Abstract: Methods and systems for group re-authentication of devices in a wireless telecommunication network are provided. According to one aspect, a method of operation of a base station in a wireless telecommunication network comprises receiving a group authentication request message from a mobility management entity, the group authentication request message comprising a group identifier; identifying at least one user equipment as belonging to a group identified by the group identifier; sending an individual authentication request message to each identified UE; receiving an authentication response from at least one of the identified UE; aggregating the received at least one authentication response to create a group authentication response message; and sending the group authentication response message to the mobility management entity.

Abstract: Systems and methods are disclosed herein that relate to secure monitoring or interception of traffic in a wireless communications system. In some embodiments, a method of operation of a network node comprises receiving a list of one or more obfuscated target identifiers from a monitoring node, where each obfuscated target identifier is a user identifier of a target user that is encrypted using a first encryption key that is unknown to the network node. The method further comprises receiving an encrypted packet from another network node and determining whether an encrypted user identifier of the encrypted packet matches one of the obfuscated target identifiers. The method further comprises, if the encrypted user identifier matches one of the obfuscated target identifiers, further encrypting the encrypted packet using a second encryption key negotiated between the network node and the monitoring node and transmitting the further encrypted packet to the monitoring node.

Abstract: Methods, systems, and computer program products for security context escrowing are provided herein. According to one aspect, a method of operation of a network node for a telecommunications network comprises storing security context information associated with a small data, fast path connection between a wireless device and a first gateway that is serving the wireless device, determining a change in the gateway that is serving the wireless device from the first gateway to a second gateway, and, in response to determining the change, providing the stored security context information to the second gateway for use with the wireless device.

Abstract: Systems and methods relating to an efficient communication system to, e.g., support Massive Machine Type Communication (M-MTC) devices are disclosed. In some embodiments, a base station in a cellular communications network comprises, during initial attachment of a wireless device, establishing a Data Radio Bearer (DRB) between the base station and the wireless device, updating a context of the wireless device to include information regarding the DRB established between the base station and the wireless device to thereby provide a mapping between the DRB and a cellular network identifier of the wireless device. The method further comprises, during initial attachment of the wireless device, providing, to the wireless device, at least a portion of an Internet Protocol (IP) address assigned to the wireless device and updating the context of the wireless device to include the at least a portion of the IP address of the wireless device.

Abstract: Systems and methods are disclosed herein that relate to secure monitoring or interception of traffic in a wireless communications system. In some embodiments, a method of operation of a network node comprises receiving a list of one or more obfuscated target identifiers from a monitoring node, where each obfuscated target identifier is a user identifier of a target user that is encrypted using a first encryption key that is unknown to the network node. The method further comprises receiving an encrypted packet from another network node and determining whether an encrypted user identifier of the encrypted packet matches one of the obfuscated target identifiers. The method further comprises, if the encrypted user identifier matches one of the obfuscated target identifiers, further encrypting the encrypted packet using a second encryption key negotiated between the network node and the monitoring node and transmitting the further encrypted packet to the monitoring node.

Abstract: In one aspect of the teachings herein, a controlling gateway and an associated radio access point are configured for operation in a radio access network and use a radio protocol stack that is split on the network side between the gateway and the access point, for conveying radio bearer traffic going between the radio access network and a wireless device. According to methods and apparatuses disclosed, the radio protocol entities affected by the stack split communicate using Internet Protocol, IP, sessions. Advantageously, the radio bearer traffic conveyed over the split stack maps to different IP sessions in dependence on any one or more of network capabilities, various isolation or privacy requirements associated with the device and/or traffic, the types of data being conveyed, the types of radio bearers involved, and the involved Radio Link Control, RLC, operating modes.

Abstract: In one aspect of the teachings herein, a controlling gateway and an associated radio access point are configured for operation in a radio access network and use a radio protocol stack that is split on the network side between the gateway and the access point, for conveying radio bearer traffic going between the radio access network and a wireless device. According to methods and apparatuses disclosed, the radio protocol entities affected by the stack split communicate using Internet Protocol, IP, sessions. Advantageously, the radio bearer traffic conveyed over the split stack maps to different IP sessions in dependence on any one or more of network capabilities, various isolation or privacy requirements associated with the device and/or traffic, the types of data being conveyed, the types of radio bearers involved, and the involved Radio Link Control, RLC, operating modes.

Abstract: Systems and methods relating to scheduling Paging Occasions (POs) are disclosed. Embodiments of a method of operation of a network node are disclosed. In some embodiments, the method of operation of a network nodes comprises assigning POs to a plurality of User Equipments (UEs) in accordance with one or more anti-affinity groups such that, for a defined time interval, POs within the defined time interval are assigned to UEs in a same anti-affinity group. The method further comprises notifying the plurality of UEs of the POs assigned to the UEs. In this manner, the expected maximum number of pages within the defined time interval is substantially reduced.

Abstract: Methods and systems for group re-authentication of devices in a wireless telecommunication network are provided. According to one aspect, a method of operation of a base station in a wireless telecommunication network comprises receiving a group authentication request message from a mobility management entity, the group authentication request message comprising a group identifier; identifying at least one user equipment as belonging to a group identified by the group identifier; sending an individual authentication request message to each identified UE; receiving an authentication response from at least one of the identified UE; aggregating the received at least one authentication response to create a group authentication response message; and sending the group authentication response message to the mobility management entity.

Abstract: Systems and methods relating to scheduling Paging Occasions (POs) are disclosed. Embodiments of a method of operation of a network node are disclosed. In some embodiments, the method of operation of a network nodes comprises assigning POs to a plurality of User Equipments (UEs) in accordance with one or more anti-affinity groups such that, for a defined time interval, POs within the defined time interval are assigned to UEs in a same anti-affinity group. The method further comprises notifying the plurality of UEs of the POs assigned to the UEs. In this manner, the expected maximum number of pages within the defined time interval is substantially reduced.

Abstract: Methods, systems, and computer program products for security context escrowing are provided herein. According to one aspect, a method of operation of a network node for a telecommunications network comprises storing security context information associated with a small data, fast path connection between a wireless device and a first gateway that is serving the wireless device, determining a change in the gateway that is serving the wireless device from the first gateway to a second gateway, and, in response to determining the change, providing the stored security context information to the second gateway for use with the wireless device.

Abstract: In one aspect of the teachings herein, a controlling gateway and an associated radio access point are configured for operation in a radio access network and use a radio protocol stack that is split on the network side between the gateway and the access point, for conveying radio bearer traffic going between the radio access network and a wireless device. According to methods and apparatuses disclosed, the radio protocol entities affected by the stack split communicate using Internet Protocol, IP, sessions. Advantageously, the radio bearer traffic conveyed over the split stack maps to different IP sessions in dependence on any one or more of network capabilities, various isolation or privacy requirements associated with the device and/or traffic, the types of data being conveyed, the types of radio bearers involved, and the involved Radio Link Control, RLC, operating modes.

Abstract: Systems and methods relating to an efficient communication system to, e.g., support Massive Machine Type Communication (M-MTC) devices are disclosed. In some embodiments, a base station in a cellular communications network comprises, during initial attachment of a wireless device, establishing a Data Radio Bearer (DRB) between the base station and the wireless device, updating a context of the wireless device to include information regarding the DRB established between the base station and the wireless device to thereby provide a mapping between the DRB and a cellular network identifier of the wireless device. The method further comprises, during initial attachment of the wireless device, providing, to the wireless device, at least a portion of an Internet Protocol (IP) address assigned to the wireless device and updating the context of the wireless device to include the at least a portion of the IP address of the wireless device.

Abstract: In one aspect of the teachings herein, a controlling gateway and an associated radio access point are configured for operation in a radio access network and use a radio protocol stack that is split on the network side between the gateway and the access point, for conveying radio bearer traffic going between the radio access network and a wireless device. According to methods and apparatuses disclosed, the radio protocol entities affected by the stack split communicate using Internet Protocol, IP, sessions. Advantageously, the radio bearer traffic conveyed over the split stack maps to different IP sessions in dependence on any one or more of network capabilities, various isolation or privacy requirements associated with the device and/or traffic, the types of data being conveyed, the types of radio bearers involved, and the involved Radio Link Control, RLC, operating modes.

Abstract: In one aspect of the teachings herein, a radio node provides a local loopback mode of operation in at least some operational instances, in which it loops “local” traffic between wireless devices operating within a local radio cell or cells, rather than forwarding such traffic along to a controlling gateway for handling. The wireless devices operating within the cell(s) and involved in the loopback operation switch over from symmetric encryption that involves the controlling gateway as a secure endpoint for their traffic, to asymmetric or public-private key pair encryption. The radio node uses a correspondingly derived loopback encryption key to enable security on the loopback traffic flow between the involved local devices. Use of the loopback encryption key means that the radio node need not know or otherwise have access to the symmetric encryption keys used by the involved devices and the controlling gateway for “normal” non-loopback operation.

Abstract: In one aspect of the teachings herein, a controlling gateway and an associated radio access point are configured for operation in a radio access network and use a radio protocol stack that is split on the network side between the gateway and the access point, for conveying radio bearer traffic going between the radio access network and a wireless device. According to methods and apparatuses disclosed, the radio protocol entities affected by the stack split communicate using Internet Protocol, IP, sessions. Advantageously, the radio bearer traffic conveyed over the split stack maps to different IP sessions in dependence on any one or more of network capabilities, various isolation or privacy requirements associated with the device and/or traffic, the types of data being conveyed, the types of radio bearers involved, and the involved Radio Link Control, RLC, operating modes.

Abstract: In one aspect of the teachings herein, a radio node provides a local loopback mode of operation in at least some operational instances, in which it loops “local” traffic between wireless devices operating within a local radio cell or cells, rather than forwarding such traffic along to a controlling gateway for handling. The wireless devices operating within the cell(s) and involved in the loopback operation switch over from symmetric encryption that involves the controlling gateway as a secure endpoint for their traffic, to asymmetric or public-private key pair encryption. The radio node uses a correspondingly derived loopback encryption key to enable security on the loopback traffic flow between the involved local devices. Use of the loopback encryption key means that the radio node need not know or otherwise have access to the symmetric encryption keys used by the involved devices and the controlling gateway for “normal” non-loopback operation.

Abstract: A system and method for steering traffic through a set of services is provided. A service path or service chain is assigned to a received packet based on a classification of the packet and correlation of the packet with a traffic flow. A new service chain identifier can be created if no such correlation exists. A next service type and a particular instance of the next service type can be determined in accordance with the service chain identifier. A next destination for the traffic can be set in accordance with the instance of the next service.

Abstract: A system and method for steering traffic through a set of services is provided. A service path or service chain is assigned to a received packet based on a classification of the packet and correlation of the packet with a traffic flow. A new service chain identifier can be created if no such correlation exists. A next service type and a particular instance of the next service type can be determined in accordance with the service chain identifier. A next destination for the traffic can be set in accordance with the instance of the next service.

Abstract: A method for redirecting a traffic flow in a communication network, in which a first or default service path has been configured for the traffic flow to go through is disclosed. The method comprises: receiving a notification message from a network node, the notification message including a traffic characteristic information of a packet of the traffic flow; creating a set of rules based on the received traffic characteristic information; and sending the set of rules to a plurality of switches in the communication network, the set of rules configuring a second or alternative service path to be used by subsequent packets of this traffic flow. Also, a network node for carrying out this method is provided.