Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, and wherein one of the first and second security edge protection proxy elements is a sending security edge protection proxy element and the other of the first and second security edge protection proxy elements is a receiving security edge protection proxy element, the receiving security edge protection proxy element receives a message from the sending security edge protection proxy element. The receiving security edge protection proxy element detects one or more error conditions associated with the received message. The receiving security edge protection proxy element determines one or more error handling actions to be taken in response to the one or more detected error conditions.

Abstract: There is disclosed a network apparatus that is caused to receive analytics data from a first network apparatus, determine that said analytics data is usable by a second network apparatus, and send said analytics data to the second network apparatus in dependence on said determining.

Abstract: In accordance with an example embodiment, there is provided an apparatus, such as a user equipment, configured to receive, from a communication network, an authentication request which comprises a nonce and a received sequence number, check, whether the received sequence number is advanced with respect to a first sequence number, the first sequence number being from a most recent previous authentication request handled by the apparatus, check, responsive to the received sequence number not being advanced with respect the first sequence number, whether the nonce is identical to one from among plural stored nonces, and send, responsive to the nonce being identical to the one stored nonce, a response to the authentication request which comprises as a synchronization failure token a dummy value which is not derived from the first sequence number.

Abstract: Example embodiments of the present disclosure relate to devices, methods and computer readable storage media for service provisioning to facilitate analysis of a service from a network function (NF). In example embodiments, one or more logs are received from at least one of a first NF, a network repository function (NRF) and a service communication proxy (SCP). The one or more logs are associated with a service from a second NF. Further, analysis of provision of the service from the second NF is facilitated based on the one or more logs.

Abstract: Techniques are disclosed for security management for authentication failure notification in a communication system. For example, a method comprises receiving, at user equipment from a network entity in a communication system, a message comprising an indication of at least one specific cause for a failure in an authentication procedure between the communication system and the user equipment, wherein the at least one specific cause comprises an occurrence of an authentication credential expiration. The user equipment may apply a policy and/or take one or more actions in response to receipt of the message.

Abstract: According to an example aspect of the present invention, there is provided a method comprising, transmitting to a Network Function, NF, service producer, by a Service Communication Proxy, SCP, a service request on behalf of an NF service consumer, wherein the service request comprises an access token, receiving, by the SCP, a service response from the NF service producer and upon receiving the service response, transmitting to the NF service consumer, by the SCP, information related to the access token.

Abstract: In given user equipment seeking access to a first communication network (e.g., 5G network), wherein the given user equipment comprises a subscriber identity module (e.g., USIM) configured for a second communication network, and wherein the second communication network is a legacy network with respect to the first communication network (e.g., legacy 4G network), a method includes: initiating an authentication procedure with at least one network entity of the first communication network and selecting an authentication method to be used during the authentication procedure; and participating in the authentication procedure with the at least one network entity using the selected authentication method and, upon successful authentication, the given user equipment obtaining a set of keys to enable the given user equipment to access the first communication network.

Abstract: A session management function of a 5G system receives information that a secondary authentication is to be done for a given user equipment for authorising user equipment to use a data network; and responsively to the received information, communicates with the data network and receives from the data network an indication; and allows a 5G access to the user equipment so that the user equipment can communicate with the data network according to the indication either without cryptographic protection or with cryptographic protection depending on the indication.

Abstract: Techniques for preventing sequence number leakage during user equipment authentication in a communication network are provided. For example, a method comprises obtaining a permanent identifier and an authentication sequence value that are unique to user equipment, concealing the permanent identifier and the authentication sequence value, and sending the concealed permanent identifier and the authentication sequence value in a registration message from the user equipment to a communication network. Then, advantageously, in response to receipt of an authentication failure message from the communication network, the user equipment can send a response message to the communication network containing a failure cause indication without a re-synchronization token.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured to process a request for an access token authorizing access for a network function consumer to a service provided by a network function producer, the request being received in the apparatus from a service communication proxy, wherein the processing comprises one or more of the following verification: verification that a credential data element comprised in the request, cryptographically signed by the network function consumer, identifies the request, the service or a type of the service, and verification with reference to a further node, or to a profile of the network function consumer, that the service communication proxy is authorized to act on behalf of the network function consumer, and transmit, responsive to at least one of the verifications being successful, the requested access token, the access token comprising an indication of the service communication proxy.

Abstract: The apparatus includes a memory configured to store security information, and at least one processing core, configured to generate the security information by defining a security policy concerning user plane transfer of precision time protocol messages, and to instruct at least one network node to implement the security policy by transmitting the security information to the at least one network node.

Abstract: A technique comprising: receiving, at a data analytics function of a core network of a mobile communication system, travel path data from a traffic management entity, wherein the travel path data indicates a travel path for a vehicle comprising a user equipment registered to the mobile communication system; receiving, at the data analytics function, location data for the vehicle transmitted by the user equipment; and in response to detecting an inconsistency between the travel path data for the vehicle and the location data for the vehicle transmitted by the user equipment, outputting a travel path deviation report for the traffic management entity.

Abstract: There is provided an apparatus comprising at least one processor and at least one memory including a computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the apparatus at least to: receive, at a first network repository function in a first network from a security edge protection proxy in a second network, a request for discovering one or more roaming hubs and/or security edge protection proxies in the first network; and send, from the first network repository function to the security edge protection proxy in the second network, a response comprising information identifying the one or more roaming hubs and/or security edge protection proxies in the first network and information identifying one or more further networks which can be reached via a respective roaming hub and/or security edge protection proxy in the first network.

Abstract: A method, apparatus and computer program product for providing and evaluating machine leaning models are provided. In the context of an apparatus, the apparatus comprises at least one processor; and at least one memory including computer program code, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus at least to perform: responsive to receiving a benchmarking data request, identify user equipment capability data associated with the benchmarking data request; identify a machine learning model associated with the benchmarking data request; generate benchmarking data based at least in part on the machine learning model and the user equipment capability data; and provide the benchmarking data for use in conjunction with the machine learning model.

Abstract: The disclosure relates to an apparatus comprising at least one processor and at least one memory including computer code for one or more programs, the at least one memory and the computer code configured, with the at least one processor, to cause the apparatus at least to: receive one or more rules for storing data or analytics in a storage; determine a storage approach based on the one or more rules for storing data or analytics in the storage; and track data or analytics in the storage and determine whether to store, update or remove all or a portion of the data or analytics in the storage based on the storage approach.

Abstract: The disclosure relates to a first apparatus comprising at least one processor and at least one memory including computer code for one or more programs, the at least one memory and the computer code configured, with the at least one processor, to cause the apparatus at least to: send (500), to a second apparatus, a request comprising information indicating a list of public land mobile network identifiers identifying a first public land mobile network supported by the first apparatus, and information to derive a second public land mobile network supported by the second apparatus; and receive (502), from the second apparatus, a response comprising information indicating a list of public land mobile network identifiers identifying the second public land mobile network supported by the second apparatus.

Abstract: A method, apparatus and computer program product may be provided for signaling-based remote provisioning and updating of protection policy information in a SEPP of a visited network. A method may include obtaining, at a home network node (hSEPP), protection policy information from a local repository in a home network or via configuration. The hSEPP is a network node at a boundary of the home netowork, and the home network is a public land mobile network (hPLMN). The method includes distributing, via a signaling interface, the protection policy information to a visited network node (vSEPP) within a visited network (vPLMN). The vSEPP is a network node at a boundary of a second network. The protection policy information includes information regarding protection of signaling messages addressed for network functions (NFs) hosted in the hPLMN and is configured for enabling the vSEPP to selectively protect outgoing messages to hSEPP in the home network.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured to function as a network function repository, and transmit to a network function consumer an access token authorizing access to a service provided by a network function producer, the access token comprising an at least one of: indication of a fully qualified domain name of the network function consumer, an indication of a domain from which access to the network function producer is allowed and an indication of a stand-alone non-public network from which access to the network function producer is allowed.

Abstract: Authentication in a public land mobile network, PLMN, having tenant slices is performed by a network element that has: a memory comprising program code; a communication circuitry for communication with entities in the PLMN; and a processing circuitry configured to execute the program code and according to the program code to cause: detecting a registration request from a mobile communication device, MCDt; detecting whether the registration request requests access to a network slice with one-tier authentication with the network slice, and: if yes, causing beginning of authenticating the MCDt with the network slice independently of any authentication between the MCDt and the PLMN.

Abstract: Systems, methods, and software for inter-PLMN communications. In one embodiment, a roaming hub receives a message from a sending entity across an N32 interface, and determines whether the message includes an HTTP custom header that indicates a PLMN that is validated. When the message as received does not include the HTTP custom header, the roaming hub adds the HTTP custom header to the message that indicates the PLMN of the sending entity, integrity protects the HTTP custom header, and forwards the message toward a receiving entity.