Abstract: A method and apparatus for refreshing the security keys of a subset of configured radio bearers including less than all of the currently configured radio bearers is provided. An indication is received from a network entity to release one or more radio bearers from the subset of configured radio bearers for which the refresh of security keys is desired. A new radio bearer is added for each of the one or more radio bearers being released. Each of the new radio bearers is added with new security keys.

Abstract: A method of facilitating P-CSCF restoration when a P-CSCF failure has occurred is disclosed. The method comprises a Proxy Call Session Control Function, P-CSCF receiving a Session Initiation Protocol, SIP, message when said P-CSCF has been selected as an alternative P-CSCF to a failed P-CSCF and providing, to an associated Policy and Charging Rules Function, PCRF, a message comprising an indication that P-CSCF restoration is required.

Abstract: Apparatuses, methods, and systems are disclosed for indicating a network for a remote unit. One method (600) includes transmitting (602) a first message including a first registration request from a remote unit (102). The method (600) includes receiving (604) a second message including a first indication of a network to which the remote unit (102) belongs. The second message is received in response to transmitting (602) the first message. The method (600) includes transmitting (606) a third message including a second registration request from the remote unit (102). The second registration request includes a second indication of the network to which the remote unit (102) belongs, and the second indication is based on the first indication.

Abstract: The invention provides for a method of selecting a Dedicated Core Network (DCN) based on assisting indication by mobile terminals, and including the step of configuring the RAN Nodes of the mobile network with the DCN Types of the serving EPC Nodes so that the RAN Nodes can map the DCN selection assisting information from the connecting mobile terminals with the right dedicated EPC Node. This allows for the RAN Node to connect the mobile terminals with EPC Node of the mobile terminal's dedication at initial attach and then keep the mobile terminals on the same DCN. Thus, a re-routing of mobile terminals NAS message from one EPC Node to another EPC node is avoided. The invention also allows for a flexible and dynamic change of the EPC Nodes dedication based on operator's configuration and policy. Additionally, the invention allows for DCN access restriction control by broadcasting of the supported DCN Types by the RAN Node.

Abstract: Apparatuses, methods, and systems are disclosed for indicating a network for a remote unit. One method (600) includes transmitting (602) a first message including a first registration request from a remote unit (102). The first message includes a discovery indication indicating that the remote unit (102) is attempting to discover a network configured for use by the remote unit (102). The method (600) includes receiving (604) a second message including a list of networks configured for use by the remote unit (102). The second message is received in response to transmitting (602) the first message. The method (600) includes transmitting (606) a third message including a second registration request from the remote unit (102). The second registration request includes an indication of a network selected from the list of networks configured for use by the remote unit (102).

Abstract: An object is to provide a key generation method capable of maintaining a high security level in each of sliced networks when network slicing is applied to a core network. A key generation method according to this disclosure specifies network slice identification information indicating a network slice system that provides a service to be used by a communication terminal (50) among a plurality of network slice systems included in a core network (10) and, using the network slice identification information, generates a service key to be used for security processing in the network slice system indicated by the network slice identification information.

Abstract: A method of facilitating P-CSCF restoration when a P-CSCF failure has occurred is disclosed. The method comprises a Proxy Call Session Control Function, ‘P-CSCF’ receiving a Session Initiation Protocol, ‘SIP’, message when said P-CSCF has been selected as a alternative P-CSCF to a failed P-CSCF and providing to an associated Policy and Charging Rules Function, ‘PCRF’, a message comprising to indication that P-CSCF restoration is required.

Abstract: A core network node includes a transmitter configured to transmit a control plane data back-off timer to restrict a request from a UE for data transmission via Control Plane CIoT EPS Optimization. A UE includes a receiver configured to receive a control plane data back-off timer from a core network node, and a controller configured to not initiate data transmission via Control Plane CIoT EPS Optimization while the control plane data back-off timer is running.

Abstract: Apparatuses, methods, and systems are disclosed for security mode integrity verification. One method includes transmitting a request message to one or more network devices. The method includes, in response to transmitting the request message, authenticating with the one or more network devices. The method includes, in response to successfully authenticating with the one or more network devices, receiving a security mode command message. The method includes verifying the integrity of the security mode command message. The method includes, in response to the verification of the integrity of the security mode command message indicating that a security key is invalid, performing a cell reselection procedure.

Abstract: Apparatuses, methods, and systems are disclosed for user equipment authentication. One method includes transmitting, from a user equipment, a request message to one or more network devices. The method includes, in response to transmitting the request message, attempting authentication with the one or more network devices. The method includes, in response to successfully authenticating with the one or more network devices, transmitting a message comprising first location information corresponding to the user equipment to the one or more network devices.

Abstract: Apparatuses, methods, and systems are disclosed for protecting the user identity and credentials. One apparatus includes a processor registers with a mobile communication network using a first set of credentials, the mobile communication network supporting a plurality of network slices. The processor receives a public key for a network slice where slice-specific authentication is required and encrypts a second set of credentials using the public key. Here, the second set of credentials is used for authentication with the network slice. The apparatus includes a transceiver that sends a message to the mobile communication network, the message including the encrypted second set of credentials.

Abstract: In order for making MTC more efficient and/or secure, a base station forming a communication system connects a UE to a core network. A node serves as an entering point to the core network for a service provider, and transmits traffic between the service provider and the UE. The node establishes, as a connection to the base station, a first connection for directly transceiving messages between the node and the base station. Alternatively, the node establishes a second connection for transparently transceiving the messages through a different node that is placed within the core network and has established a different secure connection to the base station.

Abstract: A purpose of the present disclosure is to provide a communication system that are capable of maintaining a high security level in each divided network in the case of applying network slicing to a core network. A communication system according to the present disclosure includes a subscriber-information management apparatus (10) configured to manage subscriber information of a communication terminal; and a security apparatus (20) configured to manage identification information of the communication terminal in association with security information used in at least one network slice system usable by the communication terminal. The subscriber-information management apparatus (10) acquires, using the identification information of the communication terminal and identification information of a network slice system used by the communication terminal, security information used in the network slice system used by the communication terminal from the security apparatus (20).

Abstract: Apparatuses, methods, and systems are disclosed for key refresh triggering. One apparatus includes a transceiver and a processor that starts a counter corresponding to a UE having a small-data traffic pattern. In response to the transceiver receiving small-data traffic associated with the UE, the processor determines if a security key is valid based on a value of the counter. If the value of the counter indicates the security key is invalid, then the processor triggers a key refresh procedure. The processor relays the small-data traffic in response to the UE having a valid security key.

Abstract: A communication apparatus for supporting a registration procedure for an inbound roamer user equipment, ‘UE’, in a visited public land mobile network, ‘VPLMN’ that includes a transceiver and a controller. The controller is configured to: control the transceiver to receive, from a communicator of the VPLMN, a request for authentication information; retrieve the authentication information from a communicator of a home public land mobile network, ‘HPLMN’; and control the transceiver to transmit the authentication information to the serving CSCF of the VPLMN for use in the registration procedure.

Abstract: In order for making MTC more efficient and/or secure, a base station forming a communication system connects a UE to a core network. A node serves as an entering point to the core network for a service provider, and transmits traffic between the service provider and the UE. The node establishes, as a connection to the base station, a first connection for directly transceiving messages between the node and the base station. Alternatively, the node establishes a second connection for transparently transceiving the messages through a different node that is placed within the core network and has established a different secure connection to the base station.

Abstract: Apparatuses, methods, and systems are disclosed for accessing a denied network resource. One apparatus includes a processor and a transceiver that receives a first message indicating that access to a network resource in a mobile communication network is denied due to authorization specific for the network resource. Here, the network resource is identified by at least one of: a network slice identifier and a data network name (“DNN”). The processor monitors for a condition to be met prior to initiating a new request for establishing an access to the denied network resource and initiates signaling towards the network to establish an access to the denied network resource in response to the condition being met.

Abstract: Apparatuses, methods, and systems are disclosed for establishing a connection with a dual registered device. One method includes receiving a first request to establish an internet protocol multimedia subsystem session with a first device, wherein the first device is dual registered to: a first network access supporting 5G core network connectivity; and a second network access supporting evolved packet core network connectivity and circuit switched network connectivity, wherein the first device has connectivity to an internet protocol multimedia subsystem via either the first network access or the second network access. The method includes determining first information corresponding to a network access connectivity selected from the first network access and the second network access through which the first device has internet protocol connectivity with the internet protocol multimedia subsystem. The method includes transmitting a second request to a first network function to retrieve second information.

Abstract: A system is described in which a default MME (9A) receives a NAS message (S501, S505) from a mobile device (3D); sends a rerouting request (S509) to a base station (5) serving the mobile device (3D) and includes information identifying a group of dedicated MMEs (9D) to which the NAS message should be rerouted. If none of the dedicated MMEs (9D) is available, then the default MME (9A) receives a message from the base station (5), the message rerouting the NAS message to the default MME (9A), instead of a dedicated MME (9D). The default MME (9A) either proceeds (S515a) to serving the mobile device (3D) or the default MME (9A) rejects (S515b) the NAS message.

Abstract: A method of facilitating P-CSCF restoration when a P-CSCF failure has occurred is disclosed. The method comprises a Proxy Call Session Control Function, ‘P-CSCF’ receiving a Session Initiation Protocol, ‘SIP’, message when said P-CSCF has been selected as an alternative P-CSCF to a failed P-CSCF and providing, to an associated Policy and Charging Rules Function, ‘PCRF’, a message comprising an indication that P-CSCF restoration is required.