Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising means for receiving, by a network function configured to provide centralized user consent authorization in a cellular communication system, a user consent authorization request from a logical network entity, wherein the user consent authorization request comprises an identity of at least one user equipment whose user consent is requested by the logical network entity, the logical network entity being a network function service consumer or an application function, means for retrieving user consent information concerning the at least one user equipment whose user consent is requested by the logical network entity, wherein said user consent information indicates individually whether the logical network entity is authorized to access data related to each of the at least one user equipment, means for determining, based on said user consent information, whether the logical network entity is authorized to access data r

Abstract: According to an example aspect of the present invention, there is provided a method comprising, determining, by an apparatus configured to operate as a network function a cellular communication system, at least two disjoint network paths, wherein the at least two disjoint network paths are different paths, and comprise different physical resources, transmitting, by the apparatus, a subscription request to an analytics function of the cellular communication system, to request notifications about attacks or risks of attacks on at least one network function on at least one of the at least two disjoint network paths, receiving from the analytics function, by the apparatus, information about at least one compromised network entity and/or at least one network entity having a risk of being compromised on said at least one of the at least two disjoint network paths and performing, by the apparatus, attack mitigation based on said information.

Abstract: An apparatus comprising means for performing: sending, to a network entity, a Network Function Discovery request comprising parameter information; and receiving, from the network entity, a response to the request, the response comprising: at least one identifier for at least one Network Function service producer; and at least one of: information ranking the at least one Network Function service producer according to how well the at least one Network Function service producer matches the request; and an indication of how much of the parameter information is matched by one or more parameters of the at least one Network Function service producer.

Abstract: There are provided measures for optimization of network function profile administration and discovery. Such measures exemplarily comprise, at a network entity in a network entity composition, transmitting, towards a network repository function, a network entity registration request including an identifier of said network entity, an identifier of said network entity composition, and network entity specific attributes of said network entity, and receiving a network entity registration response indicative of a result of said network entity registration request.

Abstract: According to an example aspect of the present invention, there is provided a method comprising, receiving, by an intermediary network function, a subscription request from a network function consumer requesting data of a network function producer, wherein the subscription request comprises a client credential assertion of the network function consumer and an access token, authorizing and authenticating, by the intermediary network function, the network function consumer upon successful validation of the access token and the client credential assertion validation and transmitting, by the intermediary network function, an access token request to an authorization server to get another access token, wherein said another access token is to be used to validate the network function consumer to access services of the network function producer, and the access token request comprises the client credential assertion of the network function consumer requesting data of the network function producer.

Abstract: There are provided measures for optimization of network function profile administration and registration. Such measures exemplarily comprise, at a network repository function entity, receiving, from a control entity, network entity profile template information, storing said network entity profile template information, wherein said network entity profile template information comprises a network entity profile template including an identifier of said network entity profile template and a profile content of said network entity profile template, said profile content including at least one profile attribute, receiving, from a network entity, a network entity registration request comprising said identifier of said network entity profile template, and generating a network entity profile for said network entity based on said at least one profile attribute.

Abstract: Techniques are disclosed for managing reauthentication and revocation in a communication network environment. In one example, a method comprises receiving, at a first network entity (e.g., an NSWOF), a request from a second network entity (e.g., a UDM) of a communication network to which user equipment is subscribed (e.g., HN), wherein the received request is for a reauthentication or a revocation of the user equipment in accordance with wireless local area network access. The first network entity identifies the user equipment based on information about the user equipment (e.g., UE context) previously stored by the first network entity. The first network entity sends at least a portion of the received request toward the user equipment, and then continues to participate in the reauthorization or revocation based on the request.

Abstract: Techniques for accessing a core network via access points and gateway functions are provided. For example, a method comprises: determining one or more candidate gateway functions for accessing the core network via the access point; transmitting, to the one or more candidate gateway functions or to a core network function, a request for use of the one or more gateway functions to access the core network; and receiving, from the gateway function or from the core network function, a request response per candidate gateway function, the request response being configured to indicate whether the access to the core network via the respective gateway function is rejected and, in the case of rejection, to indicate a cause of rejection. The method may be performed by the terminal device (e.g., a user equipment, UE). Corresponding methods that can be performed by a network device are also provided.

Abstract: There is provided an apparatus configured to receive, from a first network entity associated with a first domain in a communication network, a request to communicate; determine a second network entity to which to send the request; determine that the second network entity is associated with a second domain in the communication network; and enforce at least one access policy for routing the request to the network entity, wherein the apparatus is a first service communication proxy trusted in both the first and second domains.

Abstract: Techniques for authentication and key management for applications (AKMA) in a communication network are disclosed. For example, a method comprises receiving an indication from an application function that a first expiry time of a first application function key, generated using a first random value and configured to enable user equipment to participate in a session with the application function, has expired. The method generates a second application function key for the application function, using a second random value, with a second expiry time.

Abstract: There is provided an apparatus comprising means for determining a change of connection at a user equipment from a source access point to a target access point, and means for receiving, from the target access point, an indication that an associated gateway function is the same for the source access point and the target access point. The apparatus also comprising means for generating an access point key based on the received indication from the target access point, and means for securing communications with the target access point using the generated access point key.

Abstract: An apparatus for a network node acting as a gateway entity of a second communication network providing access to a first communication network being different to the second communication network, the apparatus comprising at least one processor, and at least one memory storing instructions that, when executed by the at least one processor, cause the apparatus at least to receive a registration request of a user equipment for a registration to the first communication network via the second communication network, wherein the registration request comprises an anonymized subscriber identification element, to obtain a temporary identification for the user equipment, and to forward the temporary identification for the user equipment to the user equipment.

Abstract: There is provided an apparatus comprising at least one processor and at least one memory including a computer program code, the at least one memory and computer program code configured to, with the at least one processor, cause the apparatus at least to: receive, at a first network repository function in a first network from a security edge protection proxy in a second network, a request for discovering one or more roaming hubs and/or security edge protection proxies in the first network; and send, from the first network repository function to the security edge protection proxy in the second network, a response comprising information identifying the one or more roaming hubs and/or security edge protection proxies in the first network and information identifying one or more further networks which can be reached via a respective roaming hub and/or security edge protection proxy in the first network.

Abstract: If a first condition for a handover of an analytics calculation for a user equipment by an analytics function is met, the analytics function requests, of at least one other analytics function of the communication network, preparation of the handover of the analytics calculation. If a second condition for the handover of the analytics calculation is met, the analytics function confirms the handover to one of the at least one other analytics function, the analytics calculation for the user equipment at the analytics function being deemed complete.

Abstract: Techniques for enhancing subscription authorization in a communications network are provided. For example, a method in a source network function service producer or an apparatus for a source network function service provider is disclosed. The method comprises: receiving a subscription request including access authorization information from a network function service consumer for a subscription to receive a notification upon occurrence of a specific event; verifying that the network function service consumer is authorized to create the subscription to the source network function service producer; storing subscription context and access authorization information granted for the subscription if the subscription request is authorized.

Abstract: According to an example aspect of the present invention, there is provided a method comprising storing, by an apparatus, one or more key information elements, wherein each key information element comprises a stored key identifier and a stored key or a certificate, receiving by the apparatus, from a requesting network function, a request message comprising a first field and a second field, wherein the first field comprises an instance identity of the requesting network function and the second field comprises the instance identity of the requesting network function, and the first field is unprotected and the second field is protected with the key or the certificate, determining by the apparatus the key or the certificate used for protecting the second field, validating by the apparatus the second field using the key or the certificate, validating by the apparatus the request message when the instance identity of the requesting network function in the first field matches with the instance identity of the request

Abstract: A method, apparatus, and computer program for receiving an application session establishment request comprising an authentication and key management for applications, AKMA, Key Identifier, A-KID; producing an application key request (Naanf_AKMA_ApplicationKey_Get_request) comprising information elements AKMA Key Identifier A-KID; an application function identifier, AF_ID; and an application encryption key indication (Nnef_AKMA_AF_Encryption_Key_Indication); and sending the produced application key request (Naanf_AKMA_ApplicationKey_Get_request) to a home AKMA anchor function, hAAnF, or to a network exposure function, NEF, for enabling lawful interception in the VPLMN.

Abstract: Techniques for managing user equipment policy data in a communication network environment are disclosed. For example, techniques are provided for managing user equipment policy data to be sent to user equipment by protecting the user equipment policy data in a communication network to which the user equipment is subscribed (e.g., a home communication network) such that the user equipment policy data can be sent to the user equipment through a communication network to which the user equipment is attached (e.g.

Abstract: Inter-alia, methods and apparatuses are disclosed for authorization of a network function consumer by a network function provider.

Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising means for determining a data privacy filter of a user equipment, wherein the data privacy filter is configured to be used in a visited network by the user equipment to determine whether a request, from a network function in the visited network, to collect data from the user equipment is acceptable and whether the user equipment should transmit said data to the network function and means for transmitting, to the user equipment located in the visited network, the data privacy filter of the user equipment.