Abstract: A method for generating network function (NF) set load information aware NF discovery responses includes, at an NF repository function (NRF), receiving NFUpdate messages from producer NF instances. The method further includes collecting or generating, from the NFUpdate messages, NF set load information for NF sets of which the producer NF instances are members. The method further includes receiving, from a consumer NF, an NF discovery request. The method further includes generating, using query parameters in the NF discovery request, an NF discovery response including NF profiles of producer NF instances corresponding to the query and, including, in the NF discovery response, NF set load information for NF sets of producer NF instances whose NF profiles are included in the NF discovery response. The method further includes forwarding the NF discovery response including the NF set load information to the consumer NF.

Abstract: A method for preventing subscriber identifier leakage from a telecommunications network includes receiving, by a security edge protection proxy (SEPP), an authentication response message authorizing a subscriber in a visitor network, wherein the authentication response message includes a home subscriber identifier used to identify the subscriber within a home network. The method further includes replacing, by the SEPP, the home subscriber identifier in the authentication response message with a visitor subscriber identifier. The method further includes forwarding, by the SEPP, the authentication response message with the visitor subscriber identifier to a visitor network.

Abstract: A method for mitigating a 5G roaming attack using a security edge protection proxy (SEPP), includes receiving, at an SEPP, user equipment (UE) registration messages for outbound roaming subscribers. The method further includes creating, in a SEPP security database, UE roaming registration records derived from UE registration messages. The method further includes receiving, at the SEPP, a packet data unit (PDU) session establishment request message. The method further includes performing, using at least one parameter value extracted from the PDU session establishment request message, a lookup in the SEPP security database for a UE roaming registration record. The method further includes determining, by the SEPP and based on results of the lookup, whether to allow or reject the PDU session establishment request message.

Abstract: A method for resource object level authorization at a network function (NF) includes maintaining, by a first NF, a service based interface (SBI) resource object access authorization policy database containing policies for controlling access to SBI resource objects and dynamically populating a resource object owner database containing records for resource objects and corresponding resource object owners. The method further includes receiving, by the first NF and from a second NF, a first SBI resource object access request for accessing a resource object, accessing, using information from the first SBI resource object access request, the resource object access authorization policy database and the resource object owner database, determining that an access to the resource object requested by the first resource object access request is not permitted, and preventing the access to the resource object requested by the first resource object access request.

Abstract: A method for resolution of inter-network domain names between telecommunications networks includes storing, at a security edge protection proxy (SEPP) of a home network, a mapping between a domain name and a network address of a producer network function of the home network. The method includes receiving, at the SEPP of the home network, a request message from a consumer network function of a visitor network. The method includes resolving, at the SEPP of the home network, a request message domain name of the request message using the mapping between the domain name and the network address of the producer network function of the home network.

Abstract: Methods, systems, and computer readable media for ingress message rate limiting are disclosed. One method occurs at a first network node of a first network comprises: obtaining, from a transport layer security (TLS) message from a second network node of a second network, an identifier identifying the second network node or the second network; receiving a request message from the second network node or the second network; determining, using the identifier, that an allowed ingress message rate associated with the second network node or the second network has been reached or exceeded; and in response to determining that the allowed ingress message rate associated with the second network node or the second network has been reached or exceeded, performing a rate limiting action.

Abstract: A method for providing for reliable service based interface (SBI) message transport using zero event notifications includes, at a consumer NF, sending an SBI message to a producer NF indicating an intent to use zero event notification messaging. The method further includes, at the producer NF, receiving the SBI message indicating the intent to use zero event notification messaging, and, transmitting a zero event notification request message to the consumer NF using a callback URI from the SBI message to confirm the callback URI and connectivity from the producer NF to the consumer NF. The method further includes, at the consumer NF, receiving the zero event notification request message and, in response, sending a zero event notification response message to the producer NF. The method further includes, at the producer NF, receiving the zero event notification response message, and, in response, continuing SBI subscription messaging with the consumer NF.

Abstract: A method for mitigating location tracking and DoS attacks that utilize an AMF location service includes receiving, at an NF, an authentication response message from an HPLMN of a UE. The method further includes extracting, by the NF and from the authentication response message, a subscription identifier and an indicator of an authentication result for the UE. The method further includes storing, by the NF and in an AMF location service validation database, the subscription identifier and the indicator of the authentication result for the UE. The method further includes receiving, by the NF, an AMF location service message and using at least one of a subscription identifier extracted from the AMF location service message and contents of the AMF location service validation database, to classify the AMF location service message as a location tracking or DoS attack. The method further includes preventing the location tracking or DoS attack.

Abstract: A method for protecting against mass NF deregistration attacks can be performed at an NRF or SCP. The method includes receiving an NFDeregister request for deregistering an NF. The method further includes classifying the NFDeregister request as suspect based on application of suspect NFDeregister request classification rules. The method further includes in response to classifying the NFDeregister request as suspect, queueing the NFDeregister request. The method further includes receiving an NF heart-beat message concerning the NF. The method further includes determining that the NF heart-beat message is received within an NF heart-beat time interval for the NF. The method further includes in response to determining that the NF heart-beat message is received within the NF heart-beat time interval for the NF, preventing processing of the NF Deregister request and blacklisting a sender of the NFDeregister request.

Abstract: A method for obtaining and using a single-use OAuth 2.0 access token for securing specific service-based architecture (SBA) interfaces includes generating, by a consumer network function (NF) an access token request. The method further includes inserting, in the access token request, a hash of at least a portion of a service-based interface (SBI) request message. The method further includes sending the access token request to an NF repository function (NRF). The method further includes receiving, from the NRF, an access token response, the access token response having an OAuth 2.0 access token including the hash of the at least a portion of the SBI request message. The method further includes using the OAuth 2.0 access token including the hash of the at least a portion of the SBI request message to access an SBI service.

Abstract: A method for creating single-use authentication messages includes creating, at a consumer network function of a core network of a telecommunications network, a message hash of at least a subset of a request message. The method includes adding, at the consumer network function, the message hash to a client credentials assertion (CCA) token for the consumer network function. The method includes sending, from the consumer network function, the request message with the CCA token to a producer network function.

Abstract: Methods, systems, and computer readable media for hiding network function (NF) instance identifiers (IDs) in communications networks are disclosed. One method for hiding NF instance IDs in a communications network occurs at an NF repository function (NRF) comprising at least one processor. The method comprises: receiving, from a first NF, an NF registration request message for registering a first NF instance of the first NF, wherein the NF registration request message includes a first NF instance ID for identifying the first NF instance; storing, in a data store, a mapping between the first NF instance ID and at least one pseudo NF instance ID, wherein the data store includes mappings between NF instance IDs and related pseudo NF instance IDs; and generating and sending, to the first NF, an NF registration response message including the at least one pseudo NF instance ID for identifying the first NF instance.

Abstract: A method for automatically managing a platform firewall using a network function (NF) repository function (NRF) or service communications proxy (SCP) includes receiving message relating to registering, updating or deregistering an NF profile in an NF profiles database separate from a platform firewall. The method further includes determining that the registering, updating, or deregistering of the NF profile requires a change to a firewall rules configuration of the platform firewall. The method further includes, in response to determining that the registering, updating, or deregistering of the NF profile requires a change to the firewall rules configuration of the platform firewall, automatically updating, by the NRF or SCP, the firewall rules configuration of the platform firewall.

Abstract: A method for mitigating network function (NF) update and deregister attacks includes, at an NF repository function (NRF) implemented by at least one processor, receiving, from an NF, an NFRegister request including a hash of a first authentication string, an NF instance identifier, and an NF profile. The method further includes storing the hash of the first authentication string. The method further includes registering the NF by storing the NF profile in an NF profile database. The method further includes receiving a first NFUpdate or NFDeregister request including the NF instance identifier. The method further includes using the stored hash of the first authentication string to validate or reject the first NFUpdate or NFDeregister request.

Abstract: A method for distributing network function (NF) high availability (HA) topology information in a core network includes, at an NF repository function (NRF) including at least one processor, receiving, from a plurality of producer NFs in an NF set, NFRegister requests including NF HA topology information for the producer NFs. The method further includes registering the producer NFs and storing the NF HA topology information for the producer NFs. The method further includes receiving, from a consumer NF or service communication proxy (SCP), an NFDiscover request containing at least one service discovery parameter that corresponds to a service provided by the producer NFs. The method further includes responding to the NFDiscover request by generating an NFDiscover response, including, in the NFDiscover response, the NF HA topology information for the producer NFs, and transmitting the NFDiscover response to the consumer NF or SCP.

Abstract: A method for routing messages relating to existing NF subscriptions includes receiving, at a first NRF, a request from a consumer NF instance creating a first NF subscription, determining that the first NRF does not have the requested NF profile, and forwarding the request to a second NRF. The method further includes receiving a response from the second NRF indicating that the second NRF has created the first NF subscription, modifying the response so that subsequent messages associated with the first subscription will be sent to the first NRF, and forwarding the response to the consumer NF instance. The method further includes receiving, by the first NRF, a message from the consumer NF instance relating to the first subscription, determining, that the second NRF is unavailable, and forwarding the message relating to the first subscription to a third NRF that functions as a mate of the second NRF.

Abstract: A method for delegated authorization at a service communications proxy (SCP) includes intercepting, from a consumer network function (NF) that does not support access token based authorization, a service based interface (SBI) request. The method further includes operating as an access token authorization client to obtain a first access token on behalf of the consumer NF. The method further includes using the first access token to enable the consumer NF to access the service provided by a first producer NF that requires access-token-based authorization.

Abstract: A method for delegated authorization at a security edge protection proxy (SEPP) includes intercepting, from a consumer network function (NF) that does not support access token based authorization, a service based interface (SBI) service request for accessing a service provided by a producer NF that requires access token based authorization. The method further includes operating as an access token authorization client to obtain a first access token on behalf of the consumer NF. The method further includes using the first access token to enable the consumer NF to access the service provided by the first producer NF. The SEPP may also operate as an access token authorization server on behalf of an NRF that does not support access-token-based authorization.

Abstract: A method for providing for reliable service based interface (SBI) message transport using zero event notifications includes, at a consumer NF, sending an SBI message to a producer NF indicating an intent to use zero event notification messaging. The method further includes, at the producer NF, receiving the SBI message indicating the intent to use zero event notification messaging, and, transmitting a zero event notification request message to the consumer NF using a callback URI from the SBI message to confirm the callback URI and connectivity from the producer NF to the consumer NF. The method further includes, at the consumer NF, receiving the zero event notification request message and, in response, sending a zero event notification response message to the producer NF. The method further includes, at the producer NF, receiving the zero event notification response message, and, in response, continuing SBI subscription messaging with the consumer NF.

Abstract: A method for resource object level authorization at a network function (NF) includes maintaining, by a first NF, a service based interface (SBI) resource object access authorization policy database containing policies for controlling access to SBI resource objects and dynamically populating a resource object owner database containing records for resource objects and corresponding resource object owners. The method further includes receiving, by the first NF and from a second NF, a first SBI resource object access request for accessing a resource object, accessing, using information from the first SBI resource object access request, the resource object access authorization policy database and the resource object owner database, determining that an access to the resource object requested by the first resource object access request is not permitted, and preventing the access to the resource object requested by the first resource object access request.