Abstract: A method for dynamically adjusting service-based interface (SBI) message priority for roaming traffic includes receiving, by a security edge protection proxy (SEPP), an SBI message destined for a network function (NF) located in an administrative domain. The method further includes determining, by the SEPP and based on an SBI message priority configuration of the administrative domain, an SBI message priority attribute value for the SBI message. The method further includes dynamically adjusting, by the SEPP and using the SBI message priority attribute value determined based on the SBI message priority configuration of the administrative domain, a priority attribute value in the SBI message. The method further includes forwarding, by the SEPP, the SBI message with the dynamically adjusted SBI message priority attribute value to the administrative domain.

Abstract: The technology disclosed herein enables resiliency of routing between NFs when degraded 5G NF topology information is provided to an SCP by an NRF. In a particular example, a method includes transmitting requests for NRF status from a Service Communications Proxy (SCP) to NRFs in a 5G network. The NRFs exchange messages with each other to determine whether Network Function (NF) topology information is available from the NRFs. The method further includes receiving responses to the requests in the SCP. The responses indicate a number of the NRFs from which the NF topology information is available. The method also includes identifying one or more failed NRFs of the NRFs that are in a failed state based on the responses. The NF topology information is aggregated from operative NRFs should one or more of the NRFs still be operative.

Abstract: A method for network analytics data director (NADD)-informed configuration of a 3gpp-Sbi-Max-Rsp-Time header value includes receiving, at the NADD and from network functions (NFs), NF configuration details and copies of service-based interface (SBI) messages transmitted to and received by the NFs, determining service operation processing times of the NFs, and communicating, to an NF service consumer, NF analytics data including the service operation processing times and the NF configuration details. The method further includes automatically determining, by the NF service consumer and using the NF analytics data, a 3gpp-Sbi-Max-Rsp-Time header value for an SBI request message, adding, by the NF service consumer, the 3gpp-Sbi-Max-Rsp-Time header value to the SBI request message, and transmitting, by the NF service consumer, the SBI request message to a destination.

Abstract: A method for routing, alternate routing, or load balancing of SBI request messages among NFs that are members of the same NF set and located in different regions using an SCP includes actively learning NF topology information of NFs that are located in the different regions. The method further includes receiving an SBI request message and determining an NF set-Id of a first target NF of the SBI request message, the first target NF being located in a first region. The method further includes using the NF set-Id and the NF topology information to identify at least one second target NF that is in the same NF set as the first target NF and located in a different region from the first region. The method further includes routing, alternate routing, or load balancing the SBI request message to a least one of the first target NF and the at least one second target NF.

Abstract: A method for NADD-assisted dynamic configuration of HTTP parameter settings at NFs includes receiving, at the NADD, SBI message feeds from a plurality of producer NFs. The method further includes determining, by the NADD and from at least one of the SBI message feeds, an HTTP parameter setting for one of the producer NFs. The method further includes communicating, by the NADD, the HTTP parameter setting to the producer NF. The method further includes receiving, by the producer NF and from the NADD, the HTTP parameter setting. The method further includes using, by the producer NF, the HTTP parameter setting to control traffic flow from a consumer NF to the producer NF.

Abstract: A method for automatically binding an SBI communications digital certificate lifecycle to an NF lifecycle includes receiving, at an NRF, an NF deregister request message for deregistering an NF. The method further includes generating, by the NRF and in response to the NF deregister request message or successful completion of deregistration of the NF, a certificate revocation request message for revoking at least one digital certificate used by NF for SBI communications. The method further includes transmitting, by the NRF, the certificate revocation request message to a certificate authority. The method further includes receiving, by the NRF, an NF register request message identifying the NF. The method further includes determining, by the NRF, that the at least one digital certificate of the NF has been revoked.

Abstract: A method for network analytics data director (NADD)-assisted producer network function (NF) selection includes receiving, at the NADD and from consumer NFs, copies of service-based interface (SBI) messages transmitted to and received from producer NFs. The method further includes calculating, by the NADD, delay values associated with transport and processing of the SBI messages by the producer NFs. The method further includes providing, by the NADD, the delay values to a consumer NF. The method further includes using, by the consumer NF, the delay values to select a producer NF for processing an SBI request message originated or received by the consumer NF. The method further includes transmitting, by the consumer NF, the SBI request message to the producer NF.

Abstract: A method for automatic configuration and use of Category 1 message filtering rules includes, at a network function (NF), subscribing, with an NF repository function (NRF), to receive notification of NF profile changes. The method further includes receiving, from the NRF and as a result of the subscribing, notification of an NF profile change. The method further includes automatically configuring, based on the notification of the NF profile change, at least one Category 1 message filtering rule implemented. The method further includes using the at least one Category 1 message filtering rule to filter service based interface (SBI) messages.

Abstract: A method for increasing resilience of network topology hiding across geo-redundant SEPPs includes subscribing, with an NRF to receive notification of network topology updates of producer NFs configured to send inter-PLMN messages. The method includes receiving a notification including updated network topology information regarding one of the producer NFs. The method further includes generating, based on the updated network topology information, updated network topology hiding information for the producer NF. The method further includes receiving an inter-PLMN SBI request message requiring network topology recovery. The method further includes performing, using the updated network topology hiding information, the network topology recovery and forwarding the inter-PLMN SBI request message to the producer NF.

Abstract: A method for using a security edge protection proxy (SEPP) for providing mobile terminated (MT) short message service (SMS) to outbound roaming subscribers includes receiving, by a SEPP, a message generated for a UE roaming in a visited public land mobile network (PLMN). The method further includes initiating, by the SEPP, MT SMS delivery to the UE, where initiating the MT SMS delivery includes: obtaining, by the SEPP, an identifier of a short message service function (SMSF) serving the UE for delivering mobile terminated SMS messages to the UE; and transmitting, by the SEPP, a mobile terminated SMS message to the SMSF for delivery to the UE.

Abstract: A method for performing a location and velocity check at a security edge protection proxy (SEPP) using a service communication proxy (SCP) includes receiving, at an SEPP, an SBI request message relating to a user equipment (UE). The method further includes querying, by the SEPP, a service communication proxy (SCP) to obtain information indicative of a last known update of the UE with the home network of the UE. The method further includes receiving, at the SEPP, a response from the SCP, the response including the information indicative of the last known update of the UE. The method further includes reading, by the SEPP and from the response, the information indicative of the last known update of the UE. The method further includes performing, by the SEPP and using the information indicative of the last known update of the UE, a location and velocity check for the UE. The method further includes performing a network security action based on results of the location and velocity check.

Abstract: A method for detecting and mitigating security attacks on producer network NFs using access token to non-access-token parameter correlation at a proxy NF includes receiving an inter-PLMN SBI request message. The method further includes obtaining, from an access token transmitted with the inter-PLMN SBI request message, at least one network- or service-identifying parameter and obtaining, externally from the access token, at least one network- or service-identifying parameter. The method further includes comparing the at least one network- or service-identifying parameter obtained from the access token and the at least one network- or service-identifying parameter obtained externally from the access token and performing a network security action when the at least one network- or service-identifying parameter obtained from the access token does not match the at least one network- or service-identifying parameter obtained externally from the access token.

Abstract: A method for using an optimized token bucket algorithm for ingress message rate limiting across distributed producer network function (NF) applications includes implementing a producer NF instance as distributed producer NF applications and implementing distributed ingress gateways (IGWs) for performing ingress message rate limiting for the distributed producer NF applications. The method further includes maintaining, for each of the distributed IGWs, a local token bucket for rate limiting of ingress service-based interface (SBI) request messages received by each of the distributed IGWs and maintaining a distributed token bucket for refilling the local token buckets.

Abstract: A method for protecting against unauthorized use of CMP client identity private keys and CMP public key certificates associated with NFs includes receiving, by a CMP CA proxy, a first CMP certificate request for renewing a security certificate associated with a first NF, the CMP certificate request including a public key certificate associated with the first NF and is protected by a CMP client identity private key associated with the first NF.

Abstract: A method for communicating and using producer network function (NF) network slice level load information includes receiving, by a service communication proxy (SCP) and from a producer NF, a service-based interface (SBI) message including producer NF network slice level load information. The method further includes reading, by the SCP and from the SBI message, the producer NF network slice level load information. The method further includes communicating, by the SCP and to an NF repository function (NRF), the producer NF network slice level load information. The method further includes storing, by the NRF, the producer NF network slice level load information. The method further includes using, by the NRF, the producer NF network slice level load information to generate a response message to be sent to a consumer NF or the SCP.

Abstract: A method for identifying cached NF discovery results impacted by an NF profile update to NF discovery service consumers includes receiving an NF discovery request including query parameters, generating an NF discovery response, communicating the NF discovery response to the NF discovery service consumer, and caching information associated with the NF discovery response. The method further includes receiving an NF update message for changing a value of at least one attribute of an NF profile of a producer NF, determining that the change in the value of at least one attribute of the NF profile of the producer NF would have impacted the NF discovery response, updating the cached information associated with the NF discovery response, and communicating, to the NF discovery service consumer, a notification message including the NF profile of the producer NF and identifying the NF discovery response as an impacted NF discovery response.

Abstract: A method for communicating and using producer network function (NF) network slice level load information includes receiving, by a service communication proxy (SCP) and from a producer NF, a service-based interface (SBI) message including producer NF network slice level load information. The method further includes reading, by the SCP and from the SBI message, the producer NF network slice level load information. The method further includes communicating, by the SCP and to an NF repository function (NRF), the producer NF network slice level load information. The method further includes storing, by the NRF, the producer NF network slice level load information. The method further includes using, by the NRF, the producer NF network slice level load information to generate a response message to be sent to a consumer NF or the SCP.

Abstract: A method for offloading verification of consumer NF security certificates includes receiving, by an SCP, an SBI request message including a consumer NF security token signed by a consumer NF for authenticating the consumer NF to a producer NF. The method further includes obtaining, by the SCP and from the consumer NF security token, an identifier for a consumer NF security certificate or a copy of the consumer NF security certificate. The method further includes verifying, by the SCP and on behalf of the producer NF, the consumer NF security certificate. The method further includes performing, by the SCP and based on a verification result of the consumer NF security certificate, a network security action.

Abstract: A method for offloading verification of consumer NF security certificates includes receiving, by an SCP, an SBI request message including a consumer NF security token signed by a consumer NF for authenticating the consumer NF to a producer NF. The method further includes obtaining, by the SCP and from the consumer NF security token, an identifier for a consumer NF security certificate or a copy of the consumer NF security certificate. The method further includes verifying, by the SCP and on behalf of the producer NF, the consumer NF security certificate. The method further includes performing, by the SCP and based on a verification result of the consumer NF security certificate, a network security action.

Abstract: A method for mitigating network security attacks by linking NF discovery results to subsequent messages includes receiving, at a proxy NF, NF discovery messages. The method further includes reading, by the proxy NF, producer NF and consumer-NF-identifying parameters from the NF discovery messages. The method further includes creating, by the proxy NF, records in an NF-discovery-linked security database maintained by the proxy NF, wherein the records include the consumer NF and producer-NF-identifying parameters read from the NF discovery messages. The method further includes receiving, by the proxy NF, a service-based interface (SBI) request message. The method further includes screening, by the proxy NF and using the records in the NF-discovery-linked security database, the SBI request message. The method further includes performing, by the proxy NF, a network security action for the SBI request message based on results of the screening.