Abstract: An aspect provides a method by user plane function (UPF) in a core network (CN) of a communication network for registering the UPF at a network repository function (NRF) of the CN. The UPF is to selectively route uplink data traffic in one or more data sessions from a user equipment (UE) to one of a plurality of session anchor network functions (NFs). The method by the UPF comprises sending (1701) a registration request to the NRF. The registration request comprises registration information comprising an indication of a type of filter supported by the UPF to selectively route uplink data traffic from a UE to a particular session anchor NF. The type of filter relates to an application identity; and an indication of a value for the indicated type of filter.

Abstract: A network operator node (17) is provided. The network operator node (17) includes processing circuitry (42) configured to receive data traffic that is encrypted using one of an uplink and downlink public cryptographic key, decrypt the data traffic using one of an uplink and downlink private cryptographic key, apply at least a first traffic management action to the decrypted data traffic, after applying at least the first traffic management action, encrypt the data traffic using one of an application server, AS, public cryptographic key and an application client, AC, public cryptographic key where the AS public cryptographic key is associated with an AS private cryptographic key that remains unshared with the network operator node (17), and the AC public cryptographic key is associated with an AC private cryptographic key that remains unshared with the network operator node (17).

Abstract: Methods, apparatus and systems performed and configured to operate in a wireless communication network are presented. In example implementations, a request to register or update a Network Function, NF, profile of an NF in a Network Repository Function, NRF, is sent from the NF to the NRF. The NF profile signaled via the request comprises one or more parameters relating to one or more of a hardware characteristic of hardware comprised in the wireless communication network, a latency characteristic of the wireless communication network, and a throughput characteristic of the wireless communication network. An acknowledgement of the request may be sent from the NRF to the NF.

Abstract: A User Plane Function, UPF (35), sends a load report to a Session Management Function, SMF (45). Responsive to receiving the load report from the UPF (35), the SMF (45) installs a load reduction policy rule in the UPF (35). The load reduction policy rule comprises a criterion for identifying one or more users subject to the load reduction policy rule. The UPF (35) selectively applies the load reduction policy rule to user plane traffic of the one or more users based on the criterion.

Abstract: The invention relates to a method for operating an application server providing a service to a multipath enabled mobile entity connected to the application server with a first bearer of a first access network of a first mobile communications network, wherein the application server is external to the mobile communications network, whereas the method comprises the steps of receiving an indication that the mobile entity has an option to use another bearer not belonging to the first mobile communications network for accessing the application server, and of transmitting a request message towards a policy control entity of the first mobile communications network requesting the policy control entity to disconnect the first bearer.

Abstract: Method for operating a policy control entity (260) in a wireless communications network (200). In the wireless communications network (200) a multipath transmission with at least two data packet sessions can be provided between a content provider (300) and a user equipment (100), where a first data packet session of the at least two data packet sessions is transmitted through the wireless communications network (200) over a cellular access node (210) and a second data packet sessions of the at least two data packet sessions is transmitted through the wireless communications network (200) over a non-cellular access node (220). The method comprises the following steps. First an establishment request is received (SS) from a network exposure entity (270) to set up the multipath transmission.

Abstract: A communication network (10) tracking usage information for each of two or more components of traffic associated with the same application identifier provides a basis for differentiating charging with respect to the two or more components. For example, traffic carried by a communication network (10) for a social media application running on a User Equipment (UE) (12) may be identified by a corresponding application identifier. However, the so-identified traffic may include multiple components, such as traffic providing the social-media service(s) and traffic constituting advertising or other ancillary or supplementary content. Tracking and reporting the network usage associated with respective components, i.e., at a granularity finer than that provided by the overall application or traffic flow identifier, provides an advantageous basis for differentiated charging as between the respective components.

Abstract: There is provided a computer-implemented method for enabling an Application Function (AF) to request User Plane capabilities of a Mobile Network Operator (MNO). The method comprises requesting, by the AF from a Network Exposure Function (NEF), one or more UP capability groups for a first application identifier (App-ID) and/or one or more UP capabilities for the first App-ID, providing, from the NEF to a network entity, information associated with the one or more UP capability groups for the first App-ID and/or one or more UP capabilities for the first App-ID, storing, at the network entity, the one or more UP capability groups for the first App-ID and/or one or more UP capabilities for the first App-ID; and providing an indication from the NEF to the AF to indicate that the request has been accepted.

Abstract: A computer-implemented method, performed by a first node (111). The method is for handling encrypted traffic in a communications system (100). The first node (111) receives (304), from a second node (112) one or more keys to enable decryption by a third node (113) of traffic. The traffic is routed between two or more endpoints (130, 120) and is encrypted between the endpoints (130, 120) The first node (111) also receives (304) the one or more indications. The one or more indications indicate a respective protocol to be used with the one or more keys to enable decryption of the traffic. The first node (111) also initiates (305) sending the one or more keys and the one or more indications to the third node (113), thereby enabling decryption of the traffic. The first node (111) and the third node (113) are different from any of the two or more endpoints (130, 120).

Abstract: The use of multipath enabled mobile entities accessing a service outside the network in a multipath connection. The invention relates to a method for operating an application server (100) providing a service to a multipath enabled mobile entity (10) connected to the application server with a first bearer of a first access network of a first mobile communications network, wherein the application server is external to the mobile communications network, whereas the method comprises the steps of receiving an indication that the mobile entity (10) has an option to use another bearer not belonging to the first mobile communications network for accessing the application server, and of transmitting a request message towards a policy control entity (50) of the first mobile communications network requesting the policy control entity to disconnect the first bearer.

Abstract: The invention relates to various methods, entities, systems and computer programs for allowing a wireless communications network to implement content filtering even when a protocol used for packet data flow through the wireless communications network requires encryption of a domain name. One method relates in particular to a method for operating a policy control entity (240) in a wireless communications network (200), in which a data packet flow is provided for exchanging data packets between a user equipment (100) and a content provider (400), the data packet flow encrypting a domain name of the content provider (400). The method comprises a step of receiving (S6, S31) a user policy profile from a data repository (250), the user policy profile comprising a content filtering policy for filtering the data packets.

Abstract: A technique of configuring a core network domain of a wireless communication network for detection of service traffic that is to be trustfully handled in accordance with traffic handling information stored in a blockchain is provided. A method implementation of this technique comprises receiving, from a service provider, traffic detection information for service traffic that is to be handled in accordance with the traffic handling information. The method further comprises triggering an association, in the blockchain, of the received traffic detection information with the traffic handling information, and providing the traffic detection information to the core network domain for detecting the service traffic that is to be handled in accordance with the traffic handling information.

Abstract: Embodiments described herein relate to methods and apparatuses for the provision of an address resolver function. An application client is connected to a core network via a wireless device, wherein the application client is unaware of a session binding internet protocol, IP, address associated with a PDU session established between the wireless device and an anchor point to a data network. A method in the application client comprises transmitting an address request to an address resolver function, wherein the address resolver function is connected between the wireless device and a Network Address Translation, NAT, function; receiving an indication of the session binding IP address from the address resolver function; and transmitting an augmented service request to an application function, wherein the augmented service request comprises the session binding IP address.

Abstract: A method for operating a user plane entity configured to handle a user plane of data packet sessions exchanged in a cellular network, each data packet session comprising data packet flows of a plurality of applications, the data packet flows of each application being identified by an application identifier, the method includes: determining that a tracking of data packet flows identified by an application identifier should be stopped, determining one or more application detection filters configured to detect data packet flows identified by the application identifier, removing the one or more application detection filters and the application identifier from the user plane entity, and requesting a session control entity configured to control the data packet sessions to remove packet detection rules usable to detect the data packet flows identified by the application identifier, wherein the request includes the application identifier.

Abstract: A technique for enabling exposure of information related to encrypted communication between a User Equipment, UE, and an application server in a mobile communication system is disclosed. A method implementation of the technique is performed by the UE and comprises establishing (S302) a communication channel with a network node of the mobile communication system, the communication channel being established as part of an application layer communication channel between the UE and the application server, wherein the network node acts as application layer proxy in the communication between the UE and the application server, and sending (S304) encrypted traffic through the communication channel to the network node for further delivery to the application server, wherein the communication channel is used to exchange supplemental information related to the encrypted traffic between the UE and the network node.

Abstract: The embodiments herein relate to a method performed by a UPF (303) for handling pre-configured profiles for sets of detection and enforcement rules. The UPF (303) comprises one or more pre-configured profiles applicable to any user session. Each pre-configured profile comprises a set of detection and enforcement rules. Each pre-configured profile comprises a profile ID and the set of detection or enforcement rules. The UPF (303) receives, from a CPF (301) a first request for session establishment comprising at least one indication for profile activation. The at least one indication profile activation comprises the profile ID of the pre-configured profile to be activated. The UPF (303) establishes the session indicated in the first request. For the established session, the UPF (303) activates the at least one pre-configured profile identified by the profile ID by instantiating the set of detection and enforcement rules for the pre-configured profile.

Abstract: A method, performed by a first node (111), for handling usage of a Domain Name Service (DNS) server (121) in a communications network (100). The first node (111) obtains (301) one or more first indications. The one or more first indications indicate one or more rules on how a device (140) is to select, based on one or more criteria, a DNS server (121), out of one or more DNS servers (120) for use by the device (140) for an application. The one or more first indications comprise an explicit indication of one of: a) which applications the one or more rules apply to, and b) that the one or more rules apply to all applications. The first node (111) sends (305) a second indication to one of: another node (113) and the device (140). The second indication indicates the obtained one or more first indications.

Abstract: A first network node operating in a first communications network can receive a first message from a second network node operating in a second communications network. The first network node can further, responsive to receiving the first message, determine that the second network node is associated with a network operator that has a service-level agreement, SLA, with a content operator associated with the first network node. The first network node can further transmit a second message to the second network node, the second message including information based on the second node being associated with the network operator that has the SLA with the content operator. The information being associated with whether a subsequent message from a communication device associated with the second network node is to be transmitted to an origin server with an unencrypted server name indication, SNI.

Abstract: A method of and a Session Management Function, SMF, for provisioning processing rules for user traffic at a User Plane Function, UPF, in a core network of a telecommunication network are disclosed. The core network comprises an Access and Mobility Management Function, AMF and a Policy Control Function, PCF. The SMF first transmits to the PCF a request for obtaining processing rules for user traffic; the SMF then receives from the PCF processing rules enabling at least one of a Uniform Resource Identifier, URI, level processing policy and a Server Name Indication, SNI, level processing policy for the user traffic and provision the received processing rules with the UPF. The UPF can then process user traffic based on the provisioned processing rules, differentiating the user traffic at the more detailed URI and/or SNI level.

Abstract: Various embodiments of the present disclosure provide a method for traffic detection. The method which may be performed by a first network node includes receiving a message from a second network node. The method further includes determining packet flow description information for traffic detection according to the message. The packet flow description information may indicate a combination criterion for two or more packet flow descriptions, and/or a protocol matching criterion for a domain name in a packet flow description. According to the embodiments of the present disclosure, the packet flow description definition can be extended to support more accurate traffic detection.