Abstract: Embodiments described herein provide methods and apparatus for configuring a service based architecture for discovery of a Network Function, NF. A method in a Network Function Discovery Orchestration includes configuring, in a domain name system, DNS, a first DNS entry associating a first domain name of the NF with at least one NF Internet Protocol, IP, address of the NF, and a second DNS entry associating the first domain name with at least one edge security node IP address of an edge security node in the first PLMN, wherein, the first DNS entry is for use in resolving requests for the NF which originate from within the first PLMN, and the second DNS entry is for use in resolving requests for the NF which originate from outside the first PLMN. Further methods and apparatus in a Network Repository Function, a Domain Name System and an edge security node are also provided.

Abstract: A method performed by a wireless device includes determining whether a first message received from a network node includes an Authentication and Key Management for Applications (AKMA) key indicator and, based on whether the first message includes the AKMA indicator, determining whether to generate AKMA key material for the authentication procedure with the network.

Abstract: A method performed by an authentication server in a home network of a UE for obtaining a subscription permanent identifier, SUPI. The method comprises: receiving a SUCI which comprises an encrypted part in which at least a part of the SUPI is encrypted, and a clear-text part which comprises a home network identifier and an encryption scheme identifier that identifies an encryption scheme used by the UE to encrypt the SUPI in the SUCI; determining a de-concealing server to use to decrypt the encrypted part of the SUCI; sending the SUCI to the de-concealing server; and receiving the SUPI in response. Methods performed by a UE and a de-concealing server are also disclosed. Furthermore, UEs, de-concealing servers, authentication servers, computer program and a memory circuitry are also disclosed.

Abstract: Network equipment (26) in a wireless communication network is configured to receive at least a portion of a subscription concealed identifier, SUCI, (34) for a subscriber (13). The SUCI (34) contains a concealed subscription permanent identifier, SUPI, (20) for the subscriber (13). The received at least a portion of the SUCI (34) indicates a sub-domain code, SDC, (32). The SDC (32) indicates a certain sub-domain, from among multiple sub-domains (30-1, 30-2, . . . 30-N) of a home network of the subscriber (13), to which the subscriber (13) is assigned. The network equipment (26) is also configured to determine, based on the SDC (32) and from among multiple instances (24-1, 24-2, . . . 24-M) of a provider network function in the home network respectively allocated to provide a service to be consumed for subscribers assigned to different sub-domains, an instance of the provider network function to provide the service to be consumed for the subscriber (13).

Abstract: A method performed by a wireless device (110) includes determining whether a first message received from a network node (160) includes an Authentication and Key Management for Applications (AKMA) key indicator and, based on whether the first message includes the AKMA indicator, determining whether to generate AKMA key material for the authentication procedure with the network.

Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.

Abstract: A method performed by an authentication server for provisioning a user equipment (1), UE. The method comprises: obtaining a message authentication code, MAC, based on a provisioning key specific to the UE to the UE and a privacy key of a home network (3) of the UE, wherein the provisioning key is a shared secret between the authentication server (14) and the UE and the privacy key comprises a public key of the home network; and transmitting the privacy key and the MAC to the UE. Methods performed by a de-concealing server and the UE, respectively are also disclosed as well as authentication servers, de-concealing servers and UEs. A computer program and a memory circuitry (13) are also disclosed.

Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.

Abstract: A method performed by a user equipment (UE) including establishing a primary authentication with a security anchor function, establishing a user plane (UP) session or connection with a UP function (UPF), receiving an extensible authentication protocol (EAP) based authentication request from the UPF, sending an EAP based authentication response to the UPF, and receiving an EAP based authentication result based on a verification response from an external authentication, authorization, and accounting (AAA) server. A method performed by a UPF includes establishing a UP session or connection to a UE, sending an EAP based authentication request to the UE, receiving an EAP based authentication response from the UE, forwarding the EAP based authentication response to an external AAA server, receiving a verification response from the external AAA server, and sending an authentication result to the UE based on the verification response from the external AAA server.

Abstract: The present invention faces the issue of improving isolation of network slices in network slicing deployments where a centralized User Data Management, which includes subscription information for all users in a network with a plurality of network slices, is shared by the plurality of network slices. To solve this issue, the present invention provides for a distributed slice data repository for handling slice selection data for users equipped with a user equipment, UE, in a network that includes a plurality of network slices. This distributed slice data repository has: a slice user data repository, SDR, per network slice basis and including subscription information for each UE to be served by the network slice, and a slice selection repository, SSR, which is external to any network slice, shared by the plurality of network slices, and only includes slice selection data for every UE in the network.

Abstract: The present invention faces the issue of introducing a new direct interface NG10, between a unified data management function and a session management function in a HPLMN, i.e., a home SMF, in order to obtain a service profile for a UE, at the home SMF from the UDM, and provides for the home SMF obtaining such service profile from a policy control function via the existing NG7 interface.

Abstract: A method for handling change of serving Access and Mobility Managing Function for a user equipment. The method comprises sending of a context request to a source Access and Mobility Managing Function. This sending is performed from a target Access and Mobility Managing Function. In the target Access and Mobility Managing Function, a context is received (S3) in reply from the source Access and Mobility Managing Function. The context comprises a parameter which identifies a Security Anchor Function Access and Mobility Managing Function. The Security Anchor Function Access and Mobility Managing Function keeps a key, which is shared with the user equipment. A method for handling a change of serving Access and Mobility Managing Function in a user equipment is also disclosed as well as Access and Mobility Managing Function and User Equipments therefore.

Abstract: A method of initiating a Packet Data Unit, PDU, session between an User Equipment, UE, and a Data Network Name, DNN, in a telecommunication network, said method comprising the steps of; receiving, by an Access & Mobility Function, AMF, a registration request for an UE for registering said UE in said telecommunication network, retrieving, by said AMF, from an Unified Data Management, UDM, node, one or more DNNs to which PDU sessions are expected to be established by said UE in said telecommunication network, and wherein said step of retrieving is triggered by said receiving of said registration request, instructing, by said AMF, said UE to initiate said one or more PDU sessions between said UE and said one or more DNNs. Complementary methods and Devices for performing a method according to the invention are also presented herein.

Abstract: Network equipment (26) in a wireless communication network is configured to receive at least a portion of a subscription concealed identifier, SUCI, (34) for a subscriber (13). The SUCI (34) contains a concealed subscription permanent identifier, SUPI, (20) for the subscriber (13). The received at least a portion of the SUCI (34) indicates a sub-domain code, SDC, (32). The SDC (32) indicates a certain sub-domain, from among multiple sub-domains (30-1, 30-2, . . . 30-N) of a home network of the subscriber (13), to which the subscriber (13) is assigned. The network equipment (26) is also configured to determine, based on the SDC (32) and from among multiple instances (24-1, 24-2, . . . 24-M) of a provider network function in the home network respectively allocated to provide a service to be consumed for subscribers assigned to different sub-domains, an instance of the provider network function to provide the service to be consumed for the subscriber (13).

Abstract: A method of registering a User Equipment, UE, in a communication network, said method comprising the steps of receiving, by a control node in said core network, from an access network, a registration request message for registering a UE in said communication network, transmitting, by said control node, to a subscriber node in said communication network, a subscription request message, wherein said subscription request message requests subscription information for said UE and comprises an identification of a type of said access network, AN, via which said UE registration request message is received and an identification of a Radio Access Technology, RAT, used by said UE for connecting to said access network, receiving, by said control node, from said subscriber node, a subscription response message comprising said subscription information for said UE based on said AN and said RAT and transmitting, by said control node, to said UE, a registration complete message for indicating that said UE has registered in th

Abstract: A network node (500, 600) in a home network, HN, of a wireless device (10, 300, 400) assigns a different priority to each of one or more parameter sets in a priority list. Each parameter set comprises one or more parameters used for calculating the subscription identifier. The network node (500, 600) provides the wireless device (10, 300, 400) with the priority list to facilitate the calculation of the subscription identifier by the wireless device (10, 300, 400). The wireless device (10, 300, 400) obtains the priority list, and calculates the subscription identifier using a null parameter set or one of the one or more parameter sets in the priority list selected responsive to the defined priorities. The wireless device (10, 300, 400) then informs the HN of the subscription of the wireless device (10, 300, 400) by sending the calculated subscription identifier to the network node (500, 600).

Abstract: A method performed by a user equipment (UE) including establishing a primary authentication with a security anchor function, establishing a user plane (UP) session or connection with a UP function (UPF), receiving an extensible authentication protocol (EAP) based authentication request from the UPF, sending an EAP based authentication response to the UPF, and receiving an EAP based authentication result based on a verification response from an external authentication, authorization, and accounting (AAA) server. A method performed by a UPF includes establishing a UP session or connection to a UE, sending an EAP based authentication request to the UE, receiving an EAP based authentication response from the UE, forwarding the EAP based authentication response to an external AAA server, receiving a verification response from the external AAA server, and sending an authentication result to the UE based on the verification response from the external AAA server.

Abstract: A report message (304) is transmitted between a control node (107) of a first network and a subscriber service node (109). The report message (304) indicates granted or failed authorization of a subscriber to establish a packet data session with a second network via all access point node.

Abstract: A method of establishing a Packet Data Unit, PDU, session between a User Equipment, UE (51; 600), and a data network identified by a Data Network Name, DNN, in a telecommunication network. The telecommunication network comprising an Access and Mobility Function, AMF (56; 66; 500), and a Policy Control Function, PCF (60; 700).

Abstract: Methods and apparatus for secondary authentication in a network. A method performed by a user equipment (UE) comprises establishing a user plane (UP) session or connection with a UP function (UPF), receiving an extensible authentication protocol (EAP) based authentication request from the UPF and sending an EAP based authentication response to the UPF. A method performed by a user plane UP function (UPF) comprises establishing a UP session or connection to a user equipment (UE), sending an extensible authentication protocol (EAP) based authentication request to the UE, and receiving an EAP based authentication response from the UE.