A, network entity M, network entity X, network entity Z, network entity O, and network entity N.

[0062] As shown in Figure 5, for example, network entity A is authenticated by network entities Y and M, where port AuP4 of network entity A has MAC address M4 and the role of an authenticator authenticated by port SuP11 of network entity Y with MAC address M11 and the role of a supplicant, and port SuP5 of network entity A has MAC address M5 and the role of a supplicant authenticated by port AuP3 of network entity M with MAC address M3. A similar explanation applies to network entities Y, M, X, Z, O, and N.

[0063] Authentication between network entities may be performed based on port-based network access control IEEE 802.1x with an IEEE 802.1x authentication server. In particular, as part of an Extensible Authentication Protocol (EAP) over LAN (EAPoL) process, a network entity acting as an authenticator requests identification information from a network entity acting as a supplicant and relays said identification information to the authentication server. The authentication server then verifies the identification information of the network entity acting as a supplicant and determines whether the network entity is permitted to access the network. If the network entity acting as a supplicant is permitted to access the network, the network entity acting as a supplicant is authenticated by the network entity acting as an authenticator. Through the above authentication process, the network entities involved in the authentication process can obtain information from each other such as port identification information, port MAC addresses, port roles, and authorization status.

[0064] Figure 6 shows an example of an authentication list according to one or more embodiments. As shown in Figure 6, for example, network entity A may be configured to create its authentication list, such an authentication list may specify MAC addresses M4 and M5 of ports AuP4 and SuP5 of network entity A, as well as MAC address M11 of port SuP11 of network entity Y authenticated at port AuP4, and MAC address M3 of port AuP3 of network entity M authenticated at port SuP5. Furthermore, the authentication list of network entity A may also specify that port AuP4 of network entity A has the role of an authenticator and port SuP5 of network entity A has the role of a supplicant. Thus, the authentication list can specify network entities Y and M (having ports SuP11 and AuP3) to be authenticated at network entity A (having ports AuP4 and SuP5). A similar description applies to network entities Y, M, X, Z, O, and N. Since network entities Y, X, and Z each have only one port, the authentication list for these network entities is omitted from Figure 6. The process then proceeds to operation S420.

[0065] According to one embodiment, at least one processor may be configured to periodically execute an SNMPv3 query for OID "1.3.111.2.802.1.1.15.2.2.3". Subsequently, based on the SNMPv3 response (which will indicate the status of object type "ieee8021XPaeLogonGroup"), at least one processor may then create an authentication list.

[0066] According to one embodiment, at least one processor may also be configured to send a first authentication list to one or more network entities authenticated with the first network entity.

[0067] In operation S420, at least one processor may be configured to receive a second authentication list from a second network entity. According to the embodiment, the first network entity and the second network entity may authenticate each other. According to the embodiment, similar to the first authentication list, the second authentication list may specify one or more network entities to be authenticated with the second network entity. In particular, according to the embodiment, the second authentication list may specify one or more MAC addresses of one or more ports of the second network entity (hereinafter referred to as "one or more second MAC addresses"), and one or more MAC addresses of one or more ports of the one or more network entities authenticated by one or more second MAC addresses. According to the embodiment, the second authentication list may also specify roles of one or more ports of the second network entity, such as authenticator and supplicant.

[0068] For example, returning to Figures 5 and 6, network entity A can receive the authentication list of network entity M shown in Figure 6 from network entity M (which is authenticated by network entity A). The method then proceeds to operation S430.

[0069] According to one embodiment, the transmission of the first authentication list and the reception of the second authentication list may be performed via a notification interface.

[0070] In operation S430, at least one processor may be configured to create a trust list for the first network entity based on a first authentication list and a second authentication list. According to one embodiment, the trust list for the first network entity specifies the trust level between the first network entity and one or more network entities in the first authentication list and the second authentication list.

[0071] For example, returning to Figures 5 and 6, the authentication list for network entity A specifies network entities Y and M (which are authenticated by network entity A), and the authentication list for network entity M specifies network entities X and N (which are authenticated by network entity M via port MAC addresses M12 and M6). Therefore, the trust list for network entity A can specify the trust levels between network entity A and network entities Y, M, X, and N.

[0072] An example of the process for creating a trust list is described below with reference to Figure 9.

[0073] When operation S430 is executed, method 400 can be terminated or interrupted. Alternatively, method 400 may return to operation S420, as a result, at least one processor may be configured to repeatedly perform the reception of a second authentication list (in operation S420) and the creation of a trust list (in operation S430) for at least a predetermined period of time. For example, at least one processor may receive multiple authentication lists sequentially (or periodically) from multiple network entities, and then resume the reception of a second authentication list (in operation S420) and the creation of a trust list (in operation S430).

[0074] For this purpose, the system of this disclosure can enable network entities to view authenticated supplicants within the network.

[0075] Exemplary behavior to enable a network entity to see an authenticated supplicant in a hub-and-spoke configuration of this disclosure The following describes some exemplary operations that can be performed by the AV system of this disclosure with reference to Figures 7, 6, and 8.

[0076] Figure 7 shows a flowchart of an exemplary method 700, according to one or more embodiments, for enabling network entities to view authenticated supplicants in a hub-and-spoke configuration. One or more operations in method 700 may be performed by at least one processor (e.g., processor 320) of an AV system that can correspond to a hub communicably connected to multiple network entities in the system.

[0077] As illustrated in Figure 7, in operation S710, at least one processor may be configured to receive a first authentication list from a first network entity. The first authentication list may be the same as the first authentication list described above in relation to method 400.

[0078] For example, see Figure 8, which shows an exemplary configuration of network entities in a hub-and-spoke configuration according to one or more embodiments. The exemplary configuration of network entities in a hub-and-spoke configuration shown in Figure 8 is similar to the exemplary configuration of network entities in a peer-to-peer configuration shown in Figure 5, with the addition of hubs that are communicably connected to each of network entities Y, A, M, X, Z, O, and N.

[0079] As shown in Figure 8, for example, the hub may be configured to receive an authentication list from network element A (for example, the authentication list of network element A shown in Figure 6). The method then proceeds to operation S720.

[0080] In operation S720, at least one processor may be configured to receive a second authentication list from a second network entity. According to the embodiment, the first network entity and the second network entity may authenticate each other. The second authentication list may be the same as the second authentication list described above in relation to method 400.

[0081] For example, returning to Figures 6 and 8, the hub can receive the authentication list of network entity M shown in Figure 6 from network entity M (which is authenticated by network entity A). The method then proceeds to operation S730.

[0082] According to one embodiment, the reception of the first authentication list and the second authentication list may be performed via a notification interface.

[0083] In operation S730, at least one processor may be configured to create a trust list for a first network entity based on a first authentication list and a second authentication list. The trust list may be similar to the trust list described above in relation to method 400.

[0084] For example, returning to Figures 6 and 8, the authentication list for network entity A specifies network entities Y and M (which are authenticated by network entity A), and the authentication list for network entity M specifies network entities X and N (which are authenticated by network entity M via port MAC addresses M12 and M6). Therefore, the trust list for network entity A can specify the trust levels between network entity A and network entities Y, M, X, and N.

[0085] An example of the process for creating a trust list is described below with reference to Figure 9.

[0086] When operation S730 is executed, method 700 can be terminated or interrupted. Alternatively, method 700 may return to operation S720, as a result, at least one processor may be configured to repeatedly perform the reception of the second authentication list (in operation S720) and the creation of the trust list (in operation S730) for at least a predetermined period of time. For example, at least one processor may receive multiple authentication lists sequentially (or periodically) from multiple network entities, and then resume receiving the second authentication list (operation S720) and creating the trust list (operation S730).

[0087] For this purpose, the system of this disclosure can enable network entities to view authenticated supplicants within the network.

[0088] Exemplary actions for creating a trust list in this disclosure In some of the following exemplary operations, the operations that can be performed by at least one processor to create a trust list are illustrated with reference to Figures 9 and 10.

[0089] Figure 9 shows a flowchart of an exemplary method 900 for creating a trust list according to one or more embodiments. One or more operations in method 900 can be performed by at least one processor of the AV system (e.g., processor 320), which may correspond to at least one network entity among multiple network entities in the system (i.e., a first network entity), or to a hub that is communicably connected to multiple network entities in the system.

[0090] According to one embodiment, the trust list may form a network-level authenticated supplicant table.

[0091] As illustrated in Figure 9, in operation S910, at least one processor may be configured to create a trust list for a first network entity based on a first authentication list. According to one embodiment, the trust list created for a first network entity based on the first authentication list can specify the trust level between the first network entity and one or more network entities in the first authentication list.

[0092] In particular, according to the embodiment, the trust level may be one of direct trust and indirect trust, and may be between one or more ports of a first network entity and one or more ports of one or more network entities in a first authentication list having the role of supplicant. According to the embodiment, the trust list for the first network entity may include one or more MAC addresses of one or more ports of the first network entity and one or more MAC addresses of one or more ports of one or more network entities in a first authentication list having the role of supplicant.

[0093] For example, see Figure 10A, which shows an example of a trust list for network entity A created based on an authentication list for network entity A according to one or more embodiments. As shown in Figure 10A, the trust list for network entity A specifies MAC addresses M5 and M4 for ports SuP5 and AuP4 of network entity A.

[0094] Furthermore, since the port of network entity Y (i.e., SuP11), which acts as a supplicant (and is in the authentication list of network entity A), is authenticated by the port AuP4 of network entity A, the trust list of network entity A specifies the MAC address M11 of the port SuP11 and specifies that the trust level between the port SuP11 of network entity Y and the port AuP4 of network entity A is direct trust.

[0095] On the other hand, the port of network entity M (i.e., SuP2), which acts as a supplicant (and is in the authentication list of network entity A), is authenticated by port SuP5 of network entity A via port AuP3 of network entity M. Therefore, the trust list of network entity A specifies the MAC address M2 of port SuP2 and specifies that the trust level between port SuP2 of network entity M and port SuP5 of network entity A is indirect trust. The method can then proceed to operation S920.

[0096] In operation S920, at least one processor may be configured to update the first authentication list to include the second authentication list in response to receiving the second authentication list.

[0097] For example, see Figure 10B, which shows an example of an updated authentication list for network entity A according to one or more embodiments. As shown in Figure 10B, the authentication list for network entity A is updated to include the authentication list for network entity M in Figure 6. The method can then proceed to operation S930.

[0098] According to one embodiment, in a peer-to-peer configuration, at least one processor may also be configured to send an updated first authentication list to one or more network entities authenticated with the first network entity. Thus, the received second authentication list may also further specify one or more network entities authenticated with the third network entity authenticated with the second network entity.

[0099] In operation S930, at least one processor may be configured to update the trust list based on the updated first authentication list. According to one embodiment, the updated trust list may further specify the trust levels between the first network entity and one or more network entities in the second authentication list.

[0100] In particular, according to the embodiment, the trust level may be one of direct trust and indirect trust, and may further be between one or more ports of a first network entity and one or more ports of one or more network entities in a second authentication list (currently included in the first authentication list) that acts as a supplicant. According to the embodiment, the trust list for the first network entity may include one or more MAC addresses of one or more ports of the first network entity and one or more MAC addresses of one or more ports of one or more network entities in the second authentication list that acts as a supplicant.

[0101] For example, see Figure 10C, which shows an example of an updated trust list for network entity A according to one or more embodiments. In particular, since a port of network entity X (i.e., SuP12) acting as a supplicant (which is in the authentication list of network entity M, which is currently included in the authentication list of network entity A) is authenticated at port SuP5 of network entity A via ports AuP1 and AuP3 of network entity M, the trust list of network entity A further specifies the MAC address M12 of port SuP12 and specifies that the trust level between port SuP12 of network entity X and port SuP5 of network entity A is indirect trust. Similarly, a port of network entity N (i.e., SuP7) acting as a supplicant (which is in the authentication list of network entity M, currently included in the authentication list of network entity A) is authenticated at port SuP5 of network entity A via port AuP6 of network entity N and ports SuP2 and AuP3 of network entity M. Therefore, the trust list of network entity A further specifies the MAC address M7 of port SuP7 and specifies that the trust level between port SuP7 of network entity N and port SuP5 of network entity A is indirect trust.

[0102] It should be understood that the ports of network entity A itself, which are currently included in the authentication list of network entity M, can be ignored in the process described above.

[0103] When operation S930 is performed, method 900 can be terminated or interrupted. Alternatively, method 900 can return to operation S920, so that at least one processor may be configured to repeatedly perform the first authentication list update (operation S920) and the trust list update (operation S930) until each of the multiple network entities has a comprehensive view of all authenticated network entities in the network.

[0104] For example, in a peer-to-peer configuration, after the authentication list of network entity A is updated to include the authentication list of network entity M, and the trust list of network entity A is updated based on the updated authentication list as described above, network entity M can receive the authentication list of network entity N from network entity N (specifying network entity O to be authenticated by network entity N). Then, the authentication list of network entity M may be updated to include the authentication list of network entity N (where the authentication list of network entity N specifies network entity O), and the trust list of network entity M is updated based on the updated authentication list in the same manner as described above. Subsequently, network entity M can send its updated authentication list back to network entity A, and the process is repeated, with network entity A's authentication list and trust list being updated, again specifying network entity O. The above process may be repeated until each of the multiple network entities has a comprehensive view of all authenticated network entities in the network.

[0105] Therefore, for example, if network entity Z functions as an O-DU and network entity X functions as an O-RU, the above method allows the O-DU and O-RU to form indirect trust with each other, even if they are not authenticated by each other.

[0106] Figures 5 and 6 show the configuration. Figures 8 and 10A to 10C are simplified for illustrative purposes and are not intended to limit the scope of this disclosure. For example, in practice, the number of network entities in the system can be any number, the number of ports in each of the network entities can be any number, each of the network entities can authenticate with any other network entity, and similarly, the authentication list and trust list can take any other form and may include any additional information as used.

[0107] Exemplary Implementation Environment Figure 11 is a diagram of an exemplary environment 1100 in which the systems and / or methods described herein may be implemented. As shown in Figure 11, the environment 1100 may include devices 1110, a platform 1120, and a network 1130. The devices in environment 1100 can be interconnected via wired connections, wireless connections, or a combination of wired and wireless connections. In some embodiments, any of the functions and operations described with reference to Figures 1 to 10 above may be performed by any combination of the elements shown in Figure 11.

[0108] According to embodiments, the AV system described herein can be stored, hosted, or deployed on a cloud computing platform 1120. In this regard, device 1110 may include devices, systems, equipment, etc., that are used by users (e.g., users of the marketing team, users of the network planning team, etc.) to access the AV system. In this case, device 1110 may include one or more devices capable of receiving, generating, storing, processing, and / or providing information related to platform 1120.

[0109] Platform 1120 includes one or more devices capable of receiving, generating, storing, processing, and / or providing information. In some implementations, Platform 1120 may include a cloud server or a group of cloud servers. In some implementations, Platform 1120 may be designed to be modular so that certain software components can be swapped in or swapped out as needed. Thus, Platform 1120 can be easily and / or quickly reconfigured for different uses.

[0110] In some implementations, as illustrated, platform 1120 may be hosted in a cloud computing environment 1122. In particular, the implementations described herein describe platform 1120 as being hosted within the cloud computing environment 1122, but in some implementations, platform 1120 may not be cloud-based (i.e., may be implemented outside a cloud computing environment) or may be partially cloud-based.

[0111] The cloud computing environment 1122 includes an environment that hosts platform 1120. The cloud computing environment 1122 may provide services that do not require the end user (e.g., user device 1110) to know about the physical location and configuration of the system and / or devices that host platform 1120, such as computing, software, data access, and storage. As shown in the figure, the cloud computing environment 1122 may include a group of computing resources 1124 (collectively referred to as “computing resources 1124” and individually referred to as “computing resources 1124”).

[0112] Computing resource 1124 includes one or more personal computers, clusters of computing devices, workstation computers, server devices, or other types of computing and / or communication devices. In some implementations, computing resource 1124 can host platform 1120. Cloud resources may include computing instances running within computing resource 1124, storage devices located within computing resource 1124, data transfer devices provided by computing resource 1124, etc. In some implementations, computing resource 1124 may communicate with other computing resources 1124 via wired connections, wireless connections, or a combination of wired and wireless connections.

[0113] As further shown in Figure 11, the computing resource 1124 includes a group of cloud resources such as one or more applications ("APP") 1124-1, one or more virtual machines ("VM") 1124-2, virtualized storage devices ("VS") 1124-3, and one or more hypervisors ("HYP") 1124-4.

[0114] Application 1124-1 includes one or more software applications that can be provided to or accessed by the user device 1110. Application 1124-1 eliminates the need to install and run software applications on the user device 1110. For example, Application 1124-1 may include software related to platform 1120 and / or any other software that can be provided via the cloud computing environment 1122. In some implementations, one application 1124-1 may send and receive information to and from one or more other applications 1124-1 via a virtual machine 1124-2.

[0115] A virtual machine 1124-2 includes a machine (e.g., a computer) in the form of a software implementation that runs programs like a physical machine. Depending on its application and the degree to which the virtual machine 1124-2 corresponds to an actual machine, the virtual machine 1124-2 may be either a system virtual machine or a process virtual machine. A system virtual machine can provide a complete system platform that supports the execution of a complete operating system ("OS"). A process virtual machine can run a single program and can support a single process. In some implementations, the virtual machine 1124-2 may run on behalf of a user (e.g., a user device 1110) and may manage the infrastructure of a cloud computing environment 1122, such as data management, synchronization, or long-term data transfer.

[0116] The virtualized storage device 1124-3 includes one or more storage systems and / or one or more devices that use virtualization technology within the storage system or device of the computing resource 1124. In some implementations, in the context of a storage system, the types of virtualization may include block virtualization and file virtualization. Block virtualization may refer to extracting (or separating) logical storage from physical storage so that the storage system can be accessed regardless of whether it is physical storage or heterogeneous. Separation may allow the administrator of the storage system to gain flexibility in how the administrator manages the storage device for end users. File virtualization may eliminate the dependency between data accessed at the file level and the location where the file is physically stored. This may enable optimization of storage device usage, server consolidation, and / or performance of non-disruptive file migration.

[0117] The hypervisor 1124-4 can provide hardware virtualization technology that enables multiple operating systems (e.g., "guest operating systems") to run simultaneously on a host computer such as computing resource 1124. The hypervisor 1124-4 can present a virtual operating platform to the guest operating system and manage the execution of the guest operating system. Multiple instances of various operating systems can share virtualized hardware resources.

[0118] Network 1130 may include one or more wired and / or wireless networks. For example, Network 1130 may include cellular networks (e.g., fifth-generation (5G) networks, long-term evolution (LTE) networks, third-generation (3G) networks, code division multiple access (CDMA) networks, etc.), public land mobile networks (PLMN), local area networks (LANs), wide area networks (WANs), metropolitan area networks (MANs), telephone networks (e.g., public switched telephone networks (PSTNs)), private networks, ad-hoc networks, intranets, the Internet, fiber optic-based networks, etc., and / or combinations of these or other types of networks.

[0119] The number and arrangement of devices and networks shown in Figure 11 are provided as examples. In practice, there may be additional devices and / or networks, fewer devices and / or networks, different devices and / or networks, or devices and / or networks in different arrangements compared to those shown in Figure 11. Furthermore, two or more devices shown in Figure 11 may be implemented within a single device, or a single device shown in Figure 11 may be implemented as multiple distributed devices. In addition, or instead, a set of devices in environment 1100 (e.g., one or more devices) may perform one or more functions that are described as being performed by another set of devices in environment 1100.

[0120] Various embodiments The foregoing disclosures provide examples and explanations, but are not intended to be exhaustive or to limit implementations to the exact forms disclosed. Modifications and variations are possible in light of the foregoing disclosures, or such modifications and variations may be derived from the practice of embodiments.

[0121] Some embodiments may relate to systems, methods, and / or computer-readable media in integration at any possible level of technical detail. Furthermore, one or more of the above-described components may be implemented as instructions stored in a computer-readable medium and executable by at least one processor (and / or may include at least one processor). The computer-readable medium may include one or more computer-readable non-temporary storage media having computer-readable program instructions for causing a processor to perform an operation.

[0122] A computer-readable storage medium can be a tangible device capable of holding and storing instructions for use by an instruction-executing device. A computer-readable storage medium may, but is not limited to, electronic storage devices, magnetic storage devices, optical storage devices, electromagnetic storage devices, semiconductor storage devices, or any suitable combination of the aforementioned. A non-exhaustive list of more specific examples of computer-readable storage media includes portable computer diskettes, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), compact disc read-only memory (CD-ROM), digital multipurpose discs (DVDs), memory sticks, floppy disks, mechanically encoded devices such as punched cards or grooved raised structures on which instructions are recorded, and any suitable combination of the aforementioned. When used herein, computer-readable storage media should not be construed as transient signals themselves, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmitting media (e.g., light pulses passing through optical fiber cables), or electrical signals transmitted over wires.

[0123] The computer-readable program instructions described herein can be downloaded from a computer-readable storage medium to each computing / processing device, or to an external computer or external storage device via a network, such as the Internet, a local area network, a wide area network, and / or a wireless network. The network may include transmission copper cables, transmission optical fibers, wireless transmission, routers, firewalls, switches, gateway computers, and / or edge servers. A network adapter card or network interface within each computing / processing device receives computer-readable program instructions from the network and transfers the computer-readable program instructions for storage in a computer-readable storage medium within each computing / processing device.

[0124] Computer-readable program code / instructions for performing an operation may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, integrated circuit configuration data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages ​​such as Smalltalk and C++, and procedural programming languages ​​such as the C programming language or similar programming languages. Computer-readable program instructions may run entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer via any type of network, including a local area network (LAN) or wide area network (WAN), or a connection to an external computer may be made (for example, via the Internet using an Internet service provider). In some embodiments, for example, an electronic circuit including a programmable logic circuit, a field-programmable gate array (FPGA), or a programmable logic array (PLA) can execute computer-readable program instructions and personalize the electronic circuit by utilizing state information of computer-readable program instructions to perform a manner or operation.

[0125] These computer-readable program instructions may be provided to a general-purpose computer, a dedicated computer, or a processor of another programmable data processing device to generate a machine such that instructions executed by the processor of the computer or other programmable data processing device form means for performing functions / operations specified in one or more blocks of a flowchart and / or block diagram. These computer-readable program instructions may also be stored on a computer-readable storage medium on which the instructions are stored can be instructed to function in a particular manner on a computer, a programmable data processing device, and / or other device to constitute a product containing instructions that perform the modes of functions / operations specified in one or more blocks of a flowchart and / or block diagram.

[0126] Computer-readable program instructions can also be loaded into a computer, other programmable device, or other device to generate a computer implementation process by causing the computer, other programmable device, or other device to execute a series of operational steps so that the instructions executed on the computer, other programmable device, or other device perform a function / operation specified in one or more blocks of a flowchart and / or block diagram.

[0127] The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer-readable media in various embodiments. In this regard, each block in a flowchart or block diagram may represent a microservice module, segment, or portion of an instruction containing one or more executable instructions for implementing a specified logical function. Methods, computer systems, and computer-readable media may include additional blocks, fewer blocks, different blocks, or blocks arranged differently from those shown in the figures. In some alternative implementations, the functions described in the blocks may be performed in a different order than shown in the figures. For example, two blocks shown consecutively may actually be executed simultaneously or substantially simultaneously, or blocks may sometimes be executed in reverse order depending on the associated functionality. It should also be noted that each block in a block diagram and / or flowchart, as well as combinations of blocks in a block diagram and / or flowchart, may be implemented by a dedicated hardware-based system that performs the specified function or operation, or a combination of dedicated hardware and computer instructions.

[0128] It will be apparent that the systems and / or methods described herein may be implemented in different forms of hardware, firmware, or combinations of hardware and software. The actual dedicated control hardware or software code used to implement these systems and / or methods is not limited to the implementation form. Therefore, the operation and behavior of the systems and / or methods are described herein without reference to specific software code, and it is understood that software and hardware may be designed to implement the systems and / or methods based on the descriptions herein.

[0129] Various further embodiments and features of the embodiments of this disclosure may be defined by the following items. Item [1]: A system which may include a storage device for storing computer executable instructions and at least one processor communicatively connected to the storage device, wherein the at least one processor can be configured to execute instructions to create a first authentication list for a first network entity, the first authentication list specifying one or more network entities to be authenticated with the first network entity; to receive a second authentication list from a second network entity, the second authentication list specifying one or more network entities to be authenticated with the second network entity; the first and second network entities to be authenticated with each other; to create a trust list for the first network entity based on the first and second authentication lists; and the trust list for the first network entity specifying a level of trust between the first network entity and one or more network entities in the first and second authentication lists. Item [2]: The system described in Item [1], wherein the trust level may include one of direct trust and indirect trust, and the trust level may be between one or more ports of a first network entity and one or more ports of one or more network entities in the first and second authentication lists having the role of supplicant. Item [3]: The system described in Item [2], wherein the trust list for a first network entity may include one or more MAC addresses of one or more ports of the first network entity and one or more MAC addresses of one or more ports of one or more network entities in the first and second authentication lists that have the role of supplicant. Item [4]: ​​The system according to any one of items [1] to [3], wherein at least one processor may be configured to create a trust list for a first network entity based on a first and second authentication list by executing an instruction to create a trust list based on a first authentication list such that the trust list specifies a level of trust between a first network entity and one or more network entities in the first authentication list; updating the first authentication list to include a second authentication list in response to receiving a second authentication list; and updating the trust list based on the updated first authentication list such that the trust list further specifies a level of trust between a first network entity and one or more network entities in the second authentication list. Item [5]: The system described in Item [4], wherein at least one processor may be further configured to execute instructions and send an updated first authentication list to one or more network entities authenticated by the first network entity. Item [6]: A system described in any one of items [1] to [5], wherein the second authentication list may further specify one or more network entities to be authenticated by the third network entity, and the third network entity may be authenticated with the second network entity. Item [7]: A system as described in any one of items [1] to [6], wherein the first authentication list can specify one or more first MAC addresses of one or more ports of a first network entity, one or more third MAC addresses of one or more ports of one or more network entities authenticated by one or more first MAC addresses, and roles of one or more ports of the first network entity, and the second authentication list can specify one or more second MAC addresses of one or more ports of a second network entity, one or more fourth MAC addresses of one or more ports of one or more network entities authenticated by one or more second MAC addresses, and roles of one or more ports of the second network entity, and roles can include one of certifier and supplicant. Item [8]: A system described in any one of items [1] to [7], in which authentication between a first network entity, a second network entity, and one or more network entities can be based on port-based network access control IEEE 802.1x. Item [9]: The system described in any one of items [1] to [8], wherein the first network entity, the second network entity, and one or more network entities can include at least one of the O-CU, O-DU, O-RU, and transport network elements. Item

[10] : A system which may include a storage device for storing computer executable instructions and at least one processor communicatively connected to the storage device, wherein the at least one processor can execute instructions to receive a first authentication list from a first network entity, the first authentication list specifying one or more network entities to be authenticated with the first network entity; receive a second authentication list from a second network entity, the second authentication list specifying one or more network entities to be authenticated with the second network entity; the first and second network entities to be authenticated with each other; create a trust list for the first network entity based on the first and second authentication lists; and the trust list for the first network entity specifies a level of trust between the first network entity and one or more network entities in the first and second authentication lists. Item

[11] : A method which may include creating a first authentication list for a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; receiving a second authentication list from a second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, wherein the first network entity and the second network entity are authenticated with each other; and creating a trust list for the first network entity based on the first and second authentication lists, wherein the trust list for the first network entity specifies a level of trust between the first network entity and one or more network entities in the first and second authentication lists. Item

[12] : The method according to Item

[11] , wherein the trust level may include one of direct trust and indirect trust, and the trust level may be between one or more ports of a first network entity and one or more ports of one or more network entities in first and second authentication lists having the role of supplicant. Item

[13] : The method according to Item

[12] , wherein the trust list for a first network entity can include one or more MAC addresses of one or more ports of the first network entity and one or more MAC addresses of one or more ports of one or more network entities in the first and second authentication lists that have the role of supplicant. Item

[14] : The method described in any one of items

[11] to

[13] , which may include creating a trust list for a first network entity based on a first authentication list and a second authentication list, creating a trust list based on the first authentication list such that the trust list specifies a level of trust between the first network entity and one or more network entities in the first authentication list, updating the first authentication list to include the second authentication list in response to receiving the second authentication list, and updating the trust list based on the updated first authentication list such that the trust list further specifies a level of trust between the first network entity and one or more network entities in the second authentication list. Item

[15] : The method described in Item

[14] , which may further include sending the updated first authentication list to the first network entity and one or more network entities to be authenticated. Item

[16] : A system described in any one of items

[11] to

[15] , wherein the second authentication list may further specify one or more network entities to be authenticated by the third network entity, and the third network entity may be authenticated with the second network entity. Item

[17] : The method according to any one of items

[11] to

[16] , wherein the first authentication list can specify one or more first MAC addresses of one or more ports of a first network entity, one or more third MAC addresses of one or more ports of one or more network entities authenticated by one or more first MAC addresses, and roles of one or more ports of the first network entity, and the second authentication list can specify one or more second MAC addresses of one or more ports of a second network entity, one or more fourth MAC addresses of one or more ports of one or more network entities authenticated by one or more second MAC addresses, and roles of one or more ports of the second network entity, and roles can include one of certifier and supplicant. Item

[18] : Authentication between a first network entity, a second network entity, and one or more network entities may be based on port-based network access control IEEE 802.1x, as described in any one of items

[11] to

[17] . Item

[19] : The method described in any one of items

[11] to

[18] , wherein a first network entity, a second network entity, and one or more network entities can include at least one of O-CU, O-DU, O-RU, and transport network elements. Item

[20] : A method which may include receiving a first authentication list from a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity; receiving a second authentication list from a second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, wherein the first network entity and the second network entity are authenticated with each other; and creating a trust list for the first network entity based on the first and second authentication lists, wherein the trust list for the first network entity specifies a level of trust between the first network entity and one or more network entities in the first and second authentication lists.

[0130] In light of the above teachings, it can be seen that many modifications and variations of this disclosure are possible. It will be apparent that, within the scope of the appended clauses, this disclosure may be implemented in ways other than those specifically described herein.

Claims

1. It is a system, A storage device for storing computer executable instructions, The system includes at least one processor that is communicably connected to the at least one storage device, wherein the at least one processor executes the instructions. A first authentication list is created for a first network entity, and the first authentication list specifies one or more network entities that are authenticated with the first network entity. The first network entity receives a second authentication list from a second network entity, the second authentication list specifies one or more network entities to be authenticated with the second network entity, and the first network entity and the second network entity are authenticated with each other. A trust list is created for the first network entity based on the first authentication list and the second authentication list, and the trust list for the first network entity specifies the level of trust between the first network entity and one or more network entities in the first authentication list and the second authentication list. A system that is configured in such a way.

2. The aforementioned confidence level includes one of direct confidence and indirect confidence, The trust level is between one or more ports of the first network entity and one or more ports of the one or more network entities in the first and second authentication lists that have the role of supplicant. The system according to claim 1.

3. The system according to claim 2, wherein the trust list for the first network entity includes one or more MAC addresses of one or more ports of the first network entity and one or more MAC addresses of one or more ports of one or more network entities in the first and second authentication lists having the role of supplicant.

4. The at least one processor executes the instruction, Creating the trust list based on the first authentication list, such that the trust list specifies the trust level between the first network entity and one or more network entities in the first authentication list, In response to receiving the second authentication list, the first authentication list is updated to include the second authentication list, The trust list is updated based on the updated first authentication list so that the trust list further specifies the trust level between the first network entity and one or more network entities in the second authentication list. The system according to claim 1, configured to create the trust list for the first network entity based on the first authentication list and the second authentication list.

5. The system according to claim 4, wherein the at least one processor is further configured to execute the instructions and transmit the updated first authentication list to the one or more network entities authenticated by the first network entity.

6. The second authentication list further specifies one or more network entities to be authenticated by the third network entity, The third network entity is authenticated with the second network entity. The system according to claim 1.

7. The first authentication list specifies one or more first MAC addresses of one or more ports of the first network entity, one or more third MAC addresses of one or more ports of one or more network entities authenticated by the one or more first MAC addresses, and the roles of the one or more ports of the first network entity. The second authentication list specifies one or more second MAC addresses of one or more ports of the second network entity, one or more fourth MAC addresses of one or more ports of one or more network entities authenticated by the one or more second MAC addresses, and the roles of the one or more ports of the second network entity. The aforementioned roles include one of the certifier and the supplicant. The system according to claim 1.

8. The system according to claim 1, wherein authentication between the first network entity, the second network entity, and the one or more network entities is based on port-based network access control IEEE 802.1x.

9. The system according to claim 1, wherein the first network entity, the second network entity, and the one or more network entities include at least one of O-CU, O-DU, O-RU, and transport network elements.

10. It is a system, A storage device for storing computer executable instructions, The system includes at least one processor that is communicably connected to the at least one storage device, The at least one processor executes the instruction, A first authentication list is received from a first network entity, and the first authentication list specifies one or more network entities to be authenticated with the first network entity. The first network entity receives a second authentication list from the second network entity, the second authentication list specifies one or more network entities to be authenticated with the second network entity, and the first network entity and the second network entity are authenticated with each other. A trust list is created for the first network entity based on the first authentication list and the second authentication list, and the trust list for the first network entity specifies the level of trust between the first network entity and one or more network entities in the first authentication list and the second authentication list. A system that is configured in such a way.

11. Creating a first authentication list for a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity. Receiving a second authentication list from a second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, and the first network entity and the second network entity are authenticated with each other, Creating a trust list for the first network entity based on the first authentication list and the second authentication list, wherein the trust list for the first network entity specifies a level of trust between the first network entity and one or more network entities in the first authentication list and the second authentication list. A method that includes this.

12. The aforementioned confidence level includes one of direct confidence and indirect confidence, The trust level is between one or more ports of the first network entity and one or more ports of the one or more network entities in the first and second authentication lists that have the role of supplicant. The method according to claim 11.

13. The method according to claim 12, wherein the trust list for the first network entity includes one or more MAC addresses of one or more ports of the first network entity and one or more MAC addresses of one or more ports of the one or more network entities in the first and second authentication lists having the role of supplicant.

14. Creating the trust list for the first network entity based on the first authentication list and the second authentication list is: Creating the trust list based on the first authentication list, such that the trust list specifies the trust level between the first network entity and one or more network entities in the first authentication list, In response to receiving the second authentication list, the first authentication list is updated to include the second authentication list, Updating the trust list based on the updated first authentication list, such that the trust list further specifies the level of trust between the first network entity and one or more network entities in the second authentication list; The method according to claim 11, including the method described in claim 11.

15. The method according to claim 14, further comprising transmitting the updated first authentication list to one or more network entities authenticated by the first network entity.

16. The second authentication list further specifies one or more network entities to be authenticated by the third network entity, The third network entity is authenticated with the second network entity. The method according to claim 11.

17. The first authentication list specifies one or more first MAC addresses of one or more ports of the first network entity, one or more third MAC addresses of one or more ports of one or more network entities authenticated by the one or more first MAC addresses, and the roles of the one or more ports of the first network entity. The second authentication list specifies one or more second MAC addresses of one or more ports of the second network entity, one or more fourth MAC addresses of one or more ports of one or more network entities authenticated by the one or more second MAC addresses, and the roles of the one or more ports of the second network entity. The aforementioned roles include one of the certifier and the supplicant. The method according to claim 11.

18. The method according to claim 11, wherein authentication between the first network entity, the second network entity, and the one or more network entities is based on port-based network access control IEEE 802.1x.

19. The method according to claim 11, wherein the first network entity, the second network entity, and the one or more network entities include at least one of O-CU, O-DU, O-RU, and transport network elements.

20. Receiving a first authentication list from a first network entity, wherein the first authentication list specifies one or more network entities that are authenticated with the first network entity, Receiving a second authentication list from a second network entity, wherein the second authentication list specifies one or more network entities that are authenticated with the second network entity, and the first network entity and the second network entity are authenticated with each other, Creating a trust list for the first network entity based on the first authentication list and the second authentication list, wherein the trust list for the first network entity specifies a level of trust between the first network entity and one or more network entities in the first authentication list and the second authentication list. A method that includes this.