Abstract: Apparatuses, methods, and systems are disclosed for user equipment authentication. One method includes transmitting, from a user equipment, a request message to one or more network devices. The method includes, in response to transmitting the request message, attempting authentication with the one or more network devices. The method includes, in response to successfully authenticating with the one or more network devices, transmitting a message comprising first location information corresponding to the user equipment to the one or more network devices.

Abstract: Apparatuses, methods, and systems are disclosed for protecting the user identity and credentials. One apparatus includes a processor registers with a mobile communication network using a first set of credentials, the mobile communication network supporting a plurality of network slices. The processor receives a public key for a network slice where slice-specific authentication is required and encrypts a second set of credentials using the public key. Here, the second set of credentials is used for authentication with the network slice. The apparatus includes a transceiver that sends a message to the mobile communication network, the message including the encrypted second set of credentials.

Abstract: In order for making MTC more efficient and/or secure, a base station forming a communication system connects a UE to a core network. A node serves as an entering point to the core network for a service provider, and transmits traffic between the service provider and the UE. The node establishes, as a connection to the base station, a first connection for directly transceiving messages between the node and the base station. Alternatively, the node establishes a second connection for transparently transceiving the messages through a different node that is placed within the core network and has established a different secure connection to the base station.

Abstract: A purpose of the present disclosure is to provide a communication system that are capable of maintaining a high security level in each divided network in the case of applying network slicing to a core network. A communication system according to the present disclosure includes a subscriber-information management apparatus (10) configured to manage subscriber information of a communication terminal; and a security apparatus (20) configured to manage identification information of the communication terminal in association with security information used in at least one network slice system usable by the communication terminal. The subscriber-information management apparatus (10) acquires, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus (20).

Abstract: Apparatuses, methods, and systems are disclosed for key refresh triggering. One apparatus includes a transceiver and a processor that starts a counter corresponding to a UE having a small-data traffic pattern. In response to the transceiver receiving small-data traffic associated with the UE, the processor determines if a security key is valid based on a value of the counter. If the value of the counter indicates the security key is invalid, then the processor triggers a key refresh procedure. The processor relays the small-data traffic in response to the UE having a valid security key.

Abstract: A communication apparatus for supporting a registration procedure for an inbound roamer user equipment, ‘UE’, in a visited public land mobile network, ‘VPLMN’ that includes a transceiver and a controller. The controller is configured to: control the transceiver to receive, from a communicator of the VPLMN, a request for authentication information; retrieve the authentication information from a communicator of a home public land mobile network, ‘HPLMN’; and control the transceiver to transmit the authentication information to the serving CSCF of the VPLMN for use in the registration procedure.

Abstract: In order for making MTC more efficient and/or secure, a base station forming a communication system connects a UE to a core network. A node serves as an entering point to the core network for a service provider, and transmits traffic between the service provider and the UE. The node establishes, as a connection to the base station, a first connection for directly transceiving messages between the node and the base station. Alternatively, the node establishes a second connection for transparently transceiving the messages through a different node that is placed within the core network and has established a different secure connection to the base station.

Abstract: Apparatuses, methods, and systems are disclosed for accessing a denied network resource. One apparatus includes a processor and a transceiver that receives a first message indicating that access to a network resource in a mobile communication network is denied due to authorization specific for the network resource. Here, the network resource is identified by at least one of: a network slice identifier and a data network name (“DNN”). The processor monitors for a condition to be met prior to initiating a new request for establishing an access to the denied network resource and initiates signaling towards the network to establish an access to the denied network resource in response to the condition being met.

Abstract: Apparatuses, methods, and systems are disclosed for establishing a connection with a dual registered device. One method includes receiving a first request to establish an internet protocol multimedia subsystem session with a first device, wherein the first device is dual registered to: a first network access supporting 5G core network connectivity; and a second network access supporting evolved packet core network connectivity and circuit switched network connectivity, wherein the first device has connectivity to an internet protocol multimedia subsystem via either the first network access or the second network access. The method includes determining first information corresponding to a network access connectivity selected from the first network access and the second network access through which the first device has internet protocol connectivity with the internet protocol multimedia subsystem. The method includes transmitting a second request to a first network function to retrieve second information.

Abstract: A system is described in which a default MME (9A) receives a NAS message (S501, S505) from a mobile device (3D); sends a rerouting request (S509) to a base station (5) serving the mobile device (3D) and includes information identifying a group of dedicated MMEs (9D) to which the NAS message should be rerouted. If none of the dedicated MMEs (9D) is available, then the default MME (9A) receives a message from the base station (5), the message rerouting the NAS message to the default MME (9A), instead of a dedicated MME (9D). The default MME (9A) either proceeds (S515a) to serving the mobile device (3D) or the default MME (9A) rejects (S515b) the NAS message.

Abstract: A method of facilitating P-CSCF restoration when a P-CSCF failure has occurred is disclosed. The method comprises a Proxy Call Session Control Function, ‘P-CSCF’ receiving a Session Initiation Protocol, ‘SIP’, message when said P-CSCF has been selected as an alternative P-CSCF to a failed P-CSCF and providing, to an associated Policy and Charging Rules Function, ‘PCRF’, a message comprising an indication that P-CSCF restoration is required.

Abstract: Apparatuses, methods, and systems are disclosed for integrity protection for a packet data unit. One method includes determining a first portion of a packet data unit, wherein the packet data unit includes the first portion and a second portion. The method includes applying an integrity protection function to the first portion of the packet data unit to result in an integrity protection indicator without applying the integrity protection function to the second portion of the packet data unit. The method includes transmitting the packet data unit with the integrity protection indicator.

Abstract: Apparatuses, methods, and systems are disclosed for network slice authentication. One apparatus includes a processor that provides an application layer and a non-access stratum (“NAS”) layer and a transceiver for communicating with a mobile communication network. The processor receives, at an application at the application layer, network slice authentication information for a subscribed service and stores the network slice authentication information at an application module. The processor associates the network slice authentication information with single network slice selection assistance information (“S-NSSAI”) and registers the application with the NAS layer, said registration pointing to the associated S-NSSAI. Additionally, the transceiver that exchanges, via the NAS layer, authentication messages with an authentication, authorization, and accounting (“AAA”) server for network slice authentication information.

Abstract: Apparatuses, methods, and systems are disclosed for selecting a transport layer protocol for SIP messaging. One apparatus includes a processor and a transceiver that receives a SIP message from a remote unit, the SIP message comprising a first request to initiate a session for an IMS MMTEL. The processor determines that the SIP message is communicated using TCP as a transport layer protocol and forwards the first request to a network entity, wherein the first request is sent using UDP as the transport layer protocol.

Abstract: Apparatuses, methods, and systems are disclosed for indicating radio capability changes in an inactive state. One method includes detecting a trigger to change radio capabilities of a UE in an inactive state; transmitting a first message comprising information indicating to change the radio capabilities of the UE, wherein the first message comprises a first access stratum message; receiving a second message, wherein the second message comprises information corresponding to an action, and the second message comprises a second access stratum message; receiving a third message comprising information requesting the radio capabilities of the UE; transmitting a fourth message comprising the radio capabilities of the UE; and receiving a fifth message comprising information for configuring a radio resource control of the UE and activating data radio bearers of the UE, wherein the fifth message is determined based on the radio capabilities of the UE.

Abstract: This disclosure provides a User Equipment (UE) (3), including a receiver (31) and a controller (34). The receiver (31) is configured to receive a control plane data back-off timer included in a Service Accept message from a network. The controller (34) is configured to consider a current data transfer via a control plane as successful based on the Service Accept message and not to initiate data transfer via Control Plane Cellular Internet of Things (CIoT) Evolved Packet System (EPS) Optimization while the control plane data back-off timer is running.

Abstract: Apparatuses, methods, and systems are disclosed for selective security protection of user plane traffic. One apparatus includes a transceiver that sends a UE security capability to a mobile communication network and receives an indication of data protection policy. The apparatus includes a processor that applies a security protection to a subset of user plane traffic with the mobile communication network according to the data protection policy. In such embodiments, a portion of the user plane traffic is communicated without the security protection.

Abstract: Embodiments of this disclosure enable the I-CSCF and S-CSCF to detect inbound roaming UEs to network supporting Service Domain Centralization in IMS, so that the S-CSCF is able to select the appropriate database entity and can understand the CS authentication vector.

Abstract: Provided is an authentication device capable of generating a master key suited to a UE in a 5GS. The authentication device (10) includes a communication unit (11) configured to, in registration processing of user equipment (UE), acquire UE key derivation function (KDF) capabilities indicating a pseudo random function supported by the UE, a selection unit (12) configured to select a pseudo random function used for generation of a master key related to the UE by use of the UE KDF capabilities, and a key generation unit (13) configured to generate a master key related to the UE by use of the selected pseudo random function.

Abstract: This invention provides a network node for IP Multimedia Subsystem (IMS) Centralized Services (ICS), comprising: a memory storing instructions; and at least one processor configured to process the instructions to: receive an Update Location Request with an IMSI (International Mobility Subscriber Identity) and an MSRN (Mobile Station Routing Number) from a MSC (Mobile Switching Centre) Server, retrieve a subscription profile and service settings from a HSS (Home Subscriber Server), map the subscription profile with service settings into a CS (Circuit-Switched) profile with CS settings, and send an Insert Subscriber Data message including the mapped CS profile and CS settings, to the MSC Server.