Abstract: A method for operating a system hosted on a mobile entity is disclosed, wherein the system is operable to connect to a communication network. The method, performed by a controller of the system, comprises seeking to establish a trust relationship with a cooperating system hosted on a mobile entity, and, if a trust relationship with the cooperating system is established, performing at least one of: initiating use of a resource provided by the cooperating system, or initiating provision of a resource for use by the cooperating system. Also disclosed is a method for operating a function comprising a digital representative of a system hosted on a mobile entity, wherein the system is operable to connect to a communication network.

Abstract: There is provided mechanisms for authenticating a first radio communication device with a network. A method is performed by the first radio communication device. The method comprises obtaining credentials for a network subscription to the network. The method comprises obtaining an upper part of a radio protocol stack, according to which radio protocol stack the first radio communication device is configured to communicate with the network. The method comprises authenticating with the network. The method comprises providing, to a second radio communication device, at least one key, as derived from the credentials during the authenticating, for use by the second radio communication device when executing the remaining part of the radio protocol stack for communication between the second radio communication device and the network.

Abstract: Embodiments herein relate to a method performed by a network controller node (130) in a data processing network (100) for enabling routing of data flows to or from a service (150) in the data processing network (100). The network controller node (130) receives information indicating network requirements on the data processing network (100) by a service (150) to be initiated in the data processing network (100). Also, the network controller node (130) determines a network identifier for the service (150) in the data processing network (100) based on the obtained network requirements. Embodiments herein also relate to a method performed by a resource controller node (140) in a data processing network (100) for enabling routing of data flows to or from a service (150) in the data processing network (100). The resource controller node (140) obtains information indicating network requirements on the data processing network (100) by a service (150) to be initiated in the data processing network (100).

Abstract: There is provided mechanisms for handling access to a service in a network. A method is performed by a network controller. The method comprises obtaining an indication of the service is accessible in the network. The indication is received from a network switch operatively connecting a server of the service to the network. The indication causes a timer to start. The method comprises obtaining an indication of a client requesting to access the service. The indication is received from the network switch. The method comprises recording, only when the timer has not yet expired, identity information of the client in an access control list. The method comprises providing the access control list at least to the network switch upon expiration of the timer.

Abstract: Using an authentication server to program network elements, such as a network node, in accordance with software-defined networking techniques in order to establish a traffic flow rule for a communication device or user of the communication device. After successfully authenticating a communication device or user, the authentication server and/or network node may use an identifier received at the authentication server in connection with the authentication procedure in order to obtain a traffic flow rule for the communication device. The traffic flow rule may be established at the network node or forwarded to a second network node configured to receive network packets from the communication device. The first identifier may be any one of a user identifier identifying a user, an application identifier identifying an application, and a device identifier unique to the communication device.

Abstract: There is provided mechanisms for updating a private key of a host entity. The private key is based on parameters negotiated between the host entity and a key issuer. The host entity further has a group public key that is generated by the key issuer and associated with the private key. A method is performed by the host entity. The method comprises obtaining a need to acquire a new private key. The method comprises, in response thereto, performing a private key update procedure with the key issuer using the public key and the current private key, wherein parameters for the new private key are negotiated with the key issuer. The method comprises generating the new private key using the negotiated parameters.

Abstract: There are provided mechanisms for combined migration and remigration of a network subscription of a source subscriber entity. A method is performed by a profile handling unit of the source subscriber entity. The method includes initiating a combined migration and remigration of the network subscription by providing a migration start message to a migration service entity. The migration start message includes a remigration condition. The method includes accepting the network subscription to be unavailable to the source subscriber entity upon migration of the network subscription and until remigration of the network subscription back to the source subscriber entity.

Abstract: Methods and systems for optimizing Network Function (NF) service authorization are presented. According to one aspect, a method implemented in an NF consumer comprises: sending, to an authorization server, an authorization request for a procedure that involves a plurality of NF services; and receiving, from the authorization server, an authorization response for the procedure, the authorization response including information authorizing access to the plurality of NF services. In some embodiments, the NF consumer may comprise an Access and Mobility Management Function (AMF). In some embodiments, the authorization server may comprise a Network Repository Function (NRF). In some embodiments, the authorization response may include one or more access tokens.

Abstract: A method is provided for registration of a device as a Network Application Function, NAF, in a Generic Bootstrapping Architecture, GBA. The device performs a GBA bootstrap operation with a Bootstrapping Server Function, BSF, and sends to a NAF registration function a request to register as a NAF. The device receives NAF registration information from the NAF registration function, and performs a NAF registration with the BSF. The NAF registration function receives from the device a request to register as a NAF, confirms that that the device is authorised to act as a NAF, and transmits the NAF registration information to the device.

Abstract: Embodiments relate to a method for secure domain name system, DNS, queries. The method is performed in a DNS client, and the method includes obtaining an encryption key and internet protocol, IP, address for a final DNS resolver, creating a session key, encrypting a DNS query and the created session key with the obtained encryption key, and sending a DNS message containing the encrypted DNS query and the created session key to an intermediate DNS resolver, different from the final DNS resolver, together with the obtained IP address for the final DNS resolver. Methods, nodes, computer programs, and a computer program product for secure DNS queries are also presented.

Abstract: There is provided mechanisms for a manufacturer of an ML model to embed at least one marker in an electronic file. A method comprises obtaining the electronic file. The electronic file represents content that causes the ML model to determine an output for the electronic file according to a first processing strategy. The method comprises embedding, in the electronic file, the at least one marker that, only when detected by the ML model, causes the output of the electronic file to be determined according to a second processing strategy. The second processing strategy is unrelated to the first processing strategy and deterministically defined by the at least one marker.

Abstract: There is provided mechanisms for enabling management of a subscriber entity. A method is performed by the subscriber entity. The method comprises obtaining a message from a subscription server. The message comprises an event record. The event record is addressed to the subscriber entity and comprises a pointer to a primary entity. The method comprises establishing a connection to the primary entity for management of the subscriber entity.

Abstract: There is provided mechanisms for handling access to a service in a network. A method is performed by a network controller. The method comprises obtaining an indication of the service is accessible in the network. The indication is received from a network switch operatively connecting a server of the service to the network. The indication causes a timer to start. The method comprises obtaining an indication of a client requesting to access the service. The indication is received from the network switch. The method comprises recording, only when the timer has not yet expired, identity information of the client in an access control list. The method comprises providing the access control list at least to the network switch upon expiration of the timer.

Abstract: A wireless device includes a first mobile equipment and a second mobile equipment sharing a single subscriber identity module. The wireless device sends a first attach request as part of a first attach procedure to a cellular network using the first mobile equipment via a first base station to establish a first communication channel to the cellular network, and sends a second attach request as part of a second attach procedure to the cellular network using the second mobile equipment via a second base station to establish a second communication channel to the cellular network. The first and second attach procedures are performed using a same subscriber identity provided by the single subscriber identity module. Upon completion of the first and second attach procedures, data communicated between the wireless device and the cellular network is transferred redundantly over the first communication channel and the second communication channel.

Abstract: A method of ending a subscription performed in a network entity is disclosed. The method comprises receiving, from a device comprising an Embedded Universal Integrated Circuit Card, eUICC, a signed confirmation of a profile having been deleted in the device, the profile being associated with a subscription for the device; sending, to a Subscription Manager Data Preparation entity, a command for deletion of the profile; and deleting the user subscription and related profile in case an acknowledgement of the deletion of the profile is received from the Subscription Manager Data Preparation entity. Method in a device, method in a Subscription Manager Data Preparation entity, devices and entities, computer programs and computer program products are also provided.

Abstract: There is provided mechanisms for obtaining initial cellular network connectivity. A method is performed by a terminal device. The method comprises obtaining an activation code for a network subscription and MNO specific information. The method comprises identifying at least one MNO from the MNO specific information. The method comprises wirelessly authenticating with an MNO node of one of the at least one identified MNO by using the MNO specific information to obtain the initial cellular network connectivity.

Abstract: It is presented a method, executed in a gateway, the gateway being arranged to facilitate communication between a client device and an application server. The method comprises the steps of: sending a request for an electronically transferable subscriber identity module, the request comprising an identifier based on an identity of the client device; receiving a response indicating that an electronically transferable subscriber identity module, generated based on the identifier, is available; downloading the electronically transferable subscriber identity; and storing the electronically transferable subscriber identity module with an association to the client device, along with any previously stored electronically transferable subscriber identity modules. A corresponding gateway, computer program and computer program product are also presented.

Abstract: A method (100) for establishing a new identity for a constrained device is disclosed, wherein the device has an existing identity and is associated with an asymmetric key pair comprising a device public key and a device private key. The method comprises applying a hash function to the existing identity (106) and setting the resulting value as the new identity for the constrained device (108), wherein the existing identity comprises at least a first generation hash value of a hash chain formed by applying the hash function to the device public key. Also disclosed is a method (200) for managing an identity of a constrained device, the device being associated with an asymmetric key pair comprising a device public key and a device private key.

Abstract: It is provided a method performed in a gateway and comprises the steps of: receiving a first client request from the client device, the first client request comprising a first fully qualified domain name, FQDN; transmitting a gateway request to the application server; receiving an application server response from the application server, the application server response indicating a need to provide authentication; generating a second FQDN, based on the first FQDN and an identifier of the client device; generating a client specific shared key based on the second FQDN and a shared key; generating a redirect message comprising the second FQDN, an authentication request, a context identifier and the client specific shared key; transmitting the redirect message to the client device; receiving a second client request from the client device; and generating an authentication response in case the second client request fails to comprise an authentication response.

Abstract: A method (30) of ending a subscription performed in a network entity (20) is disclosed. The method (30) comprises receiving (33), from a device (10) comprising an Embedded Universal Integrated Circuit Card, eUICC, (14), a signed confirmation of a profile having been deleted in the device (10), the profile being associated with a subscription for the device (10); sending (34), to a Subscription Manager Data Preparation entity (19), a command for deletion of the profile; and deleting (35) the user subscription and related profile in case an acknowledgement of the deletion of the profile is received from the Subscription Manager Data Preparation entity (19). Method (60) in a device (10), method (90) in a Subscription Manager Data Preparation entity, devices and entities, computer programs and computer program products are also provided.