
Content for TS 23.256, Word version 17.3.0

5  Functional description and information flows

5.1  Control and user plane stacks

5.2  UAV Authentication and Authorization

5.2.1  UUAA Model

The following applies for UUAA for a UAV:
  • UUAA-MM is optional and performed at 5GS registration based on operator's policy. If required by the operator, UUAA-MM is performed if the UAV has an aerial UE subscription in the Access and Mobility Subscription Data and provides the CAA-Level UAV ID in the Registration Request message. If UUAA-MM is not performed, the UAV shall be authenticated by UUAA-SM during the PDU session establishment procedure for UAS service.
  • UUAA-SM is required at PDU session establishment (PDN connection in EPS) for a DNN corresponding to UAS services if UUAA-MM is not performed. The UUAA-SM is triggered by the SMF (SMF+PGW-C in EPS) based on the SM subscription data and the UAV provides the CAA-Level UAV ID in the PDU Session Establishment Request message in case of 5GS, or in the ESM message container in case of EPS.
  • UUAA-SM may be performed to re-authenticate or re-authorize the UAV at PDU session modification or EPS bearer modification (e.g. when the C2 authorization or the flight plan authorization changes), if the UE includes the CAA-Level UAV ID and a UUAA Aviation Payload.

5.2.2  UUAA at Registration in 5GS (UUAA-MM)

5.2.2.1  General

The UUAA-MM procedure is optional and triggered for a UE that requires UAV authentication and authorization by a USS when registering with 5GS. The UUAA-MM procedure is triggered by the AMF. UUAA-MM is triggered during the UE Registration based on the local network policy, if the UE has an Aerial UE subscription with the 5GS and if the UE has provided the CAA-Level UAV ID of the UAV in the Registration Request, or when the USS that authenticated the UAV triggers a re-authentication.
The UE is authenticated and authorized by USS using a CAA-Level UAV ID and credentials associated to the CAA-Level UAV ID, different from the 3GPP subscription credentials (e.g. SUPI and credentials used for PLMN access). During UUAA-MM procedure, the AMF communicates with the USS via a UAS NF and forwards authentication messages transparently between the UE and UAS NF.
The UAS NF stores the UAV UE's UUAA context after a successful UUAA procedure. Depending on the deployment, the UUAA context may be stored in the UDSF or locally in the UAS NF. After a successful UUAA procedure the UAS NF shall also create an implicit subscription for notifications towards the AMF. The UAS NF uses this notification to trigger re-authentication, update the authorization data or revoke the authorization of the UAV, upon receipt of such a request from the USS.
Figure 5.2.2.1-1: UUAA in the context of the Registration procedure (UUAA-MM)
Step 1.
The UE sends a Registration request message and, if configured with one, it shall provide a CAA-level UAV ID of the UAV and optionally a USS address when registering for UAS services.
Step 2.
If primary authentication is required (e.g. if this is an initial Registration), the AMF invokes it as described in step 9 of Figure 4.2.2.2.2-1 of TS 23.502. Subsequently the AMF retrieves the UE subscription data from the UDM as described in step 14 of Figure 4.2.2.2.2-1 of TS 23.502 (not shown in the figure).
Step 3.
The AMF shall determine whether UUAA-MM is required for the UAV. The AMF decides that UUAA is required if all of the following hold:
  1. the UE has a valid Aerial UE subscription information;
  2. UUAA is to be performed during Registration according to local operator policy;
  3. there is no successful UUAA result from a previous UUAA-MM procedure;
  4. the UE has provided a CAA-Level UAV ID.
AMF shall not perform UUAA-MM for non-3GPP access and shall ensure that the UE is not allowed to access any aerial services in non-3GPP access by rejecting PDU session establishment requests for aerial services (identified by DNN/S-NSSAI).
Step 4.
If AMF determines in step 3 that a UUAA-MM is to be performed, AMF shall include a pending UUAA-MM indication in the Registration Accept message. The AMF stores in the UE context that a UUAA is pending. The UE shall wait for completion of the UUAA-MM procedure without attempting to register for UAS services or to establish user plane connectivity to USS or UAV-C.
If AMF determines that UUAA is not to be performed during this Registration procedure, UUAA may be triggered during PDU Session Establishment later on.
If UUAA is configured in the AMF to be performed during 5GS registration and the UE has provided a CAA-Level UAV ID in the registration request in step 1, but the UE does not have an aerial subscription in the UE subscription data retrieved from the UDM in step 2, then the AMF rejects the registration with an indication that there is no aerial subscription. This indication tells the UAV the reason for the rejection of aerial services and ensures that the UE is not allowed to access any aerial service.
If UUAA is configured in the AMF to be performed during 5GS registration and the UE did not provide a CAA-Level UAV ID in the registration request in step 1, but the UE has an aerial subscription in the UE subscription data retrieved from the UDM in step 2, then the AMF accepts the registration and ensures that the UE is not allowed to access any aerial service by storing in the UE context that 'UUAA-MM has FAILED' and by rejecting subsequent PDU session establishment requests for aerial services (identified by DNN/S-NSSAI). If the UE later wants to use aerial services by providing the CAA-Level UAV ID via the UUAA-MM procedure, the UE shall first perform a Mobility Registration Update as described in clause 4.2.2.2.2 of TS 23.502.
Step 5.
If the UE indicates its support for the Network Slice-Specific Authentication and Authorization (NSSAA) procedure in the UE MM Core Network Capability, and the UE includes in the Registration Request a Requested S-NSSAI that is subject to NSSAA but has not yet been successfully authenticated, the NSSAA procedure is executed as described in clause 4.2.2.2.2 of TS 23.502.
Step 6.
If required based on step 3 determination, and if the S-NSSAI that is associated with the UAS services is part of the Allowed NSSAI, UUAA-MM procedure (see clause 5.2.2.2) is executed at this step. Once the UUAA-MM procedure is successfully completed for the UAV, the AMF stores a successful UUAA result and updates the UE context indicating that UUAA is no longer pending and the authorized CAA-Level UAV ID if provided by the USS. The USS may provide a new CAA-Level UAV ID as the authorized CAA-Level UAV ID. The AMF shall trigger a UE Configuration Update procedure (see TS 23.502, clause 4.2.4.2) to deliver the UUAA result, the UUAA Authorization Payload containing UAV configuration and the authorized CAA-Level UAV ID if received from the USS to the UE.
If UUAA fails, based on local network policy the AMF may either de-register the UE with an appropriate cause value in the De-Registration Request message, or keep the UE registered with a failed UUAA result in the UE context as described in step 7 of clause 5.2.2.2, and ensure that the UE is not allowed to access any aerial service based on the DNN/S-NSSAI value. If the UE is de-registered, the UE may re-attempt to register without including the CAA-Level UAV ID.
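The AMF's decision in steps 3 and 4 above is a small decision tree with several distinct outcomes (pending UUAA-MM, rejection for missing aerial subscription, acceptance with 'UUAA-MM has FAILED' stored, no UUAA-MM over non-3GPP access). The following is an added example, not 3GPP text or any vendor's code, that encodes those rules as a pure function over a constructed UE-context record, together with the gate the AMF applies to later aerial PDU session requests. The class and function names (AmfUeContext, RegistrationOutcome, decide_registration, is_aerial_pdu_session_allowed, complete_uuaa_mm) are invented for the example; the ordering of the "prior success" check ahead of the "missing CAA-Level UAV ID" rule, and treating a pending UUAA-MM as "not yet allowed", are modelling assumptions.

```python
"""AMF decision whether to trigger UUAA-MM at 5GS registration.

Added example, not 3GPP or vendor code. Encodes steps 3 and 4 of clause
5.2.2.1 of TS 23.256 over a constructed UE-context record; all names are
invented for the example.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class RegistrationOutcome(Enum):
    ACCEPT_UUAA_PENDING = auto()          # step 4: pending UUAA-MM indication sent
    ACCEPT_ALREADY_AUTHORIZED = auto()    # step 3, condition 3: earlier success stands
    ACCEPT_NO_UUAA_MM = auto()            # UUAA-MM not run now; UUAA-SM may run later
    ACCEPT_MARK_UUAA_FAILED = auto()      # aerial subscription but no CAA-Level UAV ID
    REJECT_NO_AERIAL_SUBSCRIPTION = auto()


@dataclass
class AmfUeContext:
    """The parts of the AMF UE context this decision reads and writes (constructed)."""
    aerial_subscription: bool            # from Access and Mobility Subscription Data
    caa_level_uav_id: Optional[str]      # from the Registration Request, if any
    access_3gpp: bool = True
    prior_uuaa_success: bool = False
    uuaa_pending: bool = False
    uuaa_mm_failed: bool = False


def decide_registration(ctx: AmfUeContext, policy_uuaa_at_registration: bool) -> RegistrationOutcome:
    """Steps 3 and 4 of clause 5.2.2.1; updates ctx the way the AMF would."""
    # Step 3: UUAA-MM is never run over non-3GPP access, and only when local
    # operator policy asks for it at registration.
    if not ctx.access_3gpp or not policy_uuaa_at_registration:
        return RegistrationOutcome.ACCEPT_NO_UUAA_MM
    if ctx.caa_level_uav_id is not None and not ctx.aerial_subscription:
        # Step 4: CAA-Level UAV ID without aerial subscription -> reject.
        return RegistrationOutcome.REJECT_NO_AERIAL_SUBSCRIPTION
    if not ctx.aerial_subscription:
        return RegistrationOutcome.ACCEPT_NO_UUAA_MM
    if ctx.prior_uuaa_success:
        # Condition 3 not met: keep the earlier successful result. Checked
        # before the missing-ID rule so a re-registration without the ID
        # does not undo it (ordering assumption of this example).
        return RegistrationOutcome.ACCEPT_ALREADY_AUTHORIZED
    if ctx.caa_level_uav_id is None:
        # Step 4: aerial subscription but no ID -> accept, store FAILED.
        ctx.uuaa_mm_failed = True
        return RegistrationOutcome.ACCEPT_MARK_UUAA_FAILED
    ctx.uuaa_pending = True
    return RegistrationOutcome.ACCEPT_UUAA_PENDING


def is_aerial_pdu_session_allowed(ctx: AmfUeContext) -> bool:
    """Whether a PDU Session Establishment Request for an aerial DNN/S-NSSAI
    may proceed. Non-3GPP access and a stored FAILED result are rejected per
    steps 3 and 4; a pending UUAA-MM is treated as not yet allowed (assumption)."""
    if not ctx.access_3gpp:
        return False
    return not (ctx.uuaa_mm_failed or ctx.uuaa_pending)


def complete_uuaa_mm(ctx: AmfUeContext, success: bool, authorized_id: Optional[str]) -> None:
    """Step 6 bookkeeping once the UUAA-MM procedure returns its result."""
    ctx.uuaa_pending = False
    if success:
        ctx.prior_uuaa_success = True
        ctx.uuaa_mm_failed = False
        if authorized_id is not None:        # USS may assign a new authorized ID
            ctx.caa_level_uav_id = authorized_id
    else:
        ctx.uuaa_mm_failed = True


if __name__ == "__main__":
    ue = AmfUeContext(aerial_subscription=True, caa_level_uav_id="caa-example-1")
    print(decide_registration(ue, policy_uuaa_at_registration=True))
    print("aerial PDU session allowed while pending:", is_aerial_pdu_session_allowed(ue))
    complete_uuaa_mm(ue, success=True, authorized_id="caa-authorized-1")
    print("aerial PDU session allowed after success:", is_aerial_pdu_session_allowed(ue))
```

Running the module walks one UE through the pending state to an authorized one; the functions can also be driven directly to check each branch of steps 3 and 4 against the text.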

5.2.2.2  UUAA-MM Procedure

Figure 5.2.2.2-1: UUAA-MM procedure
Step 1.
For a UE that requires UUAA or when triggered by re-authentication by USS, the AMF triggers a UUAA-MM procedure. If the UE does not have an Aerial subscription in the UE subscription data retrieved from the UDM, the AMF shall not trigger a UUAA-MM procedure.
Step 2.
AMF to UAS NF/NEF: The AMF invokes the Nnef_Authentication_AuthenticateAuthorize Request message. For initial authentication, this shall include the GPSI and the CAA-Level UAV ID and may include the USS address (e.g. FQDN) and the UUAA Aviation Payload, if the UE provided them. For re-authentication triggered by the AMF, the CAA-Level UAV ID may be omitted. The UAS NF resolves the USS address based on the CAA-Level UAV ID or uses the provided USS address, as described in clause 4.4.2. In addition, the AMF may also include the User Location Information (e.g. Cell ID). The UAS NF should store the serving AMF ID.
The AMF identifies the UAS NF/NEF based on local configuration or by NF discovery procedure using DNN/S-NSSAI and/or UE provided identity e.g. USS address.
The AMF also provides a Notification Endpoint to the UAS NF/NEF, so that UAS NF/NEF can include this Notification Endpoint together with UUAA updated parameters, as shown in clause 5.2.4. By providing the Notification Endpoint, the AMF is implicitly subscribed to be notified of re-authentication, update authorization data or revocation of UAV from UAS NF/NEF, if the UUAA result is successful in step 5.
Step 3.
UAS NF/NEF to USS: The Naf_Authentication_AuthenticateAuthorize Request message shall include the GPSI and the CAA-Level UAV ID and, optionally, the UAV location obtained from the AMF in step 2 (e.g. to support geo-caging functionality). The UAS NF/NEF may translate the Cell ID received as UAV location from the AMF in step 2 into a corresponding geographic area and/or may further obtain the UE location information using the Location Service Procedures defined in TS 23.273.
The UAS NF/NEF also provides a Notification Endpoint to the USS, so that USS can include this Notification Endpoint together with UUAA updated parameters, as shown in clause 5.2.4. By providing the Notification Endpoint, the UAS NF/NEF is implicitly subscribed to be notified of re-authentication, update authorization data or revocation of UAV from USS, if the UUAA result is successful in step 5.
Step 4.
[Conditional] Multiple round-trip messages as required by the authentication method used by the USS. Naf_Authentication_AuthenticateAuthorize Response messages from the USS shall include the GPSI and an authentication message, based on the authentication method used, that is forwarded transparently to the UE over NAS MM transport messages. The authentication message in step 4d may contain the UUAA Aviation Payload required by the USS if it was not provided by the UE before.
Step 5.
USS to UAS NF/NEF: The (final) Naf_Authentication_AuthenticateAuthorize Response message shall include the GPSI and a UUAA result (success/failure) for the UAV and the UAS NF. It may include an authorized/new CAA-Level UAV ID for the UAV and a UUAA Authorization Payload for the UAV (e.g. security information to be used to secure communications with the USS). It also carries a final authentication message, based on the authentication method used, that is forwarded transparently to the UE over NAS MM transport messages (e.g. indicating success or failure and, if the UUAA is a re-authentication, whether the UAS service related network resources can be released in case of UUAA failure).
Step 6.
UAS NF/NEF to AMF: (final) Nnef_Authentication_AuthenticateAuthorize Response message, forwards information received from USS in step 5. If UUAA for re-authentication failed and UAS NF/NEF received indication that the UAS service related network resource can be released in step 5, the UAS NF/NEF includes an indication that the PDU sessions associated with the "DNN(s) subject to aerial services" can be released.
Step 7a.
[Conditional] UAS NF/NEF to AMF: If UUAA-MM succeeded and UAS NF/NEF has not subscribed to AMF for the Mobility Event Exposure before, UAS NF/NEF subscribes to AMF for the mobility event notification by sending Namf_EventExposure_Subscribe request with the mobility events as described in TS 23.502, Table 5.2.2.3.1-1 with Event ID = Reachability Filter.
Step 7b.
[Conditional] UAS NF/NEF to AMF: If UUAA-MM failed and UAS NF/NEF has subscribed to AMF for the Mobility Event Exposure earlier, UAS NF/NEF unsubscribes to AMF for the mobility event notification by sending Namf_EventExposure_Unsubscribe request with Subscription Correlation ID.
Step 8a.
[Conditional] AMF to UAS NF/NEF: The AMF acknowledges the subscription request from 7a by sending Namf_EventExposure_Subscribe response with Subscription Correlation ID.
Step 8b.
[Conditional] AMF to UAS NF/NEF: The AMF acknowledges the unsubscription request from 7b by sending a Namf_EventExposure_Unsubscribe response.
Step 9.
AMF to UE: (final) NAS MM transport message forwarding authentication message from USS including authentication/authorization result (success/failure).
Step 10.
[Conditional] If UUAA-MM succeeded, the AMF triggers a UE Configuration Update procedure to deliver the authorization information from the USS to the UAV, as described in clause 5.2.2.1.
Step 11.
[Conditional] If UUAA-MM fails during a Re-authentication and Re-authorization and there are PDU session(s) established using UAS services, and the USS has indicated that the network resources can be released, AMF may trigger these PDU Sessions release. AMF identifies the relevant PDU session(s) for UAS services based on the DNN/S-NSSAI value of the PDU session.
[Conditional] If UUAA-MM fails, based on network policy the AMF may trigger the Network-initiated Deregistration procedure (as specified in clause 4.2.2.3.3 of TS 23.502) and shall include the appropriate rejection cause value in the explicit De-Registration Request.
If there is an AMF relocation for the UAV, the new serving AMF shall notify the UAS NF about the new AMF ID and the related CAA-level UAV ID using the existing AMF event notification service.
At any time after the initial registration, the USS (via UAS NF/NEF) or the AMF may initiate Re-authentication procedure for the UAV. For AMF initiated case the Re-authentication procedure shall start from step 2. USS initiated re-authentication procedure is described in clause 5.2.4.
If the UE is deregistered as per clause 4.2.2.3 of TS 23.502, then the AMF shall unsubscribe from the UAS NF, after which the UAS NF/NEF may clear the UUAA-MM context and update the USS.
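Steps 5 to 8b and step 11 of this procedure give the UAS NF/NEF two pieces of state to keep consistent with the UUAA outcome: its Reachability Filter mobility-event subscription at the AMF (created once on success, removed on failure using the Subscription Correlation ID) and the release indication for aerial PDU sessions, which is passed on only when a re-authentication failed and the USS said the resources may be released. The following is an added example, not 3GPP text or any vendor's code, that models this handling and the AMF's selection of PDU sessions to release by DNN/S-NSSAI. All class, field and function names (UssFinalResponse, UasNfUavContext, handle_final_uss_response, amf_select_sessions_to_release) and the sample values are constructed for the example; the real service operations carry more parameters than modelled here.

```python
"""UAS NF/NEF handling of the final USS response in the UUAA-MM procedure.

Added example, not 3GPP or vendor code. Models steps 5 to 8b and step 11 of
clause 5.2.2.2 of TS 23.256 with constructed records; all names are invented.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class UssFinalResponse:
    """Final Naf_Authentication_AuthenticateAuthorize Response (step 5), constructed."""
    gpsi: str
    success: bool
    authorized_caa_level_uav_id: Optional[str] = None
    authorization_payload: dict = field(default_factory=dict)
    # Only meaningful when the UUAA was a re-authentication and it failed.
    resources_releasable: bool = False


@dataclass
class UasNfUavContext:
    """UUAA context the UAS NF keeps for one UAV (constructed subset)."""
    gpsi: str
    serving_amf_id: str
    amf_notification_endpoint: str
    # Subscription Correlation ID returned in step 8a; None when not subscribed.
    mobility_subscription_id: Optional[str] = None


def handle_final_uss_response(ctx: UasNfUavContext, resp: UssFinalResponse,
                              is_reauthentication: bool,
                              next_subscription_id: str) -> Tuple[dict, Optional[Tuple[str, str]]]:
    """Return the Nnef response forwarded to the AMF (step 6) and the
    event-exposure operation the UAS NF issues towards the AMF (7a/7b), if any."""
    if resp.gpsi != ctx.gpsi:
        raise ValueError("USS response GPSI does not match the stored UUAA context")

    nnef_response = {
        "gpsi": resp.gpsi,
        "uuaa_result": "success" if resp.success else "failure",
        "authorized_caa_level_uav_id": resp.authorized_caa_level_uav_id,
        "uuaa_authorization_payload": resp.authorization_payload,
        # Step 6: release indication only for a failed re-authentication where
        # the USS indicated the UAS-related network resources may be released.
        "release_aerial_pdu_sessions": (
            is_reauthentication and not resp.success and resp.resources_releasable
        ),
    }

    operation = None
    if resp.success and ctx.mobility_subscription_id is None:
        # Step 7a/8a: subscribe once for Reachability Filter mobility events.
        ctx.mobility_subscription_id = next_subscription_id
        operation = ("Namf_EventExposure_Subscribe", "Reachability Filter")
    elif not resp.success and ctx.mobility_subscription_id is not None:
        # Step 7b/8b: unsubscribe using the stored Subscription Correlation ID.
        operation = ("Namf_EventExposure_Unsubscribe", ctx.mobility_subscription_id)
        ctx.mobility_subscription_id = None
    return nnef_response, operation


def amf_select_sessions_to_release(nnef_response: dict,
                                   pdu_sessions: Dict[int, Tuple[str, str]],
                                   aerial_dnn_snssai: Set[Tuple[str, str]]) -> List[int]:
    """Step 11: the PDU sessions the AMF may release after a failed
    re-authentication, identified by their (DNN, S-NSSAI) pair."""
    if not nnef_response["release_aerial_pdu_sessions"]:
        return []
    return [sid for sid, key in pdu_sessions.items() if key in aerial_dnn_snssai]


if __name__ == "__main__":
    ctx = UasNfUavContext("gpsi-example", "amf-1", "https://amf.example.invalid/notify")
    ok = UssFinalResponse("gpsi-example", True, "caa-authorized-1", {"c2_security": "constructed"})
    print(handle_final_uss_response(ctx, ok, False, "sub-1"))
    fail = UssFinalResponse("gpsi-example", False, resources_releasable=True)
    resp, op = handle_final_uss_response(ctx, fail, True, "sub-2")
    sessions = {1: ("uas.example", "sst-1"), 2: ("internet", "sst-1")}
    print(op, amf_select_sessions_to_release(resp, sessions, {("uas.example", "sst-1")}))
```

The GPSI check at the top is the one correlation the text makes explicit (every message in the exchange carries the GPSI), and it is what stops a response for one UAV being applied to another UAV's context.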
