Abstract: A method for prioritizing among alternate network function (NF) instances includes registering a first NF profile of a first NF instance with a first NF repository function (NRF), and defining, as part of the first NF profile, alternate NF instance information identifying a plurality of individual alternate NF instances to function as backups in response to unavailability of the first NF instance and specifying, for each alternate NF instance, a priority attribute value indicating a relative priority of the alternate NF instance with respect to the other alternate NF instances. The method further includes, at a first consumer NF or SCP, discovering, from the first NRF, the first NF profile of the first NF instance, detecting unavailability of the first NF instance, and, using the alternate NF instance information in the first NF profile to select and contact one of the alternate NF instances identified by the alternate NF instance information.

Abstract: A method for generating and using network function (NF) set load information, the method includes, at a service communication proxy (SCP), receiving service based interface (SBI) requests from consumer NFs. The method further includes forwarding the SBI requests to producer NF instances that are members of an NF set. The method further includes receiving responses to the SBI requests from the producer NF instances. The method further includes determining NF instance load control information (LCI) for the producer NF instances using the responses. The method further includes computing, by the SCP and from the NF instance LCI for the producer NF instances, NF set LCI for the NF set. The method further includes communicating the NF set LCI for the NF set to at least one of the consumer NFs or using the NF set LCI for the NF set to select a producer NF instance within an NF set to provide a service for one of the consumer NFs.

Abstract: A method for generating, conveying, and using attempted producer network function (NF) instance communication information includes, at a first service communication proxy (SCP), receiving, from a sender, a first service based interface (SBI) request message. The method further includes attempting to obtain a service requested by the first SBI request message from at least one producer NF instance. The method further includes receiving at least one error response or failing to receive a response from the at least one producer NF instance. The method further includes generating, from the at least one error response or the failing to receive a response from the at least one producer NF instance, attempted producer NF instance communication information. The method further includes communicating, to the sender, the attempted producer NF instance communication information.

Abstract: A method for protecting against mass NF deregistration attacks can be performed at an NRF or SCP. The method includes receiving an NFDeregister request for deregistering an NF. The method further includes classifying the NFDeregister request as suspect based on application of suspect NFDeregister request classification rules. The method further includes in response to classifying the NFDeregister request as suspect, queueing the NFDeregister request. The method further includes receiving an NF heart-beat message concerning the NF. The method further includes determining that the NF heart-beat message is received within an NF heart-beat time interval for the NF. The method further includes in response to determining that the NF heart-beat message is received within the NF heart-beat time interval for the NF, preventing processing of the NF Deregister request and blacklisting a sender of the NFDeregister request.

Abstract: A method for routing inter-public land mobile network (inter-PLMN) messages relating to existing subscriptions with a network function (NF) repository functions (NRFs) includes, at a security edge protection proxy (SEPP) implemented using at least one processor, automatically populating, by the SEPP, a subscription identifier to target NRF resource identification information mapping database accessible to the SEPP with mappings between subscription identifiers and target NRF resource identification information. The method further includes receiving an inter-PLMN message for modifying or deleting a subscription. The method further includes reading a subscription identifier from the message for modifying or deleting the subscription. The method further includes using the subscription identifier from the message for modifying or deleting the subscription to access the database and obtain an identifier associated with an NRF that created the subscription.

Abstract: A method for obtaining and using a single-use OAuth 2.0 access token for securing specific service-based architecture (SBA) interfaces includes generating, by a consumer network function (NF) an access token request. The method further includes inserting, in the access token request, a hash of at least a portion of a service-based interface (SBI) request message. The method further includes sending the access token request to an NF repository function (NRF). The method further includes receiving, from the NRF, an access token response, the access token response having an OAuth 2.0 access token including the hash of the at least a portion of the SBI request message. The method further includes using the OAuth 2.0 access token including the hash of the at least a portion of the SBI request message to access an SBI service.

Abstract: Methods, systems, and computer readable media for network function (NF) discovery using preferred-locality information are disclosed. One example method for NF discovery using preferred-locality information comprises: at a first NF comprising at least one processor: receiving a message relating to a transaction involving a consumer NF; identifying, from the message, an NF instance identifier (ID) corresponding to the consumer NF; determining, using the NF instance ID and a data store including NF related information and corresponding preferred-locality information, a preferred-locality value; including the preferred-locality value in a preferred-locality information element (IE) of an NF discovery request; and transmitting the NF discovery request toward a second NF.

Abstract: A method for providing for optimized service based interface (SBI) communications by performing network function (NF) fully qualified domain name (FQDN) resolution at an NF repository function (NRF) includes, at an NRF including at least one processor, receiving NF register requests including NF profiles and/or NF service profiles, at least some of which include FQDNs and do not include Internet protocol (IP) addresses. The method further includes storing the NF profiles and/or NF service profiles in an NF profiles database. The method further includes resolving the FQDNs in NF profiles and/or NF service profiles into IP addresses. The method further includes receiving NF discovery requests. The method further includes generating lists of NF profiles and/or NF service profiles that match query parameters in the NF discovery requests. The method further includes providing the lists of NF profiles and/or NF service profiles including the IP addresses to consumer NFs in NF discovery responses.

Abstract: A method for distributing network function (NF) high availability (HA) topology information in a core network includes, at an NF repository function (NRF) including at least one processor, receiving, from a plurality of producer NFs in an NF set, NFRegister requests including NF HA topology information for the producer NFs. The method further includes registering the producer NFs and storing the NF HA topology information for the producer NFs. The method further includes receiving, from a consumer NF or service communication proxy (SCP), an NFDiscover request containing at least one service discovery parameter that corresponds to a service provided by the producer NFs. The method further includes responding to the NFDiscover request by generating an NFDiscover response, including, in the NFDiscover response, the NF HA topology information for the producer NFs, and transmitting the NFDiscover response to the consumer NF or SCP.

Abstract: The subject matter described herein includes a method for reducing the likelihood of successful denial of service (DoS) attacks by validating overload control information (OCI) scope information against network function (NF) profile information obtained using target resource identification information. The method includes receiving a service based interface (SBI) request message, obtaining, from the SBI request message, target resource identification information, obtaining NF profile information using the target resource identification information and storing the NF profile information, receiving an SBI response message including overload control information and scope information for the overload control information, using the stored NF profile information to determine whether the scope information for the overload control information is valid, and, in response to determining that the scope information for the overload control information is invalid, rejecting the SBI response message.

Abstract: A method for DoS attacks at an NF includes maintaining, at a first NF, an NF subscription database containing rules that specify maximum numbers of allowed subscriptions and corresponding rule criteria. The method further includes receiving, at the first NF and from a second NF, a subscription request for establishing a subscription. The method further includes determining, by the first NF, that the subscription request matches criteria for at least one rule in the NF subscription database and incrementing, by the first NF, at least one count of a number of subscriptions for the at least one rule. The method further includes determining, by the first NF, that the at least one count of the number of subscriptions exceeds a maximum number of allowed subscriptions for the at least one rule.

Abstract: A method for optimized routing of service based interface (SBI) request messages to remote network function (NF) repository functions (NRFs) using indirect communications via a service communications proxy (SCP) includes, at an SCP including at least one processor, receiving an SBI request message. The method further includes forwarding the SBI request message to a remote NRF. The method further includes determining that the remote NRF is unable to process the SBI request message, and, in response to determining that the remote NRF is unable, identifying a georedundant mate of the remote NRF. The method further includes forwarding the SBI request message to the georedundant mate NRF of the remote NRF that is unable to process the SBI request message.

Abstract: A method for providing for network function (NF) fallback to a recovered network function NF repository function (NRF) includes, at an NF including at least one processor, generating an NF register message including an indication to notify the NF of recovery of a first NRF after a failure of the first NRF. The method further includes transmitting the NF register message to the first NRF. The method further includes communicating with the first NRF and detecting failure of the first NRF. The method further includes, in response to detecting failure of the first NRF, initiating communications with a second NRF that is a geo-redundant mate of the first NRF. The method further includes receiving notification of recovery of the first NRF and falling back to communicating with the first NRF.

Abstract: Methods, systems, and computer readable media for hiding network function (NF) instance identifiers (IDs) in communications networks are disclosed. One method for hiding NF instance IDs in a communications network occurs at an NF repository function (NRF) comprising at least one processor. The method comprises: receiving, from a first NF, an NF registration request message for registering a first NF instance of the first NF, wherein the NF registration request message includes a first NF instance ID for identifying the first NF instance; storing, in a data store, a mapping between the first NF instance ID and at least one pseudo NF instance ID, wherein the data store includes mappings between NF instance IDs and related pseudo NF instance IDs; and generating and sending, to the first NF, an NF registration response message including the at least one pseudo NF instance ID for identifying the first NF instance.

Abstract: A method for generating and using network function (NF) set load information, the method includes, at a service communications proxy (SCP), receiving service based interface (SBI) requests from consumer NFs. The method further includes forwarding the SBI requests to producer NF instances that are members of an NF set. The method further includes receiving responses to the SBI requests from the producer NF instances. The method further includes determining NF instance load control information (LCI) for the producer NF instances using the responses. The method further includes computing, by the SCP and from the NF instance LCI for the producer NF instances, NF set LCI for the NF set. The method further includes communicating the NF set LCI for the NF set to at least one of the consumer NFs or using the NF set LCI for the NF set to select a producer NF instance within an NF set to provide a service for one of the consumer NFs.

Abstract: A method for optimizing network bandwidth utilization through intelligent updating of network function (NF) profiles includes, at an NF repository function (NRF), receiving, from a first NF that previously communicated with a failed geo-redundant mate of the NRF as primary, an NF heart-beat request message. The method further includes locating an NF profile for the first NF in an NF profiles database maintained by the NRF. The method further includes computing an NF profile data modification detection value for the NF profile. The method further includes transmitting the NF profile data modification detection value to the first NF.

Abstract: A method for generating network function (NF) set load information aware NF discovery responses includes, at an NF repository function (NRF), receiving NFUpdate messages from producer NF instances. The method further includes collecting or generating, from the NFUpdate messages, NF set load information for NF sets of which the producer NF instances are members. The method further includes receiving, from a consumer NF, an NF discovery request. The method further includes generating, using query parameters in the NF discovery request, an NF discovery response including NF profiles of producer NF instances corresponding to the query and, including, in the NF discovery response, NF set load information for NF sets of producer NF instances whose NF profiles are included in the NF discovery response. The method further includes forwarding the NF discovery response including the NF set load information to the consumer NF.

Abstract: A method for preventing subscriber identifier leakage from a telecommunications network includes receiving, by a security edge protection proxy (SEPP), an authentication response message authorizing a subscriber in a visitor network, wherein the authentication response message includes a home subscriber identifier used to identify the subscriber within a home network. The method further includes replacing, by the SEPP, the home subscriber identifier in the authentication response message with a visitor subscriber identifier. The method further includes forwarding, by the SEPP, the authentication response message with the visitor subscriber identifier to a visitor network.

Abstract: A method for resource object level authorization at a network function (NF) includes maintaining, by a first NF, a service based interface (SBI) resource object access authorization policy database containing policies for controlling access to SBI resource objects and dynamically populating a resource object owner database containing records for resource objects and corresponding resource object owners. The method further includes receiving, by the first NF and from a second NF, a first SBI resource object access request for accessing a resource object, accessing, using information from the first SBI resource object access request, the resource object access authorization policy database and the resource object owner database, determining that an access to the resource object requested by the first resource object access request is not permitted, and preventing the access to the resource object requested by the first resource object access request.

Abstract: A method for mitigating a 5G roaming attack using a security edge protection proxy (SEPP), includes receiving, at an SEPP, user equipment (UE) registration messages for outbound roaming subscribers. The method further includes creating, in a SEPP security database, UE roaming registration records derived from UE registration messages. The method further includes receiving, at the SEPP, a packet data unit (PDU) session establishment request message. The method further includes performing, using at least one parameter value extracted from the PDU session establishment request message, a lookup in the SEPP security database for a UE roaming registration record. The method further includes determining, by the SEPP and based on results of the lookup, whether to allow or reject the PDU session establishment request message.