Abstract: A method for automatic key management of network access token public keys for 5GC authorization to mitigate security attacks includes providing, at the NRF, a network access token public key status update notification subscription interface that allows producer NFs to subscribe to receive notifications of updates in status of service access token public keys issued by the NRF. When the NRF determines that an update in status of a service access token public key is required, the NRF updates the status of the public key in its local database and notifies producer NFs that have subscribed to receive the updates. The producer NFs use the public keys to validate service requests from consumer NFs. In one variation, the NRF maintains and updates the status of service access token public keys associated with different service access levels.

Abstract: Methods, systems, and computer readable media for providing a unified interface that is configured to support communication between a user equipment (UE) and application function (AF) via a network exposure function (NEF) are disclosed. One method includes receiving, by a NEF from a session management function (SMF), a protocol data unit (PDU) session event change notification message associated with a UE, establishing, by the NEF, a data delivery path between the UE and an application function (AF) via one of a plurality of data delivery planes that traverse the NEF in response to the PDU session event change notification message and processing, by the NEF, messages communicated between the UE and the AF over any of the plurality of data delivery planes using a single unified interface supported by the NEF.

Abstract: Methods, systems, and computer readable media for ingress message rate limiting are disclosed. One method includes, at a network node, receiving a service access request message from a service consumer network function and extracting, from the received service access request message, an access token that includes a consumer network function instance identifier identifying the service consumer network function. The method further includes determining, using the consumer network function instance identifier, that an allowed ingress message rate associated with the service consumer network function has been reached or exceeded and in response to determining that the allowed ingress message rate associated with the service consumer network function has been reached or exceeded, performing a message rate limiting action.

Abstract: Methods, systems, and computer readable media for ingress message rate limiting are disclosed. One method occurs at a first network node of a first network comprises: obtaining, from a transport layer security (TLS) message from a second network node of a second network, an identifier identifying the second network node or the second network; receiving a request message from the second network node or the second network; determining, using the identifier, that an allowed ingress message rate associated with the second network node or the second network has been reached or exceeded; and in response to determining that the allowed ingress message rate associated with the second network node or the second network has been reached or exceeded, performing a rate limiting action.

Abstract: Methods, systems, and computer readable media for validating a session management function (SMF) registration request are disclosed. One method occurs at a network node. The method comprises: receiving, from a first SMF in a home network, a registration request indicating a first network identifier identifying a visited network where a user device is roaming; determining whether the registration request is valid by comparing the first network identifier and a second network identifier associated with an access and mobility management function (AMF) serving the user device; and performing at least one action based on the determining.

Abstract: Roaming spoofing attacks can be initiated during N32-c handshake procedure used for inter-PLMN communication in 5G network. One example solution described herein uses the SEPP to mitigate the N32-c roaming spoofing attacks by cross validating the sender attribute present in N32-c handshake security capability exchange messages against the endpoint identity in the X.509v3 certificate shared during TLS handshake and the remote SEPP identity configured in the SEPP's local database.

Abstract: A method for mitigating spoofing attacks on an SEPP inter-PLMN forwarding interface includes obtaining, by a responding SEPP, a first SEPP identifier and/or a first PLMN identifier from at least one message received over an inter-PLMN control interface. The method further includes storing the first SEPP identifier and/or the first PLMN identifier in an identity cross-validation database. The method further includes obtaining, from at least one message received over an inter-PLMN forwarding interface a second SEPP identifier and/or a second PLMN identifier and performing a lookup in the identity cross-validation database using a lookup key comprising at least one of the second SEPP identifier and the second PLMN identifier, determining that a record corresponding to the lookup key is not present in the identity cross-validation database, and, in response, preventing the at least one message received over the inter-PLMN forwarding interface from entering a PLMN protected by the responding SEPP.

Abstract: The subject matter described herein includes methods, systems, and computer readable media for monitoring machine type communications (MTC) device related information. One method occurring at an service capability exposure function (SCEF) node includes receiving a monitoring configuration request associated with an MTC device; sending, to a home subscriber server (HSS), a send routing information (SRI) request for requesting a serving network node associated with the MTC device; receiving, from the HSS, an SRI response indicating the serving network node associated with the MTC device; sending, to the serving network node, an insert subscriber data (ISD) request for requesting device related information; and receiving, from the serving network node, an ISD response including the device related information.

Abstract: A method for mitigating a 5G roaming attack using a security edge protection proxy (SEPP), includes receiving, at an SEPP, user equipment (UE) registration messages for outbound roaming subscribers. The method further includes creating, in a SEPP security database, UE roaming registration records derived from UE registration messages. The method further includes receiving, at the SEPP, a packet data unit (PDU) session establishment request message. The method further includes performing, using at least one parameter value extracted from the PDU session establishment request message, a lookup in the SEPP security database for a UE roaming registration record. The method further includes determining, by the SEPP and based on results of the lookup, whether to allow or reject the PDU session establishment request message.

Abstract: A method for mobile originated (MO) non-Internet protocol data delivery (NIDD) to plural application servers (ASs) includes creating an AS group NIDD context record at an exposure function node for an AS group including a plurality of ASs to receive MO NIDD communications from a same UE. The method further includes receiving, at the exposure function node, a request for creating a single packet data network (PDN) connection with the exposure function node on behalf of the UE. The method further includes updating the AS group NIDD context record to include PDN connection information for the single PDN connection. The method further includes receiving, at the exposure function node and over the single PDN connection, MO NIDD data from the UE. The method further includes distributing, from the exposure function node and using the AS group NIDD context record, the MO NIDD data to each of the plural ASs identified as members of the group in the AS group NIDD context record.

Abstract: A method for implementing indirect GTP firewall filtering includes using a signaling message routing node to dynamically populate an indirect GTP-C firewall filtering database with IMSIs and VPLMN IDs extracted from mobility management signaling messages for updating the locations of outbound roaming subscribers. The method further includes receiving a CCR-I message generated in response to a GTP-C message. The method further includes extracting an IMSI and a VPLMN ID from the CCR-I message. The method further includes accessing the indirect GTP-C firewall filtering database using the IMSI extracted from the CCR-I message. The method further includes determining that a record corresponding to the IMSI is present in the indirect GTP-C firewall filtering database. The method further includes determining that a VPLMN ID in the record does not match the VPLMN ID extracted from the CCR-I message.

Abstract: A method for distributing network function (NF) topology information among proxy nodes and for using the NF topology information for inter-proxy node message routing includes configuring a first proxy node as a leader service communications proxy (SCP). The method further includes configuring a plurality of second proxy nodes as worker proxy nodes. The method further includes registering the worker proxy nodes with the leader SCP. The method further includes subscribing, by the worker proxy nodes and with the leader SCP, to receive NF topology information from the leader SCP. The method further includes, at the leader SCP, receiving NF topology information from the worker proxy nodes and communicating the NF topology information to the worker proxy nodes subscribed to receive the NF topology information. The method further includes, at the worker proxy nodes, using the NF topology information to route messages to proxy nodes serving destination NFs.

Abstract: A method for mobile originated (MO) non-Internet protocol data delivery (NIDD) to plural application servers (ASs) includes creating an AS group NIDD context record at an exposure function node for an AS group including a plurality of ASs to receive MO NIDD communications from a same UE. The method further includes receiving, at the exposure function node, a request for creating a single packet data network (PDN) connection with the exposure function node on behalf of the UE. The method further includes updating the AS group NIDD context record to include PDN connection information for the single PDN connection. The method further includes receiving, at the exposure function node and over the single PDN connection, MO NIDD data from the UE. The method further includes distributing, from the exposure function node and using the AS group NIDD context record, the MO NIDD data to each of the plural ASs identified as members of the group in the AS group NIDD context record.

Abstract: A method for distributing network function (NF) topology information among proxy nodes and for using the NF topology information for inter-proxy node message routing includes configuring a first proxy node as a leader service communications proxy (SCP). The method further includes configuring a plurality of second proxy nodes as worker proxy nodes. The method further includes registering the worker proxy nodes with the leader SCP. The method further includes subscribing, by the worker proxy nodes and with the leader SCP, to receive NF topology information from the leader SCP. The method further includes, at the leader SCP, receiving NF topology information from the worker proxy nodes and communicating the NF topology information to the worker proxy nodes subscribed to receive the NF topology information. The method further includes, at the worker proxy nodes, using the NF topology information to route messages to proxy nodes serving destination NFs.

Abstract: A method includes receiving an ingress Diameter message related to a mobile subscriber from a MME located in a non-home network, sending a RIR message containing a mobile subscriber identifier to a HSS in a home network of the mobile subscriber, receiving identification information identifying a MME in the home network that conducted a most recent attachment of the mobile subscriber, utilizing the identification information to send an IDR message containing the mobile subscriber identifier to the identified MME, receiving an IDA message containing attachment timestamp data corresponding to the most recent attachment of the mobile subscriber in the home network, determining a transit time using the UE attachment timestamp data and timestamp information corresponding to the ingress Diameter message, and analyzing the transit time to determine if the ingress Diameter message is to be designated as a suspicious ingress message.

Abstract: A method for monitoring LWM2M IoT device state includes, in an SCEF, providing an interface for receiving subscription requests from IoT application servers or service capability servers for monitoring LWM2M IoT device state, the method further includes maintaining, in the SCEF, a database of identifiers of IoT devices that utilize LWM2M protocols, receiving, via the interface and from an SCS or AS, a first monitoring event request for subscribing to receive state information regarding an IoT device, and performing a lookup in the database using an IoT device identifier extracted from the first monitoring event request and identifying the first monitoring event request as being associated with an LWM2M IoT device. The method further includes communicating with the LWM2M IoT device using LWM2M constrained application protocol (CoAP) messaging to subscribe to and receive state information from the LWM2M IoT device and communicating the state information to the SCS or AS.

Abstract: A method for authenticating a mobility management entity (MME) for outbound roaming subscribers includes maintaining a Diameter authentication information request (AIR)/update location request (ULR) mapping database at a Diameter edge agent (DEA). A Diameter AIR message is received at the DEA. The DEA determines that the AIR message includes a visited public land mobile network identifier (VPLMN ID) not of record in the database. The DEA records the VPLMN ID in the database. A Diameter ULR message is received at the DEA, and a VPLMN ID is read from the ULR message. The DEA determines that the VPLMN ID read from the ULR message does not match the VPLMN ID recorded for the subscriber in the database. In response to determining that the VPLMN ID does not match the VPLMN ID recorded for the subscriber in the database, the DEA rejects the ULR message.

Abstract: A method for overload and flow control at a service capability exposure function (SCEF) includes providing for configuration of, in memory accessible by the SCEF, at least one of user equipment (UE), service capability server (SCS), application server (AS), and application programming interface (API) gateway specific message priority rules. The method further includes providing for configuration of, in the memory accessible by the SCEF, at least one of SCS, AS, and API gateway capacity information. The method further includes throttling message traffic at the SCEF based on the at least one of UE, SCS, AS, and API gateway specific message priority rules and the at least one of SCS, AS, and API gateway capacity information.

Abstract: A method for overload and flow control at a service capability exposure function (SCEF) includes providing for configuration of, in memory accessible by the SCEF, at least one of user equipment (UE), service capability server (SCS), application server (AS), and application programming interface (API) gateway specific message priority rules. The method further includes providing for configuration of, in the memory accessible by the SCEF, at least one of SCS, AS, and API gateway capacity information. The method further includes throttling message traffic at the SCEF based on the at least one of UE, SCS, AS, and API gateway specific message priority rules and the at least one of SCS, AS, and API gateway capacity information.

Abstract: Methods, systems, and computer readable media for sharing identification information of network nodes in an IMS network are disclosed. One method includes determining, by a packet data network gateway (PGW), policy and charging rules function (PCRF) identification information corresponding to a PCRF node designated to support an IMS-based subscriber session requested by a user equipment device and establishing, by the PGW, a subscriber Gx session with the PCRF node corresponding to the determined PCRF identification information. The method further includes determining, by the PGW, application function (AF) identification information corresponding to an AF server designated to support the IMS-based subscriber session and generating, by the PGW, a create session response message including at least the PCRF identification information and the AF identification information. The method also includes sending, by the PGW, the create session response message containing the at least the PCRF identification inform.