Abstract: Embodiments described herein provide methods and apparatuses for providing a network function, NF, service producer access to a key set, wherein the key set is for use in verifying an access token received from an NF service consumer. A method in a network repository function, NRF, comprises receiving a request from the NF service producer to provide an indication of services provided by the NRF; and responsive to the request, transmitting a first address where the key set can be retrieved, as part of an indication of an authorization service.

Abstract: Network equipment is configured for use in one of multiple different core network domains of a wireless communication system. The network equipment is configured to receive a message that has been, or is to be, transmitted between the different core network domains. The network equipment is also configured to apply inter-domain security protection to, or remove inter-domain security protection from, one or more portions of the content of a field in the message according to a protection policy. The protection policy includes information indicating to which one or more portions of the content inter-domain security protection is to be applied or removed. The network equipment is also configured to forward the message, with inter-domain security protection applied or removed to the one or more portions, towards a destination of the message.

Abstract: Network equipment (300, 400) is configured for use in one of multiple different core network domains of a wireless communication system (10). The network equipment (300, 400) is configured to receive a message (60) that has been, or is to be, transmitted between the different core network domains. The network equipment (300, 400) is also configured to apply inter-domain security protection to, or remove inter-domain security protection from, one or more portions of the content of a field in the message according to a protection policy (80). The protection policy (80) includes information indicating to which one or more portions of the content inter-domain security protection is to be applied or removed. The network equipment (300, 400) is also configured to forward the message (60), with inter-domain security protection applied or removed to the one or more portions, towards a destination of the message (60).

Abstract: There is provided mechanisms for enabling selection of service-providing NFs in a 3GPP communication network. A method is performed by an NRF. The method comprises obtaining one register request from each of the service-providing NFs. Each registration request comprises an NF profile. Each NF profile comprises a security setting attribute. The method comprises storing the NF profiles of the service-providing NFs. The method comprises obtaining a discovery request from a service-requesting NF. The request indicates an NF type. The method comprises providing a discovery response to the service-requesting NF. The discovery response comprises the NF profile of at least one of the service-providing NFs of the NF type, thereby enabling selection of the service-providing NFs. The security setting attribute may pertain to support for mutual TLS and/or for use of OAuth-2 based authorization.

Abstract: The invention relates to a method for operating a container (100) providing a service to a user in a cloud environment, wherein the container is generated from a container image (51) which comprises an encrypted software package, the container image further comprising a decryption entity, wherein the method comprises the steps of receiving a message to set up the container (100) out of the container image (51), the message comprising an access identifier allowing access to a restricted area (60) to which the access is not provided without the access identifier, the restricted area comprising a plurality of decryption keys, and accessing the restricted area (60) using the access identifier received with the message, and retrieving a decryption key from the restricted area (60) based on the access identifier, and decrypting the encrypted software package with the retrieved decryption key in order to generate a decrypted software package, providing the service to the user based on the decrypted software package.

Abstract: Embodiments described herein provide methods and apparatus for configuring a service based architecture for discovery of a Network Function, NF. A method in a Network Function Discovery Orchestration includes configuring, in a domain name system, DNS, a first DNS entry associating a first domain name of the NF with at least one NF Internet Protocol, IP, address of the NF, and a second DNS entry associating the first domain name with at least one edge security node IP address of an edge security node in the first PLMN, wherein, the first DNS entry is for use in resolving requests for the NF which originate from within the first PLMN, and the second DNS entry is for use in resolving requests for the NF which originate from outside the first PLMN. Further methods and apparatus in a Network Repository Function, a Domain Name System and an edge security node are also provided.

Abstract: There is provided mechanisms for enabling discovery of a service-providing NF in a 3GPP communication network. A method is performed by a Network Repository Function. The method comprises registering locality information of service-providing NFs according to locality attribute of each service-providing NF. Each locality attribute comprises structured values of location information of its service-providing NF. The method comprises obtaining a request from a service-requesting NF for one of the service-providing NFs. The request specifies a preferred locality of the requested service-providing NF. The preferred locality indicates, in terms of structured values of location information, geographical location where the service-requesting NF is deployed.

Abstract: Methods and apparatus are provided for creating and distributing analytics reports in a wireless core network. A CNF requests analytic reports for a plurality of UEs from a NWDAF. Responsive to the request, the NWDAF compiles the requested data and generates analytics reports for the UEs identified in the request. During compilation of the analytics data, the NWDAF performs cluster analysis to identify groups of UEs 100, referred to herein as ephemeral groups, that share the same analytics report and generates a consolidated analytics report for each ephemeral group to reduce the number of analytics reports sent to the CNF 200.

Abstract: A network repository function, NRF, in a core network domain of a mobile communication network is provided, wherein the NRF is configured to register network function, NF, profiles for NF discovery, and wherein NF certificates have been issued to the NFs, each NF certificate including a public key of the respective NF and at least one signature of at least one certification authority, CA. The NRF is configured to receive, from a registering NF having an NF certificate, profile information comprising an NF identity of the registering NF, an NF type of the registering NF, and at least one CA certificate of at least one CA that signed the NF certificate issued to the registering NF. The NRF is further configured to store the received profile information in a repository.

Abstract: A method for operating a flow control entity which is configured to control a data packet flow in a network in which at least one virtualized gateway and at least one other gateway exchange routing data is disclosed. The flow control entity receives a message from a node located in an interconnection used by the at least one virtualized gateway and the at least one other gateway to exchange routing data by which one the gateways informs the other of the gateways about new routes and withdrawn routes for data packet flows which traverse the at least one virtualized gateway and the at least one other gateway, extracts the routing data from the received message, translates the extracted routing data into routing information, and transmits the routing information to an infrastructure managing entity configured to manage a virtualized infrastructure of the network.

Abstract: Methods and systems are provided for selecting a network slice to which a User Equipment (UE) can connect in the telecommunications network. A Cache Inventory Repository (CIR) stores cache associations indicating content cached at each of a plurality of Cache Network Functions (Cache NFs) and the network slice in which each Cache NR is located. A Network Slice Selection Function (NSSF) transmits to the CIR a request for cache data indicating a particular content cached in one or more network slices. The CIR determines the requested cache data based on the stored cache associations and transmits the requested cache data to the NSSF. The NSSF selects a network slice to which the UE can connect, based at least in part on the received cache data identifying the one or more network slices.

Abstract: Embodiments described herein provide methods and apparatus for configuring a service based architecture for discovery of a Network Function, NF. A method in a Network Function Discovery Orchestration includes configuring, in a domain name system, DNS, a first DNS entry associating a first domain name of the NF with at least one NF Internet Protocol, IP, address of the NF, and a second DNS entry associating the first domain name with at least one edge security node IP address of an edge security node in the first PLMN, wherein, the first DNS entry is for use in resolving requests for the NF which originate from within the first PLMN, and the second DNS entry is for use in resolving requests for the NF which originate from outside the first PLMN. Further methods and apparatus in a Network Repository Function, a Domain Name System and an edge security node are also provided.

Abstract: Selecting a network slice (202a-n) to which a User Equipment, UE, (204a-b) can connect in the telecommunications network. A CIR (216) stores, based on content data received from a plurality of Cache NFs (210), cache associations indicating content cached at each of the Cache NFs and the network slice in which each Cache NF is located. An NSSF (218) transmits to the CIR a request for cache data indicating a particular content cached in one or more network slices. The CIR determines the requested cache data based on the stored cache associations and transmits the requested cache data to the NSSF. The cache data comprises at least one of: one or more Cache NFs and one or more network slices caching the particular content. The NSSF selects a network slice to which the UE can connect, based at least in part on the received cache data identifying the one or more network slices.

Abstract: Methods and apparatus for implementing a service function chain of a mobile telecommunications network. A method for implementing a charging function in a service function chain of a mobile telecommunications network in which the service function chain includes a plurality of service functions in which each service function is configured to apply one or more services associated with a user packet traversing the service function chain towards a destination, and is configured to provide charging data related to the service function. A receiver receives collective charging data provided by the plurality of service functions, the collective charging data includes charging data for a plurality of services associated with a user packet. A charging controller controls charging for the plurality of services associated with the user packet based on the collective charging data.

Abstract: Network equipment (300, 400) is configured for use in one of multiple different core network domains of a wireless communication system (10). The network equipment (300, 400) is configured to receive a message (60) that has been, or is to be, transmitted between the different core network domains The network equipment (300, 400) is also configured to apply inter-domain security protection to, or remove inter-domain security protection from, one or more portions of the content of a field in the message according to a protection policy (80). The protection policy (80) includes information indicating to which one or more portions of the content inter-domain security protection is to be applied or removed. The network equipment (300, 400) is also configured to forward the message (60), with inter-domain security protection applied or removed to the one or more portions, towards a destination of the message (60).

Abstract: The disclosure provides techniques for negotiating security mechanisms between security gateways (102A, 102B). In these techniques, an initiating security gateway (102A) sends (302) a request message to a responding security gateway (102B) over a first connection established between the security gateways. The first connection provides integrity protection for 5 the messages. The request message includes one or more security mechanisms supported by the initiating security gateway. Upon receipt, the responding security gateway selects (406) one of the security mechanisms and transmits (408) a response message to the initiating security gateway indicating the selected security mechanism. Signaling messages are then communicated (310, 412) between the security gateways using the selected security 10 mechanism.

Abstract: A method for operating a flow control entity which is configured to control a data packet flow in a network in which at least one virtualized gateway and at least one other gateway exchange routing data is disclosed. The flow control entity receives a message from a node located in an interconnection used by the at least one virtualized gateway and the at least one other gateway to exchange routing data by which one the gateways informs the other of the gateways about new routes and withdrawn routes for data packet flows which traverse the at least one virtualized gateway and the at least one other gateway, extracts the routing data from the received message, translates the extracted routing data into routing information, and transmits the routing information to an infrastructure managing entity configured to manage a virtualized infrastructure of the network.

Abstract: In a telecommunication network, a method is carried out for assisting a first user terminal (1001) in benefiting from a data connectivity. A second user terminal (1002) indicates (s10), to a connectivity donation server (200), that it is willing to sponsor data connectivity of the first terminal (1001) and that, restriction(s) are imposed on how the sponsored connectivity can be used. The restriction(s) comprise: i) where the first terminal (1001) is to be located for benefiting from the sponsored connectivity; and ii) which access network(s) the first terminal (1001) has to connect to for benefiting from the sponsored connectivity. The connectivity donation server (200) then transmits a token to the second terminal (1002), which in turn transmits (s30) it to the first terminal (1001) using proximity-based means. Terminals, network nodes, and computer programs for use in the above method are also disclosed.

Abstract: A method is provided that includes defining at an ANDSF server an ANDSF rule that includes a validity condition to be fulfilled. The validity condition includes a validity location area and a validity trajectory towards the validity location area, and the validity trajectory includes a list with one or more previous location areas. The method also includes transmitting the ANDSF rule from the ANDSF server to an ANDSF client of the UE; tracking, at the ANDSF client, a historical trajectory for the UE by storing a list with one or more successive location areas where the UE has been located; and upon matching a current location of the UE with the validity location area, and the tracked historical trajectory for the UE with the validity trajectory, determining that the validity condition is fulfilled and applying the ANDSF rule at the ANDSF client.

Abstract: In a telecommunication network, a method is carried out for assisting a user terminal (100) in connecting to an access network. The user terminal (100) obtains (s20) information (50), i.e. “tag information”, from an electronic tag or a visual tag. The user terminal (100) transmits (s40), to a network node hosting an access network discovery and selection function (ANDSF), i.e. to an “ANDSF node” (200), the tag information (50). The ANDSF node (200) then transmits (s60), to the user terminal (100), credentials (70) for allowing the user terminal (100) to connect to said access network. The invention also relates to methods carried out by a user terminal (100), to methods carried out by an ANDSF node (200), to user terminals (100), to ANDSF nodes (200), to computer programs, and to computer program products for assisting user terminals (100) in connecting to an access network.