Patents by Inventor Stere Preda

Stere Preda has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20250039001
    Abstract: A method, network node and non-transitory computer readable media having stored thereon instructions for correlating a remote attestation quote with a virtualized network function (VNF) resource allocation event. The method comprises obtaining a set of VNF components (VNFCs) that require remote attestation. The method comprises obtaining an attestation quote for each VNFC of the set of VNFCs, the attestation quote ensuring that instances of each VNFC are used in a legitimate context. The method comprises correlating each attestation quote with the VNF resource allocation event.
    Type: Application
    Filed: November 3, 2022
    Publication date: January 30, 2025
    Inventors: Bernard Smeets, Cristina Badulescu, Daniel Migault, Stere Preda
  • Patent number: 12069191
    Abstract: A system, node and wireless device are provided. An intermediate node is provided that includes processing circuitry configured to: receive a packet where the packet includes metadata associated with first input data of a first node, first output data of the first node, a first PC signature and a public cryptographic key associated with the first node, verify that the first PC signature corresponds to a process that led from the first input data to the first output data using the public cryptographic key, verify a link between first node and the intermediate node by comparing the received packet and the first output data, and determine whether to perform at least one service function on the packet based at least in part on the verification of the first PC signature and the verification of the link between the first node and the intermediate node.
    Type: Grant
    Filed: September 13, 2019
    Date of Patent: August 20, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Fereydoun Farrahi Moghaddam, Daniel Migault, Stere Preda
  • Patent number: 12063510
    Abstract: Apparatuses and methods are disclosed for enabling signalling storm mitigation in Internet Protocol (IP) Security (IPsec)-secured virtual Radio Access Network (vRAN). In one embodiment a method in a first network node includes receiving a trigger to establish an IPsec session with a second network node, the IPsec session being associated with a user equipment (UE); responsive to the trigger to establish the IPsec session associated with the UE, derive a unique identifier for the UE; generate a Security Parameter Index (SPI) value based at least in part on the unique identifier derived for the UE, the SPI value being unique to the IPsec session; and communicate an indication of the SPI value to the second network node.
    Type: Grant
    Filed: September 4, 2018
    Date of Patent: August 13, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Stere Preda, Amine Boukhtouta, Daniel Migault, Fereydoun Farrahi Moghaddam
  • Publication number: 20230370474
    Abstract: A method, system and apparatus are disclosed. According to one or more embodiments, a verifier is provided. The verifier includes processing circuitry configured to obtain a hash algorithm and a fully qualified domain name, FQDN, associated with a virtual network function, VNF, image, determine an identifier for the VNF image based at least on the hash algorithm and the FQDN, perform domain name system security extensions, DNSSEC, resolution of the determined identifier for the VNF image at least in part by requesting at least one attribute of the VNF image using the determined identifier for the VNF image and validating a response associated with the request, and perform validation of the VNF image in response to successful DNSSEC resolution.
    Type: Application
    Filed: September 14, 2021
    Publication date: November 16, 2023
    Inventors: Daniel MIGAULT, Stere PREDA, Thomas INGEMARSSON
  • Patent number: 11818100
    Abstract: Methods and systems for automatic provisioning of security policies for content streaming control within a Content Delivery Network (CDN) are provided. According to one aspect, a method for automatic provisioning of security policies for content streaming control by a network node within a CDN that supports at least one streaming media protocol comprises: obtaining a manifest, the manifest being generated in response to a user requesting a streaming content from the CDN; determining a first security policy associated with the user and/or the requested streaming content in accordance with the manifest; updating a set of firewall rules for implementing security policies in accordance with the determined first security policy; and applying the updated set of firewall rules to validate requests from the user for the streaming content. The policies are dynamically configured and may be sparsely provisioned, e.g., downloaded only to the pertinent nodes and activated only when necessary.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: November 14, 2023
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Stere Preda, Daniel Migault, Makan Pourzandi
  • Publication number: 20230179996
    Abstract: Systems and methods for selective User Plane protection in a 5G virtual RAN are provided. A method performed by a gNB Central Unit (gNB-CU) for communicating with a gNB-Distributed Unit (gNB-DU) includes determining whether to selectively encrypt a PDU to be sent to the gNB-DU if the PDU is not otherwise encrypted. In response to determining to selectively encrypt, the method includes encrypting the PDU to be sent to the gNB-DU. In response to determining to not selectively encrypt, the method includes passing the PDU to be sent to the gNB-DU. In this way, additional security is provided while performance impact is minimized. In some embodiments, this provides a lower overhead on the gNB-CU-UP side compared to applying a generic protection of all PDUs. Additionally, the latency overhead is limited since a secure session establishment and handshake is confined to the gNB-CU-UP-SEG domain instead of gNB-CU-UP to gNB-DU.
    Type: Application
    Filed: March 18, 2020
    Publication date: June 8, 2023
    Inventors: Stere Preda, Daniel Migault, Amine Boukhtouta, Xiaowen Yue
  • Publication number: 20230094458
    Abstract: Systems and methods for maintaining privacy of security protocol parameters are provided. A node receives an encrypted packet and determines if the Security Parameters Index (SPI) value has been updated. The node can modify its stored SPI value(s) accordingly and process the encrypted packet.
    Type: Application
    Filed: January 30, 2020
    Publication date: March 30, 2023
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Daniel Migault, Stere Preda, Amine Boukhtouta, Fereydoun Farrahi Moghaddam
  • Publication number: 20220329445
    Abstract: A system, node and wireless device are provided. An intermediate node is provided that includes processing circuitry configured to: receive a packet where the packet includes metadata associated with first input data of a first node, first output data of the first node, a first PC signature and a public cryptographic key associated with the first node, verify that the first PC signature corresponds to a process that led from the first input data to the first output data using the public cryptographic key, verify a link between first node and the intermediate node by comparing the received packet and the first output data, and determine whether to perform at least one service function on the packet based at least in part on the verification of the first PC signature and the verification of the link between the first node and the intermediate node.
    Type: Application
    Filed: September 13, 2019
    Publication date: October 13, 2022
    Inventors: Fereydoun FARRAHI MOGHADDAM, Daniel MIGAULT, Stere PREDA
  • Patent number: 11343673
    Abstract: Methods and systems for group re-authentication of devices in a wireless telecommunication network are provided. According to one aspect, a method of operation of a base station in a wireless telecommunication network comprises receiving a group authentication request message from a mobility management entity, the group authentication request message comprising a group identifier; identifying at least one user equipment as belonging to a group identified by the group identifier; sending an individual authentication request message to each identified UE; receiving an authentication response from at least one of the identified UE; aggregating the received at least one authentication response to create a group authentication response message; and sending the group authentication response message to the mobility management entity.
    Type: Grant
    Filed: July 14, 2016
    Date of Patent: May 24, 2022
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Suresh Krishnan, Catherine Truchan, Peyman Talebi Fard, Stere Preda
  • Patent number: 11343322
    Abstract: Systems and methods for virtualizing edge node functionality as a service for handling content delivery are described herein. An edge node receives a packet and determines if it is associated with an established session and if it should be offloaded for processing. An offload status indicator and/or session context information can be added to the offloaded packet and it is transmitted to a subsequent edge node.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: May 24, 2022
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Daniel Migault, Stere Preda, Elaheh Jalalpour, Enayatallah Ghaznavi
  • Patent number: 11323488
    Abstract: Systems and methods are disclosed herein that relate to secure monitoring or interception of traffic in a wireless communications system. In some embodiments, a method of operation of a network node comprises receiving a list of one or more obfuscated target identifiers from a monitoring node, where each obfuscated target identifier is a user identifier of a target user that is encrypted using a first encryption key that is unknown to the network node. The method further comprises receiving an encrypted packet from another network node and determining whether an encrypted user identifier of the encrypted packet matches one of the obfuscated target identifiers. The method further comprises, if the encrypted user identifier matches one of the obfuscated target identifiers, further encrypting the encrypted packet using a second encryption key negotiated between the network node and the monitoring node and transmitting the further encrypted packet to the monitoring node.
    Type: Grant
    Filed: June 7, 2017
    Date of Patent: May 3, 2022
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Catherine Truchan, Suresh Krishnan, Daniel Migault, Stere Preda
  • Patent number: 11240214
    Abstract: Systems and methods for processing inbound and outbound secure packet traffic are provided herein. A first lookup operation can be performed to identify a security association corresponding to a received packet. A second lookup operation can be performed to determine a security parameters index associated with the packet and the identified security association. The packet can be processed in accordance with the security association and the security parameters index.
    Type: Grant
    Filed: June 20, 2017
    Date of Patent: February 1, 2022
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Daniel Migault, Stere Preda
  • Publication number: 20210329456
    Abstract: Apparatuses and methods are disclosed for enabling signalling storm mitigation in Internet Protocol (IP) Security (IPsec)-secured virtual Radio Access Network (vRAN). In one embodiment a method in a first network node includes receiving a trigger to establish an IPsec session with a second network node, the IPsec session being associated with a user equipment (UE); responsive to the trigger to establish the IPsec session associated with the UE, derive a unique identifier for the UE; generate a Security Parameter Index (SPI) value based at least in part on the unique identifier derived for the UE, the SPI value being unique to the IPsec session; and communicate an indication of the SPI value to the second network node.
    Type: Application
    Filed: September 4, 2018
    Publication date: October 21, 2021
    Inventors: Stere PREDA, Amine BOUKHTOUTA, Daniel MIGAULT, Fereydoun Farrahi MOGHADDAM
  • Publication number: 20210288942
    Abstract: Methods and systems for automatic provisioning of security policies for content streaming control within a Content Delivery Network (CDN) are provided. According to one aspect, a method for automatic provisioning of security policies for content streaming control by a network node within a CDN that supports at least one streaming media protocol comprises: obtaining a manifest, the manifest being generated in response to a user requesting a streaming content from the CDN; determining a first security policy associated with the user and/or the requested streaming content in accordance with the manifest; updating a set of firewall rules for implementing security policies in accordance with the determined first security policy; and applying the updated set of firewall rules to validate requests from the user for the streaming content. The policies are dynamically configured and may be sparsely provisioned, e.g., downloaded only to the pertinent nodes and activated only when necessary.
    Type: Application
    Filed: December 4, 2017
    Publication date: September 16, 2021
    Inventors: Stere Preda, Daniel Migault, Makan Pourzandi
  • Patent number: 11044089
    Abstract: Methods, systems, and computer program products for security context escrowing are provided herein. According to one aspect, a method of operation of a network node for a telecommunications network comprises storing security context information associated with a small data, fast path connection between a wireless device and a first gateway that is serving the wireless device, determining a change in the gateway that is serving the wireless device from the first gateway to a second gateway, and, in response to determining the change, providing the stored security context information to the second gateway for use with the wireless device.
    Type: Grant
    Filed: May 5, 2016
    Date of Patent: June 22, 2021
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Catherine Truchan, Stere Preda, Suresh Krishnan
  • Publication number: 20210006625
    Abstract: Systems and methods for virtualizing edge node functionality as a service for handling content delivery are described herein. An edge node receives a packet and determines if it is associated with an established session and if it should be offloaded for processing. An offload status indicator and/or session context information can be added to the offloaded packet and it is transmitted to a subsequent edge node.
    Type: Application
    Filed: December 18, 2018
    Publication date: January 7, 2021
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Daniel MIGAULT, Stere PREDA, Elaheh JALALPOUR, Enayatallah GHAZNAVI
  • Patent number: 10826867
    Abstract: Systems and methods relating to an efficient communication system to, e.g., support Massive Machine Type Communication (M-MTC) devices are disclosed. In some embodiments, a base station in a cellular communications network comprises, during initial attachment of a wireless device, establishing a Data Radio Bearer (DRB) between the base station and the wireless device, updating a context of the wireless device to include information regarding the DRB established between the base station and the wireless device to thereby provide a mapping between the DRB and a cellular network identifier of the wireless device. The method further comprises, during initial attachment of the wireless device, providing, to the wireless device, at least a portion of an Internet Protocol (IP) address assigned to the wireless device and updating the context of the wireless device to include the at least a portion of the IP address of the wireless device.
    Type: Grant
    Filed: January 5, 2017
    Date of Patent: November 3, 2020
    Assignee: Telefonaktiebolaget LM Ericsson (Publ)
    Inventors: Catherine Truchan, Peyman Talebi Fard, Stere Preda, Suresh Krishnan
  • Publication number: 20200213839
    Abstract: Systems and methods are disclosed herein that relate to secure monitoring or interception of traffic in a wireless communications system. In some embodiments, a method of operation of a network node comprises receiving a list of one or more obfuscated target identifiers from a monitoring node, where each obfuscated target identifier is a user identifier of a target user that is encrypted using a first encryption key that is unknown to the network node. The method further comprises receiving an encrypted packet from another network node and determining whether an encrypted user identifier of the encrypted packet matches one of the obfuscated target identifiers. The method further comprises, if the encrypted user identifier matches one of the obfuscated target identifiers, further encrypting the encrypted packet using a second encryption key negotiated between the network node and the monitoring node and transmitting the further encrypted packet to the monitoring node.
    Type: Application
    Filed: June 7, 2017
    Publication date: July 2, 2020
    Inventors: Catherine Truchan, Suresh Krishnan, Daniel Migault, Stere Preda
  • Publication number: 20200170051
    Abstract: In one aspect of the teachings herein, a controlling gateway and an associated radio access point are configured for operation in a radio access network and use a radio protocol stack that is split on the network side between the gateway and the access point, for conveying radio bearer traffic going between the radio access network and a wireless device. According to methods and apparatuses disclosed, the radio protocol entities affected by the stack split communicate using Internet Protocol, IP, sessions. Advantageously, the radio bearer traffic conveyed over the split stack maps to different IP sessions in dependence on any one or more of network capabilities, various isolation or privacy requirements associated with the device and/or traffic, the types of data being conveyed, the types of radio bearers involved, and the involved Radio Link Control, RLC, operating modes.
    Type: Application
    Filed: January 30, 2020
    Publication date: May 28, 2020
    Inventors: Suresh Krishnan, Stere Preda, Catherine Truchan
  • Publication number: 20200145394
    Abstract: Systems and methods for processing inbound and outbound secure packet traffic are provided herein. A first lookup operation can be performed to identify a security association corresponding to a received packet. A second lookup operation can be performed to determine a security parameters index associated with the packet and the identified security association. The packet can be processed in accordance with the security association and the security parameters index.
    Type: Application
    Filed: June 20, 2017
    Publication date: May 7, 2020
    Applicant: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Daniel MIGAULT, Stere PREDA