Abstract: There are provided measures for error message generation and processing. Such measures exemplarily comprise, at a first network entity associated with a first network roaming interconnected with a second network, receiving a message indicative of a roaming service related error, wherein said message includes first error cause information related to said roaming service related error and addressed to said first network entity, and deciding on further handling of said message based on said first error cause information.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured at least to: receive, from a service communication proxy, a request for an access token which authorizes access to a service at a network function provider, transmit an authorization token to the service communication proxy, the authorization token being specific to the request, and provide the access token to the service communication proxy responsive to determining that a cryptographic signature of a network function consumer on a signed version of the authorization token, received in the apparatus from the service communication proxy, is correct. The apparatus may work in a network serving user equipments, for example.

Abstract: An apparatus comprises means for: causing information indicating a first security protocol profile of a first security protocol from a first security node of a first network to be sent from a first security node of a first network to a second security node of a second network, wherein the first security profile has one or more of: a modification policy; a data type policy; and a cipher suite; and causing the first security node to communicate with the second security node in accordance with the first security profile.

Abstract: A request is received at an authorization entity for access to a service producer by a service consumer. The request comprises a public key of the service consumer. The authorization entity generates an access token with the public key of the service consumer bound thereto. The authorization entity sends the access token to the service consumer. The service consumer digitally signs the access token using a private key that corresponds to the public key bound to the access token to form a digital signature. The service consumer sends the access token with the public key bound thereto and the digital signature to the service producer. The service producer validates the access token, obtains the public key from the access token, and verifies the digital signature using the obtained public key of the service consumer. The service consumer is authorized when the access token is successfully validated and the digital signature is successfully verified.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising means for receiving from a requesting network function, by a network repository function, an access token request, wherein the access token request is related to a network function consumer requesting access to a service provided by a network function producer and comprises an identity of a vendor of the network function consumer requesting access to the service, means for verifying by the network repository function, based at least on the identity of the vendor of the network function consumer, that the network function consumer is allowed to access the service and means for transmitting to the requesting network function, by the network repository function, an access token upon successful verification, wherein the access token generated and signed by the network repository function comprises the identity of the vendor of the network function consumer and an identity of the vendor of the network function produc

Abstract: There is provided a method, apparatus, and computer program for causing a first network apparatus to perform: signalling, to a second network apparatus, a request for an access token for a network function consumer for authorizing the network function service consumer to access a first service from a network function service producer; receiving an access token from the second network apparatus, wherein the received access token comprises an indication of at least one second access right unassociated with accessing the first service; and causing the received access token to be provided to the network function service producer when the network function service producer is signalled a request to provide a service to the network function service consumer.

Abstract: There is provided an apparatus configured to protect security of communication in roaming scenarios between a first network and a second network, the apparatus being a first apparatus residing in the first network and comprising means for in response to a selection of transport layer security as a security capability mechanism, transmitting, to a second apparatus residing in the second network and configured to protect security of communication in roaming scenarios between the first network and the second network, a request to terminate connections over a forwarding interface between the first apparatus and the second apparatus.

Abstract: Techniques for dynamic security management in a communications network are disclosed. For example, a method comprises obtaining, at a network entity in a communication network, security information from one or more other network entities in the communication network. In response to at least a portion of the obtained security information, the method enables, by the network entity, dynamic enforcement within a user plane of the communication network of one or more security policies in accordance with one or more quality-of-service policies to manage one or more behaviors of user equipment.

Abstract: A trusted rating function in a communication network system obtains at least one verification information associated with at least one of an analytics function identifier, a service identifier and a service consumer identifier, receives, from a service consumer, rating information related to at least one rated service and consumer verification information associated with the service consumer, accepts the rating information based on a comparison between the obtained verification information and the consumer verification information, and updates a rating stored for the rated service based on the rating information.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured at least to determine whether a cryptographic signature of a token received in the apparatus from a network function consumer is valid, obtain a cryptographic signature of the apparatus of the token responsive to the cryptographic signature of the token being valid, and provide the token to a peer entity of the apparatus, wherein the cryptographic signature of the apparatus is either included into the token or provided in a header external to the token, wherein the peer entity is comprised in a second network, different from a first network where the apparatus is comprised in. The request may serve a user equipment, directly or indirectly.

Abstract: Example embodiments of the present disclosure relate to devices, methods and computer readable storage media for service provisioning to facilitate analysis of a service from a network function (NF). In example embodiments, one or more logs are received from at least one of a first NF, a network repository function (NRF) and a service communication proxy (SCP). The one or more logs are associated with a service from a second NF. Further, analysis of provision of the service from the second NF is facilitated based on the one or more logs.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising means for receiving, by a network function configured to provide centralized user consent authorization in a cellular communication system, a user consent authorization request from a logical network entity, wherein the user consent authorization request comprises an identity of at least one user equipment whose user consent is requested by the logical network entity, the logical network entity being a network function service consumer or an application function, means for retrieving user consent information concerning the at least one user equipment whose user consent is requested by the logical network entity, wherein said user consent information indicates individually whether the logical network entity is authorized to access data related to each of the at least one user equipment, means for determining, based on said user consent information, whether the logical network entity is authorized to access data r

Abstract: According to an example aspect of the present invention, there is provided a method comprising, receiving, by an intermediary network function, a subscription request from a network function consumer requesting data of a network function producer, wherein the subscription request comprises a client credential assertion of the network function consumer and an access token, authorizing and authenticating, by the intermediary network function, the network function consumer upon successful validation of the access token and the client credential assertion validation and transmitting, by the intermediary network function, an access token request to an authorization server to get another access token, wherein said another access token is to be used to validate the network function consumer to access services of the network function producer, and the access token request comprises the client credential assertion of the network function consumer requesting data of the network function producer.

Abstract: There are provided measures for optimization of network function profile administration and registration. Such measures exemplarily comprise, at a network repository function entity, receiving, from a control entity, network entity profile template information, storing said network entity profile template information, wherein said network entity profile template information comprises a network entity profile template including an identifier of said network entity profile template and a profile content of said network entity profile template, said profile content including at least one profile attribute, receiving, from a network entity, a network entity registration request comprising said identifier of said network entity profile template, and generating a network entity profile for said network entity based on said at least one profile attribute.

Abstract: Improved techniques for secure access control in communication systems are provided. In one example, in accordance with an authorization server function, a method comprises receiving a request from a service consumer in a communication system for access to a service type and one or more resources associated with the service type. The method determines whether the service consumer is authorized to access the service type and the one or more resources associated with the service type. The method generates an access token that identifies one or more service producers for the service type and the one or more resources associated with the service type that the service consumer is authorized to access, and sends the access token to the service consumer. The service consumer can then use the access token to access the one or more services and one or more resources. In addition to such resource level access authorization, target network function group access authorization can be performed.

Abstract: According to an example aspect of the present invention, there is provided a method comprising receiving, by a network repository function, a request from a network function, wherein the request comprises a string associated with an instance identity of the network function, determining, by the network repository function, a type of the instance identity of the network function from a set of instance identity types, determining, by the network repository function, the instance identity of the network function based on the string associated with the instance identity of the network function and the type of the instance identity of the network function and transmitting, by the network repository function, a response to the network function, wherein the response depends on whether the instance identity of the network function was found in a list of network function instances registered at the network repository function.

Abstract: According to one example embodiment, a method may include receiving, by a repository entity, first information on data related to a network entity. The method may further include storing, by the repository entity, second information related to the network entity based on the first information. The second information may include at least one of an identifier of the network entity and an identifier of a data acquiring entity having acquired the data.

Abstract: Improved security management techniques between user equipment and a communication system are provided. For example, techniques are provided for preventing malicious attacks via a user equipment deregistration process. In one example, a method comprises sending a deregistration request message from the given user equipment to a communication system to which the given user equipment is registered, wherein the deregistration request message is security-protected and comprises a temporary identifier assigned to the given user equipment. By not sending the deregistration request message with a subscription concealed identifier, the given user equipment prevents a malicious actor from succeeding with a deregistration attack replaying the subscription concealed identifier.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising at least one processing core, at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processing core, cause the apparatus at least to establish a user equipment context for a user equipment registered with the apparatus, the user equipment context being associated with an identity of the user equipment, determine that a plurality of network messages comprising the identity of the user equipment as sender fail a network message integrity process, and trigger, responsive to the determination, at least one of: 1) sending a paging message to the user equipment, and 2) initiating an authentication process with a sender of the network messages, and deletion the user equipment context as a response to successful completion of the authentication process.

Abstract: There is provided an apparatus configured to receive, from a first network entity associated with a first domain in a communication network, a request to communicate; determine a second network entity to which to send the request; determine that the second network entity is associated with a second domain in the communication network; and enforce at least one access policy for routing the request to the network entity, wherein the apparatus is a first service communication proxy trusted in both the first and second domains.