Abstract: According to an example aspect of the present invention, there is provided a method comprising receiving, by a network repository function, a request from a network function, wherein the request comprises a string associated with an instance identity of the network function, determining, by the network repository function, a type of the instance identity of the network function from a set of instance identity types, determining, by the network repository function, the instance identity of the network function based on the string associated with the instance identity of the network function and the type of the instance identity of the network function and transmitting, by the network repository function, a response to the network function, wherein the response depends on whether the instance identity of the network function was found in a list of network function instances registered at the network repository function.

Abstract: According to an aspect, there is provided a terminal device comprising means for performing the following. The terminal device transmits a tethering request for setting up a tethering cell over at least one communications network to at least one tethering terminal device capable of setting up a tethering cell. Then, the terminal device performs tethering cell discovery for discovering tethering cells set up by any of said at least one tethering terminal device. In response to discovering a tethering cell provided by a tethering terminal device of said at least one tethering terminal device, the terminal device accesses the tethering cell.

Abstract: Systems, methods, apparatuses, and computer program products for securing user plane (e.g., MB2-U) interface between a group communication service application server (GCS AS) and Broadcast Multicast Service Center (BM-SC) are provided. One method may include transmitting a message via a control plane, to an application server, indicating whether to establish a security association on a user plane in an interface between the GCS AS and the BM-SC. The method may also include providing, to the GCS AS, a target internet protocol (IP) address and possible port as a target for the security association.

Abstract: User equipment is registered with a visited public land mobile network, VPLMN, in a process including: producing at the user equipment a concealed identifier; producing at the user equipment a freshness code; and sending by the user equipment to the VPLMN the concealed identifier and the freshness code; receiving by the user equipment an identity request from the VPLMN indicating that the long-term identifier must be transmitted to the VPLMN in a non-concealed form; receiving by the user equipment from the VPLMN a permission authenticator; and verifying at the user equipment if the permission authenticator has been formed with a cryptographic authentication of the home public land mobile network, HPLMN, and the user equipment or a subscription module at the user equipment indicating permission to transmit the long-term identifier to the VPLMN in the non-concealed form and if yes, transmitting the long-term identifier to the VPLMN in the non-concealed form.

Abstract: A method, apparatus and computer program product may be provided for signaling-based remote provisioning and updating of protection policy information in a SEPP of a visited network. A method may include obtaining, at a home network node (hSEPP), protection policy information from a local repository in a home network or via configuration. The hSEPP is a network node at a boundary of the home netowork, and the home network is a public land mobile network (hPLMN). The method includes distributing, via a signaling interface, the protection policy information to a visited network node (vSEPP) within a visited network (vPLMN). The vSEPP is a network node at a boundary of a second network. The protection policy information includes information regarding protection of signaling messages addressed for network functions (NFs) hosted in the hPLMN and is configured for enabling the vSEPP to selectively protect outgoing messages to hSEPP in the home network.

Abstract: Techniques for automated management of a service level agreement between a first communication network and a second communication network are provided. For example, one of the communication networks is a visited network while the other is a home network whereby the service level agreement is a roaming agreement. In one example, a message is received at a first communication network from a second communication network, wherein at least a portion of the message relates to the service level agreement between the first communication network and the second communication network. An automated verification of information in the message is performed at the first communication network to determine compliance with the service level agreement. The message receiving step is performed by a security edge protection proxy function of the first communication network and the automated verification performing step is performed by a service level agreement management function of the first communication network.

Abstract: A session management function of a 5G system receives information that a secondary authentication is to be done for a given user equipment for authorising user equipment to use a data network; and responsively to the received information, communicates with the data network and receives from the data network an indication; and allows a 5G access to the user equipment so that the user equipment can communicate with the data network according to the indication either without cryptographic protection or with cryptographic protection depending on the indication.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, one of the first and second security edge protection proxy elements initiates a mutual authentication procedure with the other of the first and second security edge protection proxy elements. The one of the first and second security edge protection proxy elements exchanges credentials with the other of the first and second security edge protection proxy elements, wherein a secure channel is established between the first and second security edge protection proxy elements upon verification of the credentials.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network, and wherein one of the first and second security edge protection proxy elements is a sending security edge protection proxy element and the other of the first and second security edge protection proxy elements is a receiving security edge protection proxy element, the receiving security edge protection proxy element receives a message from the sending security edge protection proxy element. The receiving security edge protection proxy element detects one or more error conditions associated with the received message. The receiving security edge protection proxy element determines one or more error handling actions to be taken in response to the one or more detected error conditions.

Abstract: There are provided measures for network authorization assistance. Such measures exemplarily comprise detecting a connection opportunity to a radio access network, obtaining a network identifier of said radio access network, said network identifier being indicative of trust related information with respect to said radio access network, circuitry 11 verifying correctness of said network identifier, and controlling a selection processing of selecting to connect to said radio access network or not based on said network identifier of said radio access network, if said network identifier is verified as being correct.

Abstract: A request is received at an authorization entity for access to a service producer by a service consumer. The request comprises a public key of the service consumer. The authorization entity generates an access token with the public key of the service consumer bound thereto. The authorization entity sends the access token to the service consumer. The service consumer digitally signs the access token using a private key that corresponds to the public key bound to the access token to form a digital signature. The service consumer sends the access token with the public key bound thereto and the digital signature to the service producer. The service producer validates the access token, obtains the public key from the access token, and verifies the digital signature using the obtained public key of the service consumer. The service consumer is authorized when the access token is successfully validated and the digital signature is successfully verified.

Abstract: In one example, a method initiates establishment of a secure tunnel by a security proxy element (e.g., SEPP) in a first communication network (e.g., VPLMN) with an internetwork exchange element (e.g., IPX node) which is operatively coupled between the first communication network and a second communication network (e.g., HPLMN). Upon establishment of the secure tunnel, the method sends a message from the security proxy element to the internetwork exchange element over the secure tunnel. The secure tunnel can be a VPN tunnel and can be established using TLS or IPsec. In one example, the internetwork exchange node functions as an HTTP proxy, and in another embodiment as an interception (e.g., MITM) proxy. In another example, HTTPS is used to establish a separate TLS connection for each HTTP message. In yet another example, the security proxy element is configured to select (and change as needed) the secure communication mechanism.

Abstract: Authentication in a public land mobile network, PLMN, having tenant slices is performed by a network element that has: a memory comprising program code; a communication circuitry for communication with entities in the PLMN; and a processing circuitry configured to execute the program code and according to the program code to cause: detecting a registration request from a mobile communication device, MCDt; detecting whether the registration request requests access to a network slice with one-tier authentication with the network slice, and: if yes, causing beginning of authenticating the MCDt with the network slice independently of any authentication between the MCDt and the PLMN.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises configuring at least a given one of the first and second security edge protection proxy elements to apply application layer security to one or more information elements in a received message from a network function before sending the message to the other one of the first and second security edge protection proxy elements.

Abstract: It is provided a method, comprising instructing a subscription device to indicate an applied privacy protection to a visited network; instructing the subscription device to provide a protected subscription identifier to the visited network, wherein the protected subscription identifier is based on a permanent subscription identifier protected according to the applied privacy protection.

Abstract: In given user equipment seeking access to a first communication network (e.g., 5G network), wherein the given user equipment comprises a subscriber identity module (e.g., USIM) configured for a second communication network, and wherein the second communication network is a legacy network with respect to the first communication network (e.g., legacy 4G network), a method includes: initiating an authentication procedure with at least one network entity of the first communication network and selecting an authentication method to be used during the authentication procedure; and participating in the authentication procedure with the at least one network entity using the selected authentication method and, upon successful authentication, the given user equipment obtaining a set of keys to enable the given user equipment to access the first communication network.

Abstract: At given user equipment in a communication system, a unified subscription identifier data structure is constructed. The unified subscription identifier data structure includes a plurality of fields that specify information for a selected one of two or more subscription identifier types and selectable parameters associated with the selected subscription identifier type, and wherein the information in the unified subscription identifier data structure is useable by the given user equipment to access one or more networks associated with the communication system based on an authentication scenario corresponding to the selected subscription identifier type. For example, during different authentication scenarios, the given user equipment utilizes the unified subscription identifier data structure to provide the appropriate subscription identifier (e.g., SUPI, SUCI or IMSI) and associated parameters for the given authentication scenario.

Abstract: User equipment is registered with a visited public land mobile network, VPLMN, in a process including: producing at the user equipment a concealed identifier; producing at the user equipment a freshness code; and sending by the user equipment to the VPLMN the concealed identifier and the freshness code; receiving by the user equipment an identity request from the VPLMN indicating that the long-term identifier must be transmitted to the VPLMN in a non-concealed form; receiving by the user equipment from the VPLMN a permission authenticator; and verifying at the user equipment if the permission authenticator has been formed with a cryptographic authentication of the home public land mobile network, HPLMN, and the user equipment or a subscription module at the user equipment indicating permission to transmit the long-term identifier to the VPLMN in the non-concealed form and if yes, transmitting the long-term identifier to the VPLMN in the non-concealed form.

Abstract: According to an aspect, there is provided a terminal device comprising means for performing the following. The terminal device transmits a tethering request for setting up a tethering cell over at least one communications network to at least one tethering terminal device capable of setting up a tethering cell. Then, the terminal device performs tethering cell discovery for discovering tethering cells set up by any of said at least one tethering terminal device. In response to discovering a tethering cell provided by a tethering terminal device of said at least one tethering terminal device, the terminal device accesses the tethering cell.

Abstract: In a communication system comprising a first network operatively coupled to a second network, wherein the first network comprises a first security edge protection proxy element operatively coupled to a second security edge protection proxy element of the second network; the method comprises constructing a message at a network function in the first network destined for the second network, wherein the message comprises at least one information element and an indicator, wherein the indicator is set to specify at least one security operation to be applied to the at least one information element before sending the message to the second security edge protection proxy element of the second network.