Patents by Inventor Daniel Migault
Daniel Migault has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 12598085
Abstract: A method, network node and non-transitory computer readable media having stored thereon instructions for correlating a remote attestation quote with a virtualized network function (VNF) resource allocation event. The method comprises obtaining a set of VNF components (VNFCs) that require remote attestation. The method comprises obtaining an attestation quote for each VNFC of the set of VNFCs, the attestation quote ensuring that instances of each VNFC are used in a legitimate context. The method comprises correlating each attestation quote with the VNF resource allocation event.
Type: Grant
Filed: November 3, 2022
Date of Patent: April 7, 2026
Assignee: Telefonaktiebolaget L M Ericsson (publ)
Inventors: Bernard Smeets, Cristina Badulescu, Daniel Migault, Stere Preda
-
Patent number: 12413597
Abstract: A method, system and apparatus are disclosed. According to one or more embodiments, a verifier is provided. The verifier includes processing circuitry configured to obtain a hash algorithm and a fully qualified domain name, FQDN, associated with a virtual network function, VNF, image, determine an identifier for the VNF image based at least on the hash algorithm and the FQDN, perform domain name system security extensions, DNSSEC, resolution of the determined identifier for the VNF image at least in part by requesting at least one attribute of the VNF image using the determined identifier for the VNF image and validating a response associated with the request, and perform validation of the VNF image in response to successful DNSSEC resolution.
Type: Grant
Filed: September 14, 2021
Date of Patent: September 9, 2025
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Daniel Migault, Stere Preda, Thomas Ingemarsson
-
Publication number: 20250258692
Abstract: Embodiments include methods for a software integrity tool of a host computing system configured with a runtime environment arranged to execute containers that include applications. Such methods include, based on an identifier of a container instantiated in the runtime environment, obtaining a container locator tag associated with the container and performing measurements on a filesystem associated with the container. Such methods include sending, to an attestation verification system (AVS), a representation of the container locator tag and a result of the measurements. Other embodiments include complementary methods for the container and for the AVS, as well as host computing systems configured to perform such methods.
Type: Application
Filed: October 28, 2022
Publication date: August 14, 2025
Inventors: Henrik Normann, Lina Pålsson, Mikael Eriksson, Bernard Smeets, Stere Preda, Daniel Migault
-
Patent number: 12363209
Abstract: A method for steering an original packet transmitted by a UE. The method includes receiving a first packet, wherein the first packet encapsulates the original packet. The method also includes extracting networking information (e.g., IP source, IP destination, tunnel identifier) from the first packet. The method also includes generating an SFC header (e.g., an NSH header), wherein the SFC header comprises: i) an SPI that identifies a service path and ii) metadata, wherein the metadata comprises the networking information extracted from the first packet. The method also includes generating a second packet comprising the SFC header and the original packet. The method also includes providing the second packet to an SFF that is configured to select a service path based on the SPI included in the SFC header of the second packet and forward the second packet based on the selected service path.
Type: Grant
Filed: April 22, 2020
Date of Patent: July 15, 2025
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Wubin Li, Amine Boukhtouta, Daniel Migault, Stere Preda
-
Publication number: 20250158815
Abstract: Embodiments include methods for a first node to manage rekeying of a security association (SA) between the first node and a second node in a communication network. Such methods include sending to the second node a request indicating a rekey priority of the first node, and receiving from the second node a response indicating a rekey priority of the second node. Such methods also include selectively initiating rekeying of the SA between the first node and the second node based on the request and the response. Other embodiments include complementary methods for the second node, as well as nodes (e.g., hosts, gateways, UEs, base stations, servers, etc.) configured to perform such methods.
Type: Application
Filed: October 12, 2021
Publication date: May 15, 2025
Inventors: Daiying Liu, Congjie Zhang, Daniel Migault
-
Patent number: 12301545
Abstract: Systems and methods for maintaining privacy of security protocol parameters are provided. A node receives an encrypted packet and determines if the Security Parameters Index (SPI) value has been updated. The node can modify its stored SPI value(s) accordingly and process the encrypted packet.
Type: Grant
Filed: January 30, 2020
Date of Patent: May 13, 2025
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Daniel Migault, Stere Preda, Amine Boukhtouta, Fereydoun Farrahi Moghaddam
-
Publication number: 20250141843
Abstract: The present disclosure provides a method (200) performed by a first communication device. The method (200) includes: receiving (210), from a second communication device, an Encapsulating Security Payload, ESP, packet that is an initial fragment; calculating (220), from the ESP packet, a Maximum Transmission Unit, MTU, in a path from the second communication device to the first communication device; and notifying (230) the second communication device of the calculated MTU.
Type: Application
Filed: February 22, 2022
Publication date: May 1, 2025
Inventors: Daiying Liu, Daniel Migault, Renwang Liu, Congjie Zhang
-
Publication number: 20250126151
Abstract: Systems and methods for Transport Layer Security (TLS) authentication based on a hash of an expected certificate are disclosed. In one embodiment, a method performed by a client application comprises obtaining one or more configuration parameters for establishing a TLS session between the client application and a trusted server application, the one or more configuration parameters. The method further comprises determining that an error has occurred based the one or more configuration parameters and, responsive to determining that the error has occurred, performing one or more actions that directly or indirectly trigger reinitialization of the one or more configuration parameters.
Type: Application
Filed: November 24, 2021
Publication date: April 17, 2025
Inventors: Daniel Migault, Miguel Angel Muñoz De La Torre Alonso
-
Publication number: 20250097027
Abstract: The present disclosure provides a method performed by a first communication device. The method includes: transmitting, to a second communication device, a first Internet Key Exchange, IKE, Authentication, IKE_AUTH, request; receiving, from the second communication device, a second IKE_AUTH request; transmitting, to the second communication device in response to the second IKE_AUTH request, a second IKE_AUTH response; and receiving, from the second communication device, a first IKE_AUTH response as a response to the first IKE_AUTH response. The first IKE_AUTH request and/or the second IKE_AUTH response contains a notification indicating a first policy supported by the first communication device for identifying duplicated IKE Security Associations, SAs, and the second IKE_AUTH request and/or the first IKE_AUTH response contains a notification indicating a second policy supported by the second communication device for identifying duplicated IKE SAs.
Type: Application
Filed: January 28, 2022
Publication date: March 20, 2025
Inventors: Daiying LIU, Daniel MIGAULT
-
Publication number: 20250039001
Abstract: A method, network node and non-transitory computer readable media having stored thereon instructions for correlating a remote attestation quote with a virtualized network function (VNF) resource allocation event. The method comprises obtaining a set of VNF components (VNFCs) that require remote attestation. The method comprises obtaining an attestation quote for each VNFC of the set of VNFCs, the attestation quote ensuring that instances of each VNFC are used in a legitimate context. The method comprises correlating each attestation quote with the VNF resource allocation event.
Type: Application
Filed: November 3, 2022
Publication date: January 30, 2025
Inventors: Bernard Smeets, Cristina Badulescu, Daniel Migault, Stere Preda
-
Patent number: 12069191
Abstract: A system, node and wireless device are provided. An intermediate node is provided that includes processing circuitry configured to: receive a packet where the packet includes metadata associated with first input data of a first node, first output data of the first node, a first PC signature and a public cryptographic key associated with the first node, verify that the first PC signature corresponds to a process that led from the first input data to the first output data using the public cryptographic key, verify a link between first node and the intermediate node by comparing the received packet and the first output data, and determine whether to perform at least one service function on the packet based at least in part on the verification of the first PC signature and the verification of the link between the first node and the intermediate node.
Type: Grant
Filed: September 13, 2019
Date of Patent: August 20, 2024
Assignee: Telefonaktiebolaget LM Ericsson (Publ)
Inventors: Fereydoun Farrahi Moghaddam, Daniel Migault, Stere Preda
-
Patent number: 12063510
Abstract: Apparatuses and methods are disclosed for enabling signalling storm mitigation in Internet Protocol (IP) Security (IPsec)-secured virtual Radio Access Network (vRAN). In one embodiment a method in a first network node includes receiving a trigger to establish an IPsec session with a second network node, the IPsec session being associated with a user equipment (UE); responsive to the trigger to establish the IPsec session associated with the UE, derive a unique identifier for the UE; generate a Security Parameter Index (SPI) value based at least in part on the unique identifier derived for the UE, the SPI value being unique to the IPsec session; and communicate an indication of the SPI value to the second network node.
Type: Grant
Filed: September 4, 2018
Date of Patent: August 13, 2024
Assignee: Telefonaktiebolaget LM Ericsson (Publ)
Inventors: Stere Preda, Amine Boukhtouta, Daniel Migault, Fereydoun Farrahi Moghaddam
-
Publication number: 20240147238
Abstract: The solutions and methods are directed to spoofing detection approaches and post-spoofing attack prevention schemes. When a first network node such as a Mobility Management Entity, MME, receives a request from an attacker, the first network node sends a modified copy of the request to a second network node such as Home Subscriber Server, HSS, for verification of the request. When the first network node receives a response from the second node and finds that the request is a spoofed request, the first network may disregard the request. This example of the spoofing detection approaches may help the second network node to avoid disruptions of services such as Denial-of-Service, DoS, attacks that could have been caused by multiple Update Location Requests, ULRs, sent by multiple User Equipment, UE, after the spoofing attempted by the attacker becomes successful.
Type: Application
Filed: March 2, 2021
Publication date: May 2, 2024
Inventors: Hyame Alameddine, Taous Madi, Amine Boukhtouta, Daniel Migault
-
Patent number: 11968295
Abstract: Methods, terminal and a data center gateway are provided for allowing efficient debugging and troubleshooting of data session encrypted with Perfect Forward Secrecy (PFS) encryption techniques such as for example the Transport Layer Security (TLS) protocol version 1.3. Embodiments of the invention allow the user terminal to authorize a data center gateway to persistently store one or more encryption keys associated with the data session for use to access the recorded data session and troubleshooting it after the session ended, when faults are detected. When a fault is detected, the user terminal provides authorization to the gateway to persistently store the data session along with one or more encryption key(s). With this, the gateway allows for the data session to be later decrypted and faults to be investigated despite the data session being encrypted with PFS techniques.
Type: Grant
Filed: April 3, 2018
Date of Patent: April 23, 2024
Assignee: Telefonaktiebolaget LM Ericsson (Publ)
Inventors: Daniel Migault, Makan Pourzandi
-
Publication number: 20230370474
Abstract: A method, system and apparatus are disclosed. According to one or more embodiments, a verifier is provided. The verifier includes processing circuitry configured to obtain a hash algorithm and a fully qualified domain name, FQDN, associated with a virtual network function, VNF, image, determine an identifier for the VNF image based at least on the hash algorithm and the FQDN, perform domain name system security extensions, DNSSEC, resolution of the determined identifier for the VNF image at least in part by requesting at least one attribute of the VNF image using the determined identifier for the VNF image and validating a response associated with the request, and perform validation of the VNF image in response to successful DNSSEC resolution.
Type: Application
Filed: September 14, 2021
Publication date: November 16, 2023
Inventors: Daniel MIGAULT, Stere PREDA, Thomas INGEMARSSON
-
Patent number: 11818100
Abstract: Methods and systems for automatic provisioning of security policies for content streaming control within a Content Delivery Network (CDN) are provided. According to one aspect, a method for automatic provisioning of security policies for content streaming control by a network node within a CDN that supports at least one streaming media protocol comprises: obtaining a manifest, the manifest being generated in response to a user requesting a streaming content from the CDN; determining a first security policy associated with the user and/or the requested streaming content in accordance with the manifest; updating a set of firewall rules for implementing security policies in accordance with the determined first security policy; and applying the updated set of firewall rules to validate requests from the user for the streaming content. The policies are dynamically configured and may be sparsely provisioned, e.g., downloaded only to the pertinent nodes and activated only when necessary.
Type: Grant
Filed: December 4, 2017
Date of Patent: November 14, 2023
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Stere Preda, Daniel Migault, Makan Pourzandi
-
Publication number: 20230179996
Abstract: Systems and methods for selective User Plane protection in a 5G virtual RAN are provided. A method performed by a gNB Central Unit (gNB-CU) for communicating with a gNB-Distributed Unit (gNB-DU) includes determining whether to selectively encrypt a PDU to be sent to the gNB-DU if the PDU is not otherwise encrypted. In response to determining to selectively encrypt, the method includes encrypting the PDU to be sent to the gNB-DU. In response to determining to not selectively encrypt, the method includes passing the PDU to be sent to the gNB-DU. In this way, additional security is provided while performance impact is minimized. In some embodiments, this provides a lower overhead on the gNB-CU-UP side compared to applying a generic protection of all PDUs. Additionally, the latency overhead is limited since a secure session establishment and handshake is confined to the gNB-CU-UP-SEG domain instead of gNB-CU-UP to gNB-DU.
Type: Application
Filed: March 18, 2020
Publication date: June 8, 2023
Inventors: Stere Preda, Daniel Migault, Amine Boukhtouta, Xiaowen Yue
-
Publication number: 20230094458
Abstract: Systems and methods for maintaining privacy of security protocol parameters are provided. A node receives an encrypted packet and determines if the Security Parameters Index (SPI) value has been updated. The node can modify its stored SPI value(s) accordingly and process the encrypted packet.
Type: Application
Filed: January 30, 2020
Publication date: March 30, 2023
Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Daniel Migault, Stere Preda, Amine Boukhtouta, Fereydoun Farrahi Moghaddam
-
Publication number: 20220329445
Abstract: A system, node and wireless device are provided. An intermediate node is provided that includes processing circuitry configured to: receive a packet where the packet includes metadata associated with first input data of a first node, first output data of the first node, a first PC signature and a public cryptographic key associated with the first node, verify that the first PC signature corresponds to a process that led from the first input data to the first output data using the public cryptographic key, verify a link between first node and the intermediate node by comparing the received packet and the first output data, and determine whether to perform at least one service function on the packet based at least in part on the verification of the first PC signature and the verification of the link between the first node and the intermediate node.
Type: Application
Filed: September 13, 2019
Publication date: October 13, 2022
Inventors: Fereydoun FARRAHI MOGHADDAM, Daniel MIGAULT, Stere PREDA
-
Patent number: 11343322
Abstract: Systems and methods for virtualizing edge node functionality as a service for handling content delivery are described herein. An edge node receives a packet and determines if it associated with an established session and if it should be offloaded for processing. An offload status indicator and/or session context information can be added to the offloaded packet and it is transmitted to a subsequent edge node.
Type: Grant
Filed: December 18, 2018
Date of Patent: May 24, 2022
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Daniel Migault, Stere Preda, Elaheh Jalalpour, Enayatallah Ghaznavi