Abstract: Apparatuses, methods, and systems are disclosed for supporting remote unit reauthentication. One apparatus includes a network interface that receives a first authentication message for reauthenticating a remote unit and a processor that verifies a first domain-name. The first domain-name identifies a key management domain name and an associated gateway function holding a reauthentication security context. Here, the first authentication message includes a NAI containing a first username and the first domain-name. The processor validates the first authentication message using at least the first username and generates a second authentication message in response to successfully validating the first authentication message. Via the network interface, the processor responds to the first authentication message by sending the second authentication message.

Abstract: Apparatuses, methods, and systems are disclosed for voice session handover. One method (800) includes receiving (802) a handover message including first information indicating a voice handover request to handover a voice session from a first network to a second network. The method (800) includes determining (804) a first network function configured to facilitate communication with the second network. The method (800) includes transmitting (806) a relocation request message to the first network function, wherein the relocation request message includes second information related to the voice handover request. The method (800) includes receiving (808) a relocation response message from the first network function, wherein the relocation response message indicates completion of a voice handover. The method (800) includes transmitting (810) third information related to the voice handover to a third network function, wherein the third network function suspends non-guaranteed bit rate data flows.

Abstract: Apparatuses, methods, and systems are disclosed for using a pseudonym for access authentication over non-3GPP access. One apparatus includes a processor and a transceiver that communicates with a mobile communication network using a 3GPP access network and a non-3GPP access network. The processor sends a registration message to a first network function in the mobile communication network via the 3GPP access network, the first authentication message comprising a first indicator and a SUCI for the apparatus, wherein the first indicator comprises an indication that the apparatus has the capability for access authentication for non-3GPP access in an EPS. The processor receives a first identity pseudonym for the apparatus in response to the registration message comprising the first indicator and performs access authentication via a non-3GPP access network using the first identify pseudonym.

Abstract: The invention provides for a method of selecting a Dedicated Core Network (DCN) based on assisting indication by mobile terminals, and including the step of configuring the RAN Nodes of the mobile network with the DCN Types of the serving EPC Nodes so that the RAN Nodes can map the DCN selection assisting information from the connecting mobile terminals with the right dedicated EPC Node. This allows for the RAN Node to connect the mobile terminals with EPC Node of the mobile terminal's dedication at initial attach and then keep the mobile terminals on the same DCN. Thus, a re-routing of mobile terminals NAS message from one EPC Node to another EPC node is avoided. The invention also allows for a flexible and dynamic change of the EPC Nodes dedication based on operator's configuration and policy. Additionally, the invention allows for DCN access restriction control by broadcasting of the supported DCN Types by the RAN Node.

Abstract: Apparatuses, methods, and systems are disclosed for deriving a key based on an edge enabler client identifier. One method includes receiving, at a network function, a request message from an edge server function. The request message includes: an edge server identifier; and an edge enabler client identifier (EEC-ID), wherein the EEC-ID includes: an unencrypted EEC-ID; or an encrypted EEC-ID. The encrypted EEC-ID is encrypted with an authentication and key management (AKMA) key (KAKMA). The method includes deriving a unique key (KAFEEC) based on the edge server identifier and the EEC-ID. The method includes transmitting a response message to the edge server function. The response message includes: the KAFEEC; and an unencrypted EEC-ID.

Abstract: Apparatuses, methods, and systems are disclosed for establishing an IP multimedia subsystem session. One method includes receiving, at a first network entity from a user device, a first session initiation protocol message comprising a session description protocol, wherein the first session initiation protocol message is used to establish an internet protocol multimedia subsystem session for an application. The method includes transmitting, from the first network entity to a second network entity, a first message comprising an internet protocol address and an identifier for the application. The method includes receiving, at the first network entity from the second network entity, a status of a radio access technology of the user device, wherein the status of the radio access technology of the user device is received by the second network entity from a third network entity.

Abstract: Apparatuses, methods, and systems are disclosed for supporting TNGF reauthentication. One apparatus includes a network interface that communicates with a remote unit (i.e., UE) and with a mobile communication network. The apparatus includes a processor that receives a first EAP message containing a NAI from the UE. Here, the NAI indicates that the UE requests to reauthenticate with a source gateway function. The processor receives a UE context of the UE and derives a first EAP challenge packet using the UE context. Via the network interface, the processor sends the first EAP challenge packet to the UE. Here, the first EAP challenge packet is used to authenticate the target TNGF with the UE.

Abstract: Apparatuses, methods, and systems are disclosed for provisioning a UE with information to access a specific service. One apparatus (500) includes a transceiver (525) that communicates with a mobile communication network and a processor (505) that sends (705) a first registration request to the mobile communication network, the mobile communication network supporting a plurality of network slices. The processor (505) receives (705) configuration information from the mobile communication network, the configuration information enabling the apparatus to us eat least one network slice from the plurality of network slices, wherein the configuration information includes a frequency priority for the at least one network slice.

Abstract: Apparatuses, methods, and systems are disclosed for supporting TNGF reauthentication. One apparatus includes a processor that establishes connectivity with a first access point in a non-3GPP access network. The processor sends a first EAP message containing a NAI. If the NAI indicates a request to reauthenticate with a gateway function in the non-3GPP access network, then the processor receives a first EAP challenge packet used to authenticate the gateway function. If the NAI indicates a request to initiate a NAS signaling procedure with a mobile communication network, then the processor receives an EAP start packet. Here, the EAP start packet triggers the processor to send a first NAS message to the mobile communication network. The processor completes an EAP session initiated by one of the first EAP challenge packet and the EAP start packet.

Abstract: Apparatuses, methods, and systems are disclosed for setting up multiple user plane (“UP”) security contexts. One apparatus includes a transceiver and a processor that derives distinct UP integrity and ciphering keys for a selected central unit user plane (“CU-UP”) node in the RAN, said derivation using a key derivation function. The processor assigns a UP Security Indicator to uniquely identify the derived distinct UP integrity and ciphering keys and the transceiver sends a setup request to the selected CU-UP node, said setup request containing the UP Security Indicator and the distinct UP integrity and ciphering keys. The transceiver receives a setup response from the selected CU-UP node and the processor activates distinct UP security at a UE.

Abstract: Apparatuses, methods, and systems are disclosed for reporting monitored parameter information. One method includes receiving an indication to monitor parameters in an idle mode. The method includes monitoring the parameters in the idle mode. The method includes transmitting a request to a first base station. The method includes, in response to not receiving a correct response from the first base station: performing a cell reselection resulting in selection of a second base station; and transmitting a failure report to the second base station. The failure report includes information corresponding to the parameters monitored in the idle mode.

Abstract: Embodiments of the present application are directed to a method and apparatus for providing onboarding and provisioning services. A method according to an embodiment of the present application may include: receiving a registration request for a user equipment (UE), wherein the register request indicates an identity of the UE, an onboarding and provisioning flag, and an onboarding and provisioning function (OPF) identity; selecting an OPF entity at least based on the OPF identity in the case of an onboarding request being supported for the UE; and transmitting the onboarding request at least indicating the identity of the UE to the selected OPF entity.

Abstract: Apparatuses, methods, and systems are disclosed for enabling roaming with authentication and key management for applications. An apparatus includes a processor that determines a serving network of a user equipment (“UE”) device, the serving network comprising a visited public land mobile network (“VPLMN”) that is different from a home PLMN (“HPLMN”) associated with the UE. The processor selects a network function within the serving network for provisioning an authentication and key management for applications (“AKMA”) security context for an application function (“AF”) based on a name for the serving network. The apparatus includes a transceiver that sends the security context to the network function.

Abstract: Apparatuses, methods, and systems are disclosed for network slice authentication. One method includes receiving a registration request message associated with a UE and determining an authentication requirement for a network slice based at least in part on the received registration request. The method includes transmitting an authentication request to a network entity based at least in part on the determined authentication requirement for the network slice and receiving an authentication response from the network entity based at least in part on the transmitted authentication request. The method includes determining, based at least in part on the received authentication response, whether to include the network slice within a set of allowed NSSAI and transmitting a registration accept message comprising the allowed NSSAI.

Abstract: Apparatuses, methods, and systems are disclosed for establishing a connection with a dual registered device. One method includes receiving a first request to establish an internet protocol multimedia subsystem session with a first device, wherein the first device is dual registered to: a first network access supporting 5G core network connectivity; and a second network access supporting evolved packet core network connectivity and circuit switched network connectivity, wherein the first device has connectivity to an internet protocol multimedia subsystem via either the first network access or the second network access. The method includes determining first information corresponding to a network access connectivity selected from the first network access and the second network access through which the first device has internet protocol connectivity with the internet protocol multimedia subsystem. The method includes transmitting a second request to a first network function to retrieve second information.

Abstract: Apparatuses, methods, and systems are disclosed for re-authentication key generation. One method (1100) includes transmitting (1102) a re-authentication key with a key set identifier in an extensible authentication protocol message. The re-authentication key is generated using: a public land mobile network identifier; a serving network name identifier; a trusted network domain name identifier; a trusted gateway function identifier; a subscription permanent identifier; a network access identifier; a user equipment identifier; a reauthentication code; a separator; a length of a parameter; or some combination thereof.

Abstract: A communication terminal (10) according to the present disclosure includes: a control unit (12) configured to, in a case of a movement from a communication area formed by the 5GS to a communication area formed by the EPS or a movement from a communication area formed by the EPS to a communication area formed by the 5GS, determine whether or not a communication system forming a communication area at a movement destination can satisfy requirements of services; and a communication unit (11) configured to, when it is determined that the communication system forming the communication area at the movement destination can satisfy the requirements of the services, send a connection request message to the communication system forming the communication area at the movement destination.

Abstract: Provided is an authentication device capable of generating a master key suited to a UE in a 5GS. The authentication device (10) includes a communication unit (11) configured to, in registration processing of user equipment (UE), acquire UE key derivation function (KDF) capabilities indicating a pseudo random function supported by the UE, a selection unit (12) configured to select a pseudo random function used for generation of a master key related to the UE by use of the UE KDF capabilities, and a key generation unit (13) configured to generate a master key related to the UE by use of the selected pseudo random function.

Abstract: Apparatuses, methods, and systems are disclosed for key refresh triggering. One apparatus includes a transceiver and a processor that starts a counter corresponding to a UE having a small-data traffic pattern. In response to the transceiver receiving small-data traffic associated with the UE, the processor determines if a security key is valid based on a value of the counter. If the value of the counter indicates the security key is invalid, then the processor triggers a key refresh procedure. The processor relays the small-data traffic in response to the UE having a valid security key.

Abstract: Apparatuses, methods, and systems are disclosed for establishing a connection with a dual registered device. One method includes receiving a first request to establish an internet protocol multimedia subsystem session with a first device, wherein the first device is dual registered to: a first network access supporting 5G core network connectivity; and a second network access supporting evolved packet core network connectivity and circuit switched network connectivity, wherein the first device has connectivity to an internet protocol multimedia subsystem via either the first network access or the second network access. The method includes determining first information corresponding to a network access connectivity selected from the first network access and the second network access through which the first device has internet protocol connectivity with the internet protocol multimedia subsystem. The method includes transmitting a second request to a first network function to retrieve second information.