Abstract: Example embodiments of the present disclosure relate to UP traffic handling for emergency case. A first terminal device determines that UP traffic is to be communicated between the first terminal device and a second terminal device without confidentiality protection. The first terminal device determines that the UP traffic is to be communicated between the first terminal device and the second terminal device without integrity protection or with a partial integrity protection. The first terminal device transmits, to the second terminal device, a message indicating that the UP traffic is to be communicated without the confidentiality protection or the integrity protection, or without the confidentiality protection and with the partial integrity protection.

Abstract: Example embodiments of the present disclosure relate to devices, methods, apparatuses and computer readable media supporting network slice or tenant specific automated certificate management configurations. A network slice certificate orchestrator may be configured to receive from a management system certification authority configuration indicative of a certification authority configured for one or more network slices, and transmit to a registration authority or a certification authority a certificate request with respect to a network function allocated to one of the one or more network slices along with information of the certification authority configured for the one or more network slices.

Abstract: There is provided an apparatus for a network node comprising means for receiving an indication of a serving network name of a first user equipment, the first user equipment configured to operate as a relay between a second user equipment and a network by providing a proximity-based service between the first user equipment and the second user equipment, means for determining an authentication vector for a proximity-based service authentication for the second user equipment based on the serving network name of the first user equipment; and means for providing an indication of the serving network name of the first user equipment to the second user equipment.

Abstract: Various example embodiments relate to methods and apparatuses for network slice security for non-3GPP access. An apparatus may be configured to send to an access network device, a request message comprising network slice group information corresponding to network slice identification information of the terminal device; and receive from the access network device, an identification of a non-3GPP access network device capable of serving at least one network slice indicated in the network slice identification information in response to the request message.

Abstract: Embodiments of the present disclosure provide a method and apparatus for accessing information about spatial anchor. A method (400) performed by a first apparatus for accessing information about at least one spatial anchor may comprise: transmitting (S402), to a second apparatus, a first request for an authorization to access information about the at least one spatial anchor; receiving (S404), from the second apparatus, a first response indicating the authorization; transmitting (S406), to a third apparatus, a second request based at least on the authorization, for accessing information about at least one spatial anchor; and receiving (S408), from the third apparatus, a second response.

Abstract: Methods and apparatus are disclosed for protecting information for a SoR procedure initiated by a user equipment (UE). A method comprises, creating at a UE, a first secured packet which is protected with one or more keys, wherein the first secured packet comprises enhanced steering of roaming (SoR) related information for triggering a SoR procedure; and sending from the UE to a first visited public land mobile network (VPLMN), a message comprising the first secured packet. Each of the one or more keys is a symmetric key, which is available for the UE and a home public land mobile network (HPLMN) of the UE before a primary authentication of an initial registration to the first VPLMN.

Abstract: Embodiments of the present disclosure relate to registration enhancements for multi-access. A terminal device is provided comprising at least one processor and at least one memory storing instructions. The instructions, when executed by the at least one processor, cause the terminal device at least to: initiate a first registration procedure with a first network device of a first PLMN, and based on determining that the first registration procedure is completed, initiate a second registration procedure with a second network device of a second PLMN. As such, registration for multi-access is enhanced.

Abstract: Embodiments of the present disclosure relate to security communication in ProSe U2N relay. According to one aspect of the present disclosure, remote UE and relay UE receive a configuration comprising at least a set of indicators of a CP based security procedure or a UP based security procedure for a set of relay services. Based on an indicator for a relay service in the set of indicators, the remote UE and relay UE performs one of the CP based security procedure or the UP based security procedure for a communication between the remote UE and the relay UE for the relay service. In this way, remote UE and remote UE may correctly trigger a security procedure for U2N relay communication.

Abstract: Embodiments of the present disclosure relate to security communication in ProSe U2N relay. According to one aspect of the present disclosure, remote UE and relay UE receive a configuration comprising at least a set of indicators of a CP based security procedure or a UP based security procedure for a set of relay services. Based on an indicator for a relay service in the set of indicators, the remote UE and relay UE performs one of the CP based security procedure or the UP based security procedure for a communication between the remote UE and the relay UE for the relay service. In this way, remote UE and remote UE may correctly trigger a security procedure for U2N relay communication.

Abstract: There is disclosed an apparatus. The apparatus comprises means for performing: in response to determining a lack of resource or an impending lack of resource in a communication network, determining whether an agreed level of service for one or more service requirements of one or more services will be affected; and when it is determined that the agreed level of service for one or more service requirements of one or more services will be affected, determining whether one or more customers can tolerate non-compliance with the agreed level of service.

Abstract: Provided herein are systems and methods for preventing network attacks in a network slice. In particular, security requirements of a network slice instance are retrieved and specific security policies to be applied to each of multiple constituent network slice subnet instances within the network slice instance are identified based on the security requirements. A deployment of one or more security function instances for each subnet instance configured according to a corresponding security policy is then facilitated.

Abstract: Example embodiments of the present disclosure relate to dynamic authorization. According to embodiments of the present disclosure, a solution for dynamic access control to data is proposed. On receiving data registration from a data source, a first device checks the data types to be produced by the data source and adds policies for the data or updates existing policies for the data according to its property. It also serves as access control decision point to determine consumers' access rights based on centrally managed policies. Authorization for data access is granted/denied according to local attributes/policies. In this way, it achieves a dynamic, context-aware and risk-intelligent access control to different kind of data from various data sources (i.e., service producers).

Abstract: A method and an apparatus for controlling over performance measurements. The method includes associating a measurement list with a containing MOI; associating number of MCIs with said containing MOI according to said measurement list; collecting measurement records according to attributes of at least one of said MCIs after said at least one MCI is activated; processing the measurement records and making them available to number of consumers. The solution is aligned with Services Based Management Architecture management paradigm that 3GPP SA5 introduced for 5G management in 3GPP Rel-15, which increases flexibility of both Management and Managed Entity, and enables reusability of the measurement data and tasks.

Abstract: An entity that creates an adaptive trust model, by a trust model adaptor of the apparatus, configured to establish a trust relationship with an other apparatus according to a composition of trust of the other apparatus derived from a trust evaluator of the other apparatus and a composition of trust of the apparatus derived from a trust evaluator of the apparatus. The entity authenticates the other apparatus based on the adaptive trust model and policies defined in the adaptive trust model; defines access control rules for the other apparatus based on the adaptive trust model and the policies defined in the adaptive trust model; builds a secure channel with the other apparatus based on the adaptive trust model and policies defined in the adaptive trust model; and records behaviors of the other apparatus on the apparatus.

Abstract: There is provided an apparatus for a network node comprising means for receiving an indication of a serving network name of a first user equipment, the first user equipment configured to operate as a relay between a second user equipment and a network by providing a proximity-based service between the first user equipment and the second user equipment, means for determining an authentication vector for a proximity-based service authentication for the second user equipment based on the serving network name of the first user equipment; and means for providing an indication of the serving network name of the first user equipment to the second user equipment.

Abstract: Example embodiments of the present disclosure relate to UP traffic handling for emergency case. A first terminal device determines that UP traffic is to be communicated between the first terminal device and a second terminal device without confidentiality protection. The first terminal device determines that the UP traffic is to be communicated between the first terminal device and the second terminal device without integrity protection or with a partial integrity protection. The first terminal device transmits, to the second terminal device, a message indicating that the UP traffic is to be communicated without the confidentiality protection or the integrity protection, or without the confidentiality protection and with the partial integrity protection.

Abstract: An example method may include receiving slice isolation policy for a network slice subnet (NSS) in a transport network (TN) domain, mapping the slice isolation policy to network resource isolation policy and traffic isolation policy, and mapping the network resource isolation policy and the traffic isolation policy to network resource allocation policy and data traffic forward policy, respectively. The network resource allocation policy and the data traffic forward policy may be applied in creation of the TN NSS.

Abstract: Systems, methods, apparatuses, and computer program products for the management of heartbeat notifications, for instance, in a service based management architecture are provided. One method may include receiving, from a first entity, information comprising one or more attributes relating to management of an emission of heartbeat notifications at a second entity. The method may also include associating, by the second entity, the attributes with a subscription, associating the attributes with a communication channel between the second entity and a third entity relating to the subscription, and starting the emission of the heartbeat notifications according to the information received by the second entity from the first entity.

Abstract: Embodiments of the present disclosure relate to path switch between relays and security procedures. A terminal device obtains a selection policy for selecting a RSC from a plurality of RSCs, an RSC of the plurality of RSCs being associated with an indicator for indicating whether the RSC supports a CP security procedure or an UP security procedure. Based on determining that path switching from a source relay terminal device with a source RSC is triggered, the terminal device selects a target RSC based on the selection policy, a source indicator being associated with the source RSC, and a plurality of indicators being associated with the plurality of RSCs. The terminal device selects, for the path switching, a target relay terminal device based on the target RSC. As such, the service continuity after path switching between relays can be improved and delay or disruptions to the service can be avoided.

Abstract: Embodiments of the present disclosure relate to security communication in ProSe U2N relay. According to one aspect of the present disclosure, remote UE and relay UE receive a configuration comprising at least a set of indicators of a CP based security procedure or a UP based security procedure for a set of relay services. Based on an indicator for a relay service in the set of indicators, the remote UE and relay UE performs one of the CP based security procedure or the UP based security procedure for a communication between the remote UE and the relay UE for the relay service. In this way, remote UE and remote UE may correctly trigger a security procedure for U2N relay communication.