Abstract: According to one aspect is provided a method for establishing a secure connection between a client device and a network gateway. The method is performed by an access point. The method comprises establishing a first secure connection between the access point and the network gateway. The method comprises establishing a second secure connection serving as a virtual private network tunnel between the client device and the network gateway. There is also provided corresponding methods as performed by the client device and the network gateway.

Abstract: This disclosure provides a method, performed in a resource-constrained device 60, for establishing a secure session with a service 800 delivered by a server terminal 80 using a security protocol over a communication network. The resource-constrained device 60 is registered at a management terminal 70. The method comprises receiving, from the server terminal 80, a credential associated with the service 800. The method comprises sending, to the management terminal 70, a service approval request 803. The service approval request 803 comprises an identifier of the service 800 and/or the credential. The method comprises receiving, from the management terminal 70, a response 804. The response 804 comprises an indication that the service 800 is approved, and a security context for a resumption of the secure session. The secure session has been established by the management terminal 70. The method comprises initiating the resumption of the secure session with the service 800 using the security context.

Abstract: The disclosure relates to methods and nodes for mapping a subscription in a network (10) to a service user identity, wherein a communication device (12) accesses the network (10) using the subscription, and wherein the service user identity is used for accessing a service provided by the first network node (16). The method (30) comprises receiving (31), from the communication device (12) a request for a service, the request comprising an authenticated service user identity, providing (32), in response to the request, the communication device (12) access to the service, receiving (33), from the communication device (12), a message comprising a token identifying a mapping of the service user identity to the subscription, and verifying (34) that a service user identity obtained from the token corresponds to the service user identity used when providing access to the communication device (12).

Abstract: It is disclosed a method and a capillary gateway, CGW, (50, 60, 204, 304) capable to determine whether to allow a first machine-to-machine, M2M, device network access. The CGW is adapted to intercept (310) an authentication request message sent from a M2M device, and intercept (318) an authentication response message sent from a M2M management service. If the CGW determines that the authentication is successful based on the authentication response message and that there is a valid subscription for the M2M device and the authentication response message is received from a trusted management service, the CGW may allow (414) the first M2M device network access. Embodiments of the present disclosure have the advantage that disclosure can provide low-powered devices Internet reachability based on user subscriptions in non-traditional scenarios such as where devices are deployed straight out-of-the-box, i.e., without any customization.

Abstract: The invention relates to a method at a network node in a communications network configured to receive messages from at least one MTC device manager intended for an MTC device, as well as the network node. The invention further relates to a network node and a method at the network node to receive messages from at least one MTC device intended for a one or more MTC device managers. In a first aspect of the present invention, a method is provided at a network node in a communications network configured to receive messages from at least one MTC device manager intended for an MTC device. The method comprises merging the received messages into at least one MTC device message, and sending the at least one MTC device message to the MTC device.

Abstract: A relay module (30) for use in a lightweight machine to machine (LWM2M) communication network comprises a first interface module (31) for interfacing with one or more server devices, and a second interface module (33) for interfacing with a plurality of client devices. A processing unit (35) is adapted to establish at least one group object instance, wherein each group object instance is used to control communication between a server device and a group of client devices.

Abstract: A method is presented of establishing communications with a Virtual Machine, VM, in a virtualized computing environment using a 3GPPcommunications network. The method includes establishing a Machine-to-Machine Equipment Platform, M2MEP, which comprises a Communications Module, CM, providing an end-point of a communication channel between the 3GPP network and the VM. A virtual Machine-to-Machine Equipment is established that comprises a VM running on the M2MEP and a downloadable Subscriber Identity Module, associated with the CM. The Subscriber Identity Module includes security data and functions for enabling access via the 3GPP network. The CM utilizes data in the Subscriber Identity Module for controlling communication over the communication channel between the VM and the 3GPP network.

Abstract: A method is presented of providing a subscriber identity for the provision of services on behalf of the subscriber in a virtual computing environment. The method includes receiving a request to establish an execution environment for a virtual machine-to-machine equipment, vM2 M E. The vM2ME is provided, comprising software for execution in the virtual computing environment and a downloadable Subscriber Identity Module. A Communications Module, CM, is set up for execution in a domain of a virtualization platform. The CM provides an end-point for communications between the vM2ME and a 3GPP network. The Subscriber Identity Module is installed for execution together with the CM, the Subscriber Identity Module including a 3GPP identity of the subscriber, security data and functions for enabling access to the vM2ME via the 3GPP network.

Abstract: A network element provides an application service to a device over a network. Using a shared key generated according to the Generic Bootstrapping Architecture (GBA), the network element authenticates a request message sent from the device. The network element sends to the device a response indicating a successful authentication. The response includes information that indicates one or more supported protocols for establishing a communication session between the device and the network element.

Abstract: It is disclosed a method of establishing a secure connection between a device and a network-based entity, NAF, via an access gateway, where the device and a network-based bootstrapping server, BSF, have a pre-established trust relationship. The method comprises the access gateway acting as a proxy between the device and the BSF. A reference to a NAF received from the BSF is used to securely authenticate the device to the NAF. An identity of the access gateway is sent to the NAF and the identity is sued to authorise the device to use the access gateway. The access gateway identity is authenticated at the BSF and/or the NAF. The access gateway may relay messages to the device over a non-HTTP link.

Abstract: The disclosure relates to methods and nodes for mapping a subscription in a network (10) to a service user identity, wherein a communication device (12) accesses the network (10) using the subscription, and wherein the service user identity is used for accessing a service provided by the first network node (16). The method (30) comprises receiving (31), from the communication device (12) a request for a service, the request comprising an authenticated service user identity, providing (32), in response to the request, the communication device (12) access to the service, receiving (33), from the communication device (12), a message comprising a token identifying a mapping of the service user identity to the subscription, and verifying (34) that a service user identity obtained from the token corresponds to the service user identity used when providing access to the communication device (12).

Abstract: A method (200) of establishing a secure connection (213) between a master device (101) and a slave device (102), sharing at least a first communication channel, is provided. The method comprises transmitting (201) an identifier IDM of the master device over the first communication channel, generating (202) a proof-of-possession XS of a key KS, using KS IDM, and a first identifier I DSi of the slave device, generating (202) a key MKS using IDM, I DSi, and KS storing (204) MKS, and transmitting (203) I DSi and XS to the master device. The method further comprises transmitting (205) IDSi, XS and IDM, to a bootstrapping server, acquiring (206) KS using IDSi, and generating (207) a proof-of-possession XB of KS using KS, IDM, and IDSi. The method further comprises, if XB and XS are identical (208), generating (210) a key MKB using IDM, I DSi, and KS, and transmitting (211) MKB to the master device where it is stored (212).

Abstract: The present invention relates to methods and devices for detecting persistency of a first network node (12). In a first aspect of the invention, a method is provided comprising the steps of monitoring (S101), during a specified observation period, whether the first network node has established a connection to a second network node (13), and determining (S102) a total number of sessions of connectivity occurring during said specified observation period in which the first network node connects to the second network node. Further, the method comprises the steps of determining (S103), from the total number of sessions, a number of sessions comprising at least one communication flow between the first network node and the second network node, and determining (S104) inter-session persistence of the first network node on the basis of the total number of sessions and the number of sessions comprising at least one communication flow.

Abstract: It is presented a method, executed in a gateway, the gateway being arranged to facilitate communication between a client device and an application server. The method comprises the steps of: sending a request for an electronically transferable subscriber identity module, the request comprising an identifier based on an identity of the client device; receiving a response indicating that an electronically transferable subscriber identity module, generated based on the identifier, is available; downloading the electronically transferable subscriber identity; and storing the electronically transferable subscriber identity module with an association to the client device, along with any previously stored electronically transferable subscriber identity modules. A corresponding gateway, computer program and computer program product are also presented.

Abstract: According to a first aspect, it is presented a method, executed in a gateway, the gateway being arranged to facilitate communication between a client device and an application server. The method comprises the steps of: receiving a client request from the client device, the client request comprising at least a portion being bound for the application server; sending an application server request to the application server; receiving an application server response from the application server, the application server response indicating a need to provide authentication; establishing at least one authentication credential using an authentication server for a connection between the client device and the application server; and sending a client response to the client device, the client response being based on the application server response and comprising the at least one authentication credential. An associated gateway, client device, vehicle, computer program and computer program product are also presented.

Abstract: A method of migrating a virtual machine comprises a first manager, managing a first computing environment (such as a computing cloud), initiates migration of a virtual machine currently executing on a first vM2ME (virtual machine-to-machine equipment) in the first computing environment to a second computing environment (such as another computing cloud). Once the VM has migrated, the first manager disables execution of the first vM2ME.

Abstract: A method of handling mobility-related signalling in a communications system comprising a mobile node, a mobile router, and a peer node. The method comprises providing the mobile router with a delegation certificate that is cryptographically signed by or on behalf of the mobile node. At the mobile router, a mobility-related signalling exchange is initiated with the peer node on behalf of the mobile node, the mobile router providing to the peer node within this exchange, said delegation certificate or an identification of the certificate, and a sequence number associated with the certificate. At the peer node, the received sequence number is compared with a sequence number maintained by the peer node in respect of the delegation certificate, and the exchange authorized in dependence upon the result of the comparison.

Abstract: The present invention relates to methods and devices for detecting persistency of a first network node (12). In a first aspect of the invention, a method is provided comprising the steps of monitoring (S101), during a specified observation period, whether the first network node has established a connection to a second network node (13), and determining (S102) a total number of sessions of connectivity occurring during said specified observation period in which the first network node connects to the second network node. Further, the method comprises the steps of determining (S103), from the total number of sessions, a number of sessions comprising at least one communication flow between the first network node and the second network node, and determining (S104) inter-session persistence of the first network node on the basis of the total number of sessions and the number of sessions comprising at least one communication flow.

Abstract: A method is presented of establishing communications with a Virtual Machine, VM, in a virtualised computing environment using a 3GPPcommunications network. The method includes establishing a Machine-to-Machine Equipment Platform, M2MEP, which comprises a Communications Module, CM, providing an end-point of a communication channel between the 3GPP network and the VM. A virtual Machine-to-Machine Equipment is established that comprises a VM running on the M2MEP and a downloadable Subscriber Identity Module, associated with the CM. The Subscriber Identity Module includes security data and functions for enabling access via the 3GPP network. The CM utilises data in the Subscriber Identity Module for controlling communication over the communication channel between the VM and the 3GPP network.

Abstract: A method is presented of providing a subscriber identity for the provision of services on behalf of the subscriber in a virtual computing environment. The method includes receiving a request to establish an execution environment for a virtual machine-to-machine equipment, vM2 M E. The vM2ME is provided, comprising software for execution in the virtual computing environment and a downloadable Subscriber Identity Module. A Communications Module, CM, is set up for execution in a domain of a virtualisation platform. The CM provides an end-point for communications between the vM2ME and a 3GPP network. The Subscriber Identity Module is installed for execution together with the CM, the Subscriber Identity Module including a 3GPP identity of the subscriber, security data and functions for enabling access to the vM2ME via the 3GPP network.