Abstract: There is provided mechanisms for enabling subscription profile download to a subscriber entity. A method is performed by a network node of an SNPN. The method comprises receiving a request from the subscriber entity for network registration with EAP based authentication to the SNPN. The method comprises granting network connectivity for the subscriber entity to the SNPN by completing the network registration upon successful EAP based authentication of the subscriber entity and upon verification that there is a pending subscription profile available for download to the subscriber entity. The network connectivity enables subscription profile download to the subscriber entity.

Abstract: A method enabling migration of a subscription from a source device to a destination device is disclosed. The method may be performed in a migration entity and comprises: receiving, from the source device, a confirmation of a first profile associated with the subscription having been deleted in the source device, securing a second profile associated with the subscription to be provisioned onto the eUICC of the destination device, wherein at least one piece of subscription information is the same for the first and second profiles, and providing an activation code for use in migration of the subscription to the destination device. A method in a source device, migration entity, source device, computer programs and computer program products are also provided.

Abstract: According to one aspect is provided a method for establishing a secure connection between a client device and a network gateway. The method is performed by an access point. The method comprises establishing a first secure connection between the access point and the network gateway. The method comprises establishing a second secure connection serving as a virtual private network tunnel between the client device and the network gateway. There is also provided corresponding methods as performed by the client device and the network gateway.

Abstract: A Bluetooth device (702) is disclosed, the Bluetooth device being provisioned with a security credential (710) that is shared with an authentication server (706). The Bluetooth device comprises processing circuitry configured to use a Bluetooth pairing mechanism to establish a pairing with a Bluetooth gateway (704a-c) by establishing a shared secret key with the Bluetooth gateway and to perform an Extensible Authentication Protocol (EAP) authentication method towards the authentication server using the security credential, wherein performing the EAP authentication method comprises using the paired Bluetooth gateway to forward messages to and from the authentication server. The processing circuitry is further configured to bind the pairing established with the paired Bluetooth gateway to the performed EAP authentication method. Also disclosed are a Bluetooth gateway and methods performed by a Bluetooth device and a Bluetooth gateway.

Abstract: It is presented a method for configuring a network path. The method is performed in a routing control device of a software defined network and comprises the steps of: receiving a first node packet originating from a first node of the software defined network, the first node packet forming part of an ARP exchange between an ARP requester and an ARP responder, the first node packet comprising a request for network properties encoded in a first address; determining a network path through the software defined network; changing a source address of a packet to the ARP requester to be a second address; configuring all switches forming part of the network path, to route packets in accordance with the network path; and configuring an edge switch to replace, for all packets having a destination address being equal to the second address, the destination address with an address of the ARP responder.

Abstract: There is provided mechanisms for remote provisioning of a SIM profile to a subscriber entity. A method is performed by a remote SIM provisioning server. The method comprises obtaining a request from an MNO entity for generation of the SIM profile. The method comprises generating the SIM profile. The method comprises providing, to a storage entity, a key-value pair of the SIM profile. The key-value pair comprises a unique identifier comprising at least one profile specific element of the SIM profile as key and binding information of the at least one profile specific element as value. The unique identifier comprising at least one profile specific element of the SIM profile is represented by profile/subscription unique data elements for the SIM profile. The binding information of the at least one profile specific element is represented by an BID of the subscriber entity, ICCID of the SIM profile, IMSI, and an MNO identifier.

Abstract: There is provided mechanisms for remote provisioning of a SIM profile to a subscriber entity. A method is performed by a remote SIM provisioning server. The method includes obtaining a request from an MNO entity for generation of the SIM profile. The method includes generating the SIM profile. The method includes providing, to a storage entity, a key-value pair of the SIM profile. The key-value pair includes a unique identifier including at least one profile specific element of the SIM profile as key and binding information of the at least one profile specific element as value. The unique identifier including at least one profile specific element of the SIM profile is represented by an ICCID of the SIM profile. The binding information of the at least one profile specific element is represented by an EID and profile/subscription unique data elements for the SIM profile.

Abstract: A method, performed by an EAP authenticator in a communication network, is disclosed. An identification of at least one EAP method supported by an EAP authentication server providing an EAP authentication service to the EAP authenticator is obtained, wherein the identification is obtained from a network entity of the communication network or from inspection of traffic through the EAP authenticator. The identification of at least one EAP method is provided to a device operable to request communication network access from the EAP authenticator. Also disclosed is a method, performed in an EAP authentication server in a communication network. A request for identification of EAP methods supported by the EAP authentication server is received, and a response to the request is sent identifying at least one EAP method supported by the EAP authentication server. An EAP authenticator, EAP authentication server and computer program are also disclosed.

Abstract: There is provided mechanisms for initial network access of a subscriber entity to a radio access network. A method is performed by the subscriber entity. The method comprises transmitting an attach message towards a network node. The attach message indicates a request for network access of the subscriber entity to a radio access network of the network node. The method comprises receiving an identification request originating from the network node. The identification request requests identification of the subscriber entity. The method comprises transmitting a response message towards the network node. The response message comprises an Access Identifier of the subscriber entity. The Access Identifier indicates that the subscriber entity is subscription-less. The method comprises receiving a grant from the network node. The grant allows the subscriber entity limited network access.

Abstract: A wireless device includes a first mobile equipment and a second mobile equipment sharing a single subscriber identity module. The wireless device sends a first attach request as part of a first attach procedure to a cellular network using the first mobile equipment via a first base station to establish a first communication channel to the cellular network, and sends a second attach request as part of a second attach procedure to the cellular network using the second mobile equipment via a second base station to establish a second communication channel to the cellular network. The first and second attach procedures are performed using a same subscriber identity provided by the single subscriber identity module. Upon completion of the first and second attach procedures, data communicated between the wireless device and the cellular network is transferred redundantly over the first communication channel and the second communication channel.

Abstract: There is provided mechanisms for event handling for at least one subscriber entity. A method is performed by an event handling server. The method comprises obtaining, from an RSP entity, an event registration message of the event. The event registration message comprises an identifier field containing a string of characters identifying the at least one subscriber entity. The string of characters comprises at least one marker character specifying an event type and/or indicating that the event is valid for more than one subscriber entity. The method comprises storing an event record of the event. The event record comprises the identifier field and an address of that RSP entity from which data of the event is to be fetched. The method comprises providing the event record to the at least one subscriber entity.

Abstract: There is provided mechanisms for certificate revocation check during a subscription related procedure for a subscriber entity. A method is performed by the subscriber entity. The method comprises receiving a message from a subscription management entity during the subscription related procedure for the subscriber entity. The message comprises a certificate and an OCSP response for the certificate. The OCSP response indicates a revocation state of the certificate. The method comprises determining whether the certificate has been revoked or not by checking the revocation state as indicated in the OCSP response.

Abstract: A method for operating a system hosted on a mobile entity is disclosed, wherein the system is operable to connect to a communication network. The method, performed by a controller of the system, comprises seeking to establish a trust relationship with a cooperating system hosted on a mobile entity, and, if a trust relationship with the cooperating system is established, performing at least one of: initiating use of a resource provided by the cooperating system, or initiating provision of a resource for use by the cooperating system. Also disclosed is a method for operating a function comprising a digital representative of a system hosted on a mobile entity, wherein the system is operable to connect to a communication network.

Abstract: There is provided mechanisms for authenticating a first radio communication device with a network. A method is performed by the first radio communication device. The method comprises obtaining credentials for a network subscription to the network. The method comprises obtaining an upper part of a radio protocol stack, according to which radio protocol stack the first radio communication device is configured to communicate with the network. The method comprises authenticating with the network. The method comprises providing, to a second radio communication device, at least one key, as derived from the credentials during the authenticating, for use by the second radio communication device when executing the remaining part of the radio protocol stack for communication between the second radio communication device and the network.

Abstract: Embodiments herein relate to a method performed by a network controller node (130) in a data processing network (100) for enabling routing of data flows to or from a service (150) in the data processing network (100). The network controller node (130) receives information indicating network requirements on the data processing network (100) by a service (150) to be initiated in the data processing network (100). Also, the network controller node (130) determines a network identifier for the service (150) in the data processing network (100) based on the obtained network requirements. Embodiments herein also relate to a method performed by a resource controller node (140) in a data processing network (100) for enabling routing of data flows to or from a service (150) in the data processing network (100). The resource controller node (140) obtains information indicating network requirements on the data processing network (100) by a service (150) to be initiated in the data processing network (100).

Abstract: There is provided mechanisms for handling access to a service in a network. A method is performed by a network controller. The method comprises obtaining an indication of the service is accessible in the network. The indication is received from a network switch operatively connecting a server of the service to the network. The indication causes a timer to start. The method comprises obtaining an indication of a client requesting to access the service. The indication is received from the network switch. The method comprises recording, only when the timer has not yet expired, identity information of the client in an access control list. The method comprises providing the access control list at least to the network switch upon expiration of the timer.

Abstract: Using an authentication server to program network elements, such as a network node, in accordance with software-defined networking techniques in order to establish a traffic flow rule for a communication device or user of the communication device. After successfully authenticating a communication device or user, the authentication server and/or network node may use an identifier received at the authentication server in connection with the authentication procedure in order to obtain a traffic flow rule for the communication device. The traffic flow rule may be established at the network node or forwarded to a second network node configured to receive network packets from the communication device. The first identifier may be any one of a user identifier identifying a user, an application identifier identifying an application, and a device identifier unique to the communication device.

Abstract: There is provided mechanisms for updating a private key of a host entity. The private key is based on parameters negotiated between the host entity and a key issuer. The host entity further has a group public key that is generated by the key issuer and associated with the private key. A method is performed by the host entity. The method comprises obtaining a need to acquire a new private key. The method comprises, in response thereto, performing a private key update procedure with the key issuer using the public key and the current private key, wherein parameters for the new private key are negotiated with the key issuer. The method comprises generating the new private key using the negotiated parameters.

Abstract: There are provided mechanisms for combined migration and remigration of a network subscription of a source subscriber entity. A method is performed by a profile handling unit of the source subscriber entity. The method includes initiating a combined migration and remigration of the network subscription by providing a migration start message to a migration service entity. The migration start message includes a remigration condition. The method includes accepting the network subscription to be unavailable to the source subscriber entity upon migration of the network subscription and until remigration of the network subscription back to the source subscriber entity.

Abstract: Methods and systems for optimizing Network Function (NF) service authorization are presented. According to one aspect, a method implemented in an NF consumer comprises: sending, to an authorization server, an authorization request for a procedure that involves a plurality of NF services; and receiving, from the authorization server, an authorization response for the procedure, the authorization response including information authorizing access to the plurality of NF services. In some embodiments, the NF consumer may comprise an Access and Mobility Management Function (AMF). In some embodiments, the authorization server may comprise a Network Repository Function (NRF). In some embodiments, the authorization response may include one or more access tokens.