Abstract: A method for optimized routing of service based interface (SBI) request messages to remote network function (NF) repository functions (NRFs) using indirect communications via a service communication proxy (SCP) includes, at an SCP including at least one processor, receiving an SBI request message. The method further includes forwarding the SBI request message to a remote NRF. The method further includes determining that the remote NRF is unable to process the SBI request message, and, in response to determining that the remote NRF is unable, identifying a georedundant mate of the remote NRF. The method further includes forwarding the SBI request message to the georedundant mate NRF of the remote NRF that is unable to process the SBI request message.

Abstract: Methods, systems, and computer readable media for ingress message rate limiting are disclosed. One method includes, at a network node, receiving a service request message from a service consumer network function and extracting, from the received service request message, an access token that includes a consumer network function instance identifier identifying the service consumer network function. The method further includes determining, using the consumer network function instance identifier, that an allowed ingress message rate associated with the service consumer network function has been reached or exceeded and in response to determining that the allowed ingress message rate associated with the service consumer network function has been reached or exceeded, performing a message rate limiting action.

Abstract: A method for automatic configuration and use of Category 1 message filtering rules includes, at a network function (NF), subscribing, with an NF repository function (NRF), to receive notification of NF profile changes. The method further includes receiving, from the NRF and as a result of the subscribing, notification of an NF profile change. The method further includes automatically configuring, based on the notification of the NF profile change, at least one Category 1 message filtering rule implemented. The method further includes using the at least one Category 1 message filtering rule to filter service based interface (SBI) messages.

Abstract: A method for automatic key management of network access token public keys for 5GC authorization to mitigate security attacks includes providing, at the NRF, a network access token public key status update notification subscription interface that allows producer NFs to subscribe to receive notifications of updates in status of service access token public keys issued by the NRF. When the NRF determines that an update in status of a service access token public key is required, the NRF updates the status of the public key in its local database and notifies producer NFs that have subscribed to receive the updates. The producer NFs use the public keys to validate service requests from consumer NFs. In one variation, the NRF maintains and updates the status of service access token public keys associated with different service access levels.

Abstract: Methods, systems, and computer readable media for providing a unified interface that is configured to support communication between a user equipment (UE) and application function (AF) via a network exposure function (NEF) are disclosed. One method includes receiving, by a NEF from a session management function (SMF), a protocol data unit (PDU) session event change notification message associated with a UE, establishing, by the NEF, a data delivery path between the UE and an application function (AF) via one of a plurality of data delivery planes that traverse the NEF in response to the PDU session event change notification message and processing, by the NEF, messages communicated between the UE and the AF over any of the plurality of data delivery planes using a single unified interface supported by the NEF.

Abstract: A method for resolution of inter-network domain names between telecommunications networks includes storing, at a security edge protection proxy (SEPP) of a home network, a mapping between a domain name and a network address of a producer network function of the home network. The method includes receiving, at the SEPP of the home network, a request message from a consumer network function of a visitor network. The method includes resolving, at the SEPP of the home network, a request message domain name of the request message using the mapping between the domain name and the network address of the producer network function of the home network.

Abstract: A method for mitigating network function (NF) update and deregister attacks includes, at an NF repository function (NRF) implemented by at least one processor, receiving, from an NF, an NFRegister request including a hash of a first authentication string, an NF instance identifier, and an NF profile. The method further includes storing the hash of the first authentication string. The method further includes registering the NF by storing the NF profile in an NF profile database. The method further includes receiving a first NFUpdate or NFDeregister request including the NF instance identifier. The method further includes using the stored hash of the first authentication string to validate or reject the first NFUpdate or NFDeregister request.

Abstract: Methods, systems, and computer readable media for network function (NF) discovery using preferred-locality information are disclosed. One example method for NF discovery using preferred-locality information comprises: at a first NF comprising at least one processor: receiving a message relating to a transaction involving a consumer NF; identifying, from the message, an NF instance identifier (ID) corresponding to the consumer NF; determining, using the NF instance ID and a data store including NF related information and corresponding preferred-locality information, a preferred-locality value; including the preferred-locality value in a preferred-locality information element (IE) of an NF discovery request; and transmitting the NF discovery request toward a second NF.

Abstract: A method for automatic domain name system (DNS) configuration for 5G core (5GC) network functions (NFs) includes, at an NF repository function (NRF) including at least one processor, receiving a message concerning a 5GC network function. The method further includes determining a first DNS resource record parameter for the 5GC NF. The method further includes determining a second DNS resource record parameter for the 5GC NF. The method further includes automatically configuring a DNS with a mapping between the first and second DNS resource record parameters for the 5GC NF.

Abstract: A method for routing inter-public land mobile network (inter-PLMN) messages relating to existing subscriptions with a network function (NF) repository functions (NRFs) includes, at a security edge protection proxy (SEPP) implemented using at least one processor, automatically populating, by the SEPP, a subscription identifier to target NRF resource identification information mapping database accessible to the SEPP with mappings between subscription identifiers and target NRF resource identification information. The method further includes receiving an inter-PLMN message for modifying or deleting a subscription. The method further includes reading a subscription identifier from the message for modifying or deleting the subscription. The method further includes using the subscription identifier from the message for modifying or deleting the subscription to access the database and obtain an identifier associated with an NRF that created the subscription.

Abstract: A method for automatically managing a platform firewall using a network function (NF) repository function (NRF) or service communication proxy (SCP) includes receiving message relating to registering, updating, or deregistering an NF profile in an NF profiles database separate from a platform firewall. The method further includes determining that the registering, updating, or deregistering of the NF profile requires a change to a firewall rules configuration of the platform firewall. The method further includes, in response to determining that the registering, updating, or deregistering of the NF profile requires a change to the firewall rules configuration of the platform firewall, automatically updating, by the NRF or SCP, the firewall rules configuration of the platform firewall.

Abstract: A method for selective inter-PLMN security handshake validation includes receiving, at a SEPP, a first inter-PLMN security handshake request message. The method further includes performing, by the SEPP and in an SEPP trust relationship database, a lookup to determine whether the first inter-PLMN security handshake request message originates from a trusted SEPP. The method further includes determining that the first inter-PLMN security handshake request message does not originate from a trusted SEPP, and, in response, performing, by the SEPP, an inter-PLMN security handshake validation procedure on the first inter-PLMN security handshake request message. The method further includes determining that the first inter-PLMN security handshake request message fails the inter-PLMN security handshake validation procedure, and, in response, performing a network protective operation.

Abstract: A method for mitigating spoofing attacks on an SEPP inter-PLMN forwarding interface includes obtaining, by a responding SEPP, a first SEPP identifier and/or a first PLMN identifier from at least one message received over an inter-PLMN control interface. The method further includes storing the first SEPP identifier and/or the first PLMN identifier in an identity cross-validation database. The method further includes obtaining, from at least one message received over an inter-PLMN forwarding interface a second SEPP identifier and/or a second PLMN identifier and performing a lookup in the identity cross-validation database using a lookup key comprising at least one of the second SEPP identifier and the second PLMN identifier, determining that a record corresponding to the lookup key is not present in the identity cross-validation database, and, in response, preventing the at least one message received over the inter-PLMN forwarding interface from entering a PLMN protected by the responding SEPP.

Abstract: A method for generating, conveying, and using attempted producer network function (NF) instance communication information includes, at a first service communication proxy (SCP), receiving, from a sender, a first service based interface (SBI) request message. The method further includes attempting to obtain a service requested by the first SBI request message from at least one producer NF instance. The method further includes receiving at least one error response or failing to receive a response from the at least one producer NF instance. The method further includes generating, from the at least one error response or the failing to receive a response from the at least one producer NF instance, attempted producer NF instance communication information. The method further includes communicating, to the sender, the attempted producer NF instance communication information.

Abstract: Roaming spoofing attacks can be initiated during N32-c handshake procedure used for inter-PLMN communication in 5G network. One example solution described herein uses the SEPP to mitigate the N32-c roaming spoofing attacks by cross validating the sender attribute present in N32-c handshake security capability exchange messages against the endpoint identity in the X.509v3 certificate shared during TLS handshake and the remote SEPP identity configured in the SEPP's local database.

Abstract: A method for providing for network function (NF) fallback to a recovered network function NF repository function (NRF) includes, at an NF including at least one processor, generating an NF register message including an indication to notify the NF of recovery of a first NRF after a failure of the first NRF. The method further includes transmitting the NF register message to the first NRF. The method further includes communicating with the first NRF and detecting failure of the first NRF. The method further includes, in response to detecting failure of the first NRF, initiating communications with a second NRF that is a geo-redundant mate of the first NRF. The method further includes receiving notification of recovery of the first NRF and falling back to communicating with the first NRF.

Abstract: Methods, systems, and computer readable media for message validation in fifth generation (5G) communications networks are disclosed. One method occurring at a first network node of a first network comprises: obtaining, from at least one authentication and key agreement (AKA) procedure related message associated with a user device communicating via a second network, authentication information identifying the user device; storing the authentication information in a data store for validating subsequent messages; receiving a request message associated with the user device; determining, using the authentication information, that the request message is invalid; and in response to determining that the request message is invalid, performing an invalid message action.

Abstract: A method for mitigating a 5G roaming attack for an Internet of things (IoT) device based on expected user equipment (UE) behavior patterns includes receiving, at a network function (NF) including at least one processor, a service request message requesting a service from a home public land mobile network (PLMN) of a UE identified in the service request message, wherein the UE comprises an IoT device and obtaining, for the UE identified in service request message, at least one parameter provisioned in the home PLMN to indicate an expected UE behavior pattern. The method further includes comparing the at least one parameter provisioned in the home PLMN to indicate the expected UE behavior pattern to at least one parameter from the service request message and that the at least one parameter from the service request message is not indicative of the expected UE behavior pattern of the UE. The method further includes dropping or rejecting the service request message.

Abstract: A method for delegated authorization at a service communications proxy (SCP) includes intercepting, from a consumer network function (NF) that does not support access token based authorization, a service based interface (SBI) request. The method further includes operating as an access token authorization client to obtain a first access token on behalf of the consumer NF. The method further includes using the first access token to enable the consumer NF to access the service provided by a first producer NF that requires access-token-based authorization. The SCP may also function as an access token authorization server on behalf of an NRF that does not support access-token-based authorization.

Abstract: A method for error information propagation from a service communication proxy (SCP) to a consumer network function (NF) to support a circuit breaker design at the consumer NF includes receiving, at the SCP and from the consumer NF, a first service based interface (SBI) service request message. The method further includes attempting, by the SCP, to forward the first SBI service request to N producer NF instances, N being an integer of at least one. The method further includes detecting, by the SCP, an error involving the N producer NF instances. The method further includes performing, by the SCP, successful alternate routing of the first SBI service request message to an (N+1)th producer NF instance. The method further includes receiving, by the SCP, a success response message from the (N+1)th producer NF instance. The method further includes propagating, by the SCP, with the success response message and to the consumer NF, error information regarding the N producer NF instances.