Abstract: In some aspects, the disclosure is directed to methods and systems for management of path selection and reservation between layer 3 devices, as well as path selection and reservation across L2/L3 boundaries. In one implementation, path selection can be managed by separating independent but “cooperating” layers, with layer 3 topology and non-adjacent layer 2 topologies handled separately. A first layer 3 router can be identified as a path computation engine (PCE), while other layer 3 routers can be implemented as path control clients (PCC(s)). One layer 2 PCE can be assigned per layer 2 topology, preventing competing path assignments and reservations.

Abstract: A method, apparatus, computer program, and system is provided to redirect an internet protocol mobility session establishment request. According to certain embodiments of the invention, the request message is redirected from an original local mobility anchor (“LMA”) to an alternative LMA. According to certain embodiments of the invention, this redirection provides load balancing between the LMAs.

Abstract: There is provided a mechanism for establishing a single PDN connection with plural IP addresses and breakout or terminating points. When a communication connection provided with multiple IP addresses via a multi-address bearer connection is established, an indication is prepared for indicating a terminating point represented by a network element of the cellular communication network where data traffic, based on one of the multiple IP addresses, is branched to another network being different to the cellular communication network by means of an IP based communication link The indication element is sent to the communication network by means of a PDCP signaling e.g. as a new PDU type code. In the network, it is decided whether a local receiving network element is indicated as a terminating point, wherein in this case a breakout connection to another network being different to the cellular communication network by the IP based communication link is established.

Abstract: There is provided an intra-realm AAA (authentication, authorization and accounting) fallback mechanism, wherein the single global realm may be divided in one or more sub-realms. The thus presented mechanism exemplarily comprises detecting a failure of an authentication server serving at least one authentication client within a first sub-realm of a single-realm authentication system, and routing authentication messages of the at least one authentication client to a fallback authentication server within a second sub-realm of the single-realm authentication system, wherein routing may exemplarily comprise sub-realm based source routing.

Abstract: Apparatus, method, system and computer program product for server failure handling A mechanism for a first apparatus is described. The mechanism comprising receiving, from a first apparatus, a first authentication request comprising an user identity and an identity of said first apparatus, wherein said first apparatus being capable for provide authentication related service with respect to said user identity; determining if a third apparatus, originally associated with said user identity for providing authentication related service, is available for providing said service; registering said first apparatus as the server associated with said user identity for providing authentication related service, if said third apparatus is not available; sending a response to said first apparatus to acknowledge the first authentication request.

Abstract: A second internet protocol network is logically connected to a packet data network connection provided between a user equipment and a first internet protocol network over a radio access network, the second internet protocol network located on a data path from the first internet protocol network to the user equipment. The first internet protocol network represents the highest level internet protocol point of attachment to the packet data network connection. Router advertisements are sent from the second internet protocol network to the user equipment over the radio access network via the packet data network connection.

Abstract: An apparatus and a method are provided, by which a gateway function between a first network and a second network is carried out, a packet is received from a network node located in the second network, wherein the packet comprises a source address which topologically does not belong to the second network, the received packet is encapsulated in a new packet, and the new packet is sent to the first network.

Abstract: It is provided a method, comprising providing a non 3GPP network access to a user equipment (S10); connecting an apparatus performing the method via an interface to a packet data network gateway of a packet core network (S20); indicating, to the packet data network gateway via the interface, an indication whether the non 3GPP network access is a trusted access (S30).

Abstract: There is provided an intra-realm AAA (authentication, authorization and accounting) fallback mechanism, wherein the single global realm may be divided in one or more sub-realms. The thus presented mechanism exemplarily comprises detecting a failure of an authentication server serving at least one authentication client within a first sub-realm of a single-realm authentication system, and routing authentication messages of the at least one authentication client to a fallback authentication server within a second sub-realm of the single-realm authentication system, wherein routing may exemplarily comprise sub-realm based source routing.

Abstract: There is provided an intra-realm AAA (authentication, authorization and accounting) fallback mechanism, wherein the single global realm may be divided in one or more sub-realms. The thus presented mechanism exemplarily comprises detecting a failure of an authentication server serving at least one authentication client within a first sub-realm of a single-realm authentication system, and routing authentication messages of the at least one authentication client to a fallback authentication server within a second sub-realm of the single-realm authentication system, wherein routing may exemplarily comprise sub-realm based source routing.

Abstract: A mechanism for routing in a network is described. The mechanism comprising receiving a request from a node; obtaining, based on the received request, an identifier relevant to said node; allocating a first local prefix; setting a first timer indicating a length of time the first local prefix or an address comprising the first local prefix is valid; setting a second timer indicating a length of time the first local prefix or the address comprising the first local prefix is preferred when the first local prefix or the address is valid; and sending a first message comprising said identifier, said first local prefix and said first timer to a network element.

Abstract: Various methods for determining network entity timeout values to improve keep-alive signaling are provided. One example method may comprise providing for transmission of a request for a timeout value associated with a keep-alive timer. The method of this example embodiment may further comprise receiving a response to the request, wherein the response comprises an indication of the timeout value of the keep-alive timer. Additionally, the method may further comprise determining an expiration time of the keep-alive timer based at least in part on the timeout value. The example method may further comprise providing for transmission of a keep-alive data packet prior to the determined expiration time. Similar and related example methods, example apparatuses, and example computer program products are also provided.

Abstract: There are provided measures for supporting an authentication to an external packet data network over an untrusted access network, said measures exemplarily comprising authenticating a user equipment to a communication network providing connectivity for the user equipment across an unsecured access network in response to a first authentication request, wherein the authentication request is an authentication request of a key information exchange mechanism and includes authentication data, receiving a second authentication request for authenticating the user equipment towards a packet data network external to the communications network. The measures may further comprise creating a binding update message including the authentication data and identity information of the user received from the user equipment.

Abstract: It is provided an apparatus, comprising advertisement receiving means adapted to receive an advertisement message according to a first network layer protocol, wherein the advertisement message comprises a flag, a network layer address according to a second network layer protocol different from the first network layer protocol, and a first link layer address; flag detecting means adapted to detect if the flag is set in the advertisement message; routing table setting means adapted to set the first link layer address as a router address in a routing table of the second network layer protocol if the flag is set; and directing means adapted to direct a message of the second network layer protocol to the router address as a first hop router.

Abstract: A method and apparatus for synthesized address prefix detection is provided. One example method includes generating a request for a first protocol address record of a name that has been assigned an address in accordance with a second protocol, causing the request to be sent to a domain name system server, and analyzing a response to the request for the first protocol address record to determine whether the domain name system server generated a synthesized address for the name in accordance with the first protocol. Similar and related example methods and example apparatuses are also provided.

Abstract: A communications system comprising a radio access network for providing local wireless access for a mobile device and an authentication entity in a public land mobile network, wherein the authentication entity is arranged to authenticate the mobile device accessing the radio access network on the basis of authentication signalling between the authentication entity and the mobile device. The system includes a proxy entity via which transfer of the authentication signalling is arranged, and encapsulated transmission of the authentication signalling to and from the mobile device is arranged in messages of a cryptographic client-server transport layer encapsulation protocol between the mobile device and the proxy entity. The system provides encapsulated transfer of the authentication signalling to and from the authentication entity in messages of an AAA client-server protocol between the proxy entity and the authentication entity.

Abstract: A node discovery mechanism is described. The mechanism includes determining if an entry relating to a desired service is found in a table stored in a node; performing a hash transform to a pair of data including a domain name and an application identifier relating to the desired service to obtain a key if the entry is not found in the table; sending a query including the obtained key to an overlay network, wherein the node is either part of the overlay network or connected to the overlay network through a proxy or an agent; obtaining a data object associated with the key from the overlay network; updating the table based on the data object.

Abstract: A solution for providing a data security service in a wireless communications system (S) is disclosed. In the solution, a first security association (SA1) is established between an anchor node (LMA1) located in a home operator network (N1) and a concentrator node (Ha) located in an interconnecting operator network (GRXa). In addition, a second security association (SA2, SA3, SA4, SA5) is established between an access node (MAG1, MAG2, MAG3, MAG4, MAG5) located in a roaming operator network (N2, N3, N4, N5) and the concentrator node (Ha, Hb) located in the interconnecting operator network (GRXa, GRXb). A user terminal (UE1-2, UE1-3, UE1-4, UE1-5) roaming in the roaming operator network (N2, N3, N4, N5) can then access external network services (E) by utilizing the first security association (SA1) and the second security association (SA2, SA3, SA4, SA5), respectively.

Abstract: A method, apparatus, computer program, and system is provided to redirect an internet protocol mobility session establishment request. According to certain embodiments of the invention, the request message is redirected from an original local mobility anchor (“LMA”) to an alternative LMA. According to certain embodiments of the invention, this redirection provides load balancing between the LMAs.

Abstract: A method and a device for conveying traffic by a network element comprising a first router instance and a second router instance are provided, wherein the traffic is conveyed between the first router instance and a network via a mobility anchor; and wherein the traffic is directly conveyed between the second router instance and the network. Furthermore, a communication system is suggested comprising said device.