Patents by Inventor Daniel Migault

Daniel Migault has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11968295
    Abstract: Methods, a terminal and a data center gateway are provided for allowing efficient debugging and troubleshooting of data sessions encrypted with Perfect Forward Secrecy (PFS) encryption techniques such as, for example, the Transport Layer Security (TLS) protocol version 1.3. Embodiments of the invention allow the user terminal to authorize a data center gateway to persistently store one or more encryption keys associated with the data session, for use in accessing the recorded data session and troubleshooting it after the session has ended, when faults are detected. When a fault is detected, the user terminal provides authorization to the gateway to persistently store the data session along with one or more encryption key(s). With this, the gateway allows for the data session to be later decrypted and faults to be investigated despite the data session being encrypted with PFS techniques.
    Type: Grant
    Filed: April 3, 2018
    Date of Patent: April 23, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Daniel Migault, Makan Pourzandi
  • Publication number: 20230370474
    Abstract: A method, system and apparatus are disclosed. According to one or more embodiments, a verifier is provided. The verifier includes processing circuitry configured to obtain a hash algorithm and a fully qualified domain name, FQDN, associated with a virtual network function, VNF, image, determine an identifier for the VNF image based at least on the hash algorithm and the FQDN, perform domain name system security extensions, DNSSEC, resolution of the determined identifier for the VNF image at least in part by requesting at least one attribute of the VNF image using the determined identifier for the VNF image and validating a response associated with the request, and perform validation of the VNF image in response to successful DNSSEC resolution.
    Type: Application
    Filed: September 14, 2021
    Publication date: November 16, 2023
    Inventors: Daniel MIGAULT, Stere PREDA, Thomas INGEMARSSON
  • Patent number: 11818100
    Abstract: Methods and systems for automatic provisioning of security policies for content streaming control within a Content Delivery Network (CDN) are provided. According to one aspect, a method for automatic provisioning of security policies for content streaming control by a network node within a CDN that supports at least one streaming media protocol comprises: obtaining a manifest, the manifest being generated in response to a user requesting a streaming content from the CDN; determining a first security policy associated with the user and/or the requested streaming content in accordance with the manifest; updating a set of firewall rules for implementing security policies in accordance with the determined first security policy; and applying the updated set of firewall rules to validate requests from the user for the streaming content. The policies are dynamically configured and may be sparsely provisioned, e.g., downloaded only to the pertinent nodes and activated only when necessary.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: November 14, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Stere Preda, Daniel Migault, Makan Pourzandi
  • Publication number: 20230179996
    Abstract: Systems and methods for selective User Plane protection in a 5G virtual RAN are provided. A method performed by a gNB Central Unit (gNB-CU) for communicating with a gNB-Distributed Unit (gNB-DU) includes determining whether to selectively encrypt a PDU to be sent to the gNB-DU if the PDU is not otherwise encrypted. In response to determining to selectively encrypt, the method includes encrypting the PDU to be sent to the gNB-DU. In response to determining to not selectively encrypt, the method includes passing the PDU to be sent to the gNB-DU. In this way, additional security is provided while performance impact is minimized. In some embodiments, this provides a lower overhead on the gNB-CU-UP side compared to applying a generic protection of all PDUs. Additionally, the latency overhead is limited since a secure session establishment and handshake is confined to the gNB-CU-UP-SEG domain instead of gNB-CU-UP to gNB-DU.
    Type: Application
    Filed: March 18, 2020
    Publication date: June 8, 2023
    Inventors: Stere Preda, Daniel Migault, Amine Boukhtouta, Xiaowen Yue
  • Publication number: 20230094458
    Abstract: Systems and methods for maintaining privacy of security protocol parameters are provided. A node receives an encrypted packet and determines if the Security Parameters Index (SPI) value has been updated. The node can modify its stored SPI value(s) accordingly and process the encrypted packet.
    Type: Application
    Filed: January 30, 2020
    Publication date: March 30, 2023
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Daniel Migault, Stere Preda, Amine Boukhtouta, Fereydoun Farrahi Moghaddam
  • Publication number: 20220329445
    Abstract: A system, node and wireless device are provided. An intermediate node is provided that includes processing circuitry configured to: receive a packet where the packet includes metadata associated with first input data of a first node, first output data of the first node, a first PC signature and a public cryptographic key associated with the first node, verify that the first PC signature corresponds to a process that led from the first input data to the first output data using the public cryptographic key, verify a link between first node and the intermediate node by comparing the received packet and the first output data, and determine whether to perform at least one service function on the packet based at least in part on the verification of the first PC signature and the verification of the link between the first node and the intermediate node.
    Type: Application
    Filed: September 13, 2019
    Publication date: October 13, 2022
    Inventors: Fereydoun FARRAHI MOGHADDAM, Daniel MIGAULT, Stere PREDA
  • Patent number: 11343322
    Abstract: Systems and methods for virtualizing edge node functionality as a service for handling content delivery are described herein. An edge node receives a packet and determines if it is associated with an established session and if it should be offloaded for processing. An offload status indicator and/or session context information can be added to the offloaded packet and it is transmitted to a subsequent edge node.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: May 24, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Daniel Migault, Stere Preda, Elaheh Jalalpour, Enayatallah Ghaznavi
  • Publication number: 20220150217
    Abstract: Systems and methods for managing firewall rules in a distributed firewall system are provided. A first subset of rules is identified to be removed from a first firewall in a first domain and to be added to a second firewall in a second domain. A second subset of rules is identified to be duplicated from the first firewall to the second firewall. Usage statistics for the rules in the identified subsets are synchronized between the first and second firewalls and the second firewall can be configured accordingly.
    Type: Application
    Filed: January 20, 2022
    Publication date: May 12, 2022
    Inventors: Alireza SHAMELI-SENDI, Yosr JARRAYA, Daniel MIGAULT, Makan POURZANDI, Mohamed CHERIET
  • Patent number: 11323488
    Abstract: Systems and methods are disclosed herein that relate to secure monitoring or interception of traffic in a wireless communications system. In some embodiments, a method of operation of a network node comprises receiving a list of one or more obfuscated target identifiers from a monitoring node, where each obfuscated target identifier is a user identifier of a target user that is encrypted using a first encryption key that is unknown to the network node. The method further comprises receiving an encrypted packet from another network node and determining whether an encrypted user identifier of the encrypted packet matches one of the obfuscated target identifiers. The method further comprises, if the encrypted user identifier matches one of the obfuscated target identifiers, further encrypting the encrypted packet using a second encryption key negotiated between the network node and the monitoring node and transmitting the further encrypted packet to the monitoring node.
    Type: Grant
    Filed: June 7, 2017
    Date of Patent: May 3, 2022
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Catherine Truchan, Suresh Krishnan, Daniel Migault, Stere Preda
  • Patent number: 11240214
    Abstract: Systems and methods for processing inbound and outbound secure packet traffic are provided herein. A first lookup operation can be performed to identify a security association corresponding to a received packet. A second lookup operation can be performed to determine a security parameters index associated with the packet and the identified security association. The packet can be processed in accordance with the security association and the security parameters index.
    Type: Grant
    Filed: June 20, 2017
    Date of Patent: February 1, 2022
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Daniel Migault, Stere Preda
  • Patent number: 11240264
    Abstract: Systems and methods are provided for mitigating security attacks by enabling collaboration between security service functions. A Service Function Chaining (SFC) node receives a packet and determines whether to apply a service function to the packet. Responsive to determining that the packet has been treated by the service function, the packet can be reclassified and switched to a different SFC path.
    Type: Grant
    Filed: May 15, 2017
    Date of Patent: February 1, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Daniel Migault, Makan Pourzandi, Bruno Medeiros de Barros, Tereza Cristina Carvalho, Thiago Rodrigues Meira de Almeida
  • Publication number: 20210359787
    Abstract: An endpoint node and method are provided. The endpoint node is configured to access a transport layer and a communication layer different from the transport layer. The communication layer is a layer configured to use sequence numbers in messaging. The endpoint node includes processing circuitry configured to: detect a missing packet transmitted from another endpoint node, temporarily suspend at least a portion of signaling associated with retransmission of the missing packet using the transport layer based on the detected missing packet, attempt retransmission of the missing packet using the communication layer, and determine if retransmission of the missing packet using the communication layer is unsuccessful, and in response to determining retransmission of the missing packet using the communication layer is unsuccessful, cause retransmission of the missing packet using the transport layer.
    Type: Application
    Filed: January 25, 2018
    Publication date: November 18, 2021
    Inventors: Daniel MIGAULT, Yves LEMIEUX
  • Publication number: 20210329456
    Abstract: Apparatuses and methods are disclosed for enabling signalling storm mitigation in Internet Protocol (IP) Security (IPsec)-secured virtual Radio Access Network (vRAN). In one embodiment, a method in a first network node includes receiving a trigger to establish an IPsec session with a second network node, the IPsec session being associated with a user equipment (UE); responsive to the trigger to establish the IPsec session associated with the UE, deriving a unique identifier for the UE; generating a Security Parameter Index (SPI) value based at least in part on the unique identifier derived for the UE, the SPI value being unique to the IPsec session; and communicating an indication of the SPI value to the second network node.
    Type: Application
    Filed: September 4, 2018
    Publication date: October 21, 2021
    Inventors: Stere PREDA, Amine BOUKHTOUTA, Daniel MIGAULT, Fereydoun Farrahi MOGHADDAM
  • Publication number: 20210288942
    Abstract: Methods and systems for automatic provisioning of security policies for content streaming control within a Content Delivery Network (CDN) are provided. According to one aspect, a method for automatic provisioning of security policies for content streaming control by a network node within a CDN that supports at least one streaming media protocol comprises: obtaining a manifest, the manifest being generated in response to a user requesting a streaming content from the CDN; determining a first security policy associated with the user and/or the requested streaming content in accordance with the manifest; updating a set of firewall rules for implementing security policies in accordance with the determined first security policy; and applying the updated set of firewall rules to validate requests from the user for the streaming content. The policies are dynamically configured and may be sparsely provisioned, e.g., downloaded only to the pertinent nodes and activated only when necessary.
    Type: Application
    Filed: December 4, 2017
    Publication date: September 16, 2021
    Inventors: Stere Preda, Daniel Migault, Makan Pourzandi
  • Patent number: 11025538
    Abstract: Systems and methods are provided for packet handling and steering in a service function chaining network such that the full metadata associated with a packet need not be appended to the packet itself.
    Type: Grant
    Filed: July 18, 2016
    Date of Patent: June 1, 2021
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventor: Daniel Migault
  • Publication number: 20210111881
    Abstract: Methods, a terminal and a data center gateway are provided for allowing efficient debugging and troubleshooting of data sessions encrypted with Perfect Forward Secrecy (PFS) encryption techniques such as, for example, the Transport Layer Security (TLS) protocol version 1.3. Embodiments of the invention allow the user terminal to authorize a data center gateway to persistently store one or more encryption keys associated with the data session, for use in accessing the recorded data session and troubleshooting it after the session has ended, when faults are detected. When a fault is detected, the user terminal provides authorization to the gateway to persistently store the data session along with one or more encryption key(s).
    Type: Application
    Filed: April 3, 2018
    Publication date: April 15, 2021
    Inventors: Daniel MIGAULT, Makan POURZANDI
  • Publication number: 20210006625
    Abstract: Systems and methods for virtualizing edge node functionality as a service for handling content delivery are described herein. An edge node receives a packet and determines if it is associated with an established session and if it should be offloaded for processing. An offload status indicator and/or session context information can be added to the offloaded packet and it is transmitted to a subsequent edge node.
    Type: Application
    Filed: December 18, 2018
    Publication date: January 7, 2021
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Daniel MIGAULT, Stere PREDA, Elaheh JALALPOUR, Enayatallah GHAZNAVI
  • Patent number: 10855650
    Abstract: A method, node and identifier authorizing entity for generating a unique identifier at a node in a hierarchical tree having a plurality of nodes, the hierarchical tree arranged in a plurality of levels. The method includes obtaining a first limit condition from a higher level node of the plurality of nodes in the hierarchical tree, generating the identifier, applying a function to the generated identifier, verifying that an output of the function satisfies the limit condition, determining a second limit condition for at least one lower level node of the plurality of nodes in the hierarchical tree, and sending the second limit condition to the at least one lower level node of the plurality of nodes in the hierarchical tree.
    Type: Grant
    Filed: June 17, 2016
    Date of Patent: December 1, 2020
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Reza Farrahi Moghaddam, Yves Lemieux, Daniel Migault
  • Publication number: 20200314139
    Abstract: Systems and methods are provided for mitigating security attacks by enabling collaboration between security service functions. A Service Function Chaining (SFC) node receives a packet and determines whether to apply a service function to the packet. Responsive to determining that the packet has been treated by the service function, the packet can be reclassified and switched to a different SFC path.
    Type: Application
    Filed: May 15, 2017
    Publication date: October 1, 2020
    Inventors: Daniel MIGAULT, Makan POURZANDI, Bruno MEDEIROS DE BARROS, Tereza Cristina CARVALHO, Thiago RODRIGUES MEIRA DE ALMEIDA
  • Publication number: 20200213839
    Abstract: Systems and methods are disclosed herein that relate to secure monitoring or interception of traffic in a wireless communications system. In some embodiments, a method of operation of a network node comprises receiving a list of one or more obfuscated target identifiers from a monitoring node, where each obfuscated target identifier is a user identifier of a target user that is encrypted using a first encryption key that is unknown to the network node. The method further comprises receiving an encrypted packet from another network node and determining whether an encrypted user identifier of the encrypted packet matches one of the obfuscated target identifiers. The method further comprises, if the encrypted user identifier matches one of the obfuscated target identifiers, further encrypting the encrypted packet using a second encryption key negotiated between the network node and the monitoring node and transmitting the further encrypted packet to the monitoring node.
    Type: Application
    Filed: June 7, 2017
    Publication date: July 2, 2020
    Inventors: Catherine Truchan, Suresh Krishnan, Daniel Migault, Stere Preda